CN115442131A - Login method, login device, computer equipment and storage medium - Google Patents


Info

Publication number: CN115442131A
Authority: CN (China)
Prior art keywords: login, user, user terminal, address, application system
Legal status: Pending (as listed by Google Patents; the status is an assumption, not a legal conclusion)
Application number: CN202211065158.8A
Other languages: Chinese (zh)
Inventor: 连帮
Current assignee: Industrial and Commercial Bank of China Ltd ICBC (as listed; may be inaccurate)
Original assignee: Industrial and Commercial Bank of China Ltd ICBC
Application filed by Industrial and Commercial Bank of China Ltd ICBC
Priority to CN202211065158.8A
Publication of CN115442131A

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0815 Network architectures or network communication protocols for network security for authentication of entities providing single-sign-on or federations
    • H04L63/0876 Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Power Engineering (AREA)
  • Information Transfer Between Computers (AREA)

Abstract

The application relates to a login method, a login device, a computer device, a storage medium and a computer program product, relates to the technical field of information security, and can be used in the field of financial technology or other fields. The method comprises the following steps: responding to a login query request message sent by an application system, and querying a login online record corresponding to the IP address of the user terminal in a database according to the IP address of the user terminal contained in the login query request message; and under the condition that the login online record corresponding to the IP address of the user terminal exists in the database, determining a target user according to the login online record corresponding to the IP address of the user terminal, and sending a target user information message corresponding to the target user to the application system, wherein the target user information message is used for indicating the application system to allow the user terminal to access the application system with the identity of the target user. By adopting the method, the single sign-on can be realized without being limited by the same browser, and the flexibility of the single sign-on is higher.

Description

Login method, login device, computer equipment and storage medium
Technical Field
The present application relates to the field of information security technologies, and in particular, to a login method, an apparatus, a computer device, a storage medium, and a computer program product.
Background
As the number of application systems in banks grows, each application system maintains its own user authentication information, so a user has to remember the login passwords of many application systems and the authentication information held by each system is redundant; unified authentication systems arose to address such problems. A unified authentication system, that is, a unified identity authentication system, authenticates a user, issues a unified identity pass together with the corresponding authorization, and thereby establishes unified identity management across all associated application systems.
When a user accesses an application system through the browser of a terminal without being logged in, the browser is redirected to the login page of the unified authentication system, where the user enters login credential information (such as a user name and a password). Once the login credential information is verified, the unified authentication system returns the user's authentication credential to the terminal, the terminal stores the authentication credential in the browser cache, and the browser is redirected to a callback address to access the application system. When the user later accesses other associated application systems through the same browser, the cached authentication credential grants access without logging in again, which is how single sign-on is achieved.
However, because this login method stores the authentication credential in the browser cache of the terminal, access to each application system is limited to that same browser; if a different browser is used to access another application system, or the browser cache is cleared, the user must log in again, i.e. the flexibility of single sign-on is poor.
Disclosure of Invention
In view of the foregoing, it is desirable to provide a login method, device, computer readable storage medium and computer program product capable of improving flexibility of single sign-on.
In a first aspect, the present application provides a login method, where the method is applied to a unified authentication system, and the method includes:
responding to a login query request message sent by an application system, and querying a login online record corresponding to the IP address of the user terminal in a database according to the IP address of the user terminal contained in the login query request message; the login query request message is constructed by the application system in response to an access request sent by the user terminal;
and under the condition that the login online record corresponding to the IP address of the user terminal exists in the database, determining a target user according to the login online record corresponding to the IP address of the user terminal, and sending a target user information message corresponding to the target user to the application system, wherein the target user information message is used for indicating the application system to allow the user terminal to access the application system with the identity of the target user.
In one embodiment, the method further comprises:
sending an unregistered message corresponding to the IP address of the user terminal to the application system under the condition that the login online record corresponding to the IP address of the user terminal does not exist in the database; the unregistered message is used for indicating the application system to jump to a login page of the application system; the login page of the application system is used for acquiring login credential information of the target user;
responding to a login request message sent by the application system, and performing user identity authentication according to login credential information of the target user contained in the login request message;
and sending a target user information message corresponding to the target user to the application system under the condition that the user identity is verified to be passed.
In one embodiment, after the user identity authentication is performed according to the login credential information of the target user included in the login request message, the method further includes:
and under the condition that the user identity authentication is passed, correspondingly storing the IP address of the user terminal and the login credential information of the target user in the database as a login online record corresponding to the IP address of the user terminal.
In a second aspect, the present application further provides a login method, where the method is applied to an application system, and the method includes:
responding to an access request sent by a user terminal, and sending a login query request message containing an IP address of the user terminal to a unified authentication system; the login query request message is used for indicating the unified authentication system to query a login online record corresponding to the IP address of the user terminal in a database according to the IP address of the user terminal, determining a target user according to the login online record corresponding to the IP address of the user terminal under the condition that the login online record corresponding to the IP address of the user terminal exists in the database, and sending a target user information message corresponding to the target user to the application system;
and allowing the user terminal to access the application system with the identity of the target user under the condition of receiving the target user information message corresponding to the target user sent by the unified authentication system.
In one embodiment, the login query request message is further used to indicate that the unified authentication system sends an unregistered message corresponding to the IP address of the user terminal to the application system when the login online record corresponding to the IP address of the user terminal does not exist in the database; the method further comprises the following steps:
under the condition that an unregistered message corresponding to the IP address of the user terminal sent by the unified authentication system is received, jumping to a login page of the application system;
obtaining login credential information of the target user through a login page of the application system, and sending a login request message containing the login credential information of the target user to the unified authentication system; the login request message is used for indicating the unified authentication system to carry out user identity authentication according to login credential information of a target user in the login request message, and sending a target user information message corresponding to the target user to the application system under the condition that the user identity authentication is passed.
In a third aspect, the present application further provides a login apparatus. The device comprises:
the query module is used for responding to a login query request message sent by an application system, and querying a login online record corresponding to the IP address of the user terminal in a database according to the IP address of the user terminal contained in the login query request message; the login query request message is constructed by the application system in response to an access request sent by the user terminal;
a first sending module, configured to, when a login online record corresponding to the IP address of the user terminal exists in the database, determine a target user according to the login online record corresponding to the IP address of the user terminal, and send a target user information message corresponding to the target user to the application system, where the target user information message is used to indicate that the application system allows the user terminal to access the application system with the identity of the target user.
In one embodiment, the apparatus further comprises:
a second sending module, configured to send, to the application system, an unregistered message corresponding to the IP address of the user terminal when there is no login online record corresponding to the IP address of the user terminal in the database; the unregistered message is used for indicating the application system to jump to a login page of the application system; the login page of the application system is used for acquiring login credential information of the target user;
the verification module is used for responding to a login request message sent by the application system and performing user identity verification according to login credential information of the target user contained in the login request message;
and the third sending module is used for sending the target user information message corresponding to the target user to the application system under the condition that the user identity is verified to be passed.
In one embodiment, the apparatus further comprises:
and the storage module is used for correspondingly storing the IP address of the user terminal and the login credential information of the target user in the database as the login online record corresponding to the IP address of the user terminal under the condition that the user identity authentication is passed.
In a fourth aspect, the present application further provides a login apparatus. The device comprises:
the first sending module is used for responding to an access request sent by a user terminal and sending a login query request message containing an IP address of the user terminal to a unified authentication system; the login query request message is used for indicating the unified authentication system to query a login online record corresponding to the IP address of the user terminal in a database according to the IP address of the user terminal, determining a target user according to the login online record corresponding to the IP address of the user terminal under the condition that the login online record corresponding to the IP address of the user terminal exists in the database, and sending a target user information message corresponding to the target user to the application system;
and the access module is used for allowing the user terminal to access the application system by the identity of the target user under the condition of receiving the target user information message corresponding to the target user sent by the unified authentication system.
In one embodiment, the login query request message is further used to indicate that the unified authentication system sends an unregistered message corresponding to the IP address of the user terminal to the application system when the login online record corresponding to the IP address of the user terminal does not exist in the database; the device further comprises:
the skip module is used for skipping to a login page of the application system under the condition of receiving an unregistered message which is sent by the unified authentication system and corresponds to the IP address of the user terminal;
the second sending module is used for obtaining the login credential information of the target user through the login page of the application system and sending a login request message containing the login credential information of the target user to the unified authentication system; the login request message is used for indicating the unified authentication system to carry out user identity verification according to login credential information of a target user in the login request message, and sending a target user information message corresponding to the target user to the application system under the condition that the user identity verification is passed.
In a fifth aspect, the application further provides a computer device. The computer device comprises a memory storing a computer program and a processor which, when executing the computer program, implements the steps of the method of the first or second aspect.
In a sixth aspect, the present application further provides a computer-readable storage medium. The computer-readable storage medium stores a computer program which, when executed by a processor, carries out the steps of the method of the first or second aspect described above.
In a seventh aspect, the present application further provides a computer program product. The computer program product comprises a computer program that, when executed by a processor, implements the steps of the method of the first or second aspect.
According to the login method, the login device, the computer equipment, the storage medium and the computer program product, when a user accesses the application system through the user terminal, the application system sends a login query request message to the unified authentication system; the unified authentication system queries the database for a login online record corresponding to the IP address of the user terminal contained in the login query request message; if such a record exists, a target user is determined from it and a target user information message corresponding to the target user is sent to the application system, which instructs the application system to allow the user terminal to access the application system with the identity of the target user. Because the login online records corresponding to the IP addresses of user terminals are kept in the database of the unified authentication system, whenever a user accesses any associated application system, that application system sends a login query request message to the unified authentication system, which looks up the login online record for the terminal's IP address; if the record exists, the user can access the application system through the terminal directly, without logging in again. Therefore, when a user accesses different application systems through the same terminal, single sign-on is achieved without being limited to the same browser, and it still works even if the browser cache is cleared, so the single sign-on provided by the method is highly flexible.
Drawings
FIG. 1 is a diagram of an application environment for a login method in an example;
FIG. 2 is a flowchart illustrating a login method according to an embodiment;
FIG. 3 is a flowchart illustrating a login method in another embodiment;
FIG. 4 is a flowchart illustrating a login method in another embodiment;
FIG. 5 is a flowchart illustrating a login method in another embodiment;
FIG. 6 is a block diagram showing the structure of a login apparatus in one embodiment;
FIG. 7 is a block diagram showing the structure of a login apparatus in another embodiment;
FIG. 8 is a diagram of an internal structure of a computer device in one embodiment.
Detailed Description
In order to make the objects, technical solutions and advantages of the present application more apparent, the present application is described in further detail below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are merely illustrative of the present application and are not intended to limit the present application.
First, before the technical solution of the embodiments of the present application is described in detail, the technical background and the technical evolution on which the embodiments are based are described. A unified authentication system, that is, a unified identity authentication system, authenticates a user, issues a unified identity pass together with the corresponding authorization, and thereby establishes unified identity management across all associated application systems. When a user accesses an application system through the browser of a terminal for the first time, the browser is redirected to the login page of the unified authentication system, where the user enters login credential information (such as a user name and a password); after the unified authentication system verifies the login credential information, the user's authentication credential is returned to the terminal, the terminal stores the authentication credential in the browser cache, and the browser is redirected to a callback address to access the application system. When the user later accesses other associated application systems through the same browser, the cached authentication credential grants access without logging in again, which is how single sign-on is achieved.
However, because this login method stores the authentication credential in the browser cache of the terminal, access to each application system is limited to that same browser; if a different browser is used to access another application system, or the browser cache is cleared, the user must log in again, i.e. the flexibility of single sign-on is poor. Against this background, the applicant arrived at the login method of the present application through long-term research, development and experimental verification, so that single sign-on is still achieved when the user accesses different application systems through different browsers on the terminal, which improves the flexibility of single sign-on. It should also be noted that the applicant made considerable creative effort in identifying the technical problems of the present application and the technical solutions described in the following embodiments.
The login method provided by the embodiments of the application can be applied to the application environment shown in fig. 1. The application system 104 is communicatively connected to the unified authentication system 106 and to the user terminal 102. The user terminal 102 may be, but is not limited to, a personal computer, a notebook computer, a smart phone, a tablet computer, an Internet of Things device, a portable wearable device, and the like. The application system 104 may be implemented as a stand-alone server or as a server cluster comprising a plurality of servers. The unified authentication system 106 may likewise be implemented as a stand-alone server or as a server cluster comprising a plurality of servers.
In one embodiment, as shown in fig. 2, a login method is provided, which is described by taking the method as an example applied to the unified authentication system 106 in fig. 1, and includes the following steps:
step 201, responding to a login query request message sent by an application system, and querying a login online record corresponding to the IP address of the user terminal in a database according to the IP address of the user terminal contained in the login query request message.
The login query request message is constructed by the application system responding to an access request sent by the user terminal.
In implementation, a user may request access to an application system through a user terminal. For example, the user may input an access website of the application system in a browser of the user terminal to initiate an access request, and the user terminal may send the access request including an IP address of the user terminal to the application system. After receiving the access request sent by the user terminal, the application system can construct a login query request message according to the IP address of the user terminal and send the login query request message to the unified authentication system.
After receiving the login query request message sent by the application system, the unified authentication system can query the database for the login online record corresponding to the IP address of the user terminal contained in the login query request message. A login online record is a record stored in the database after the user has passed identity authentication at the unified authentication system, and indicates that the user is in a logged-in, online state. For example, when a user accesses any application system through the user terminal for the first time, the user can be redirected to the login page of the unified authentication system, or access that login page directly, and enter login credential information such as a user name and a password there; the login credential information includes identity information of the user. The unified authentication system then authenticates the user against a pre-stored user identity authentication information database using the login credential information entered by the user; if the login credential information is consistent with the pre-stored identity authentication information, i.e. authentication passes, the unified authentication system stores the IP address of the user terminal together with the user's login credential information in the database as a login online record.
Step 202, under the condition that the login online record corresponding to the IP address of the user terminal exists in the database, determining the target user according to the login online record corresponding to the IP address of the user terminal, and sending the target user information message corresponding to the target user to the application system.
The target user information message is used for indicating the application system to allow the user terminal to access the application system in the identity of the target user.
In implementation, if the unified authentication system finds the login online record corresponding to the IP address of the user terminal in the database, the target user may be determined from that record, for example from the login credential information it contains. The unified authentication system may then construct a target user information message from the user information of the target user (e.g., identity information such as a user ID) and send it to the application system. After receiving the target user information message, the application system may parse it, obtain the target user information (e.g., the target user ID), and allow the user terminal to access the application system with the identity of the target user.
In some examples, if the unified authentication system finds the login online record corresponding to the IP address of the user terminal in the database, it may additionally verify the user identity using the login credential information of the target user held in that record. If verification passes, the target user information message corresponding to the target user is sent to the application system; if verification fails, a verification failure message is sent to the application system, which can display an error prompt on the user terminal and then jump to a login page so that the user enters login credential information again. Consequently, if the user changes the login credential information (such as the password), the login credential information kept in the previously stored login online record will no longer pass verification, which improves the security of the user's information.
In this login method, when a user accesses the application system through the user terminal, the application system sends a login query request message to the unified authentication system; the unified authentication system queries the database for the login online record corresponding to the IP address of the user terminal contained in the login query request message; if the record exists, a target user is determined from it and a target user information message corresponding to the target user is sent to the application system, indicating that the application system should allow the user terminal to access it with the identity of the target user. Because the login online records corresponding to the IP addresses of user terminals are kept in the database of the unified authentication system, whenever a user accesses any associated application system, that application system sends a login query request message to the unified authentication system, which looks up the login online record for the terminal's IP address; if the record exists, the user can access the application system through the terminal directly, without logging in again. Therefore, when a user accesses different application systems through the same terminal, single sign-on is achieved without being limited to the same browser, and it still works even if the browser cache is cleared, so the single sign-on provided by the method is highly flexible.
In one embodiment, as shown in fig. 3, the method further comprises the steps of:
step 301, sending an unregistered message corresponding to the IP address of the user terminal to the application system under the condition that the login online record corresponding to the IP address of the user terminal does not exist in the database.
The unregistered message is used to instruct the application system to jump to its own login page; the login page of the application system is used to obtain login credential information of the target user.
In implementation, if the unified authentication system does not find a login online record corresponding to the IP address of the user terminal in the database, it may construct an unregistered message corresponding to that IP address and send it to the application system.
After receiving the unregistered message, the application system can jump to its own login page, which is displayed in the browser of the user terminal, and the user can enter login credential information on that page. The application system then constructs a login request message from the login credential information entered by the user and sends it to the unified authentication system.
Step 302, in response to the login request message sent by the application system, performing user identity authentication according to the login credential information of the target user included in the login request message.
In implementation, after receiving the login request message sent by the application system, the unified authentication system may verify the user's identity against a pre-stored user authentication information database using the login credential information of the target user contained in the login request message: if the login credential information is consistent with the pre-stored authentication information, the verification passes; otherwise, the verification fails.
Step 303, sending a target user information message corresponding to the target user to the application system when the user identity authentication is passed.
In implementation, if the login credential information of the target user contained in the login request message passes user identity verification, the unified authentication system may construct the target user information message from the user ID in the login credential information and send it to the application system; the application system parses the target user information message to obtain the target user information and allows the user terminal to access the application system with the identity of the target user.
In this embodiment, if the user accesses the application system through the user terminal for the first time, or the previous access is older than a preset period (for example, one hour, one day, and the like), the unified authentication system will not find a login online record corresponding to the IP address of the user terminal in the database; it then constructs an unregistered message corresponding to the IP address of the user terminal and sends it to the application system. The unregistered message instructs the application system to jump to its own login page and obtain the login credential information of the user there; the application system then sends a login request message containing the login credential information of the target user to the unified authentication system for user identity verification. A traditional login method has to jump to the login page of the unified authentication system; if the unified authentication system is adapted to the IE browser, every application system is limited to the browser the unified authentication system supports, cannot be accessed smoothly from other browsers, and login flexibility is poor. In this embodiment, the login credential information input by the user is obtained through the login page of the application system, with no need to jump to the login page of the unified authentication system, so the method is not limited by adaptation problems introduced by the unified authentication system.
In one embodiment, after the user identity authentication in step 302, the method further comprises: when the user identity authentication is passed, storing the IP address of the user terminal together with the login credential information of the target user in the database as the login online record corresponding to the IP address of the user terminal.
In implementation, if the user identity verification of the login credential information of the target user contained in the login request message passes, the unified authentication system may store the IP address of the user terminal and the login credential information of the target user together in the database as the login online record corresponding to that IP address. For example, the unified authentication system may obtain the IP address of the user terminal and the login credential information (user name, password and the like) from the login request message and store them accordingly.
In some examples, the unified authentication system may also assign a login validity period to each login online record; for example, the validity period may be one hour or less, counted from the time the login request message was sent. Once the validity period is exceeded, the unified authentication system can delete the login online record or mark it as invalid. Thus, after the validity period has expired the user must enter login credential information again to log in, which improves the security of user information.
In this embodiment, the IP address of the user terminal in the login request message and the login credential information of the target user are stored as the login online record corresponding to that IP address, so that when the user accesses other associated application systems through the same user terminal, access can be granted directly according to the login online record. This achieves single sign-on without restricting access to different application systems to the same browser, and so is more flexible.
In some examples, the data messages exchanged between the unified authentication system and the application system (including login query request messages, login request messages, unregistered messages and so on) may use the following message format (bit positions are numbered starting from 0):
(Message format figure not reproduced; its field layout is described below.)
The message comprises a header and a data part. The header comprises a fixed part and a variable part, so the following relation holds: message = header (fixed part + variable part) + data.
The fixed part is the core of the message; its fields are described in order below:
1. Version: represents the version of the application; occupies 4 bits, representing binary 0000-1111 (decimal 0-15), so at most 16 versions can be accommodated;
2. Header length: represents the length of the header in bytes; occupies 4 bits, in units of 4 B, so the header can be at most 4 × 15 = 60 B long;
3. Unified authentication length: represents the number of characters in the unified authentication number (user name), at most 15 characters;
4. Identification: represents the message state of each function; occupies 4 bits, of which the first 2 bits and the last 2 bits have different functions and are denoted TF (Type Flag) and OF (Option Flag) respectively. TF = 00 indicates a request to query whether the user is logged in (TF = 00 in the login query request message), 01 indicates a request to log the user in (user name and password authentication is currently used; TF = 01 in the login request message), and 10 indicates that authentication data is being returned (TF = 10 in the target user information message). OF = 00 indicates that multiple users logging in from the same user terminal is prohibited, and 01 indicates that it is permitted;
5. Total length: represents the total length of the message; occupies 16 bits, so it can represent at most 2^16 = 65536;
6. Header checksum: a 16-bit value obtained by applying an encryption method to the header; the receiving party applies the same method to the received header and compares the result with this field, and if they are the same the message has not been tampered with;
7. Reserved: a reserved field occupying 16 bits, kept for subsequent extension;
8. IP address: the IP address of the requester; occupies 32 bits. An address in the form 127.0.0.1 is recorded bit by bit as 0111 1111 0000 0000 0000 0000 0000 0001;
9. Unified authentication code: the encoded content of the unified authentication number; occupies 32 bits, so it can represent at most 2^32 (about 4 billion) unified authentication numbers, and is used together with the unified authentication length field to uniquely identify a user. If the unified authentication length is 9 and the unified authentication code is 0000 0000 0000 0000 0000 1111 1111 1111, the decimal value of the binary code is 4095, and padding 4095 with leading zeros to a length of 9 gives the final unified authentication number 000004095;
10. Application identification: the code of the application; occupies 32 bits and is used together with the OF flag in the identification field. If OF is 00, the application identification can be ignored and is set to 0; if OF is 01, it carries the code assigned to this application system.
The variable part is also reserved for subsequent extension and is governed by the header length field of the fixed part: the header length field allows the header to be at most 60 B, and the fixed part occupies 20 B, so the variable part is at most 40 B. The data part carries additional user information; its start and end positions are determined by the total length and header length fields.
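The following Python implementation of this header layout is an added example, not code from the patent. It packs and parses the 20-byte fixed part, the variable part and the data, zero-pads the unified authentication code to the unified authentication length, and validates the length fields before slicing; the unified authentication length is assumed to be a 4-bit field (what the 15-character maximum and the 20-byte fixed part imply), and because the page does not name the checksum algorithm, a truncated HMAC-SHA256 under a key shared by the two systems is assumed for the header checksum.

```python
import hashlib
import hmac
import ipaddress
import struct
from dataclasses import dataclass

# Fixed part of the header, big-endian: four 4-bit fields in the first 16 bits,
# then total length (16), checksum (16), reserved (16), IP address (32),
# unified authentication code (32), application identification (32) = 20 B.
FIXED_FMT = ">HHHHIII"
FIXED_LEN = struct.calcsize(FIXED_FMT)   # 20
MAX_HEADER_LEN = 15 * 4                   # header length field counts units of 4 B

TF_QUERY, TF_LOGIN, TF_RESULT = 0b00, 0b01, 0b10   # Type Flag values from the page
OF_SINGLE, OF_MULTI = 0b00, 0b01                   # Option Flag values from the page


@dataclass
class Message:
    version: int
    tf: int
    of: int
    ip: str
    auth_code: int
    auth_length: int       # digits of the unified authentication number (assumed 4-bit field)
    app_id: int = 0
    reserved: int = 0
    options: bytes = b""   # variable part of the header: multiple of 4 B, at most 40 B
    data: bytes = b""

    @property
    def auth_number(self) -> str:
        """Unified authentication number: the code zero-padded to auth_length digits."""
        return str(self.auth_code).zfill(self.auth_length)


def _checksum(header_with_zeroed_field: bytes, key: bytes) -> int:
    # Assumed algorithm (the page names none): HMAC-SHA256 under a shared key,
    # truncated to the 16-bit field.  A 16-bit tag is a weak integrity check, and
    # an unkeyed checksum would only catch accidental corruption, not tampering.
    tag = hmac.new(key, header_with_zeroed_field, hashlib.sha256).digest()[:2]
    return int.from_bytes(tag, "big")


def pack(msg: Message, key: bytes) -> bytes:
    """Serialise a Message, filling in header length, total length and checksum."""
    for name, value, bits in (("version", msg.version, 4), ("auth_length", msg.auth_length, 4),
                              ("tf", msg.tf, 2), ("of", msg.of, 2)):
        if not 0 <= value < (1 << bits):
            raise ValueError(f"{name} does not fit in {bits} bits")
    header_len = FIXED_LEN + len(msg.options)
    if header_len % 4 or header_len > MAX_HEADER_LEN:
        raise ValueError("header length must be a multiple of 4 B and at most 60 B")
    total_len = header_len + len(msg.data)
    if total_len > 0xFFFF:
        raise ValueError("total length does not fit in 16 bits")
    app_id = msg.app_id if msg.of == OF_MULTI else 0   # page: ignored and set to 0 when OF = 00
    first16 = ((msg.version << 12) | ((header_len // 4) << 8)
               | (msg.auth_length << 4) | (msg.tf << 2) | msg.of)
    ip_int = int(ipaddress.IPv4Address(msg.ip))

    def fixed(csum: int) -> bytes:
        return struct.pack(FIXED_FMT, first16, total_len, csum, msg.reserved,
                           ip_int, msg.auth_code, app_id)

    csum = _checksum(fixed(0) + msg.options, key)   # checksum computed with its field zeroed
    return fixed(csum) + msg.options + msg.data


def parse(raw: bytes, key: bytes) -> Message:
    """Parse and verify a message; raises ValueError on bad lengths or a bad checksum."""
    if len(raw) < FIXED_LEN:
        raise ValueError("message shorter than the fixed header")
    first16, total_len, csum, reserved, ip_int, auth_code, app_id = struct.unpack(
        FIXED_FMT, raw[:FIXED_LEN])
    header_len = ((first16 >> 8) & 0xF) * 4
    # Validate the length fields before using them to slice the buffer.
    if header_len < FIXED_LEN or total_len < header_len or len(raw) < total_len:
        raise ValueError("inconsistent header length / total length")
    zeroed = raw[:4] + b"\x00\x00" + raw[6:header_len]   # checksum field sits at bytes 4-5
    expected = _checksum(zeroed, key).to_bytes(2, "big")
    if not hmac.compare_digest(expected, csum.to_bytes(2, "big")):
        raise ValueError("header checksum mismatch: message rejected")
    return Message(version=first16 >> 12, tf=(first16 >> 2) & 0b11, of=first16 & 0b11,
                   ip=str(ipaddress.IPv4Address(ip_int)), auth_code=auth_code,
                   auth_length=(first16 >> 4) & 0xF, app_id=app_id, reserved=reserved,
                   options=raw[FIXED_LEN:header_len], data=raw[header_len:total_len])


def is_rejected(raw: bytes, key: bytes) -> bool:
    """True if parse() refuses the message (used to check that tampering is detected)."""
    try:
        parse(raw, key)
    except ValueError:
        return True
    return False
```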
With this design, integrating the unified authentication system with an application system is simple: the methods for constructing and parsing messages only need to be packaged into a method package and provided to each application system that needs to integrate, plus a small amount of configuration. The message header is simple in design, and the unified authentication system can store the message header (as the login online record), so the login state of the user can be controlled more effectively and the related behaviour of the user can be counted. Storing one header requires on average 20 B; if 5 million users are online in a given period, the required storage space is 20 B × 5,000,000 / 1024 (B/KB) / 1024 (KB/MB) = 95.37 MB. If 20 systems are adapted so that multiple users can log in on the same machine, then even in the worst case, where 5 million users log in to all 20 systems at the same time, the required storage space is still below 2 GB.
In some examples, the login query request message sent by the application system to the unified authentication system may further include a multi-user login control identifier (the OF identifier in the message format above). The multi-user login control identifier takes either a first identifier (for example, OF = 00), indicating that multiple users are prohibited from logging in to the application system from the same user terminal at the same time, or a second identifier (for example, OF = 01), indicating that this is permitted. Correspondingly, when a login online record corresponding to the IP address of the user terminal exists in the database, the unified authentication system can further match the multi-user login control identifier contained in the login query request message against the one contained in the login online record.
If the matching succeeds, the user corresponding to the login credential information in the matched login online record is determined to be the target user.
If the matching fails and the multi-user login control identifier in the login query request message is the first identifier (for example, OF = 00), the user corresponding to the login online record for the IP address of the user terminal is determined to be the target user. If it is the second identifier (for example, OF = 01), the unified authentication system determines the user corresponding to the login online record for the IP address of the user terminal to be the first user and sends a user determination instruction to the application system. The user determination instruction contains the first user information and instructs the application system to jump to a user determination page and display it through the user terminal. On the user determination page, the user can trigger the operation of confirming the first user as the target user, that is, requesting to access the application system with the identity of the first user; the application system then sends the user determination information to the unified authentication system, which, on receiving it, sends the target user information message corresponding to the target user to the application system. The user can also choose on the user determination page to log in with another user identity; if the user triggers that operation, the application system jumps to its own login page to obtain the login credential information of the target user and sends a login request message containing that login credential information to the unified authentication system for user identity verification.
If the user identity verification passes, the unified authentication system sends a target user information message corresponding to the target user to the application system.
It can be understood that when the user chooses to log in with another user identity and the identity verification passes, the unified authentication system may store the login credential information of that user, the multi-user login control identifier (in this case the second identifier, for example OF = 01) and the IP address of the user terminal as a login online record. In addition, the login query request message and the login request message may further include an identifier of the application system, which the unified authentication system may also store in the login online record.
In addition, a user or an administrator can configure the unified authentication system to control whether the same user terminal is allowed to log in multiple users at the same time, making login management more flexible. For example, if the unified authentication system is configured to prohibit the same user terminal from logging in multiple users at the same time (for example, the configuration tag is OF = 00), then whenever a login online record corresponding to the IP address of the user terminal exists in the database, the unified authentication system identifies the user corresponding to the login credential information in that record as the target user. If another user wishes to log in through the same user terminal, the logged-in user can log out, or request deletion of the login online record, so that the record corresponding to the IP address of the user terminal is deleted from the database. If the unified authentication system is configured to allow the same user terminal to log in multiple users at the same time (for example, the configuration tag is OF = 01), the target user may be determined (choosing either the already logged-in user identity or another user identity) by matching the IP address of the user terminal and the multi-user login control identifier in the message sent by the application system against the login online records.
In one embodiment, as shown in fig. 4, there is further provided a login method applied to an application system, the method including the steps of:
step 401, in response to the access request sent by the user terminal, sending a login query request message containing the IP address of the user terminal to the unified authentication system.
In implementation, a user may request access to the application system through the user terminal; for example, the user may enter the access address of the application system in the browser of the user terminal to initiate an access request, and the user terminal sends the access request, including its IP address, to the application system. After receiving the access request, the application system constructs a login query request message from the IP address of the user terminal and sends it to the unified authentication system. The login query request message instructs the unified authentication system to query the database for the login online record corresponding to the IP address of the user terminal and, if such a record exists, to determine a target user from it and send a target user information message corresponding to the target user to the application system.
Step 402, allowing the user terminal to access the application system with the identity of the target user when the target user information message corresponding to the target user sent by the unified authentication system is received.
In implementation, when receiving a target user information message corresponding to a target user sent by the unified authentication system, the application system may parse the target user information message, obtain target user information (e.g., identity information such as a target user ID) in the message, and allow the user terminal to access the application system with the identity of the target user.
In this embodiment, the login online record corresponding to the IP address of the user terminal is stored in the database of the unified authentication system, when the user accesses any associated application system, the application system sends a login query request message to the unified authentication system, and then the unified authentication system queries the login online record corresponding to the IP address of the user terminal in the database, and if the login online record exists, the user can directly access the application system through the terminal without logging again. Therefore, when a user accesses different application systems through the same terminal, single sign-on can be achieved without being limited by the same browser, and even if the cache of the browser is emptied, the single sign-on can still be achieved, so that the flexibility of the single sign-on of the method is high.
In an embodiment, as shown in fig. 5, the login query request message further instructs the unified authentication system to send an unregistered message corresponding to the IP address of the user terminal to the application system when no login online record corresponding to that IP address exists in the database. The method further includes the following steps:
Step 501, jumping to the login page of the application system when an unregistered message corresponding to the IP address of the user terminal is received from the unified authentication system.
In implementation, if the unified authentication system does not find a login online record corresponding to the IP address of the user terminal in the database, it may construct an unregistered message corresponding to that IP address and send it to the application system. On receiving the unregistered message, the application system can jump to its login page, which is displayed through the browser of the user terminal, and the user can input login credential information on that page.
Step 502, obtaining the login credential information of the target user through the login page of the application system, and sending a login request message containing the login credential information of the target user to the unified authentication system.
In implementation, the user can input login credential information through the login page of the application system; the user terminal obtains it and sends it to the application system as the login credential information of the target user. The application system constructs a login request message from the login credential information of the target user and sends it to the unified authentication system. The login request message instructs the unified authentication system to verify the user's identity according to the login credential information of the target user in the message and, if the verification passes, to send a target user information message corresponding to the target user to the application system.
In this embodiment, the login credential information input by the user is obtained through the login page of the application system, with no need to jump to the login page of the unified authentication system, so the method is not limited by adaptation problems introduced by the unified authentication system and is more flexible.
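The decision logic of steps 301 to 303, the login online record storage with its validity period, the multi-user login control identifier matching, and the application-system side of steps 401/402 and 501/502, as one added Python simulation that is not the patent's own code. The record and reply layouts, the salted password-hash storage used for the pre-stored authentication information, the injectable clock, and the return strings of the application system are assumptions made for this example.

```python
import hashlib
import hmac
import os
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

OF_SINGLE, OF_MULTI = 0b00, 0b01   # multi-user login control identifier values (page: OF = 00 / 01)
VALIDITY_SECONDS = 3600            # login validity period ("one hour or less")


@dataclass
class OnlineRecord:
    """Login online record, keyed on the terminal IP.  Only the user identity is kept;
    the page also stores the credential, but the record needs no password to work."""
    ip: str
    user_id: str
    of_flag: int
    app_id: int
    login_time: float


@dataclass
class Reply:
    kind: str                      # "target_user" | "unregistered" | "user_determination" | "login_failed"
    user_id: Optional[str] = None  # target user, or the first user for "user_determination"


class UnifiedAuthSystem:
    def __init__(self, clock: Callable[[], float] = time.time):
        self.clock = clock                                      # injectable so expiry can be tested
        self.credentials: Dict[str, Tuple[bytes, bytes]] = {}   # pre-stored authentication info
        self.records: List[OnlineRecord] = []                   # the "database"

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 20_000)  # demo work factor

    def register_user(self, user_id: str, password: str) -> None:
        salt = os.urandom(16)
        self.credentials[user_id] = (salt, self._hash(password, salt))

    def _verify(self, user_id: str, password: str) -> bool:
        entry = self.credentials.get(user_id)
        return entry is not None and hmac.compare_digest(self._hash(password, entry[0]), entry[1])

    def _live_records(self, ip: str) -> List[OnlineRecord]:
        now = self.clock()   # expired records are deleted (the page allows delete or mark invalid)
        self.records = [r for r in self.records if now - r.login_time <= VALIDITY_SECONDS]
        return [r for r in self.records if r.ip == ip]

    def login_query(self, ip: str, of_flag: int) -> Reply:
        """Login query request message (TF = 00) from an application system."""
        recs = self._live_records(ip)
        if not recs:
            return Reply("unregistered")                 # application jumps to its own login page
        matched = [r for r in recs if r.of_flag == of_flag]
        if matched:
            return Reply("target_user", matched[-1].user_id)
        first_user = recs[-1].user_id                    # matching failed: page's fallback rules
        if of_flag == OF_SINGLE:
            return Reply("target_user", first_user)
        return Reply("user_determination", first_user)   # person confirms or picks another identity

    def login_request(self, ip: str, user_id: str, password: str, of_flag: int, app_id: int) -> Reply:
        """Login request message (TF = 01): verify, then store the login online record."""
        if not self._verify(user_id, password):
            return Reply("login_failed")
        self.records.append(OnlineRecord(ip, user_id, of_flag, app_id, self.clock()))
        return Reply("target_user", user_id)

    def user_determination(self, ip: str, user_id: str) -> Reply:
        """The person confirmed the first user on the user determination page."""
        if any(r.user_id == user_id for r in self._live_records(ip)):
            return Reply("target_user", user_id)
        return Reply("unregistered")

    def logout(self, ip: str, user_id: str) -> None:
        """Delete the record so that another user can log in from the same terminal."""
        self.records = [r for r in self.records if not (r.ip == ip and r.user_id == user_id)]


class ApplicationSystem:
    """Application-system side of the exchange (steps 401/402 and 501/502)."""
    def __init__(self, uas: UnifiedAuthSystem, app_id: int, of_flag: int = OF_SINGLE):
        self.uas, self.app_id, self.of_flag = uas, app_id, of_flag

    def access(self, terminal_ip: str) -> str:
        # Caveat: records are keyed on the terminal IP alone, so every host that
        # presents the same address (e.g. behind NAT) is treated as the same terminal.
        reply = self.uas.login_query(terminal_ip, self.of_flag)
        if reply.kind == "target_user":
            return f"session:{reply.user_id}"
        if reply.kind == "user_determination":
            return f"determine:{reply.user_id}"
        return "login_page"

    def submit_login(self, terminal_ip: str, user_id: str, password: str) -> str:
        reply = self.uas.login_request(terminal_ip, user_id, password, self.of_flag, self.app_id)
        return f"session:{reply.user_id}" if reply.kind == "target_user" else "login_page"
```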
It should be understood that, although the steps in the flowcharts related to the embodiments described above are shown in sequence as indicated by the arrows, the steps are not necessarily performed in sequence as indicated by the arrows. The steps are not performed in the exact order shown and described, and may be performed in other orders, unless explicitly stated otherwise. Moreover, at least a part of the steps in the flowcharts related to the embodiments described above may include multiple steps or multiple stages, which are not necessarily performed at the same time, but may be performed at different times, and the execution order of the steps or stages is not necessarily sequential, but may be rotated or alternated with other steps or at least a part of the steps or stages in other steps.
Based on the same inventive concept, the embodiment of the present application further provides a login device for implementing the above-mentioned login method. The implementation scheme for solving the problem provided by the device is similar to the implementation scheme described in the method, so specific limitations in one or more login device embodiments provided below can refer to the limitations on the login method in the foregoing, and details are not described here.
In one embodiment, as shown in fig. 6, there is provided a login apparatus 600 comprising a query module 601 and a first sending module 602, wherein:
the query module 601 is configured to respond to a login query request message sent by an application system, and query, according to an IP address of a user terminal included in the login query request message, a login online record corresponding to the IP address of the user terminal in a database; the login query request message is constructed by the application system in response to an access request sent by the user terminal.
A first sending module 602, configured to determine a target user according to a login online record corresponding to an IP address of a user terminal when the login online record corresponding to the IP address of the user terminal exists in a database, and send a target user information message corresponding to the target user to an application system, where the target user information message is used to indicate that the application system allows the user terminal to access the application system with the identity of the target user.
In one embodiment, the apparatus further comprises a second sending module, a verification module, and a third sending module, wherein:
the second sending module is used for sending an unregistered message corresponding to the IP address of the user terminal to the application system under the condition that the login online record corresponding to the IP address of the user terminal does not exist in the database; the unregistered message is used for indicating the application system to jump to a login page of the application system; and the login page of the application system is used for acquiring login credential information of the target user.
The verification module is used for responding to the login request message sent by the application system and performing user identity verification according to the login credential information of the target user contained in the login request message.
The third sending module is used for sending the target user information message corresponding to the target user to the application system when the user identity authentication is passed.
In one embodiment, the apparatus further includes a storage module, configured to, in the database, correspondingly store, as the login online record corresponding to the IP address of the user terminal, the IP address of the user terminal and the login credential information of the target user when the user identity is verified.
In one embodiment, as shown in fig. 7, there is further provided a login apparatus 700, including: a first sending module 701 and an accessing module 702, wherein:
a first sending module 701, configured to send a login query request message including an IP address of a user terminal to a unified authentication system in response to an access request sent by the user terminal; the login query request message is used for indicating the unified authentication system to query a login online record corresponding to the IP address of the user terminal in the database according to the IP address of the user terminal, and under the condition that the login online record corresponding to the IP address of the user terminal exists in the database, a target user is determined according to the login online record corresponding to the IP address of the user terminal, and a target user information message corresponding to the target user is sent to the application system.
The access module 702 is configured to allow the user terminal to access the application system with the identity of the target user when receiving the target user information packet corresponding to the target user sent by the unified authentication system.
In an embodiment, the login query request message is further used to indicate that the unified authentication system sends an unregistered message corresponding to the IP address of the user terminal to the application system when the login online record corresponding to the IP address of the user terminal does not exist in the database.
The device also comprises a skip module and a second sending module, wherein:
The skip module is used for jumping to the login page of the application system when an unregistered message corresponding to the IP address of the user terminal is received from the unified authentication system.
The second sending module is used for acquiring the login credential information of the target user through the login page of the application system and sending a login request message containing the login credential information of the target user to the unified authentication system; the login request message is used for indicating the unified authentication system to carry out user identity authentication according to login credential information of a target user in the login request message, and sending a target user information message corresponding to the target user to the application system under the condition that the user identity authentication is passed.
The modules in the login device can be wholly or partially realized by software, hardware and a combination thereof. The modules can be embedded in a hardware form or independent of a processor in the computer device, and can also be stored in a memory in the computer device in a software form, so that the processor can call and execute operations corresponding to the modules.
In one embodiment, a computer device is provided, which may be a server, and its internal structure diagram may be as shown in fig. 8. The computer device includes a processor, a memory, and a network interface connected by a system bus. The processor of the computer device is configured to provide computing and control capabilities. The memory of the computer device includes a non-volatile storage medium and an internal memory. The non-volatile storage medium stores an operating system, a computer program, and a database. The internal memory provides an environment for the operation of the operating system and computer programs in the non-volatile storage medium. The database of the computer device is used for storing data required or generated for performing the above-mentioned login method. The network interface of the computer device is used for communicating with an external terminal through a network connection. The computer program is executed by the processor to implement a login method.
Those skilled in the art will appreciate that the architecture shown in fig. 8 is merely a block diagram of some of the structures associated with the disclosed aspects and is not intended to limit the computing devices to which the disclosed aspects apply, as particular computing devices may include more or less components than those shown, or may combine certain components, or have a different arrangement of components.
In an embodiment, a computer device is provided, comprising a memory and a processor, the memory having stored therein a computer program, the processor implementing the steps of the above method embodiments when executing the computer program.
In an embodiment, a computer-readable storage medium is provided, on which a computer program is stored, which computer program, when being executed by a processor, carries out the steps of the above-mentioned method embodiments.
In an embodiment, a computer program product is provided, comprising a computer program which, when being executed by a processor, carries out the steps of the above-mentioned method embodiments.
The application relates to the technical field of information security, and the application is not limited to the application fields of login methods, devices, computer equipment, storage media and computer program products.
It should be noted that the user information (including but not limited to user device information, user personal information, etc.) and data (including but not limited to data used for analysis, stored data, displayed data, etc.) referred to in the present application are information and data authorized by the user or fully authorized by all parties concerned.
Those skilled in the art will understand that all or part of the processes of the methods of the embodiments described above can be implemented by a computer program instructing the relevant hardware; the computer program can be stored in a non-volatile computer-readable storage medium and, when executed, can include the processes of the embodiments of the methods described above. Any reference to memory, a database, or another medium used in the embodiments provided herein may include at least one of non-volatile and volatile memory. Non-volatile memory may include read-only memory (ROM), magnetic tape, floppy disk, flash memory, optical memory, high-density embedded non-volatile memory, resistive random access memory (ReRAM), magnetic random access memory (MRAM), ferroelectric random access memory (FRAM), phase change memory (PCM), graphene memory, and the like. Volatile memory may include random access memory (RAM), external cache memory, and the like. By way of illustration and not limitation, RAM can take many forms, such as static random access memory (SRAM) or dynamic random access memory (DRAM). The databases referred to in the various embodiments provided herein may include at least one of relational and non-relational databases; a non-relational database may include, but is not limited to, a blockchain-based distributed database. The processors referred to in the embodiments provided herein may be general-purpose processors, central processing units, graphics processors, digital signal processors, programmable logic devices, quantum-computing-based data processing logic devices, etc., without limitation.
The technical features of the above embodiments can be combined arbitrarily. For brevity, not all possible combinations of the technical features of the above embodiments are described, but any such combination should be considered within the scope of this specification as long as the combined features do not contradict one another.
The above embodiments express only several embodiments of the present application and are described specifically and in detail, but this is not to be construed as limiting the scope of the present application. It should be noted that a person skilled in the art can make several variations and modifications without departing from the concept of the present application, and these fall within the scope of protection of the present application. Therefore, the scope of protection of the present application shall be subject to the appended claims.

Claims (10)

1. A login method, applied to a unified authentication system, the method comprising:
in response to a login query request message sent by an application system, querying a database for an online login record corresponding to the IP address of the user terminal according to the IP address of the user terminal contained in the login query request message, the login query request message having been constructed by the application system in response to an access request sent by the user terminal; and
in the case that an online login record corresponding to the IP address of the user terminal exists in the database, determining a target user according to that online login record, and sending a target user information message corresponding to the target user to the application system, the target user information message being used to instruct the application system to allow the user terminal to access the application system with the identity of the target user.
2. The login method according to claim 1, wherein the method further comprises:
sending an unregistered message corresponding to the IP address of the user terminal to the application system in the case that no online login record corresponding to the IP address of the user terminal exists in the database, the unregistered message being used to instruct the application system to jump to a login page of the application system, the login page of the application system being used to acquire login credential information of the target user;
in response to a login request message sent by the application system, performing user identity authentication according to the login credential information of the target user contained in the login request message; and
sending a target user information message corresponding to the target user to the application system in the case that the user identity authentication passes.
3. The login method according to claim 2, wherein, after performing user identity authentication according to the login credential information of the target user contained in the login request message, the method further comprises:
in the case that the user identity authentication passes, storing the IP address of the user terminal and the login credential information of the target user in the database, in correspondence with each other, as the online login record corresponding to the IP address of the user terminal.
4. A login method, applied to an application system, the method comprising:
in response to an access request sent by a user terminal, sending a login query request message containing the IP address of the user terminal to a unified authentication system, the login query request message being used to instruct the unified authentication system to query a database for an online login record corresponding to the IP address of the user terminal according to that IP address, to determine a target user according to the online login record in the case that such a record exists in the database, and to send a target user information message corresponding to the target user to the application system; and
allowing the user terminal to access the application system with the identity of the target user in the case that the target user information message corresponding to the target user sent by the unified authentication system is received.
5. The login method according to claim 4, wherein the login query request message is further used to instruct the unified authentication system to send an unregistered message corresponding to the IP address of the user terminal to the application system in the case that no online login record corresponding to the IP address of the user terminal exists in the database, and the method further comprises:
jumping to a login page of the application system in the case that the unregistered message corresponding to the IP address of the user terminal sent by the unified authentication system is received; and
acquiring login credential information of the target user through the login page of the application system, and sending a login request message containing the login credential information of the target user to the unified authentication system, the login request message being used to instruct the unified authentication system to perform user identity authentication according to the login credential information of the target user in the login request message, and to send a target user information message corresponding to the target user to the application system in the case that the user identity authentication passes.
6. A login apparatus, the apparatus comprising:
a query module, configured to query, in response to a login query request message sent by an application system, a database for an online login record corresponding to the IP address of the user terminal according to the IP address of the user terminal contained in the login query request message, the login query request message having been constructed by the application system in response to an access request sent by the user terminal; and
a first sending module, configured to determine a target user according to the online login record corresponding to the IP address of the user terminal in the case that such a record exists in the database, and to send a target user information message corresponding to the target user to the application system, the target user information message being used to instruct the application system to allow the user terminal to access the application system with the identity of the target user.
7. A login apparatus, the apparatus comprising:
a first sending module, configured to send, in response to an access request sent by a user terminal, a login query request message containing the IP address of the user terminal to a unified authentication system, the login query request message being used to instruct the unified authentication system to query a database for an online login record corresponding to the IP address of the user terminal according to that IP address, to determine a target user according to the online login record in the case that such a record exists in the database, and to send a target user information message corresponding to the target user to the application system; and
an access module, configured to allow the user terminal to access the application system with the identity of the target user in the case that the target user information message corresponding to the target user sent by the unified authentication system is received.
8. A computer device comprising a memory and a processor, the memory storing a computer program, wherein the processor, when executing the computer program, implements the steps of the method according to any one of claims 1 to 3 or 4 to 5.
9. A computer-readable storage medium on which a computer program is stored, wherein the computer program, when executed by a processor, implements the steps of the method according to any one of claims 1 to 3 or 4 to 5.
10. A computer program product comprising a computer program, wherein the computer program, when executed by a processor, implements the steps of the method according to any one of claims 1 to 3 or 4 to 5.
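The message exchange of claims 1 to 5, written out as a runnable simulation. This is an added example and not code from the patent or its applicant: both parties run in one process, the "database" is an in-memory dictionary keyed by the user terminal's IP address, and the class names, message fields, and demo user are assumptions for illustration. Two design choices are the editor's, not the claims': the application takes the terminal IP from the transport-layer peer address rather than from a client-supplied header, and the stored online login record holds the verified user identifier rather than the raw credential that claim 3 describes.

```python
"""Added example: the login query exchange of claims 1 to 5, simulated in-process.

UnifiedAuthSystem plays the unified authentication system (claims 1 to 3) and
ApplicationSystem plays the application system (claims 4 and 5). Messages are
plain dicts. Names, fields and the demo credential are assumptions, not the
patent's own identifiers.
"""
import hashlib
import hmac
import ipaddress
import secrets
from dataclasses import dataclass, field


def _pbkdf2(password: str, salt: bytes) -> bytes:
    """Salted password hash for the demo credential store (assumed, not in the claims)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class UnifiedAuthSystem:
    """Holds the online login records (claim 1) and verifies credentials (claim 2)."""
    # user_id -> (salt, password hash); constructed demo data, not real accounts
    credentials: dict = field(default_factory=dict)
    # terminal IP address -> online login record (claim 3 keys the record by IP)
    online_records: dict = field(default_factory=dict)

    def register_user(self, user_id: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.credentials[user_id] = (salt, _pbkdf2(password, salt))

    def handle_login_query(self, msg: dict) -> dict:
        """Claim 1 and the first step of claim 2: look the online record up by terminal IP."""
        ip = str(ipaddress.ip_address(msg["terminal_ip"]))  # reject malformed addresses early
        record = self.online_records.get(ip)
        if record is None:
            return {"type": "unregistered", "terminal_ip": ip}
        return {"type": "target_user_info", "terminal_ip": ip, "user_id": record["user_id"]}

    def handle_login_request(self, msg: dict) -> dict:
        """Claims 2 and 3: verify the credential, then store the online login record."""
        ip = str(ipaddress.ip_address(msg["terminal_ip"]))
        user_id, password = msg["user_id"], msg["password"]
        entry = self.credentials.get(user_id)
        if entry is None:
            return {"type": "auth_failed", "terminal_ip": ip}
        salt, expected = entry
        if not hmac.compare_digest(_pbkdf2(password, salt), expected):
            return {"type": "auth_failed", "terminal_ip": ip}
        # Editorial choice: store the verified identity with the IP, not the raw credential.
        self.online_records[ip] = {"user_id": user_id}
        return {"type": "target_user_info", "terminal_ip": ip, "user_id": user_id}


@dataclass
class ApplicationSystem:
    """Claims 4 and 5: asks the unified authentication system before granting access."""
    auth: UnifiedAuthSystem

    def handle_access_request(self, peer_ip: str) -> dict:
        """peer_ip is the transport-layer source address of the user terminal,
        not a client-supplied header (an assumption of this example)."""
        reply = self.auth.handle_login_query({"type": "login_query", "terminal_ip": peer_ip})
        if reply["type"] == "target_user_info":
            return {"action": "grant", "user_id": reply["user_id"]}
        # Claim 5: no record, so jump to the login page to collect credentials
        return {"action": "redirect_login_page"}

    def handle_login_form(self, peer_ip: str, user_id: str, password: str) -> dict:
        """Second half of claim 5: forward the credentials collected on the login page."""
        reply = self.auth.handle_login_request(
            {"type": "login_request", "terminal_ip": peer_ip,
             "user_id": user_id, "password": password})
        if reply["type"] == "target_user_info":
            return {"action": "grant", "user_id": reply["user_id"]}
        return {"action": "deny"}


def demo() -> list:
    """Run the full exchange once and return the application's decisions in order."""
    auth = UnifiedAuthSystem()
    auth.register_user("alice", "correct horse battery staple")  # constructed demo user
    app = ApplicationSystem(auth)
    steps = []
    steps.append(app.handle_access_request("192.0.2.10"))                 # no record yet
    steps.append(app.handle_login_form("192.0.2.10", "alice", "wrong"))   # bad password
    steps.append(app.handle_login_form("192.0.2.10", "alice", "correct horse battery staple"))
    steps.append(app.handle_access_request("192.0.2.10"))                 # record found
    steps.append(app.handle_access_request("192.0.2.11"))                 # other IP, no record
    return steps


if __name__ == "__main__":
    for step in demo():
        print(step)
```

The last call in demo() shows the property that follows directly from claim 1: a request from a different source address finds no record and is sent to the login page, and conversely every terminal that presents the same source address (for example several hosts behind one NAT gateway) is matched to the same online login record, because the record is keyed by IP alone and nothing else in the claims distinguishes them.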
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211065158.8A CN115442131A (en) 2022-09-01 2022-09-01 Login method, login device, computer equipment and storage medium

Publications (1)

Publication Number Publication Date
CN115442131A (en) 2022-12-06

Family

ID=84245392

Country Status (1)

Country Link
CN (1) CN115442131A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117354356A (en) * 2023-12-04 2024-01-05 四川才子软件信息网络有限公司 APP region retention statistical method, system and equipment

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination