CN1538706A - HTTP relocation method for WEB identification - Google Patents


Info

Publication number: CN1538706A
Authority: CN (China)
Prior art keywords: user, http, message, authentication, address
Legal status: Pending
Application number: CNA2003101018822A
Other languages: Chinese (zh)
Inventor: 李德尔
Current Assignee: Huawei Technologies Co Ltd
Original Assignee: Harbour Networks Holdings Ltd
Application filed by: Harbour Networks Holdings Ltd
Priority to: CNA2003101018822A
Publication of: CN1538706A

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention applies to access authentication based on a WEB browser, and lets a user complete authentication without having to remember the IP address or domain name of the authentication server. The method includes the following steps: (1) the packet filtering function of the ISP's edge access router captures HTTP messages from unauthenticated users; (2) the access router "masquerades" as the destination host the user is visiting and establishes a TCP connection with the unauthenticated user's host; (3) the access router redirects the user's HTTP request to the designated authentication server. The authentication server sends the HTML page used for authentication to the user's browser, and the user completes authentication by following the prompts on that page.

Description

An HTTP redirection method for WEB authentication
Technical field:
The invention belongs to the field of access authentication in modern IP communication networks, and in particular relates to access authentication methods based on a Web browser.
Background technology:
An Internet service provider (hereinafter ISP) provides paid access service to users, so authenticating the user's identity, as the basis for charging, is indispensable. Web-based authentication is a technology that has appeared in recent years. Its characteristic is that no separate login software is needed: the user enters a user name and password in an ordinary Web browser (such as Microsoft Internet Explorer) and completes the whole identity check there. Conventional Web authentication has one weakness: the user must first know the IP address or domain name of the authentication server, and can obtain the HTML authentication page only by visiting that server with the Web browser. A user who does not know the address or domain name of the authentication server in advance cannot complete authentication, which makes the service inconvenient to use.
Summary of the invention:
The purpose of the invention is to provide an HTTP redirection method for WEB authentication. It can be used for access authentication based on a WEB browser, so that the user can complete authentication without remembering the IP address or domain name of the authentication server, which makes WEB authentication simple and easy to use.
The technical scheme of the invention is as follows:
An HTTP redirection method for WEB authentication comprises the following steps:
(1) on the ISP's edge access router, the router's packet filtering function captures the HTTP messages of unauthenticated users;
(2) the access router "masquerades" as the destination host the user is visiting and establishes a TCP connection with the unauthenticated user's host;
(3) the access router uses the redirect response of the HTTP protocol to redirect the user's HTTP request to the designated authentication server.
After the user's HTTP request has been redirected to the designated authentication server by this method, the authentication server sends the HTML page used for authentication to the user's browser, and the user completes authentication by following the prompts on that page.
The redirection method is implemented on the ISP's edge access router. Its function is to redirect the HTTP requests of users who have not yet passed authentication to the authentication server; the authentication server then sends the HTML page used for authentication to the user's browser, and the user completes authentication by following the prompts on that page.
Forced WEB authentication based on this HTTP redirection method simplifies the user's WEB authentication. The user only needs to open a WEB browser and visit any website. If the user has not yet passed authentication, the access router automatically redirects the user's HTTP request to the WEB authentication server. The authentication server sends the HTML authentication page to the user's browser, and the user enters a user name and password to complete authentication. If the user tries to access the network without authenticating, the access router ensures that, whatever website is visited, only the HTML authentication page is returned, so the user cannot bypass the authentication step and use the network illegitimately. This technique is called forced WEB authentication based on HTTP redirection.
Using the HTTP redirection method of the invention for forced WEB authentication removes the need for the user to remember the address of the authentication server and makes WEB authentication simple and easy to use. For the ISP, the address of the WEB authentication server is no longer exposed to the public, which reduces the likelihood of the server being attacked and helps with deploying a distributed WEB authentication system.
Embodiment:
A preferred embodiment of the HTTP redirection method for WEB authentication is as follows:
The method is implemented on an edge switching access router that can perform rule-based wire-speed filtering of IP packets. The HTTP redirection function is started only after the router's WEB authentication function has been enabled, and does not affect the forwarding of HTTP messages under other authentication modes.
The concrete steps are as follows:
1. Distinguish the messages of authenticated users from those of unauthenticated users. This is the key point of HTTP message redirection, and the method adopted in this patent is to identify the user's IP address. Before authentication, the user's IP address is an address from a reserved address range (e.g. 10.0.0.0/8) allocated by the DHCP (Dynamic Host Configuration Protocol) server, whereas the IP address of an authenticated user is a globally unique IP address. An IP packet filtering rule is therefore set: every packet whose IP address is the IP address of an authenticated user is forwarded.
2. Capture the HTTP messages of unauthenticated users. Because the IP address of an unauthenticated user belongs to the reserved address range, a filtering rule that captures HTTP messages with this feature is set on the router's port, so that such messages are handed to the router software for processing and are not forwarded.
3. The router parses the user's TCP message, "masquerades" as the destination host the user is visiting, completes the "three-way handshake" with the user's host, and establishes a TCP connection. Concretely: if the SYN bit in the header of the user's TCP message is set, that is, equal to 1, the router generates a TCP SYN-ACK message whose source IP is the destination IP of the user's TCP message and whose destination IP is the source IP of the user's TCP message, and sends it to the user. If the user's TCP message is an ACK (acknowledgement) message, the TCP connection has been established and the router can prepare to receive the user's HTTP request message.
4. After receiving the user's HTTP request message, the router assembles an HTTP response message in which the Status-Code field is given the value "307" and the Location field carries the URL of the authentication server.
5. After the redirecting HTTP response message has been sent to the user, the router sends a TCP FIN message to the user to close the TCP connection.
When the user's browser receives this HTTP response message, it automatically redirects to the address that the URL in the Location field points to, which is the address of the WEB authentication server. The authentication server establishes a TCP connection with the user and sends the HTML authentication page to the user's browser. The router's packet filtering rules must include an ACL that allows forwarding of HTTP messages whose destination IP is the IP of the WEB authentication server and whose source IP is any IP address.
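The five steps and the ACL above can be traced with a small packet-level model. This is an added example, not code from the patent or from any router product: the `Segment` type, the `classify` and `Redirector` names, the portal address `192.0.2.10`, its URL, the fixed initial sequence number and the "drop" verdict for non-HTTP traffic are all assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Assumed values for illustration; only 10.0.0.0/8 and status 307 come from the patent.
UNAUTH_NET = ipaddress.ip_network("10.0.0.0/8")       # reserved DHCP pool, unauthenticated users
AUTH_SERVER_IP = ipaddress.ip_address("192.0.2.10")   # hypothetical WEB authentication server
AUTH_URL = "http://192.0.2.10/login"                  # hypothetical portal URL
SYN, ACK, FIN, PSH = 0x02, 0x10, 0x01, 0x08            # TCP flag bits

@dataclass
class Segment:
    src: str
    dst: str
    sport: int
    dport: int
    flags: int
    seq: int = 0
    ack: int = 0
    payload: bytes = b""

def classify(seg):
    """Steps 1-2 and the ACL: decide what the packet filter does with a segment."""
    if ipaddress.ip_address(seg.src) not in UNAUTH_NET:
        return "forward"      # authenticated user (globally unique address)
    if seg.dport == 80 and ipaddress.ip_address(seg.dst) == AUTH_SERVER_IP:
        return "forward"      # ACL: HTTP to the authentication server, any source
    if seg.dport == 80:
        return "capture"      # handed to router software, not forwarded
    return "drop"             # assumption: the patent does not describe non-HTTP traffic

def build_redirect(location):
    """Step 4: HTTP response with Status-Code 307 and the portal URL in Location."""
    return ("HTTP/1.1 307 Temporary Redirect\r\n"
            f"Location: {location}\r\n"
            "Content-Length: 0\r\n"
            "Connection: close\r\n\r\n").encode("ascii")

class Redirector:
    """Steps 3-5 for captured segments, answering in the destination host's name."""

    def __init__(self, isn=1000):
        self.isn = isn                 # fixed here for readability; a real stack randomises it
        self.established = set()

    def handle(self, seg):
        key = (seg.src, seg.sport, seg.dst, seg.dport)

        def reply(flags, seq, ack, payload=b""):
            # Addresses and ports are swapped: the reply appears to come from the visited host.
            return Segment(seg.dst, seg.src, seg.dport, seg.sport, flags, seq, ack, payload)

        if seg.flags & SYN and not seg.flags & ACK:
            return [reply(SYN | ACK, self.isn, seg.seq + 1)]
        if not seg.payload:
            if seg.flags & ACK:
                self.established.add(key)   # handshake complete; wait for the request
            return []
        if key not in self.established or b" HTTP/" not in seg.payload.split(b"\r\n", 1)[0]:
            return []                       # not an HTTP request on an accepted connection
        self.established.discard(key)
        body = build_redirect(AUTH_URL)
        ack = seg.seq + len(seg.payload)
        return [reply(ACK | PSH, self.isn + 1, ack, body),
                reply(FIN | ACK, self.isn + 1 + len(body), ack)]   # step 5: close
```

The model keeps per-connection state only between the handshake ACK and the first request, which mirrors the patent's one-response-then-FIN lifetime for each captured connection.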

Claims (5)

1. An HTTP redirection method for WEB authentication, characterized in that it comprises the following steps:
(1) on the ISP's edge access router, the router's packet filtering function captures the HTTP messages of unauthenticated users;
(2) the access router "masquerades" as the destination host the user is visiting and establishes a TCP connection with the unauthenticated user's host;
(3) the access router uses the redirect response of the HTTP protocol to redirect the user's HTTP request to the designated authentication server.
2. The HTTP redirection method for WEB authentication as claimed in claim 1, characterized in that the capturing in step (1) is carried out as follows: the HTTP messages of authenticated users and of unauthenticated users are distinguished by the user's IP address: before authentication, the user's IP address is a reserved-range address allocated by the DHCP server, whereas the IP address of an authenticated user is a globally unique IP address; the IP packet filtering rule "every packet whose IP address is the IP address of an authenticated user is forwarded" is set; because the IP address of an unauthenticated user belongs to the reserved address range, a filtering rule that captures HTTP messages with the reserved-address-range feature is set on the router's port, so that such messages are handed to the router for processing and are not forwarded.
3. The HTTP redirection method for WEB authentication as claimed in claim 1, characterized in that the TCP connection in step (2) is established as follows: if the SYN bit in the header of the user's TCP message is set, the router generates a TCP SYN-ACK message whose source IP is the destination IP of the user's TCP message and whose destination IP is the source IP of the user's TCP message, and sends it to the user; if the user's TCP message is an ACK message, the TCP connection has been established and the router can prepare to receive the user's HTTP request message.
4. The HTTP redirection method for WEB authentication as claimed in claim 1, characterized in that the redirection in step (3) is carried out as follows: an ACL is set in the packet filtering rules of the access router, allowing forwarding of HTTP messages whose destination IP is the IP of the WEB authentication server and whose source IP is any IP address; after the router receives the user's HTTP request message, it assembles an HTTP response message in which the Status-Code field is given the value "307" and the Location field carries the URL of the authentication server, and sends the redirecting HTTP response message to the user.
5. The HTTP redirection method for WEB authentication as claimed in claim 1, characterized in that it further comprises step (4): the authentication server sends the HTML page used for authentication to the user's browser, and the user completes authentication by following the prompts on that page; if the user tries to access the network without authenticating, the access router ensures that, whatever website is visited, only the HTML authentication page is returned, so the user cannot bypass the authentication step and use the network illegitimately.
CNA2003101018822A 2003-10-23 2003-10-23 HTTP relocation method for WEB identification Pending CN1538706A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CNA2003101018822A CN1538706A (en) 2003-10-23 2003-10-23 HTTP relocation method for WEB identification

Publications (1)

Publication Number Publication Date
CN1538706A true CN1538706A (en) 2004-10-20

Family

ID=34333122

Family Applications (1)

Application Number Title Priority Date Filing Date
CNA2003101018822A Pending CN1538706A (en) 2003-10-23 2003-10-23 HTTP relocation method for WEB identification

Country Status (1)

Country Link
CN (1) CN1538706A (en)

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
ASS Succession or assignment of patent right
  Owner name: HUAWEI TECHNOLOGY CO., LTD.
  Free format text: FORMER OWNER: GANGWAN NETWORK CO., LTD.
  Effective date: 20061013
C41 Transfer of patent application or patent right or utility model
TA01 Transfer of patent application right
  Effective date of registration: 20061013
  Address after: 518129 Bantian HUAWEI headquarters office building, Longgang District, Guangdong, Shenzhen
  Applicant after: Huawei Technologies Co., Ltd.
  Address before: 100089, No. 21 West Third Ring Road, Beijing, Haidian District, Long Ling Building, 13 floor
  Applicant before: Harbour Networks Holdings Limited
C12 Rejection of a patent application after its publication
RJ01 Rejection of invention patent application after publication