An HTTP redirection method for Web authentication
Technical field:
The invention belongs to the field of access authentication techniques in modern IP communication networks, and relates in particular to an access authentication method based on a Web browser.
Background technology:
An Internet service provider (hereafter abbreviated ISP) offers paid access service to its users, so authenticating the user's identity, as the basis and evidence for billing, is indispensable. Web-based authentication is a technique that has appeared in recent years. Its distinguishing feature is that no separate login software is needed: the user enters a username and password in an ordinary Web browser (such as Microsoft's Internet Explorer) and completes the whole identification process there. Conventional Web authentication has a weakness: the user must first know the IP address or domain name of the authentication server, and must visit that server with the browser to obtain the HTML page used for authentication. If the user does not know the address or domain name of the authentication server in advance, authentication cannot be completed, which makes the service inconvenient to use.
Summary of the invention:
The purpose of the present invention is to provide an HTTP redirection method for Web authentication that can be used for access authentication based on a Web browser, so that the user does not need to remember the IP address or domain name of the authentication server in order to complete authentication, and the Web authentication operation becomes simple and easy to use.
The technical solution of the present invention is as follows:
An HTTP redirection method for Web authentication comprises the following steps:
(1) the packet filtering function of the ISP's edge access router captures the HTTP packets of users who have not yet authenticated;
(2) the access router "impersonates" the destination host the user was trying to reach and establishes a TCP connection with the unauthenticated user's host;
(3) the access router uses the redirect response of the HTTP protocol to redirect the user's HTTP request to the designated authentication server.
Once the user's HTTP request has been redirected to the designated authentication server by the redirection method of the present invention, the authentication server sends the HTML page used for authentication to the user's browser, and the user completes the authentication operation by following the prompts on that page.
The redirection method of the present invention is implemented on the ISP's edge access router. Its function is to redirect the HTTP requests of users who have not yet passed authentication to the authentication server; the authentication server then sends the HTML page used for authentication to the user's browser, and the user completes the authentication operation by following the prompts on that page.
The Web forced-authentication method based on the HTTP redirection method of the present invention simplifies the user's Web authentication operation. The user only needs to open a Web browser and visit any website with it; if the user has not yet authenticated, the access router automatically redirects the user's HTTP request to the Web authentication server. The authentication server sends the authentication HTML page to the user's browser, and the user enters a username and password to complete authentication. If a user tries to access the network without authenticating, the access router ensures that, whatever website is requested, the only page obtained is the authentication page, so the user cannot bypass authentication and use the network without permission. This technique is called Web forced authentication based on HTTP redirection.
Performing Web forced authentication with the HTTP redirection method of the present invention solves the problem that the user must remember the address of the authentication server, and makes the Web authentication operation simple and easy to use. For the ISP, the address of the Web authentication server no longer has to be published to or remembered by users, which reduces the server's exposure to attack and makes it easier to deploy a distributed Web authentication system. Note that the redirect response itself still carries the server's URL in its Location field, so the address is visible to every redirected client; what the method removes is the need to announce it in advance.
Embodiment:
A preferred embodiment of the HTTP redirection method for Web authentication of the present invention is as follows:
The method of the present invention is implemented on an edge-switch type access router, which can filter IP packets at line rate according to rules. The HTTP redirection function is started only after the router's Web authentication function has been enabled, so it does not affect the forwarding of HTTP packets under other authentication modes.
Concrete steps are as follows:
1. Distinguish the packets of authenticated users from those of unauthenticated users. This is the key point in implementing HTTP packet redirection, and the method adopted in this patent is to identify the user's IP address. Before authentication, the user's IP address is assigned by a DHCP (Dynamic Host Configuration Protocol) server from a reserved address range (for example 10.0.0.0/8); after authentication, the user's IP address is a globally unique IP address. Accordingly, an IP packet filtering rule is set: every packet whose source IP address belongs to an authenticated user is forwarded.
2. Capture the HTTP packets of unauthenticated users. Using the fact that an unauthenticated user's IP address lies in the reserved address range, a filtering rule is set on the router's port that captures HTTP packets with this characteristic, so that such packets are passed to the router software for processing and are not forwarded.
3. The router analyses the user's TCP packets and, "impersonating" the destination host the user was trying to reach, completes the "three-way handshake" with the user's host to establish a TCP connection. Concretely: if the SYN bit of the user's TCP header (SYN "bit" here meaning a single bit of the header) is set, i.e. equals 1, the router generates a TCP SYN-ACK packet whose source IP is the destination IP of the user's TCP packet and whose destination IP is the source IP of the user's TCP packet, and sends it to the user; if the user's TCP packet is an ACK (acknowledgement) packet, the TCP connection is established and the router prepares to receive the user's HTTP request packet.
4. After receiving the user's HTTP request packet, the router assembles an HTTP response packet whose Status-Code field is "307" and whose Location field carries the URL identifying the authentication server.
5. After sending the redirecting HTTP response to the user, the router sends a TCP FIN packet to the user to close the TCP connection.
When the user's browser receives the above HTTP response, it automatically visits the address pointed to by the URL in the Location field, which is the address of the Web authentication server. The authentication server establishes a TCP connection with the user and sends the authentication HTML page to the user's browser. The router's packet filtering rules must therefore contain an ACL that permits HTTP packets whose destination IP is the Web authentication server's IP, from any source IP address, to be forwarded.
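The following simulation is an added example, not code from the patent, that carries the five steps of the embodiment and the closing ACL through in one place: the address-based classification of step 1 and step 2, the router impersonating the requested host to complete the handshake (step 3), the 307 response (step 4), the FIN (step 5), and the rule that lets any source reach the authentication server. The authentication server address, the client and destination addresses, and the treatment of non-HTTP traffic from unauthenticated hosts (dropped here; the page does not say) are assumptions made for the illustration.

```python
"""Added example: simulation of the HTTP redirect procedure on the access
router. Addresses, ports and the DROP policy are assumptions, not from the page."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Assumed: a documentation-range address for the Web authentication server and
# the private range the DHCP server hands to users who have not authenticated.
AUTH_SERVER_IP = "203.0.113.10"
AUTH_SERVER_URL = f"http://{AUTH_SERVER_IP}/login.html"
UNAUTH_NET = ipaddress.ip_network("10.0.0.0/8")
HTTP_PORT = 80


@dataclass
class Packet:
    """A simplified TCP/IP packet holding only the fields the method inspects."""
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    flags: frozenset = frozenset()
    payload: bytes = b""


def is_authenticated(ip: str) -> bool:
    """Step 1: a globally unique source address marks an authenticated user;
    an address from the reserved range marks one who has not authenticated."""
    return ipaddress.ip_address(ip) not in UNAUTH_NET


def classify(pkt: Packet) -> str:
    """Steps 1-2 plus the closing ACL. FORWARD: line-rate forwarding;
    PUNT: hand to router software; DROP: assumed for other unauthenticated traffic."""
    if is_authenticated(pkt.src_ip):
        return "FORWARD"
    if pkt.dst_ip == AUTH_SERVER_IP and pkt.dst_port == HTTP_PORT:
        return "FORWARD"          # ACL: any source may reach the auth server
    if pkt.dst_port == HTTP_PORT:
        return "PUNT"             # unauthenticated HTTP: captured, not forwarded
    return "DROP"


def build_redirect(request: bytes) -> Optional[bytes]:
    """Step 4: answer a well-formed HTTP request with a 307 whose Location is
    the authentication server. Returns None if the payload is not HTTP."""
    parts = request.split(b"\r\n", 1)[0].split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/1."):
        return None
    return (b"HTTP/1.1 307 Temporary Redirect\r\n"
            b"Location: " + AUTH_SERVER_URL.encode() + b"\r\n"
            b"Content-Length: 0\r\nConnection: close\r\n\r\n")


class RedirectingRouter:
    """Steps 3-5: per-flow state for the connections the router impersonates."""

    def __init__(self):
        self.flows = {}   # 4-tuple -> "SYN_RECEIVED" | "ESTABLISHED"

    def handle(self, pkt: Packet) -> list:
        """Return the packets the router sends back to the user for this packet."""
        if classify(pkt) != "PUNT":
            return []
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)

        def reply(flags, payload=b""):
            # Impersonate the destination host: swap addresses and ports.
            return Packet(pkt.dst_ip, pkt.src_ip, pkt.dst_port, pkt.src_port,
                          frozenset(flags), payload)

        state = self.flows.get(key)
        if "SYN" in pkt.flags and "ACK" not in pkt.flags:
            self.flows[key] = "SYN_RECEIVED"          # step 3: SYN -> SYN-ACK
            return [reply({"SYN", "ACK"})]
        if state == "SYN_RECEIVED" and "ACK" in pkt.flags and not pkt.payload:
            self.flows[key] = "ESTABLISHED"           # handshake complete
            return []
        if state == "ESTABLISHED" and pkt.payload:
            del self.flows[key]
            resp = build_redirect(pkt.payload)
            if resp is None:                          # not HTTP: just close
                return [reply({"FIN", "ACK"})]
            return [reply({"PSH", "ACK"}, resp),      # step 4: 307 redirect
                    reply({"FIN", "ACK"})]            # step 5: close the flow
        return []


def run_scenario(client_ip: str = "10.1.2.3") -> list:
    """Constructed exchange: an unauthenticated client requests an external site."""
    router = RedirectingRouter()
    dst = "93.184.216.34"    # assumed address of the site the user asked for
    syn = Packet(client_ip, dst, 40000, HTTP_PORT, frozenset({"SYN"}))
    ack = Packet(client_ip, dst, 40000, HTTP_PORT, frozenset({"ACK"}))
    req = Packet(client_ip, dst, 40000, HTTP_PORT, frozenset({"PSH", "ACK"}),
                 b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n")
    out = []
    for p in (syn, ack, req):
        out.extend(router.handle(p))
    return out


if __name__ == "__main__":
    for p in run_scenario():
        print(sorted(p.flags), p.src_ip, "->", p.dst_ip, p.payload[:40])
```

The router never forwards the punted SYN to the real destination, so the impersonated handshake and the redirect complete without any traffic leaving the ISP edge; once the browser follows the Location URL, the ACL in `classify` lets that second connection through to the authentication server while every other unauthenticated HTTP flow is answered the same way.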