CN1894645A - Internet protocol compatible access authentication system - Google Patents


Info

Publication number
CN1894645A
Authority
CN
China
Prior art keywords
user
certificate information
user identifier
carried out
response
Legal status
Pending
Application number
CN 200480037554
Other languages
Chinese (zh)
Inventor
D. Anuszewski (D·阿努斯泽夫斯基)
Current Assignee
Siemens Medical Solutions USA Inc
Original Assignee
Siemens Medical Solutions Health Services Corp

Landscapes

  • Information Transfer Between Computers (AREA)

Abstract

An Internet compatible system, for use in authenticating user access to information, includes a repository and an authentication processor. The repository associates an initial user identifier with a particular executable application and with credential information. The credential information includes a first user identifier and a corresponding first password, which enable user access to the particular executable application. The authentication processor receives data representing the initial user identifier. The authentication processor detects a browser application initiated request for credential information in response to a user command to the browser application to access a particular executable application. The authentication processor validates whether credential information derived from the repository, using the received initial user identifier, authorizes a user to access the particular executable application in response to a detected browser application initiated request. The authentication processor provides validated authorized credential information derived from the repository to the browser application to enable a user to access the particular executable application in response to successful validation.

Description

Internet protocol compatible access authentication system
Cross reference to related application
This application is a non-provisional application of provisional application serial number 60/530,361, filed by David Anuszewski on December 17, 2003.
Field of the invention
The present invention relates generally to computer information systems. More specifically, the present invention relates to an Internet protocol compatible access authentication system.
Background of the invention
Computer security refers to techniques for protecting data stored in a computer system from being read or damaged by anyone without appropriate authorization. Most computer security systems control access using authentication and/or authorization.
Authentication is a process by which a computer, computer program or individual controls access to a trusted computer system. Authentication typically identifies an individual by who they are (for example, biometrics such as a fingerprint or retina scan), by what they have (for example, an identification card or a radio-frequency identification (RFID) tag) or by what they know (for example, credentials such as a user name and/or password), in order to control access to a multi-user trusted computer system. One technique used to perform authentication on the Internet is the process called Hypertext Transfer Protocol (HTTP) basic authentication, which involves a user name and a user password.
By comparison, authorization is the process of controlling an individual's rights of access to system objects within a trusted computer system. Typically, a trusted computer system first authenticates an individual and then authorizes the individual.
Some Internet-based trusted computer systems use basic authentication and require the individual to re-authenticate manually each time the same or a different computer resource is accessed. However, manual re-authentication interrupts the individual's workflow and is time consuming, and different computer resources may require different credentials, which can be confusing or difficult to remember.
Other Internet-based trusted computer systems use basic authentication together with a record/playback mechanism that re-authenticates automatically by entering the individual's credentials automatically. A record/playback mechanism must capture the credentials entered by the individual and send them to the personal computer so that they can be entered (that is, scripted) automatically. However, record/playback mechanisms are vulnerable to security problems and to availability problems on the personal computer.
Other Internet-based trusted computer systems replace basic authentication with proprietary security mechanisms that have specific hooks for passing user context. However, proprietary security mechanisms are incompatible with industry-standard or non-proprietary computer resources and require considerable research and development cost and effort.
Other Internet-based trusted computer systems replace basic authentication with industry-standard certificates. However, certificates impose considerable certificate management problems and expense, because a certificate must be obtained and managed for each client computer.
Therefore, there is a need for an Internet protocol compatible access authentication system that overcomes these and other shortcomings of existing systems.
Summary of the invention
An Internet compatible system for authenticating user access to information includes a repository and an authentication processor. The repository associates an initial user identifier with a particular executable application and with credential information. The credential information includes a first user identifier and a corresponding first password, which enable the user to access the particular executable application. The authentication processor receives data representing the initial user identifier. The authentication processor detects a request for credential information initiated by a browser application in response to a user command to the browser application to access the particular executable application. In response to the detected browser-initiated request, the authentication processor validates whether the credential information derived from the repository using the received initial user identifier authorizes the user to access the particular executable application. In response to successful validation, the authentication processor provides the validated authorized credential information derived from the repository to the browser application, so that the user can access the particular executable application.
Brief description of the drawings
Fig. 1 illustrates an authentication system according to principles of the present invention.
Fig. 2 illustrates a client and a server for use in the system shown in Fig. 1, according to principles of the present invention.
Fig. 3 illustrates an authentication method for the system shown in Fig. 1, according to principles of the present invention.
Fig. 4 illustrates a sequence diagram of a user's first-time operation of the system shown in Fig. 1, according to principles of the present invention.
Fig. 5 illustrates a sequence diagram of normal operation of the system shown in Fig. 1, according to principles of the present invention.
Fig. 6 illustrates a sequence diagram of expired-password operation of the system shown in Fig. 1, according to principles of the present invention.
Fig. 7 illustrates an authentication window for use in the system shown in Fig. 1, according to principles of the present invention.
Detailed description of the preferred embodiment
Fig. 1 illustrates an authentication system 100 ("system"). The system 100 includes a client 101, a first server 102, a second server 103 and a global session manager 104 ("manager"), which are interconnected by a network 105. The first server 102 includes a first executable application 106 ("first application"). The second server 103 includes a second executable application 107 ("second application"). The system 100 may include any number of clients, servers and managers, and each server may include any number of executable applications. The applications may be used locally or remotely.
The system 100 may be used by any type of enterprise, organization or department, for example a health care provider and/or a service provider responsible for the health and/or welfare of the people in its care. For example, the system 100 represents a hospital information system. A health care provider may provide services directed to the mental, emotional or physical well-being of a patient. Examples of health care providers include hospitals, nursing homes, assisted living facilities, home health care agencies, hospices, emergency care facilities, health care clinics, physical therapy clinics, chiropractic clinics, medical suppliers, pharmacies and dental offices. When serving a person in its care, the health care provider diagnoses a condition or disease and recommends a course of treatment to cure the condition (if such treatment exists), or provides preventative health care services. Examples of people served by a health care provider include patients, residents, clients and individuals.
Each element of the system 100 may be fixed and/or mobile (i.e., portable) and may be implemented in a variety of forms, including but not limited to one or more of the following: personal computer (PC), desktop PC, laptop computer, workstation, minicomputer, mainframe, supercomputer, network-based device, personal digital assistant (PDA), smart card, cellular phone, pager and wristwatch. The system 100 may be implemented in a centralized or a distributed configuration.
One or more elements of the system 100 may be implemented in hardware, software or a combination of both, and may include one or more processors. A processor is a device and/or a set of machine-readable instructions for performing tasks. A processor comprises any combination of hardware, firmware and/or software. A processor acts on information by computing, manipulating, analyzing, modifying, converting or transmitting information for use by an executable procedure or an information device, and/or by routing the information to an output device. A processor may, for example, use or comprise the capabilities of a controller or microprocessor.
The network 105 (also referred to as a communication path or link) may use any type of protocol or data format, including but not limited to: Internet Protocol (IP), Transmission Control Protocol/Internet Protocol (TCP/IP), Hypertext Transfer Protocol (HTTP), RS232 protocol, Ethernet protocol, Medical Interface Bus (MIB) compatible protocol, Local Area Network (LAN) protocol, Wide Area Network (WAN) protocol, Campus Area Network (CAN) protocol, Metropolitan Area Network (MAN) protocol, Home Area Network (HAN) protocol, Institute of Electrical and Electronics Engineers (IEEE) bus compatible protocol, Digital Imaging and Communications in Medicine (DICOM) protocol and Health Level Seven (HL7) protocol.
The system 100 uses a client/server architecture. A client/server architecture is a distributed computing architecture in which client processes and/or devices request services from server processes and/or devices. The client 101 is a computer or device on the network 105, such as a personal computer or workstation, on which a user runs applications. The server 102 or 103 is a computer or device on the network 105 that manages network resources, such as disk drives, printers, network traffic, databases and processing power. A server may be dedicated to performing a single task or may perform several tasks at once.
The global session manager 104 coordinates the sessions of the first server 102 and the second server 103. The manager 104 may be represented as a separate component, as shown in Fig. 1, or may be incorporated into one or more of the servers 102 and 103. A session is the period of time during which a user interacts with one or more application programs. A session begins when the user accesses an application program and ends when the user quits the application program. A session is also the activity a user spends on a web site during a specified period of time. The number of user sessions on a web site is used to measure the amount of traffic the web site receives. The web site administrator determines the period of user inactivity after which a user session ends (for example, 30 minutes). If a visitor is active on the site within that period, the activity still counts as one user session, because any number of visits within 30 minutes is counted as a single session. If the specified period (for example, one hour) since the start of the visit has elapsed without user activity and the visitor then returns to the web site, this is counted as a separate user session.
The system 100 supports a process called single sign-on (also spelled single signon or single sign on, and abbreviated SSO). Single sign-on is an authentication process in a client/server architecture in which a user enters credential information 216 (see Fig. 2), such as a user identifier 219 and a password 220, once via the client 101 in order to access more than one application or to obtain a plurality of resources within the system 100. Single sign-on eliminates the need for the user to enter the same or additional credential information when switching from one application to another, and allows the workflow of tasks to continue uninterrupted. The applications requiring login may reside on the same server or on different servers. For example, the user accesses the first application 106 on the first server 102 and the second application 107 on the second server 103 via a single entry of credential information at the client 101.
The single sign-on process provides at least the following advantages:
1. Allows resources to be protected by HTTP basic authentication.
2. Allows resources to use the infrastructure that works with HTTP basic authentication.
3. Allows the components required in addition to the web browser to be downloaded to the client 101 on demand via an HTTP request.
4. Requires no separate software to capture credential information.
5. Protects the management and transmission of credentials.
6. Requires no expensive certificate management process/solution.
7. Requires no HTTP server-side cookies.
Fig. 2 illustrates the client 101 and the second server 103 of the system 100 shown in Fig. 1. The client 101 communicates with the second server 103 via the network 105.
The client 101 includes a user interface 201, a processor 202 and a memory 203. The user interface 201 includes a data input device 204, a display processor 205 and a data output device 206. The memory 203 includes a browser application 209 ("browser"), which in turn includes an applet application 210 ("applet"). The processor 202 communicates with each of the user interface 201 and the memory 203.
The server 103 includes a processor 211 and a repository 212. The processor 211 includes a communication processor 213, an authentication processor 214 and a context processor 215. The repository 212 includes credential information 216, the second application 107, an initial user identifier 217, files 218 and server pages 224. The credential information 216 includes a user identifier 219, a password 220, biometric information 221 and security object information 222. The server 102 includes the same components as the server 103.
In the client 101, the user interface 201 allows a user to interact with the client 101 by entering user interface data 207 into the client 101 and/or by receiving user interface data from the server 103 via the network 105. The user interface 201 generates one or more display images 208, for example as shown in Fig. 7.
The data input device 204 provides input data 207 to the display processor 205 in response to receiving information entered manually by a user or received automatically from an electronic device. For example, the data input device 204 is a keyboard and mouse, but it may also be a touch screen or, for example, a microphone with a voice recognition application.
In response to receiving the input data 207 or other data from the server 103, such as user interface data, the display processor 205 generates display data representing one or more images 208 for display. The display processor 205 is a known element comprising electronic circuitry or software or a combination of both, for generating display images 208 or portions thereof. The images 208 for display may include any information stored in the memory 203 and/or any information described herein. A user action, such as activating a displayed button, may cause a display image 208 to be shown.
The data output device 206 represents any type of element that reproduces data for access by a user. For example, in response to receiving a display signal, the data output device 206 is a display that produces display images as shown in Fig. 7, but it may also be, for example, a loudspeaker or a printer.
The user interface 201 provides a graphical user interface (GUI), for example as shown in Fig. 7.
In the memory 203, the browser application 209 (i.e., a "web browser") is a software application (i.e., a function or program) used to locate and display web pages. Examples of browsers include Netscape Navigator and Microsoft Internet Explorer. Both are graphical browsers, meaning that they can display graphics as well as text. Browsers can display multimedia information including sound and video, although plug-ins are required for some formats.
In the browser application 209, the applet application 210 is an executable application (i.e., a function or program) that executes within another application (for example, the browser 209). The applet sets the credential information 216 in the browser 209. Typically, an applet is a small Internet application that cannot execute directly from the operating system of the client 101 and is designed to be accessed from the browser 209. Applets have a small file size, are cross-platform compatible and are highly secure (i.e., they cannot be used to access a user's hard drive). Typically, the applet 210 is a small Java program that can be embedded in a Hypertext Markup Language (HTML) web page and is downloaded to the browser 209 when the browser 209 accesses the web page. Applets differ from full-fledged Java applications in that they are not allowed to access certain resources on the local computer, such as files and serial devices (modems, printers and the like), and are prohibited from communicating with most other computers across the Internet. The general rule is that an applet can make an Internet connection only to the computer from which the applet was sent. A browser 209 equipped with a Java Virtual Machine can interpret applets that come from a web server.
As an alternative to the applet 210, the server 103 may download an ActiveX control to the browser 209. ActiveX is a loosely defined set of technologies developed by Microsoft for sharing information among different applications. ActiveX is an outgrowth of two other Microsoft technologies called Object Linking and Embedding (OLE) and the Component Object Model (COM). ActiveX applies to a whole set of COM-based technologies. An ActiveX control represents a specific way of implementing ActiveX technologies.
ActiveX controls are automatically downloaded and executed by the browser 209. ActiveX is not a programming language but rather a set of rules for how applications should share information. Programmers can develop ActiveX controls in a variety of languages, including C, C++, Visual Basic and Java.
An ActiveX control is similar to a Java applet. Unlike a Java applet, however, an ActiveX control has full access to the Windows operating system. This gives the ActiveX control more power than a Java applet, but with this power comes a certain risk: the ActiveX control may damage software or data on the client 101. To control this risk, Microsoft developed a registration system so that the browser 209 can identify and authenticate an ActiveX control before downloading it. Another difference between Java applets and ActiveX controls is that Java applets can be written to run on all platforms, whereas ActiveX controls are currently limited to Windows environments.
As an alternative to the applet 210 and ActiveX controls, the server 103 may use scripts (for example, Visual Basic Script (VBScript) or JavaScript), which allow web authors to insert interactive elements into HTML documents. Thus, the server 103 may download permission functionality in various forms (for example, applets, ActiveX controls and scripts) to the client 101 to realize the advantages of the present invention.
In the server 103, the processor 211 exchanges data with the client 101 and exchanges stored data 223 with the repository 212. The processor 211 performs tasks in response to processing objects. Objects include sets of data and/or executable instructions, executable procedures or the second executable application 107.
The communication processor 213 represents a communication interface that establishes communication links (also referred to as communication paths, links, channels or connections) with a plurality of different devices via the network 105 by sending and/or receiving signals (for example, data). The communication processor 213 uses communication protocol data stored in the repository 212 to establish communication over the wired or wireless network 105.
The authentication processor 214 performs the method 300 of Fig. 3. The authentication processor 214 may be represented by one processor or by more than one processor, for example a first authentication processor performing steps 302 and 303 and a second authentication processor performing steps 304-307.
The context processor 215 securely obtains the initial user identifier 217 from data received from the authentication processor 214. The context processor 215 obtains the initial user identifier 217 securely by using a securely generated session identifier that identifies the particular session of user operation and computer resource use.
The repository 212 represents a data storage element and comprises a storage device, database, memory device, cache memory or the like. The repository associates the initial user identifier 217 with the second executable application 107 and with the credential information 216, as described with reference to step 303 of Fig. 3. The repository may also associate another initial user identifier with another executable application in the second server 103 and with other credential information 216. The credential information 216 is maintained in a non-secure area of the repository 212, so that no authentication is needed to access the repository 212.
In particular, a cache memory is a special high-speed storage mechanism. A cache memory may be a reserved section of main memory or an independent high-speed storage device. When data is found in the cache memory, this is called a cache hit, and the effectiveness of a cache memory is judged by its hit rate. Many cache memory systems use a technique known as smart caching, in which the system recognizes certain types of frequently used data.
The repository 212 used as the cache memory may be an existing database with an existing infrastructure, so that the advantages described herein are provided to the existing infrastructure. This includes database connection pooling and a resource-pool data store for managing the user accounts and passwords used to access the database. No additional configuration information is needed. The following table lists the columns added to the existing database in the server 103.
Column name   Type      Size   NULL   Default   Key
Datamode      Varchar   255    No     N/A       Yes
GsmUserId     Varchar   255    No     N/A       Yes
UserId        Varchar   255    No     N/A       No
Password      Varchar   255    No     N/A       No
Other fields in the table may include, for example, biometric, genomic, DNA or other user identification information.
The credential information 216 represents any information that identifies a user. A user may be identified by who they are (for example, biometric information 221 such as a fingerprint or retina scan), by what they have (for example, security object information 222 such as an identification card or RFID tag) or by what they know (for example, credentials such as a user identifier 219 (for example, a user name) and/or a user password 220). The user identifier 219 and the user password 220 may be of any form, for example including letters, numbers, symbols and the like. HTTP basic authentication on the Internet uses a user name and a user password.
The second executable application 107 represents one or more software applications, programs or functions that control the operation of the system 100 according to predetermined instructions. An executable application includes code or machine-readable instructions, for example for performing predetermined functions in response to user commands or inputs, including functions of an operating system, a health care information system or another information processing system. The repository 212 also includes system software (not shown), which comprises low-level programs that interact with the computer at a very basic level and includes the operating system, compilers and utilities for managing computer resources.
The initial user identifier 217 represents a user identity known to the first server 102. The initial user identifier 217 may be of any form, for example including any form of the credential information 216.
The files 218 support access by one or more different users to a plurality of different executable applications. An individual file in the files 218 includes credential information associated with another initial user identifier and with another executable application, which enables the user to access the other executable application.
The server pages 224 include three new server pages added to the bin (library) directory of the repository 212, called for example GsmChild.asp, TestCredential.asp and SetCredential.asp. These three server pages support the method and sequence diagrams described with reference to Figs. 3-6.
Fig. 3 illustrates the authentication method 300 ("method") for the system 100 shown in Fig. 1.
In step 301, the method 300 starts.
In step 302, in response to receiving user identification information, the authentication processor 214 securely obtains the initial user identifier 217. The authentication processor 214 obtains the initial user identifier securely by using a securely generated session identifier that identifies the particular session of user operation and computer resource use.
In step 303, the authentication processor 214 stores information that associates the initial user identifier 217 with the particular executable application 107 and with the credential information 216 comprising the first user identifier 219 and the corresponding first password 220, which enable the user to access the particular executable application 107.
In step 304, the authentication processor 214 receives data representing the initial user identifier 217.
In step 305, in response to a user command to the browser application 209 to access the particular executable application 107, the authentication processor 214 detects a request for credential information 216 initiated by the browser application 209.
In step 306, in response to the detected request initiated by the browser application 209, the authentication processor 214 validates whether the credential information 216 obtained from the repository 212 using the received initial user identifier 217 authorizes the user to access the particular executable application 107.
In step 307, in response to successful validation, the authentication processor 214 provides the validated authorized credential information 216 obtained from the repository 212 to the browser application 209, so that the user can access the particular executable application 107.
In step 308, the method 300 ends.
Referring to Figs. 4, 5 and 6, each of these figures describes sequential steps (i.e., interactions, exchanges, communications or the like) between or within the client 101, the first server 102, the second server 103 and the manager 104. The client 101 includes the browser 209 and the applet 210. The first server 102 includes the first application 106. The second server 103 includes the second application 107, the processor 211 and the repository 212. The system 100 advantageously combines the applet 210 and the repository 212 with the other elements shown to support the single sign-on method. The vertical line extending below each of these elements represents the corresponding element. Each horizontal line represents communication between particular elements, and the direction of the arrow on each horizontal line represents the direction of the communication. The communication represents one or more messages sent between the particular elements.
Fig. 4 illustrates a sequence diagram 400 ("diagram") of a user's first-time operation of the system 100 shown in Fig. 1.
In step 401, the user logs in to the first application 106 on the first server 102 via the browser 209 in the client 101. The user logs in by entering the initial user identifier 217 (for example, an initial user identifier known to the first application 106).
In step 402, the first application 106 passes a global session manager ("GSM") initial session message to the manager 104. The initial session message is transmitted via a conventional user interface interoperability protocol ("UIIP") or another protocol. The initial session message includes the initial user identifier 217.
In step 403, the first application 106 in the first server 102 passes a register-user-mapping message to the manager 104. The user-mapping message is transmitted using UIIP or another protocol.
In step 404, the browser 209 in the client 101 interacts with the first application 106 in the first server 102. Such interaction may include, for example, entering, changing, analyzing, processing or receiving information. When the system 100 is used by a health care organization, the first application 106 may be a clinical application, which includes, for example, health care information about patients.
In step 405, the browser 209 in the client 101 passes a Hypertext Transfer Protocol (HTTP) request to the processor 211 in the second server 103 (for example, to the GsmChild.asp server page). Such a request is obtained in the first application 106, for example, by clicking an icon, a menu item or a link displayed in the first application. The request represents a request to log in to the second application in a new instance of the browser 209 and to interact with the second application. When the system 100 is used by a health care organization, the second application 107 may be a financial application, which includes, for example, financial information about patients. The request is transmitted using UIIP or another protocol, and the session ID is obtained by parsing the argument from the query string.
The request may, for example, take the form of a uniform resource locator (URL) in one of the following three forms. The three URL versions determine how the browser is presented to the user.
1. http://<Soarian Financial Server>/<Financial Information System Virtual Root>/bin/GsmChild.asp?GSM=<sessionID:encrypted data>&Tab=<initial tab url>
The first URL starts browser 209 with the user's home page and an initial tab.
2. http://<Soarian Financial Server>/<Financial Information System Virtual Root>/bin/GsmChild.asp?GSM=<sessionID:encrypted data>&Homepage=<initial tab url>
The second URL starts browser 209 without the default home page, to prevent the user from branching off to other tasks.
3. http://<Soarian Financial Server>/<Financial Information System Virtual Root>/bin/GsmChild.asp?GSM=<sessionID:encrypted data>
The third URL starts browser 209 with the default home page and no specific task activity.
First application 106 assembles the correct <Financial Information System Server>, <Financial Information System Virtual Root> and <initial tab url>. <initial tab url> may be fully qualified or relative to <Financial Information System Server>/<Financial Information System Virtual Root>/html. First application 106 also establishes a separate instance of browser 209 as the target of the URL. That separate instance of browser 209 should be a named window, so that first application 106 can refresh the window if the context changes.
Because the GsmChild.asp server page may change <Financial Information System Server> into a fully qualified domain name, the GSM encrypted data is decrypted, re-hashed and re-encrypted.
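The three URL forms and the GsmChild.asp handling of the GSM parameter, as an added example that is not code from the patent or from the Soarian product. The page does not say which hash or cipher produces <sessionID:encrypted data>; this example assumes the opaque part is an HMAC-SHA256 over the session id and the server name, which is one reading of why rewriting the server name to a fully qualified domain name forces the data to be re-hashed. The key, the host names, the virtual root `sfi` and the session id `abc123` are constructed for the example.

```python
"""Build and check the GsmChild.asp URLs of forms 1, 2 and 3.  Added example,
not the patent's code: the HMAC binding of the session id to the server name
is an assumption, since the page names neither the hash nor the cipher."""
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit


def gsm_value(key: bytes, session_id: str, server: str) -> str:
    """<sessionID:encrypted data>: here the session id and a keyed hash bound to the host."""
    mac = hmac.new(key, f"{session_id}|{server.lower()}".encode(), hashlib.sha256).hexdigest()
    return f"{session_id}:{mac}"


def build_child_url(key, server, virtual_root, session_id, *, tab=None, homepage=None):
    """Form 1 (Tab=), form 2 (Homepage=) or form 3 (GSM only), as first
    application 106 assembles it before opening the named browser window."""
    params = {"GSM": gsm_value(key, session_id, server)}
    if tab is not None:
        params["Tab"] = tab
    elif homepage is not None:
        params["Homepage"] = homepage
    return urlunsplit(("http", server, f"/{virtual_root}/bin/GsmChild.asp", urlencode(params), ""))


def handle_child_request(key, url, fqdn):
    """GsmChild.asp side: take the session id from the query string argument,
    check it against the host the URL was built for, pick the browser mode and
    re-bind the GSM data to the fully qualified domain name the page may switch to."""
    parts = urlsplit(url)
    query = parse_qs(parts.query, keep_blank_values=True)
    gsm = query.get("GSM", [""])[0]
    session_id, sep, _ = gsm.partition(":")
    if not sep or not session_id:
        raise ValueError("malformed GSM parameter")
    expected = gsm_value(key, session_id, parts.hostname or "")
    if not hmac.compare_digest(gsm.encode(), expected.encode()):
        raise ValueError("GSM data does not match this session id and server")
    mode = "tab" if "Tab" in query else "homepage" if "Homepage" in query else "default"
    target = query.get("Tab", query.get("Homepage", [None]))[0]
    return {"session_id": session_id, "mode": mode, "target": target,
            "gsm_for_fqdn": gsm_value(key, session_id, fqdn)}
```

Because the session id travels in the query string, the binding check is the only evidence GsmChild.asp has that the value was assembled by first application 106 for this server; the example therefore validates it before reading Tab or Homepage, and issues a fresh binding for the fully qualified name rather than accepting the old one under the new host.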
In step 406, processor 211 on second server 103 passes a GSM get session message to manager 104, using UIIP or another protocol.
In step 407, processor 211 on second server 103 passes a get user mapping message to manager 104, using UIIP or another protocol.
In step 408, processor 211 on second server 103 passes a get credentials message to repository 212 on second server 103 to retrieve the user's credential information 216 for the requested session. Within credential information 216, password 220 is protected, for example, by an encryption method and a session key. For a user's first use, however, repository 212 does not yet hold credential information 216 for that user.
In step 409, because no credential information 216 was found for the user in repository 212, repository 212 on second server 103 passes a no credentials message to processor 211 on second server 103.
In step 410, because no credential information 216 was found for the user in repository 212, processor 211 on second server 103 passes a no credentials message to browser 209 in client 101. Credential information 216 is blank (that is, a zero-length string).
In step 411, browser 209 in client 101 passes a set credentials message to applet 210 in client 101, for example by using the Microsoft Win32 Internet (WinInet) application programming interface (API). Step 411 ensures that the user's credential information 216 is set for subsequent HTTP requests from browser 209 to the web site, which removes the need to prompt the user for credential information 216. However, because repository 212 returned no stored credential information 216 for the user in steps 409 and 410, no credential information 216 is set in step 411.
In step 412, applet 210 in client 101 passes a test credentials message to processor 211 on second server 103 (for example, to the TestCredential.asp server page), for example by using the WinInet API. The test credentials message determines whether credential information 216 is valid or invalid, and accordingly whether access to second application 107 is granted or denied.
In step 413, because no stored credential information 216 was found for the user in repository 212, processor 211 on second server 103 passes an access denied message (for example, an HTTP 401 status) to applet 210 in client 101.
In step 414, applet 210 in client 101 passes a prompt for credentials message to browser 209 in client 101. Processor 211 (for example, authentication processor 214) initiates prompting the user to enter credential information by one or both of the following: (a) initiating generation of data representing a menu prompt that asks the user to enter credential information; and (b) directing web browser 209 to initiate generation of data representing a menu prompt that asks the user to enter credential information. The user can enter credential information 216 in the conventional dialog box for HTTP basic authentication, for example as shown in Fig. 7. If the user enters incorrect credential information 216, the server repeats step 413 at most twice more (that is, the user has three chances to enter the correct information).
In step 415, browser 209 in client 101 passes a credentials message carrying credential information 216 to applet 210 in client 101.
In step 416, applet 210 in client 101 passes a set credentials message to processor 211 on second server 103 (for example, to the SetCredential.asp server page) so that repository 212 is updated with the entered credential information 216. The SetCredential.asp server page queries the request object's server variables for the user ID and user password. It also retrieves the GSM session ID from the query arguments, and retrieves the entity and data schema from the cache.
In step 417, processor 211 on second server 103 passes a GSM get session message to manager 104, using UIIP or another protocol.
In step 418, processor 211 on second server 103 passes a set credentials message to repository 212 on second server 103. Once the set credentials method has completed successfully, processor 211 redirects the browser to second application 107.
In step 419, with the user's credential information 216 stored and/or validated in repository 212, browser 209 in client 101 interacts with second application 107 on second server 103 through the new instance of browser 209. When the user has finished the task in second application 107, the user may close the instance of browser 209 used for second application 107 while leaving open the instance of browser 209 used for first application 106. If, at a later time, the credential information 216 identifying the user to second application 107 remains valid in repository 212, the user is allowed to open second application 107 without entering that credential information 216 again. The user's workflow is therefore not interrupted by a login procedure when access to second application 107 is requested.
In step 420, browser 209 in client 101 interacts with first application 106 on first server 102. Thus, once the user has logged in to each application, system 100 allows the user to interact with both first application 106 on first server 102 and second application 107 on second server 103.
Fig. 5 shows a sequence diagram 500 for normal operation of system 100 shown in Fig. 1. In Fig. 5, steps 401-408, 419 and 420 are the same as the steps shown and described in Fig. 4.
In step 501, repository 212 on second server 103 passes a return credentials message to processor 211 on second server 103. The return credentials message includes a routine that decrypts the password (run, for example, on the window load (onLoad) event).
In step 502, processor 211 on second server 103 passes a return credentials message (for example, an HTTP 200 status message) to browser 209 in client 101, which calls the set credentials method of applet 210.
In step 503, browser 209 in client 101 passes a set credentials message to applet 210 in client 101, as in step 411 of Fig. 4.
In step 504, applet 210 in client 101 passes a test credentials message to processor 211 on second server 103, as in step 412 of Fig. 4.
Fig. 6 shows a sequence diagram 600 for expired-password operation of system 100 shown in Fig. 1. In Fig. 6, steps 401-408, 419 and 420 are the same as the steps shown and described in Fig. 4, and steps 501-504 are the same as the steps shown and described in Fig. 5.
In step 601, processor 211 on second server 103 passes a redirect message (for example, an HTTP 302 status message) to applet 210 in client 101.
In step 602, applet 210 in client 101 passes a set redirect uniform resource locator ("URL") message within applet 210 in client 101.
In step 603, applet 210 in client 101 passes a redirect message to browser 209 in client 101. Client 101 displays a window that notifies the user: "Your password has expired". On seeing this window, the user enters user identifier 219, the old password and the new password twice, and clicks OK to regain access to second application 107.
In step 604, browser 209 in client 101 passes a get redirect URL message to applet 210 in client 101.
In step 605, browser 209 in client 101 passes the redirect URL to processor 211 on second server 103.
In step 606, processor 211 on second server 103 passes a GSM get session message to manager 104.
In step 607, processor 211 on second server 103 passes a get user mapping message to manager 104.
In step 608, processor 211 on second server 103 passes a set credentials message to repository 212 on second server 103.
Likewise, a similar method can be used for a password 220 that is about to expire but has not yet expired. In this case, the expiration date of the user's password for second application 107 is used to notify the user within an advance warning period before the password expires. After step 408, for example, client 101 displays a window that notifies the user: "Your password will expire". On seeing this window, the user can enter user identifier 219, the old password and the new password twice, and click OK to continue accessing second application 107.
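The three sequence diagrams above (first use in Fig. 4, normal operation in Fig. 5, expired password in Fig. 6) as one stand-alone simulation. This is an added example, not code from the patent or from the Siemens product it describes. The page says only that password 220 is protected by "an encryption method and a session key", so `seal()`/`unseal()` below use an HMAC-SHA256 keystream with an authentication tag as a stand-in cipher; `verify()` stands in for the second application's own login check, which the page does not describe; the account `jdoe`, the application name `financial` and the initial user identifiers are constructed. All of these are assumptions of the example.

```python
"""Simulation of the credential-vault exchange of Figs. 4-6.  Added example,
not the patent's code: the cipher is a stand-in (page names none), verify()
stands in for the second application's own login check, and the accounts,
session ids and application name are constructed for the walk-through."""
import hashlib
import hmac
import os

MAX_ATTEMPTS = 3  # step 413 repeats at most twice more: three chances in total


def _stream(key, nonce, n):
    blocks = (hmac.new(key, b"enc" + nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]


def seal(session_key, password):
    """Encrypt-then-MAC under the session key with a fresh nonce.  The vault has
    to hand the password back to the browser (steps 501-502), so hashing would not do."""
    nonce, data = os.urandom(16), password.encode()
    body = bytes(a ^ b for a, b in zip(data, _stream(session_key, nonce, len(data))))
    tag = hmac.new(session_key, b"mac" + nonce + body, hashlib.sha256).digest()
    return nonce + body + tag


def unseal(session_key, blob):
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    expect = hmac.new(session_key, b"mac" + nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expect):
        raise ValueError("stored credential altered or wrong session key")
    return bytes(a ^ b for a, b in zip(body, _stream(session_key, nonce, len(body)))).decode()


class SecondServer:
    """Processor 211 / authentication processor 214 behind the three .asp pages;
    self.sessions plays manager 104 and self.repo plays repository 212."""
    def __init__(self, session_key, verify):
        self.key, self.verify, self.sessions, self.repo = session_key, verify, {}, {}

    def init_session(self, initial_user_id):  # GSM initialize session, step 402
        session_id = os.urandom(16).hex()
        self.sessions[session_id] = initial_user_id
        return session_id

    def get_credential(self, session_id, app):  # GsmChild.asp: steps 406-410 or 501-502
        found = self.repo.get((self.sessions[session_id], app))
        if found is None:
            return ""  # "no credentials" is a zero-length string (step 410)
        user_id, sealed = found
        return f"{user_id}:{unseal(self.key, sealed)}"

    def test_credential(self, user_id, password):  # TestCredential.asp: step 412 or 504
        return {"ok": 200, "expired": 302, "bad": 401}[self.verify(user_id, password)]

    def set_credential(self, session_id, app, user_id, password):  # SetCredential.asp: 416-418
        self.repo[(self.sessions[session_id], app)] = (user_id, seal(self.key, password))


def open_second_application(server, session_id, app, prompt):
    """Browser 209 plus applet 210 side of Figs. 4-6; prompt() plays the Fig. 7
    dialog.  Returns (outcome, number of times the user was prompted)."""
    stored = server.get_credential(session_id, app)
    user_id, password = stored.split(":", 1) if stored else ("", "")
    entered = 0
    while True:
        status = server.test_credential(user_id, password)
        if status == 302:
            return "password_expired", entered  # step 601: change-password redirect
        if status == 200:
            if entered:
                server.set_credential(session_id, app, user_id, password)  # step 416
            return "granted", entered  # step 418: redirect to second application 107
        if entered == MAX_ATTEMPTS:
            return "denied", entered
        user_id, password = prompt()  # 401 (step 413) leads to the prompt (step 414)
        entered += 1


def run_scenarios():
    """Constructed walk through Fig. 4, Fig. 5, Fig. 6 and a lockout for one user."""
    accounts, expired = {"jdoe": "s3cret!"}, set()  # the second application's own accounts

    def verify(user_id, password):
        if accounts.get(user_id) != password:
            return "bad"
        return "expired" if user_id in expired else "ok"

    server = SecondServer(os.urandom(32), verify)
    sid = server.init_session("clin-jdoe")  # initial user identifier 217 (constructed)
    good, bad = (lambda: ("jdoe", "s3cret!")), (lambda: ("jdoe", "wrong"))
    result = {"first_use": open_second_application(server, sid, "financial", good)}
    result["normal"] = open_second_application(server, sid, "financial", good)
    expired.add("jdoe")
    result["expired"] = open_second_application(server, sid, "financial", good)
    result["lockout"] = open_second_application(server, server.init_session("clin-asmith"),
                                                "financial", bad)
    return result
```

`run_scenarios()` yields `granted` after one prompt on first use, `granted` with no prompt once the vault holds the credentials, `password_expired` once the account is marked expired, and `denied` after the three attempts of step 414. Because the vault must return password 220 in usable form, the sealed blob and the session key are all that stand between whoever can read the repository and the password; the example therefore binds an authentication tag to each blob and rejects one that was altered or sealed under a different key.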
Fig. 7 shows an authentication window 700 for system 100 shown in Fig. 1. Browser 209 in client 101 generates authentication window 700. Authentication window 700 includes a site identification 701, a realm identification 702, a user name box 703, a password box 704, a save password check box 705, an OK button 706 and a cancel button 707. A user of system 100 enters their user name in user name box 703 and their password in password box 704 to provide HTTP basic authentication of the user to system 100.
Accordingly, although the invention has been described with reference to various illustrative embodiments, it is not intended to be limited to those specific embodiments. Those skilled in the art will appreciate that the disclosed subject matter may be changed, modified and combined without departing from the scope and spirit of the invention as set out in the appended claims.

Claims (14)

1. An Internet compatible system for use in authenticating user access to information, comprising:
a repository associating an initial user identifier with a particular executable application and with credential information comprising a first user identifier and a corresponding first password, the first user identifier and the first password enabling a user to access the particular executable application; and
an authentication processor for:
receiving data representing the initial user identifier;
detecting a browser application initiated request for credential information in response to a user command to the browser application to access the particular executable application;
validating, in response to a detected browser application initiated request, whether credential information derived from the repository using the received initial user identifier authorizes a user to access the particular executable application; and
providing, in response to successful validation, validated authorized credential information derived from the repository to the browser application to enable a user to access the particular executable application.
2. A system according to claim 1, wherein:
the repository of credential information is stored in a non-secure area of memory, so that access to the repository does not require authentication.
3. A system according to claim 1, including:
a context processor for securely acquiring the initial user identifier; and
wherein the context processor securely acquires the initial user identifier by using a securely generated session identifier that identifies a particular session of user operation and computer resource usage.
4. A system according to claim 1, wherein:
the credential information comprises at least one of: (a) a password, (b) a user identifier, (c) a client, and (d) biometric information associated with a particular user.
5. A system according to claim 1, wherein:
in response to failed validation of the credential information derived from the repository, the authentication processor initiates prompting a user to enter credential information; and
the authentication processor initiates prompting a user to enter credential information by at least one of: (a) initiating generation of data representing a menu prompt requesting the user to enter credential information; and (b) directing a web browser to initiate generation of data representing a menu prompt requesting the user to enter credential information.
6. A system according to claim 5, wherein:
in response to user entry of credentials based on the prompt, the authentication processor updates the repository with the entered credentials.
7. A system according to claim 1, wherein:
in response to successful validation, the authentication processor initiates a new browser instance to enable a user to access the particular executable application; and
the browser application comprises at least one of: (a) a Microsoft Internet Explorer compatible browser and (b) a Netscape Navigator compatible browser.
8. A system according to claim 1, wherein:
the repository associates credential information associated with another initial user identifier with a second executable application, enabling a user to access the second executable application; and
the repository comprises one or more repositories associating a plurality of information files, an individual file of the plurality of files comprising credential information associated with another initial user identifier and with another executable application to enable a user to access the other executable application, the plurality of files supporting user access by one or more different users to a plurality of different executable applications.
9. An Internet compatible system for use in authenticating user access to information, comprising:
a first authentication processor for securely acquiring an initial user identifier in response to received user identification information;
a repository associating the initial user identifier with a particular executable application and with credential information comprising a first user identifier and a corresponding first password, the first user identifier and the first password enabling a user to access the particular executable application; and
a second authentication processor for:
receiving data representing the initial user identifier;
detecting a browser application initiated request for credential information in response to a user command to the browser application to access the particular executable application;
validating, in response to a detected browser application initiated request, whether credential information derived from the repository using the received initial user identifier authorizes a user to access the particular executable application; and
providing, in response to successful validation, validated authorized credential information derived from the repository to the browser application to enable a user to access the particular executable application.
10. A system according to claim 9, wherein:
the first authentication processor securely acquires the initial user identifier by using a securely generated session identifier that identifies a particular session of user operation and computer resource usage.
11. An Internet compatible system for use in authenticating user access to information, comprising:
a first authentication processor for securely acquiring an initial user identifier in response to received user identification information;
a repository associating the initial user identifier with a particular executable application and with credential information comprising a first user identifier and a corresponding first password, the first user identifier and the first password enabling a user to access the particular executable application; and
a second authentication processor for:
receiving data representing the initial user identifier;
detecting a browser application initiated request for credential information in response to a user command to the browser application to access the particular executable application;
validating, in response to a detected browser application initiated request, whether credential information derived from the repository using the received initial user identifier authorizes a user to access the particular executable application, and, in response to failed validation of the credential information derived from the repository, initiating prompting a user to enter credential information; and
providing, in response to successful validation, validated authorized credential information derived from the repository to the browser application to enable a user to access the particular executable application.
12. A method for use in an Internet compatible system for authenticating user access to information, comprising the activities of:
storing information associating an initial user identifier with a particular executable application and with credential information comprising a first user identifier and a corresponding first password, the first user identifier and the first password enabling a user to access the particular executable application;
receiving data representing the initial user identifier;
detecting a browser application initiated request for credential information in response to a user command to the browser application to access the particular executable application;
validating, in response to a detected browser application initiated request, whether credential information derived from the stored information using the received initial user identifier authorizes a user to access the particular executable application; and
providing, in response to successful validation, validated authorized credential information derived from the stored information to the browser application to enable a user to access the particular executable application.
13. An Internet compatible system for use in authenticating user access to information, comprising:
a repository associating an initial user identifier with a particular executable application and with credential information that enables a user to access the particular executable application; and
an authentication processor for:
receiving data representing the initial user identifier;
detecting a browser application initiated request for credential information in response to a user command to the browser application to access the particular executable application;
validating, in response to a detected browser application initiated request, whether credential information derived from the repository using the received initial user identifier authorizes a user to access the particular executable application; and
providing, in response to successful validation, validated authorized credential information derived from the repository to the browser application to enable a user to access the particular executable application.
14. A system according to claim 13, wherein the credential information further comprises:
a first user identifier and a corresponding first password.
CN 200480037554 2003-12-17 2004-12-17 Internet protocol compatible access authentication system Pending CN1894645A (en)

Applications Claiming Priority (3)

Application Number Priority Date Filing Date Title
US53036103P 2003-12-17 2003-12-17
US60/530,361 2003-12-17
US11/013,084 2004-12-15

Publications (1)

Publication Number Publication Date
CN1894645A true CN1894645A (en) 2007-01-10

Family

ID=37598268

Family Applications (1)

Application Number Title Priority Date Filing Date
CN 200480037554 Pending CN1894645A (en) 2003-12-17 2004-12-17 Internet protocol compatible access authentication system

Country Status (1)

Country Link
CN (1) CN1894645A (en)

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
TWI478122B (en) * 2012-12-25 2015-03-21 Univ Chienkuo Technology All-round care counseling system
CN103685491A (en) * 2013-12-04 2014-03-26 华为技术有限公司 Application service providing method, system and related equipment
CN103685491B (en) * 2013-12-04 2017-10-17 华为技术有限公司 Application service providing method, system and related device
CN105208045A (en) * 2015-10-28 2015-12-30 广东欧珀移动通信有限公司 Identity authentication method, equipment and system
CN105208045B (en) * 2015-10-28 2017-08-25 广东欧珀移动通信有限公司 Identity authentication method, device and system

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C02 Deemed withdrawal of patent application after publication (patent law 2001)
WD01 Invention patent application deemed withdrawn after publication