WO2010075798A1 - Configuration and authentication method for cross-domain authorization, and corresponding equipment and system - Google Patents



Publication number
WO2010075798A1
Authority
WO
WIPO (PCT)
Prior art keywords
page
information
user
resource information
server
Prior art date
Application number
PCT/CN2009/076318
Other languages
English (en)
Chinese (zh)
Inventor
孙谦
胡立新
谭东晖
Original Assignee
华为技术有限公司
Application filed by 华为技术有限公司
Publication of WO2010075798A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F 21/31 User authentication
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/60 Protecting data
    • G06F 21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities

Definitions

  • the present invention relates to the field of computer applications, and in particular, to a cross-domain authorization setting, a signing method, a related device, and a system.
  • Background technique
  • an SNS (Social Network Site), commonly referred to in China as a social networking server, is a virtual social network platform based on the idea of a social network relationship system. From Myspace to Facebook, Kaixin and Xiaonei, domestic and international social networking servers have matured and become part of the daily life of more and more people. At the same time, a large number of applications are provided to users on the social networking platform.
  • the application is generally provided by an application server. It is these colorful social applications that truly bring value to users.
  • the application website server is often separated from the social network server and can be operated by different service providers, and the application website server and the social network server are generally located in different domains.
  • the user can have a lot of resource information in the application website server, such as photos, videos, diaries, microblogs, URL collections or location information, and the social network server stores the user's relationship information, such as contacts (also called friends lists) and groups.
  • the embodiments of the present invention provide a cross-domain authorization setting, a signing method, a related device, and a system, so that the user's resource information in the first domain can be authorized to the user's relationship information in the second domain, thereby improving the user experience.
  • the embodiment of the invention provides a method for setting an inter-domain authorization, which includes:
  • the embodiment of the invention further provides an authentication method for cross-domain authorization, which includes:
  • the embodiment of the invention further provides a method for setting a cross-domain authorization, which includes: receiving a request sent by the user through the terminal; sending, in response to that request, a first page that includes the resource information to the terminal, so that the terminal sends a request for the relationship information to the second server of the second domain according to the first page, acquires the relationship information sent by the second server, and displays it on a second page; receiving, from the terminal, the resource information together with the relationship information that the user selected on the second page as corresponding to that resource information; and storing a corresponding record of the selected relationship information and the resource information, the corresponding record being used as the authorization information for accessing the resource information.
  • the embodiment of the invention further provides a terminal, which includes:
  • a request receiving module configured to receive a request for a user to access resource information
  • a display module configured to display, according to the foregoing request, a first page that includes resource information of the user located in the first domain, and to display, according to the first page, a second page that includes relationship information of the user located in the second domain;
  • a relationship information receiving module configured to receive the relationship information that the user selects on the second page as corresponding to the resource information;
  • a sending module configured to send the foregoing resource information and the relationship information selected in the second page to the first server, so that the first server stores the corresponding record of the selected relationship information and the resource information, and uses the corresponding record as the authorization information for accessing the resource information.
  • the embodiment of the invention further provides a server, which includes:
  • a receiving module configured to receive a request of the user through the terminal
  • An obtaining module configured to obtain the authorization information of the user according to the foregoing request, and obtain resource information that the user is authorized to access according to the authorization information;
  • a sending module configured to send the foregoing resource information to the terminal.
  • An embodiment of the present invention further provides a server, including:
  • a receiving module configured to receive a request, sent by a user through the terminal, to access resource information in the first server in the first domain;
  • the obtaining module is configured to obtain the authorization information corresponding to the resource information, where the authorization information records the relationship information of the second server in the second domain corresponding to the resource information;
  • the processing module is configured to determine whether the user belongs to the relationship information; when the determination is yes, the user is allowed to access the resource information, and when the determination is no, the user is denied access to the resource information.
  • An embodiment of the present invention further provides a server, including:
  • a receiving module configured to receive a request sent by a user through the terminal
  • a sending module configured to send, in response to the foregoing request, a first page that includes resource information to the terminal, so that the terminal sends a request for the relationship information to the second server of the second domain according to the first page, acquires the relationship information sent by the second server, and displays the relationship information on the second page;
  • a storage module configured to receive the resource information sent by the terminal together with the relationship information that the user selected on the second page as corresponding to the resource information, to store a corresponding record of the selected relationship information and the resource information, and to use the corresponding record as the authorization information for accessing the resource information.
  • the embodiment of the invention further provides a cross-domain authorization system, which comprises:
  • a first server, located in the first domain, configured to receive a request sent by the user through the terminal and to send, in response to that request, a first page that includes the resource information to the terminal, so that the terminal sends a request for the relationship information to the second server of the second domain according to the first page, acquires the relationship information sent by the second server, and displays it on a second page; the first server is further configured to receive the resource information sent by the terminal together with the relationship information that the user selected on the second page as corresponding to that resource information, to store a corresponding record of the selected relationship information and the resource information, and to use the corresponding record as the authorization information for accessing the resource information;
  • a second server, located in the second domain, configured to send the relationship information of the user to the terminal.
  • the resource information of the user in the first domain can be authorized to the user's relationship information, such as contacts and groups, located in the other domain, thereby improving the user experience.
  • users can directly associate the relationship information in the second server with the resources in the first server, that is, the user can conveniently share and authorize resources from his own perspective.
  • FIG. 1 is a flowchart of a method for setting cross-domain authorization according to an embodiment of the present invention
  • FIG. 2 is a flowchart of a method for setting cross-domain authorization according to another embodiment of the present invention
  • FIG. 4 is a flowchart of a method for setting cross-domain authorization according to another embodiment of the present invention
  • FIG. 6 is a flowchart of a method for authenticating an inter-domain authorization according to an embodiment of the present invention
  • FIG. 7 is a flowchart of a method for authenticating an inter-domain authorization according to another embodiment of the present invention
  • FIG. 8 is a flowchart of a method for authenticating an inter-domain authorization according to another embodiment of the present invention
  • FIG. 9 is a schematic structural diagram of a terminal according to an embodiment of the present invention.
  • FIG. 10 is a schematic structural diagram of a server according to an embodiment of the present invention.
  • FIG. 11 is a schematic structural diagram of a server according to another embodiment of the present invention
  • FIG. 12 is a schematic structural diagram of a server according to another embodiment of the present invention
  • FIG. 13 is a schematic diagram of a server according to an embodiment of the present invention
  • Schematic diagram of a cross-domain authorization system
  • The embodiment of the present invention provides a method for setting a cross-domain authorization. Referring to FIG. 1, the method includes:
  • 101: receiving a request for a user to access resource information;
  • displaying, within the foregoing first page, a second page that includes the relationship information of the user, where the second page is provided by the second server in the second domain;
  • receiving the relationship information that the user selects on the second page as corresponding to the resource information;
  • 105: sending the foregoing resource information and the relationship information selected in the second page to the first server, so that the first server stores the corresponding record of the selected relationship information and the resource information, and uses the corresponding record as the authorization information for accessing the resource information.
  • the user's resource information in the first domain is authorized to relationship information in the second domain, so that the user experience can be improved.
  • the first server in the first domain stores resource information of the user, such as photos, videos, URL collections and blog posts; a second server, in a second domain different from the first domain, stores relationship information such as the user's contacts and groups.
  • Step 201 The terminal receives a request for accessing resource information by the user.
  • the user accesses the resource information in the first server through the terminal; the access may use OpenID technology, that is, the first server is an OpenID (open identity) relying party, the second server is the OpenID provider, and the first server authenticates the user by means of the user's OpenID identity.
  • the browser of the terminal is redirected to the second page of the second server to authenticate the user.
  • the user provides a password or other authentication information, such as a fingerprint.
  • after the redirect returns, the first server displays the first page on the terminal; the first page includes resource information of the user, such as photos, videos, URL collections and blog posts.
  • the first server may also set a session cookie on the browser side of the terminal to maintain the current user session, so that the user does not need to authenticate again on subsequent accesses to the first server. If the browser of the terminal disables cookies, the session information can be carried directly in the HTTP request and response messages to maintain the current user session.
  • cross-domain identity authentication technologies such as SSO (Single Sign On), OpenSSO or Microsoft Passport can also be used: the browser logs in once to the first server, and in the subsequent authorization of the resource information the user's browser can directly access the second server to obtain the user's relationship information without authenticating to the second server again.
  • Step 202 The first server displays the first page, that is, the authorization page for the resource information in the first server, through the browser of the user terminal; the resource information is displayed in the first page together with a button or hyperlink for confirming the authorization.
  • the hypertext code (including the script code) in the first page is generated by the first server and displayed by the first server to the browser end of the user terminal.
  • Step 203 Display a second page that includes relationship information according to the first page.
  • the browser of the terminal is also displayed with a second page including the relationship information of the user, and the hypertext code (including the script code) of the second page is generated by the second server.
  • the second page can have multiple display modes, such as being displayed in an iframe (Inline Frame) in the first page, or being opened in a new browser window when a button or link on the first page is clicked.
  • the browser page displays the user's relationship information such as contacts and groups.
  • the second page also includes an iframe page pointing to the first server, called the third page, which is generally set to a hidden style.
  • when the second page is displayed in the form of an iframe in the first page, a circular information delivery channel is formed from the first page of the first server to the second page of the second server and then to the third page of the first server; this realizes the cross-domain transfer of the relationship information inside the browser, so that the first server can conveniently obtain the user's relationship information held in the second server.
  • the second page can be displayed by setting the source address of the second page in the first page, for example by setting the source address attribute of the iframe in a JavaScript function of the first page, as follows:
  • iframe1.src = "http://snsexample.com/relationship.php";
  • alternatively, the click event of the button runs a script that opens the second page in a new window, such as:
  • since the second server performed identity authentication, such as by OpenID or single sign-on, when the user was authenticated in step 101, the second server may have set a corresponding session cookie item on the browser of the user's terminal, whose data may include session information such as a session identifier; while the user is accessing within the current session, the second server does not need to authenticate the user again. That is, the second page first obtains the cookie data from the browser of the user's terminal, then carries the cookie data in its request to the second server for the user's relationship information, and displays the obtained relationship information on the page.
  • if the second server has no corresponding session information for the second page, for example when the second page is to display the user's relationship information, the user is prompted to authenticate to the second server.
  • the first page contains resource information, such as a photo, and a button for determining authorization.
  • the second page may be included in the form of an inline frame, and the relationship information displayed on the second page may include a contact list, and the contacts may be displayed in groups, such as grouping for colleagues, classmates, and family members, etc.
  • a check box is displayed in front of the contact or group name.
  • some public groups and group members created or participated by the user can be displayed for the user to select. Whether it is a grouping of contacts or a public group, it can be represented by a unique group identifier.
  • the second page can display the name or nickname of the contact and the name of the group, but when the information is actually transmitted, the user ID of the contact and the group ID are generally used.
  • the second server can also detect other users who have recently communicated with the user, for example through messages or phone calls, and display those users in the second page.
  • since the telecommunication network and the Internet are closely integrated, a second server operated by a telecommunication operator can easily obtain the user's communication records (such as text messages and phone calls), and the parties who have communicated with the user may not be in the user's contact list.
  • the first page may also request the first server to obtain the existing authorization information for the user's current resource information, and pass the already-authorized contact and group information to the second page as parameters of the source address URL (Uniform Resource Locator) of the second page. Examples are as follows:
  • the second page can read the above parameters from the current page address when the window load event (window.onload) occurs, and then, when displaying the user's relationship information, set the already-authorized groups, such as group1, to the selected state according to those parameters. This lets the user see which relationship information, such as contacts or groups, has already been authorized to access the current resource information. Examples of parameters including both groups and contacts are as follows:
  • the parameters in the above address indicate that the current resource has already been authorized to the group group1 and the contacts usera and userb; group1 is a group identifier, and usera and userb are user identifiers.
  • Step 204 The user selects relationship information in the second page, and the second page transmits the relationship information selected by the user to the third page.
  • whenever the user selects or deselects a group or contact through the terminal (for example, on the onClick event of the check box corresponding to the contact or group), the second page transmits the currently selected relationship information (groups or contacts) to the third page.
  • the transfer can be done by setting the source address attribute of the third page: the page address of the third page is specified, and the relationship information selected by the user is included as parameters of that address, so it is delivered to the third page.
  • the source address set for the third page is as follows:
  • the parameters in the above address indicate that the current resource is selected for authorization to the groups group1 and group2 and the contacts usera, userb and userc.
  • Step 205 The third page transmits the relationship information selected by the user sent by the second page to the first page.
  • the third page sets a timer function, which is executed at a predetermined interval, such as every 500 milliseconds, so that the relationship information can be transmitted normally.
  • the example of the processing script in the third page begins as follows (the body of the function is not reproduced on this page): function transmit() {
  • when the second page was opened as a new window rather than as an inline frame, the first page corresponds to the parent.opener object.
  • Step 206 After the user determines to authorize the resource information for the selected contact and/or group, the first page submits the relationship information and resource information finally selected by the user to the first server.
  • the first page includes a button or hyperlink that confirms the authorization, which can be labelled "shared" or "ok".
  • when the button is activated by the user, the first page submits the relationship information and resource information finally selected by the user to the first server.
  • the first server stores a corresponding record of the relationship information and the resource information selected by the user, and uses the corresponding record as the authorization information for accessing the resource information.
  • the authorization information may further include an authorization time, that is, a time when the first page submits the relationship information and the corresponding resource information finally selected by the user to the first server.
  • the transmission of the relationship information for the resource information takes place entirely on the terminal side: the already-authorized relationship information is transmitted from the first page of the first server to the second page of the second server, and the relationship information selected by the user is transmitted from the second page of the second server to the first page via the third page. No data needs to be transferred directly between the first server and the second server, so the cross-domain resource authorization is completed simply and efficiently, making full use of the computing power of the terminal.
  • the first server, which lacks relationship information, can make full use of the user relationship information in the second server to enhance the social function of the application and attract more users to visit.
  • Step 301 the first page obtains the first password.
  • the first password may be generated by the first page using a random function, or may be requested from the first server. Because the random functions of some browsers do not generate strong passwords, it is recommended to obtain the password from the server.
  • the password can be a random string.
  • the session ID (Session ID) between the first server and the user's browser can be used as the first password because the session IDs are usually an unpredictable random string.
  • Step 302 The first page passes the first password to the second page.
  • the second page obtains the password from the parameter that the first page set in the second page's source address; for example, the password can be included in the bookmark parameter.
  • the second page will buffer the first password received for subsequent password verification.
  • Step 303 The second page obtains the second password, and sends the second password to the third page.
  • the second password can be generated by the second page itself, or requested from the second server, or the identifier (Session ID) of the session between the second server and the user's browser can be used as the second password; the second page then passes the second password to the third page.
  • Step 304 The third page further passes the second password to the first page.
  • the first page caches the second password for subsequent password verification. This completes the cross-domain password exchange between the first server and the second server.
  • Step 305 When subsequently transmitting the relationship information selected by the user, the first page and the second page each carry the password corresponding to their own domain in the bookmark (fragment) parameter of the URL they set.
  • the example of carrying the password is as follows:
  • the bookmark parameter of the above address includes the first password "qw3e45s32328f3nl".
  • Step 306 The second page verifies the password.
  • the password is taken out of the bookmark parameter in the window's address, such as the above password "qw3e45s32328f3nl", and compared with the previously cached first password; only after the verification passes is the subsequent processing performed, such as taking the authorized relationship information out of the parameters in the subsequent steps.
  • Step 307 When the second page transmits the relationship information selected by the user to the third page, the second password is also carried.
  • Step 308 The third page performs password verification.
  • the password in the bookmark parameter in the address of the window is taken out, and then the password is compared with the previously cached second password, and the subsequent processing is performed after the verification is passed.
  • a request for the address of the second page or the third page made from anywhere other than the current browser instance cannot reveal the user's relationship information or resource authorization information, because the requester cannot obtain the above password.
  • An authentication method for cross-domain authorization describes an authentication process when other users access resource information in the first server.
  • the user who has the resource information in the first server is referred to as the first user, and the user who wants to access the resource information of the first user is the second user.
  • the first user has authorized the resource information in the first server, such as album P, to group A, and the member in group A contains the second user.
  • the steps of the embodiment are as follows: Step 401: The first server receives a request for the second user to access the resource information of the first user, such as the album P, where the resource information is in the first server in the first domain.
  • the second user may be authenticated for the above request by OpenID or by other means.
  • Step 402 The first server queries and obtains the authorization information of the first user for the resource information, where the authorization information records the relationship information of the second server in the second domain corresponding to the resource information.
  • Step 403 The first server determines whether the second user belongs to the relationship information.
  • Step 404 If yes, the first server allows the second user to access the resource information, otherwise the second user is denied access to the resource information.
  • the first server can share the resource information authorized by another user to the user by verifying the user, thereby improving the user experience.
  • where the relationship information held by the second server is not convenient to deliver in full to the first server, that is, in this embodiment, the first server stores only the contact identifiers and group identifiers corresponding to the first user's resource information, and does not store the specific contacts belonging to each group.
  • Step 501 The first server receives a request for the second user to access the resource information of the first user, such as the album P.
  • the second user may be authenticated to the first server by OpenID or by other methods.
  • Step 502 The first server acquires, according to the resource information, the first user's authorization information record for that resource information, and determines whether the second user is an authorized contact (including a temporary contact); if yes, the second user is allowed access and this process ends; otherwise, go to step 503.
  • Step 503 The first server sends the group identifiers recorded in the first user's authorization information for the resource, together with the identifier of the second user, to the second server, and requests the second server to determine whether the second user is a member of any of those authorized groups. When the second user is a member of at least one of the authorized groups, the second server returns a positive determination result.
  • Step 504 The first server receives the determination result returned by the second server. If the determination result is a positive result, the first server allows the second user to access, otherwise the access is prohibited.
  • the first server can share the resource information authorized by another user to the user by verifying the user, thereby improving the user experience.
  • Step 601 The first server receives the access request of the second user, and retrieves, from the stored authorization information, the resource information authorized for access by the groups to which the second user belongs and the resource information authorized for access by the second user directly.
  • the corresponding authorization time can be used to filter the resources, for example to only those authorized within a predetermined period (such as the last week), or to only a predetermined number of the most recently authorized resources (those whose authorization time is closest to the current time, such as the 10 most recent).
  • Step 602 Display the resource information in a page after the second user logs in.
  • the method provided by the embodiment of the present invention enables the user to log in to the first server to display resource information shared by other users that the user has permission to access, thereby improving the user experience.
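As an added illustration in Python (not code from the patent), the access decision of steps 501-504 and the recency filter of steps 601-602 over one hypothetical authorization-record store; the record layout, the `group_check` callback standing in for the query to the second server, and all names and sample data are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable, FrozenSet, List, Optional, Tuple

@dataclass(frozen=True)
class AuthRecord:
    """Hypothetical record on the first server: the owner's resource, the contacts and
    group identifiers it is shared with (group members are NOT stored), and when."""
    owner: str
    resource: str
    contacts: FrozenSet[str]
    groups: FrozenSet[str]
    authorized_at: datetime

# Hypothetical callback standing in for the step-503 query to the second server.
GroupCheck = Callable[[str, FrozenSet[str]], bool]

def check_access(records, owner, resource, user, group_check: GroupCheck) -> bool:
    """Steps 502-504: local contact check first, group membership delegated."""
    rec = next((r for r in records if (r.owner, r.resource) == (owner, resource)), None)
    if rec is None:
        return False                    # no authorization record: deny by default
    if user in rec.contacts:
        return True                     # step 502: authorized contact, no cross-domain call
    if not rec.groups:
        return False                    # nothing to ask the second server about
    return group_check(user, rec.groups)  # steps 503-504: second server decides

def recent_authorized(records, user, memberships: FrozenSet[str], now: datetime,
                      within: Optional[timedelta] = None, limit: Optional[int] = None) -> List[Tuple[str, str]]:
    """Steps 601-602: resources shared with the user directly or via a group, newest first."""
    hits = [r for r in records if user in r.contacts or (r.groups & memberships)]
    if within is not None:
        hits = [r for r in hits if now - r.authorized_at <= within]
    hits.sort(key=lambda r: r.authorized_at, reverse=True)
    return [(r.owner, r.resource) for r in hits[:limit]]   # hits[:None] keeps all

# Constructed sample data (not from the patent); group membership lives only in the second domain.
NOW = datetime(2009, 12, 31, 12, 0)
RECORDS = [
    AuthRecord("alice", "album P", frozenset({"bob"}), frozenset({"family"}), NOW - timedelta(days=2)),
    AuthRecord("alice", "album Q", frozenset(), frozenset({"hiking"}), NOW - timedelta(days=10)),
    AuthRecord("carol", "doc R", frozenset({"dave"}), frozenset(), NOW - timedelta(hours=3)),
]
SECOND_DOMAIN_GROUPS = {"family": {"bob", "erin"}, "hiking": {"dave", "erin"}}

def second_server_check(user: str, groups: FrozenSet[str]) -> bool:  # stand-in second server
    return any(user in SECOND_DOMAIN_GROUPS.get(g, set()) for g in groups)
def memberships_of(user: str) -> FrozenSet[str]:  # stand-in for the user's group list
    return frozenset(g for g, m in SECOND_DOMAIN_GROUPS.items() if user in m)
```

The first server never holds `SECOND_DOMAIN_GROUPS`; it only learns a yes/no answer per request, which is the point of keeping group membership in the second domain.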
  • An embodiment of the present invention provides a terminal 7, as shown in FIG. 9, which includes:
  • a request receiving module 71 configured to receive a request for a user to access resource information;
  • the display module 72 is configured to display, according to the request, a first page that includes resource information of the user located in the first domain, and to display, according to the first page, a second page that includes relationship information of the user located in the second domain;
  • the relationship information receiving module 73 is configured to receive the relationship information corresponding to the resource information that the user selects on the second page;
  • the sending module 74 is configured to send the resource information and the relationship information selected by the user in the second page to the first server, so that the first server stores the corresponding record of the selected relationship information and the resource information and uses the corresponding record as authorization information for accessing the resource information.
  • the request receiving module 71 is further configured to receive the existing authorization information sent by the first server according to the foregoing request, where the existing authorization information includes the corresponding records of the relationship information and the resource information that the user has already selected; the display module 72 is further configured to display, in the second page and according to the existing authorization information, the relationship information that the user has already selected.
  • the second page is an inline frame page located in the first page or a new page opened by clicking a hyperlink or a button in the first page.
  • An embodiment of the present invention provides a server 8, as shown in FIG. 10, which includes:
  • the receiving module 81 is configured to receive a request sent by the user through the terminal;
  • the obtaining module 82 is configured to obtain the authorization information of the user according to the foregoing request, and obtain resource information that the user is authorized to access according to the authorization information;
  • the sending module 83 is configured to send the foregoing resource information to the terminal.
  • the foregoing obtaining module 82 is specifically configured to obtain, according to the foregoing authorization information, the resource information authorized for the user within the most recent predetermined period, or a predetermined number of the most recently authorized resource information items; the sending module 83 is specifically configured to send that resource information to the terminal.
  • the embodiment of the present invention further provides a server 9, as shown in FIG. 11, which includes:
  • the receiving module 91 is configured to receive a request sent by a user through a terminal to access resource information in the first server in the first domain;
  • the obtaining module 92 is configured to obtain the authorization information corresponding to the resource information, where the authorization information records the relationship information of the second server in the second domain corresponding to the resource information;
  • the processing module 93 is configured to determine whether the user belongs to the relationship information; when the determination is yes, the user is allowed to access the resource information, and when the determination is negative, the user is denied access to the resource information.
  • the foregoing relationship information includes a contact or a group;
  • the processing module 93 is specifically configured to: determine whether the user is one of the contacts in the relationship information, and if so, allow the user to access the resource information and end the process; if not, send the groups in the relationship information and the identifier of the user to the second server, so that the second server determines whether the user belongs to those groups; and receive the determination result sent by the second server, and if the determination result is yes, allow the user to access the resource information, otherwise deny the user access to the resource information.
  • the embodiment of the present invention further provides a server 10, as shown in FIG. 12, which includes:
  • the receiving module 101 is configured to receive a request sent by the user by using the terminal;
  • the sending module 102 is configured to send, to the terminal, the first page that includes the resource information according to the foregoing request, so that the terminal sends an acquisition request for the relationship information to the second server in the second domain according to the first page, obtains the relationship information sent by the second server, and displays the relationship information on a second page;
  • the storage module 103 is configured to receive the resource information sent by the terminal and the relationship information corresponding to the resource information that the user selected on the second page, store the corresponding record of the selected relationship information and the resource information, and use the corresponding record as authorization information for accessing the resource information.
  • the sending module 102 is further configured to: send the stored existing authorization information to the terminal according to the request, where the existing authorization information includes a corresponding record of the relationship information and the resource information that the user has selected.
  • the embodiment of the present invention further provides a cross-domain authorization system 11, as shown in FIG. 13, which includes: a first server 111, located in a first domain, configured to receive a request sent by a user through a terminal; to send a first page that includes resource information, so that the terminal sends an acquisition request for the relationship information to the second server 112 in the second domain according to the first page, obtains the relationship information sent by the second server 112 and displays the relationship information on a second page; to receive the resource information sent by the terminal and the relationship information corresponding to the resource information that the user selected on the second page; and to store the corresponding record of the selected relationship information and the resource information and use the corresponding record as authorization information for accessing the resource information;
  • the second server 112 is located in the second domain, and is configured to send the relationship information of the user to the terminal.
  • the terminal, the server, and the system provided by the foregoing embodiments can authorize the resource information of a user in the first domain to relationship information in the second domain, thereby improving the user experience.

Abstract

The invention relates to a configuration method for cross-domain authorization, comprising the following steps: receiving a request from the user to access resource information; displaying, according to the request, a first page comprising the resource information, the first page being provided by a first server in a first domain; displaying, according to the first page, a second page comprising the relationship information of the user, the second page being provided by a second server in a second domain; receiving the relationship information corresponding to the resource information selected by the user from the second page; sending the resource information and the relationship information selected from the second page to the first server, so that the first server stores the correspondence record between the selected relationship information and the resource information and treats the correspondence record as authorization information for access to the resource information. Embodiments of the invention also relate to an authentication method, a terminal, an apparatus and a corresponding system for cross-domain authorization. With the embodiments of the present invention, the resource information of a user in the first domain can be authorized to relationship information in the second domain, so that the user experience can be improved.
PCT/CN2009/076318 2008-12-31 2009-12-31 Procédé de configuration et d'authentification pour autorisation inter-domaine, équipement et système correspondants WO2010075798A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN200810242174.3 2008-12-31
CN 200810242174 CN101771676B (zh) 2008-12-31 2008-12-31 一种跨域授权的设置、鉴权方法、相关装置及系统

Publications (1)

Publication Number Publication Date
WO2010075798A1 true WO2010075798A1 (fr) 2010-07-08

Family

ID=42309830

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2009/076318 WO2010075798A1 (fr) 2008-12-31 2009-12-31 Procédé de configuration et d'authentification pour autorisation inter-domaine, équipement et système correspondants

Country Status (2)

Country Link
CN (1) CN101771676B (fr)
WO (1) WO2010075798A1 (fr)

Families Citing this family (14)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102143091B (zh) * 2010-08-06 2014-07-16 华为技术有限公司 跨域操作的实现方法、系统、服务器和浏览器
CN102694779B (zh) * 2011-03-24 2017-03-29 中兴通讯股份有限公司 组合认证系统及认证方法
EP2811708B1 (fr) * 2013-06-06 2016-09-28 Nagravision S.A. Système et méthode pour l'authentification d'un utilisateur
CN103391192B (zh) * 2013-07-16 2016-09-21 国家电网公司 一种基于隐私保护的跨安全域访问控制系统及其控制方法
CN104618217B (zh) * 2014-03-24 2018-09-04 腾讯科技(北京)有限公司 分享资源的方法、终端、服务器及系统
US9203612B1 (en) * 2014-06-02 2015-12-01 Atlanta DTH, Inc. Systems and methods for controlling media distribution
CN104486458B (zh) * 2014-12-15 2019-01-08 北京国双科技有限公司 跨域会话的数据处理方法和装置
CN106161361B (zh) * 2015-04-03 2018-10-02 北京神州泰岳软件股份有限公司 一种跨域资源的访问方法及装置
CN105183851A (zh) * 2015-09-08 2015-12-23 上海上讯信息技术股份有限公司 克服浏览器同源策略限制的交互方法及设备
CN106708878B (zh) * 2015-11-16 2020-06-16 北京国双科技有限公司 终端识别方法及装置
CN105472029B (zh) * 2015-12-29 2019-06-21 锐达互动科技股份有限公司 一种基于缓存的单点登录的方法及系统
CN110300133B (zh) * 2018-03-22 2023-04-28 财付通支付科技有限公司 跨域数据传输方法、装置、设备及存储介质
CN108595512A (zh) * 2018-03-23 2018-09-28 华迪计算机集团有限公司 一种跨安全域的信息检索方法及设备
CN110502880B (zh) * 2019-07-30 2021-06-04 同济大学 一种基于属性聚合的异构身份关联方法

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20030093666A1 (en) * 2000-11-10 2003-05-15 Jonathan Millen Cross-domain access control
US20030120948A1 (en) * 2001-12-21 2003-06-26 Schmidt Donald E. Authentication and authorization across autonomous network systems
CN1627683A (zh) * 2003-12-09 2005-06-15 鸿富锦精密工业(深圳)有限公司 单一认证授权管理系统及方法
CN1633085A (zh) * 2004-12-29 2005-06-29 北京邮电大学 一种基于无等级角色间映射的访问控制方法
CN1953455A (zh) * 2006-11-15 2007-04-25 北京北大方正电子有限公司 一种网络资源访问控制的方法、模块和服务器
CN101262474A (zh) * 2008-04-22 2008-09-10 武汉理工大学 一种基于跨域授权中介实现角色和组映射的跨域访问控制系统

Also Published As

Publication number Publication date
CN101771676A (zh) 2010-07-07
CN101771676B (zh) 2013-04-24

Similar Documents

Publication Publication Date Title
WO2010075798A1 (fr) Procédé de configuration et d'authentification pour autorisation inter-domaine, équipement et système correspondants
US11658979B2 (en) Systems and methods for efficient and secure temporary anonymous access to media content
US11665146B2 (en) Migrating authenticated content towards content consumer
EP2383946B1 (fr) Procédé, serveur et système de fourniture de ressources pour un utilisateur d'accès
US9692747B2 (en) Authenticating linked accounts
US7827318B2 (en) User enrollment in an e-community
CN103327100B (zh) 资源处理方法和站点服务器
US11831680B2 (en) Electronic authentication infrastructure
US20110258326A1 (en) Method, device, and system for implementing resource sharing
JP2004173285A5 (fr)
CN101331731A (zh) 由身份提供商对联盟内的客户进行定制认证的方法、装置和程序产品
TW201019676A (en) Identity and authentication system using aliases
EP2518972A1 (fr) Système et procédé d'adressage de dispositif
US10601809B2 (en) System and method for providing a certificate by way of a browser extension
US9553863B2 (en) Computer implemented method and system for an anonymous communication and computer program thereof
JP2012159980A (ja) 識別情報の不正な取得を防止するためのサーバ
JP2014130542A (ja) 画像形成装置、セッション管理方法及びプログラム
JP2017049881A (ja) サーバ装置、サーバ装置の制御方法、及びプログラム
WO2015027298A1 (fr) Système de mandataire à gestion d'identité intégrée

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 09836085

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 09836085

Country of ref document: EP

Kind code of ref document: A1