WO2016188256A1 - Application access authentication method, system, apparatus and terminal - Google Patents

Application access authentication method, system, apparatus and terminal

Info

Publication number
WO2016188256A1
Authority
WO
WIPO (PCT)
Prior art keywords
application
authentication
service
application client
information
Prior art date
Application number
PCT/CN2016/079209
Other languages
English (en)
Chinese (zh)
Inventor
王祺
Original Assignee
中兴通讯股份有限公司
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 中兴通讯股份有限公司
Publication of WO2016188256A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/06 Authentication
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04M TELEPHONIC COMMUNICATION
    • H04M1/00 Substation equipment, e.g. for use by subscribers
    • H04M1/72 Mobile telephones; Cordless telephones, i.e. devices for establishing wireless links to base stations without route selection
    • H04M1/724 User interfaces specially adapted for cordless or mobile telephones
    • H04M1/72403 User interfaces specially adapted for cordless or mobile telephones with means for local support of applications that increase the functionality
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/08 Access security

Definitions

  • This document relates to, but is not limited to, the field of Internet applications and open service platforms, and relates to a method, system, device and terminal for application access authentication.
  • 3G (3rd-Generation, third-generation mobile communication technology)
  • 4G (4th-Generation)
  • Smartphones and the mobile Internet model are penetrating into various fields. Whether it is a telecom operator that provides voice, SMS or MMS services, or a traditional enterprise that provides products and services to users offline, each can develop APPs (i.e., application clients) that run on smart terminals, such as an iPhone or iPad running iOS (a mobile operating system), or mobile phones and Pads running Android OS (the Android operating system).
  • Users can use the APP to conveniently and quickly use services or purchase products and services via the mobile network or a WiFi network.
  • An APP issued by an operator or a company acting as an application provider is usually free.
  • The user does not need to purchase the APP separately in order to download and install it, but the functions or services that the user can use through the APP are related to the business, product or service that the user subscribes to from the operator or the company.
  • an operator has multiple service systems or a single service system provides multiple functions.
  • the operator can combine different functions into different APPs, and users who subscribe to different services or services use different APPs.
  • The operator can also integrate multiple application functions in the same APP; the functions that different users can access through an APP are related to their order information.
  • the network port opened by the server can be accessed by any node on the Internet, and the Internet is an untrusted network.
  • Although various network security technologies have been developed to prevent network threats, each technology has defects and vulnerabilities, and the attacker may also be hidden in the user group, so it is still necessary to maintain network security awareness for the back-end service system that supports the application.
  • the request received by the server does not necessarily come from a legitimate APP.
  • The object requested for access does not necessarily fall within the scope of the requesting user (the user account information may be stolen, or the attacker may itself be a user), so how to achieve application access authentication is the primary challenge in providing applications over the Internet.
  • Application access authentication is a basic system function and does not belong to the service function category.
  • The application provider usually deploys an application access authentication system independently in front of the business system.
  • On the one hand, the system exposes each API (Application Programming Interface) of the business system to the client through the network; on the other hand, it performs the authentication of application access.
  • the authentication scheme adopted by the related open service platform is based on the user's purchase of an APP developed by a third-party application developer.
  • The platform determines whether the user can use an APP based on the subscription information between the user and the APP.
  • Authentication is performed against the APP and the pre-registered calling capability set of the APP.
  • Downloading and installing the APP is usually free, and the user does not purchase the APP separately. Therefore, there is no subscription information between the user and the APP, and an authentication scheme based on that assumption cannot be applied.
  • the application request message is parsed internally, but the application protocols and message definitions of different APPs are different.
  • The related application access authentication scheme only supports code that parses APP requests for the application protocol of a specified application.
  • If a new APP is added or the application protocol of an existing APP is changed, the code needs to be modified before the request can be parsed, so the scheme cannot meet the requirements for flexible deployment of new applications and upgrading of existing applications in the multi-application access scenario.
  • The embodiments of the present invention provide a method, a system, a device, and a terminal for application access authentication, so as to implement unified access in a multi-application scenario.
  • An embodiment of the present invention provides a method for application access authentication, including:
  • the information carried by the login instruction includes: the application client identifier, the application client key, a user account, and user password information;
  • Performing login authentication according to the information carried by the login instruction including:
  • After the login authentication is passed, it is determined whether the service level of the specified user meets the service function authorization condition. If the service level of the specified user meets the service function authorization condition, the login authentication is passed.
  • the determining, by the specified user, a service function set authorized by the application client includes:
  • the method further includes:
  • the method further includes:
  • the service request message is sent to the corresponding service system.
  • the authenticating the service request includes:
  • the authenticating the service request further includes:
  • the authentication success response is returned to the application client.
  • the parsing the resource identifier string that is requested to be accessed from the service request message includes:
  • The application resource deep packet inspection plug-in corresponding to the application client identifier parses the resource identifier string requested to be accessed from the service request message.
  • The embodiment of the invention further provides a system for application access authentication, including:
  • the login module is configured to perform login authentication according to the information carried by the login command after receiving the login command sent by the application client, and return a login success response to the application client after the login authentication is passed;
  • the service determining module is configured to: after receiving the application authorization information query instruction sent by the application client, determine, by the specified user, the service function set authorized by the application client, and send the service function set information to the application Client.
  • the information carried by the login instruction includes: the application client identifier, the application client key, a user account, and user password information;
  • The login module is configured to perform login authentication according to the information carried in the login instruction by: when the application client is determined to be legal according to the application client identifier and the application client key, performing login authentication according to the user account and the user password information. After the login authentication is passed, it is determined whether the service level of the specified user satisfies the service function authorization condition. If the service level of the specified user satisfies the service function authorization condition, the login authentication is passed.
  • The service determining module is configured to determine the service function set that the specified user is authorized to use through the application client by: querying preset application authentication configuration data, and acquiring a service level corresponding to the specified user and a first service function set corresponding to the service level; acquiring a second service function set of the application client according to the application client identifier; and determining an intersection of the first service function set and the second service function set, the intersection being the set of service functions authorized for the user through the application client.
  • The service determining module is further configured to: after receiving the application authorization information query instruction of the application client, query the preset application authentication configuration data according to the application client identifier to obtain the address information of each port of the application client, and send the address information of each port to the application client.
  • The system further includes:
  • the authentication module is configured to: after receiving the service request message sent by the application client, authenticating the service request message; after the authentication is passed, sending the service request message to the corresponding service system.
  • The authentication module is configured to perform authentication on the service request by: parsing the identifier of the application client from the service request message; querying preset application authentication configuration data and obtaining the port information corresponding to the identifier of the application client; and comparing the queried port information with the port information of the link receiving the service request message. If the queried port information and the port information of the link receiving the service request message are consistent, it is determined that the service request message is a legitimate request message.
  • The authentication module is further configured to parse the information of the corresponding application port from the service request message; when determining that the resource under the application port is restricted access, parse from the service request message a resource identifier string for requesting access; and when determining that the service function set required for the resource corresponding to the resource identifier string is a subset of the service function set corresponding to the user service level, return the authentication success response to the application client.
  • The authentication module is configured to parse the resource identifier string that is requested to be accessed from the service request message by: when the resource resolution mode of the application port is determined to be standard resolution, parsing the resource identifier string that is requested to be accessed from the service request message according to a standard protocol; and when the resource resolution mode of the application port is determined to be plug-in resolution, parsing the resource identifier string that is requested to be accessed from the service request message through the application resource deep packet inspection plug-in corresponding to the application client identifier.
  • The embodiment of the invention further provides a method for application access authentication, including:
  • the information display of the interaction interface is controlled according to the service function set information.
  • the login instruction carries an identifier of the application client, the application client key, a user account, and a password input by the user.
  • the login success response carries the session token information.
  • the method further includes:
  • the application client sends a service request message to the application authentication system, where the service request message carries an identifier of the application client, a user account, the session token information, and an application port name requested to be accessed.
  • the method further includes:
  • the application client sends an exit instruction to the application authentication system, wherein the exit instruction carries an identifier of the application client, a user account, and the session token.
  • An embodiment of the present invention further provides an apparatus for application access authentication, including:
  • the login module is configured to send a login command to the application authentication system, and after receiving the login success response returned by the application authentication system, send an application authorization information query instruction to the application authentication system;
  • the control module is configured to, after receiving the authorized service function set information returned by the application authentication system, control the information display of the interaction interface according to the service function set information.
  • the device further includes:
  • a service module configured to send a service request message to the application authentication system, where the service request message carries an identifier of the application client, a user account, session token information carried by the login success response, and a request for access Application port name.
  • the login module is further configured to send an exit instruction to the application authentication system, where the exit instruction carries an identifier of the application client, a user account, and the session token.
  • The embodiment further provides a terminal, including the foregoing device for application access authentication.
  • The embodiment of the invention further provides a computer readable storage medium, wherein the computer readable storage medium stores computer executable instructions, and the method for application access authentication is implemented when the computer executable instructions are executed.
  • The embodiments of the present invention provide a method, a system, a device, and a terminal for application access authentication, which can implement unified access and complete flexible authentication in multiple application scenarios. Other aspects will be apparent upon reading and understanding the drawings and detailed description.
  • FIG. 1 is a schematic diagram of an applicable scenario of a method for application access authentication according to an embodiment of the present invention.
  • FIG. 2 is a schematic diagram of an application access authentication system according to an embodiment of the present invention.
  • FIG. 3 is a schematic diagram of an apparatus for applying access authentication according to an embodiment of the present invention.
  • FIG. 4 is a schematic diagram of an application example of an application access authentication system according to an embodiment of the present invention.
  • FIG. 5 is a flowchart of APP login authentication according to an embodiment of the present invention.
  • FIG. 6 is a flowchart of a verification service request according to an embodiment of the present invention.
  • FIG. 7 is a flowchart of acquiring resources accessed by a service request according to an embodiment of the present invention.
  • FIG. 8 is a flowchart of session authentication and resource authentication according to an embodiment of the present invention.
  • FIG. 9 is a flowchart of a method for application access authentication according to an embodiment of the present invention.
  • FIG. 10 is another flowchart of a method for application access authentication according to an embodiment of the present invention.
  • The essence of an APP accessing the system is that the client connects to one or more ports of the server to access one or more resources inside the server.
  • Resources and access are meant here in a generalized sense: any object that can be accessed through a network API (Application Programming Interface) can be considered a resource, including not only data (for example, a contact list) or media (for example, a phone message, a video), but also an application port, an API interface or a function (for example, printing a fax).
  • Access refers not only to the usual CRUD operations (create, query, modify and delete), but also includes connecting to ports and calling functions.
  • The core of multi-application access authentication is that the system can verify that legitimate users can only access resources within the scope of authorization through a legitimate APP.
  • Even if the user account is abused (that is, someone holds a legitimate account but accesses system-side resources beyond what the account is authorized for) or the APP is abused (meaning that the APP developer uses, in the APP code, resources that the APP is not allowed to use), the system can still limit the accessed resources to a controllable range.
  • The embodiment of the invention provides a method and a system for application access authentication, which support different APPs accessing one or more service systems of the back end through the same application access authentication system, which not only realizes unified access of multiple applications, but also implements multi-application access authentication.
  • The method of this embodiment utilizes multiple techniques, including designing an application authentication configuration model and authentication algorithm logic, designing an interaction mechanism between the APP and the multi-application access authentication system and the parameters required of the APP in the request, and, based on the concepts of application ports and resources, using DPI (Deep Packet Inspection) parsing plug-ins for different applications to identify the resources accessed by the application request, so as to comprehensively realize complete and flexible access authentication. The method of the embodiment of the present invention is described in detail as follows:
  • the embodiment includes the following three sets of configuration data models:
  • Each user is associated with a service level on the system side according to the service or service that it subscribes to.
  • the model defines a set of business functions that each service level is authorized to use, including the following information:
  • the service level is authorized by the business function set, and each business function is assigned a unique business function code.
  • the model defines basic information for each application (referred to as the APP client), including the following:
  • APP key, that is, the application key
  • the APP needs to access the complete set of system side ports through the network, and each application port includes the following information:
  • The port corresponding to the internal network is also configured (because there is a mapping between the internal and external network addresses, and the internal and external address ports are different); it is used internally for request distribution and authentication.
  • a network port supports only one type of protocol, but multiple application ports are available.
  • One application port may serve multiple applications, rather than each application monopolizing its own application port.
  • the function set implemented by an APP client corresponds to one or more service function items on the system side, and the following information is configured for each service function associated with each APP:
  • the model defines application port information that each application needs to be authorized to access, including the following:
  • the application port is configured as a restricted application port of the application, and one application can configure one or more restricted application ports.
  • Each restricted application port needs to be configured with a resource resolution mode, which is divided into the following two categories:
  • the accessed resource identification string is parsed from the request message by the application access authentication system according to a standard protocol as a resource authentication element.
  • the application access authentication system forwards the request message to the internally loaded application resource DPI plug-in of the application, and returns a resource identifier string accessed by the request message as a resource authentication element.
  • An application port can be configured with one or more restricted port resources, and each restricted port resource includes the following attributes:
  • Each port resource is indicated by a text string, and the text string format and encoding are determined by the application.
  • the APP ID, the application port name, and the service function code in the above configuration data need to be consistent in the APP and the system, and are the common language of the interaction between the front and the back.
  • In its code, the APP needs to use the same application port names configured for the APP on the system side (an APP has one or more application ports), and must understand the specific meaning of each business function code defined on the system side and map it to the functions or interfaces provided by the APP itself.
  • The login authentication algorithm is: for a user using any APP, the user is allowed to use the APP only when the intersection of the service function set corresponding to the service level of the user and the basic service function set of the APP is not empty.
  • The resource authentication algorithm is: when a user sends a request through any APP to any application port on the system side to access any resource, the user is allowed to access the resource under the application port through the APP only when the service function set required for the accessed resource under the application port is a subset of the service function set of the user's service level.
  • the APP is required to interact with the system side according to the following processes and mechanisms:
  • the message sent by the APP is divided into two types: general instruction and service request.
  • the general instruction is applicable to different applications and the message format of the request and response is uniformly defined by the system side.
  • The general instruction is directly processed and responded to by the application access authentication system without being forwarded to the business system, and includes the following instructions:
  • the login instruction request carries an APP ID, an APP key, a user account, and a password input by the user, and the login success response returns a session token;
  • the APP requests to query the service function set authorized by the login user through the APP and the address of each application port;
  • the service request is related to the specific service function. All service requests need to be authenticated by the application access authentication system. Only the service request passed by the authentication will be forwarded by the application access authentication system to the service system corresponding to the request. Otherwise, the application access authentication system directly returns an error response of the authentication failure.
  • The login command is sent, and after receiving the authentication success response, the APP sends an application authorization information query instruction. The APP controls the display and hiding of interfaces or components according to the received service function set information, and provides the user with a usable interactive interface that avoids showing users the features they cannot use.
  • the APP sends an exit command to invalidate the session token.
  • Port name refers to the port name that the APP fills in the application layer data, not the TCP (Transmission Control Protocol)/UDP (User Datagram Protocol) layer port.
  • connection link protocols for example, HTTP (Hyper Text Transfer Protocol), SOAP (Simple Object Access Protocol)
  • the APP needs to carry this set of information (ie, the APP ID, the user account, the session token, and the application port name requested by the request) in each service request.
  • a service request based on a long-link protocol for example, Internet Mail Access Protocol (IMAP), SMTP (Simple Mail Transfer Protocol), etc.
  • IMAP Internet Mail Access Protocol
  • SMTP Simple Mail Transfer Protocol
  • the system side implements strict and fine-grained application authentication, including APP identification, login authentication, port verification, session authentication, and resource authentication.
  • APP identification is used to determine whether the request is from a legitimate client
  • the login authentication is used to determine whether the user who uses the APP is a registered user, and whether the user has the authorization to use the APP;
  • the port check is used to determine whether the application port filled in by the APP is consistent with the port actually accessed.
  • the session authentication is used to determine whether the access request is sent from the logged-in APP.
  • Resource authentication is used to determine whether the APP and the user have the authorization of the service function required by the accessed resource.
  • The port check and the resource check are specific mechanisms used to achieve the objectives set by the embodiments of the present invention. The above process is described in detail in the following specific embodiments in conjunction with the drawings.
  • the application resource DPI plugin of different applications is responsible for parsing and processing the requested access resources from the APP business class instructions.
  • the embodiment of the present invention proposes an application resource DPI plug-in parsing method, and multiple application resource DPI plug-ins can be dynamically loaded and run on the application gateway server of the application access authentication system.
  • For each APP service request, if the APP application resource resolution mode is the DPI plug-in resolution mode, the application gateway server internally passes the memory address of the request message body to the DPI plug-in corresponding to the application, and the DPI plug-in returns the resource identification string of the resource requested for access.
  • The application access authentication system determines whether access to the resource is authorized according to the resource identification string, the user service level, and the application resource authorization configuration data. If access is not allowed, the application access authentication system returns an authentication failure response to the APP; otherwise the request is distributed to the corresponding back-end service system.
  • FIG. 1 is a schematic diagram of an applicable scenario of a method for application access authentication according to an embodiment of the present invention.
  • the main body involved in the authentication system of this embodiment includes a front-end application and a back-end system.
  • an example of using two APPs (ie, APP1, APP2) by two users (ie, user a, user b) in the front-end application is as follows:
  • Both APP1 and APP2 support function a.1, but APP1 also supports function a.2, and APP2 also supports function b.1.
  • The functions that different users can use through the same APP may be different. For example, with APP1, user a is allowed to use function a.1, while user b is allowed to use function a.2.
  • user a can use function a.1 through APP1 and APP2, and the functions that user 2 can use through APP1 and APP2 do not intersect.
  • the back-end system includes: a multi-application access authentication system (referred to as an access system) and a service service domain composed of one or more public basic services and service systems, and the front-end application accesses the back-end basic service or business system through the access system.
  • the functions on the APP are supported and driven by the service system of the back end. For example, functions a.1 and functions a.2 on APP1 are supported by service system A, while functions a.1 and b on APP2. 2 Service support is provided by business system A and business system B, respectively.
  • FIG. 2 is a schematic diagram of an application access authentication system according to an embodiment of the present invention. As shown in FIG. 2, the application access authentication system in this embodiment includes:
  • the login module 21 is configured to perform login authentication according to the information carried by the login command after receiving the login command sent by the application client, and return a login success response to the application client after the login authentication is passed;
  • The service determining module 22 is configured to, after receiving the application authorization information query instruction sent by the application client, determine the service function set that the specified user is authorized to use through the application client, and send the service function set information to the application client.
  • the designated user refers to the user account of the client, and the application authorization information query instruction is for the user account.
  • the information carried by the login instruction may include: the application client identifier, the application client key, a user account, and user password information.
  • the login module 21 is configured to perform login authentication according to the information carried by the login instruction by determining the application client according to the application client identifier and the application client key.
  • the login authentication is performed according to the user account and the user password information.
  • the service determining module 22 is configured to determine the service function set that the specified user is authorized to use through the application client by: querying preset application authentication configuration data to acquire the service level corresponding to the specified user and a first service function set corresponding to the service level; acquiring a second service function set of the application client according to the application client identifier; and determining the intersection of the first service function set and the second service function set, the intersection being used as the service function set that the user is authorized to use through the application client.
  • the service determining module 22 is further configured to: after receiving the application authorization information query instruction of the application client, query the preset application authentication configuration data according to the application client identifier to obtain the address information of each port of the application client, and send the address information of each port to the application client.
  • the system may further include:
  • the authentication module 23 is configured to: after receiving the service request message sent by the application client, authenticate the service request message; after the authentication is passed, send the service request message to the corresponding service system.
  • the authentication module 23 is configured to authenticate the service request message by: parsing the identifier of the application client from the service request message; querying the preset application authentication configuration data to obtain the port information corresponding to the identifier of the application client; and comparing the queried port information with the port information of the link on which the service request message was received; if the queried port information is consistent with the port information of the link on which the service request message was received, the service request message is determined to be a legal request message.
  • the authentication module 23 is further configured to: parse the information of the corresponding application port from the service request message; when it is determined that access to the resources under the application port is restricted, parse the resource identifier string requested for access from the service request message; when it is determined that the service function set required for the resource corresponding to the resource identifier string is a subset of the service function set corresponding to the user's service level, return an authentication success response to the application client; and when it is determined that access to the resources under the application port is unrestricted, return the authentication success response to the application client.
  • the authentication module 23 is configured to parse the resource identifier string requested for access from the service request message by: when the resource resolution mode of the application port is determined to be standard parsing, extracting the resource identifier string requested for access from the service request message according to the standard protocol; when the resource resolution mode of the application port is determined to be plug-in parsing, parsing the resource identifier string requested for access by means of the application resource deep packet inspection plug-in corresponding to the application client identifier.
  • FIG. 3 is a schematic diagram of an apparatus for applying access authentication according to an embodiment of the present invention. As shown in FIG. 3, the apparatus for applying access authentication in this embodiment includes:
  • the login module 31 is configured to send a login command to the application authentication system, and after receiving the login success response returned by the application authentication system, send an application authorization information query instruction to the application authentication system;
  • the control module 32 is configured to, after receiving the authorized service function set information returned by the application authentication system, control the information display of the interaction interface according to the service function set information.
  • the apparatus for application access authentication further includes:
  • the service module 33 is configured to send a service request message to the application authentication system, where the service request message carries an identifier of the application client, a user account, the session token information carried by the login success response, and the name of the application port to which access is requested.
  • the login module 31 is further configured to send an exit instruction to the application authentication system, wherein the exit instruction carries an identifier of the application client, a user account, and the session token.
  • an application access authentication system of the application example includes an application gateway server, an application authentication server, and an application data server. Multiple servers of each type can be deployed in the multi-application access authentication system. Both the application gateway server and the application authentication server need to access the application authentication configuration data stored by the application data server.
  • the application gateway server is composed of a link access module and one or more protocol parsing modules.
  • one or more application resource DPI plugins can be loaded and run.
  • the link access module is responsible for listening on one or more application ports, responding to the link establishment and link teardown requests of the APP client, and maintaining link session information of the long connection link.
  • the client request message received by the link access module is distributed to different protocol parsing modules for processing.
  • the protocol parsing module parses the authentication-related information provided by the APP client from the request message according to the protocol, and processes the request further only after verifying that it is a legal request.
  • the protocol parsing module parses each general-purpose instruction parameter from the message content, and then forwards it to the application authentication server for processing; when receiving the processing result of the application authentication server, the response message is returned to the APP according to the protocol.
  • the protocol parsing module not only parses the authentication parameters carried by the service request, but also parses the resource identifier string accessed by the service request, and sends an authentication request to the application authentication server, where the authentication request carries the authentication parameters and the resource identifier string; if the application authentication server returns authentication success, the protocol parsing module distributes the message body content requested by the client to the service system corresponding to the client request, encodes the service system's processing result according to the protocol, and returns it to the APP through the link access module; if the application authentication server returns authentication failure, the protocol parsing module generates an authentication-failure error response according to the protocol and returns it to the APP through the link access module.
  • the application authentication server is composed of a general instruction execution module and an authentication logic module.
  • the application authentication server is the core of the multi-application access authentication system, and performs processing on the general instruction request and the authentication request sent by the application gateway server.
  • the application authentication server accesses the application data server inside the multi-application access authentication system to store and access the application session data and to obtain the application and authentication configuration data, which it uses for authentication or returns to the APP; it also accesses the APP backend user database to verify information such as the user account, password, and user service level.
  • the application data server stores the application session record and the application authentication configuration data.
  • the application session record stores the triplet information of the user account, the APP ID, and the session token.
  • FIG. 5 is a flowchart of APP login authentication according to an embodiment of the present invention. As shown in FIG. 5, the method includes the following steps:
  • Step 501 After the APP is started, a login interface is displayed, the user inputs an account and a password, and the APP sends a login instruction.
  • Each APP is preset to the login port address of the application gateway server.
  • the login command carries the APP ID, APP key, user account and user password information, and is transmitted over a link encrypted with SSL (Secure Sockets Layer)/TLS (Transport Layer Security).
  • Step 502 After receiving the login command, the authentication server identifies whether it is a legal APP according to the APP ID and the APP key. If the application is a legal APP, the process proceeds to step 503; if it is not a legal APP, the information of the illegal APP is returned, and the process ends.
  • Step 503 The authentication server determines, according to the user account and the password, whether the user is a registered user and the password is correct. If the user account is a registered user and the password is correct, then go to step 504; otherwise an error such as unregistered user or account/password error is returned, and the process ends;
  • Step 504 The authentication server determines, according to the service level of the user, whether the user has the service function authorization required to use the APP. If the user has the service function authorization required to use the APP, that is, the service function authorization condition is met, then go to step 505; otherwise, a response indicating that the user is not authorized to use the APP is returned to the APP, and the process ends;
  • Step 505 The authentication server generates a session token for the login authentication, and stores the user account, the APP ID, and the session token in the application data server, and returns a login success response to the APP and carries the session token.
  • Step 506 After receiving the login success response, the APP sends an application authorization information query instruction, where the application authorization information query instruction carries an APP ID, a user account, and a session token.
  • Step 507 The authentication server queries the application data server for the corresponding application session record according to the user account, the APP ID, and the session token. If the corresponding application session record exists, indicating that the user has successfully logged in through the APP, then go to step 508. If it does not exist, illegal session information is returned to the APP, and the process ends.
  • Step 508 Determine a service function set of the user; query address information of each port of the APP, and return the service function set of the user and the address information of each port to the APP;
  • the authentication server queries the user database for the service level corresponding to the user account, queries the service function set of that service level from the application authentication configuration data of the application data server, and obtains the APP's service function set from the application authentication configuration data according to the APP ID; it calculates the intersection of the two service function sets to obtain the service function set authorized for the user through the APP, and queries the address information of each port of the APP according to the APP ID from the application access configuration data of the application data server. It then returns both sets of information to the APP (that is, the service function set authorized for the user through the APP and the address information of each port of the APP).
  • Step 509 The APP determines which interfaces or components to display or hide according to the returned service function set, so that it avoids displaying an interface or element that the user is not authorized to use, which would affect the user experience; the application port addresses are used by the APP to subsequently send service requests.
  • FIG. 6 is a flowchart of verifying a service request according to an embodiment of the present invention. As shown in FIG. 6, after receiving an APP service request message, the multi-application access authentication system needs to verify whether the service request message is a legal request, as follows:
  • Step 601 The link access module completely receives the APP service request message.
  • Step 602 The link access module determines, according to the application access configuration data and the intranet port, the protocol type of the APP service request (a port supports only one protocol type), and thereby determines the protocol parsing module to which the request is distributed;
  • the protocol type may be IMAP4 (Internet Message Access Protocol, version 4), SMTP (Simple Mail Transfer Protocol), SOAP (Simple Object Access Protocol), and so on.
  • Step 603 The link access module forwards the internal port of the received service request link together with the service request message to the corresponding protocol parsing module for processing;
  • Step 604 The protocol parsing module parses the APP ID and the application port name from the service request message according to the protocol.
  • Step 605 The protocol parsing module determines whether the parsed APP ID and the application port are empty. If empty, an error response indicating a missing parameter is returned to the APP, and the process ends; if not, go to step 606;
  • Step 606 The protocol parsing module queries the record corresponding to the APP ID and the application port name from the application access configuration data.
  • Step 607 The protocol parsing module determines whether the record corresponding to the APP ID and the application port name exists. If yes, the process proceeds to step 608. If not, the error response of the unknown application port is returned to the APP, and the process ends.
  • Step 608 The protocol parsing module compares the queried internal port with the internal port provided by the link access module. If the two ports are consistent, the service request is a legitimate request and the protocol parsing module carries out subsequent processing on it; otherwise, the service request is attempting to access a network port that does not match the application port name it filled in and is an illegal request, so an error response stating that the application port is inconsistent with the actual port is returned directly, and the process ends.
  • FIG. 7 is a flowchart of acquiring resources accessed by a service request according to an embodiment of the present invention. As shown in FIG. 7, the method includes the following steps:
  • Step 701 For a valid service request message, the protocol parsing module queries the corresponding record from the application resource authorization configuration data according to the APP ID and the application port name.
  • Step 702 The protocol processing module determines whether the record exists. If the record exists, indicating that access to the resources under the application port is restricted, the process proceeds to step 703. If the record does not exist, indicating that access to the resources under the application port is unrestricted, the authentication request is sent to the application authentication server without filling in the resource identifier string, and the process ends;
  • Step 703 The protocol processing module determines the resource resolution mode of the application port. If it is a restricted application port and the resource resolution mode is standard parsing, then go to step 704; if it is a restricted application port and the resource resolution mode is plug-in parsing, then go to step 705;
  • Step 704 The protocol parsing module directly parses the resource identifier string requested for access from the service request message according to the standard protocol, and then proceeds to step 707;
  • for example, an HTTP service request directly uses the HTTP request line as the resource identifier string (for example, POST voicemail/forwardmsg HTTP/1.1), and a service request of the IMAP protocol uses the selected folder as the resource identifier string (for example, for IMAP's SELECT Greetings command, Greetings is the resource identifier string).
  • Step 705 The protocol parsing module sends a resource parsing request to the application resource DPI plug-in corresponding to the APP ID that is loaded by the application gateway server.
  • Step 706 After receiving the resource resolution request, the application resource DPI plugin parses the resource identifier string of the requested access from the message body according to the message interface definition of the application, and returns the parsing result to the protocol parsing module.
  • the application refers to any client software; the client software and the server have an agreed interface protocol, and the application's own DPI plug-in can identify the characteristic information required for resource authentication from the content according to the interface protocol.
  • Step 707 The protocol parsing module fills in the resource identifier string in the authentication request sent to the application authentication server.
  • the protocol parsing module fills in the resource identifier string in the authentication request sent to the application authentication server; if step 706 resolves to an unrestricted application port, the protocol parsing module does not fill in the resource identifier string in the authentication request sent to the application authentication server.
  • FIG. 8 is a flowchart of session authentication and resource authentication according to an embodiment of the present invention. As shown in FIG. 8, the method includes the following steps:
  • Step 801 The protocol parsing module of the application gateway server sends an authentication request to the application authentication server.
  • the authentication request carries the group information of the APP ID, the user account, the session token, the application port name, and the resource identifier string.
  • Step 802 The authentication logic module of the application authentication server parses the APP ID, user account, session token, application port name, and resource identifier string from the authentication request;
  • Step 803 Query whether there is a corresponding application session record from the application data server according to the APP ID, the user account, and the session token. If there is a corresponding record, it indicates that the request is from the APP that has successfully logged in, so it is a request for a legitimate session. Then, the process proceeds to step 804, otherwise an illegal session error response is returned to the protocol parsing module;
  • Step 804 After the session is authenticated, determine whether the resource identifier string in the authentication request is empty. If it is not empty, indicating that the service request accesses a restricted application port, go to step 805; if it is empty, go to step 808;
  • Step 805 The authentication logic module queries the user database for the service level of the user account, and obtains the service function set corresponding to the service level from the service level authorization configuration data.
  • Step 806 The authentication logic module queries the corresponding record from the application port resource authorization information according to the APP ID, the application port, and the resource identifier string. If the corresponding record exists, the authentication logic module obtains the service function set configured in the record, and then goes to step 807; if there is no corresponding record, indicating that the resource does not exist under the application port, the authentication logic module returns an unknown-resource error response to the protocol parsing module;
  • the resource tag string represents a string of data or functions to be accessed.
  • the encoding format is not limited as long as the service subsystem can recognize it.
  • For example, a business support SOAP request:
  • the DPI plugin provided by the service can use "a.b" as a resource label string.
  • Step 807 The authentication logic module determines whether the service function set of the service level is greater than or equal to the service function set required by the resource (that is, whether the service function set required for the resource is a subset of the service function set corresponding to the service level). If the service function set of the service level is greater than or equal to the service function set required by the resource, the user is allowed to access the resource, and the process goes to step 808; if the service function set of the service level is smaller than the service function set required by the resource, the user does not have the right to access the resource, and the authentication logic module returns an error response that the resource cannot be accessed to the protocol parsing module;
  • Step 808 The authentication logic module directly returns a response of the authentication success to the protocol parsing module.
  • After receiving the authentication success response, the application gateway server forwards the APP service request to the corresponding service system or the public basic service.
  • the embodiment of the present invention provides a method for applying access authentication, including:
  • Step 901 After receiving the login instruction sent by the application client, perform login authentication according to the information carried by the login instruction.
  • Step 902 After the login authentication is passed, return a login success response to the application client.
  • Step 903 After receiving an application authorization information query instruction sent by the application client, determine a service function set that is authorized by the specified user through the application client.
  • Step 904 Send the service function set information to the application client.
  • an embodiment of the present invention provides a method for applying access authentication, including:
  • Step 1001 After the application client starts, send a login instruction to the application authentication system.
  • Step 1002 After receiving the login success response returned by the application authentication system, send an application authorization information query instruction to the application authentication system.
  • Step 1003 After receiving the authorized service function set information returned by the application authentication system, control information display of the interaction interface according to the service function set information.
  • the embodiment of the invention further provides a computer readable storage medium, wherein the computer readable storage medium stores computer executable instructions, and the method for application access authentication is implemented when the computer executable instructions are executed.
  • each module/unit in the above embodiment may be implemented in the form of hardware, for example, by an integrated circuit that implements its corresponding function, or may be implemented in the form of a software function module, for example, by a processor executing a program/instructions stored in the memory to achieve its corresponding function.
  • This application is not limited to any specific combination of hardware and software.
  • the foregoing technical solution can implement unified access and complete flexible authentication in multiple application scenarios.
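
The checks in the FIG. 5 and FIG. 8 flows, together with the port comparison of step 608, sketched as an added Python example; this is not code from the patent or its applicant. All account names, function names, keys and port numbers are constructed, and reading step 504 as "the intersection of the two function sets is non-empty" is an assumption.

```python
import hashlib
import hmac
import secrets

# Every name and value below is constructed for illustration.
SALT = b"constructed-salt"

def _pw_hash(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)

USERS = {  # APP backend user database: account -> (password hash, service level)
    "alice": (_pw_hash("correct horse"), "gold"),
    "bob": (_pw_hash("hunter2"), "basic"),
}
LEVEL_FUNCTIONS = {  # service level -> first service function set
    "gold": {"voicemail.read", "voicemail.forward", "greeting.edit"},
    "basic": {"voicemail.read"},
}
APPS = {  # APP ID -> APP key, second service function set, application ports
    "vm-app": {
        "key": "constructed-app-key",
        "functions": {"voicemail.read", "voicemail.forward"},
        "ports": {"http-api": 8443},  # application port name -> internal port
    },
}
RESOURCES = {  # (APP ID, port name, resource identifier string) -> required set
    ("vm-app", "http-api", "POST voicemail/forwardmsg HTTP/1.1"): {"voicemail.forward"},
    ("vm-app", "http-api", "GET voicemail/list HTTP/1.1"): {"voicemail.read"},
}
SESSIONS = set()  # application session records: (account, APP ID, session token)

def login(app_id, app_key, account, password):
    """Steps 502-505. Returns (status, session token or None)."""
    app = APPS.get(app_id)
    if app is None or not hmac.compare_digest(app["key"].encode(), app_key.encode()):
        return "illegal APP", None
    stored, level = USERS.get(account, (b"", None))
    # Hash even for unknown accounts so both failure paths cost the same.
    password_ok = hmac.compare_digest(stored, _pw_hash(password))
    if level is None or not password_ok:
        return "account/password error", None
    # Assumption: step 504 passes when the user's level grants at least one
    # of the functions the APP offers.
    if not (LEVEL_FUNCTIONS[level] & app["functions"]):
        return "not authorized to use APP", None
    token = secrets.token_urlsafe(32)
    SESSIONS.add((account, app_id, token))  # the stored triplet
    return "ok", token

def query_authorization(app_id, account, token):
    """Steps 507-508. Returns None for an illegal session."""
    if (account, app_id, token) not in SESSIONS:
        return None
    level = USERS[account][1]
    return {
        "functions": LEVEL_FUNCTIONS[level] & APPS[app_id]["functions"],
        "ports": dict(APPS[app_id]["ports"]),
    }

def port_matches(app_id, port_name, receiving_port):
    """Steps 606-608: the claimed port name must map to the port the link used."""
    configured = APPS.get(app_id, {}).get("ports", {}).get(port_name)
    return configured is not None and configured == receiving_port

def authenticate(app_id, account, token, port_name, resource=None):
    """Steps 803-808: session authentication, then resource authentication."""
    if (account, app_id, token) not in SESSIONS:
        return "illegal session"
    if not resource:  # empty identifier string: unrestricted application port
        return "ok"
    required = RESOURCES.get((app_id, port_name, resource))
    if required is None:
        return "unknown resource"
    # Step 807 compares against the service level's set, as the text states;
    # it does not intersect with the APP's own set at this point.
    level_functions = LEVEL_FUNCTIONS[USERS[account][1]]
    if required <= level_functions:
        return "ok"
    return "resource cannot be accessed"
```

A session token issued to one APP ID does not authenticate under another, because the lookup in `SESSIONS` is on the full triplet.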

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Human Computer Interaction (AREA)
  • Information Transfer Between Computers (AREA)
  • Computer And Data Communications (AREA)

Abstract

The invention relates to an application access authentication method. The method comprises: after receiving a login instruction sent by an application client, performing login authentication according to information carried by the login instruction; after the login authentication succeeds, returning a login success response to the application client; and after receiving an application authorization information query instruction from the application client, determining a service function set that is authorized for a designated user through the application client, and sending information about the service function set to the application client. The technical solution can implement unified access and complete, flexible authentication in multiple application scenarios.
PCT/CN2016/079209 2016-01-25 2016-04-13 Application access authentication method, system, apparatus and terminal WO2016188256A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201610049963.X 2016-01-25
CN201610049963.XA CN106998551B (zh) 2016-01-25 2016-01-25 Method, system, apparatus and terminal for application access authentication

Publications (1)

Publication Number Publication Date
WO2016188256A1 (fr) 2016-12-01

Family

ID=57392429

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2016/079209 WO2016188256A1 (fr) 2016-01-25 2016-04-13 Application access authentication method, system, apparatus and terminal

Country Status (2)

Country Link
CN (1) CN106998551B (fr)
WO (1) WO2016188256A1 (fr)

Also Published As

Publication number Publication date
CN106998551B (zh) 2021-06-29
CN106998551A (zh) 2017-08-01

Similar Documents

Publication Publication Date Title
WO2016188256A1 (fr) Application access authentication method, system, apparatus and terminal
CN108901022B (zh) Unified microservice authentication method and gateway
US9531714B2 (en) Enterprise authentication via third party authentication support
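CN106471783B (zh) Enterprise system authentication and authorization via a gateway
TWI725958B (zh) Cloud host service permission control method, device and system
CN107172054B (zh) CAS-based permission authentication method, device and system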
US11477248B2 (en) Protecting web applications from untrusted endpoints using remote browser isolation
US10356612B2 (en) Method of authenticating a terminal by a gateway of an internal network protected by an access security entity providing secure access
WO2016015436A1 (fr) Platform authorization method, platform server, application client, system and storage medium
JP2020502616A (ja) Non-intrusive security enforcement for federated single sign-on (SSO)
CN106209726B (zh) Mobile application single sign-on method and device
CN112468481B (zh) CAS-based integrated identity authentication method for single-page and multi-page web applications
CN115021991A (zh) Single sign-on for unmanaged mobile devices
US11770385B2 (en) Systems and methods for malicious client detection through property analysis
JP6572750B2 (ja) Authentication control program, authentication control device, and authentication control method
US10027642B2 (en) Method of access by a telecommunications terminal to a database hosted by a service platform that is accessible via a telecommunications network
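CN109040069A (zh) Publishing method, publishing system and access method for a cloud application
WO2023077999A1 (fr) Application access control method and apparatus, computing device and storage medium
CN112868212A (zh) Systems and methods for an improved remote display protocol for HTML applications
Yang et al. Breaking and fixing mobile app authentication with OAuth2.0-based protocols
CN104463584A (zh) Method for realizing secure payment in a mobile app
CN117251837A (zh) System access method, device, electronic equipment and storage medium
CN107045603A (zh) Application invocation control method and device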
US11977620B2 (en) Attestation of application identity for inter-app communications
US12003547B1 (en) Protecting web applications from untrusted endpoints using remote browser isolation

Legal Events

Date Code Title Description
121 EP: the EPO has been informed by WIPO that EP was designated in this application

Ref document number: 16799145

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 EP: PCT application non-entry in European phase

Ref document number: 16799145

Country of ref document: EP

Kind code of ref document: A1