WO2018036415A1 - Authentication proxy method, apparatus and device - Google Patents


Info

Publication number
WO2018036415A1
Authority
WO (WIPO, PCT)
Prior art keywords
authentication, user terminal, redirect message, proxy, sent
Application number
PCT/CN2017/097703
Other languages
French (fr), Chinese (zh)
Inventor
郑占彬
Original Assignee
中兴通讯股份有限公司
Application filed by 中兴通讯股份有限公司
Publication of WO2018036415A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/40 Network security protocols
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L 63/0884 Network architectures or network communication protocols for network security for authentication of entities by delegation of authentication, e.g. a proxy authenticates an entity to be authenticated on behalf of this entity vis-à-vis an authentication entity
    • H04L 63/0876 Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
    • H04L 63/0892 Network architectures or network communication protocols for network security for authentication of entities by using authentication-authorization-accounting [AAA] servers or protocols

Definitions

  • The present application relates to the field of authentication technology, for example to an authentication proxy method, apparatus and device.
  • AAA authentication is used to provide security services.
  • AAA authentication includes: Authentication, Authorization, and Accounting.
  • Authentication verifies the identity of the user and determines whether the user is a legitimate user.
  • Authorization determines which network services the authenticated user may use.
  • Accounting records the resources the user consumes while using the network service; this information is used as the basis for charging.
  • The authentication interaction between the user's terminal and a remote authentication server may cause a large authentication delay if the user is out of base station signal coverage.
  • When the user terminal performs the authentication interaction with the remote authentication server through a satellite communication system, the authentication delay is even greater.
  • The satellite can be used as a relay station to forward the authentication interaction messages, so that, during the entire authentication process, every authentication interaction message between the user terminal and the AAA authentication server is transmitted over the satellite link.
  • The authentication interaction messages are transparently transmitted through the satellite end station multiple times; because of the inherent delay of satellite link transmission, the authentication delay is large, authentication takes a long time, and the user experience is poor.
  • The present disclosure provides an authentication proxy method, apparatus, and device to solve the problem of large authentication delay that arises when the related technologies perform remote authentication.
  • The present disclosure provides an authentication proxy method, including: intercepting a redirect message sent by a first authentication device to a user terminal; modifying the redirect message and sending the modified message to the user terminal, wherein the address used for redirection in the redirect message is modified to the address of the proxy device; receiving the authentication information sent by the user terminal according to the modified redirect message; and authenticating the user terminal, on its behalf, according to the authentication information.
  • Before intercepting the redirect message sent by the first authentication device to the user terminal, the method further includes: receiving a domain name sent by the user terminal; obtaining, from a preset domain name cache list, the Internet Protocol (IP) address corresponding to the domain name and returning it to the user terminal; and forwarding the IP access request that the user terminal initiates according to that IP address to the first authentication device, where the first authentication device sends a redirect message to the user terminal through the proxy device when it determines, according to the IP access request, that the user terminal has not passed authentication.
  • Receiving the authentication information sent by the user terminal according to the modified redirect message includes: receiving an authentication page acquisition request sent by the user terminal according to the modified redirect message; returning, according to the authentication page acquisition request, the pre-stored authentication page to the user terminal; and receiving the authentication information sent by the user terminal based on the authentication page.
  • The method further includes: establishing a communication connection between the proxy device and the second authentication device.
  • Authenticating the user terminal according to the authentication information includes: sending the authentication information to the second authentication device, so that the second authentication device initiates authentication of the user terminal according to the authentication information; receiving the authentication result returned by the second authentication device; and sending the authentication result to the user terminal.
  • The present disclosure also provides an authentication proxy apparatus, including: an intercepting module configured to intercept a redirect message sent by the first authentication device to the user terminal; a modifying module configured to modify the redirect message, wherein the address used for redirection in the redirect message is modified to the address of the proxy device;
  • a transceiver module configured to send the modified redirect message to the user terminal and to receive the authentication information sent by the user terminal according to the modified redirect message; and
  • a proxy module configured to authenticate the user terminal, on its behalf, according to the authentication information.
  • The transceiver module is further configured to: receive a domain name sent by the user terminal; obtain, from a preset domain name cache list, the Internet Protocol (IP) address corresponding to the domain name and return it to the user terminal; and forward the IP access request that the user terminal initiates according to the IP address to the first authentication device, where the first authentication device sends a redirect message to the user terminal through the proxy device when it determines, according to the IP access request, that the user terminal has not passed authentication.
  • The transceiver module may be configured to: receive an authentication page acquisition request sent by the user terminal according to the modified redirect message; return, according to the authentication page acquisition request, the pre-stored authentication page to the user terminal; and receive the authentication information sent by the user terminal based on the authentication page.
  • The apparatus further includes a connection module configured to establish a communication connection between the proxy device and the second authentication device before the user terminal is authenticated according to the authentication information.
  • The proxy module may be configured to: send the authentication information to the second authentication device, so that the second authentication device initiates authentication of the user terminal according to the authentication information; and receive the authentication result returned by the second authentication device and send it to the user terminal.
  • The present disclosure also provides an authentication proxy device in which the authentication proxy apparatus described above is provided.
  • Embodiments of the present disclosure also provide a computer readable storage medium storing computer executable instructions arranged to perform the above method.
  • An embodiment of the present disclosure further provides an electronic device, including:
  • at least one processor; and
  • a memory storing instructions executable by the at least one processor, the instructions, when executed by the at least one processor, causing the at least one processor to perform the method described above.
  • The disclosure modifies the redirect message so that it redirects to the proxy device, and the proxy device acts as the proxy of the user terminal and is responsible for authenticating it. This reduces the interaction between the user terminal and the first and second authentication devices, effectively reduces the authentication delay, shortens the authentication time, improves the authentication efficiency, and improves the user experience.
  • FIG. 1 is a flow chart of an authentication proxy method according to an embodiment of the present disclosure.
  • FIG. 2 is a flow chart of an authentication proxy method based on a satellite communication system, according to an embodiment of the present disclosure.
  • FIG. 3 is a timing diagram of an authentication proxy method based on a satellite communication system, according to an embodiment of the present disclosure.
  • FIG. 4 is a structural diagram of an authentication proxy apparatus according to an embodiment of the present disclosure.
  • FIG. 5 is a schematic structural diagram of an electronic device according to an embodiment of the present disclosure.
  • In the embodiments, the redirect message sent by the first authentication device to the user terminal is intercepted; the redirect message is modified and sent to the user terminal, wherein the address used for redirection in the redirect message is modified to the address of the proxy device; the authentication information sent by the user terminal according to the modified redirect message is received; and the user terminal is authenticated according to the authentication information.
  • By changing the message that redirects to the second authentication device so that it redirects to the local end instead, the present disclosure reduces the interaction between the user terminal and the first and second authentication devices, thereby effectively shortening the authentication duration, improving the authentication efficiency, and improving the user experience.
  • Before intercepting the redirect message sent by the first authentication device to the user terminal, the method further includes: receiving a domain name sent by the user terminal; acquiring, from a preset domain name cache list, the Internet Protocol (IP) address corresponding to the domain name and returning it to the user terminal; and forwarding the received IP access request, initiated by the user terminal according to the IP address, to the first authentication device, wherein the first authentication device sends a redirect message to the user terminal through the proxy device when it determines, according to the IP access request, that the user terminal has not passed authentication.
  • By setting the domain name cache list in advance, the disclosure avoids the step of sending the domain name to the first authentication device for resolution, which reduces the authentication delay and improves the authentication efficiency.
  • Receiving the authentication information sent by the user terminal according to the modified redirect message includes: receiving an authentication page acquisition request sent by the user terminal according to the modified redirect message; returning, according to the authentication page acquisition request, the pre-stored authentication page to the user terminal; and receiving the authentication information sent by the user terminal based on the authentication page.
  • Because the proxy device serves the pre-stored authentication page, the user terminal does not need to obtain it from the second authentication device, which improves the authentication efficiency and shortens the authentication time.
  • The method further includes: establishing a communication connection between the proxy device and the second authentication device.
  • By establishing the communication connection in advance, the delay in transmitting the authentication interaction information is reduced and the authentication time is shortened.
  • Authenticating the user terminal according to the authentication information includes: sending the authentication information to the second authentication device, so that the second authentication device initiates authentication of the user terminal according to the authentication information; receiving the authentication result returned by the second authentication device; and sending the authentication result to the user terminal.
  • When the proxy device is responsible for authenticating the user terminal, it redirects the message that was redirected to the second authentication device to the local end and uses pre-cached DNS entries and a pre-cached authentication page, thereby reducing the interaction between the user terminal and the first and second authentication devices; the proxy device also establishes the communication link in advance, which effectively shortens the authentication delay. Therefore, this embodiment can effectively shorten the authentication duration, improve the authentication efficiency, and improve the user experience.
  • This embodiment provides an authentication proxy method; FIG. 1 is a flowchart of the authentication proxy method according to the first embodiment of the present disclosure.
  • The method of this embodiment is performed by the proxy device.
  • Step S110: intercepting the redirect message sent by the first authentication device to the user terminal.
  • The redirect message is the response message to the IP access request of the user terminal, sent after the first authentication device determines, according to that request, that the user terminal has not passed authentication.
  • The redirect message is used to redirect the IP access request to the second authentication device, causing the second authentication device to initiate an authentication request to the user terminal.
  • The first authentication device may provide services such as domain name resolution and broadband access.
  • The first authentication device may be a broadband remote access server (Bras).
  • The second authentication device can provide a user authentication service.
  • The second authentication device may be a Portal server.
  • The first authentication device and the second authentication device may be two independent devices or may be combined into one device.
  • The IP access request that the user terminal initiates according to the IP address is forwarded to the first authentication device.
  • The first authentication device sends a redirect message to the user terminal through the proxy device when it determines, according to the IP access request, that the user terminal has not passed authentication.
  • The domain name cache list records the correspondence between domain names and IP addresses.
  • The domain name cache list is pre-stored in the proxy device and updated in real time or periodically.
  • Pre-setting the domain name cache list implements a domain name proxy on the proxy device side, so that the user terminal does not have to access the remote first authentication device for domain name resolution. This reduces the authentication delay and improves the authentication efficiency.
  • Step S120: modifying the redirect message and sending it to the user terminal, wherein the address used for redirection in the redirect message is modified to the address of the proxy device.
  • The address used for redirection is the address of the second authentication device; it is modified to the address of the proxy device, so that the message that redirected to the second authentication device now redirects to the proxy device.
  • With the redirect message modified, the proxy device becomes the proxy of the user terminal: the messages the user terminal would send to the first and second authentication devices are sent to the proxy device for processing instead, which reduces the interaction between the user terminal and the first and second authentication devices.
  • Step S130: receiving the authentication information sent by the user terminal according to the modified redirect message.
  • Because the address of the second authentication device in the redirect message has been modified to the address of the proxy device, the user terminal, following the modified redirect message, sends the authentication information it would have sent to the second authentication device to the proxy device, and the proxy device receives it.
  • The user terminal first sends an authentication page acquisition request, used to obtain the authentication page on which the authentication information is submitted. Since the address for redirection in the modified redirect message is the address of the proxy device, the user terminal sends the authentication page acquisition request to the proxy device.
  • The authentication information includes a username, a password, and the IP address of the user terminal.
  • The user terminal can display the authentication page, on which a user name and a password can be entered.
  • The proxy device uses the user name, the password, and the IP address of the user terminal as the authentication information.
  • Because the proxy device returns the pre-stored authentication page, the user terminal does not need to obtain the page from the second authentication device, which improves the authentication efficiency and shortens the authentication time.
  • Step S140: authenticating the user terminal, on its behalf, according to the authentication information.
  • AAA authentication is performed on behalf of the user terminal according to the authentication information: the proxy device sends the authentication information to the second authentication device, so that the second authentication device initiates authentication of the user terminal according to the authentication information; the proxy device then receives the authentication result returned by the second authentication device and sends it to the user terminal.
  • A communication connection may be established between the proxy device and the second authentication device; based on that communication connection, the authentication information is sent to the second authentication device, so that the second authentication device initiates authentication of the user terminal according to the authentication information; the proxy device receives the authentication result returned by the second authentication device and sends it to the user terminal.
  • When the proxy device is responsible for authenticating the user terminal, it redirects the message that was redirected to the second authentication device to the local end and uses pre-cached DNS entries and a pre-cached authentication page, reducing the interaction between the user terminal and the first and second authentication devices; the proxy device also establishes the communication link in advance, which effectively shortens the authentication delay. Therefore, this embodiment can effectively shorten the authentication duration, improve the authentication efficiency, and improve the user experience.
  • A satellite end station acts as a ground station for a communication satellite and, in the related technology, transparently passes the authentication interaction messages between the user terminal and the Bras server and Portal server.
  • The user terminal accesses the network via the satellite end station. The Bras server intercepts the Internet access request of the user terminal and determines whether the user terminal has passed AAA authentication. If so, the Internet access request is served; otherwise, the Bras server sends the user terminal a message redirecting it to the Portal server, so that the user terminal obtains the authentication page from the Portal server and sends the authentication information to the Portal server based on that page.
  • The Portal server, the Bras server, and the AAA authentication server cooperate to complete the AAA authentication of the user terminal, and the Portal server returns the authentication result to the user terminal.
  • The Internet access request, the redirect message, the authentication page request and response, the authentication information and the authentication result are all transparently transmitted by the satellite end station. Because of the inherent delay of satellite link transmission, the authentication delay is large and the authentication time is long. If the satellite end station is set up as the proxy device, the authentication delay is effectively reduced, the authentication time is shortened, the authentication efficiency is improved, and the user experience is enhanced.
  • This embodiment provides an authentication proxy method based on a satellite communication system.
  • The proxy device is a satellite end station, so the method of this embodiment is performed by the satellite end station.
  • The first authentication device is a Bras server, and the second authentication device is a Portal server.
  • The satellite link includes a communication satellite, a first ground station and a second ground station.
  • The satellite end station in this embodiment is the first ground station, the one closest to the user terminal; the communication satellite and the second ground station only forward (transparently transmit) the traffic.
  • The communication satellite and the second ground station, which only forward traffic, are not described further.
  • FIG. 2 is a flow chart of a satellite communication based authentication proxy method in accordance with an embodiment of the present disclosure.
  • Step S210: intercepting the redirect message sent by the Bras server to the user terminal.
  • The redirect message is the response of the Bras server to the IP access request, sent after the Bras server determines, according to that request, that the user terminal has not passed authentication.
  • The redirect message is used to redirect the IP access request to the Portal server, so that the Portal server initiates an authentication request to the user terminal.
  • The redirect message sent by the Bras server to the user terminal must pass through the satellite end station before it reaches the user terminal, so the satellite end station can intercept it.
  • Before Step S210: the satellite end station receives a domain name sent by the user terminal; obtains, from the preset domain name cache list, the IP address mapped to the domain name and returns it to the user terminal; receives the IP access request that the user terminal initiates according to the IP address; and forwards that IP access request to the Bras server.
  • When the Bras server determines, according to the IP access request, that the user terminal has not passed authentication, it sends a redirect message to the user terminal through the satellite end station; the redirect message redirects to the Portal server.
  • The domain name cache list records the correspondence between domain names and IP addresses.
  • The domain name cache list is pre-stored in the satellite end station and updated in real time or periodically.
  • Pre-setting the domain name cache list in the satellite end station avoids sending the domain name to the Bras server over the satellite link for resolution, which reduces the authentication delay and improves the authentication efficiency.
  • The user terminal can then directly perform IP access, and the satellite end station directly receives the IP access request sent by the user terminal.
  • Step S220: modifying the redirect message and sending it to the user terminal, wherein the redirect message is modified to redirect to the satellite end station.
  • The address used for redirection is the address of the Portal server; it is modified to the address of the satellite end station, so that the redirect message that redirected to the Portal server now redirects to the satellite end station.
  • Modifying the redirect message makes the satellite end station the proxy of the user terminal: the messages the user terminal would send to the Bras server and the Portal server are sent to the satellite end station for processing, which reduces the interaction between the user terminal and the Bras server and Portal server.
  • Step S230: receiving the authentication information sent by the user terminal according to the modified redirect message.
  • The user terminal sends the authentication information it would have sent to the Portal server to the satellite end station, and the satellite end station receives it.
  • The authentication page is, for example, a Portal login page.
  • The username and password entered by the user are collected on the Portal login page.
  • The authentication page is pre-stored in the satellite end station and updated in real time or periodically, so that the user terminal does not need to obtain it from the Portal server over the satellite link, which improves the authentication efficiency and shortens the authentication time.
  • Step S240: authenticating the user terminal, on its behalf, according to the authentication information.
  • The authentication information is used to perform AAA authentication on behalf of the user terminal.
  • The satellite end station sends the authentication information to the Portal server on behalf of the user terminal and, also on its behalf, receives the authentication result returned by the Portal server.
  • Before authenticating the user terminal according to the authentication information, the method further includes: establishing a communication connection between the satellite end station and the Portal server to form the communication link used for authentication; the received authentication information is then sent to the Portal server over that connection, so that the Portal server initiates authentication of the user terminal according to the authentication information.
  • After modifying the redirect message, the satellite end station establishes the communication connection with the Portal server before it receives the authentication information; for example, it may establish the connection at the same time as it receives the authentication page acquisition request or returns the authentication page to the user terminal.
  • When the satellite end station (first ground station) establishes the communication connection with the Portal server, it requests a connection to the Portal server; in the resulting physical communication link, the first ground station, the communication satellite, the second ground station and the Portal server are connected in sequence.
  • After the Portal server initiates the authentication request for the user terminal, the Portal server, the Bras server and the AAA server perform AAA authentication of the user terminal, and the Portal server feeds the authentication result back to the satellite end station.
  • The satellite end station receives the authentication result returned by the Portal server and sends it to the user terminal.
  • The satellite end station is responsible for AAA authentication on behalf of the user terminal: it redirects the message that was redirected to the Portal server to the local end and uses pre-cached DNS entries and a pre-cached authentication page to reduce the interaction between the user terminal and the Bras server and Portal server; it also establishes the communication link in advance, which effectively shortens the authentication delay. Therefore, this embodiment can effectively shorten the authentication duration, improve the authentication efficiency, and improve the user experience.
  • FIG. 3 is a timing diagram of a satellite communication based authentication proxy method in accordance with an embodiment of the present disclosure.
  • step 1 the satellite end station receives the domain name access request sent by the user terminal.
  • a satellite end station is the ground station in the satellite link that is closest to the user terminal.
  • the domain name access request carries the domain name requested by the user terminal. Users can use the browser of the user terminal to access a website, such as entering www.sina.com in a browser to initiate access to the domain name www.sina.com.
  • step 2 the satellite end station returns the IP address corresponding to the domain name to the user terminal.
  • the satellite end station returns the IP address corresponding to the domain name requested by the user terminal to the user terminal.
  • the domain name access request sent by the user terminal must first be sent to the satellite end station and sent to Bras via the satellite link. server.
  • the satellite end station intercepts the domain name access request, and filters the domain name requested by the user terminal. If the satellite end station has previously stored the IP address corresponding to the domain name, the IP address is directly returned to the user terminal; If the satellite end station does not pre-store the IP address corresponding to the domain name, the domain name access request is forwarded to the Bras server and the IP address returned by the Bras server is forwarded to the user terminal. Proceed as follows:
  • Step A: the satellite end station queries the domain name in the domain name access request in the preset domain name cache list.
  • the corresponding (mapping) relationship between the domain name and the IP address is recorded in the domain name cache list.
  • the domain name cache list can be preset and updated regularly, or it can be recorded and updated in real time during the process of the user terminal accessing the network.
  • the mapping between the domain name and the IP address of the common website may be stored in the domain name cache list, and the domain name cache list may be updated in real time according to the user's access status.
  • Step B: the satellite end station determines whether the IP address corresponding to the domain name exists in the domain name cache list; if it exists, step C is performed, and if it does not exist, step D is performed.
  • Step C: the satellite end station returns the IP address corresponding to the domain name to the user terminal.
  • Step D: the satellite end station forwards the domain name access request to the Bras server, and the Bras server performs domain name resolution and determines the IP address corresponding to the domain name; after that, the satellite end station returns the IP address returned by the Bras server to the user terminal and records the correspondence between the domain name and the IP address in the domain name cache list for the next use.
  • In this way, the process of the user terminal interacting with the Bras server through the air interface can be omitted, and the Bras server does not need to resolve the domain name, thereby shortening the authentication delay.
  • Step 3: the user terminal sends an IP access request according to the IP address, and the satellite end station forwards the IP access request to the Bras server.
  • Step 4: if the Bras server determines from the IP access request that the user terminal has not passed authentication, it intercepts the IP access request and returns a redirect message to the user terminal through the satellite end station.
  • The Bras server records in advance the IP addresses of user terminals that have passed authentication. After receiving the IP access request forwarded by the satellite end station, the Bras server extracts the source IP address of the IP access request, that is, the IP address of the user terminal, and determines whether that source IP address has passed authentication. If it has, the Bras server determines that the user terminal has passed authentication and releases the IP access request so that the user terminal can access the network and obtain the network resources it requires; if it has not, the Bras server determines that the user terminal has not passed authentication, intercepts the IP access request, and returns a redirect message to the user terminal through the satellite end station.
  • the redirect message is a response message to the IP access request sent by the user terminal, and the redirect message is used to redirect the destination address in the IP access request to another address.
  • the redirect message sent by the Bras server to the user terminal is used to redirect to the Portal server.
  • Step 5: the satellite end station intercepts the redirect message sent by the Bras server to the user terminal; if the satellite end station stores the authentication page, it modifies the redirect message so that it redirects to the satellite end station, and returns the modified redirect message to the user terminal.
  • the satellite end station can pre-cache the authentication page and update it regularly.
  • the authentication page can be a portal login page. This eliminates the step of the user terminal obtaining the authentication page from the Portal server.
  • the satellite end station intercepts the response message redirected to the Portal server.
  • The response message redirected to the Portal server is modified into a response message redirected to the satellite end station, so that the user terminal sends its next message to the redirect address.
  • When the satellite end station intercepts the redirect message, it checks whether the authentication page is cached. If the authentication page is cached, the redirect message is modified so that it redirects to the satellite end station; if the authentication page is not cached, the intercepted redirect message is forwarded to the user terminal unchanged, the user terminal obtains the authentication page from the Portal server through the satellite end station according to the redirect message, and the satellite end station forwards the authentication page returned by the Portal server to the user terminal and stores the authentication page for the next use.
  • The satellite end station can determine whether the redirect message redirects to the Portal server according to whether the Uniform Resource Locator (URL) used for redirection in the redirect message points to the Portal server; if the URL points to the Portal server, the redirect message is determined to be a redirect to the Portal server.
  • That is, the URL is the URL of the Portal server, and the modification of the redirect message consists of replacing the URL of the Portal server with the URL of the satellite end station.
  • Step 6: the satellite end station receives an authentication page acquisition request sent by the user terminal according to the modified redirect message.
  • the modified redirect message is used to redirect to the satellite end station.
  • The user terminal sends a request for obtaining the authentication page to the URL used for redirection in the modified redirect message; since that URL has been modified to the URL of the satellite end station, the authentication page acquisition request is sent to the satellite end station.
  • Step 7: the satellite end station establishes a connection with the Portal server.
  • the connection established between the satellite end station and the Portal server is a HyperText Transfer Protocol (HTTP) connection.
  • The connection can be maintained for a predetermined length of time, for example 60 s. If the satellite end station does not receive the authentication request within the predetermined length of time, it re-establishes the HTTP connection with the Portal server. To save air interface bandwidth, one link can be established per user terminal.
  • Establishing a link between the satellite end station and the Portal server in advance can provide a channel for subsequent authentication in advance, shortening the authentication delay time.
  • Step 8: the satellite end station returns an authentication page to the user terminal according to the authentication request.
  • the cached authentication page is returned to the user terminal.
  • the satellite end station pre-stores the authentication page, which saves the time for the user terminal to obtain the authentication page from the Portal server through the air interface.
  • Step 9: the user terminal sends the authentication information to the satellite end station.
  • the user terminal displays the authentication page, and the user inputs a user name and password in the authentication page.
  • The user terminal collects the user name and password input by the user and sends the collected authentication information to the satellite end station.
  • Step 10: the satellite end station sends the authentication information sent by the user terminal to the Portal server.
  • After receiving the authentication information (the user name, the password, and the IP address of the user terminal) sent by the user terminal, the satellite end station can act as proxy for the user terminal in the authentication.
  • Step 11: the Portal server sends the authentication information to the Bras server.
  • The Portal server sends the authentication information to the Bras server to notify the Bras server that the user terminal corresponding to the authentication information needs to access the network and therefore needs to be authenticated.
  • After receiving the authentication information, the Portal server records the source IP address of the authentication information so that it can return the authentication result to that source IP address once the result is obtained. Since the satellite end station transmits the authentication information to the Portal server as a proxy for the user terminal, the source IP address is the IP address of the satellite end station.
  • Step 12: the Bras server initiates an authentication request to the AAA server based on the authentication information.
  • The authentication information of the user terminal is carried in the authentication request.
  • Step 13: the AAA server authenticates the user terminal according to the authentication request, and returns the authentication result to the Bras server.
  • The AAA server pre-records the authentication information (user name and password) of legitimate users.
  • The AAA server receives the authentication information sent by the Bras server and determines whether the authentication information is legal. If the authentication information is valid, the user terminal passes the authentication; if not, the user terminal fails the authentication.
  • the authentication result may include an IP address of the user terminal and a result of whether the user terminal authentication is passed.
  • Step 14: the Bras server notifies the Portal server of the authentication result.
  • The Bras server stores the IP address of the user terminal together with the authentication result, so that the next time an IP access request is received it can determine from the IP address whether the user terminal has passed authentication; and the Bras server releases the previously intercepted IP access request, so that the user terminal accesses the network and obtains the network resources it requires.
  • Alternatively, the Bras server can discard the previously intercepted IP access request.
  • Step 15: the Portal server sends the authentication result to the satellite end station.
  • The Portal server sends the authentication result to the satellite end station, and the satellite end station disconnects the connection with the Portal server after forwarding the authentication result to the user terminal.
  • Step 16: the satellite end station is responsible for forwarding the authentication result to the user terminal.
  • the satellite end station may re-send the pre-stored authentication page to the user terminal to acquire the authentication information of the user terminal again, and re-proxy the user terminal for authentication.
  • In this embodiment, the message redirected to the Portal server is redirected to the satellite end station instead, and the methods of pre-caching the DNS and the authentication page and establishing the communication link in advance are adopted, which can effectively shorten the authentication delay and the authentication time, improve the authentication efficiency and improve the user experience.
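The satellite end station's role in the FIG. 3 exchange, written out as an added Python simulation that is not code from the patent or its assignee: the Bras, Portal and AAA servers are in-memory stand-ins, and the Portal host name, station address, user records and the 60-second link lifetime are assumed values. The redirect is rewritten only when its URL points at the configured Portal server and the login page is already cached; any other redirect passes through unchanged.

```python
# Added simulation of the FIG. 3 exchange; not the patent's code. Bras, Portal
# and AAA are in-memory stand-ins; every name, address and record is constructed.
from urllib.parse import urlsplit, urlunsplit

PORTAL_HOST = "portal.example.net"   # assumed Portal server host name
STATION_HOST = "10.0.0.1"            # assumed satellite end station address
LINK_KEEPALIVE_SECONDS = 60          # step 7: lifetime of the pre-established link


class AAAServer:  # step 13: holds the legitimate users' credentials
    def __init__(self, users):
        self.users = users

    def authenticate(self, username, password):
        return self.users.get(username) == password


class BrasServer:  # steps 2-4, 12 and 14: name resolution, access control, AAA relay
    def __init__(self, aaa, dns_records):
        self.aaa, self.dns_records = aaa, dns_records
        self.authenticated_ips = set()
        self.resolve_count = 0       # DNS queries that crossed the air interface

    def resolve(self, domain):
        self.resolve_count += 1
        return self.dns_records[domain]

    def handle_ip_request(self, client_ip, dest_ip):
        # Step 4: release authenticated sources, redirect everyone else to the Portal.
        if client_ip in self.authenticated_ips:
            return {"status": 200, "body": "content of " + dest_ip}
        return {"status": 302, "location": "http://%s/login" % PORTAL_HOST}

    def authenticate(self, username, password, client_ip):
        passed = self.aaa.authenticate(username, password)
        if passed:
            self.authenticated_ips.add(client_ip)   # step 14: remember the IP
        return {"ip": client_ip, "passed": passed}


class PortalServer:  # steps 11 and 15: relays credentials to Bras, returns the result
    def __init__(self, bras):
        self.bras = bras
        self.login_page = "<form>username / password</form>"  # constructed page

    def authenticate(self, username, password, client_ip):
        return self.bras.authenticate(username, password, client_ip)


class SatelliteEndStation:
    """The proxy device: DNS cache, redirect rewriting, cached page, proxy auth."""

    def __init__(self, bras, portal, clock):
        self.bras, self.portal, self.clock = bras, portal, clock
        self.dns_cache = {}             # steps A-D: domain -> IP
        self.auth_page = None           # step 5: cached Portal login page
        self.link_opened_at = None      # step 7: when the Portal link was set up
        self.link_setups = 0

    def resolve(self, domain):
        # Steps A-D: answer from the cache list; otherwise ask Bras once and record.
        if domain not in self.dns_cache:
            self.dns_cache[domain] = self.bras.resolve(domain)
        return self.dns_cache[domain]

    def forward_ip_request(self, client_ip, dest_ip):
        # Steps 3-5: forward to Bras, then intercept a redirect on the way back.
        response = self.bras.handle_ip_request(client_ip, dest_ip)
        if response["status"] == 302:
            response = self.rewrite_redirect(response)
        return response

    def rewrite_redirect(self, response):
        # Rewrite only a redirect aimed at the Portal, and only when the page is cached.
        parts = urlsplit(response["location"])
        if parts.hostname != PORTAL_HOST or self.auth_page is None:
            return response
        return dict(response, location=urlunsplit(parts._replace(netloc=STATION_HOST)))

    def open_portal_link(self):
        # Step 7: establish the link, or re-establish it once it has idled past 60 s.
        if (self.link_opened_at is None
                or self.clock() - self.link_opened_at > LINK_KEEPALIVE_SECONDS):
            self.link_opened_at = self.clock()
            self.link_setups += 1

    def get_auth_page(self):
        # Steps 6-8: serve the cached page; fetch and store it on first use.
        self.open_portal_link()
        if self.auth_page is None:
            self.auth_page = self.portal.login_page
        return self.auth_page

    def proxy_authentication(self, username, password, client_ip):
        # Steps 9-16: submit credentials as proxy, forward the result, drop the link.
        self.open_portal_link()
        result = self.portal.authenticate(username, password, client_ip)
        self.link_opened_at = None              # step 15: disconnect after forwarding
        if not result["passed"]:
            result["auth_page"] = self.auth_page  # step 16: offer the page again
        return result
```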
  • the embodiment of the present disclosure also provides an authentication proxy device.
  • the device is arranged on the proxy device side, for example a satellite end station.
  • FIG. 4 is a structural diagram of an authentication proxy device according to an embodiment of the present disclosure.
  • the device includes:
  • the intercepting module 410 is configured to intercept the redirect message sent by the first authentication device to the user terminal.
  • the modification module 420 is configured to modify the redirect message; wherein the address for the redirect in the redirect message is modified to the address of the satellite end station.
  • the transceiver module 430 is configured to send the modified redirect message to the user terminal, and receive the authentication information sent by the user terminal according to the modified redirect message.
  • the proxy module 440 is configured to proxy the user terminal for authentication according to the authentication information.
  • The authentication is AAA authentication.
  • The transceiver module 430 is further configured to: receive a domain name sent by the user terminal; obtain, from a preset domain name cache list, the Internet Protocol (IP) address corresponding to the domain name and return it to the user terminal; and forward the IP access request initiated by the user terminal according to the IP address to the first authentication device, where the first authentication device, when it determines from the IP access request that the user terminal has not passed authentication, sends a redirect message to the user terminal through the satellite end station.
  • The transceiver module 430 may be configured to: receive an authentication page acquisition request sent by the user terminal according to the modified redirect message; return the pre-stored authentication page to the user terminal according to the authentication page acquisition request; and receive the authentication information sent by the user terminal based on the authentication page.
  • The apparatus further includes a connection module (not shown) configured to establish a communication connection between the satellite end station and the second authentication device before authentication is performed on behalf of the user terminal according to the authentication information.
  • The proxy module 440 can be configured to: send the authentication information to the second authentication device so that the second authentication device initiates authentication of the user terminal according to the authentication information; and receive the authentication result returned by the second authentication device and transmit the authentication result to the user terminal.
  • The present disclosure also provides an authentication proxy device provided with the authentication proxy apparatus of any of the above embodiments, which performs proxy services for the user terminal.
  • the authentication proxy device can be a satellite end station or other physical entity.
  • the method according to the above embodiments can be implemented by means of software plus a general hardware platform, and of course, can also be implemented by hardware.
  • The part of the technical solution of the present disclosure that is essential or that contributes over the related art may be embodied in the form of a software product stored in a storage medium (such as ROM/RAM, a magnetic disk or a CD-ROM).
  • The software product includes a number of instructions for causing a terminal device (which may be a mobile phone, a computer, a server, a network device, or the like) to perform the methods described in the various embodiments of the present disclosure.
  • Embodiments of the present disclosure also provide a storage medium.
  • the foregoing storage medium may be configured to store program code for performing the following steps:
  • the redirect message is modified and sent to the user terminal.
  • the address used for redirection in the redirect message is modified to an address of the proxy device.
  • the user terminal is authenticated according to the authentication information.
  • the storage medium may be a transitory computer readable storage medium or a non-transitory computer readable storage medium.
  • The above storage medium may include a USB flash drive (U disk), a read-only memory (ROM), a random access memory (RAM), a removable hard disk, a magnetic disk, an optical disk, or any other medium that can store program code.
  • the processor executes the method steps described in the foregoing embodiments according to the stored program code in the storage medium.
  • The embodiment of the present disclosure further provides a schematic structural diagram of an electronic device in which the processor is used.
  • the electronic device includes:
  • at least one processor 50 (one processor 50 is shown by way of example in FIG. 5) and a memory 51; the electronic device may further include a communication interface 52 and a bus 53.
  • the processor 50, the communication interface 52, and the memory 51 can complete communication with each other through the bus 53.
  • Communication interface 52 can be used for information transmission.
  • Processor 50 can invoke logic instructions in memory 51 to perform the methods of the above-described embodiments.
  • The logic instructions in the memory 51 described above may be implemented in the form of software functional units and, when sold or used as independent products, may be stored in a computer readable storage medium.
  • the memory 51 is used as a computer readable storage medium for storing software programs, computer executable programs, and program instructions/modules corresponding to the methods in the embodiments of the present disclosure.
  • The processor 50 runs functional applications and performs data processing by executing the software programs, instructions and modules stored in the memory 51, that is, it implements the authentication proxy method of the above method embodiments.
  • The memory 51 may include a storage program area and a storage data area, wherein the storage program area may store an operating system and an application required for at least one function, and the storage data area may store data created according to use of the terminal device, and the like. Further, the memory 51 may include a high speed random access memory, and may also include a nonvolatile memory.
  • The technical solution of the embodiments of the present disclosure may be embodied in the form of a software product stored in a storage medium, including one or more instructions for causing a computer device (which may be a personal computer, a server, a network device, or the like) to perform all or part of the steps of the method described in the embodiments of the present disclosure.
  • The foregoing storage medium may be a non-transitory storage medium, including a USB flash drive, a mobile hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, an optical disk, or any other medium that can store program code, or it may be a transient storage medium.
  • The various modules or steps of the present disclosure described above may be implemented by a general-purpose computing device; they may be centralized on a single computing device or distributed over a network of multiple computing devices. Alternatively, they may be implemented as program code executable by a computing device, so that they may be stored in a storage device and executed by the computing device; in some cases the steps shown or described may be performed in an order different from that given herein, or they may be fabricated separately into individual integrated circuit modules, or a plurality of the modules or steps may be fabricated into a single integrated circuit module.
  • the disclosure is not limited to any specific combination of hardware and software.
  • The authentication proxy method, apparatus and device disclosed in the present application reduce the interaction between the user terminal and the first authentication device and the second authentication device, effectively reduce the authentication delay, shorten the authentication time, improve the authentication efficiency, and improve the user experience.

Abstract

Disclosed in the present application are an authentication proxy method, apparatus and device. The method comprises: intercepting a redirection message sent by a first authentication device to a user terminal; modifying the redirection message and sending the modified redirection message to the user terminal, an address used for redirection in the redirection message being modified into an address of a proxy device; receiving authentication information sent by the user terminal according to the modified redirection message; and performing, according to the authentication information, authentication in a manner of acting as a proxy of the user terminal. In the present application, a redirection message is modified to be redirected to a proxy device, and the proxy device is used as a proxy of the user terminal and is responsible for authenticating the user terminal in a manner of acting as the proxy of the user terminal, and accordingly interactions between a first authentication device and a second authentication device are reduced, thereby effectively reducing authentication delay, shortening authentication time, improving the authentication efficiency, and improving user experience.

Description

Authentication proxy method, apparatus and device

Technical field

The present application relates to the field of authentication technology, for example to an authentication proxy method, apparatus and device.

Background

AAA authentication is used to provide security services. AAA authentication includes authentication, authorization and accounting. Authentication verifies the identity of the user and determines whether the user is a legitimate user; authorization determines which network services an authenticated user may use; accounting records the resources a user consumes when using network services, and this information serves as the basis for charging.

At present, if the user is in a remote area, for example at sea, in a desert or in a forest, the authentication interaction between the user's terminal and a distant authentication server suffers from a large authentication delay; if the user is in a remote area with no base station signal, the user terminal performs the authentication interaction with the distant authentication server through a satellite communication system, and the authentication delay is even greater. If the user terminal needs to complete AAA authentication through the satellite communication system before accessing the network, the satellite can serve as a relay station that forwards the authentication interaction messages: the authentication interaction messages between the user terminal and the AAA authentication server are transmitted over the satellite link, and during the whole authentication process they pass transparently through the satellite end station several times. Because the inherent transmission delay of the satellite link is large, this results in a large authentication delay, a long authentication time and a poor user experience.
Summary

The present disclosure provides an authentication proxy method, apparatus and device to solve the problem of large authentication delay when the related art performs remote authentication.

The present disclosure provides an authentication proxy method, including: intercepting a redirect message sent by a first authentication device to a user terminal; modifying the redirect message and sending it to the user terminal, wherein the address used for redirection in the redirect message is modified to the address of a proxy device; receiving authentication information sent by the user terminal according to the modified redirect message; and performing authentication on behalf of the user terminal according to the authentication information.

Intercepting the redirect message sent by the first authentication device to the user terminal further includes: receiving a domain name sent by the user terminal; obtaining, from a preset domain name cache list, the Internet Protocol (IP) address corresponding to the domain name and returning it to the user terminal; and forwarding the IP access request that the user terminal initiates according to the IP address to the first authentication device, wherein the first authentication device, when it determines from the IP access request that the user terminal has not passed authentication, sends a redirect message to the user terminal through the proxy device.

Receiving the authentication information sent by the user terminal according to the modified redirect message includes: receiving an authentication page acquisition request sent by the user terminal according to the modified redirect message; returning a pre-stored authentication page to the user terminal according to the authentication page acquisition request; and receiving the authentication information sent by the user terminal based on the authentication page.

Before performing authentication on behalf of the user terminal according to the authentication information, the method further includes establishing a communication connection between the proxy device and a second authentication device.

Performing authentication on behalf of the user terminal according to the authentication information includes: sending the authentication information to the second authentication device so that the second authentication device initiates authentication of the user terminal according to the authentication information; and receiving the authentication result returned by the second authentication device and sending the authentication result to the user terminal.
The present disclosure also provides an authentication proxy apparatus, including: an intercepting module configured to intercept a redirect message sent by a first authentication device to a user terminal; a modification module configured to modify the redirect message, wherein the address used for redirection in the redirect message is modified to the address of a proxy device; a transceiver module configured to send the modified redirect message to the user terminal and to receive the authentication information sent by the user terminal according to the modified redirect message; and a proxy module configured to perform authentication on behalf of the user terminal according to the authentication information.

The transceiver module is further configured to: receive a domain name sent by the user terminal; obtain, from a preset domain name cache list, the Internet Protocol (IP) address corresponding to the domain name and return it to the user terminal; and forward the IP access request that the user terminal initiates according to the IP address to the first authentication device, wherein the first authentication device, when it determines from the IP access request that the user terminal has not passed authentication, sends a redirect message to the user terminal through the proxy device.

The transceiver module may be configured to: receive an authentication page acquisition request sent by the user terminal according to the modified redirect message; return a pre-stored authentication page to the user terminal according to the authentication page acquisition request; and receive the authentication information sent by the user terminal based on the authentication page.

The apparatus further includes a connection module configured to establish a communication connection between the proxy device and the second authentication device before authentication is performed on behalf of the user terminal according to the authentication information.

The proxy module may be configured to: send the authentication information to the second authentication device so that the second authentication device initiates authentication of the user terminal according to the authentication information; and receive the authentication result returned by the second authentication device and send the authentication result to the user terminal.

The present disclosure also provides an authentication proxy device, characterized in that the above authentication proxy apparatus is provided in the authentication proxy device.

Embodiments of the present disclosure also provide a computer readable storage medium storing computer executable instructions, the computer executable instructions being arranged to perform the above method.

Embodiments of the present disclosure further provide an electronic device, including:
at least one processor; and
a memory communicatively connected to the at least one processor, wherein
the memory stores instructions executable by the at least one processor, and the instructions are executed by the at least one processor to cause the at least one processor to perform the method described above.

The present disclosure modifies the redirect message so that it redirects to the proxy device; the proxy device acts as the proxy of the user terminal and is responsible for authenticating on the user terminal's behalf, which reduces the interaction between the user terminal and the first and second authentication devices, effectively reduces the authentication delay, shortens the authentication time, improves the authentication efficiency and improves the user experience.
Brief description of the drawings

FIG. 1 is a flowchart of an authentication proxy method according to an embodiment of the present disclosure;
FIG. 2 is a flowchart of an authentication proxy method based on a satellite communication system according to an embodiment of the present disclosure;
FIG. 3 is a timing diagram of an authentication proxy method based on a satellite communication system according to an embodiment of the present disclosure;
FIG. 4 is a structural diagram of an authentication proxy apparatus according to an embodiment of the present disclosure; and
FIG. 5 is a schematic structural diagram of an electronic device according to an embodiment of the present disclosure.
Detailed Description
In the present disclosure, the redirect message sent by the first authentication device to the user terminal is intercepted; the redirect message is modified and sent on to the user terminal, the modification being that the address used for redirection in the message is replaced with the address of the proxy device; the authentication information that the user terminal sends according to the modified redirect message is received; and authentication is performed on behalf of the user terminal according to that information. By changing a message that redirects to the second authentication device into one that redirects to the proxy itself, the disclosure reduces the interaction between the user terminal and the first and second authentication devices, shortens the authentication duration, improves authentication efficiency and improves the user experience.
Intercepting the redirect message sent by the first authentication device to the user terminal further includes: receiving a domain name sent by the user terminal; obtaining, from a preset domain name cache list, the Internet Protocol (IP) address corresponding to the domain name and returning it to the user terminal; and forwarding the IP access request that the user terminal then initiates towards that IP address to the first authentication device. When the first authentication device determines from the IP access request that the user terminal has not been authenticated, it sends the redirect message to the user terminal through the proxy device. Because the domain name cache list is set up in advance, the domain name need not be sent to the first authentication device for resolution, which reduces the authentication delay and improves authentication efficiency.
Receiving the authentication information that the user terminal sends according to the modified redirect message includes: receiving an authentication page acquisition request sent by the user terminal according to the modified redirect message; returning a pre-stored authentication page to the user terminal in response to that request; and receiving the authentication information that the user terminal sends on the basis of the authentication page. Pre-storing the authentication page saves the user terminal from fetching it from the second authentication device, which improves authentication efficiency and shortens the authentication time.
Before authenticating on behalf of the user terminal according to the authentication information, the method further includes establishing a communication connection between the proxy device and the second authentication device. Establishing the connection in advance shortens the delay in sending the authentication messages and thus the authentication time.
Authenticating on behalf of the user terminal according to the authentication information includes: sending the authentication information to the second authentication device, so that the second authentication device initiates authentication of the user terminal according to it; receiving the authentication result returned by the second authentication device; and sending the authentication result to the user terminal.
In the present disclosure the proxy device performs authentication on behalf of the user terminal: it changes the message that would redirect to the second authentication device into one that redirects to the proxy itself, and it pre-caches DNS entries and the authentication page, which reduces the interaction between the user terminal and the first and second authentication devices; it also establishes the communication link in advance, which shortens the authentication delay. This embodiment therefore shortens the authentication duration, improves authentication efficiency and improves the user experience.
The present disclosure is described in detail below with reference to the accompanying drawings and embodiments. The embodiments described here only illustrate the disclosure and do not limit it.
Embodiment 1
This embodiment provides an authentication proxy method; FIG. 1 is the flowchart of the authentication proxy method according to the first embodiment of the present disclosure. The executing entity of this embodiment is the proxy device.
Step S110: intercept the redirect message sent by the first authentication device to the user terminal.
The redirect message is the first authentication device's reply to the IP access request, sent once it has determined from that request that the user terminal has not been authenticated. The redirect message redirects the IP access request to the second authentication device so that the second authentication device initiates an authentication request towards the user terminal.
The first authentication device may provide services such as domain name resolution and broadband access; it may be a Broadband Remote Access Server (Bras).
The second authentication device provides the user authentication service; it may be a Portal server. The first and second authentication devices may be two separate devices or may be combined into one.
The proxy device receives the domain name sent by the user terminal; obtains, from the preset domain name cache list, the Internet Protocol (IP) address corresponding to that domain name and returns it to the user terminal; and forwards the IP access request that the user terminal then initiates towards that IP address to the first authentication device. When the first authentication device determines from the IP access request that the user terminal has not been authenticated, it sends the redirect message to the user terminal through the proxy device.
The domain name cache list records the correspondence between domain names and IP addresses. It is pre-stored in the proxy device and updated in real time or periodically.
With a preset domain name cache list the proxy device acts as the user terminal's domain name proxy, so the terminal need not reach the distant first authentication device for name resolution; this reduces the authentication delay and improves authentication efficiency.
Step S120: modify the redirect message and send it to the user terminal, replacing the address used for redirection in the message with the address of the proxy device.
In the redirect message as received, the address used for redirection is the address of the second authentication device. Replacing it with the address of the proxy device turns a redirect to the second authentication device into a redirect to the proxy device.
Replacing the second authentication device's address in the redirect message with the proxy device's address makes the proxy device the user terminal's proxy: messages the user terminal would otherwise send to the first and second authentication devices are sent to the proxy device for handling instead, which reduces the interaction between the user terminal and the first and second authentication devices.
Step S130: receive the authentication information that the user terminal sends according to the modified redirect message.
Because the second authentication device's address in the redirect message has been replaced with the proxy device's address, the user terminal sends the authentication information it would otherwise have sent to the second authentication device to the proxy device, which receives it.
Specifically: receive the authentication page acquisition request that the user terminal sends according to the modified redirect message; return the pre-stored authentication page to the user terminal in response to that request; and receive the authentication information that the user terminal sends on the basis of the authentication page.
The authentication page acquisition request fetches the authentication page through which the authentication information is submitted. Since the redirection address in the modified redirect message is the proxy device's address, the user terminal sends this request to the proxy device.
The authentication information includes the user name, the password and the IP address of the user terminal.
The user terminal displays the authentication page, into which the user name and password are entered; the message carrying the user name and password to the proxy device also carries the user terminal's IP address, and the proxy device treats the user name, password and IP address together as the authentication information.
The authentication page is pre-stored in the proxy device and updated in real time or periodically, so the user terminal need not fetch it from the second authentication device; this improves authentication efficiency and shortens the authentication time.
Step S140: authenticate on behalf of the user terminal according to the authentication information.
AAA authentication is performed on behalf of the user terminal according to the authentication information: the authentication information is sent to the second authentication device, so that it initiates authentication of the user terminal according to that information; the authentication result returned by the second authentication device is received and sent to the user terminal.
In this embodiment, a communication connection may be established between the proxy device and the second authentication device before authentication is performed on behalf of the user terminal; the authentication information is then sent to the second authentication device over this connection, the second authentication device initiates authentication of the user terminal according to it, and the proxy device receives the returned authentication result and sends it to the user terminal. Establishing the connection in advance shortens the delay in sending the authentication messages, shortens the authentication time and improves the user experience.
In this embodiment the proxy device performs authentication on behalf of the user terminal: it changes the message that would redirect to the second authentication device into one that redirects to itself and pre-caches DNS entries and the authentication page, which reduces the interaction between the user terminal and the first and second authentication devices; it also establishes the communication link in advance, which shortens the authentication delay. This embodiment therefore shortens the authentication duration, improves authentication efficiency and improves the user experience.
Embodiment 2
In a satellite communication system the satellite end station, the ground station of the communication satellite, is configured to transparently forward the authentication messages exchanged between the user terminal on one side and the Bras server and Portal server on the other. The user terminal accesses the network via the satellite end station; the Bras server intercepts the terminal's Internet access request and determines whether the terminal has passed AAA authentication. If it has, the request is let through; otherwise the Bras server sends the terminal a message redirecting it to the Portal server, the terminal fetches the authentication page from the Portal server and submits its authentication information to the Portal server on the basis of that page, the Portal server, the Bras server and the AAA authentication server together complete the AAA authentication of the terminal, and the Portal server returns the authentication result to the terminal.
In this process the Internet access request, the redirect message, the fetching and return of the authentication page, the authentication information and the authentication result are all transparently forwarded by the satellite end station. The inherent propagation delay of the satellite link makes the authentication delay and the authentication time large. Making the satellite end station the proxy device effectively lowers the authentication delay, shortens the authentication time, improves authentication efficiency and improves the user experience.
This embodiment provides an authentication proxy method based on a satellite communication system.
In this embodiment the proxy device is the satellite end station, which is therefore the executing entity of the method. The first authentication device is the Bras server and the second authentication device is the Portal server.
The satellite link comprises the communication satellite, a first ground station and a second ground station. The satellite end station of this embodiment is the first ground station, the one closest to the user terminal; the communication satellite and the second ground station forward or transparently pass the traffic. Messages between the satellite end station and the Bras server or Portal server traverse the communication satellite and the second ground station; for clarity, these forwarding elements are not shown in this embodiment.
FIG. 2 is a flowchart of the authentication proxy method based on satellite communication according to an embodiment of the present disclosure.
Step S210: intercept the redirect message sent by the Bras server to the user terminal.
After forwarding the IP access request from the user terminal to the Bras server, the satellite end station intercepts the redirect message that the Bras server sends to the user terminal.
The redirect message is the Bras server's reply to the IP access request, sent once it has determined from that request that the user terminal has not been authenticated.
The redirect message redirects the IP access request to the Portal server so that the Portal server initiates an authentication request towards the user terminal. The redirect message from the Bras server can only reach the user terminal by passing through the satellite end station, which is therefore able to intercept it.
The satellite end station receives the domain name sent by the user terminal; obtains, from the preset domain name cache list, the IP address mapped to that domain name and returns it to the user terminal; receives the IP access request that the user terminal then initiates towards that IP address; and forwards it to the Bras server. When the Bras server determines from the IP access request that the user terminal has not been authenticated, it sends a redirect message to the user terminal through the satellite end station; this message redirects to the Portal server.
The domain name cache list records the correspondence between domain names and IP addresses. It is pre-stored in the satellite end station and updated in real time or periodically.
A preset domain name cache list in the satellite end station avoids sending the domain name over the satellite link to the Bras server for resolution, which reduces the authentication delay and improves authentication efficiency. The user terminal can then proceed directly to IP access, and the satellite end station receives the IP access request it sends.
Step S220: modify the redirect message and send it to the user terminal, so that it redirects to the satellite end station.
In the redirect message as received, the address used for redirection is the address of the Portal server. Replacing it with the address of the satellite end station turns the redirect to the Portal server into a redirect to the satellite end station.
Modifying the redirect message makes the satellite end station the user terminal's proxy: messages the user terminal would otherwise send to the Bras server and Portal server are sent to the satellite end station for handling instead, which reduces the interaction between the user terminal and the Bras server and Portal server.
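As an added illustration of steps S210 and S220 (and of the Bras server's source-IP check described under step 4 of Embodiment 3 below), the following Python script, which is not part of the disclosure, models both sides of the redirect: a Bras that lets a request through when its source IP is on the authenticated list and otherwise answers with a 302 to the Portal server, and the proxy (satellite end station) that rewrites only the host part of a Location header pointing at the Portal server, keeping scheme, path and query so the Portal can still learn the originally requested URL. The addresses, the `url=` query parameter and the request contents are constructed assumptions. Such in-path rewriting requires that the redirect be visible to the proxy, that is, that the exchange between terminal and Bras is plaintext HTTP.

```python
"""Bras decision and proxy-side rewrite of the redirect message (steps S110/S120, S210/S220).
Added example; addresses and the 'url' query parameter are assumptions, not from the disclosure."""
from urllib.parse import parse_qs, quote, urlsplit, urlunsplit

PORTAL_URL = "http://198.51.100.5:8080/portal/login"  # second authentication device (assumed)
PORTAL_HOST = "198.51.100.5"
PROXY_HOST = "192.0.2.1"                              # proxy device / satellite end station (assumed)
PROXY_PORT = 8080
REDIRECT_STATUSES = {b"301", b"302", b"303", b"307", b"308"}


def parse_request(request: bytes):
    """Return (method, target, headers) from the head of a raw HTTP/1.1 request."""
    head = request.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return method, target, headers


def bras_handle_request(request: bytes, client_ip: str, authenticated_ips) -> bytes:
    """First authentication device: a terminal whose source IP is on record as authenticated
    is let through; any other terminal is answered with a redirect to the Portal server.
    The originally requested URL is carried in a query parameter (parameter name assumed)."""
    if client_ip in authenticated_ips:
        return b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"
    _method, target, headers = parse_request(request)
    original_url = "http://" + headers.get("host", "") + target
    location = PORTAL_URL + "?url=" + quote(original_url, safe="")
    return ("HTTP/1.1 302 Found\r\n"
            f"Location: {location}\r\n"
            "Content-Length: 0\r\n\r\n").encode("latin-1")


def rewrite_redirect(response: bytes, portal_host: str = PORTAL_HOST,
                     proxy_host: str = PROXY_HOST, proxy_port: int = PROXY_PORT):
    """Proxy device: if the response is a redirect whose Location points at the Portal server,
    replace the host part with the proxy's own address, keeping scheme, path and query.
    Returns (response to forward, whether it was modified)."""
    head, sep, body = response.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    status = lines[0].split(b" ")
    if len(status) < 2 or status[1] not in REDIRECT_STATUSES:
        return response, False                     # not a redirect: forward untouched
    changed = False
    out = [lines[0]]
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"location":
            url = urlsplit(value.strip().decode("latin-1"))
            if url.hostname == portal_host:         # only redirects to the second authentication device
                url = url._replace(netloc=f"{proxy_host}:{proxy_port}")
                line = b"Location: " + urlunsplit(url).encode("latin-1")
                changed = True
        out.append(line)
    return b"\r\n".join(out) + sep + body, changed


def location_of(response: bytes) -> str:
    """The Location header value of a response, or '' if there is none."""
    head = response.partition(b"\r\n\r\n")[0].decode("latin-1")
    for line in head.split("\r\n")[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "location":
            return value.strip()
    return ""


def original_url_of(location: str) -> str:
    """The URL the terminal originally asked for, recovered from the Location query string."""
    return parse_qs(urlsplit(location).query).get("url", [""])[0]


if __name__ == "__main__":
    # Constructed request from an unauthenticated terminal at 10.0.0.7 (assumed address).
    req = b"GET / HTTP/1.1\r\nHost: 203.0.113.10\r\n\r\n"
    reply = bras_handle_request(req, "10.0.0.7", authenticated_ips={"10.0.0.9"})
    print("Bras  :", location_of(reply))
    forwarded, changed = rewrite_redirect(reply)
    print("Proxy :", location_of(forwarded), "modified" if changed else "unchanged")
```

Responses with a non-redirect status, or whose Location points anywhere other than the Portal server, are forwarded unchanged, so redirects issued by ordinary web sites after authentication are not captured by the proxy.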
Step S230: receive the authentication information that the user terminal sends according to the modified redirect message.
Because the redirect message has been modified, the user terminal sends the authentication information it would otherwise have sent to the Portal server to the satellite end station, which receives it.
The satellite end station receives the authentication page acquisition request that the user terminal sends according to the modified redirect message; returns the pre-stored authentication page to the user terminal in response; and receives the authentication information that the user terminal sends on the basis of that page. The authentication page is, for example, a Portal login page, which collects the user name and password entered by the user.
The authentication page is pre-stored in the satellite end station and updated in real time or periodically, so the user terminal need not fetch it from the Portal server over the satellite link; this improves authentication efficiency and shortens the authentication time.
Step S240: authenticate on behalf of the user terminal according to the authentication information.
Once the satellite end station holds the user terminal's authentication information it can use it to perform AAA authentication on the terminal's behalf: it sends the authentication information to the Portal server for the terminal and receives the authentication result that the Portal server returns.
In this embodiment, before authentication is performed on behalf of the user terminal, a communication connection is established between the satellite end station and the Portal server to form the communication link used for authentication; the received authentication information is sent to the Portal server over this connection, so that the Portal server initiates authentication of the user terminal according to it.
The satellite end station may establish the connection with the Portal server after modifying the redirect message and before receiving the authentication information, for example at the moment it receives the authentication page acquisition request or while it is returning the authentication page to the user terminal. Establishing the connection in advance shortens the delay in sending the messages, shortens the authentication time and improves the user experience.
When the communication connection is established, the satellite end station (the first ground station) requests a connection with the Portal server; in the resulting physical communication link the first ground station, the communication satellite, the second ground station and the Portal server are connected in sequence.
After the Portal server initiates the authentication request towards the user terminal, the Portal server, the Bras server and the AAA server carry out the AAA authentication of the terminal, and the Portal server returns the authentication result to the satellite end station. The satellite end station receives the authentication result from the Portal server and sends it to the user terminal.
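An added example, not from the disclosure, of the proxy-side flow of steps S230 and S240 (and of the corresponding steps S130 and S140 of Embodiment 1): the proxy serves its pre-stored login page, opens the link to the Portal server at that moment so it is ready when the credentials arrive, builds the authentication information from the user name, the password and the terminal's IP address, relays it over the prepared link and returns the result. The Portal server, with the Bras and AAA functions folded into it, is a constructed stand-in; the accounts, page and addresses are test data. One check a practitioner would want is shown: the proxy takes the terminal's IP address from the transport peer address rather than from any field the terminal submits, since that address is what the Bras subsequently lets through.

```python
"""Proxy-side authentication flow: cached login page, pre-established Portal link, result relay.
Added example; the Portal/Bras/AAA stand-in, accounts and addresses are constructed."""
import hashlib
import hmac
import secrets
from typing import Dict, Optional

LOGIN_PAGE = ("<html><body><form method='post' action='/login'>"
              "<input name='username'><input name='password' type='password'>"
              "<button>Login</button></form></body></html>")  # constructed stand-in page


class PortalServer:
    """Stand-in for the Portal server together with the Bras and AAA servers behind it.
    Keeps only salted password hashes; records which source IPs the Bras now lets through."""

    def __init__(self, users: Dict[str, str]):
        self._creds = {}
        for name, password in users.items():
            salt = secrets.token_bytes(16)
            self._creds[name] = (salt, self._digest(password, salt))
        self.bras_authenticated_ips = set()
        self.connections_opened = 0
        self.login_page = LOGIN_PAGE

    @staticmethod
    def _digest(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 20_000)

    def open_connection(self) -> "PortalLink":
        self.connections_opened += 1
        return PortalLink(self)

    def authenticate(self, username: str, password: str, user_ip: str) -> dict:
        rec = self._creds.get(username)
        if rec is None:
            return {"result": "fail"}
        salt, digest = rec
        if not hmac.compare_digest(self._digest(password, salt), digest):
            return {"result": "fail"}
        self.bras_authenticated_ips.add(user_ip)   # the Bras will now pass this source IP
        return {"result": "success", "user_ip": user_ip}


class PortalLink:
    """One connection from the proxy to the Portal server (the satellite hops are not modelled)."""

    def __init__(self, portal: PortalServer):
        self._portal = portal
        self.closed = False

    def fetch_login_page(self) -> str:
        return self._portal.login_page

    def send_auth(self, info: dict) -> dict:
        if self.closed:
            raise RuntimeError("link closed")
        return self._portal.authenticate(info["username"], info["password"], info["user_ip"])

    def close(self) -> None:
        self.closed = True


class AuthProxy:
    """Proxy device (satellite end station) acting on behalf of the user terminal."""

    def __init__(self, portal: PortalServer):
        self._portal = portal
        self._cached_page: Optional[str] = None
        self._pending: Dict[str, PortalLink] = {}   # links opened ahead of time, keyed by terminal IP
        self.refresh_page()

    def refresh_page(self) -> None:
        """Pre-store the authentication page; run at start-up and then periodically."""
        link = self._portal.open_connection()
        try:
            self._cached_page = link.fetch_login_page()
        finally:
            link.close()

    def handle_page_request(self, peer_ip: str) -> str:
        """The terminal followed the rewritten redirect: serve the cached page and, at the same
        moment, open the link to the Portal so it is ready when the credentials arrive."""
        if peer_ip not in self._pending:
            self._pending[peer_ip] = self._portal.open_connection()
        return self._cached_page

    def handle_login(self, form: Dict[str, str], peer_ip: str) -> dict:
        """The terminal submitted the form: assemble the authentication information and relay it.
        The terminal's IP comes from the transport peer address, never from a form field."""
        info = {"username": form.get("username", ""),
                "password": form.get("password", ""),
                "user_ip": peer_ip}
        link = self._pending.pop(peer_ip, None) or self._portal.open_connection()
        try:
            return link.send_auth(info)            # result is passed back to the terminal as-is
        finally:
            link.close()


if __name__ == "__main__":
    portal = PortalServer({"alice": "correct horse battery staple"})   # constructed account
    proxy = AuthProxy(portal)
    proxy.handle_page_request("10.0.0.7")
    print(proxy.handle_login({"username": "alice", "password": "correct horse battery staple"}, "10.0.0.7"))
    print(proxy.handle_login({"username": "alice", "password": "wrong"}, "10.0.0.8"))
```

The link opened while the page is served is consumed by the matching credential submission, so the credential round trip costs no extra connection set-up; a submission that arrives without a prepared link simply opens one on demand.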
在本实施例中由卫星端站负责代理用户终端的AAA认证,卫星端站将重定向到Portal服务器的消息改为重定向到本端并且采用预先缓存DNS和认证页面方式,减少了用户终端和Bras服务器以及Portal服务器之间的交互,卫星端站还采用提前建立通信链路的方式,有效缩短了认证延时。因此,通过本实施例可以有效缩短认证时长,提高了认证效率,提升用户体验。In this embodiment, the satellite end station is responsible for the AAA authentication of the proxy user terminal, and the satellite end station redirects the message redirected to the Portal server to the local end and uses the pre-cached DNS and authentication page mode to reduce the user terminal and The interaction between the Bras server and the Portal server, the satellite end station also uses the way to establish a communication link in advance, which effectively shortens the authentication delay. Therefore, the present embodiment can effectively shorten the authentication duration, improve the authentication efficiency, and improve the user experience.
实施例三Embodiment 3
为了使本公开更加清楚,下面基于图3对本公开进行描述。由于距离用户终端较远的地面站(第二地面站)和通信卫星在卫星链路中起到转发信息的作用,故在图3中不作体现。In order to make the disclosure clearer, the present disclosure will be described below based on FIG. Since the ground station (the second ground station) and the communication satellite which are far from the user terminal function to forward information in the satellite link, they are not shown in FIG.
图3是根据本公开一实施例的基于卫星通信的认证代理方法的时序图。3 is a timing diagram of a satellite communication based authentication proxy method in accordance with an embodiment of the present disclosure.
步骤1,卫星端站接收用户终端发送的域名访问请求。In step 1, the satellite end station receives the domain name access request sent by the user terminal.
卫星端站是指卫星链路中距离用户终端最近的地面站。A satellite end station is the ground station in the satellite link that is closest to the user terminal.
在域名访问请求中携带有用户终端请求访问的域名。用户可以利用用户终端的浏览器访问某个网站,比如在浏览器中输入www.sina.com,从而发起对域名www.sina.com的访问。The domain name access request carries the domain name requested by the user terminal. Users can use the browser of the user terminal to access a website, such as entering www.sina.com in a browser to initiate access to the domain name www.sina.com.
步骤2,卫星端站将域名对应的IP地址返回给用户终端。In step 2, the satellite end station returns the IP address corresponding to the domain name to the user terminal.
卫星端站将用户终端请求访问的域名所对应的IP地址返回给用户终端。The satellite end station returns the IP address corresponding to the domain name requested by the user terminal to the user terminal.
A domain name access request sent by the user terminal first reaches the satellite end station and is then sent over the satellite link to the BRAS server. In this embodiment, the satellite end station intercepts the domain name access request and filters the domain name the user terminal wants to access: if the satellite end station has already stored the IP address corresponding to that domain name, it returns the IP address to the user terminal directly; if it has not, it forwards the domain name access request to the BRAS server and forwards the IP address returned by the BRAS server to the user terminal. The steps are as follows:
Step A: the satellite end station looks up the domain name carried in the domain name access request in a preset domain name cache list.
The domain name cache list records the correspondence (mapping) between domain names and IP addresses.
The domain name cache list may be preset and updated periodically, or it may be recorded and updated in real time while the user terminal accesses the network. For example, the mappings between the domain names and IP addresses of commonly used websites may be stored in the domain name cache list, and the list may then be updated in real time according to the user's access pattern.
Step B: the satellite end station determines whether the domain name cache list contains an IP address corresponding to the domain name; if it does, step C is performed; if it does not, step D is performed.
Step C: the satellite end station returns the IP address corresponding to the domain name to the user terminal.
Step D: the satellite end station forwards the domain name access request to the BRAS server, which performs domain name resolution and determines the IP address corresponding to the domain name; the satellite end station then returns the IP address received from the BRAS server to the user terminal and records the mapping between the domain name and that IP address in the domain name cache list for subsequent use.
In this process, if the mapping between the domain name and the IP address already exists in the domain name cache list, the interaction between the user terminal and the BRAS server over the air interface is omitted and the BRAS server does not need to resolve the domain name, which shortens the authentication delay.
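Steps A to D above as an added example (not code from the patent): a domain name cache list with miss-through to the BRAS resolver. Entry expiry by a TTL, case-folding of names and modelling the BRAS resolver as a callable are assumptions of this example; the text only says the list is preset and updated periodically or learned from traffic. The counter of upstream queries makes the saving described above measurable: a hit costs no satellite round trip.

```python
"""Domain name cache at the satellite end station (steps A-D).

Added example, not code from the patent. Assumptions not in the text:
entries expire after a TTL, names are case-folded, and the BRAS
resolver is modelled as a callable.
"""
import time
from typing import Callable, Dict, Optional, Tuple

# domain -> IP address, or None when the upstream cannot resolve it
Resolver = Callable[[str], Optional[str]]


class DomainCache:
    """Preset domain name cache list with miss-through to the BRAS resolver."""

    def __init__(self, resolve_upstream: Resolver, ttl_seconds: float = 300.0,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self._upstream = resolve_upstream
        self._ttl = ttl_seconds
        self._clock = clock
        self._entries: Dict[str, Tuple[str, float]] = {}  # domain -> (ip, expiry)
        self.upstream_queries = 0  # round trips that crossed the satellite link

    @staticmethod
    def _normalize(domain: str) -> str:
        # DNS names are case-insensitive; "Example.COM." and "example.com" are one key.
        return domain.rstrip(".").lower()

    def preset(self, domain: str, ip: str) -> None:
        """Pre-populate an entry (the text's 'commonly used websites')."""
        self._entries[self._normalize(domain)] = (ip, self._clock() + self._ttl)

    def lookup(self, domain: str) -> Optional[str]:
        """Steps A-D: answer from the list, otherwise ask the BRAS and learn the answer."""
        key = self._normalize(domain)
        now = self._clock()
        hit = self._entries.get(key)
        if hit is not None and hit[1] > now:
            return hit[0]                     # step C: hit, no air-interface round trip
        if hit is not None:
            del self._entries[key]            # expired entry is treated as a miss
        self.upstream_queries += 1            # step D: one satellite round trip
        ip = self._upstream(key)
        if ip is not None:
            # Only answers to the end station's own upstream query are written
            # into the list; nothing the user terminal sends is ever cached.
            self._entries[key] = (ip, now + self._ttl)
        return ip
```

Only answers returned by the upstream resolver to the end station's own query are written into the list. Accepting mappings from the user terminal would let one client poison answers for every other client behind the same end station, which is why the learning path in step D runs on the BRAS response and not on the request.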
Step 3: the user terminal sends an IP access request to that IP address, and the satellite end station forwards the IP access request to the BRAS server.
Step 4: if the BRAS server determines from the IP access request that the user terminal has not been authenticated, it intercepts the IP access request and returns a redirect message to the user terminal through the satellite end station.
The BRAS server records in advance the IP addresses of user terminals that have passed authentication. After receiving an IP access request forwarded by the satellite end station, the BRAS server extracts the source IP address of the request, i.e. the IP address of the user terminal, and checks whether that source IP address has been authenticated. If it has, the BRAS server determines that the user terminal is authenticated and releases the IP access request, so that the user terminal can access the network and obtain the network resources it needs. If it has not, the BRAS server determines that the user terminal is unauthenticated, intercepts the IP access request, and returns a redirect message to the user terminal through the satellite end station.
The redirect message is a response to the IP access request sent by the user terminal; it redirects the destination address of the IP access request to another address. In this embodiment, the redirect message sent by the BRAS server to the user terminal redirects to the Portal server.
Step 5: the satellite end station intercepts the redirect message sent by the BRAS server to the user terminal; if the satellite end station has the authentication page stored, it modifies the redirect message so that it redirects to the satellite end station and returns the modified redirect message to the user terminal.
The satellite end station may cache the authentication page in advance and refresh it periodically. The authentication page may be the Portal login page. This saves the user terminal the step of fetching the authentication page from the Portal server.
The satellite end station intercepts the response message that redirects to the Portal server and, if it has the authentication page stored, modifies it into a response message that redirects to the satellite end station, so that the user terminal sends its next message to the redirected address.
The redirect message sent by the BRAS server to the user terminal redirects to the Portal server. After intercepting it, the satellite end station checks whether it has the authentication page cached. If it does, it modifies the address used for redirection in the redirect message so that the message redirects to the satellite end station. If it does not, it forwards the intercepted redirect message to the user terminal unchanged; the user terminal then follows the redirect to the Portal server through the satellite end station and obtains the authentication page from the Portal server, and the satellite end station forwards the authentication page returned by the Portal server to the user terminal and stores it for subsequent use.
The satellite end station can determine whether a redirect message redirects to the Portal server by checking whether the Uniform Resource Locator (URL) used for redirection in the message points to the Portal server; if the URL points to the Portal server, the message is determined to redirect to the Portal. In the redirect message sent by the BRAS server to the user terminal, this URL is the URL of the Portal server; replacing the Portal server's URL with the URL of the satellite end station completes the modification of the redirect message.
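Step 5 at the message level, as an added example that is not part of the patent: parsing an HTTP redirect returned by the BRAS, deciding whether its Location URL points at the Portal server, and replacing scheme and host with the end station's. The response layout, the Portal host portal.example.com and the end station address http://10.0.0.1 are assumed for the example. The host is compared as a parsed, complete hostname so that a URL whose host merely contains the Portal name is left alone, and the query string is kept because the Portal side usually depends on whatever the BRAS placed there (an assumption about typical deployments; the text only says the URL is replaced).

```python
"""Rewrite a BRAS redirect so the user terminal fetches the login page from the
satellite end station (step 5).

Added example, not the patent's code. Assumed, not from the text: the redirect
is an HTTP/1.1 3xx response with a Location header, the Portal host is
portal.example.com and the end station is reachable at http://10.0.0.1.
"""
from urllib.parse import urlsplit, urlunsplit

PORTAL_HOST = "portal.example.com"      # assumed Portal server host
END_STATION_BASE = "http://10.0.0.1"    # assumed satellite end station URL
REDIRECT_CODES = (b"301", b"302", b"303", b"307", b"308")


def points_at_portal(location: str, portal_host: str = PORTAL_HOST) -> bool:
    """True only when the Location host is exactly the Portal host.

    A substring test would also match "portal.example.com.attacker.net";
    comparing the parsed hostname keeps logins from being steered elsewhere.
    """
    parts = urlsplit(location)
    return parts.scheme in ("http", "https") and (parts.hostname or "").lower() == portal_host.lower()


def rewrite_location(location: str, end_station_base: str = END_STATION_BASE) -> str:
    """Replace scheme and host with the end station's; keep path and query intact."""
    src = urlsplit(location)
    dst = urlsplit(end_station_base)
    return urlunsplit((dst.scheme, dst.netloc, src.path or "/", src.query, ""))


def rewrite_redirect(raw: bytes, page_cached: bool, portal_host: str = PORTAL_HOST,
                     end_station_base: str = END_STATION_BASE) -> bytes:
    """Step 5: return the (possibly modified) redirect message as bytes.

    The message passes through unchanged when the login page is not cached,
    when the status is not a redirect, or when Location does not target the Portal.
    """
    head, sep, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    status = lines[0].split(b" ")
    if not page_cached or len(status) < 2 or status[1] not in REDIRECT_CODES:
        return raw
    out = [lines[0]]
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"location":
            loc = value.strip().decode("latin-1")
            if points_at_portal(loc, portal_host):
                line = b"Location: " + rewrite_location(loc, end_station_base).encode("latin-1")
        out.append(line)
    # Only the Location header changed, so Content-Length still describes the body.
    return b"\r\n".join(out) + sep + body
```

Because the body is untouched, any Content-Length header remains correct; an implementation that also rewrites a URL inside an HTML body would have to recompute it.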
Step 6: the satellite end station receives the authentication page acquisition request that the user terminal sends according to the modified redirect message.
The modified redirect message redirects to the satellite end station.
The user terminal sends an authentication page acquisition request to the URL used for redirection in the modified redirect message; since that URL has been changed to the URL of the satellite end station, the request is sent to the satellite end station.
Step 7: the satellite end station establishes a connection with the Portal server.
The connection established between the satellite end station and the Portal server is a HyperText Transfer Protocol (HTTP) connection. The connection may be kept open for a predetermined length of time, for example 60 s. If the satellite end station does not receive an authentication request within the predetermined length of time, it re-establishes the HTTP connection with the Portal server. To save air interface bandwidth, one connection may be established per user terminal.
Establishing the link between the satellite end station and the Portal server in advance provides a channel for the subsequent authentication ahead of time and shortens the authentication delay.
Step 8: the satellite end station returns the authentication page to the user terminal according to the authentication page acquisition request.
When the satellite end station receives the authentication page acquisition request, it returns the cached authentication page to the user terminal. A user name and password can be entered in the authentication page.
Because the satellite end station stores the authentication page in advance, the time the user terminal would spend fetching the authentication page from the Portal server over the air interface is saved.
Step 9: the user terminal sends the authentication information to the satellite end station.
The user terminal displays the authentication page and the user enters a user name and password in it; the user terminal collects the entered user name and password and sends the collected authentication information to the satellite end station.
Step 10: the satellite end station sends the authentication information received from the user terminal to the Portal server.
After receiving the authentication information sent by the user terminal (user name, password and the IP address of the user terminal), the satellite end station can perform authentication on behalf of the user terminal.
Step 11: the Portal server sends the received authentication information to the BRAS server.
The Portal server sends the authentication information to the BRAS server to notify it that the user terminal corresponding to this authentication information wants to access the network and needs to be authenticated.
After receiving the authentication information, the Portal server records the source IP address from which it was sent, so that it can return the authentication result to that source IP address once the result is available. Because the satellite end station does not pass the authentication information through transparently but sends it to the Portal server as the user terminal's proxy, this source IP address is the IP address of the satellite end station.
Step 12: the BRAS server initiates an authentication request to the AAA server based on the authentication information.
The authentication request carries the authentication information of the user terminal.
Step 13: the AAA server authenticates the user terminal according to the authentication request and returns the authentication result to the BRAS server.
The AAA server records the authentication information (user name and password) of legitimate users in advance. On receiving the authentication information sent by the BRAS server, the AAA server determines whether it is valid; if it is valid, the user terminal passes authentication, otherwise the user terminal fails authentication. The authentication result may include the IP address of the user terminal and whether the user terminal passed authentication.
Step 14: the BRAS server notifies the Portal server of the authentication result.
If the authentication result is that the user terminal passed, the BRAS server stores the IP address of the user terminal together with the authentication result, so that when the next IP access request arrives it can determine from the IP address whether the user terminal has already been authenticated; the BRAS server also releases the previously intercepted IP access request, so that the user terminal can access the network and obtain the network resources it needs.
If the authentication result is that the user terminal failed, the BRAS server may discard the previously intercepted IP access request.
Step 15: the Portal server sends the authentication result to the satellite end station.
Because the destination address in the redirect message described above was modified to the satellite end station, the Portal server sends the authentication result to the satellite end station; after forwarding the authentication result to the user terminal, the satellite end station disconnects from the Portal server.
Step 16: the satellite end station forwards the authentication result to the user terminal.
If the authentication result is that the user terminal failed, the satellite end station may send the pre-stored authentication page to the user terminal again in order to obtain the user terminal's authentication information anew and perform proxy authentication again.
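Steps 3 to 16 above run end to end, as an added example (not the patent's code) with all five parties in one process: the user terminal's requests, the satellite end station acting as proxy, the Portal server, the BRAS server and the AAA server. Message formats, addresses, the salted password store in the AAA server and the single user account are constructed for this example; real deployments carry these exchanges over the Portal protocol and RADIUS where this code calls methods. It shows two things the text states but does not demonstrate: the Portal records the end station's address as the sender rather than the terminal's, and the BRAS admits later traffic purely on the terminal IP it learned from the forwarded authentication information, so the end station is a trusted component of the access network. On a failed result the proxy re-serves the cached login page, as in step 16.

```python
"""Steps 3-16 as one in-process exchange between user terminal, satellite end
station (proxy), Portal server, BRAS server and AAA server.

Added example, not the patent's code. Message formats, addresses, the password
store and the user account are constructed for this example.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

PORTAL_PREFIX = "http://portal.example.com/"   # assumed Portal server URL prefix


@dataclass
class AAAServer:
    """Step 13: holds salted password hashes of legitimate users."""
    users: Dict[str, Tuple[bytes, bytes]] = field(default_factory=dict)  # name -> (salt, digest)

    @staticmethod
    def _digest(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

    def add_user(self, name: str, password: str) -> None:
        salt = os.urandom(16)
        self.users[name] = (salt, self._digest(password, salt))

    def authenticate(self, name: str, password: str) -> bool:
        rec = self.users.get(name)
        if rec is None:
            return False
        salt, digest = rec
        return hmac.compare_digest(self._digest(password, salt), digest)  # constant-time compare


@dataclass
class BRASServer:
    """Steps 4, 12 and 14: admits traffic only from source IPs recorded as authenticated."""
    aaa: AAAServer
    authenticated_ips: Set[str] = field(default_factory=set)

    def handle_ip_access(self, src_ip: str) -> Tuple[str, Optional[str]]:
        """Returns ("pass", None) or ("redirect", portal_url) for an IP access request."""
        if src_ip in self.authenticated_ips:
            return ("pass", None)
        return ("redirect", f"{PORTAL_PREFIX}login?userip={src_ip}")

    def authenticate(self, username: str, password: str, user_ip: str) -> Dict[str, str]:
        ok = self.aaa.authenticate(username, password)        # step 12/13 via AAA
        if ok:
            self.authenticated_ips.add(user_ip)               # step 14: remember the terminal IP
        return {"userip": user_ip, "result": "pass" if ok else "fail"}


@dataclass
class PortalServer:
    """Steps 11 and 15: relays credentials to the BRAS and the result back to the sender."""
    bras: BRASServer
    last_sender_ip: Optional[str] = None

    def login(self, sender_ip: str, auth_info: Dict[str, str]) -> Dict[str, str]:
        self.last_sender_ip = sender_ip   # the proxy's address, not the terminal's
        return self.bras.authenticate(auth_info["username"], auth_info["password"], auth_info["userip"])


@dataclass
class SatelliteEndStation:
    """Steps 5 to 10 and 16: the authentication proxy."""
    portal: PortalServer
    bras: BRASServer
    own_ip: str = "10.0.0.1"
    login_page: str = "<form>user/pass</form>"   # pre-cached authentication page

    def ip_access(self, user_ip: str) -> Tuple[str, Optional[str]]:
        verdict, url = self.bras.handle_ip_access(user_ip)                 # steps 3/4
        if verdict == "redirect" and url and url.startswith(PORTAL_PREFIX):  # whole host, with slash
            url = f"http://{self.own_ip}/" + url[len(PORTAL_PREFIX):]       # step 5
        return verdict, url

    def login(self, user_ip: str, username: str, password: str) -> Dict[str, str]:
        auth_info = {"username": username, "password": password, "userip": user_ip}  # step 9
        result = self.portal.login(self.own_ip, auth_info)                            # step 10
        if result["result"] != "pass":
            result["page"] = self.login_page   # step 16: re-serve the cached page on failure
        return result


def build_demo() -> SatelliteEndStation:
    """Wire the components together with one constructed user account."""
    aaa = AAAServer()
    aaa.add_user("alice", "correct horse battery staple")
    bras = BRASServer(aaa)
    return SatelliteEndStation(PortalServer(bras), bras)
```

A second request from the same terminal IP after a successful login passes without any redirect, which is exactly the state the BRAS keeps in step 14; a request from a different IP is redirected again.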
In this embodiment, the message redirecting to the Portal server is changed to redirect to the satellite end station, DNS results and the authentication page are cached in advance, and the communication link is established ahead of time. Except for the first authentication of a user terminal, this effectively shortens the authentication delay and the authentication time, improves authentication efficiency and improves the user experience.
Embodiment 4
An embodiment of the present disclosure further provides an authentication proxy apparatus. The apparatus is arranged on the proxy device side; the proxy device is, for example, a satellite end station. FIG. 4 is a structural diagram of the authentication proxy apparatus according to an embodiment of the present disclosure.
The apparatus includes:
an intercepting module 410, configured to intercept a redirect message sent by a first authentication device to a user terminal;
a modification module 420, configured to modify the redirect message, wherein the address used for redirection in the redirect message is modified to the address of the satellite end station;
a transceiver module 430, configured to send the modified redirect message to the user terminal and to receive authentication information sent by the user terminal according to the modified redirect message; and
a proxy module 440, configured to perform authentication on behalf of the user terminal according to the authentication information, the authentication being AAA authentication.
In one embodiment, the transceiver module 430 is further configured to: receive a domain name sent by the user terminal; obtain, from a preset domain name cache list, the Internet Protocol (IP) address corresponding to the domain name and return it to the user terminal; and forward the IP access request that the user terminal initiates according to the IP address to the first authentication device, wherein the first authentication device, on determining from the IP access request that the user terminal has not been authenticated, sends a redirect message to the user terminal through the satellite end station.
In another embodiment, the transceiver module 430 may be configured to: receive an authentication page acquisition request sent by the user terminal according to the modified redirect message; return a pre-stored authentication page to the user terminal according to the authentication page acquisition request; and receive the authentication information sent by the user terminal based on the authentication page.
In yet another embodiment, the apparatus further includes a connection module (not shown) configured to establish a communication connection between the satellite end station and a second authentication device before authentication on behalf of the user terminal according to the authentication information is performed.
In still another embodiment, the proxy module 440 may be configured to: send the authentication information to the second authentication device so that the second authentication device initiates authentication of the user terminal according to the authentication information; and receive the authentication result returned by the second authentication device and send it to the user terminal.
The functions of the apparatus of this embodiment have been described in the method embodiments shown in FIG. 1 to FIG. 3; for details not covered here, refer to the related description of those embodiments, which is not repeated.
Embodiment 5
The present disclosure further provides an authentication proxy device equipped with the authentication proxy apparatus of any of the above embodiments, to proxy the services of a user terminal. The authentication proxy device may be a satellite end station or another physical entity.
From the description of the above embodiments, those skilled in the art will understand that the methods of the above embodiments may be implemented by software on a general-purpose hardware platform, and may of course also be implemented in hardware. On this basis, the technical solution of the present disclosure, or the part of it that contributes over the related art, may be embodied as a software product stored in a storage medium (such as ROM/RAM, a magnetic disk or an optical disc) that includes instructions for causing a terminal device (which may be a mobile phone, a computer, a server, a network device or the like) to perform the methods described in the embodiments of the present disclosure.
An embodiment of the present disclosure further provides a storage medium. Optionally, in this embodiment, the storage medium may be configured to store program code for performing the following steps:
S11: intercepting a redirect message sent by a first authentication device to a user terminal;
S12: modifying the redirect message and sending it to the user terminal, wherein the address used for redirection in the redirect message is modified to the address of a proxy device;
S13: receiving authentication information sent by the user terminal according to the modified redirect message;
S14: performing authentication on behalf of the user terminal according to the authentication information.
Optionally, in this embodiment, the storage medium may be a transitory or a non-transitory computer-readable storage medium, and may include any medium capable of storing program code, such as a USB flash drive, a read-only memory (ROM), a random access memory (RAM), a removable hard disk, a magnetic disk or an optical disc.
Optionally, in this embodiment, a processor performs the method steps described in the above embodiments according to the program code stored in the storage medium.
An embodiment of the present disclosure further provides a schematic structural diagram of an electronic device that uses the above processor. Referring to FIG. 5, the electronic device includes:
at least one processor 50 (FIG. 5 takes one processor 50 as an example) and a memory 51, and may further include a communications interface 52 and a bus 53. The processor 50, the communications interface 52 and the memory 51 communicate with one another over the bus 53. The communications interface 52 may be used for information transmission. The processor 50 may invoke logic instructions in the memory 51 to perform the methods of the above embodiments.
In addition, the logic instructions in the memory 51 may be implemented as software functional units and, when sold or used as an independent product, stored in a computer-readable storage medium.
The memory 51, as a computer-readable storage medium, may be used to store software programs and computer-executable programs, such as the program instructions/modules corresponding to the methods in the embodiments of the present disclosure. The processor 50 runs the software programs, instructions and modules stored in the memory 51, thereby executing functional applications and data processing, i.e. implementing the authentication proxy method of the above method embodiments.
The memory 51 may include a program storage area and a data storage area; the program storage area may store an operating system and the application program(s) required for at least one function, and the data storage area may store data created during use of the terminal device and the like. The memory 51 may further include high-speed random access memory and may also include non-volatile memory.
The technical solution of the embodiments of the present disclosure may be embodied as a software product stored in a storage medium and including one or more instructions for causing a computer device (which may be a personal computer, a server, a network device or the like) to perform all or some of the steps of the methods described in the embodiments of the present disclosure. The storage medium may be a non-transitory storage medium, including any medium capable of storing program code, such as a USB flash drive, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk or an optical disc, or it may be a transitory storage medium.
Optionally, for examples in this embodiment, refer to the examples described in the above embodiments and optional implementations, which are not repeated here.
The modules or steps of the present disclosure described above may be implemented by a general-purpose computing device; they may be concentrated on a single computing device or distributed over a network of several computing devices. Optionally, they may be implemented as program code executable by a computing device, so that they may be stored in a storage device and executed by the computing device, and in some cases the steps shown or described may be performed in an order different from that given here; or they may be made into individual integrated circuit modules, or several of the modules or steps may be made into a single integrated circuit module. Thus, the present disclosure is not limited to any particular combination of hardware and software.
Although embodiments of the present disclosure have been disclosed, those skilled in the art will appreciate that various improvements, additions and substitutions are possible; the scope of the present disclosure is therefore not limited to the above embodiments.
Industrial applicability
The authentication proxy method, apparatus and device disclosed in this application reduce the interaction between the user terminal and the first and second authentication devices, effectively reducing the authentication delay, shortening the authentication time, improving authentication efficiency and improving the user experience.

Claims (12)

  1. 一种认证代理方法,包括:An authentication agent method, including:
    截获第一认证设备向用户终端发送的重定向消息;Intercepting a redirect message sent by the first authentication device to the user terminal;
    修改所述重定向消息并发送给所述用户终端;其中,将所述重定向消息中用于重定向的地址修改为代理设备的地址;Modifying the redirect message and sending the message to the user terminal; wherein, the address used for redirection in the redirect message is modified to an address of the proxy device;
    接收所述用户终端根据修改后的所述重定向消息发送的认证信息;Receiving the authentication information sent by the user terminal according to the modified redirect message;
    根据所述认证信息代理所述用户终端进行认证。The user terminal is authenticated according to the authentication information.
  2. 如权利要求1所述的方法,还包括:The method of claim 1 further comprising:
    接收所述用户终端发送的域名;Receiving a domain name sent by the user terminal;
    在预设的域名缓存列表中,获取与所述域名对应的互联网协议IP地址并返回给所述用户终端;Obtaining, in a preset domain name cache list, an internet protocol IP address corresponding to the domain name, and returning to the user terminal;
    将接收到的所述用户终端根据所述IP地址发起的IP访问请求转发给第一认证设备;其中,所述第一认证设备在根据所述IP访问请求确定所述用户终端未通过认证时,通过所述代理设备向所述用户终端发送重定向消息。Forwarding, by the user terminal, the IP access request initiated by the user terminal to the first authentication device, where the first authentication device determines that the user terminal fails to pass the authentication according to the IP access request, A redirect message is sent to the user terminal by the proxy device.
  3. 如权利要求1所述的方法,其中,所述接收所述用户终端根据修改后的所述重定向消息发送的认证信息,包括:The method of claim 1, wherein the receiving the authentication information sent by the user terminal according to the modified redirect message comprises:
    接收所述用户终端根据修改后的所述重定向消息发送的认证页面获取请求;Receiving an authentication page acquisition request sent by the user terminal according to the modified redirect message;
    根据所述认证页面获取请求,将预先存储的认证页面返回给所述用户终端;Returning the pre-stored authentication page to the user terminal according to the authentication page obtaining request;
    接收所述用户终端基于所述认证页面发送的认证信息。Receiving the authentication information sent by the user terminal based on the authentication page.
  4. 如权利要求1所述的方法,其中,在所述根据所述认证信息代理所述用户终端进行认证之前,还包括:The method of claim 1, wherein before the authenticating the user terminal according to the authentication information, the method further comprises:
    在所述代理设备和第二认证设备之间建立通信连接。 A communication connection is established between the proxy device and the second authentication device.
  5. 如权利要求1-4中任一项所述的方法,其中,所述根据所述认证信息代理所述用户终端进行认证,包括:The method according to any one of claims 1 to 4, wherein the authenticating the user terminal according to the authentication information comprises:
    将所述认证信息发送给第二认证设备,以便所述第二认证设备根据所述认证信息发起对用户终端的认证;Sending the authentication information to the second authentication device, so that the second authentication device initiates authentication of the user terminal according to the authentication information;
    接收所述第二认证设备返回的认证结果,并将所述认证结果发送给所述用户终端。Receiving an authentication result returned by the second authentication device, and transmitting the authentication result to the user terminal.
  6. 一种认证代理装置,包括:An authentication agent device comprising:
    截获模块,被配置为截获第一认证设备向用户终端发送的重定向消息;An intercepting module configured to intercept a redirect message sent by the first authentication device to the user terminal;
    修改模块,被配置为修改所述重定向消息;其中,将所述重定向消息中用于重定向的地址修改为代理设备的地址;a modification module, configured to modify the redirect message; wherein, the address used for redirection in the redirect message is modified to an address of a proxy device;
    收发模块,被配置为将修改后的所述重定向消息发送给所述用户终端,并接收所述用户终端根据修改后的所述重定向消息发送的认证信息;The transceiver module is configured to send the modified redirect message to the user terminal, and receive the authentication information sent by the user terminal according to the modified redirect message.
    代理模块,被配置为根据所述认证信息代理所述用户终端进行认证。The proxy module is configured to proxy the user terminal for authentication according to the authentication information.
  7. 如权利要求6所述的装置,其中,所述收发模块还被配置为:The apparatus of claim 6 wherein said transceiver module is further configured to:
    接收所述用户终端发送的域名;Receiving a domain name sent by the user terminal;
    在预设的域名缓存列表中,获取与所述域名对应的互联网协议IP地址并返回给所述用户终端;Obtaining, in a preset domain name cache list, an internet protocol IP address corresponding to the domain name, and returning to the user terminal;
    forward the received IP access request, initiated by the user terminal according to the IP address, to a first authentication device; wherein, when the first authentication device determines from the IP access request that the user terminal has not passed authentication, it sends a redirect message to the user terminal through the proxy device.
  8. The apparatus of claim 6, wherein the transceiver module is configured to:
    receive an authentication page acquisition request sent by the user terminal according to the modified redirect message;
    return a pre-stored authentication page to the user terminal according to the authentication page acquisition request;
    receive authentication information sent by the user terminal on the basis of the authentication page.
  9. The apparatus of claim 6, further comprising a connection module;
    the connection module being configured to establish a communication connection between the proxy device and a second authentication device before the user terminal is authenticated by proxy according to the authentication information.
  10. The apparatus of any one of claims 6 to 9, wherein the proxy module is configured to:
    send the authentication information to a second authentication device, so that the second authentication device initiates authentication of the user terminal according to the authentication information;
    receive an authentication result returned by the second authentication device, and send the authentication result to the user terminal.
  11. An authentication proxy device provided with the apparatus of any one of claims 6 to 10.
  12. A computer-readable storage medium storing computer-executable instructions, the computer-executable instructions being arranged to execute the method of any one of claims 1 to 5.
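The exchange claimed in claims 7 to 10, modelled as an added example that is not part of the patent and not code from the applicant: a proxy forwards the terminal's access request to a first authentication device, rewrites the 302 that device returns so that the terminal fetches the proxy's own pre-stored login page, and relays the submitted credentials to a second authentication device over a connection it sets up first. The hostnames (`proxy.lan`, `portal.first.lan`, `example.com`), the page path `/portal/login`, the form field names, the user table and the decision to record a successful result on the first device are all assumptions of this model; the three parties are in-process stand-ins so the flow runs offline.

```python
import hmac
from dataclasses import dataclass, field
from typing import Dict, Optional, Set
from urllib.parse import parse_qs, urlencode, urlsplit


@dataclass
class HttpMessage:
    """Minimal HTTP request/response model, constructed for this example."""
    start_line: str                            # "GET /news HTTP/1.1" or "HTTP/1.1 302 Found"
    headers: Dict[str, str] = field(default_factory=dict)
    body: str = ""

    @property
    def status(self) -> Optional[int]:         # response status code; None for a request
        first, second, _ = self.start_line.split(" ", 2)
        return int(second) if first.startswith("HTTP/") else None

    @property
    def method_and_path(self):
        method, path, _ = self.start_line.split(" ", 2)
        return method, path


class FirstAuthDevice:
    """Stand-in for the first authentication device: passes an authenticated
    terminal's request through, otherwise answers with a 302 to its own portal."""
    def __init__(self, portal_url: str):
        self.portal_url = portal_url
        self.authenticated: Set[str] = set()

    def handle(self, terminal_ip: str, req: HttpMessage) -> HttpMessage:
        if terminal_ip in self.authenticated:
            return HttpMessage("HTTP/1.1 200 OK", {"Content-Type": "text/plain"}, "requested resource")
        original = req.headers.get("Host", "") + req.method_and_path[1]
        return HttpMessage("HTTP/1.1 302 Found",
                           {"Location": f"{self.portal_url}?{urlencode({'url': original})}"})


class SecondAuthDevice:
    """Stand-in for the second authentication device with a constructed user table."""
    def __init__(self, users: Dict[str, str]):
        self.users = users

    def authenticate(self, user: str, password: str) -> bool:
        expected = self.users.get(user, "")
        return bool(user) and hmac.compare_digest(expected.encode(), password.encode())


class AuthProxy:
    AUTH_PAGE_PATH = "/portal/login"           # assumed path of the pre-stored page on the proxy

    def __init__(self, proxy_host, first, second, auth_page):
        self.proxy_host, self.first, self.second, self.auth_page = proxy_host, first, second, auth_page
        self.portal_host = urlsplit(first.portal_url).netloc
        self.second_connected = False          # claim 9: connection set up before proxying

    def modify_redirect(self, resp: HttpMessage) -> HttpMessage:
        """Claims 7/8: re-point the redirect at the proxy's own authentication page.
        Only a redirect to the first device's portal is rewritten; any other Location
        passes through untouched, so a foreign redirect never lands on the login page."""
        loc = urlsplit(resp.headers.get("Location", ""))
        if loc.netloc != self.portal_host:
            return resp
        query = f"?{loc.query}" if loc.query else ""
        resp.headers["Location"] = f"http://{self.proxy_host}{self.AUTH_PAGE_PATH}{query}"
        return resp

    def handle(self, terminal_ip: str, req: HttpMessage) -> HttpMessage:
        method, path = req.method_and_path
        if req.headers.get("Host") == self.proxy_host and path.split("?", 1)[0] == self.AUTH_PAGE_PATH:
            if method == "GET":                # claim 8: return the pre-stored authentication page
                return HttpMessage("HTTP/1.1 200 OK", {"Content-Type": "text/html"}, self.auth_page)
            if method == "POST":               # claim 8: authentication information from that page
                form = parse_qs(req.body)
                return self.proxy_authentication(terminal_ip, form.get("user", [""])[0],
                                                 form.get("password", [""])[0])
            return HttpMessage("HTTP/1.1 405 Method Not Allowed")
        resp = self.first.handle(terminal_ip, req)   # claim 7: forward the IP access request
        return self.modify_redirect(resp) if resp.status == 302 else resp

    def proxy_authentication(self, terminal_ip: str, user: str, password: str) -> HttpMessage:
        """Claims 9/10: connect to the second device, relay the credentials, return the result."""
        if not self.second_connected:
            self.second_connected = True
        ok = self.second.authenticate(user, password)
        if ok:
            # Assumption of this model, not stated in the claims: the result is recorded so
            # the terminal's next access request is passed through by the first device.
            self.first.authenticated.add(terminal_ip)
        return HttpMessage("HTTP/1.1 200 OK" if ok else "HTTP/1.1 401 Unauthorized",
                           {"Content-Type": "text/plain"},
                           "authentication succeeded" if ok else "authentication failed")


AUTH_PAGE = ('<html><body><form method="post"><input name="user">'
             '<input name="password" type="password"><button>Login</button></form></body></html>')


def build_demo() -> AuthProxy:
    """Wire the three constructed parties together with assumed hostnames and credentials."""
    first = FirstAuthDevice("http://portal.first.lan/auth")
    second = SecondAuthDevice({"alice": "correct-horse"})
    return AuthProxy("proxy.lan", first, second, AUTH_PAGE)
```

The one check worth keeping from this model is in `modify_redirect`: the proxy rewrites only a redirect whose host is the first authentication device's portal and leaves every other Location alone, so that the rewriting step cannot be used to steer an unrelated redirect onto the login page. The claims say nothing about how the first device learns the second device's verdict; the model records it directly and labels that as an assumption.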
PCT/CN2017/097703 2016-08-26 2017-08-16 Authentication proxy method, apparatus and device WO2018036415A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201610729155.8A CN107786502B (en) 2016-08-26 2016-08-26 Authentication proxy method, device and equipment
CN201610729155.8 2016-08-26

Publications (1)

Publication Number Publication Date
WO2018036415A1 true WO2018036415A1 (en) 2018-03-01

Family

ID=61246338

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2017/097703 WO2018036415A1 (en) 2016-08-26 2017-08-16 Authentication proxy method, apparatus and device

Country Status (2)

Country Link
CN (1) CN107786502B (en)
WO (1) WO2018036415A1 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114499965A (en) * 2021-12-27 2022-05-13 北京安博通科技股份有限公司 Internet access authentication method and system based on POP3 protocol

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107846380B (en) * 2016-09-18 2021-12-14 中兴通讯股份有限公司 Internet access authentication method, device and system
CN114710548B (en) * 2022-03-22 2024-04-05 阿里巴巴(中国)有限公司 Message forwarding method and device
CN117749596A (en) * 2022-09-20 2024-03-22 华为技术有限公司 Wireless network access method, wireless network access device, electronic equipment and storage medium

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101651682A (en) * 2009-09-15 2010-02-17 杭州华三通信技术有限公司 Method, system and device of security certificate
CN102571344A (en) * 2010-12-08 2012-07-11 中国电信股份有限公司 Single point authentication method and system thereof
US9137131B1 (en) * 2013-03-12 2015-09-15 Skyhigh Networks, Inc. Network traffic monitoring system and method to redirect network traffic through a network intermediary

Family Cites Families (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102111406B (en) * 2010-12-20 2014-02-05 杭州华三通信技术有限公司 Authentication method, system and DHCP proxy server
KR20130007797A (en) * 2011-07-11 2013-01-21 삼성전자주식회사 Method and system for open authentication
CN102624729B (en) * 2012-03-12 2015-07-22 北京星网锐捷网络技术有限公司 Web authentication method, device and system
CN103701760A (en) * 2012-09-28 2014-04-02 中国电信股份有限公司 Wireless LAN (Local Area Network) Portal authentication method and system and Portal server
CN103327008A (en) * 2013-05-22 2013-09-25 杭州华三通信技术有限公司 HTTP reorienting method and HTTP reorienting device

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114499965A (en) * 2021-12-27 2022-05-13 北京安博通科技股份有限公司 Internet access authentication method and system based on POP3 protocol
CN114499965B (en) * 2021-12-27 2023-07-07 北京安博通科技股份有限公司 Internet surfing authentication method and system based on POP3 protocol

Also Published As

Publication number Publication date
CN107786502B (en) 2022-03-22
CN107786502A (en) 2018-03-09

Similar Documents

Publication Publication Date Title
CN110300117B (en) IOT device and user binding authentication method, device and medium
US10873451B2 (en) Content delivery network processing method, content delivery network, device, and storage medium
CN104506510B (en) Method and device for equipment authentication and authentication service system
US8448233B2 (en) Dealing with web attacks using cryptographically signed HTTP cookies
EP2830280B1 (en) Web caching with security as a service
WO2018036415A1 (en) Authentication proxy method, apparatus and device
US8423650B2 (en) Transferring session data between network applications
AU2017344388B2 (en) Improvements in and relating to network communication
WO2019170047A1 (en) Message processing method, system, and user plane function device
US10972453B1 (en) Methods for token refreshment based on single sign-on (SSO) for federated identity environments and devices thereof
US11290487B2 (en) Method and apparatus for reducing latency of network protocols
US8719380B2 (en) Method and system for facilitating remote downloading
CN110830516B (en) Network access method, device, network control equipment and storage medium
JP5790391B2 (en) Method, system and persistent computer readable storage medium for remote download
US9900368B2 (en) Method for optimising downloading of data
CN103997479B (en) A kind of asymmetric services IP Proxy Methods and equipment
US8839396B1 (en) Providing single sign-on for wireless devices
CN108886533B (en) Accelerating connections to host servers
CN106411978B (en) Resource caching method and device
CN110856145B (en) IOT (Internet of things) equipment and user binding method, equipment and medium based on near field authentication
JP2003242109A (en) Certification access control server device, gateway device, certification access control method, gateway control method, certification access control program and recording medium with the program recorded thereon, and gateway control program and recording medium with the program recorded thereon
WO2015188453A1 (en) Client access method and device
CN116668181A (en) Intranet access method, electronic equipment and storage medium
CN116266785A (en) Key generation method, MEP server, application server and core network element

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 17842838

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 17842838

Country of ref document: EP

Kind code of ref document: A1