WO2021027600A1 - Single log-in method, apparatus and device, and computer-readable storage medium - Google Patents


Info

Publication number
WO2021027600A1
Authority
WO
WIPO (PCT)
Prior art keywords
user information
single sign
redis
session identifier
operation request
Application number
PCT/CN2020/106349
Other languages
French (fr)
Chinese (zh)
Inventor
罗鹏
Original Assignee
深圳前海微众银行股份有限公司
Application filed by 深圳前海微众银行股份有限公司
Publication of WO2021027600A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L 63/0815 Network architectures or network communication protocols for network security for authentication of entities providing single-sign-on or federations
    • H04L 63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H04L 67/00 Network arrangements or protocols for supporting network services or applications
    • H04L 67/01 Protocols
    • H04L 67/02 Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]

Definitions

  • This application relates to the field of financial technology (Fintech) big data technology, in particular to single sign-on methods, devices, equipment, and computer-readable storage media.
  • In the existing single sign-on system, the business platform (access party) has to modify its own code to call Redis-related methods in order to store and obtain user information.
  • As a result the Redis interface is exposed on the access side, where it is at risk of being tampered with, so the stability and security of the single sign-on system are low.
  • the main purpose of this application is to propose a single sign-on method, apparatus, device, and computer-readable storage medium, aiming at the technical problem that the stability and security of the current single sign-on system are low.
  • this application provides a single sign-on method, which includes the following steps:
  • upon receiving an operation request, determining whether the operation request is a login request according to the network address of the operation request;
  • if it is determined that the operation request is a login request, acquiring user information corresponding to the login request, and logging in to the account corresponding to the user information;
  • after determining that the account login is successful, generating a session identifier, writing the session identifier into a Cookie, and writing the user information into the Redis server corresponding to the Redis address information.
  • the step of "after determining that the account login is successful, generate a session identifier, write the session identifier into a Cookie, and write the user information into the Redis server corresponding to the Redis address information" includes:
  • the set method in the preset network interface is called to write the user information into the Redis server corresponding to the Redis address information.
  • the method includes:
  • querying the Redis server corresponding to the Redis address information through the preset loading interface, and determining whether the user information corresponding to the session identifier exists in the Redis server;
  • after the step of "after determining that the account login is successful, generate a session identifier, write the session identifier into a Cookie, and write the user information into the Redis server corresponding to the Redis address information", the method includes:
  • the method further includes:
  • prompt information is output to prompt the user to log in again.
  • the step of "if it is determined that the operation request is a login request, obtaining user information corresponding to the login request, and logging in to the account corresponding to the user information" includes:
  • if it is determined that the operation request is a login request, acquiring user information corresponding to the login request, and verifying the user information;
  • this application also provides a single sign-on device, which includes:
  • the address obtaining module is configured to detect that the access party service is started and obtain the Redis address information from the preset configuration center;
  • the request judgment module is configured to receive the operation request, and determine whether the operation request is a login request according to the network address of the operation request;
  • the account login module is configured to, after determining that the operation request is a login request, obtain user information corresponding to the login request, and log in to the account corresponding to the user information;
  • the information writing module is configured to generate a session identifier after determining that the account is successfully logged in, write the session identifier into a Cookie, and write the user information into the Redis server corresponding to the Redis address information.
  • the information writing module includes:
  • the first writing unit is configured to generate a session identifier through a preset interceptor after determining that the account is successfully logged in, and write the session identifier into a Cookie;
  • the second writing unit is configured to call the set method in the preset network interface to write the user information into the Redis server corresponding to the Redis address information.
  • the single sign-on device includes:
  • an identification acquisition module configured to, after determining that the operation request is not a login request, obtain the session identifier corresponding to the operation request from the Cookie through a preset loading interface;
  • an information query module configured to query the Redis server corresponding to the Redis address information through the preset loading interface, and determine whether the user information corresponding to the session identifier exists in the Redis server;
  • the access execution module is configured to, after determining that the user information corresponding to the session identifier exists in the Redis server, access the access party interface to execute the operation request.
  • the single sign-on device further includes:
  • a time setting module configured to set the timeout period of the user information in the Redis server;
  • an information deletion module configured to delete the user information in the Redis server when detecting that the storage time of the user information reaches the timeout period;
  • the login prompt module is configured to output prompt information to prompt the user to log in again after determining that the user information corresponding to the session identifier does not exist in the Redis server.
  • the account login module includes:
  • an information verification unit configured to, after determining that the operation request is a login request, obtain user information corresponding to the login request, and verify the user information;
  • the prompt output unit is configured to output prompt information to prompt the user to input new user information after determining that the user information verification fails;
  • the account login unit is configured to log in to the account corresponding to the user information after determining that the user information is verified.
  • this application also provides a single sign-on device, the single sign-on device comprising: a memory, a processor, and a computer program corresponding to single sign-on that is stored on the memory and capable of running on the processor;
  • when the computer program corresponding to single sign-on is executed by the processor, the steps of the single sign-on method described above are implemented.
  • the present application also provides a computer-readable storage medium having a computer program corresponding to single sign-on stored on it; when the computer program corresponding to single sign-on is executed by a processor, the steps of the single sign-on method above are implemented.
  • the single sign-on method in this application includes: upon detecting that the access party service is started, obtaining Redis address information from the preset configuration center; upon receiving an operation request, determining whether the operation request is a login request according to the network address of the operation request; if it is determined that the operation request is a login request, obtaining the user information corresponding to the login request and logging in to the account corresponding to the user information; and, after determining that the account is successfully logged in, generating a session identifier, writing the session identifier into a Cookie, and writing the user information into the Redis server corresponding to the Redis address information.
  • the configuration center is preset and the Redis address information is saved to the configuration center.
  • the single sign-on device determines whether the operation request is a login request; after determining that the operation request is a login request, the single sign-on device obtains the Redis address information from the configuration center and stores the user information in the login request in the Redis server corresponding to the Redis address information, so that the access party does not need to connect to the Redis interface directly, which improves the stability and security of single sign-on.
  • FIG. 1 is a schematic diagram of a device structure of a hardware operating environment involved in a solution of an embodiment of the present application
  • FIG. 3 is a schematic diagram of a specific scenario of the first embodiment of the single sign-on method of this application.
  • FIG. 5 is a schematic diagram of functional modules of an embodiment of a single sign-on device according to the present application.
  • FIG. 1 is a schematic diagram of the device structure of the hardware operating environment involved in the solution of the embodiment of the present application.
  • the single sign-on device in the embodiment of the present application may be a PC or a server device.
  • the single sign-on device may include: a processor 1001, such as a CPU, a network interface 1004, a user interface 1003, a memory 1005, and a communication bus 1002.
  • the communication bus 1002 is used to implement connection and communication between these components.
  • the user interface 1003 may include a display screen (Display) and an input unit such as a keyboard (Keyboard); optionally, the user interface 1003 may also include a standard wired interface and a wireless interface.
  • the network interface 1004 may optionally include a standard wired interface and a wireless interface (such as a WI-FI interface).
  • the memory 1005 may be a high-speed RAM memory, or a stable memory (non-volatile memory), such as a magnetic disk memory.
  • the memory 1005 may also be a storage device independent of the foregoing processor 1001.
  • the single sign-on device shown in FIG. 1 does not constitute a limitation on the single sign-on device.
  • the single sign-on device may include more or fewer components than shown in the figure, a combination of some components, or a different arrangement of components.
  • a memory 1005 as a computer storage medium may include an operating system, a network communication module, a user interface module, and a computer program corresponding to single sign-on.
  • the network interface 1004 is mainly used to connect to a background server and perform data communication with the background server;
  • the user interface 1003 is mainly used to connect to a client (user side) and perform data communication with the client;
  • the processor 1001 may be used to call the computer program corresponding to the single sign-on stored in the memory 1005.
  • the method implemented thereby can refer to the single sign-on method of this application.
  • Fig. 2 is a schematic flowchart of a first embodiment of a single sign-on method according to this application.
  • the single sign-on method includes:
  • Step S10: it is detected that the access party service is started, and the Redis address information is obtained from the preset configuration center.
  • the single sign-on method is applied to a single sign-on device; the single sign-on device is set at the front end of the single sign-on system and is used to process the operation requests received by the single sign-on system. Specifically,
  • the single sign-on device is in communication connection with the user client, the access party service platform, and the single sign-on system.
  • for example, the first business platform, the second business platform, and the third business platform are interconnected business platforms that trust one another;
  • before a business platform is connected, the development or operation and maintenance personnel connect the first business platform, the second business platform and the third business platform to the single sign-on system in advance, so that after the user logs in to the first business platform, the user can use the single sign-on system.
  • the configuration center of the single sign-on device in this embodiment is preset, and the configuration center contains Redis address information.
  • when the access party service starts, the access party sends a start instruction to the single sign-on device;
  • the single sign-on device receives the start instruction sent by the access party, and thereby detects that the access party service is started;
  • the single sign-on device then obtains the Redis address information from the preset configuration center, so that it can call the Redis-related methods for that Redis address to store or obtain user information.
  • the Redis-related configuration is kept in the preset configuration center, so the internal implementation of single sign-on is hidden and the risk of exposing the single sign-on system through Redis is avoided.
  • Step S20: the operation request is received, and whether the operation request is a login request is judged according to the network address of the operation request.
  • the single sign-on device receives the operation request.
  • the type of the operation request is not specifically limited, that is, the operation request can be a login request, an access request, or an editing request.
  • the triggering method of the operation request is not specifically limited either; the operation request can be triggered by the user.
  • for example, the user enters the xxx mailbox on the user terminal and clicks "Enter" to trigger an operation request, and the terminal sends the operation request to the single sign-on device;
  • the operation request can also be triggered automatically: for example, the user terminal is preset to log in to the xxx system automatically every morning to query business data, the terminal automatically triggers an operation request every morning, and the terminal sends the operation request to the single sign-on device.
  • when the single sign-on device receives the operation request, it obtains the network address corresponding to the operation request and judges whether the operation request is a login request according to that network address. Specifically, a set of login URLs is preset in the single sign-on device; the single sign-on device compares the network address corresponding to the operation request with each preset login address in the set of login URLs and determines whether the network address is one of the preset login addresses. If the network address is a preset login address in the preset login URL set, the single sign-on device determines that the operation request is a login request; if it is not, the single sign-on device determines that the operation request is not a login request.
  • the single sign-on device determines whether the operation request is a login request to determine the subsequent processing steps, namely,
  • Step S30: it is determined that the operation request is a login request; user information corresponding to the login request is then obtained, and the account corresponding to the user information is logged in.
  • the single sign-on device obtains the user information corresponding to the login request, where the user information includes an account identification (identification information that uniquely identifies the login account, for example an account name, user name or user ID number), a login password and other account-related information; the single sign-on device enters the user information at the corresponding network address and executes the login instruction to log in to the account corresponding to the user information. Specifically, this includes:
  • Step a1: it is determined that the operation request is a login request; user information corresponding to the login request is then obtained, and the user information is verified;
  • Step a2: it is determined that the user information verification fails; a prompt message is then output to prompt the user to input new user information;
  • Step a3: it is determined that the user information is verified; the account corresponding to the user information is then logged in.
  • a filter is preset in the single sign-on device, where the preset filter refers to preset filtering code, and the preset filter can be provided through an SDK (Software Development Kit: a collection of development tools used by software engineers to build application software for specific software packages, software frameworks, hardware platforms, operating systems, etc.).
  • the preset filter in the single sign-on device does not intercept the login request.
  • the single sign-on device obtains the user information corresponding to the login request and verifies the user information. That is, a standard login information set is pre-stored in the single sign-on device, containing the standard login information that each user registered or actively set; the single sign-on device verifies the user information by comparing the user information corresponding to the login request with the standard login information in the standard login information set. If the standard login information set contains target standard information identical to the user information, the user information verification passes; if it contains no target standard information identical to the user information, the user information verification fails. If the user information verification fails, the single sign-on device outputs prompt information to prompt the user to enter new user information; if the user information is verified, the single sign-on device logs in to the account corresponding to the user information.
  • Step S40: after it is determined that the account login is successful, a session identifier is generated, the session identifier is written into a Cookie, and the user information is written into the Redis server corresponding to the Redis address information.
  • Step b1: after determining that the account is successfully logged in, a session identifier is generated through a preset interceptor, and the session identifier is written into a Cookie;
  • Step b2: the set method in the preset network interface is called, and the user information is written into the Redis server corresponding to the Redis address information.
  • an interceptor is preset in the single sign-on device.
  • the preset interceptor refers to the preset code used to generate the session identifier, and it can likewise be provided through an SDK.
  • the single sign-on device generates the session identifier through the preset interceptor and writes the session identifier into the Cookie.
  • the single sign-on device calls the set method in the preset network interface (the preset network interface refers to the pre-rewritten HttpSession interface code that implements the user information storage operation).
  • through the set method of the preset network interface, the single sign-on device writes the user information into the Redis server corresponding to the Redis address information.
  • the single sign-on device calls the preset loading interface (the preset loading interface refers to the pre-adapted HttpServletRequest interface, which is used to obtain user information from Redis and return it to the getUserPrincipal method) to obtain the session identifier corresponding to the operation request from the Cookie; the single sign-on device then queries the Redis server corresponding to the Redis address information through the preset loading interface and obtains the user information corresponding to the session identifier from the Redis server, thereby realizing single sign-on. That is, if the single sign-on device finds the user information corresponding to the session identifier in the Redis server, the access party responds to the user's operation request; if the single sign-on device finds no user information corresponding to the session identifier in the Redis server, the single sign-on device prompts the user to log in again.
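The login path of the first embodiment (login URL matching in step S20, verification against the standard login information set in steps a1 to a3, and the session identifier, Cookie and Redis write of steps b1 and b2), as an added Python example that is not part of the patent: the Redis server is replaced by an in-memory stand-in, and the login URL set, the sample users and the cookie name are constructed values.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional

# Preset login URL set (step S20): a request whose network address matches one
# of these is a login request. Constructed values, not taken from the patent.
LOGIN_URLS = {"/sso/login", "/account/login"}

# Standard login information set pre-stored on the device (step S30).
# Constructed sample users; plaintext only so the example is self-contained,
# a deployment compares against salted password hashes instead.
STANDARD_LOGIN_INFO = {
    "alice": {"password": "correct horse", "level": 1},
    "bob": {"password": "battery staple", "level": 2},
}

COOKIE_NAME = "SSO_SID"  # assumed name of the cookie carrying the session identifier


@dataclass
class OperationRequest:
    url: str                                     # network address of the request
    cookies: Dict[str, str] = field(default_factory=dict)
    user_info: Optional[Dict[str, str]] = None   # account and password on a login request


@dataclass
class Result:
    status: str                       # "logged_in", "bad_credentials" or "not_login"
    set_cookie: Optional[str] = None  # Set-Cookie header value written on success


class RedisStandIn:
    """In-memory stand-in for the Redis server reached through the Redis
    address information obtained from the configuration center (step S10)."""
    def __init__(self) -> None:
        self._data: Dict[str, dict] = {}

    def set(self, key: str, value: dict) -> None:
        self._data[key] = value

    def get(self, key: str) -> Optional[dict]:
        return self._data.get(key)


def is_login_request(req: OperationRequest) -> bool:
    """Step S20: compare the request's network address with the preset login URL set."""
    return req.url in LOGIN_URLS


def verify_user_info(user_info: Optional[Dict[str, str]]) -> Optional[dict]:
    """Step a1: look the account up in the standard login information set and
    compare the password. Returns the matching standard record, or None when
    verification fails (step a2)."""
    info = user_info or {}
    record = STANDARD_LOGIN_INFO.get(info.get("account", ""))
    # constant-time comparison; an unknown account is compared against an
    # empty password so the failing path is the same either way
    expected = record["password"] if record else ""
    matched = hmac.compare_digest(info.get("password", ""), expected)
    return record if (record is not None and matched) else None


def handle_login(req: OperationRequest, redis: RedisStandIn) -> Result:
    """Steps S30 and S40 for a request already classified as a login request."""
    record = verify_user_info(req.user_info)
    if record is None:
        return Result("bad_credentials")  # prompt the user for new user information
    # Step b1: the preset interceptor generates the session identifier. It has
    # to be unguessable, because this cookie alone proves the login on every
    # later operation request.
    session_id = secrets.token_urlsafe(32)
    # Step b2: the rewritten HttpSession set method writes the user information
    # to Redis with the session identifier as key; the password is not stored.
    redis.set(session_id, {"account": req.user_info["account"], "level": record["level"]})
    cookie = f"{COOKIE_NAME}={session_id}; Path=/; HttpOnly; Secure; SameSite=Lax"
    return Result("logged_in", set_cookie=cookie)


def handle(req: OperationRequest, redis: RedisStandIn) -> Result:
    """Entry point of the single sign-on device for one operation request."""
    if not is_login_request(req):
        return Result("not_login")  # handled by the lookup path of steps S50 to S80
    return handle_login(req, redis)
```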
  • This embodiment describes the steps that follow step S20 of the first embodiment.
  • the difference between this embodiment and the first embodiment is as follows:
  • Step S50: it is determined that the operation request is not a login request, and the session identifier corresponding to the operation request is obtained from the Cookie through a preset loading interface.
  • the single sign-on device calls the preset loading interface (the preset loading interface refers to the pre-adapted HttpServletRequest interface, which is used to obtain user information from Redis and return it to the getUserPrincipal method) to obtain the session identifier corresponding to the operation request from the Cookie.
  • when the user performs single sign-on, the single sign-on device generates a session identifier and writes the session identifier into the cookie.
  • when the user subsequently makes an operation request, the single sign-on device obtains the session identifier from the cookie and uses the session identifier as the key to obtain the user information corresponding to the session identifier from the Redis server, specifically:
  • Step S60: the Redis server corresponding to the Redis address information is queried through the preset loading interface, and it is determined whether the user information corresponding to the session identifier exists in the Redis server.
  • the single sign-on device queries the Redis server corresponding to the Redis address information through the preset loading interface, and the single sign-on device determines whether there is user information corresponding to the session identifier in the Redis server.
  • Step S70: it is determined that the user information corresponding to the session identifier exists in the Redis server, and the access party interface is accessed to execute the operation request.
  • the single sign-on device determines that the user is in the logged-in state and accesses the access party interface to perform the operation request; that is, through the access party interface the single sign-on device calls the set or get method of the HttpSession to set or obtain the session attribute value.
  • the set and get methods set or query the attribute value in the Redis server according to the session identifier, which implements the operation request.
  • Step S80: it is determined that the user information corresponding to the session identifier does not exist in the Redis server, and a prompt message is output to prompt the user to log in again.
  • the Redis server can clear cached information; when the single sign-on device's query determines that there is no user information corresponding to the session identifier in the Redis server, the single sign-on device outputs prompt information to prompt the user to log in again.
  • the cache-clearing feature of the Redis server avoids the situation in which a long-standing login on the business platform occupies resources while no one is using it.
  • the single sign-on device calls the getUserPrincipal method of the HttpServletRequest to obtain the user information; because the user information is returned by the HttpServletRequest, the user does not need to perform repeated login operations.
  • the single sign-on device accesses the access party interface to perform the operation request, which makes the user's operations more convenient.
  • the original HttpSession interface code and HttpServletRequest interface code are adapted, and the native HttpSession and HttpServletRequest are replaced with the implementation of the single sign-on system, so that the operation and maintenance personnel of the access party do not need to modify their code; this achieves zero intrusion into the system, facilitates the access party's operation, and is transparent to the user.
  • This embodiment describes steps that follow step S20 of the first embodiment.
  • the difference between this embodiment and the above-mentioned embodiments is as follows:
  • the single sign-on device sets the timeout time of the user information in the Redis server, so that the Redis server automatically clears the cached information according to the set timeout time.
  • the timeout time of the user information in the Redis server can be set in different ways. Implementation method 1: the single sign-on device sets the timeout time of the user information according to the user level in the user information; for example, for one user level the timeout time of the user information is 10 minutes, and if the user level in the user information is level two, the timeout time of the user information is 20 minutes. Implementation method 2: the single sign-on device sets the timeout time according to the remaining space in the Redis server; when the remaining space in the Redis server is greater than 50%, the timeout time is 20 minutes, and when the remaining space in the Redis server is less than or equal to 50%, the timeout time is 10 minutes.
  • when the single sign-on device detects that the storage time of the user information in the Redis server reaches the timeout period, the single sign-on device deletes the user information in the Redis server. Step S60 of the second embodiment is then executed: the Redis server corresponding to the Redis address information is queried through the preset loading interface, and it is determined whether the user information corresponding to the session identifier exists in the Redis server. The result is that the user information corresponding to the session identifier does not exist in the Redis server, so the single sign-on device outputs prompt information so that the user logs in again.
  • the single sign-on device in this embodiment may also set the storage time of the user information, which reduces the resource occupation of the Redis server and further improves security.
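The non-login path of the second embodiment (steps S50 to S80) together with the timeout setting of the third embodiment, as an added Python example that is not part of the patent: the Redis server is replaced by an in-memory store with a per-entry timeout, the cookie name is assumed, and the level that receives the 10-minute timeout is assumed to be level one, which the page does not state.

```python
import time
from typing import Callable, Dict, Optional, Tuple

COOKIE_NAME = "SSO_SID"                  # assumed name of the session identifier cookie
TEN_MINUTES, TWENTY_MINUTES = 600, 1200  # the two timeout periods, in seconds


def timeout_by_user_level(user_level: int) -> int:
    """Implementation method 1: level two keeps user information for 20 minutes;
    the lower level (assumed here to be level one) for 10 minutes."""
    return TWENTY_MINUTES if user_level >= 2 else TEN_MINUTES


def timeout_by_free_space(free_ratio: float) -> int:
    """Implementation method 2: more than 50% of Redis space free -> 20 minutes,
    50% or less -> 10 minutes."""
    return TWENTY_MINUTES if free_ratio > 0.5 else TEN_MINUTES


class ExpiringStore:
    """Stand-in for the Redis server with a per-entry timeout: user information
    is deleted once its storage time reaches the timeout period (the time
    setting and information deletion modules)."""
    def __init__(self, clock: Callable[[], float] = time.monotonic) -> None:
        self._clock = clock
        # session identifier -> (user information, stored_at, timeout in seconds)
        self._data: Dict[str, Tuple[dict, float, int]] = {}

    def set(self, session_id: str, user_info: dict, timeout_s: int) -> None:
        self._data[session_id] = (user_info, self._clock(), timeout_s)

    def get(self, session_id: str) -> Optional[dict]:
        """Return the user information, or None once its timeout has been reached."""
        entry = self._data.get(session_id)
        if entry is None:
            return None
        user_info, stored_at, timeout_s = entry
        if self._clock() - stored_at >= timeout_s:
            del self._data[session_id]  # storage time reached the timeout period
            return None
        return user_info

    def sweep(self) -> int:
        """Delete every entry whose storage time reached its timeout; returns the count."""
        now = self._clock()
        expired = [s for s, (_, t0, ttl) in self._data.items() if now - t0 >= ttl]
        for s in expired:
            del self._data[s]
        return len(expired)


def handle_operation(cookies: Dict[str, str], store: ExpiringStore) -> Tuple[str, Optional[dict]]:
    """Steps S50 to S80 for a request that is not a login request: take the
    session identifier from the Cookie (S50), query the store with it as key
    (S60), and either execute the request (S70) or ask for a new login (S80)."""
    session_id = cookies.get(COOKIE_NAME)
    user_info = store.get(session_id) if session_id else None
    if user_info is None:
        return "relogin", None     # S80: prompt the user to log in again
    return "execute", user_info    # S70: access the access party interface
```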
  • an embodiment of the present application further provides a single sign-on device, the single sign-on device includes:
  • the address obtaining module 10 is configured to detect that the access party service is started, and obtain Redis address information from the preset configuration center;
  • the request judgment module 20 is configured to receive an operation request, and determine whether the operation request is a login request according to the network address of the operation request;
  • the account login module 30 is configured to, after determining that the operation request is a login request, obtain user information corresponding to the login request, and log in to the account corresponding to the user information;
  • the information writing module 40 is configured to generate a session identifier after determining that the account is successfully logged in, write the session identifier into a Cookie, and write the user information into the Redis server corresponding to the Redis address information.
  • the information writing module includes:
  • the first writing unit is configured to generate a session identifier through a preset interceptor after determining that the account is successfully logged in, and write the session identifier into a Cookie;
  • the second writing unit is configured to call the set method in the preset network interface to write the user information into the Redis server corresponding to the Redis address information.
  • the single sign-on device includes:
  • an identifier obtaining module configured to, after determining that the operation request is not a login request, obtain the session identifier corresponding to the operation request from the Cookie through a preset loading interface;
  • an information query module configured to query the Redis server corresponding to the Redis address information through the preset loading interface, and determine whether the user information corresponding to the session identifier exists in the Redis server;
  • an access execution module configured to, after determining that the user information corresponding to the session identifier exists in the Redis server, access the access party interface to execute the operation request.
  • the single sign-on device further includes:
  • a time setting module configured to set the timeout period of the user information in the Redis server;
  • an information deletion module configured to delete the user information in the Redis server when detecting that the storage time of the user information reaches the timeout period;
  • a login prompt module configured to output prompt information to prompt the user to log in again after determining that the user information corresponding to the session identifier does not exist in the Redis server.
  • the account login module includes:
  • an information verification unit configured to, after determining that the operation request is a login request, obtain user information corresponding to the login request, and verify the user information;
  • a prompt output unit configured to output prompt information to prompt the user to input new user information after determining that the user information verification fails;
  • an account login unit configured to log in to the account corresponding to the user information after determining that the user information is verified.

Abstract

Disclosed is a single log-in method. The method comprises: when it is detected that a service of an access party is started, acquiring Redis address information from a preset configuration center; when an operation request is received, determining, according to a network address of the operation request, whether the operation request is a login request; when it is determined that the operation request is a login request, acquiring user information corresponding to the login request, and logging in to an account corresponding to the user information; and when the account is successfully logged into, generating a session identifier, writing the session identifier into a Cookie, and writing the user information into a Redis server corresponding to the Redis address information.

Description

Single sign-on method, apparatus, device and computer-readable storage medium
This application claims priority to the Chinese patent application filed with the Chinese Patent Office on August 9, 2019 under application number 201910742748.1 and entitled "Single sign-on method, apparatus, device and computer-readable storage medium", the entire contents of which are incorporated herein by reference.
Technical field
This application relates to the field of big data technology in financial technology (Fintech), and in particular to a single sign-on method, apparatus, device and computer-readable storage medium.
Background
In recent years, with the rapid development of Internet technology, and of Internet financial technology (Fintech) in particular, more and more technologies (big data, distributed computing, blockchain, artificial intelligence and so on) have been applied in the financial field. Taking financial enterprises as an example, they usually operate multiple business platforms backed by multiple servers. When a user accesses these business platforms, the user has to register and log in on each platform separately and, on leaving, log out of each one in turn, which makes the user's operations cumbersome. In this situation, an enterprise forms a single sign-on system by having each business platform follow a single sign-on protocol, so that a user need only log in to one business platform to access all of the mutually trusting business platforms.
In the existing single sign-on system, the business platform (access party) has to modify its own code to call Redis-related methods in order to store and retrieve user information. In the course of calling these Redis-related methods, the Redis interface is exposed to the access party and is at risk of being tampered with, so the stability and security of the single sign-on system are low.
Technical solution
The main purpose of this application is to propose a single sign-on method, apparatus, device and computer-readable storage medium, aiming to solve the technical problem that current single sign-on systems have low stability and security.
To achieve the above objective, this application provides a single sign-on method, which includes the following steps:
upon detecting that the access party service has started, obtaining Redis address information from a preset configuration center;
upon receiving an operation request, determining, according to the network address of the operation request, whether the operation request is a login request;
when it is determined that the operation request is a login request, obtaining user information corresponding to the login request and logging in to the account corresponding to the user information;
after it is determined that the account has been logged in successfully, generating a session identifier, writing the session identifier into a Cookie, and writing the user information into the Redis server corresponding to the Redis address information.
In one embodiment, the step of "after it is determined that the account has been logged in successfully, generating a session identifier, writing the session identifier into a Cookie, and writing the user information into the Redis server corresponding to the Redis address information" includes:
after it is determined that the account has been logged in successfully, generating a session identifier through a preset interceptor and writing the session identifier into a Cookie;
calling the set method of a preset network interface to write the user information into the Redis server corresponding to the Redis address information.
In one embodiment, after the step of "after it is determined that an operation request has been received, determining, according to the network address of the operation request, whether the operation request is a login request", the method includes:
after it is determined that the operation request is not a login request, obtaining the session identifier corresponding to the operation request from the Cookie through a preset loading interface;
querying, through the preset loading interface, the Redis server corresponding to the Redis address information, and determining whether user information corresponding to the session identifier exists in the Redis server;
when it is determined that user information corresponding to the session identifier exists in the Redis server, accessing the access party interface to execute the operation request.
In one embodiment, after the step of "after it is determined that the account has been logged in successfully, generating a session identifier, writing the session identifier into a Cookie, and writing the user information into the Redis server corresponding to the Redis address information", the method includes:
setting a timeout period for the user information in the Redis server;
upon detecting that the storage time of the user information has reached the timeout period, deleting the user information from the Redis server;
and after the step of "querying, through the preset loading interface, the Redis server corresponding to the Redis address information, and determining whether user information corresponding to the session identifier exists in the Redis server", the method further includes:
when it is determined that no user information corresponding to the session identifier exists in the Redis server, outputting prompt information to prompt the user to log in again.
In one embodiment, the step of "when it is determined that the operation request is a login request, obtaining user information corresponding to the login request and logging in to the account corresponding to the user information" includes:
when it is determined that the operation request is a login request, obtaining user information corresponding to the login request and verifying the user information;
when it is determined that the verification of the user information has failed, outputting prompt information to prompt the user to input new user information;
when it is determined that the verification of the user information has passed, logging in to the account corresponding to the user information.
In addition, to achieve the above objective, this application further provides a single sign-on apparatus, which includes:
an address obtaining module, configured to obtain Redis address information from a preset configuration center upon detecting that the access party service has started;
a request judgment module, configured to, upon receiving an operation request, determine, according to the network address of the operation request, whether the operation request is a login request;
an account login module, configured to, after it is determined that the operation request is a login request, obtain user information corresponding to the login request and log in to the account corresponding to the user information;
an information writing module, configured to, after it is determined that the account has been logged in successfully, generate a session identifier, write the session identifier into a Cookie, and write the user information into the Redis server corresponding to the Redis address information.
In one embodiment, the information writing module includes:
a first writing unit, configured to, after it is determined that the account has been logged in successfully, generate a session identifier through a preset interceptor and write the session identifier into a Cookie;
a second writing unit, configured to call the set method of a preset network interface to write the user information into the Redis server corresponding to the Redis address information.
In one embodiment, the single sign-on apparatus includes:
an identifier obtaining module, configured to, after it is determined that the operation request is not a login request, obtain the session identifier corresponding to the operation request from the Cookie through a preset loading interface;
an information query module, configured to query, through the preset loading interface, the Redis server corresponding to the Redis address information, and determine whether user information corresponding to the session identifier exists in the Redis server;
an access execution module, configured to, after it is determined that user information corresponding to the session identifier exists in the Redis server, access the access party interface to execute the operation request.
In one embodiment, the single sign-on apparatus further includes:
a time setting module, configured to set a timeout period for the user information in the Redis server;
an information deletion module, configured to delete the user information from the Redis server upon detecting that the storage time of the user information has reached the timeout period;
a login prompt module, configured to output prompt information to prompt the user to log in again after it is determined that no user information corresponding to the session identifier exists in the Redis server.
In one embodiment, the account login module includes:
an information verification unit, configured to, after it is determined that the operation request is a login request, obtain user information corresponding to the login request and verify the user information;
a prompt output unit, configured to output prompt information to prompt the user to input new user information after it is determined that the verification of the user information has failed;
an account login unit, configured to log in to the account corresponding to the user information after it is determined that the verification of the user information has passed.
In addition, to achieve the above objective, this application further provides a single sign-on device, which includes a memory, a processor, and a single sign-on computer program stored in the memory and executable on the processor; when the single sign-on computer program is executed by the processor, the steps of the single sign-on method described above are implemented.
In addition, to achieve the above objective, this application further provides a computer-readable storage medium on which a single sign-on computer program is stored; when the single sign-on computer program is executed by a processor, the steps of the single sign-on method described above are implemented.
This application discloses a single sign-on method, apparatus, device and computer-readable storage medium. The single sign-on method of this application includes: upon detecting that the access party service has started, obtaining Redis address information from a preset configuration center; upon receiving an operation request, determining, according to the network address of the operation request, whether the operation request is a login request; when it is determined that the operation request is a login request, obtaining user information corresponding to the login request and logging in to the account corresponding to the user information; and after it is determined that the account has been logged in successfully, generating a session identifier, writing the session identifier into a Cookie, and writing the user information into the Redis server corresponding to the Redis address information. In the embodiments of this application, a configuration center is set up in advance and the Redis address information is stored in it. When the single sign-on device receives an operation request, it determines whether the operation request is a login request; after determining that it is, the single sign-on device obtains the Redis address information from the configuration center and stores the user information from the login request in the Redis server corresponding to that Redis address information, so that the access party does not need to interface with Redis directly, which improves the stability and security of single sign-on.
Brief description of the drawings
FIG. 1 is a schematic structural diagram of the device of the hardware operating environment involved in the solution of an embodiment of this application;
FIG. 2 is a schematic flowchart of a first embodiment of the single sign-on method of this application;
FIG. 3 is a schematic diagram of a specific scenario of the first embodiment of the single sign-on method of this application;
FIG. 4 is a schematic flowchart of a second embodiment of the single sign-on method of this application;
FIG. 5 is a schematic diagram of the functional modules of an embodiment of the single sign-on apparatus of this application.
The realization of the objectives, the functional features and the advantages of this application will be further described with reference to the accompanying drawings in conjunction with the embodiments.
Embodiments of this application
It should be understood that the specific embodiments described here are only intended to explain this application and are not intended to limit it.
As shown in FIG. 1, FIG. 1 is a schematic structural diagram of the device of the hardware operating environment involved in the solution of an embodiment of this application.
The single sign-on device in the embodiments of this application may be a PC or a server device.
As shown in FIG. 1, the single sign-on device may include a processor 1001 such as a CPU, a network interface 1004, a user interface 1003, a memory 1005 and a communication bus 1002. The communication bus 1002 implements the connections and communication between these components. The user interface 1003 may include a display (Display) and an input unit such as a keyboard (Keyboard); optionally, the user interface 1003 may also include standard wired and wireless interfaces. The network interface 1004 may optionally include standard wired and wireless interfaces (such as a WI-FI interface). The memory 1005 may be high-speed RAM or a stable memory (non-volatile memory) such as disk storage. Optionally, the memory 1005 may also be a storage device independent of the aforementioned processor 1001.
Those skilled in the art will understand that the structure of the single sign-on device shown in FIG. 1 does not limit the single sign-on device, which may include more or fewer components than shown, combine certain components, or arrange the components differently.
As shown in FIG. 1, the memory 1005, as a computer storage medium, may include an operating system, a network communication module, a user interface module and a single sign-on computer program.
In the single sign-on device shown in FIG. 1, the network interface 1004 is mainly used to connect to a background server and exchange data with it; the user interface 1003 is mainly used to connect to a client (user side) and exchange data with it; and the processor 1001 may be used to call the single sign-on computer program stored in the memory 1005. When the single sign-on computer program running on the processor is executed, the method implemented may refer to the various embodiments of the single sign-on method of this application.
Based on the above hardware structure, embodiments of the single sign-on method of this application are proposed.
Referring to FIG. 2, which is a schematic flowchart of a first embodiment of the single sign-on method of this application, the single sign-on method includes:
Step S10: upon detecting that the access party service has started, obtaining Redis address information from a preset configuration center.
In this embodiment, the single sign-on method is applied to a single sign-on device. The single sign-on device is arranged at the front end of the single sign-on system and is used to process the operation requests received by the single sign-on system. Specifically, in this embodiment the single sign-on device is communicatively connected with the user client, the access party business platforms and the single sign-on system. For example, a first business platform, a second business platform and a third business platform serve as mutually associated and mutually trusting access party business platforms; development or operations personnel connect the first, second and third business platforms to the single sign-on system in advance, so that after the user logs in to the first business platform, the user can also access the second and third business platforms through the single sign-on system. Specifically:
A configuration center is preset in the single sign-on device of this embodiment and contains the Redis address information. The single sign-on device monitors the access party: when the business platform corresponding to the access party starts, the access party sends a start instruction to the single sign-on device; on receiving this start instruction the single sign-on device detects that the access party service has started, and obtains the Redis address information from the preset configuration center in order to call the Redis-related methods at that Redis address to store or retrieve user information.
In this embodiment, by presetting a configuration center and storing the Redis-related configuration in it, the internal implementation of single sign-on is hidden, avoiding the risk to the single sign-on system that exposing Redis would bring.
Step S20: upon receiving an operation request, determining, according to the network address of the operation request, whether the operation request is a login request.
The single sign-on device receives the operation request. The type of the operation request is not specifically limited: it may be a login request, an access request, an edit request and so on. Nor is the manner in which the operation request is triggered specifically limited. It may be triggered actively by the user: for example, the user enters "xxx mailbox" on the user terminal and clicks "Enter", which triggers an operation request that the terminal sends to the single sign-on device. It may also be triggered automatically: for example, the user terminal is preset to log in to the xxx system automatically in the early morning every day to query business data, so the terminal automatically triggers an operation request every morning and sends it to the single sign-on device.
When the single sign-on device receives an operation request, it obtains the network address corresponding to the operation request and determines from that network address whether the operation request is a login request. Specifically, a set of login URLs is preset in the single sign-on device. The single sign-on device compares the network address of the operation request with each preset login address in the login URL set to determine whether the network address is one of the preset login addresses: if it is, the single sign-on device determines that the operation request is a login request; if it is not, the single sign-on device determines that the operation request is not a login request.
In this embodiment, the single sign-on device determines whether the operation request is a login request in order to decide the subsequent processing steps, namely:
Step S30: when it is determined that the operation request is a login request, obtaining user information corresponding to the login request and logging in to the account corresponding to the user information.
Having determined that the operation request is a login request, the single sign-on device obtains the user information corresponding to the login request. The user information includes an account identifier (identification information that uniquely identifies the login account, for example an account name, a user name or a user ID card number), a login password and other account-related information. The single sign-on device submits the user information to the corresponding network address and executes a login instruction to log in to the account corresponding to the user information. Specifically, this includes:
Step a1: when it is determined that the operation request is a login request, obtaining user information corresponding to the login request and verifying the user information;
Step a2: when it is determined that the verification of the user information has failed, outputting prompt information to prompt the user to input new user information;
Step a3: when it is determined that the verification of the user information has passed, logging in to the account corresponding to the user information.
With reference to FIG. 3, in this embodiment a filter is preset in the single sign-on device. The preset filter is pre-written filtering code, and may be implemented through an SDK (Software Development Kit: a collection of the development tools that software engineers use when building application software for a particular software package, software framework, hardware platform, operating system and so on).
If the operation request is a login request, the preset filter in the single sign-on device does not intercept it; the single sign-on device obtains the user information corresponding to the login request and verifies it. That is, a set of standard login information is pre-stored in the single sign-on device, containing the standard login information that each user registered or actively set. The single sign-on device compares the user information corresponding to the login request with the standard login information in that set in order to verify the user information: if the standard login information set contains target standard information identical to the user information, the verification passes; if it does not, the verification fails. If the verification fails, the single sign-on device outputs prompt information to prompt the user to input new user information; if the verification passes, the single sign-on device logs in to the account corresponding to the user information.
步骤S40,确定所述账户登录成功后,生成会话标识,将所述会话标识写入Cookie,并将所述用户信息写入所述Redis地址信息对应的Redis服务器。Step S40: After it is determined that the account login is successful, a session identifier is generated, the session identifier is written into a Cookie, and the user information is written into the Redis server corresponding to the Redis address information.
具体地,包括:Specifically, it includes:
步骤b1,确定所述账户登录成功后,通过预设拦截器生成会话标识,并将所述会话标识写入Cookie;Step b1, after determining that the account is successfully logged in, generate a session identifier through a preset interceptor, and write the session identifier into a Cookie;
步骤b2,调用预设网络接口中的set方法,将所述用户信息写入所述Redis地址信息对应的Redis服务器。Step b2, calling the set method in the preset network interface, and writing the user information into the Redis server corresponding to the Redis address information.
即,在账户登录成功时,单点登录设备中预设拦截器,预设拦截器是指预先设置的用于生成会话标识的代码,预设拦截器可以通过SDK(Software Development Kit,软件开发工具包是一些软件工程师为特定的软件包、软件框架、硬件平台、操作系统等建立应用软件时的开发工具的集合)实现,单点登录设备通过预设拦截器生成会话标识,并将会话标识写入Cookie。That is, when the account is successfully logged in, an interceptor is preset in the single sign-on device. The preset interceptor refers to the preset code used to generate the session identifier. The preset interceptor can be used through SDK (Software Development Kit, a software development kit is a collection of development tools used by some software engineers to build application software for specific software packages, software frameworks, hardware platforms, operating systems, etc.). Single sign-on devices generate session identifiers through preset interceptors. , And write the session ID to the Cookie.
结合图3,单点登录设备调用预设网络接口(预设网络接口是指预先重新编写过的Http Session接口代码,用于实现用户信息存放操作)中的set方法,预设网络接口按照set方法将用户信息写入Redis地址信息对应的Redis服务器。With reference to Figure 3, the single sign-on device calls the set method in the preset network interface (the preset network interface refers to the pre-rewritten Http Session interface code to implement user information storage operations). The preset network interface follows the set method Write user information to the Redis server corresponding to the Redis address information.
可以理解的是,本实施例中,单点登录设备将用户信息写入Redis地址信息对应的Redis服务器,在用户访问预设建立的相互关联和信任的接入方,单点登录设备调用预设加载接口(预设加载接口是指预先改编过的Http Servlet Reques接口,预设加载接口用于从Redis中获取用户信息,并将用户信息返回操作)中的get User Principle方法,从Cookie中获取操作请求对应的会话标识;单点登录设备通过预设加载接口查询Redis地址信息对应的Redis服务器,获取Redis服务器中会话标识对应的用户信息,则实现单点登录,即,单点登录设备查询到Redis服务器中存在会话标识对应的用户信息,则接入方响应用户操作请求;单点登录设备查询到Redis服务器中不存在会话标识对应的用户信息,单点登录设备提示用户重新登录,其中,Redis服务器中不存在会话标识对应的用户信息的原因有多种,例如,Redis服务器中用户信息存储时间过长被删除,或者用户触发了登录账户退出操作。It is understandable that, in this embodiment, the single sign-on device writes user information into the Redis server corresponding to the Redis address information. When the user visits the preset interconnected and trusted access party, the single sign-on device calls the preset Loading interface (default loading interface refers to the pre-adapted Http Servlet Reques interface, the preset loading interface is used to obtain user information from Redis and return user information to the get The User Principle method obtains the session ID corresponding to the operation request from the Cookie; the single sign-on device queries the Redis server corresponding to the Redis address information through the preset loading interface, and obtains the user information corresponding to the session ID in the Redis server, so as to realize single sign-on, That is, the single sign-on device queries the Redis server for the user information corresponding to the session identifier, and the access party responds to the user operation request; the single sign-on device queries the Redis server that there is no user information corresponding to the session identifier, the single sign-on device The user is prompted to log in again. Among them, there are many reasons why the user information corresponding to the session identifier does not exist in the Redis server. For example, the user information in the Redis server is stored for too long and is deleted, or the user triggers the logout operation of the login account.
本申请实施例中预先设置配置中心,并将Redis地址信息保存至配置中心,单点登录设备接收到操作请求时,单点登录设备判断操作请求是否为登录请求,确定操作请求是登录请求后,单点登录设备从配置中心获取Redis地址信息,单点登录设备将登录请求中的用户信息存放到Redis地址信息对应的Redis服务器中,使得接入方不需要直接对接Redis接口,提高了单点登录稳定性和安全性。In the embodiment of this application, the configuration center is preset and the Redis address information is saved to the configuration center. When the single sign-on device receives the operation request, the single sign-on device determines whether the operation request is a login request, and after determining that the operation request is a login request, The single sign-on device obtains the Redis address information from the configuration center, and the single sign-on device stores the user information in the login request in the Redis server corresponding to the Redis address information, so that the access party does not need to directly connect to the Redis interface, which improves single sign-on Stability and security.
Further, referring to FIG. 4, a second embodiment of the method of the present application is proposed on the basis of the first embodiment of the single sign-on method.
This embodiment comprises steps that follow step S20 of the first embodiment. The difference between this embodiment and the first embodiment lies in the following:
Step S50: after determining that the operation request is not a login request, obtain the session identifier corresponding to the operation request from the Cookie through a preset loading interface.
If the operation request is not a login request, the single sign-on device calls the getUserPrincipal method of the preset loading interface (the preset loading interface is the Http Servlet Request interface adapted in advance; it is used to obtain the user information from Redis and return it) to obtain the session identifier corresponding to the operation request from the Cookie.
That is, when the user performs single sign-on, the single sign-on device generates a session identifier and writes it into the Cookie. When the user issues an operation request, the single sign-on device obtains the session identifier from the Cookie and uses it as the key to obtain the corresponding user information from the Redis server. Specifically:
Step S60: query the Redis server corresponding to the Redis address information through the preset loading interface, and determine whether user information corresponding to the session identifier exists in the Redis server.
The single sign-on device queries the Redis server corresponding to the Redis address information through the preset loading interface and determines whether user information corresponding to the session identifier exists in the Redis server.
Step S70: after determining that user information corresponding to the session identifier exists in the Redis server, access the access party interface to execute the operation request.
If user information corresponding to the session identifier exists in the Redis server, the single sign-on device determines that the user is in the logged-in state and accesses the access party interface to execute the operation request. That is, the single sign-on device calls the set or get method of the Http Session request through the access party interface to set and obtain session attribute values; the set and get methods set or query attribute values in the Redis server according to the session identifier, thereby carrying out the operation request.
Step S80: after determining that no user information corresponding to the session identifier exists in the Redis server, output a prompt asking the user to log in again.
The Redis server can clear cached information. When the single sign-on device queries the Redis server and determines that no user information corresponding to the session identifier exists there, it outputs a prompt asking the user to log in again. This embodiment uses the cache-refresh characteristic of the Redis server to avoid a business platform keeping long-lived logins that occupy resources while nobody uses them.
In this embodiment, when the operation request is not a login request, the single sign-on device calls the getUserPrincipal method of the Http Servlet Request to obtain the user information. When the Http Servlet Request returns the user information, the user does not need to log in again; the single sign-on device accesses the access party interface to execute the operation request, which makes the user's operations more convenient.
In this embodiment, the original Http Session interface code and Http Servlet Request interface code are adapted, and the native Http Session and Http Servlet Request are replaced by the single sign-on system's implementation. The access party's operations staff therefore do not need to modify code: the system is integrated with zero intrusion, the access party's work is simplified, and the user perceives no difference.
Further, a third embodiment of the method of the present application is proposed on the basis of the foregoing embodiments of the single sign-on method.
This embodiment comprises steps that follow step S20 of the first embodiment. The difference between this embodiment and the embodiments above lies in the following:
Set a timeout for the user information in the Redis server, and delete the user information from the Redis server when it is detected that the storage time of the user information has reached the timeout.
The single sign-on device sets a timeout for the user information in the Redis server so that the Redis server automatically clears the cached information according to the set timeout. In this embodiment, the timeout of the user information in the Redis server can be set in different ways. Implementation one: the single sign-on device sets the timeout according to the user level in the user information; for example, if the user level is level one, the timeout is 10 minutes, and if the user level is level two, the timeout is 20 minutes. Implementation two: the single sign-on device sets the timeout according to the remaining space in the Redis server; when the remaining space is greater than 50%, the timeout is 20 minutes, and when the remaining space is less than or equal to 50%, the timeout is 10 minutes.
When the single sign-on device detects that the storage time of the user information in the Redis server has reached the timeout, it deletes the user information from the Redis server. When step S60 of the second embodiment is then executed (querying the Redis server corresponding to the Redis address information through the preset loading interface and determining whether user information corresponding to the session identifier exists there), the result is that no user information corresponding to the session identifier exists in the Redis server, and the single sign-on device outputs a prompt so that the user logs in again.
In this embodiment, after the single sign-on device writes the user information into the Redis server corresponding to the Redis address information, it can also set the storage time of the user information, which reduces the resource usage of the Redis server and further improves security.
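The login, session-lookup and timeout flow of steps S40 to S80 and the third embodiment, as an added example that is not code from the patent. The Redis server is replaced by a constructed in-memory stand-in driven by a manual clock, and the login path `/login`, the cookie name `SSO_SESSION`, the user records and the two timeout policies (10/20 minutes by user level, 20/10 minutes by remaining space, values taken from the text above) are assumptions.

```python
import hmac
import secrets
from dataclasses import dataclass, field

LOGIN_PATH = "/login"           # assumed network address that marks a login request
SESSION_COOKIE = "SSO_SESSION"  # assumed cookie name carrying the session identifier

# Constructed "standard login information set": user -> (password, user level).
# A real deployment stores password hashes rather than passwords.
STANDARD_LOGIN_INFO = {"alice": ("alice-pw", 1), "bob": ("bob-pw", 2)}


class FakeRedis:
    """Constructed Redis stand-in: key -> (value, expiry); clock is {"now": seconds}."""
    def __init__(self, clock, capacity):
        self._clock, self._capacity, self._data = clock, capacity, {}

    def set(self, key, value, ex):
        self._data[key] = (value, self._clock["now"] + ex)

    def get(self, key):
        entry = self._data.get(key)
        if entry is None:
            return None
        value, expires_at = entry
        if self._clock["now"] >= expires_at:   # storage time reached the timeout: delete
            del self._data[key]
            return None
        return value

    def free_ratio(self):
        return 1.0 - len(self._data) / self._capacity


def timeout_by_user_level(user_info, redis):
    """Third embodiment, implementation one: level 1 -> 10 min, level 2 -> 20 min."""
    return {1: 600, 2: 1200}[user_info["level"]]


def timeout_by_free_space(user_info, redis):
    """Third embodiment, implementation two: more than 50% free -> 20 min, else 10 min."""
    return 1200 if redis.free_ratio() > 0.5 else 600


@dataclass
class Response:
    status: str                                     # what the device tells the user
    set_cookie: dict = field(default_factory=dict)
    user_info: dict = field(default_factory=dict)


class SingleSignOnDevice:
    def __init__(self, config_center, timeout_policy):
        # Step S10: the Redis address (here the client object itself) comes from the config center
        self.redis = config_center["redis_address"]
        self.timeout_policy = timeout_policy

    def handle(self, path, cookies=None, body=None):
        # Step S20: the network address decides whether this is a login request
        if path == LOGIN_PATH:
            return self._login(body or {})
        return self._load(cookies or {})

    def _login(self, body):
        # Steps a1-a3: compare the submitted user information with the standard set
        user = body.get("user", "")
        entry = STANDARD_LOGIN_INFO.get(user)
        submitted = body.get("password", "").encode()
        if entry is None or not hmac.compare_digest(entry[0].encode(), submitted):
            return Response("invalid_credentials")       # prompt for new user information
        user_info = {"user": user, "level": entry[1]}
        # Step b1: the interceptor generates an unguessable session identifier for the cookie
        session_id = secrets.token_urlsafe(32)
        # Step b2 plus the third embodiment: write the user info to Redis with a timeout
        self.redis.set(session_id, user_info, ex=self.timeout_policy(user_info, self.redis))
        return Response("logged_in", set_cookie={SESSION_COOKIE: session_id})

    def _load(self, cookies):
        # Step S50: the loading interface reads the session identifier from the cookie
        session_id = cookies.get(SESSION_COOKIE)
        # Step S60: look it up in Redis; an unknown or expired identifier yields nothing
        user_info = self.redis.get(session_id) if session_id else None
        if user_info is None:
            return Response("login_required")            # Step S80
        return Response("ok", user_info=user_info)       # Step S70: serve the request


def run_scenario():
    """Walks both users through login, access and timeout; returns the observed statuses."""
    clock = {"now": 0.0}
    device = SingleSignOnDevice({"redis_address": FakeRedis(clock, 100)}, timeout_by_user_level)
    out = {"bad_password": device.handle(LOGIN_PATH, body={"user": "alice", "password": "x"}).status}
    alice = device.handle(LOGIN_PATH, body={"user": "alice", "password": "alice-pw"})
    bob = device.handle(LOGIN_PATH, body={"user": "bob", "password": "bob-pw"})
    out["alice_login"] = alice.status
    out["alice_now"] = device.handle("/profile", cookies=alice.set_cookie).status
    clock["now"] += 601     # level 1 timeout (10 min) has passed, level 2 (20 min) has not
    out["alice_10min"] = device.handle("/profile", cookies=alice.set_cookie).status
    out["bob_10min"] = device.handle("/profile", cookies=bob.set_cookie).status
    clock["now"] += 600
    out["bob_20min"] = device.handle("/profile", cookies=bob.set_cookie).status
    out["guessed_id"] = device.handle("/profile", cookies={SESSION_COOKIE: "x"}).status
    return out
```

Because the session identifier is the only thing the cookie carries and the Redis entry is the sole source of truth, expiry or deletion on the Redis side immediately forces a fresh login without any change at the access party.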
Referring to FIG. 5, an embodiment of the present application further provides a single sign-on apparatus, which includes:
an address obtaining module 10, configured to obtain Redis address information from a preset configuration center upon detecting that the access party service has started;
a request judgment module 20, configured to receive an operation request and determine, according to the network address of the operation request, whether the operation request is a login request;
an account login module 30, configured to obtain the user information corresponding to the login request after determining that the operation request is a login request, and to log in to the account corresponding to the user information;
an information writing module 40, configured to generate a session identifier after determining that the account login succeeded, write the session identifier into a Cookie, and write the user information into the Redis server corresponding to the Redis address information.
In an embodiment, the information writing module includes:
a first writing unit, configured to generate a session identifier through a preset interceptor after determining that the account login succeeded, and to write the session identifier into a Cookie;
a second writing unit, configured to call the set method of the preset network interface to write the user information into the Redis server corresponding to the Redis address information.
In an embodiment, the single sign-on apparatus includes:
an identifier obtaining module, configured to obtain the session identifier corresponding to the operation request from the Cookie through a preset loading interface after determining that the operation request is not a login request;
an information query module, configured to query the Redis server corresponding to the Redis address information through the preset loading interface and determine whether user information corresponding to the session identifier exists in the Redis server;
an access execution module, configured to access the access party interface to execute the operation request after determining that user information corresponding to the session identifier exists in the Redis server.
In an embodiment, the single sign-on apparatus further includes:
a time setting module, configured to set the timeout of the user information in the Redis server;
an information deletion module, configured to delete the user information from the Redis server when it detects that the storage time of the user information has reached the timeout;
a login prompt module, configured to output a prompt asking the user to log in again after determining that no user information corresponding to the session identifier exists in the Redis server.
In an embodiment, the account login module includes:
an information verification unit, configured to obtain the user information corresponding to the login request after determining that the operation request is a login request, and to verify the user information;
a prompt output unit, configured to output a prompt asking the user to enter new user information after determining that verification of the user information failed;
an account login unit, configured to log in to the account corresponding to the user information after determining that verification of the user information passed.
When the functional modules of the single sign-on apparatus of the present application execute, they implement the steps of the single sign-on method described above, which are not repeated in this embodiment.
It should be noted that in this document the terms "comprise", "include" or any other variant thereof are intended to cover non-exclusive inclusion, so that a process, method, article or system that includes a series of elements includes not only those elements but also other elements not explicitly listed, or elements inherent to such a process, method, article or system. Without further limitation, an element defined by the phrase "including a ..." does not exclude the existence of additional identical elements in the process, method, article or system that includes that element.
The serial numbers of the above embodiments of the present application are for description only and do not represent the relative merits of the embodiments.
From the description of the above implementations, those skilled in the art can clearly understand that the methods of the above embodiments can be implemented by software plus a necessary general-purpose hardware platform, and of course also by hardware, but in many cases the former is the better implementation. Based on this understanding, the technical solution of the present application in essence, or the part that contributes to the prior art, can be embodied in the form of a software product. The computer software product is stored in a storage medium as described above (such as ROM/RAM, a magnetic disk or an optical disc) and includes several instructions that cause a terminal device (which may be a mobile phone, a computer, a server, an air conditioner, a network device, or the like) to execute the methods described in the embodiments of the present application.
The above are only preferred embodiments of the present application and do not limit its patent scope. Any equivalent structural or process transformation made using the content of the description and drawings of the present application, or any direct or indirect use in other related technical fields, is likewise included within the scope of patent protection of the present application.

Claims (12)

  1. A single sign-on method, comprising the following steps:
    detecting that an access party service has started, and obtaining Redis address information from a preset configuration center;
    receiving an operation request, and determining, according to the network address of the operation request, whether the operation request is a login request;
    after determining that the operation request is a login request, obtaining user information corresponding to the login request, and logging in to an account corresponding to the user information;
    after determining that the account login succeeded, generating a session identifier, writing the session identifier into a Cookie, and writing the user information into the Redis server corresponding to the Redis address information.
  2. The single sign-on method according to claim 1, wherein the step of "when the account login succeeds, generating a session identifier, writing the session identifier into a Cookie, and writing the user information into the Redis server corresponding to the Redis address information" comprises:
    after determining that the account login succeeded, generating a session identifier through a preset interceptor, and writing the session identifier into a Cookie;
    calling the set method of a preset network interface to write the user information into the Redis server corresponding to the Redis address information.
  3. The single sign-on method according to claim 1, wherein after the step of "receiving an operation request, and determining, according to the network address of the operation request, whether the operation request is a login request", the method comprises:
    after determining that the operation request is not a login request, obtaining the session identifier corresponding to the operation request from the Cookie through a preset loading interface;
    querying the Redis server corresponding to the Redis address information through the preset loading interface, and determining whether user information corresponding to the session identifier exists in the Redis server;
    after determining that user information corresponding to the session identifier exists in the Redis server, accessing the access party interface to execute the operation request.
  4. The single sign-on method according to claim 3, wherein after the step of "after determining that the account login succeeded, generating a session identifier, writing the session identifier into a Cookie, and writing the user information into the Redis server corresponding to the Redis address information", the method further comprises:
    setting a timeout of the user information in the Redis server;
    upon detecting that the storage time of the user information has reached the timeout, deleting the user information from the Redis server;
    and after the step of "querying the Redis server corresponding to the Redis address information through the preset loading interface, and determining whether user information corresponding to the session identifier exists in the Redis server", the method further comprises:
    after determining that no user information corresponding to the session identifier exists in the Redis server, outputting a prompt to prompt the user to log in again.
  5. The single sign-on method according to any one of claims 1 to 4, wherein the step of "after determining that the operation request is a login request, obtaining user information corresponding to the login request, and logging in to an account corresponding to the user information" comprises:
    after determining that the operation request is a login request, obtaining user information corresponding to the login request, and verifying the user information;
    after determining that verification of the user information failed, outputting a prompt to prompt the user to enter new user information;
    after determining that verification of the user information passed, logging in to the account corresponding to the user information.
  6. A single sign-on apparatus, wherein the single sign-on apparatus comprises:
    an address obtaining module, configured to obtain Redis address information from a preset configuration center upon detecting that the access party service has started;
    a request judgment module, configured to receive an operation request and determine, according to the network address of the operation request, whether the operation request is a login request;
    an account login module, configured to obtain user information corresponding to the login request after determining that the operation request is a login request, and to log in to the account corresponding to the user information;
    an information writing module, configured to generate a session identifier after determining that the account login succeeded, write the session identifier into a Cookie, and write the user information into the Redis server corresponding to the Redis address information.
  7. The single sign-on apparatus according to claim 6, wherein the information writing module comprises:
    a first writing unit, configured to generate a session identifier through a preset interceptor after determining that the account login succeeded, and to write the session identifier into a Cookie;
    a second writing unit, configured to call the set method of a preset network interface to write the user information into the Redis server corresponding to the Redis address information.
  8. The single sign-on apparatus according to claim 6, wherein the single sign-on apparatus comprises:
    an identifier obtaining module, configured to obtain the session identifier corresponding to the operation request from the Cookie through a preset loading interface after determining that the operation request is not a login request;
    an information query module, configured to query the Redis server corresponding to the Redis address information through the preset loading interface and determine whether user information corresponding to the session identifier exists in the Redis server;
    an access execution module, configured to access the access party interface to execute the operation request after determining that user information corresponding to the session identifier exists in the Redis server.
  9. The single sign-on apparatus according to claim 8, wherein the single sign-on apparatus further comprises:
    a time setting module, configured to set the timeout of the user information in the Redis server;
    an information deletion module, configured to delete the user information from the Redis server when it detects that the storage time of the user information has reached the timeout;
    a login prompt module, configured to output a prompt to prompt the user to log in again after determining that no user information corresponding to the session identifier exists in the Redis server.
  10. The single sign-on apparatus according to any one of claims 6 to 9, wherein the account login module comprises:
    an information verification unit, configured to obtain user information corresponding to the login request after determining that the operation request is a login request, and to verify the user information;
    a prompt output unit, configured to output a prompt to prompt the user to enter new user information after determining that verification of the user information failed;
    an account login unit, configured to log in to the account corresponding to the user information after determining that verification of the user information passed.
  11. A single sign-on device, comprising a memory, a processor, and a single sign-on computer program stored in the memory and executable on the processor, wherein when the single sign-on computer program is executed by the processor, the steps of the single sign-on method according to any one of claims 1 to 5 are implemented.
  12. A computer-readable storage medium storing a single sign-on computer program, wherein when the single sign-on computer program is executed by a processor, the steps of the single sign-on method according to any one of claims 1 to 5 are implemented.
PCT/CN2020/106349 2019-08-09 2020-07-31 Single log-in method, apparatus and device, and computer-readable storage medium WO2021027600A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201910742748.1A CN110430205B (en) 2019-08-09 2019-08-09 Single sign-on method, device, equipment and computer readable storage medium
CN201910742748.1 2019-08-09

Publications (1)

Publication Number Publication Date
WO2021027600A1 true WO2021027600A1 (en) 2021-02-18

Family

ID=68415762

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2020/106349 WO2021027600A1 (en) 2019-08-09 2020-07-31 Single log-in method, apparatus and device, and computer-readable storage medium

Country Status (2)

Country Link
CN (1) CN110430205B (en)
WO (1) WO2021027600A1 (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115866016A (en) * 2022-11-16 2023-03-28 浪潮智慧科技有限公司 Global exit method, device and medium
CN116150037A (en) * 2023-04-19 2023-05-23 云账户技术(天津)有限公司 Method and device for managing user login state in use case

Families Citing this family (6)

Publication number Priority date Publication date Assignee Title
CN110430205B (en) * 2019-08-09 2023-04-18 深圳前海微众银行股份有限公司 Single sign-on method, device, equipment and computer readable storage medium
CN111581631B (en) * 2020-05-12 2023-03-10 西安腾营信息科技有限公司 Single sign-on method based on redis
CN111859068A (en) * 2020-07-02 2020-10-30 中移(杭州)信息技术有限公司 Message tracking method, device, server and storage medium
CN111970333A (en) * 2020-07-29 2020-11-20 深圳市钱海网络技术有限公司 Method and device for realizing coexistence of two sessions based on same client
CN111949308A (en) * 2020-08-07 2020-11-17 北京字节跳动网络技术有限公司 Software package publishing method and device
CN113194079B (en) * 2021-04-23 2022-09-09 平安科技(深圳)有限公司 Login verification method, device, equipment and storage medium

Citations (4)

Publication number Priority date Publication date Assignee Title
CN108683651A (en) * 2018-05-04 2018-10-19 山东汇贸电子口岸有限公司 A kind of single-point logging method, server-side and system
CN108737541A (en) * 2018-05-18 2018-11-02 成都九洲迪飞科技有限责任公司 A kind of WEB conversation management systems and management method
US20190132397A1 (en) * 2017-10-30 2019-05-02 International Business Machines Corporation Session Handling for Multi-User Multi-Tenant Web Applications
CN110430205A (en) * 2019-08-09 2019-11-08 深圳前海微众银行股份有限公司 Single-point logging method, device, equipment and computer readable storage medium

Family Cites Families (7)

Publication number Priority date Publication date Assignee Title
CN104967604B (en) * 2015-04-21 2018-07-20 深圳市腾讯计算机系统有限公司 Login method and system
CN107770140A (en) * 2016-08-22 2018-03-06 南京中兴软件有限责任公司 A kind of single sign-on authentication method and device
CN107070880A (en) * 2017-02-16 2017-08-18 济南浪潮高新科技投资发展有限公司 A kind of method and system of single-sign-on, a kind of authentication center's server
CN107483418A (en) * 2017-07-27 2017-12-15 阿里巴巴集团控股有限公司 Login process method, method for processing business, device and server
CN108600203B (en) * 2018-04-11 2021-05-14 四川长虹电器股份有限公司 Cookie-based safe single sign-on method and unified authentication service system thereof
CN109246076B (en) * 2018-08-01 2022-11-04 北京奇虎科技有限公司 Method and device for single sign-on to multiple systems
CN109936579A (en) * 2019-03-21 2019-06-25 广东瑞恩科技有限公司 Single-point logging method, device, equipment and computer readable storage medium

Patent Citations (4)

Publication number Priority date Publication date Assignee Title
US20190132397A1 (en) * 2017-10-30 2019-05-02 International Business Machines Corporation Session Handling for Multi-User Multi-Tenant Web Applications
CN108683651A (en) * 2018-05-04 2018-10-19 山东汇贸电子口岸有限公司 A kind of single-point logging method, server-side and system
CN108737541A (en) * 2018-05-18 2018-11-02 成都九洲迪飞科技有限责任公司 A kind of WEB conversation management systems and management method
CN110430205A (en) * 2019-08-09 2019-11-08 深圳前海微众银行股份有限公司 Single-point logging method, device, equipment and computer readable storage medium

Cited By (3)

Publication number Priority date Publication date Assignee Title
CN115866016A (en) * 2022-11-16 2023-03-28 浪潮智慧科技有限公司 Global exit method, device and medium
CN115866016B (en) * 2022-11-16 2023-10-17 浪潮智慧科技有限公司 Global exit method, equipment and medium
CN116150037A (en) * 2023-04-19 2023-05-23 云账户技术(天津)有限公司 Method and device for managing user login state in use case

Also Published As

Publication number Publication date
CN110430205B (en) 2023-04-18
CN110430205A (en) 2019-11-08

Similar Documents

Publication Publication Date Title
WO2021027600A1 (en) Single log-in method, apparatus and device, and computer-readable storage medium
CN109587133B (en) Single sign-on system and method
JP5530562B2 (en) Validating domain name system record updates
US9094398B2 (en) Enhancing directory service authentication and authorization using contextual information
CN112261172B (en) Service addressing access method, device, system, equipment and medium
WO2017004947A1 (en) Method and apparatus for preventing domain name hijacking
US20100100950A1 (en) Context-based adaptive authentication for data and services access in a network
CN110324338B (en) Data interaction method, device, fort machine and computer readable storage medium
WO2021013033A1 (en) File operation method, apparatus, device, and system, and computer readable storage medium
US11770385B2 (en) Systems and methods for malicious client detection through property analysis
WO2018024176A1 (en) Device and method preventing repeated logins of same user
US11171964B1 (en) Authentication using device and user identity
CN115189897A (en) Access processing method and device for zero trust network, electronic equipment and storage medium
CN111371811B (en) Resource calling method, resource calling device, client and service server
WO2016201780A1 (en) Gateway management method and apparatus
CN113065161A (en) Security control method and device for Redis database
CN115913583A (en) Business data access method, device and equipment and computer storage medium
US8418227B2 (en) Keystroke logger for Unix-based systems
US10187473B2 (en) Gateway policy enforcement and service metadata binding
US9143520B2 (en) Method and apparatus for computer network security
CN110430211A (en) A kind of virtualization cloud desktop system and operating method
CN117082147B (en) Application network access control method, system, device and medium
CN112751844B (en) Portal authentication method and device and electronic equipment
CN115834252B (en) Service access method and system
TW201824887A (en) System for using authentication server to implement free login in server group and method thereof

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 20852787; Country of ref document: EP; Kind code of ref document: A1)
NENP Non-entry into the national phase (Ref country code: DE)
122 Ep: pct application non-entry in european phase (Ref document number: 20852787; Country of ref document: EP; Kind code of ref document: A1)