WO2022262322A1 - Authentication method, apparatus and system, electronic device, and storage medium - Google Patents


Publication number
WO2022262322A1
Authority
WO
WIPO (PCT)
Prior art keywords
service request
identity token
web application
user
user identity
Application number
PCT/CN2022/079103
Other languages
French (fr)
Chinese (zh)
Inventor
邵广玉
韩永亮
李文娟
王洪
Original Assignee
京东方科技集团股份有限公司
北京中祥英科技有限公司
Application filed by 京东方科技集团股份有限公司, 北京中祥英科技有限公司
Publication of WO2022262322A1

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/44 Program or device authentication
    • G06F21/445 Program or device authentication by mutual authentication, e.g. between devices or programs
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/10 Protecting distributed programs or content, e.g. vending or licensing of copyrighted material; Digital rights management [DRM]
    • G06F21/101 Protecting distributed programs or content, e.g. vending or licensing of copyrighted material; Digital rights management [DRM] by binding digital rights to specific entities
    • G06F21/1014 Protecting distributed programs or content, e.g. vending or licensing of copyrighted material; Digital rights management [DRM] by binding digital rights to specific entities to tokens
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31 User authentication

Definitions

  • the present disclosure relates to the technical field of network authentication, and in particular to an authentication method, device, system, electronic equipment and storage medium.
  • the disclosure provides an authentication method, device, system, electronic equipment and storage medium.
  • an authentication method applied to an Internet platform, comprising: receiving a first service request sent by a first web application through an authentication module, wherein the first web application is any one of a plurality of web applications corresponding to the Internet platform; obtaining the user identity token in the first service request, wherein the user identity token is obtained after the second web application logs in to the Internet platform through an authentication module
  • the second web application is any one of the plurality of web applications; the first service request is verified according to the user identity token; and the first web application is controlled to respond to the first service request according to the result of the verification.
  • it also includes: receiving the login information sent by the second web application through the authentication module, wherein the login information is input by the user when prompted after the second web application receives a second service request without a user identity token; determining whether the login information is legal and valid; in response to the login information being legal and valid, generating a user identity token according to the login information, and returning the user identity token to the user through the second web application.
  • the first service request is intercepted by the intercepting unit in the authentication module, and sent to the Internet platform by the forwarding unit of the authentication module according to the destination address carried in the first service request; and/or,
  • the second service request is intercepted by the interception unit in the authentication module; and/or, the login information is intercepted by the interception unit in the authentication module, and sent to the Internet platform by the forwarding unit of the authentication module according to the destination address carried in the login information.
  • the returning the user identity token to the user through the second web application includes returning the user identity token and a preset identifier to the user through the second web application;
  • the obtaining the user identity token in the first service request includes obtaining the user identity token from the first service request by using the preset identifier.
  • the first service request is generated by the service content input by the user through the browser; and/or, the second service request is generated by the service content input by the user through the browser; and/or, the login information is generated from the user name and password entered by the user through the browser.
  • the returning the user identity token and the preset identifier to the user through the second web application includes returning the user identity token and the preset identifier through the authentication module to the second web application, so that the second web application returns the user identity token and preset identifier to the browser;
  • the first service request is the service content input by the user through the browser
  • the generating includes generating the first service request from the service content input by the user through the browser, the user identity token in the browser, and the preset identifier.
  • the determining whether the login information is valid or not includes: if there is user information consistent with the login information in the user information stored in the user database, determining that the login information is legal and valid.
  • the verifying the first service request according to the user identity token includes: determining whether the user identity token is legal and valid; and/or determining whether the business content of the first service request matches the business authority corresponding to the user identity token.
  • determining whether the login information is legal and valid also includes decrypting the login information by using a preset rule; and/or, verifying the first service request according to the user identity token further includes decrypting the user identity token using preset rules.
  • the controlling the first web application to respond to the first service request according to the result of the verification includes: in response to the user identity token being legal and valid and the business content of the first service request matching the business authority corresponding to the user identity token, controlling the first web application to process the business content and return response data to the browser; otherwise, controlling the first web application to return prompt information to the browser, where the prompt information is used to represent the verification result.
  • it also includes: receiving a super service request sent by a third web application through the authentication module, wherein the third web application is any one of the plurality of web applications; acquiring the super identity token in the super service request, wherein the super identity token is obtained by the super user after registering on the Internet platform through any web application and authentication module;
  • in response to the super identity token being legal and valid, adjusting the user information, department information or application information stored in the Internet platform according to the service content of the super service request.
  • an authentication device applied to an Internet platform, including: a receiving module, configured to receive a first service request sent by a first web application through the authentication module, wherein the first web application is any one of a plurality of web applications corresponding to the Internet platform; an acquisition module, configured to acquire the user identity token in the first service request, wherein the user identity token is obtained after the second web application logs in to the Internet platform through the authentication module, and the second web application is any one of the plurality of web applications; a verification module, configured to verify the first service request according to the user identity token; and a response module, configured to control the first web application to respond to the first service request according to the verification result.
  • an authentication system including: a plurality of web applications, the web applications being used to receive business content input by a user through a browser, generate a first service request according to the business content and the user identity token, and send the first service request to an authentication module; the authentication module, configured to receive the first service request sent by the web application and send the first service request to the Internet platform; the Internet platform, configured to receive the first service request sent by the authentication module, and control the corresponding web application to respond to the first service request according to the verification result of the user identity token in the first service request.
  • the web application is further configured to prompt the user to input login information after receiving a second service request, input by the user through the browser, without the user identity token, and to receive the login information input by the user through the browser;
  • the authentication module is also used to receive the login information sent by the web application, and send the login information to the Internet platform;
  • the Internet platform is also used to receive the login information sent by the authentication module, and if the login information is legal and valid, generate a user identity token according to the login information, and return the user identity token to the browser through the authentication module and the corresponding web application.
  • the authentication module is in the form of a plug-in; the authentication module includes an intercepting unit and a forwarding unit, wherein the intercepting unit is used to intercept information related to the Internet platform, and the forwarding unit is used to forward information related to the Internet platform.
  • an authentication system including: an authentication module configured to receive the first service request sent by the web application, and send the first service request to an Internet platform; the Internet platform is configured to receive the first service request sent by the authentication module, and control the corresponding web application to respond to the first service request according to the verification result of the user identity token in the first service request.
  • an electronic device, the device includes a memory and a processor, the memory is used to store computer instructions executable on the processor, and the processor is used to implement the method described in the first aspect when executing the computer instructions.
  • a computer-readable storage medium on which a computer program is stored, and when the program is executed by a processor, the method described in the first aspect is implemented.
  • the first web application is controlled to respond to the first service request.
  • the user identity token is obtained by the second web application after logging in to the Internet platform through the authentication module, and the first web application and the second web application are each any one of multiple web applications corresponding to the Internet platform.
  • that is, the identity token obtained after any web application logs in to the Internet platform can be carried in a service request by that web application or by other web applications, so that the service request can be verified by the Internet platform and the web application can then respond to it. This avoids the inconvenience of logging in to different application systems independently and improves the efficiency of business processing; at the same time, reducing the number of logins can protect user information security.
  • Fig. 1 is a flowchart of an authentication method shown in some embodiments of the present disclosure
  • Fig. 2 is a schematic structural diagram of an authentication system shown in some embodiments of the present disclosure
  • Fig. 3 is a flowchart of an authentication method shown in other embodiments of the present disclosure.
  • Fig. 4 is a schematic structural diagram of an authentication device shown in some embodiments of the present disclosure.
  • Fig. 5 is a schematic structural diagram of an electronic device shown in some embodiments of the present disclosure.
  • first, second, third, etc. may be used in the present disclosure to describe various information, the information should not be limited to these terms. These terms are only used to distinguish information of the same type from one another. For example, without departing from the scope of the present disclosure, first information may also be called second information, and similarly, second information may also be called first information. Depending on the context, the word “if” as used herein may be interpreted as “at” or "when” or
  • each subsystem independently stores user names and passwords. Users must register multiple times and switch logins frequently to use different subsystems. The operation process is cumbersome and the user experience is poor. Transmitting user names and passwords also makes it easy to leak user privacy information and security information.
  • FIG. 1 shows the flow of the authentication method, including steps S101 to S104.
  • the method can be applied to the Internet platform.
  • the Internet platform 230 can be the server side of the authentication system of the enterprise, and the Internet platform corresponds to a plurality of web applications 210.
  • the Internet platform 230 needs to be used to verify the legitimacy of the service request, that is, the web application can verify the legitimacy of the service request in a remote verification (remote) manner.
  • the plurality of web applications 210 may be product applications in various fields such as smart factories, smart parks, and smart Internet of Things incubated within the enterprise. Users who use these web applications 210 to process business requests may be enterprise staff, managers, and the like.
  • In step S101, a first service request sent by a first web application through an authentication module is received, wherein the first web application is any one of multiple web applications corresponding to the Internet platform.
  • the first service request can be generated by the service content input by the user through the browser, the user identity token and the preset identifier in the browser; for example, the preset identifier can be set in the cookie of the HTTP request header.
  • the user identity token and the preset identifier can be obtained after the second web application logs into the Internet platform through the authentication module, the user identity token can be generated by the Internet platform according to the logged-in user information, and the preset identifier can be pre-stored in the configuration file of the Hualian platform.
  • the second web application is any one of the plurality of web applications.
  • the first web application and the second web application may be the same or different.
  • the authentication system includes an authentication module 220 in addition to the Internet platform 230 and its corresponding web applications 210.
  • the authentication module can be in the form of a plug-in, and the authentication module can have an intercepting unit and a forwarding unit, wherein the intercepting unit is used to intercept information related to the Internet platform, and the forwarding unit is used to forward information related to the Internet platform information.
  • the authentication module in the form of a plug-in can be an SDK developed in the Java language.
  • the plug-in encapsulates the interception unit and the forwarding unit based on Spring AOP.
  • the packaged plug-in can be introduced into the project service (such as the Internet platform or web application) through the project management tool Maven.
  • the first service request can be intercepted by the intercepting unit in the authentication module, and sent to the Internet platform by the forwarding unit of the authentication module according to the destination address carried in the first service request.
  • the authentication module can also have an abstract class for unified authentication and an annotation class for skipping authentication.
  • the authentication module can intercept and forward the methods in the abstract class so that business requests can be authenticated.
  • the authentication module can also let through the business requests covered by the annotation class, because these business requests do not require authentication.
  • the interception unit filters all business requests, intercepts the first business request, and does not intercept other business requests.
  • the interception function of the interception unit enables the first business request requiring Internet platform authentication to be sent to the Internet platform, and at the same time avoids sending other business requests to the Internet platform by mistake, so that the authentication of the Internet platform is targeted and efficient.
  • In step S102, the user identity token in the first service request is obtained.
  • the preset identifier carried by the first service request can be pre-stored in the configuration file of the Internet platform, so the user identity token can be obtained from the first service request by using the preset identifier.
  • the user identity token can be obtained from the HTTP request header through a preset identifier.
  • In step S103, the first service request is verified according to the user identity token.
  • the user identity token may first be decrypted by using a preset rule, and then the first service request is verified according to the user identity token.
  • For example, when the Internet platform returns the user identity token to the second web application, it will use preset rules for encryption, so it can use the same rule to decrypt the user identity token before verifying the first service request. That is to say, the encryption and confidentiality rules are only stored on the Internet platform, but not in the browser; the user can only carry the user identity token when initiating a business request, but cannot decrypt the user identity token, which further increases the security of user information.
  • the Internet platform verifies the first service request in a local verification (local) manner, which can verify whether the user identity token carried by the first service request is legal and valid.
  • For example, the user identity token returned by the Internet platform is stored synchronously in the token database, so when verifying whether the user identity token is legal and valid, the user identity tokens stored in the token database can be compared with the user identity token carried in the first service request. If there is a user identity token consistent with the one carried in the first service request among the user identity tokens stored in the token database, it can be determined that the user identity token carried in the first service request is legal and valid.
  • Checking the first service request may also determine whether the service content of the first service request matches the service authority corresponding to the user identity token.
  • when the Internet platform stores the user's identity token, it stores the user's corresponding business authority synchronously.
  • when the user's identity token is legal and valid, the business content of the first business request can be compared with the user's business authority to determine whether the two match.
  • In step S104, the first web application is controlled to respond to the first service request according to the verification result.
  • in response to the user identity token being legal and valid and the service content of the first service request matching the service authority corresponding to the user identity token, the first web application is controlled to process the business content and return response data to the browser; otherwise, the first web application is controlled to return prompt information to the browser, wherein the prompt information is used to represent the verification result.
  • the second web application may enable the user to obtain a user identity token as shown in FIG. 3, including steps S301 to S303.
  • In step S301, the login information sent by the second web application through the authentication module is received, wherein the login information is input by the user when prompted after the second web application receives a second service request without a user identity token.
  • the second service request may be generated by service content input by the user through the browser, for example, may be generated by inputting the service content in the application interface of the second web application displayed by the browser.
  • the authentication module intercepts and checks whether it has a user identity token. If it carries a user identity token, it forwards the second service request to the Internet platform;
  • the application interface of the second web application function displays a login page to prompt the user to log in.
  • the user can generate login information through the user name and password input in the browser, and the login information can be encrypted using preset rules. After the login information is generated and encrypted, it is intercepted by the intercepting unit in the authentication module, and sent to the Internet platform by the forwarding unit of the authentication module according to the destination address carried in the login information.
  • rules for encrypting login information and the rules for encrypting user identity tokens may be the same or different.
  • In step S302, it is determined whether the login information is legal and valid.
  • the Internet platform can store user information of legitimate users in the user database, and user information can be generated or updated by a super user's super business request; the super user can be an enterprise manager, etc. Therefore, when verifying the login information, the user information stored in the user database can be compared with the user information in the login information. If there is user information consistent with the login information in the user information stored in the user database, the login information can be determined to be legal and valid. In addition, if the login information is encrypted after it is generated, it is necessary to decrypt the login information by using preset rules before determining whether the login information is legal and valid.
  • In step S303, in response to the login information being legal and valid, a user identity token is generated according to the login information, and the user identity token is returned to the user through the second web application.
  • the user identity token may be encrypted according to preset rules.
  • the preset identifier can also be returned to the user through the second web application.
  • the encryption rule can be used to decrypt the user identity token when receiving a service request carrying the user identity token; the preset identifier can be used to obtain the user identity token when receiving a service request carrying the user identity token.
  • the user identity token and preset identifier may be returned to the second web application through the authentication module, so that the second web application returns the user identity token and preset identifier to the browser.
  • After the browser receives the user identity token, it can store it.
  • the user identity token and the preset identifier are stored in the browser in the form of key-value pairs through the set-cookie method of the HTTP response.
  • the authentication method further includes the following management steps: first, receiving a super service request sent by a third web application through the authentication module, wherein the third web application is any one of the plurality of web applications; next, obtaining the super identity token in the super service request, wherein the super identity token is obtained by the super user after registering on the Internet platform through any web application and authentication module; finally, in response to the legality and validity of the super identity token, adjusting the user information, department information or application information stored in the Internet platform according to the service content of the super service request.
  • the super user can be the management personnel of the enterprise. After registration, the management personnel will be assigned a super user nameplate to distinguish them from ordinary users. The management personnel can manage user information, department information and application information through super business requests, which is convenient and reliable.
  • This embodiment combines the requirements of the industrial Internet platform to realize the unified management and authentication of users. Multiple applications can be integrated on the platform. Users only need one login authentication to access any application system authorized by single sign-on, avoiding frequent login switching and improving work efficiency and user experience. At the same time, in the process of product application development, it can reduce the development work of the user management authentication module, so that developers only need to focus on the development of business processes, thereby speeding up the development progress and providing better production services.
  • an authentication device which is applied to an Internet platform. Please refer to FIG. 4 , which shows a schematic structural diagram of the device.
  • the device includes:
  • the receiving module 401 is configured to receive the first service request sent by the first web application through the authentication module, wherein the first web application is any one of multiple web applications corresponding to the Internet platform;
  • the obtaining module 402 is configured to obtain the user identity token in the first service request, wherein the user identity token is obtained after the second web application logs into the Internet platform through the authentication module,
  • and the second web application is any one of the plurality of web applications;
  • the verification module 403 is configured to verify the first service request according to the user identity token;
  • the response module 404 is configured to control the first web application to respond to the first service request according to the verification result.
  • an authentication system is provided, please refer to accompanying drawing 2, which shows the structure of the authentication system, including:
  • a plurality of web applications 210, the web application being used to receive the service content input by the user through the browser, generate a first service request according to the service content and the user identity token in the browser, and send the first service request to the authentication module;
  • an authentication module 220 configured to receive the first service request sent by the web application, and send the first service request to an Internet platform;
  • the Internet platform 230 is configured to receive the first service request sent by the authentication module, and control the corresponding web application to respond to the first service request according to the verification result of the user identity token in the first service request.
  • the web application is further configured to prompt the user to input login information after receiving the second service request input by the user through the browser without the user identity token, and receive the login information input by the user through the browser;
  • the authentication module is also used to receive the login information sent by the web application, and send the login information to the Internet platform;
  • the Internet platform is also used to receive the login information sent by the authentication module, generate a user identity token according to the login information when the login information is legal and valid, and return the user identity token to the browser through the authentication module and the corresponding web application.
  • the authentication module is in the form of a plug-in; the authentication module includes an intercepting unit and a forwarding unit, wherein the intercepting unit is used to intercept information related to the Internet platform, and the forwarding unit is used to forward information related to the Internet platform.
  • some embodiments of the present disclosure provide an electronic device, the device includes a memory and a processor, the memory is used to store computer instructions that can be run on the processor, and the processor is used to execute the When the above computer instructions are used, device registration is performed based on the method described in the first aspect.
  • Some embodiments of the present disclosure provide a computer-readable storage medium, on which a computer program is stored, and when the program is executed by a processor, the method described in the first aspect is implemented.
  • first and second are used for descriptive purposes only, and should not be understood as indicating or implying relative importance.
  • plurality means two or more, unless otherwise clearly defined.

Abstract

The present disclosure relates to an authentication method, apparatus and system, an electronic device, and a storage medium. The method is applied to an Internet platform, and comprises: receiving a first service request sent by a first web application by means of an authentication module, wherein the first web application is any one of multiple web applications corresponding to the Internet platform; obtaining a user identity token of the first service request, wherein the user identity token is obtained after a second web application logs in to the Internet platform by means of the authentication module, and the second web application is any one of the multiple web applications; verifying the first service request according to the user identity token; and controlling, according to a verification result, the first web application to respond to the first service request.

Description

Authentication method, device, system, electronic equipment and storage medium
Technical Field
The present disclosure relates to the technical field of network authentication, and in particular to an authentication method, device, system, electronic equipment and storage medium.
Background
With the continuous development of industrial interconnection and informatization, enterprises have incubated product applications in multiple fields such as smart factories, smart parks, and smart IoT, which have made great contributions to their production management. However, each application has its own independent login system, so a user name and password must be entered separately to log in to each application system. This causes considerable inconvenience in use and is not conducive to the combined promotion and marketing of the products.
Summary
The present disclosure provides an authentication method, device, system, electronic equipment and storage medium.
According to some embodiments of the present disclosure, an authentication method applied to an Internet platform is provided. The method includes: receiving a first service request sent by a first web application through an authentication module, where the first web application is any one of multiple web applications corresponding to the Internet platform; obtaining the user identity token in the first service request, where the user identity token is obtained after a second web application logs in to the Internet platform through the authentication module, and the second web application is any one of the multiple web applications; verifying the first service request according to the user identity token; and controlling, according to the verification result, the first web application to respond to the first service request.
In one embodiment, the method further includes: receiving login information sent by the second web application through the authentication module, where the login information is entered by the user when prompted after the second web application receives a second service request without a user identity token; determining whether the login information is legal and valid; and, in response to the login information being legal and valid, generating a user identity token according to the login information and returning the user identity token to the user through the second web application.
In one embodiment, the first service request is intercepted by the intercepting unit in the authentication module and sent to the Internet platform by the forwarding unit of the authentication module according to the destination address carried in the first service request; and/or the second service request is intercepted by the intercepting unit in the authentication module; and/or the login information is intercepted by the intercepting unit in the authentication module and sent to the Internet platform by the forwarding unit of the authentication module according to the destination address carried in the login information.
In one embodiment, returning the user identity token to the user through the second web application includes returning the user identity token and a preset identifier to the user through the second web application; and obtaining the user identity token in the first service request includes using the preset identifier to obtain the user identity token from the first service request.
In one embodiment, the first service request is generated from the service content input by the user through the browser; and/or the second service request is generated from the service content input by the user through the browser; and/or the login information is generated from the user name and password input by the user through the browser.
In one embodiment, returning the user identity token and the preset identifier to the user through the second web application includes returning the user identity token and the preset identifier to the second web application through the authentication module, so that the second web application returns the user identity token and the preset identifier to the browser; and the first service request being generated from the service content input by the user through the browser includes the first service request being generated from the service content input by the user through the browser together with the user identity token and the preset identifier held in the browser.
In one embodiment, determining whether the login information is legal and valid includes: if the user information stored in the user database contains user information consistent with the login information, determining that the login information is legal and valid.
In one embodiment, verifying the first service request according to the user identity token includes: determining whether the user identity token is legal and valid; and/or determining whether the service content of the first service request matches the service authority corresponding to the user identity token.
In one embodiment, determining whether the login information is legal and valid further includes decrypting the login information using a preset rule; and/or verifying the first service request according to the user identity token further includes decrypting the user identity token using a preset rule.
In one embodiment, controlling the first web application to respond to the first service request according to the verification result includes: in response to the user identity token being legal and valid and the service content of the first service request matching the service authority corresponding to the user identity token, controlling the first web application to process the service content and return response data to the browser; otherwise, controlling the first web application to return prompt information to the browser, where the prompt information represents the verification result.
In one embodiment, the method further includes: receiving a super service request sent by a third web application through the authentication module, where the third web application is any one of the multiple web applications; obtaining the super identity token in the super service request, where the super identity token is obtained after a super user registers on the Internet platform through any one web application and the authentication module; and, in response to the super identity token being legal and valid, adjusting the user information, department information or application information stored in the Internet platform according to the service content of the super service request.
According to some embodiments of the present disclosure, an authentication device applied to an Internet platform is provided, including: a receiving module, configured to receive a first service request sent by a first web application through an authentication module, where the first web application is any one of multiple web applications corresponding to the Internet platform; an acquisition module, configured to obtain the user identity token in the first service request, where the user identity token is obtained after a second web application logs in to the Internet platform through the authentication module, and the second web application is any one of the multiple web applications; a verification module, configured to verify the first service request according to the user identity token; and a response module, configured to control the first web application to respond to the first service request according to the verification result.
According to some embodiments of the present disclosure, an authentication system is provided, including: multiple web applications, each configured to receive service content input by a user through a browser, generate a first service request from the service content and the user identity token in the browser, and send the first service request to an authentication module; the authentication module, configured to receive the first service request sent by the web application and send the first service request to an Internet platform; and the Internet platform, configured to receive the first service request sent by the authentication module and, according to the verification result of the user identity token in the first service request, control the corresponding web application to respond to the first service request.
In one embodiment, the web application is further configured to prompt the user to input login information after receiving a second service request without a user identity token input by the user through the browser, and to receive the login information input by the user through the browser; the authentication module is further configured to receive the login information sent by the web application and send the login information to the Internet platform; and the Internet platform is further configured to receive the login information sent by the authentication module, generate a user identity token according to the login information when the login information is legal and valid, and return the user identity token to the browser through the authentication module and the corresponding web application.
In one embodiment, the authentication module is in the form of a plug-in; the authentication module includes an intercepting unit and a forwarding unit, where the intercepting unit is used to intercept information related to the Internet platform and the forwarding unit is used to forward information related to the Internet platform.
According to some embodiments of the present disclosure, an authentication system is provided, including: an authentication module, configured to receive the first service request sent by the web application and send the first service request to an Internet platform; and the Internet platform, configured to receive the first service request sent by the authentication module and, according to the verification result of the user identity token in the first service request, control the corresponding web application to respond to the first service request.
According to some embodiments of the present disclosure, an electronic device is provided. The device includes a memory and a processor, the memory is used to store computer instructions executable on the processor, and the processor is used to implement the method described in the first aspect when executing the computer instructions.
According to some embodiments of the present disclosure, a computer-readable storage medium is provided, on which a computer program is stored, and when the program is executed by a processor, the method described in the first aspect is implemented.
As can be seen from the above embodiments, the first service request sent by the first web application through the authentication module is received, the user identity token in the first service request is obtained, the first service request is verified according to the user identity token, and finally the first web application is controlled to respond to the first service request according to the verification result. The user identity token is obtained after the second web application logs in to the Internet platform through the authentication module, and the first web application and the second web application are each any one of the multiple web applications corresponding to the Internet platform. In other words, the identity token obtained after any one web application logs in to the Internet platform can be carried in a service request by that web application or by other web applications, so that the service request can pass the Internet platform's verification and the web application can then respond to it. This avoids the inconvenience of logging in to each application system independently and improves the efficiency of service processing; at the same time, reducing the number of logins can protect the security of the user's information.
It should be understood that both the foregoing general description and the following detailed description are exemplary and explanatory only and do not limit the present disclosure.
Brief Description of the Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with the present disclosure and together with the description serve to explain the principles of the present disclosure.
Fig. 1 is a flowchart of an authentication method shown in some embodiments of the present disclosure;
Fig. 2 is a schematic structural diagram of an authentication system shown in some embodiments of the present disclosure;
Fig. 3 is a flowchart of an authentication method shown in other embodiments of the present disclosure;
Fig. 4 is a schematic structural diagram of an authentication device shown in some embodiments of the present disclosure;
Fig. 5 is a schematic structural diagram of an electronic device shown in some embodiments of the present disclosure.
Detailed Description
Exemplary embodiments are described in detail here, and examples of them are shown in the accompanying drawings. When the following description refers to the accompanying drawings, the same numerals in different drawings refer to the same or similar elements unless otherwise indicated. The implementations described in the following exemplary embodiments do not represent all implementations consistent with the present disclosure. Rather, they are merely examples of devices and methods consistent with some aspects of the present disclosure as recited in the appended claims.
The terminology used in the present disclosure is for the purpose of describing particular embodiments only and is not intended to limit the present disclosure. As used in this disclosure and the appended claims, the singular forms "a", "said" and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise. It should also be understood that the term "and/or" as used herein refers to and includes any and all possible combinations of one or more of the associated listed items.
It should be understood that although the terms first, second, third, etc. may be used in the present disclosure to describe various information, the information should not be limited to these terms. These terms are only used to distinguish information of the same type from one another. For example, without departing from the scope of the present disclosure, first information may also be called second information, and similarly, second information may also be called first information. Depending on the context, the word "if" as used herein may be interpreted as "at the time of" or "when" or "in response to determining".
For an enterprise application composed of multiple subsystems, each subsystem stores user names and passwords independently. Users must register multiple times and switch logins frequently to use the different subsystems, so the operation process is cumbersome and the user experience is poor. In addition, the user name and password are transmitted every time the user logs in to a system, which makes it easy to leak the user's private information and security information.
Based on this, some embodiments of the present disclosure provide an authentication method. Referring to FIG. 1, which shows the flow of the authentication method, the method includes steps S101 to S104.
The method can be applied to an Internet platform. As shown in FIG. 2, the Internet platform 230 may be the server side of an enterprise's authentication system, and the Internet platform corresponds to multiple web applications 210. The web applications 210 run on the Internet platform, so when a web application 210 processes a service request, the legitimacy of the service request must be verified through the Internet platform 230; that is, the web application can verify the legitimacy of the service request in a remote verification (remote) manner. The multiple web applications 210 may be product applications incubated within the enterprise in fields such as smart factories, smart parks, and smart IoT. The users who use these web applications 210 to process service requests may be enterprise staff, managers, and the like.
In step S101, a first service request sent by a first web application through an authentication module is received, where the first web application is any one of the multiple web applications corresponding to the Internet platform.
The first service request may be generated from the service content input by the user through the browser together with the user identity token and the preset identifier held in the browser; for example, the preset identifier may be set in the cookie of the HTTP request header. The user identity token and the preset identifier may be obtained after the second web application logs in to the Internet platform through the authentication module. The user identity token may be generated by the Internet platform according to the information of the logged-in user, and the preset identifier may be pre-stored in the configuration file of the Internet platform. The second web application is any one of the multiple web applications. The first web application and the second web application may be the same or different.
Referring again to FIG. 2, in addition to the Internet platform 230 and its corresponding web applications 210, the authentication system includes an authentication module 220. The authentication module may be in the form of a plug-in and may have an intercepting unit and a forwarding unit, where the intercepting unit is used to intercept information related to the Internet platform and the forwarding unit is used to forward information related to the Internet platform. The plug-in authentication module may be an SDK developed in the Java language. The plug-in encapsulates the intercepting unit and the forwarding unit based on Spring AOP; the packaged plug-in can be introduced into a project service (such as the Internet platform or a web application) through the project management tool Maven and packaged and run with it, after which the project service can call the relevant functions in the plug-in (the interception function, the forwarding function, etc.). The first service request can therefore be intercepted by the intercepting unit in the authentication module and sent to the Internet platform by the forwarding unit of the authentication module according to the destination address carried in the first service request. The authentication module may also have an abstract class for unified authentication and an annotation class for skipping authentication. The authentication module can implement the methods in the abstract class to intercept and forward, so that service requests are authenticated, and it can let through the service requests covered by the annotation class, because those service requests do not require authentication. The intercepting unit filters all service requests: it intercepts the first service request and does not intercept other service requests. This interception ensures that a first service request requiring authentication by the Internet platform is sent to the Internet platform, while other service requests are not sent to the Internet platform by mistake, so that the authentication performed by the Internet platform is targeted and efficient.
In step S102, the user identity token in the first service request is obtained.
The preset identifier carried by the first service request may be pre-stored in the configuration file of the Internet platform, so the preset identifier can be used to obtain the user identity token from the first service request. For example, the user identity token can be obtained from the HTTP request header by means of the preset identifier. It can be understood that this way of obtaining the user identity token from the first service request is only one feasible example and does not limit how the user identity token is obtained.
In step S103, the first service request is verified according to the user identity token.
The user identity token may first be decrypted using a preset rule, and the first service request is then verified according to the user identity token. For example, the Internet platform encrypts the user identity token using a preset rule when returning it to the second web application, so the same rule can be used to decrypt the user identity token before the first service request is verified. In other words, the encryption and decryption rules are stored only on the Internet platform and not in the browser: the user can only carry the user identity token when initiating a service request and cannot decrypt it, which further increases the security of the user's information.
In one example, the Internet platform may verify the first service request in a local verification (local) manner, checking whether the user identity token carried by the first service request is legal and valid. For example, when the Internet platform returns a user identity token it also stores the token in a token database. To check whether a user identity token is legal and valid, the user identity tokens stored in the token database can therefore be compared with the user identity token carried by the first service request; if the token database contains a user identity token consistent with the one carried by the first service request, the user identity token carried by the first service request is determined to be legal and valid. Verifying the first service request may also include determining whether the service content of the first service request matches the service authority corresponding to the user identity token. For example, when the Internet platform stores a user identity token, it stores the service authority of that user alongside it; when the user identity token is legal and valid, the service content of the first service request can be compared with the user's service authority to determine whether the two match.
In step S104, the first web application is controlled to respond to the first service request according to the verification result.
In one example, in response to the user identity token being legal and valid and the service content of the first service request matching the service authority corresponding to the user identity token, the first web application is controlled to process the service content and return response data to the browser; otherwise, the first web application is controlled to return prompt information to the browser, where the prompt information represents the verification result.
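The check sequence of steps S102 to S104, as an added Python example that is not code from the patent or its applicants. The cookie name `PLATFORM_TOKEN`, the service names and the `Platform` class are assumptions, and an HMAC seal whose key only the platform holds stands in for the unspecified "preset rule" (it protects integrity, it does not encrypt).

```python
import hashlib
import hmac
import secrets
from http.cookies import CookieError, SimpleCookie

# Assumed cookie name; the page only says a preset identifier is kept in the
# platform's configuration file and does not name it.
PRESET_IDENTIFIER = "PLATFORM_TOKEN"


def extract_token(cookie_header):
    """S102: locate the token in the Cookie header via the preset identifier."""
    jar = SimpleCookie()
    try:
        jar.load(cookie_header or "")
    except CookieError:
        return None
    morsel = jar.get(PRESET_IDENTIFIER)
    return morsel.value if morsel is not None else None


class Platform:
    """Hypothetical stand-in for the Internet platform's verification side."""

    def __init__(self, key):
        self._key = key        # held only by the platform, never by the browser
        self._token_db = {}    # token id -> (user, permitted services)

    def _tag(self, token_id):
        return hmac.new(self._key, token_id.encode(), hashlib.sha256).hexdigest()

    def issue_token(self, user, permissions):
        """What the platform does after a successful login (login check not shown)."""
        token_id = secrets.token_urlsafe(24)
        self._token_db[token_id] = (user, frozenset(permissions))
        return f"{token_id}.{self._tag(token_id)}"

    def _unseal(self, wire):
        """Undo the 'preset rule': accept only values sealed with the platform key."""
        token_id, sep, tag = wire.partition(".")
        if not sep:
            return None
        # Constant-time comparison so the tag cannot be guessed byte by byte.
        if not hmac.compare_digest(tag.encode(), self._tag(token_id).encode()):
            return None
        return token_id

    def verify(self, cookie_header, service):
        """S103/S104: return the result the web application is told to act on."""
        wire = extract_token(cookie_header)
        if wire is None:
            return "NO_TOKEN"          # web application prompts for login
        token_id = self._unseal(wire)
        record = self._token_db.get(token_id) if token_id is not None else None
        if record is None:
            return "INVALID_TOKEN"     # forged, altered, or not in the token database
        _user, permissions = record
        return "OK" if service in permissions else "FORBIDDEN"


def demo():
    """Constructed scenario: a token obtained through one application is
    presented to the platform on behalf of another application."""
    platform = Platform(secrets.token_bytes(32))
    wire = platform.issue_token("alice", {"factory:report", "park:access"})
    cookie = f"theme=dark; {PRESET_IDENTIFIER}={wire}"
    # Flip the last hex digit of the seal to simulate an altered token.
    tampered = cookie[:-1] + ("0" if cookie[-1] != "0" else "1")
    return {
        "other_app": platform.verify(cookie, "factory:report"),
        "no_permission": platform.verify(cookie, "iot:configure"),
        "tampered": platform.verify(tampered, "factory:report"),
        "no_token": platform.verify("theme=dark", "factory:report"),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

Only the `OK` result lets the web application process the service content; every other result maps to the prompt information that step S104 returns to the browser.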
根据上述实施例可知,通过接收第一web应用通过认证模块发送的第一业务请求,并获取第一业务请求中的用户身份令牌,以及根据用户身份令牌对第一业务请求进行校验,最后根据校验结果,控制第一web应用对第一业务请求进行响应。由于用户身份令牌是由第二web应用通过认证模块登录互联网平台后得到的,而第一web应用和第二web应用均是互联网平台对应的多个web应用中的任意一个,即任意一个web应用登录互联网平台后得到的身份令牌,可以被该web应用或其他web应用携带在业务请求中,从而业务请求可以互联网平台的验证,进而web应用可以对该业务请求进行响应,避免了各个web应用均独立登录不同的应用系统造成的使用不便,提高了业务处理的效率;同时,减少登录次数能够保护用户的信息安全。According to the above embodiment, it can be seen that by receiving the first service request sent by the first web application through the authentication module, obtaining the user identity token in the first service request, and verifying the first service request according to the user identity token, Finally, according to the verification result, the first web application is controlled to respond to the first service request. Since the user identity token is obtained by the second web application after logging in to the Internet platform through the authentication module, and the first web application and the second web application are any one of multiple web applications corresponding to the Internet platform, that is, any web application The identity token obtained after the application logs in to the Internet platform can be carried in the service request by the web application or other web applications, so that the service request can be verified by the Internet platform, and then the web application can respond to the service request, avoiding the Applications are inconvenient to log in to different application systems independently, which improves the efficiency of business processing; at the same time, reducing the number of login times can protect user information security.
In some embodiments of the present disclosure, the second web application may enable the user to obtain the user identity token in the manner shown in FIG. 3, which includes steps S301 to S303.
In step S301, login information sent by the second web application through the authentication module is received, where the login information is entered by the user at a prompt shown after the second web application receives a second service request that carries no user identity token.
The second service request may be generated from service content entered by the user through the browser, for example by entering the service content in the application interface of the second web application displayed in the browser. After the second service request is generated, the authentication module intercepts it and checks whether it carries a user identity token. If it carries a user identity token, the second service request is forwarded to the Internet platform; if it does not, a login page is displayed in the application interface of the second web application in the browser to prompt the user to log in. The user can generate the login information from a user name and password entered through the browser, and the login information is encrypted using a preset rule. After the login information is generated and encrypted, it is intercepted by the interception unit in the authentication module and sent to the Internet platform by the forwarding unit of the authentication module according to the destination address carried in the login information.
Note that the rule for encrypting the login information and the rule for encrypting the user identity token may be the same or different.
In step S302, it is determined whether the login information is legitimate and valid.
The Internet platform may store the user information of legitimate users in a user database. The user information may be generated or updated by a super service request from a super user, and the super user may be, for example, a manager of the enterprise. When verifying the login information, the user information stored in the user database can therefore be compared with the user information in the login information; if the user information stored in the user database includes user information consistent with the login information, the login information can be determined to be legitimate and valid. In addition, if the login information was encrypted after it was generated, it must be decrypted using the preset rule before determining whether it is legitimate and valid.
In step S303, in response to the login information being legitimate and valid, a user identity token is generated according to the login information, and the user identity token is returned to the user through the second web application.
Before the user identity token is returned, it may be encrypted according to a preset rule. When the user identity token is returned, a preset identifier may also be returned to the user together with it through the second web application. The encryption rule allows the user identity token to be decrypted when a service request carrying the user identity token is received; the preset identifier is used to retrieve the user identity token when a service request carrying the user identity token is received.
The user identity token and the preset identifier may be returned to the second web application through the authentication module, so that the second web application returns the user identity token and the preset identifier to the browser. After receiving the user identity token, the browser can store it; for example, the user identity token and the preset identifier are stored in the browser as a key-value pair through the set-cookie method of the HTTP Response. When the user enters service content through the browser to generate the first service request, the first service request is generated from that service content, the user identity token and the preset identifier.
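The login steps S301 to S303 and the token-plus-permission check described above, as an added Python example that is not code from the patent. The patent leaves the token format and its "preset rule" unspecified, so this example swaps in an HMAC-SHA256 signed token with an expiry; the cookie name `platform_token` (standing in for the preset identifier), the signing key, the user record and the prompt strings are all assumptions. The verifier never looks at which web application forwarded the request, which is what lets a token obtained through one application be accepted from another.

```python
import base64
import hashlib
import hmac
import json
import time
from http.cookies import CookieError, SimpleCookie

# Every name and value here is an assumption made for the example.
PLATFORM_KEY = b"constructed-demo-key"   # platform-side signing key (constructed)
TOKEN_COOKIE = "platform_token"          # plays the role of the "preset identifier"
TOKEN_TTL = 900                          # token lifetime in seconds


def pw_hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed user database: salted password hash plus service permissions.
USER_DB = {
    "alice": {"salt": b"constructed-salt",
              "pw": pw_hash("correct horse", b"constructed-salt"),
              "permissions": {"orders:read"}},
}


def b64e(data):
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def b64d(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign(payload):
    return b64e(hmac.new(PLATFORM_KEY, payload, hashlib.sha256).digest())


def login(username, password, now=None):
    """S301-S303: validate login information, return a Set-Cookie value or None."""
    now = time.time() if now is None else now
    user = USER_DB.get(username)
    # Hash for unknown users too, so response time does not reveal valid names.
    salt = user["salt"] if user else b"no-such-user"
    candidate = pw_hash(password, salt)
    if user is None or not hmac.compare_digest(candidate, user["pw"]):
        return None
    payload = json.dumps({"sub": username, "exp": int(now) + TOKEN_TTL}).encode()
    cookie = SimpleCookie()
    cookie[TOKEN_COOKIE] = b64e(payload) + "." + sign(payload)
    morsel = cookie[TOKEN_COOKIE]
    # Keep the token away from page scripts, plain HTTP and cross-site posts.
    morsel["httponly"] = True
    morsel["secure"] = True
    morsel["samesite"] = "Lax"
    morsel["path"] = "/"
    return morsel.OutputString()


def verify_service_request(cookie_header, required_permission, now=None):
    """Platform check of a service request; returns (allowed, prompt_info)."""
    now = time.time() if now is None else now
    jar = SimpleCookie()
    try:
        jar.load(cookie_header or "")
    except CookieError:
        return False, "invalid_token"
    if TOKEN_COOKIE not in jar:
        return False, "login_required"       # request without a token
    try:
        body, sig = jar[TOKEN_COOKIE].value.split(".")
        payload = b64d(body)
        # Constant-time comparison of the presented and recomputed signatures.
        if not hmac.compare_digest(sig.encode(), sign(payload).encode()):
            return False, "invalid_token"
        claims = json.loads(payload)
    except ValueError:
        return False, "invalid_token"
    if claims["exp"] <= now:
        return False, "token_expired"
    # Permissions are looked up server-side, never taken from the request.
    user = USER_DB.get(claims["sub"])
    if user is None or required_permission not in user["permissions"]:
        return False, "permission_denied"
    return True, "ok"
```

The second element of the returned pair corresponds to the prompt information that indicates the verification result; a deployment would map it to a response that does not reveal more than the caller needs.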
In some embodiments of the present disclosure, the authentication method further includes the following management steps. First, a super service request sent by a third web application through the authentication module is received, where the third web application is any one of the multiple web applications. Next, the super identity token in the super service request is obtained, where the super identity token is obtained after a super user registers with the Internet platform through any one of the web applications and the authentication module. Finally, in response to the super identity token being legitimate and valid, the user information, department information or application information stored in the Internet platform is adjusted according to the service content of the super service request. The super user may be a manager of the enterprise. After registering, the manager is assigned a super user nameplate to distinguish the manager from ordinary users, and the manager manages user information, department information and application information through super service requests, which is convenient and reliable.
This embodiment addresses the needs of an industrial Internet platform by providing unified management and authentication of users. Multiple applications can be integrated on the platform, and a user needs to log in and authenticate only once to access any application system authorized for single sign-on, which avoids frequent switching between logins, improves work efficiency and improves the user experience. In addition, during product application development, the work of developing user management and authentication modules is reduced, so that development can focus on the business process, which speeds up development and provides better products and services.
According to some embodiments of the present disclosure, an authentication apparatus applied to an Internet platform is provided. Referring to FIG. 4, which shows a schematic structural diagram of the apparatus, the apparatus includes:
a receiving module 401, configured to receive a first service request sent by a first web application through an authentication module, where the first web application is any one of multiple web applications corresponding to the Internet platform;
an obtaining module 402, configured to obtain the user identity token in the first service request, where the user identity token is obtained after a second web application logs in to the Internet platform through the authentication module, and the second web application is any one of the multiple web applications;
a verification module 403, configured to verify the first service request according to the user identity token;
a response module 404, configured to control the first web application to respond to the first service request according to the result of the verification.
According to some embodiments of the present disclosure, an authentication system is provided. Referring to FIG. 2, which shows the structure of the authentication system, the system includes:
multiple web applications 210, each configured to receive service content entered by the user through the browser, generate a first service request from the service content and the user identity token in the browser, and send the first service request to the authentication module;
an authentication module 220, configured to receive the first service request sent by the web application and send the first service request to the Internet platform;
the Internet platform 230, configured to receive the first service request sent by the authentication module and, according to the verification result of the user identity token in the first service request, control the corresponding web application to respond to the first service request.
In some embodiments of the present disclosure, the web application is further configured to prompt the user to enter login information after receiving a second service request, entered by the user through the browser, that carries no user identity token, and to receive the login information entered by the user through the browser; the authentication module is further configured to receive the login information sent by the web application and send the login information to the Internet platform; the Internet platform is further configured to receive the login information sent by the authentication module, generate a user identity token according to the login information when the login information is legitimate and valid, and return the user identity token to the browser through the authentication module and the corresponding web application.
In some embodiments of the present disclosure, the authentication module takes the form of a plug-in; the authentication module includes an interception unit and a forwarding unit, where the interception unit is configured to intercept information related to the Internet platform and the forwarding unit is configured to forward information related to the Internet platform.
According to some embodiments of the present disclosure, an authentication system is provided, including: an authentication module, configured to receive the first service request sent by the web application and send the first service request to the Internet platform; and the Internet platform, configured to receive the first service request sent by the authentication module and, according to the verification result of the user identity token in the first service request, control the corresponding web application to respond to the first service request.
With regard to the apparatus in the above embodiments, the specific manner in which each module and the network perform operations has been described in detail in the embodiments of the method in the first aspect and is not elaborated here.
Referring to FIG. 5, some embodiments of the present disclosure provide an electronic device. The device includes a memory and a processor; the memory is configured to store computer instructions that can run on the processor, and the processor is configured to perform device registration based on the method described in the first aspect when executing the computer instructions.
Some embodiments of the present disclosure provide a computer-readable storage medium on which a computer program is stored; when the program is executed by a processor, the method described in the first aspect is implemented.
The component embodiments of the present disclosure may be implemented in hardware, in software modules running on one or more processors, or in a combination of the two.
It should be understood that although the steps in the flowcharts of the accompanying drawings are shown in sequence as indicated by the arrows, they are not necessarily executed in the order the arrows indicate. Unless explicitly stated herein, there is no strict order restriction on the execution of these steps, and they may be executed in other orders. Moreover, at least some of the steps in the flowcharts may include multiple sub-steps or stages, which are not necessarily completed at the same moment but may be executed at different times; nor are they necessarily executed sequentially, but may be executed in turn or alternately with other steps or with at least part of the sub-steps or stages of other steps.
In the present disclosure, the terms "first" and "second" are used for descriptive purposes only and are not to be understood as indicating or implying relative importance. The term "multiple" means two or more, unless otherwise expressly defined.
Other embodiments of the present disclosure will readily occur to those skilled in the art after considering the specification and practicing the disclosure herein. The present disclosure is intended to cover any variations, uses or adaptations of the present disclosure that follow its general principles and include common knowledge or customary technical means in the art that are not disclosed herein. The specification and embodiments are to be regarded as exemplary only, and the true scope and spirit of the present disclosure are indicated by the following claims.
It should be understood that the present disclosure is not limited to the precise structures described above and shown in the accompanying drawings, and that various modifications and changes can be made without departing from its scope. The scope of the present disclosure is limited only by the appended claims.

Claims (18)

  1. An authentication method, characterized in that it is applied to an Internet platform, the method comprising:
    receiving a first service request sent by a first web application through an authentication module, wherein the first web application is any one of a plurality of web applications corresponding to the Internet platform;
    obtaining a user identity token in the first service request, wherein the user identity token is obtained after a second web application logs in to the Internet platform through the authentication module, and the second web application is any one of the plurality of web applications;
    verifying the first service request according to the user identity token;
    controlling, according to a result of the verification, the first web application to respond to the first service request.
  2. The authentication method according to claim 1, characterized by further comprising:
    receiving login information sent by the second web application through the authentication module, wherein the login information is entered by the user at a prompt shown after the second web application receives a second service request that carries no user identity token;
    determining whether the login information is legitimate and valid;
    in response to the login information being legitimate and valid, generating a user identity token according to the login information, and returning the user identity token to the user through the second web application.
  3. The authentication method according to claim 2, characterized in that the first service request is intercepted by an interception unit in the authentication module and sent to the Internet platform by a forwarding unit of the authentication module according to a destination address carried in the first service request; and/or,
    the second service request is intercepted by the interception unit in the authentication module; and/or,
    the login information is intercepted by the interception unit in the authentication module and sent to the Internet platform by the forwarding unit of the authentication module according to a destination address carried in the login information.
  4. The authentication method according to claim 2, characterized in that returning the user identity token to the user through the second web application comprises:
    returning the user identity token and a preset identifier to the user through the second web application;
    and obtaining the user identity token in the first service request comprises:
    obtaining the user identity token from the first service request by using the preset identifier.
  5. The authentication method according to claim 4, characterized in that the first service request is generated from service content entered by the user through a browser; and/or,
    the second service request is generated from service content entered by the user through the browser; and/or,
    the login information is generated from a user name and password entered by the user through the browser.
  6. The authentication method according to claim 5, characterized in that returning the user identity token and the preset identifier to the user through the second web application comprises:
    returning the user identity token and the preset identifier to the second web application through the authentication module, so that the second web application returns the user identity token and the preset identifier to the browser;
    and the first service request being generated from service content entered by the user through the browser comprises:
    the first service request being generated from the service content entered by the user through the browser, together with the user identity token and the preset identifier in the browser.
  7. The authentication method according to claim 5, characterized in that determining whether the login information is legitimate and valid comprises:
    if the user information stored in a user database includes user information consistent with the login information, determining that the login information is legitimate and valid.
  8. The authentication method according to claim 7, characterized in that verifying the first service request according to the user identity token comprises:
    determining whether the user identity token is legitimate and valid; and/or,
    determining whether the service content of the first service request matches the service permissions corresponding to the user identity token.
  9. The authentication method according to claim 8, characterized in that determining whether the login information is legitimate and valid further comprises:
    decrypting the login information by using a preset rule; and/or,
    verifying the first service request according to the user identity token further comprises:
    decrypting the user identity token by using a preset rule.
  10. The authentication method according to claim 1 or 8, characterized in that controlling, according to the result of the verification, the first web application to respond to the first service request comprises:
    in response to the user identity token being legitimate and valid, and the service content of the first service request matching the service permissions corresponding to the user identity token, controlling the first web application to process the service content and return response data to the browser;
    otherwise, controlling the first web application to return prompt information to the browser, wherein the prompt information indicates the result of the verification.
  11. The authentication method according to claim 1, characterized by further comprising:
    receiving a super service request sent by a third web application through the authentication module, wherein the third web application is any one of the plurality of web applications;
    obtaining a super identity token in the super service request, wherein the super identity token is obtained after a super user registers with the Internet platform through any one of the web applications and the authentication module;
    in response to the super identity token being legitimate and valid, adjusting user information, department information or application information stored in the Internet platform according to the service content of the super service request.
  12. An authentication apparatus, characterized in that it is applied to an Internet platform, the apparatus comprising:
    a receiving module, configured to receive a first service request sent by a first web application through an authentication module, wherein the first web application is any one of a plurality of web applications corresponding to the Internet platform;
    an obtaining module, configured to obtain a user identity token in the first service request, wherein the user identity token is obtained after a second web application logs in to the Internet platform through the authentication module, and the second web application is any one of the plurality of web applications;
    a verification module, configured to verify the first service request according to the user identity token;
    a response module, configured to control, according to a result of the verification, the first web application to respond to the first service request.
  13. An authentication system, characterized by comprising:
    a plurality of web applications, each web application being configured to receive service content entered by a user through a browser, generate a first service request from the service content and a user identity token in the browser, and send the first service request to an authentication module;
    the authentication module, configured to receive the first service request sent by the web application and send the first service request to an Internet platform;
    the Internet platform, configured to receive the first service request sent by the authentication module and, according to a verification result of the user identity token in the first service request, control the corresponding web application to respond to the first service request.
  14. The authentication system according to claim 13, characterized in that the web application is further configured to prompt the user to enter login information after receiving a second service request, entered by the user through the browser, that carries no user identity token, and to receive the login information entered by the user through the browser;
    the authentication module is further configured to receive the login information sent by the web application and send the login information to the Internet platform;
    the Internet platform is further configured to receive the login information sent by the authentication module, generate a user identity token according to the login information when the login information is legitimate and valid, and return the user identity token to the browser through the authentication module and the corresponding web application.
  15. The authentication system according to claim 13 or 14, characterized in that the authentication module takes the form of a plug-in; the authentication module comprises an interception unit and a forwarding unit, wherein the interception unit is configured to intercept information related to the Internet platform, and the forwarding unit is configured to forward information related to the Internet platform.
  16. An authentication system, characterized by comprising:
    an authentication module, configured to receive a first service request sent by a web application and send the first service request to an Internet platform;
    the Internet platform, configured to receive the first service request sent by the authentication module and, according to a verification result of the user identity token in the first service request, control the corresponding web application to respond to the first service request.
  17. An electronic device, characterized in that the device comprises a memory and a processor, the memory being configured to store computer instructions that can run on the processor, and the processor being configured to implement the method according to any one of claims 1 to 11 when executing the computer instructions.
  18. A computer-readable storage medium on which a computer program is stored, characterized in that the program, when executed by a processor, implements the method according to any one of claims 1 to 11.
PCT/CN2022/079103 2021-06-18 2022-03-03 Authentication method, apparatus and system, electronic device, and storage medium WO2022262322A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN202110680646.9A CN113297562A (en) 2021-06-18 2021-06-18 Authentication method, device, system, electronic equipment and storage medium
CN202110680646.9 2021-06-18

Publications (1)

Publication Number Publication Date
WO2022262322A1 true WO2022262322A1 (en) 2022-12-22

Family

ID=77328860

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2022/079103 WO2022262322A1 (en) 2021-06-18 2022-03-03 Authentication method, apparatus and system, electronic device, and storage medium

Country Status (2)

Country Link
CN (1) CN113297562A (en)
WO (1) WO2022262322A1 (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113297562A (en) * 2021-06-18 2021-08-24 北京中祥英科技有限公司 Authentication method, device, system, electronic equipment and storage medium
CN114513350A (en) * 2022-02-08 2022-05-17 中国农业银行股份有限公司 Identity verification method, system and storage medium

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104378376A (en) * 2014-11-18 2015-02-25 深圳中兴网信科技有限公司 SOA-based single-point login method, authentication server and browser
EP3334115A1 (en) * 2016-12-07 2018-06-13 Swisscom AG User authentication based on token
CN110730171A (en) * 2019-10-10 2020-01-24 北京东软望海科技有限公司 Service request processing method, device and system, electronic equipment and storage medium
CN113297562A (en) * 2021-06-18 2021-08-24 北京中祥英科技有限公司 Authentication method, device, system, electronic equipment and storage medium

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102457376B (en) * 2010-10-29 2016-02-10 中兴通讯股份有限公司 A kind of method and system of cloud computing service unified certification
CN105847220A (en) * 2015-01-14 2016-08-10 北京神州泰岳软件股份有限公司 Authentication method and system, and service platform
CN110417730B (en) * 2019-06-17 2022-07-19 平安科技(深圳)有限公司 Unified access method of multiple application programs and related equipment

Also Published As

Publication number Publication date
CN113297562A (en) 2021-08-24

Similar Documents

Publication Publication Date Title
US10904234B2 (en) Systems and methods of device based customer authentication and authorization
TWI659313B (en) Automatic login method and device between multiple websites
JP6643373B2 (en) Information processing system, control method and program therefor
US10003587B2 (en) Authority transfer system, method, and authentication server system by determining whether endpoints are in same or in different web domain
US8532620B2 (en) Trusted mobile device based security
US9094212B2 (en) Multi-server authentication token data exchange
EP1914658B1 (en) Identity controlled data center
US20220255931A1 (en) Domain unrestricted mobile initiated login
WO2015196659A1 (en) Method and device for authenticating connection between desktop cloud client and serving end
US20140189799A1 (en) Multi-factor authorization for authorizing a third-party application to use a resource
US20050120214A1 (en) Systems and methods for enhancing security of communication over a public network
WO2022262322A1 (en) Authentication method, apparatus and system, electronic device, and storage medium
US20180091490A1 (en) Authentication framework for a client of a remote database
US11870766B2 (en) Integration of legacy authentication with cloud-based authentication
US20170279798A1 (en) Multi-factor authentication system and method
CN108027799A (en) The safety container platform for accessing and disposing for the resource in equipment that is unregulated and not protected
US20120311331A1 (en) Logon verification apparatus, system and method for performing logon verification
US20220224535A1 (en) Dynamic authorization and access management
US11233776B1 (en) Providing content including sensitive data
JP5992535B2 (en) Apparatus and method for performing wireless ID provisioning
US20230262045A1 (en) Secure management of a robotic process automation environment
WO2016084822A1 (en) Server system and method for controlling multiple service systems
WO2022144024A1 (en) Attribute-based encryption keys as key material for key-hash message authentication code user authentication and authorization
JP2012079231A (en) Authentication information management device and authentication information management method
JP2020053100A (en) Information processing system, control method thereof and program

Legal Events

Date Code Title Description
121 EP: the EPO has been informed by WIPO that EP was designated in this application

Ref document number: 22823814

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE