CN101997685B - Single sign-on method, single sign-on system and associated equipment - Google Patents


Info

Publication number: CN101997685B
Authority: CN (China)
Application number: CN 200910171267
Other versions: CN101997685A (en)
Other languages: Chinese (zh)
Inventors: 彭卫, 孔勇伟
Current assignee: Alibaba Group Holding Ltd
Original assignee: Alibaba Group Holding Ltd
Related publication: HK1149862A1
Legal status: Active (granted)
Prior art keywords: url, server, request, user, authorization information

Abstract

The invention provides a single sign-on method, a single sign-on system and associated equipment, and aims to solve the problem in the prior art that an unauthorized user has the opportunity to impersonate a legitimate user and view the target page. The method comprises the following steps: a client processing unit sends a registration request to a web service unit; the web service unit determines a local uniform resource locator (URL) that uniquely corresponds to the target page URL in the registration request and sends a registration response containing the local URL to the client processing unit; after receiving the registration response, the client processing unit sends a login request containing authorization information and the local URL to a login-free server; once that server has verified the user identity from the authorization information in the login request, the single sign-on device follows its indication and instructs a web browser to send a request message for accessing the local URL to the web service unit; and the web service unit, according to the request message, instructs the web browser to access the corresponding target page URL.

Description

Single sign-on method, single sign-on system and related device
Technical field
The application relates to the technical field of computer networks, and in particular to a single sign-on method, a single sign-on device, a login-free server and a single sign-on system.
Background technology
With the rapid development of information and network technology there are more and more network application systems, for example web mail, professional forums and Bulletin Board Systems (BBS). Before using each of these systems the user must log in with a previously agreed username and password, so the user has to remember the username and password required for every system, which is very inconvenient.
To solve this problem, single sign-on (SSO) technology emerged. SSO makes it convenient for a user to access several network application systems: when logging in to the first system, the client can direct the user to a login-free server (免登服务器) to log in; the login-free server authenticates the user from the login information the user provides, such as the username and the password (or the authorization information the client obtains by encrypting the user's password), and if authentication passes it returns an authentication credential (ticket) to the user. The user carries this ticket when subsequently accessing other network application systems; on receiving the user's access request, those systems can verify the legitimacy of the ticket with the login-free server, and if the ticket is legitimate the user can access them directly without logging in again.
Fig. 1 is a schematic diagram of the verification process performed with the login-free server when the user logs in to a network application system for the first time.
Steps 101 and 102: the user sends a single sign-on request message to the login-free server through the client and the web browser. The message contains the user identifier UID, first signature information and the uniform resource locator (URL) of the target page the user wants to access, where the first signature information is obtained by the client encrypting the UID, the password and the target page URL;
Step 103: after receiving the single sign-on request, the login-free server finds the password corresponding to the UID contained in the request, encrypts the UID, the found password and the target page URL contained in the request with the encryption method agreed in advance with the client to obtain second signature information, and compares the first and second signature information; when the two are consistent it allocates a ticket to the user and proceeds to step 104;
Step 104: the allocated ticket is sent to the web browser, and the browser is instructed to jump to the target page URL contained in the single sign-on request message;
Step 105: the web browser sends a request message to the target application system containing the URL of the requested target page and the ticket;
Step 106: the network application system corresponding to the target page verifies the ticket;
Step 107: after the verification of step 106 succeeds, the target network application system returns the page content of the requested target page to the user.
If the single sign-on request message sent in step 102 above is intercepted by another malicious user using hacking software, that user can send the request to the login-free server and, once verification succeeds, impersonate the user to access the target network application system.
To avoid this problem, the login-free server sets a validity period for the ticket when issuing it, for example 5 minutes; after the validity period expires the ticket can no longer be used to request page content from the target application system. However, even with a short ticket validity period it is still difficult to prevent a malicious user from impersonating a legitimate user to access the target network application system within that short time.
Summary of the invention
The embodiments of the present application provide a single sign-on method to solve the problem in existing single sign-on technology that an unauthorized user can impersonate a legitimate user to access the target page.
Accordingly, the embodiments also provide a single sign-on device, a login-free server and a single sign-on system.
The technical solutions provided by the embodiments are as follows:
A single sign-on method comprises:
a client processing unit in a single sign-on device sends a registration request to a web service unit;
the web service unit determines a local URL that uniquely corresponds to the target page URL contained in the registration request, stores the correspondence between the local URL and the target page URL, and sends a registration response containing the local URL to the client processing unit;
after receiving the registration response, the client processing unit sends a login request containing authorization information and the local URL to a login-free server;
after the login-free server has verified the user identity from the authorization information in the login request, the single sign-on device receives its indication and instructs the web browser in the single sign-on device to send a request message for accessing the local URL to the web service unit;
according to the request message, when the web service unit determines that it has stored the correspondence between the requested local URL and a target page URL, it instructs the web browser to access that target page URL.
A single sign-on method comprises:
after receiving a login request sent by a single sign-on device, a login-free server looks up the password corresponding to the user identifier contained in the login request;
it obtains server-side authorization information from the user identifier, the found password and the local URL contained in the login request; and
after determining that the authorization information contained in the login request is consistent with the server-side authorization information, it instructs the web browser in the single sign-on device to access the local URL, where the local URL uniquely corresponds to the target page URL the user wants to access.
A single sign-on device comprises:
a client processing unit, for sending a registration request to the web service unit and, after receiving the corresponding registration response, sending a login request containing authorization information and the local URL from the registration response to the login-free server;
a web service unit, for receiving the registration request, determining a local URL uniquely corresponding to the target page URL contained in it, storing the correspondence between the local URL and the target page URL, sending a registration response containing the local URL to the client processing unit, and, on a page access request sent by the web browser in this single sign-on device, instructing the browser to access the corresponding target page URL when it determines that it has stored the correspondence between the local URL in the request and a target page URL.
A login-free server comprises:
a receiving unit, for receiving the login request sent by a single sign-on device;
a lookup unit, for looking up the password corresponding to the user identifier contained in the login request;
a determining unit, for obtaining server-side authorization information, using the method agreed with the single sign-on device, from the user identifier and local URL contained in the login request and the password found by the lookup unit;
a judging unit, for judging whether the server-side authorization information obtained by the determining unit is consistent with the authorization information contained in the login request;
an indicating unit, for instructing the web browser in the single sign-on device to request the local URL contained in the login request when the judging unit finds the two consistent, where the local URL uniquely corresponds to the target page URL the user wants to access.
A single sign-on system comprises a single sign-on device and a login-free server, wherein:
the single sign-on device is used to determine a local URL uniquely corresponding to the target URL, send a login request containing authorization information and the local URL to the login-free server, and, following the login-free server's indication, send a request message for accessing the target page URL to the network-side web page server that provides the page corresponding to the target URL, once it determines that it has stored the correspondence between the local URL indicated by the login-free server and the target page URL;
the login-free server is used to receive the login request and, after verifying the user identity from the authorization information it contains, instruct the single sign-on device to access the URL contained in the login request.
In the embodiments the client no longer carries the target page URL in the login request message but a predetermined local URL that uniquely corresponds to it. After verification passes, the login-free server instructs the web browser, which is located on the same computer as the client, to request the local URL contained in the login request, and the local web server on that computer instructs the browser to request the corresponding target page once it judges that it has stored the correspondence between the requested local URL and the target page. This avoids the problem that a login request carrying the target page URL is obtained by an unauthorized user, who then impersonates the legitimate user to access the target page.
Description of drawings
Fig. 1 is a schematic diagram of the verification process in existing single sign-on technology;
Fig. 2 is a flow chart of the main implementation principle of the embodiments of the present application;
Fig. 3 is a flow chart of the single sign-on method proposed in embodiment one;
Fig. 4 is a flow chart of the single sign-on method proposed in embodiment two;
Fig. 5 is a flow chart of the single sign-on method proposed in embodiment three;
Fig. 6 is a schematic structural diagram of the single sign-on device proposed in the embodiments;
Fig. 7 is a schematic structural diagram of the login-free server proposed in the embodiments.
Embodiments
In the existing single sign-on scheme, once an unauthorized user intercepts the login request message that the single sign-on client sends to the login-free server, which carries the user identifier UID, signature information and the target page URL the user wants to access, the unauthorized user can impersonate the user, request verification from the login-free server, obtain the authentication credential (ticket) and thus access the target page; this is a security risk.
The embodiments of the present application propose no longer carrying the target page URL in the login request message but a predetermined local URL that uniquely corresponds to it. After verification passes, the login-free server instructs the user who sent the login request to jump to the local URL. A legitimate user can then obtain the target page URL from the pre-stored correspondence between the local URL and the target page URL and access the target page through it, whereas an unauthorized user cannot continue to access the target page because no target page URL corresponding to the local URL exists locally. The security problem of the existing single sign-on technology described above is thus avoided.
The main implementation principle, the embodiments and the beneficial effects that can be achieved are set out in detail below with reference to the drawings.
As shown in Fig. 2, the main implementation principle process of the embodiments is as follows:
Step 10: before sending a login request to the login-free server, the single sign-on device determines a local URL uniquely corresponding to the target page and stores the correspondence between this local URL and the target page URL in the web service unit in the single sign-on device that provides the local URL;
Step 20: the single sign-on device sends a login request message to the login-free server containing authorization information and the local URL determined in step 10;
Step 30: based on the authorization information in the login request message, and after verification succeeds, the login-free server instructs the web browser in the single sign-on device to send a request message for accessing the local URL contained in the login request to the web service unit in the single sign-on device;
Step 40: when the web service unit determines that it has stored the correspondence between the local URL requested by the browser and a target page URL, it instructs the browser to access the corresponding target page.
Following the above principle, an embodiment is now introduced to explain and illustrate the main implementation principle of the method in detail.
Embodiment one
Referring to Fig. 3, the flow chart of the single sign-on method proposed in this embodiment: the single sign-on system comprises a single sign-on device on the user side and a login-free server on the network side. The single sign-on device comprises a client processing unit, a web service unit and a web browser. The client processing unit receives the username, password and target page URL that the user enters and needs to log in to, and sends the login request to the login-free server; it may be an independent software product or a browser-type product built on an existing browser. The web service unit may be implemented by an existing web page server, the general term for software that provides local page URLs and answers the web browser's URL access requests, for example the widely used Apache family of products on Unix platforms; the web browser is the general term for software that accesses a specified URL at the direction of the user or another application, for example Microsoft's Internet Explorer family of products. Before performing single sign-on, the user should have registered a user identifier and corresponding password with the login-free server in advance through the client processing unit.
Step 301: after the user enters the user identifier, the corresponding password and the URL of the target page to be logged in to in the client processing unit of the single sign-on device, the client processing unit sends a registration request containing the target page URL to the web service unit located in the same single sign-on device; for example the target page URL is http://www.targetweb.com/item_detail=23445;
Step 302: after receiving the registration request, the web service unit determines, according to a predetermined rule, a local URL uniquely corresponding to the target page URL contained in the request. For example, the rule may be "http://127.0.0.1:8808/auth?sid=" followed by an identifier uniquely corresponding to the target page URL; for the target page URL http://www.targetweb.com/item_detail=23445 above, the local URL determined is http://127.0.0.1:8808/auth?sid=123456. The web service unit also stores the correspondence between the target page URL and the determined local URL;
Step 303: the web service unit sends a registration response containing the local URL determined in step 302 to the client processing unit;
Step 304: after receiving the registration response from the web service unit, the client processing unit obtains the local URL from it and determines first authorization information from the user identifier and password entered by the user and the local URL in the registration response, using the method agreed in advance with the login-free server. For example, the client processing unit first forms a string containing the local URL, the user identifier and the password and encrypts it with the encryption method agreed with the login-free server, such as the MD5 algorithm; to improve the security of the authorization information it may also reverse the resulting hash and use the reversed hash as the first authorization information. To further improve security, so that the authorization information differs on every login to the same target page, the current time information may be included in addition to the local URL, user identifier and password when determining the authorization information.
Step 305: after determining the first authorization information, the client processing unit sends a login request containing the user identifier, the first authorization information and the local URL from the registration response to the login-free server;
Step 306: after receiving the login request sent by the client processing unit in step 305, the login-free server looks up, among the passwords it stores, the one corresponding to the user identifier in the login request and, using the method for determining authorization information agreed in advance with the client processing unit, such as the MD5 algorithm, obtains second authorization information from the user identifier, the found password and the local URL contained in the login request;
Step 307: the login-free server compares the first authorization information contained in the login request sent by the client processing unit in step 305 with the second authorization information determined in step 306; when they are consistent it determines that verification succeeded and proceeds to step 308, otherwise it determines that verification failed and discards the login request or returns a login failure message;
Step 308: after verification succeeds, the login-free server instructs the web browser in the user-side single sign-on device to access the local URL contained in the login request received in step 306. As in the prior art, the login-free server may carry an authentication credential in the instruction message when instructing the browser to access the local URL; specifically, the credential may be carried as a parameter of the local URL contained in the login request, and the browser is instructed to open the local URL with that parameter. To improve security, the credential may also be encrypted according to the cipher agreed with the web page server; for example, the local URL carrying the encrypted credential is "http://127.0.0.1/dosth?sid=123456&ticket=JDFU324o329jdcvjcv0374023842--8324-83207230432084", where the newly added part after "ticket=", "JDFU324o329jdcvjcv0374023842--8324-83207230432084", is the encrypted authentication credential;
Step 309: following the login-free server's instruction in step 308, the web browser in the single sign-on device sends a request message for accessing the local URL above to the web service unit in the same single sign-on device;
Step 310: after receiving the browser's request message for accessing the local URL, the web service unit judges whether a target page URL corresponding to the local URL in the browser's request exists among the local URL to target page URL correspondences it stores. If so, the local URL contained in the login request of step 305 was determined in advance through the registration process, that is, the login request was sent by the client processing unit in this single sign-on device, and the flow proceeds to step 311; otherwise no further processing is performed;
Step 311: the web service unit instructs the web browser to send an access request message to the web page server corresponding to the target page URL. The web service unit may carry the authentication credential in the instruction message; this credential is obtained by decrypting the one carried in the local URL of the browser's access request in step 310, using the encryption method agreed in advance with the login-free server.
Because the client processing unit and the web service unit are located in the same single sign-on device, the messages of the registration interaction in steps 301 to 303 cannot be obtained by other unauthorized users on the network.
In this embodiment the web service unit may also be independent of the single sign-on device, for example one server or a group of servers set up separately outside it. As long as the communication between this web service unit and the single sign-on device is kept secure, for example by connecting them over a dedicated line, the security of the single sign-on process can still be improved.
In this embodiment, before the user sends the login request to the login-free server, the local URL corresponding to the target page URL the user requests is determined in advance, and the login request carries the local URL rather than the target page URL. Even if the login request message is intercepted by another unauthorized user, the computer that user employs holds no target page URL corresponding to the local URL, so the unauthorized user still cannot impersonate the user to access the target page URL after verification succeeds. The problem that an intercepted login request lets an unauthorized user impersonate a legitimate user to log in to the target page is thus avoided.
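The registration, login and local-redirect exchange of embodiment one (steps 301 to 311), simulated end to end in Python as an added example; this is not code from the patent or from Alibaba. The client processing unit, web service unit and login-free server are plain classes exchanging dictionaries and strings instead of HTTP messages. The concatenation order and separator inside the MD5 input, the random identifier used in place of the page's sid=123456, the shared ticket key, and the XOR keystream standing in for the agreed ticket encryption of step 308 are all assumptions; the time input mentioned at the end of step 304 is included as an option. The demo also exercises the failure mode the embodiment relies on: a login request seen from a different machine still passes server verification but stops at step 310, because that machine's web service unit holds no correspondence for the local URL.

```python
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlsplit

# Constructed sample values, taken from the patent's example target URL and local-URL rule.
TARGET_URL = "http://www.targetweb.com/item_detail=23445"
LOCAL_BASE = "http://127.0.0.1:8808/auth?sid="


def authorization_info(local_url, uid, password, timestamp=None):
    """Authorization information of step 304: MD5 over the local URL, user ID and
    password (MD5 is the algorithm the page names), hex digest reversed as the page
    suggests. Adding the current time makes the value differ on every login.
    Field order and the '|' separator are assumptions."""
    parts = [local_url, uid, password]
    if timestamp is not None:
        parts.append(str(timestamp))
    digest = hashlib.md5("|".join(parts).encode()).hexdigest()
    return digest[::-1]


def xor_keystream(key, nonce, data):
    """Toy stand-in for the cipher agreed between the login-free server and the web
    service unit (steps 308 and 311); keystream derived from key and nonce with SHA-256."""
    stream = hashlib.sha256(key + nonce.encode()).digest()
    return bytes(b ^ stream[i % len(stream)] for i, b in enumerate(data))


class WebServiceUnit:
    """Web service unit on the user's machine: issues local URLs and keeps the
    local URL -> target page URL correspondence (steps 302, 310 and 311)."""

    def __init__(self, ticket_key):
        self.ticket_key = ticket_key   # assumed to be agreed with the login-free server
        self.mapping = {}              # sid -> target page URL

    def register(self, target_url):
        sid = secrets.token_hex(4)     # identifier uniquely corresponding to this target URL
        self.mapping[sid] = target_url
        return LOCAL_BASE + sid        # registration response of step 303

    def handle_browser_request(self, requested_url):
        query = parse_qs(urlsplit(requested_url).query)
        sid = query.get("sid", [None])[0]
        target = self.mapping.get(sid)
        if target is None:
            return None                # step 310: no stored correspondence, stop here
        ticket = None
        if "ticket" in query:
            enc = bytes.fromhex(query["ticket"][0])
            ticket = xor_keystream(self.ticket_key, sid, enc).decode()
        return target, ticket          # step 311: browser goes to the target page with the ticket


class LoginFreeServer:
    """Network-side login-free server: verifies the login request (steps 306 to 308)."""

    def __init__(self, users, ticket_key):
        self.users = users             # uid -> password registered in advance
        self.ticket_key = ticket_key

    def login(self, request):
        password = self.users.get(request["uid"])
        if password is None:
            return None
        expected = authorization_info(request["local_url"], request["uid"],
                                      password, request.get("time"))
        if not hmac.compare_digest(expected, request["auth"]):
            return None                # step 307: verification failed
        sid = request["local_url"].rsplit("sid=", 1)[1]
        ticket = secrets.token_hex(16)
        enc = xor_keystream(self.ticket_key, sid, ticket.encode()).hex()
        return request["local_url"] + "&ticket=" + enc  # step 308: open this local URL


def client_login(web_service, server, uid, password, target_url, use_time=True):
    """Client processing unit plus browser: steps 301 to 305 and 309 to 311."""
    local_url = web_service.register(target_url)
    ts = int(time.time()) if use_time else None
    request = {"uid": uid, "local_url": local_url, "time": ts,
               "auth": authorization_info(local_url, uid, password, ts)}
    instruction = server.login(request)
    if instruction is None:
        return None, request
    return web_service.handle_browser_request(instruction), request


def demo():
    key = b"ticket-key-agreed-in-advance"  # constructed
    server = LoginFreeServer({"alice": "s3cret"}, key)
    user_machine = WebServiceUnit(key)
    result, request = client_login(user_machine, server, "alice", "s3cret", TARGET_URL)
    # The same login request seen from another machine: the server still verifies it,
    # but that machine's web service unit holds no correspondence for the local URL.
    other_machine = WebServiceUnit(key)
    instruction = server.login(request)
    other = other_machine.handle_browser_request(instruction) if instruction else None
    return result, other


if __name__ == "__main__":
    print(demo())
```

`demo()` returns the target URL and decrypted ticket for the legitimate machine and `None` for the other machine. The page names MD5 and a reversed digest for the authorization information; a current implementation of the same scheme would use an HMAC with a per-user secret and a fresh nonce in place of the bare hash, which keeps the protocol structure of the embodiment unchanged.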
Embodiment two,
In embodiment one, to determine the first authorization information by the client process unit in the single-sign-on equipment, realized determining in the present embodiment the function of the first authorization information by the web service unit in the single-sign-on equipment, the registration request that the client process unit sends to the web service unit not only should comprise target web URL, user ID and the password that also should comprise user's input, the web service unit is after determining the first authorization information, the first authorization information is informed the client process unit, carry the first authorization information by the client process unit in sending to the logging request of exempting to step on server, detailed process please refer to shown in the accompanying drawing 4.
Step 401, behind the URL of the target web of inputting the password of user ID, correspondence in the client process unit of user in single-sign-on equipment and needing to login, the web service unit of client process unit in the same single-sign-on equipment sends the registration request of password corresponding to the user ID that comprises target web URL, user's input and user ID, and for example target web URL is http://www.targetweb.com/item_detail=23445;
Step 402, after the web service unit receives registration request, according to predetermined rule, determine with registration request in the unique corresponding local URL of target web URL that comprises, the local URL that for example determines is http: // 127.0.0.1:8808/auth? sid=123456; And preserve the corresponding relation of above-mentioned target web URL and the local URL that determines;
Step 403, the web service unit after determining local URL corresponding to target web URL, according in advance with the method for exempting to step on server commitment, according to the local URL that comprises in the user ID of user input, password, the registration response, determine the first authorization information, enter step 404;
Step 404, the web service unit sends the registration response to client, comprises local URL and the first authorization information of determining in the step 403 in the registration response;
Step 405, client process unit after receiving registration response, to network side exempt from step on server and send logging request, comprise the local URL and the first authorization information that comprise in the user ID of user's input and the registration response in the logging request;
Step 406: after the login-free server receives the login request sent in step 405 by the client processing unit in the single sign-on device, it obtains the user ID from the login request, finds the password corresponding to that user ID in its stored correspondence between user IDs and passwords, and determines the second authorization information from this user ID, the password found and the URL contained in the login request, using the method for determining authorization information agreed in advance with the web service unit in the single sign-on device;
Step 407: the login-free server compares the first authorization information contained in the login request sent in step 405 by the client processing unit in the single sign-on device with the second authorization information determined in step 406. If the two are consistent, verification succeeds and step 408 is entered; otherwise the login request is discarded or the user is informed that verification failed;
Step 408: after verification succeeds, the login-free server instructs the web browser in the user-side single sign-on device to access the local URL contained in the login request received in step 406. As in step 308, the login-free server may carry the authentication credential as a parameter of the local URL contained in the login request;
Step 409: following the instruction of the login-free server in step 408, the web browser sends a request message for accessing the above local URL to the web service unit in the same single sign-on device;
Step 410: after the web service unit in the single sign-on device receives the request message for accessing the local URL sent by the web browser, it judges whether the correspondence between local URLs and target page URLs that it stores contains a target page URL corresponding to the local URL in the access request message sent by the web browser. If it does, the local URL contained in the login request of step 405 was determined in advance by the registration process, that is, the login request was sent by the client processing unit in this single sign-on device, and step 411 is entered; otherwise no further processing is performed;
Step 411: the web service unit instructs the web browser to send an access request message to the web page server corresponding to the target page URL. The web service unit may carry the authentication credential in the instruction message; this credential is obtained by decrypting the credential carried in the local URL of the access request message sent by the web browser in step 410, using the encryption method agreed in advance with the login-free server.
Likewise, in this embodiment the web service unit may also be independent of the single sign-on device, for example as one server or a group of servers set up separately outside the single sign-on device. As long as the communication between this web service unit and the single sign-on device is secured, for example by connecting the web service unit and the single sign-on device over a dedicated line, the security of the single sign-on process can be improved.
Embodiment three
In embodiment one or embodiment two, the first authorization information or the second authorization information is determined by the client processing unit, the web service unit or the login-free server from the user ID, the password and the local URL according to the agreed method. In this embodiment, the authorization information is determined not only from those three items of information but also from the time information at which the first authorization information is determined. In this way, even when the same computer is used, the authorization information determined when the same target page is accessed at different times differs, so that another, illegitimate user of the same computer cannot impersonate the legitimate user to access that target page. The detailed process is shown in Figure 5.
Step 501: after the user enters the user ID, the corresponding password and the URL of the target page to be logged into in the client processing unit of the single sign-on device, the client processing unit sends a registration request containing the target page URL, the user ID entered by the user and the password corresponding to the user ID to the web service unit in the same single sign-on device; for example, the target page URL is http://www.targetweb.com/item_detail=23445;
Step 502: after the web service unit receives the registration request, it determines, according to a predetermined rule, a local URL uniquely corresponding to the target page URL contained in the registration request, for example http://127.0.0.1:8808/auth?sid=123456, and stores the correspondence between the above target page URL and the local URL determined;
Step 503: after determining the local URL corresponding to the target page URL, the web service unit determines the first authorization information from the user ID and password entered by the user, the local URL contained in the registration response and the current time information, using the method agreed in advance with the login-free server, and enters step 504;
Step 504: the web service unit sends a registration response to the client; the registration response contains the local URL and the first authorization information determined in step 503, together with the time information at which the web service unit determined the first authorization information;
Step 505: after receiving the registration response, the client processing unit sends a login request to the network-side login-free server; the login request contains the user ID entered by the user and the local URL, the first authorization information and the time information contained in the registration response;
Step 506: after the login-free server receives the login request sent in step 505 by the client processing unit in the single sign-on device, it obtains the user ID from the login request, finds the password corresponding to that user ID in its stored correspondence between user IDs and passwords, and determines the second authorization information from this user ID, the password found, and the URL and time information contained in the login request, using the method for determining authorization information agreed in advance with the web service unit in the single sign-on device;
Step 507: the login-free server compares the first authorization information contained in the login request sent in step 505 by the client processing unit in the single sign-on device with the second authorization information determined in step 506. If the two are consistent, verification succeeds and step 508 is entered; otherwise the login request is discarded or the user is informed that verification failed;
Step 508: after verification succeeds, the login-free server instructs the web browser in the user-side single sign-on device to access the local URL contained in the login request received in step 506. As in step 308, the login-free server may carry the authentication credential as a parameter of the URL contained in the login request;
Step 509: following the instruction of the login-free server in step 508, the web browser sends a request message for accessing the above local URL to the web service unit in the same single sign-on device;
Step 510: after the web service unit in the single sign-on device receives the request message for accessing the local URL sent by the web browser, it judges whether the correspondence between local URLs and target page URLs that it stores contains a target page URL corresponding to the local URL in the access request message sent by the web browser. If it does, the local URL contained in the login request of step 505 was determined in advance by the registration process, that is, the login request was sent by the client processing unit in this single sign-on device, and step 511 is entered; otherwise no further processing is performed;
Step 511: the web service unit instructs the web browser to send an access request message to the web page server corresponding to the target page URL. The web service unit may carry the authentication credential in the instruction message; this credential is obtained by decrypting the credential carried in the local URL of the access request message sent by the web browser in step 510, using the encryption method agreed in advance with the login-free server.
To further improve security, the password contained in the registration request sent in step 501 by the client processing unit in the single sign-on device may be obtained by the client processing unit encrypting the password entered by the user with the encryption method agreed with the login-free server; correspondingly, the password that the login-free server finds from the user ID contained in the login request is the result of encrypting, with the agreed encryption method, the password the user entered when registering at the login-free server.
In step 503, the process by which the web service unit in the single sign-on device determines the first authorization information from the user ID and password entered by the user, the local URL contained in the registration response and the current time information is similar to the process by which the client determines the first authorization information in step 304: the web service unit first obtains a character string containing the local URL, the user ID, the password and the current time, and encrypts that string with the encryption method agreed in advance with the login-free server, for example the MD5 algorithm. To further improve the security of the authorization information, it may also compute the reverse sequence of the hash of the encrypted string and use that reverse sequence as the first authorization information.
In step 506 above, the login-free server obtains the second authorization information from the user ID, the password found, and the local URL and time information contained in the login request, by a method similar to the one used to determine the first authorization information in step 503.
As in embodiment one, the function of determining the first authorization information in step 503 may also be performed by the client processing unit in the same single sign-on device.
As in embodiment one, to ensure the security of transmitting the authentication credential, the login-free server, after verification succeeds, encrypts the authentication credential allocated to the user with the encryption method agreed in advance with the web service unit in the single sign-on device and carries the encrypted credential in the instruction message that instructs the web browser in the single sign-on device to access the local URL, for example as a parameter of the requested local URL. When the web service unit determines that the correspondence between the local URL requested by the web browser and a target page URL exists, it decrypts, with the agreed encryption method, the encrypted credential carried in the page request message sent by the web browser, and carries the decrypted credential in the instruction message that instructs the web browser to access the target page.
In step 510, after the web service unit has determined that the login request was sent by the client processing unit located in the same single sign-on device as the web browser, it may also remove the correspondence between the local URL and the target page URL, which saves storage space.
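The flow of steps 501 to 511 (and, without the time information, steps 406 to 411) modelled end to end, as an added example that is not the patent's own code. It assumes MD5 (the page's example) as the agreed hash and the reversed hex digest as the authorization information, a toy HMAC-SHA256 keystream XOR standing in for the agreed credential cipher, and a constructed shared key, user table, credential and a freshness window that the patent does not describe.

```python
"""Model of embodiment three (steps 501-511); steps 406-411 are the same without ts.

Added example, not the patent's code. Assumptions: MD5 (the page's own example) is the
agreed "encryption" of the concatenated string and the authorization information is its
reversed hex digest; the credential cipher is a toy HMAC-SHA256 keystream XOR; the key,
user table, credential and freshness window (not in the patent) are constructed here.
"""
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed: key agreed in advance between login-free server and web service unit.
SHARED_KEY = b"constructed-shared-key"


def derive_authorization(local_url: str, user_id: str, password: str, ts: int) -> str:
    """Steps 503/506: hash the string of local URL, user ID, password and time with the
    agreed algorithm (MD5 here) and take the reverse sequence of the hash."""
    material = f"{local_url}|{user_id}|{password}|{ts}".encode()
    return hashlib.md5(material).hexdigest()[::-1]


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy symmetric cipher (assumption): XOR with an HMAC-SHA256 keystream."""
    stream, counter = bytearray(), 0
    while len(stream) < len(data):
        stream += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def encrypt_credential(key: bytes, credential: str) -> str:
    nonce = secrets.token_bytes(8)
    return (nonce + _keystream_xor(key, nonce, credential.encode())).hex()


def decrypt_credential(key: bytes, blob: str) -> str:
    raw = bytes.fromhex(blob)
    return _keystream_xor(key, raw[:8], raw[8:]).decode()


class WebServiceUnit:
    """Web service unit inside the single sign-on device (same machine as the browser)."""

    def __init__(self) -> None:
        self.mapping: Dict[str, str] = {}  # local URL -> target page URL (step 502)

    def register(self, target_url: str, user_id: str, password: str) -> dict:
        """Steps 502-504: allocate a local URL unique to the target page URL, store the
        mapping and build the registration response with the first authorization info."""
        sid = secrets.token_hex(4)  # assumption: random sid, not the page's fixed "123456"
        local_url = f"http://127.0.0.1:8808/auth?sid={sid}"
        self.mapping[local_url] = target_url
        ts = int(time.time())
        return {"local_url": local_url, "ts": ts,
                "authorization": derive_authorization(local_url, user_id, password, ts)}

    def handle_local_request(self, requested_url: str) -> Optional[dict]:
        """Steps 510-511: honour the request only if the local URL (credential parameter
        stripped) came from this unit's own registration; the mapping is then removed."""
        parsed = urlparse(requested_url)
        query = parse_qs(parsed.query)
        blob = query.pop("cred", [None])[0]
        local_url = parsed._replace(query=urlencode({k: v[0] for k, v in query.items()})).geturl()
        target = self.mapping.pop(local_url, None)
        if target is None or blob is None:
            return None  # not issued via this device's client processing unit: stop here
        return {"target_url": target, "credential": decrypt_credential(SHARED_KEY, blob)}


class LoginFreeServer:
    """Network-side login-free server (steps 506-508)."""

    def __init__(self, users: Dict[str, str], max_age: int = 300) -> None:
        self.users = users      # constructed user ID -> password table
        self.max_age = max_age  # freshness window: added here, not described in the patent

    def handle_login(self, req: dict) -> Optional[str]:
        """Recompute the second authorization information and, on a match, return the
        instruction: the local URL with the encrypted credential as a parameter."""
        password = self.users.get(req["user_id"])
        if password is None:
            return None
        expected = derive_authorization(req["local_url"], req["user_id"], password, req["ts"])
        if not hmac.compare_digest(expected, req["authorization"]):  # step 507
            return None
        if abs(int(time.time()) - req["ts"]) > self.max_age:
            return None
        credential = f"credential-for-{req['user_id']}"  # constructed authentication credential
        return f"{req['local_url']}&cred={encrypt_credential(SHARED_KEY, credential)}"


def single_sign_on(unit: WebServiceUnit, server: LoginFreeServer,
                   user_id: str, password: str, target_url: str) -> Optional[dict]:
    """Steps 501-511 end to end as driven by the client processing unit and the browser."""
    resp = unit.register(target_url, user_id, password)                     # 501-504
    login_req = {"user_id": user_id, "local_url": resp["local_url"],
                 "authorization": resp["authorization"], "ts": resp["ts"]}  # 505
    instruction = server.handle_login(login_req)                             # 506-508
    if instruction is None:
        return None                                                          # verification failed
    return unit.handle_local_request(instruction)                            # 509-511
```

The check in `handle_local_request` is what stops a login request that did not originate from this device's own registration, and popping the mapping is the storage clean-up described for step 510.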
Correspondingly, Figure 6 is a schematic structural diagram of a single sign-on device proposed by this application. The single sign-on device comprises a client processing unit 601, a web service unit 602 and a web browser 603, wherein:
the client processing unit 601 is used to send a registration request to the web service unit 602 and, after receiving the corresponding registration response, to send to the network-side login-free server a login request containing the authorization information and the local URL contained in the registration response;
the web service unit 602 is used to receive the registration request, determine a local URL uniquely corresponding to the target page URL contained in the registration request, store the correspondence between the local URL and the target page URL, send a registration response containing the local URL to the client processing unit 601, and, according to the page access request message sent by the web browser 603, instruct the web browser 603 to access the corresponding target page URL when it determines that the correspondence between the local URL in the page request message and a target page URL is stored;
the web browser 603 is used to send to the web service unit 602, according to the instruction sent by the network-side login-free server after it has successfully verified the user identity based on the authorization information in the login request, a page access request message containing the local URL, and, according to the instruction of the web service unit 602, to send an access request message to the web page server corresponding to the target URL.
The above single sign-on device may be located in the user's single computer, or its parts may be located in several mutually independent computers or devices with data processing capability.
Correspondingly, this application also provides a network-side login-free server; see Figure 7. The login-free server comprises a receiving unit 701, a lookup unit 702, a determining unit 703, a judging unit 704 and an instructing unit 705, wherein:
the receiving unit 701 is used to receive the login request sent by the above single sign-on device;
the lookup unit 702 is used to look up the password corresponding to the user ID contained in the login request;
the determining unit 703 is used to obtain the server-side authorization information from the user ID and local URL contained in the login request and the password found by the lookup unit, according to the method agreed with the single sign-on device;
the judging unit 704 is used to judge whether the server-side authorization information obtained by the determining unit 703 is consistent with the authorization information contained in the login request;
the instructing unit 705 is used, when the judging unit 704 judges that the server-side authorization information and the authorization information contained in the login request are consistent, to instruct the web browser in the single sign-on device to request the local URL contained in the login request, where the local URL uniquely corresponds to the target page URL that the user wants to access.
For convenience of description, the above system is described as divided into units by function. Of course, when implementing this application, the functions of the units may be realized in the same or in several pieces of software and/or hardware.
Obviously, those skilled in the art can make various changes and modifications to this application without departing from its spirit and scope. Thus, if these modifications and variations of this application fall within the scope of the claims of this application and their technical equivalents, this application is also intended to include them.

Claims (14)

1. A single sign-on method, characterized in that it comprises:
a client processing unit in a single sign-on device sends a registration request to a web service unit;
the web service unit determines a local URL uniquely corresponding to the target page URL contained in the registration request, stores the correspondence between the local URL and the target page URL, and sends a registration response containing the local URL to the client processing unit;
after receiving the registration response, the client processing unit sends a login request containing authorization information and the local URL to a login-free server;
the single sign-on device receives the instruction sent by the login-free server after it has successfully verified the user identity based on the authorization information in the login request, and instructs the web browser in the single sign-on device to send a request message for accessing the local URL to the web service unit;
the web service unit, according to the request message, instructs the web browser to access the corresponding target page URL when it determines that the correspondence between the requested local URL and the target page URL is stored.
2. The method of claim 1, characterized in that the authorization information is determined by the client processing unit, after receiving the registration response, from the user ID and password entered by the user and the local URL contained in the registration response, according to the method agreed in advance with the login-free server.
3. The method of claim 1, characterized in that the authorization information is determined by the web service unit, after receiving the registration request, from the local URL determined to correspond uniquely to the target page and the user ID and password contained in the registration request, according to the method agreed with the login-free server;
after determining the authorization information, the web service unit includes it in the registration response sent to the client.
4. The method of claim 3, characterized in that the web service unit determines the authorization information from the local URL, the user ID and password contained in the registration request, and current time information;
the registration response sent by the web service unit to the client also contains the time information;
the login request sent by the client processing unit to the login-free server also contains the time information; and
the login-free server verifying according to the authorization information contained in the login request specifically comprises:
the login-free server looks up the password corresponding to the user ID contained in the login request, and
obtains the server-side authorization information from this user ID, the password found, and the local URL and time information contained in the login request, and
judges whether the authorization information contained in the login request is consistent with the server-side authorization information obtained; if consistent, verification succeeds; otherwise, verification fails.
5. The method of claim 4, characterized in that the web service unit obtaining the authorization information from the local URL, the user ID and password contained in the registration request and the current time information, according to the method agreed with the login-free server, specifically comprises:
the web service unit obtains a character string containing the local URL, the user ID, the password and the current time information, and
encrypts the obtained string according to the encryption method agreed with the login-free server, and
computes the reverse sequence of the hash of the encrypted string;
the web service unit uses the computed reverse sequence of the hash as the authorization information.
6. The method of any one of claims 1 to 3, characterized in that the login-free server verifying the user identity according to the authorization information contained in the login request specifically comprises:
the login-free server looks up the password corresponding to the user ID contained in the login request, and
obtains the server-side authorization information from this user ID, the password found and the local URL contained in the login request, and
judges whether the authorization information contained in the login request is consistent with the server-side authorization information obtained; if consistent, verification succeeds; otherwise, verification fails.
7. The method of claim 1, characterized in that the password contained in the registration request is obtained by the client processing unit encrypting the password entered by the user with the encryption method agreed with the login-free server;
the password that the login-free server finds from the user ID contained in the login request is the result of encrypting, with the agreed encryption method, the password the user entered when registering at the login-free server.
8. The method of claim 1, characterized in that, after successfully verifying the user identity, the login-free server, when instructing the web browser in the single sign-on device to request the local URL, further performs the step of encrypting the authentication credential allocated to the user with the encryption method agreed with the web service unit in the single sign-on device and carrying the encrypted authentication credential in the instruction message that instructs the web browser in the single sign-on device to access the local URL; and
after determining that the correspondence between the local URL accessed by the web browser and the target page URL is stored, the web service unit further: decrypts the encrypted authentication credential carried in the page access request message sent by the web browser, and carries the decrypted authentication credential in the instruction message that instructs the web browser to access the corresponding target page URL.
9. The method of any one of claims 1 to 3, characterized in that, after the web service unit has determined that the correspondence between the local URL accessed by the web browser and the target page URL is stored and has instructed the web browser to access the corresponding target page URL, the method further comprises:
the web service unit removes the stored correspondence between the local URL and the target page URL.
10. The method of claim 1, characterized in that the web service unit and the client processing unit are located in the same single sign-on device, or the web service unit is independent of the single sign-on device.
11. A single sign-on method, characterized in that it comprises:
after a login-free server receives a login request sent by a single sign-on device, it looks up the password corresponding to the user ID contained in the login request, and
obtains the server-side authorization information from the user ID, the password found and the local URL contained in the login request, and
after determining that the authorization information contained in the login request is consistent with the server-side authorization information, instructs the web browser in the single sign-on device to access the local URL, where the local URL uniquely corresponds to the target page URL that the user wants to access.
12. A single sign-on device, characterized in that it comprises:
a client processing unit, used to send a registration request to a web service unit and, after receiving the corresponding registration response, to send to a login-free server a login request containing authorization information and the local URL contained in the registration response;
a web service unit, used to receive the registration request, determine a local URL uniquely corresponding to the target page URL contained in the registration request, store the correspondence between the local URL and the target page URL, send a registration response containing the local URL to the client processing unit, and, according to the page access request sent by the web browser in this single sign-on device, instruct the web browser to access the corresponding target page URL when it determines that the correspondence between the local URL in the page request and the target page URL is stored.
13. A login-free server, characterized in that it comprises:
a receiving unit, used to receive the login request sent by a single sign-on device;
a lookup unit, used to look up the password corresponding to the user ID contained in the login request;
a determining unit, used to obtain the server-side authorization information from the user ID and local URL contained in the login request and the password found by the lookup unit, according to the method agreed with the single sign-on device;
a judging unit, used to judge whether the server-side authorization information obtained by the determining unit is consistent with the authorization information contained in the login request;
an instructing unit, used, when the judging unit judges that the server-side authorization information and the authorization information contained in the login request are consistent, to instruct the web browser in the single sign-on device to access the local URL contained in the login request, where the local URL uniquely corresponds to the target page URL that the user wants to access.
14. A single sign-on system, characterized in that it comprises a single sign-on device and a login-free server, wherein:
the single sign-on device is used to determine a local URL uniquely corresponding to the target URL, send a login request containing authorization information and the local URL to the login-free server, and, according to the instruction of the login-free server, when it determines that the correspondence between the local URL indicated by the login-free server and the target page URL is stored, send a request message for accessing the target page URL to the network-side web page server that provides the page corresponding to the target URL;
the login-free server is used to receive the login request and, after successfully verifying the user identity according to the authorization information contained in the login request, instruct the single sign-on device to access the URL contained in the login request.
Application CN 200910171267 (publication CN101997685B, en): priority date 2009-08-27, filing date 2009-08-27, title "Single sign-on method, single sign-on system and associated equipment", status Active.

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN 200910171267 CN101997685B (en) 2009-08-27 2009-08-27 Single sign-on method, single sign-on system and associated equipment
HK11103953.6A HK1149862A1 (en) 2009-08-27 2011-04-19 Single sign-on method, single sign-on system and relevant device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN 200910171267 CN101997685B (en) 2009-08-27 2009-08-27 Single sign-on method, single sign-on system and associated equipment

Publications (2)

Publication Number Publication Date
CN101997685A CN101997685A (en) 2011-03-30
CN101997685B true CN101997685B (en) 2013-05-29



Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
REG Reference to a national code (ref country code: HK; ref legal event code: DE; ref document number: 1149862; country of ref document: HK)
C14 Grant of patent or utility model
GR01 Patent grant
REG Reference to a national code (ref country code: HK; ref legal event code: GR; ref document number: 1149862; country of ref document: HK)