CN102316080A - Function for supporting anonymous verification of central authentication service in same master domain - Google Patents

Publication number
CN102316080A
Authority
CN
China
Prior art keywords
client
operation system
service
heartbeat
unit
Prior art date
Legal status
Granted
Application number
CN2010102221481A
Other languages
Chinese (zh)
Other versions
CN102316080B (en)
Inventor
傅士光
宋琦
代黎明
Current Assignee
Beijing Baidu Netcom Science and Technology Co Ltd
Original Assignee
Beijing Baidu Netcom Science and Technology Co Ltd
Priority date
Filing date
Publication date
Application filed by Beijing Baidu Netcom Science and Technology Co Ltd
Priority to CN201010222148.1A
Publication of CN102316080A
Application granted
Publication of CN102316080B
Legal status: Active
Anticipated expiration

Landscapes

  • Information Transfer Between Computers (AREA)

Abstract

The invention discloses a method for supporting anonymous verification of a central authentication service in the same master domain. The method comprises the following steps: a, when a user accesses a first service system among a plurality of service systems through a client, the client plugin of the central authentication service in the first service system judges whether the client holds a service ticket (ST) for accessing the first service system; b, if the client holds an ST, the ticket verification service unit is asked to verify the validity of the ST, and if the ST is invalid, the client is redirected to the login service unit; c, it is judged whether the client holds a ticket granting cookie (TGC); d, if the client does not hold a TGC, it is judged whether the first service system allows anonymous access; e, when the first service system allows anonymous access, the client is redirected back to the first service system, and a key stkey assigned the value notlogin is returned at the same time; f, the client plugin of the central authentication service of the first service system sets the local heartbeat Local_Heartbeat equal to the global heartbeat Global_Heartbeat; and g, the client accesses the first service system anonymously.

Description

Anonymous authentication function supporting a central authentication service under the same main domain
Technical field
The present invention relates to an anonymous authentication system and method, and more particularly to a system and method supporting anonymous authentication of a CAS under the same main domain.
Background technology
A CAS (Central Authentication Service) provides a unified authentication service for a plurality of front-end systems of an enterprise: one account is shared among the systems, and a single login lets that account access all of them. CAS therefore provides the user login authentication service and, for a user who is not logged in, redirects the page directly to the login page.
At present, the popular open-source CAS developed by Yale University is designed entirely according to the CAS standard. It supports the whole central process of the CAS standard, but it does not implement anonymous verification, and it does not implement the detection and conversion of the process from anonymous to logged-in and from logged-in to anonymous. The present invention is an extension of the CAS standard that satisfies a wider range of business demands.
Fig. 1 shows the basic implementation principle of the CAS system of Yale University.
The CAS system shown in Fig. 1 comprises an application system server 101, a CAS server 102 and a client 103. As shown in Fig. 1, in step 1, when the user requests the application system through the browser of the client 103, the CAS client plug-in (CAS Client) deployed in the application system server 101 analyzes whether the request contains an ST (Service Ticket). If it does not, the current user has not yet logged in, so the request is redirected to the login address of the CAS server 102, passing along Service (that is, the address of the application system being accessed) so that the user can be returned to this address after a successful login (step 2). Then, in step 3, the user enters authentication information such as user name and password to log in. If the login succeeds, in step 4 the CAS server 102 generates a unique Ticket and caches it for later verification; the system is then automatically redirected to the Service address, and a Ticket Granting Cookie (TGC) is set for the browser of the client 103. The browser of the client 103 sends the access request again to the corresponding application system server 101 according to the address in the redirect response, carrying the ST. In steps 5 and 6, after the CAS Client of the application system server 101 has obtained the Service and the newly generated Ticket, it requests authentication from the CAS server 102 to guarantee the legitimacy of the Ticket.
As shown in Fig. 1, with this CAS system the user only needs to log in to the application system once and obtains authorization to access all service systems in the application system. However, the application system redirects every request that is not logged in to the CAS server 102 for login, and for the same set of URLs (Uniform Resource Locators) it can only verify logged-in requests; it cannot support an anonymous access function.
The UCenter product of Comsenz should also be noted: through a back-end API and a global cookie, it shares the user's logged-in status among a plurality of Comsenz products. This product is not a CAS, and moreover it does not solve the XSS (Cross Site Scripting) problem; solving XSS is one of the problems that a CAS must solve.
The related technologies introduced above do not extend the anonymous authentication function on the basis of CAS, and the problems found in similar products are only part of the problems that an anonymous authentication solution must address.
Summary of the invention
Additional aspects and advantages of the present invention will be set forth in part in the description that follows, will in part be obvious from the description, or may be learned by practice of the invention.
The present invention is proposed in view of the problems existing in the prior art. The technical problems to be solved by the invention include:
1. In a system supporting CAS, without having logged in to the CAS system, letting CAS be responsible for anonymous authentication for those systems that allow anonymous access.
A plurality of systems (for example a first system A, a second system B, a third system C, and so on) use CAS. System B uses one set of page URLs that supports both access when not logged in and access when logged in, and shows different content on the page depending on whether the user is logged in. For a system of type B, it cannot be redirected directly to the login page as in the standard CAS; instead CAS needs to provide a unified interface to the system and support anonymous authentication.
Purpose: CAS provides a consistent interface to the system and supports both the anonymous and the non-anonymous mode at the same time, to satisfy business demands.
2. In a system supporting CAS, providing detection and conversion of the process from anonymous to logged-in and from logged-in to anonymous.
As stated in item 1 above, when a user is accessing system B anonymously and subsequently logs in successfully with an account at CAS in the browser, then on returning to or refreshing the previously anonymously accessed system B the access should switch to the logged-in mode. Conversely, when system B is accessed in the logged-in mode and the user subsequently clicks the logout link, accessing the same URL of system B again should switch to the non-logged-in mode. Likewise, if the user first logged in with a first account and then switched to a second account, accessing system B again should also switch correctly.
Purpose: most current browsers have many tabs, and users often perform different operations in different tabs, such as logging in at the first tab, entering the system after success, and then logging out or switching to another account in another tab; when the first tab makes a request again, the change should be detected correctly.
3. In a system supporting CAS, achieving isolation of the logged-in status.
Because business demands are flexible and changeable and CAS serves a combination of systems, consider the systems described in item 1: suppose that among A, B and C, the users of the set M {m_user1, m_user2, m_user3, ...} may be in the logged-in state on A and C but not on B; then CAS needs to achieve isolation of the logged-in status. After a user in set M logs in, that user is in the logged-in state at systems A and C, but is still in the anonymous authentication state when entering system B.
Purpose: there are certain business rules among the multiple systems, and CAS should conveniently satisfy such business demands after the systems are integrated.
The invention discloses a method of supporting anonymous authentication of a central authentication service under the same main domain, comprising: a. when a user accesses a first service system among a plurality of service systems through a client, the central authentication service client plug-in in the first service system judges whether the client holds a service ticket ST for accessing the first service system; b. if an ST exists, the ticket validation service unit is requested to verify whether said ST is legal, and when said ST is illegal the client is directed to the login service unit; c. it is judged whether the client holds a global login ticket TGC; d. if no TGC exists, it is judged whether the first service system allows anonymous access; e. when the first service system allows anonymous access, the client is redirected back to the first service system, and at the same time a key stkey assigned the value notlogin, meaning not logged in, is returned; f. the central authentication service client plug-in of the first service system sets the local heartbeat Local_Heartbeat = the global heartbeat Global_Heartbeat; g. the client accesses the first service system anonymously.
The invention also discloses a system supporting anonymous authentication of a central authentication service under the same main domain, comprising: a plurality of service systems, each deploying a central authentication service client plug-in, for receiving service requests sent by the client and judging through the central authentication service client plug-in whether the client holds a service ticket ST for accessing the service system, requesting the ticket validation service unit to verify whether said ST is legal, and, when a key stkey is received from the login service unit, setting the local heartbeat Local_Heartbeat = the global heartbeat Global_Heartbeat and, when stkey = notlogin (not logged in), allowing the client to access the service system anonymously; the ticket validation service unit, for receiving the ST verification request sent by the central authentication service client plug-in and, when said ST is verified to be illegal, directing the client to the login service unit; and the login service unit, for judging, when the client is directed to it, whether the client holds a global login ticket TGC, judging, when there is no TGC, whether the service system allows anonymous access, and, when anonymous access is allowed, redirecting the client back to the service system and at the same time returning an stkey assigned the value notlogin.
The present invention is transparent to the business, satisfies the anonymous authentication demand, reduces the complexity of the service systems, and can achieve isolation of the logged-in status of user sets with respect to the systems.
The CAS of the present invention supports anonymous authentication, supports a method by which anonymous and non-anonymous authentication switch to each other, and supports isolation of the logged-in status.
Description of drawings
The above and other objects, features and advantages of the present invention will become apparent from the following detailed description of preferred embodiments taken in conjunction with the accompanying drawings, in which like reference numerals designate elements of the same structure, and wherein:
Fig. 1 shows the basic implementation principle of the CAS system of Yale University;
Fig. 2 shows a block architecture diagram of a CAS system according to an embodiment of the present invention; and
Fig. 3 shows a flowchart of the method for supporting anonymous authentication of CAS according to an embodiment of the present invention.
Embodiment
The present invention will now be described more fully with reference to the accompanying drawings, in which embodiments of the invention are shown. The invention may, however, be embodied in many different forms and should not be construed as limited to the embodiments set forth here; rather, these embodiments are provided so that this disclosure will be thorough and complete and will fully convey the scope of the invention to those skilled in the art. In the drawings, components are enlarged for clarity.
Exemplary embodiments of the invention are described here with reference to block diagrams and flowcharts of methods, apparatus (systems) and computer program products according to embodiments of the invention. It will be understood that each block of the flowcharts and/or block diagrams, and combinations of blocks in the flowcharts and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general-purpose computer, special-purpose computer or other programmable data processing apparatus to produce a machine, such that the instructions executed by the processor of the computer or other programmable data processing apparatus create means for implementing the functions/actions specified in the flowchart and/or block diagram blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the functions/actions specified in the flowchart and/or block diagram blocks.
The computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer-implemented process, such that the instructions executed on the computer or other programmable apparatus provide steps for implementing the functions/actions specified in the flowchart and/or block diagram blocks. Each block may represent a module, segment or portion of code comprising one or more executable instructions for implementing the specified function. It should also be noted that in other implementations the functions noted in the blocks may occur out of the order shown in the figures. For example, depending on the functionality involved, two blocks shown in succession may in fact be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order.
Symbols and terms
Unless otherwise defined, all terms used herein (including technical and scientific terms) have the same meaning as commonly understood by one of ordinary skill in the art. It should also be understood that terms such as those defined in commonly used dictionaries should be interpreted as having a meaning consistent with their meaning in the context of the relevant art, and will not be interpreted in an idealized or overly formal sense unless expressly so defined here.
The following symbols are used in the detailed description below:
Global_Heartbeat: the name of the variable, under the cookie domain of the login service unit, that identifies each login sequence number.
Local_Heartbeat: under the cookie domain of a service system, the value of Global_Heartbeat at the time the user was last active at that service system. According to the principle of the present invention, when a login occurs and the user is active at this system, Local_Heartbeat is updated to the value consistent with Global_Heartbeat, and the system thereby reaches a stable state.
ST: service ticket (Service Ticket), the ticket that the login service unit provides to a service system.
Stkey: a one-time key that the login service unit distributes to a service system; with this key, related information such as the ST can be obtained; the key has a validity period (for example, it can be set to expire after 1 minute); the stkey is, for example, a character string computed from parameters such as the server time, a random number and the server name, and this character string has, for example, 21 characters.
TGC: global login ticket (Ticket Granting Cookie), under the cookie domain of the login service unit.
M: a set of users.
N: a set of users.
URL: Uniform Resource Locator.
Fig. 2 shows a block architecture diagram of an exemplary CAS system according to an embodiment of the present invention.
As shown in Fig. 2, this CAS system comprises a client 201 (that is, a browser), the internet 202, a service system set 203, a login service unit 204 and a ticket validation service unit 205. The service system set 203 comprises a plurality of different service systems 2031, 2032, 2033 and 2034, and a plurality of CAS Clients (CAS client plug-ins) 2031', 2032', 2033' and 2034' deployed in the corresponding ones of the plurality of service systems. The CAS Client provided by the CAS system and deployed in a service system is responsible for the redirect query to the login service unit 204 when it finds that the user is not logged in, and for verification with the ticket validation service unit 205 after it has obtained the stkey or the ST.
For brevity, only 4 different service systems are shown schematically in Fig. 2; those skilled in the art will understand that the service system set 203 can comprise i service systems as required, where i is a natural number.
The login service unit 204 and the ticket validation service unit 205 can be implemented on one group of servers, or realized by two groups of servers.
The user, through the client 201, accesses one or more service systems in the service system set 203 and the login service unit 204 via the internet 202.
The login service unit 204 handles login by processing data entered by the user such as user name, password, the identifier of the registered service system and the captcha, thereby authenticating the user; it also handles and answers the redirect query from one of the service systems as to whether the user is logged in.
In the login service unit 204, an access configuration is stored, for example:
[Figure BSA00000181772400062: access configuration table (image not reproduced)]
[Figure BSA00000181772400063: access configuration table (image not reproduced)]
When a user successfully logs in to the login service unit 204, the login service unit 204 writes into the cookie items of the client 201, among others: under .domain.com, Global_Heartbeat=value1; at cas.domain.com, the global login ticket TGC = an n-bit string; and so on. The TGC is the browser's global login ticket: as long as the user has successfully logged in to the CAS system in this client 201, a TGC exists under cas.domain.com.
The ticket validation service unit 205 handles reads and writes from the login service unit 204 and verification queries from the service systems 203.
The CAS Client (central authentication service client plug-in) is the agent that the CAS system places in a service system. It is deployed separately in each service system in the form of a class library (for example, a logic code library) and is responsible for the communication between the ticket validation service unit 205 and the login service unit 204 on one side and the service system 203 on the other: it provides the service ticket ST to the ticket validation service unit 205, and provides to the service system 203 the information on the currently logged-in user obtained according to the service ticket ST. It also updates the information in the cookies of the client 201 that maintains the verification logic, such as Local_Heartbeat and the ST. For example, service system A 2031 writes into the cookie items of the client 201, among others: under a.domain.com, Local_Heartbeat=valueA; access ticket ST=stA; and so on. Service system B 2032 writes into the cookie items of the client 201, among others: under b.domain.com, Local_Heartbeat=valueB; access ticket ST=stB; and so on.
The support of anonymous authentication by the CAS system of the present application depends on the configuration of the cookie items in the client 201. In the cookies, only Global_Heartbeat is written under the main domain .domain.com, which guarantees that every *.domain.com can access it. All other cookies are written under cookie subdomains; for example, the ST and Local_Heartbeat of system A are both written under a.domain.com, so that only system A's own service can access them.
After the user has successfully logged in to the login service unit 204, the login service unit 204 writes the TGC under cas.domain.com in the cookies of the client 201, updates Global_Heartbeat under .domain.com, and redirects the client 201 to one of the service systems 203, for example service system A 2031 (with the one-time key (stkey) it generated attached to the URL). The CAS Client 2031' of service system A 2031 updates the cookies of the client 201, setting Local_Heartbeat=Global_Heartbeat under a.domain.com. Using the key stkey provided by the login service unit 204, the CAS Client 2031' also obtains the ST and the user information from the ticket validation service unit 205, updates the ST into the cookies of the client 201, and at the same time provides the information on the currently logged-in user to service system A 2031.
The ST and the TGC are guaranteed by the back end to expire at the same time. The expiry time is a configurable parameter and is a time span that is extended by each visit: for example, suppose the expiry time is 1 hour; if there is no visit within 1 hour, they expire; if there is a visit at the 20th minute of that hour, the time is extended by another 1 hour counted from the 20th minute.
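The two mechanisms just described, the cookie-domain scoping that keeps each service system's ST and Local_Heartbeat private while Global_Heartbeat is shared across *.domain.com, and the sliding 1-hour expiry of the ST and TGC, as an added example in Python that is not part of the patent. The cookie store, host names and timestamps are constructed for illustration; the domain-matching rule models how browsers decide which cookies a host receives.

```python
from datetime import datetime, timedelta

# Constructed cookie store shaped like the layout in the text: (domain, name) -> value.
COOKIES = {
    (".domain.com", "Global_Heartbeat"): "1",    # main domain: visible to every *.domain.com
    ("cas.domain.com", "TGC"): "tgc-example",    # login service unit's own subdomain
    ("a.domain.com", "Local_Heartbeat"): "1",    # service system A's subdomain
    ("a.domain.com", "ST"): "stA",
    ("b.domain.com", "Local_Heartbeat"): "0",    # service system B's subdomain
    ("b.domain.com", "ST"): "stB",
}


def cookie_visible(cookie_domain, host):
    """Domain matching as browsers apply it: a cookie for '.domain.com' is sent to
    domain.com and every host below it; a cookie for 'a.domain.com' only goes to
    a.domain.com (and hosts below it), never to b.domain.com or cas.domain.com."""
    d = cookie_domain.lstrip(".")
    return host == d or host.endswith("." + d)


def cookies_for(store, host):
    """The cookies, by name, that a request to `host` carries."""
    return {name: value for (domain, name), value in store.items()
            if cookie_visible(domain, host)}


class SlidingExpiry:
    """ST and TGC expire together after `ttl` of inactivity; every access that finds
    them still valid extends the deadline by a full `ttl` from that moment."""

    def __init__(self, issued_at, ttl=timedelta(hours=1)):
        self.ttl = ttl
        self.expires_at = issued_at + ttl

    def touch(self, now):
        """Return True and extend the deadline if still valid, otherwise False."""
        if now >= self.expires_at:
            return False
        self.expires_at = now + self.ttl
        return True


def demo():
    """Walk through the 1-hour example from the text with constructed timestamps."""
    t0 = datetime(2010, 7, 1, 12, 0)
    session = SlidingExpiry(t0)
    visit_20 = session.touch(t0 + timedelta(minutes=20))   # valid; deadline moves to 13:20
    deadline_after_20 = session.expires_at.strftime("%H:%M")
    visit_70 = session.touch(t0 + timedelta(minutes=70))   # 13:10 < 13:20: still valid
    visit_3h = session.touch(t0 + timedelta(hours=3))      # 15:00 >= 14:10: expired
    idle = SlidingExpiry(t0)
    idle_60 = idle.touch(t0 + timedelta(minutes=60))       # no visit within the hour: expired
    return visit_20, deadline_after_20, visit_70, visit_3h, idle_60


if __name__ == "__main__":
    for host in ("a.domain.com", "b.domain.com", "cas.domain.com"):
        print(host, cookies_for(COOKIES, host))
    print(demo())
```

Running the block shows that a.domain.com never sees stB or the TGC, and that only the heartbeat is shared, which is the property the text relies on to detect a login or logout from any subdomain without exposing another system's ticket.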
Fig. 3 shows the flowchart of the method for supporting anonymous authentication of CAS according to an embodiment of the present invention.
As shown in Fig. 3, block 340 represents anonymous authentication and block 325 represents login authentication. The whole process accomplishes the support of anonymous authentication according to whether anonymous authentication is supported, the access control judgement for the user set with respect to the system, and the values of Global_Heartbeat and Local_Heartbeat.
Support of anonymous and non-anonymous authentication: whether anonymous authentication is supported is decided by the service system itself, as in step 365 of Fig. 3; only when the service system 203 is configured to support the anonymous authentication function and the condition is satisfied does the flow enter step 340. This requires logic support from one of the CAS Clients 2031'-2034' of the service systems 203 in Fig. 2 and from the login service unit 204.
Detection and conversion of the process from anonymous to logged-in and from logged-in to anonymous: in step 330, when the condition is satisfied, the original verification mode is kept; that is, if it was login authentication before, verification continues in the login authentication mode, and if it was anonymous authentication before, verification continues in the anonymous mode. Only when the judgement condition of step 330 is false does the verification mode need to be converted: possibly from the anonymous mode to login-mode verification, possibly the reverse, and possibly still anonymous authentication (isolation of the logged-in status); the flow shown in Fig. 3 can check and convert by itself according to this step. The whole process of mutual conversion requires logic support from one of the CAS Clients 2031'-2034' of the service systems 203 in Fig. 2, from the login service unit 204 and from the ticket validation service unit 205.
Isolation of the logged-in status: as in the judgement of step 350, even if an account is logged in, if users of the set M are not allowed to access, the system should still be in the non-logged-in state and still use anonymous-mode verification. This requires logic support from one of the CAS Clients 2031'-2034' of the service systems 203 in Fig. 2 and from the login service unit 204.
Below, the method for supporting anonymous authentication of CAS according to the present invention is described in detail with reference to Fig. 2 and Fig. 3.
In step 305, user 1, for example a user in the set M, accesses service system X through the client 201 via the internet.
In step 310, the CAS Client in service system X judges whether the local cookies of the client 201 contain an ST that can access service system X. If there is an ST, in step 315 service system X sends, via the CAS Client deployed in it, a ticket validation service request to the ticket validation service unit 205 to verify the user's identity.
In step 320, the ticket validation service unit 205 judges whether the service ticket is legal.
If it is judged in step 320 that the service ticket is illegal, then in step 335 the ticket validation service unit 205 directs the client 201 to the login service unit 204.
In step 345, the login service unit 204 judges whether a global login ticket TGC exists in the cookies of the client 201, to confirm whether the user is one who has successfully logged in at the login service unit 204.
If it is judged that there is no TGC, in step 365 the login service unit 204 judges whether service system X allows anonymous access. When anonymous access is allowed, in step 375 the login service unit 204 redirects the client 201 back to service system X and at the same time returns a key stkey whose value is notlogin, meaning not logged in. In step 385, the central authentication service client plug-in of service system X sets the local heartbeat Local_Heartbeat = the global heartbeat Global_Heartbeat. In step 340, the client 201 is allowed to access service system X anonymously.
If it is judged that a TGC exists, then in step 350 the login service unit 204 judges the access authority of the user set M to which user 1 of the client 201 belongs, that is, whether access to service system X is allowed. If access to service system X is not allowed, the flow returns to step 375.
If access to service system X is allowed, then in step 355 the login service unit 204 redirects the client 201 back to service system X, attaching in the URL the one-time key stkey generated by the login service unit 204. In step 370, the CAS Client of service system X updates Local_Heartbeat = Global_Heartbeat in the cookies of the client 201 under the x.domain.com domain. In step 380, the CAS Client of service system X sends an ST generation request with the one-time key stkey to the ticket validation service unit 205, obtains the ST and the user information from the ticket validation service unit 205, and returns to step 325.
If it is judged in step 310 that there is no ST, then in step 330 the CAS Client in service system X judges whether Local_Heartbeat in the client equals Global_Heartbeat. If Local_Heartbeat is not equal to Global_Heartbeat, the flow returns to step 335.
If Local_Heartbeat equals Global_Heartbeat, the flow returns to step 340 and anonymous access is allowed.
If it is judged in step 320 that the service ticket is legal, then in step 325 the ticket validation service unit 205 returns the verification result and the user information to the CAS Client so that it can provide the user information to service system X, and access is granted.
If it is judged in step 365 that anonymous access is not allowed, then in step 360 the client is redirected to the login page of service system X. The user logs in by entering information such as user name and password on the login page through the client 201. When the login authentication succeeds, the login service unit 204 updates Global_Heartbeat and writes the TGC in the cookies of the client 201, redirects the client 201 to service system X, and returns the stkey at the same time. The CAS Client of service system X sets Local_Heartbeat = Global_Heartbeat, sends an ST generation request with the stkey to the ticket validation service unit 205, obtains the ST and the user information from the ticket validation service unit 205, writes the ST into the cookies of the client 201, and at the same time authorizes the client 201 to access service system X.
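The decision flow of Fig. 3 (steps 310 through 385), as an added worked example in Python that is not part of the patent and not the project's own code. It models the login service unit, the ticket validation service unit and one CAS Client per service system as plain classes; the systems A and B, the user sets M and N, the per-system access configuration and the integer heartbeat counters are constructed assumptions. The scenario reproduces the three problems the invention addresses: the first anonymous visit, the switch to the logged-in mode after a login in another tab, the isolation of set M at system B, and the fall-back to anonymous access after logout.

```python
import secrets

NOTLOGIN = "notlogin"   # stkey value meaning "not logged in" (from the text)


class LoginServiceUnit:
    """Login service unit (204): holds one browser's TGC and Global_Heartbeat plus
    the per-system access configuration. Configuration values are constructed."""

    def __init__(self, allow_anonymous, allowed_sets, user_set):
        self.allow_anonymous = allow_anonymous  # system -> bool              (step 365)
        self.allowed_sets = allowed_sets        # system -> user-set names allowed (step 350)
        self.user_set = user_set                # user -> user-set name
        self.global_heartbeat = 0               # cookie under .domain.com
        self.tgc_user = None                    # TGC under cas.domain.com; None = no TGC
        self.stkeys = {}                        # one-time stkey -> user

    def login(self, user):
        self.global_heartbeat += 1              # every login is a new login sequence number
        self.tgc_user = user

    def logout(self):
        self.global_heartbeat += 1              # logout changes the sequence number too
        self.tgc_user = None

    def redirect_query(self, system):
        """Steps 345-375: answer a service system's redirect query.
        Returns NOTLOGIN, a fresh one-time stkey, or None (go to the login page)."""
        if self.tgc_user is None:                                          # step 345
            return NOTLOGIN if self.allow_anonymous[system] else None     # 375 / 360
        if self.user_set[self.tgc_user] not in self.allowed_sets[system]:  # step 350
            return NOTLOGIN                                                # isolation
        stkey = secrets.token_urlsafe(16)                                  # step 355
        self.stkeys[stkey] = self.tgc_user
        return stkey


class TicketValidationUnit:
    """Ticket validation service unit (205): issues STs from stkeys, validates STs."""

    def __init__(self, login_unit):
        self.login_unit = login_unit
        self.tickets = {}                       # ST -> (system, user)

    def issue_st(self, stkey, system):                    # step 380
        user = self.login_unit.stkeys.pop(stkey)          # stkey is one-time: consumed
        st = "ST-" + secrets.token_hex(8)
        self.tickets[st] = (system, user)
        return st, user

    def validate(self, st, system):                       # step 320
        rec = self.tickets.get(st)
        return rec[1] if rec and rec[0] == system else None

    def expire_all(self):
        """ST and TGC expire together; the scenario calls this on logout."""
        self.tickets.clear()


class CasClient:
    """CAS Client plug-in of one service system; `cookie` models x.domain.com cookies."""

    def __init__(self, system, login_unit, validator):
        self.system, self.login_unit, self.validator = system, login_unit, validator
        self.cookie = {}                        # keys: "ST", "Local_Heartbeat"

    def access(self):
        """One request to the service system, following Fig. 3. Returns
        ("login", user), ("anonymous", None) or ("login_page", None)."""
        st = self.cookie.get("ST")
        if st is not None:                                               # step 310
            user = self.validator.validate(st, self.system)              # 315 / 320
            if user is not None:
                return ("login", user)                                   # step 325
            return self._via_login_service()                             # step 335
        if self.cookie.get("Local_Heartbeat") == self.login_unit.global_heartbeat:
            return ("anonymous", None)                                   # 330 -> 340
        return self._via_login_service()                                 # heartbeat changed

    def _via_login_service(self):
        stkey = self.login_unit.redirect_query(self.system)
        if stkey is None:
            return ("login_page", None)                                  # step 360
        self.cookie["Local_Heartbeat"] = self.login_unit.global_heartbeat  # 370 / 385
        if stkey == NOTLOGIN:
            self.cookie.pop("ST", None)                                  # drop a stale ST
            return ("anonymous", None)                                   # step 340
        st, user = self.validator.issue_st(stkey, self.system)           # step 380
        self.cookie["ST"] = st
        return ("login", user)                                           # step 325


def run_scenario():
    """Constructed walk-through: A and B allow anonymous access; set M may log in
    at A but is kept anonymous at B; set N may log in at both."""
    login_unit = LoginServiceUnit(
        allow_anonymous={"A": True, "B": True},
        allowed_sets={"A": {"M", "N"}, "B": {"N"}},
        user_set={"m_user1": "M", "n_user1": "N"},
    )
    validator = TicketValidationUnit(login_unit)
    a, b = CasClient("A", login_unit, validator), CasClient("B", login_unit, validator)
    results = [("A first visit", a.access())]               # anonymous
    login_unit.login("m_user1")                              # login in another tab
    results.append(("A after login", a.access()))            # switches to login mode
    results.append(("B after login (isolated)", b.access())) # still anonymous
    results.append(("A repeat with ST", a.access()))         # ST validated directly
    login_unit.logout()
    validator.expire_all()                                   # ST and TGC go together
    results.append(("A after logout", a.access()))           # back to anonymous
    login_unit.login("n_user1")                              # account switch
    results.append(("B after account switch", b.access()))   # N is allowed at B
    return results


if __name__ == "__main__":
    for label, outcome in run_scenario():
        print(f"{label:26s} -> {outcome}")
```

The heartbeat comparison at step 330 is what makes the multi-tab case work: a tab that last saw Local_Heartbeat equal to Global_Heartbeat keeps its mode without a round trip, and any login, logout or account switch elsewhere bumps the global counter so the next request from that tab is forced back through the login service unit.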
Below, the present invention is described with reference to concrete examples.
Specific embodiment 1: A plurality of systems such as A, B and C use CAS. System B needs to use one set of page logic that supports both access when not logged in and access when logged in, and shows different content on the page depending on whether the user is logged in. For a system of type B, it cannot be redirected directly to the login page as in the standard CAS; instead CAS needs to provide a unified interface to the system and support anonymous authentication. Baidu's example: the Help Center (support.***.com) provides information services to both internet users and Baidu's customers at the same time, and its unified page logic needs to support anonymous and non-anonymous verification simultaneously. This demand was satisfied after using the CAS that supports anonymous access.
Specific embodiment 2: As in embodiment 1, when a user is accessing system B anonymously and subsequently logs in successfully with an account at CAS in the browser, then on returning to the previously anonymously accessed system B, the system needs to detect the login automatically and be in the logged-in state in system B as well. Baidu's example: Baidu Optimization Assistant (editor.***.com), the Help Center and other systems all support this switching.
Specific embodiment 3: Because business demands are flexible and changeable and CAS serves a combination of systems, consider the systems described in embodiment 1: suppose that among A, B and C only the users of the set M {m_user1, m_user2, m_user3, ...} may be in the logged-in state on A and C but not on B; then CAS needs to achieve isolation of the logged-in status. After a user in set M logs in, that user is in the logged-in state at systems A and C, but is still in the anonymous authentication state when entering system B. Baidu's example: the Help Center (support.***.com) currently only supports users who participate in Baidu Promotion and Baidu Union and does not support other users; users who are not supported are treated according to anonymous authentication in the Help Center after logging in to CAS.
The present invention is transparent to the business, satisfies the anonymous authentication demand, reduces the complexity of the service systems, and can achieve isolation of the logged-in status of user sets with respect to the systems.
Although the present invention has been described with reference to its specific preferred embodiments, those skilled in the art should appreciate that various modifications in form and detail may be made to it without departing from the spirit and scope of the present invention as defined by the following claims.

Claims (18)

1. A method for supporting anonymous authentication of a central authentication service under the same master domain, comprising:
a. when a user accesses, through a client, a first business system among a plurality of business systems, a central authentication service client plug-in in the first business system judging whether the client holds a service ticket ST for accessing the first business system;
b. if the ST exists, requesting a ticket validation service unit to verify whether said ST is valid, and directing the client to a login service unit when said ST is invalid;
c. judging whether the client holds a global login ticket TGC;
d. if no TGC exists, judging whether the first business system allows anonymous access;
e. when the first business system allows anonymous access, redirecting the client back to the first business system and at the same time returning a key stkey assigned the value notlogin (not logged in);
f. the central authentication service client plug-in of the first business system setting the local heartbeat Local_hearbeat equal to the global heartbeat Global_hearbeat;
g. the client accessing the first business system anonymously.
2. The method of claim 1, further comprising:
if step c judges that a TGC exists, judging whether the client has the right to access the first business system, and returning to step e when it does not have that right.
3. The method of claim 2, further comprising:
if the client has the right to access the first business system, redirecting the client back to the first business system and at the same time returning a generated stkey;
the central authentication service client plug-in of the first business system setting Local_hearbeat = Global_hearbeat, obtaining the ST and user information from the ticket validation service unit according to the generated stkey, and writing the ST into the temporary cookie file in the client; and
authorizing the client to access the first business system.
4. The method of claim 3, further comprising:
if step a judges that no ST exists, judging whether Local_hearbeat equals Global_hearbeat;
when Local_hearbeat is not equal to Global_hearbeat, directing the client to the login service unit and returning to step c;
when Local_hearbeat equals Global_hearbeat, returning to step g.
5. The method of claim 4, further comprising:
when step b judges that the ST is valid, the ticket validation service unit returning the verification result and user information to the central authentication service client plug-in, and authorizing the client to access the first business system.
6. The method of claim 5, further comprising:
when step d judges that anonymous access is not allowed, redirecting the client to the login page of the first business system;
the user logging in by entering information such as a username and password on the login page;
if authentication succeeds, the login service unit updating Global_hearbeat and writing the TGC in the temporary cookie file in the client, redirecting the client to the first business system and at the same time returning a generated stkey;
the central authentication service client plug-in of the first business system setting Local_hearbeat = Global_hearbeat, obtaining the ST and user information from the ticket validation service unit according to the generated stkey, and writing the ST into the temporary cookie file in the client; and
authorizing the client to access the first business system.
7. The method of claim 6, wherein the temporary cookie file in the client contains: Global_hearbeat under the master domain, the TGC under the subdomain of the login service unit, and Local_hearbeat and the ST under the subdomain of each business system respectively.
8. The method of claim 7, wherein the ST and the TGC are guaranteed by the backend to expire simultaneously, and their expiry time is extended with each access.
9. The method of claim 8, wherein the stkey is a one-time key.
10. A system for supporting anonymous authentication of a central authentication service under the same master domain, comprising:
a plurality of business systems, each deploying a central authentication service client plug-in, for receiving a service request sent by a client and judging, through the central authentication service client plug-in, whether the client holds a service ticket ST for accessing the business system; requesting a ticket validation service unit to verify whether said ST is valid; and, when a key stkey is received from a login service unit, setting the local heartbeat Local_hearbeat equal to the global heartbeat Global_hearbeat and allowing the client to access the business system anonymously when stkey = notlogin (not logged in);
the ticket validation service unit, for receiving the ST verification request sent by the central authentication service client plug-in and directing the client to the login service unit when said ST is verified to be invalid; and
the login service unit, for judging whether the client holds a global login ticket TGC when the client is directed to the login service unit; judging whether the business system allows anonymous access when no TGC exists; and, when anonymous access is allowed, redirecting the client back to the business system and at the same time returning an stkey assigned the value notlogin.
11. The system of claim 10, wherein the login service unit, when judging that a TGC exists, further judges whether the client has the right to access the business system and, when the client does not have that right, likewise redirects the client back to the business system and at the same time returns an stkey assigned the value notlogin.
12. The system of claim 11, wherein the login service unit, when judging that the client has the right to access the business system, redirects the client back to the business system and at the same time generates and returns an stkey;
the ticket validation service unit, upon receiving an ST generation request from the central authentication service client plug-in, generates the ST according to the stkey and returns the ST and user information to the business system; and
the business system, upon receiving the stkey returned by the login service unit, sends the ST generation request to the ticket validation service unit and, after receiving the generated ST from the ticket validation service unit, writes the ST into the temporary cookie file in the client and authorizes the client's access.
13. The system of claim 12, wherein the central authentication service client plug-in, when judging that the client holds no ST, judges whether Local_hearbeat equals Global_hearbeat; when Local_hearbeat is not equal to Global_hearbeat, directs the client to the login service unit; and when Local_hearbeat equals Global_hearbeat, allows the client to access the business system anonymously.
14. The system of claim 13, wherein the ticket validation service unit, when judging that the ST is valid, returns the verification result and user information to the central authentication service client plug-in, and the client is authorized to access the business system.
15. The system of claim 14, wherein the login service unit, when judging that anonymous access is not allowed, redirects the client to the login page of the business system; and, after the user has logged in successfully through the client and been authenticated, updates Global_hearbeat and writes the TGC in the temporary cookie file in the client, redirects the client to the first business system, and at the same time generates and returns an stkey.
16. The system of claim 15, wherein the temporary cookie file in the client contains: Global_hearbeat under the master domain, the TGC under the subdomain of the login service unit, and Local_hearbeat and the ST under the subdomain of each business system respectively.
17. The system of claim 16, wherein the ST and the TGC are guaranteed by the backend to expire simultaneously, and their expiry time is extended with each access.
18. The system of claim 17, wherein the stkey is a one-time key.
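The claimed flow and the three embodiments above, as an added Python simulation that is not part of the patent: the per-subdomain cookie jar of claim 7, the login service of claims 1c-1e, 2 and 6, the ticket validation service of claims 3 and 9, and the CAS client plug-in logic of claims 1, 4 and 5. The sample accounts, the allowed-user set M for system B, the starting Global_hearbeat value of 0 and its increment on each login are constructed assumptions, and ticket expiry (claim 8) is left out.

```python
import secrets

NOTLOGIN = "notlogin"
USERS = {"alice": "pw-a", "bob": "pw-b"}          # constructed sample accounts
ALLOW_ANON = {"A": True, "B": True, "C": False}   # per business system (assumption)
ALLOWED = {"A": None, "B": {"alice"}, "C": None}  # None = any user; B admits only set M
sessions, pending_stkeys, service_tickets = {}, {}, {}   # login / ticket service state

def new_client():
    """Cookie jar split by subdomain (claim 7). Assumption: Global_hearbeat starts at 0."""
    return {"master": {"Global_hearbeat": 0}, "login": {}, "A": {}, "B": {}, "C": {}}

def login_service(client, system):
    """Claims 1c-1e, 2 and 6: what the login service hands back for `system`."""
    tgc = client["login"].get("TGC")
    if tgc is None:                                # step c: no global login ticket TGC
        return NOTLOGIN if ALLOW_ANON[system] else "LOGIN_PAGE"   # steps d/e, claim 6
    user = sessions[tgc]
    if ALLOWED[system] is not None and user not in ALLOWED[system]:
        return NOTLOGIN                            # claim 2: logged in, but no rights here
    stkey = secrets.token_hex(8)                   # claim 9: one-time key
    pending_stkeys[stkey] = user
    return stkey

def login(client, user, password):
    """Claim 6: a successful login writes the TGC and updates Global_hearbeat."""
    if USERS.get(user) != password: return False
    client["login"]["TGC"] = tgc = secrets.token_hex(8)   # login-service subdomain
    sessions[tgc] = user
    client["master"]["Global_hearbeat"] += 1       # master domain (assumed counter)
    return True

def issue_st(stkey):
    """Ticket validation service: trade a one-time stkey for an ST and user information."""
    user = pending_stkeys.pop(stkey)               # reuse of a stkey raises KeyError
    st = secrets.token_hex(8)
    service_tickets[st] = user
    return st, user

def access(client, system):
    """CAS client plug-in of a business system (claims 1, 3, 4, 5). Returns (state, user)."""
    jar = client[system]
    if "ST" in jar:                                # step a: ST present
        user = service_tickets.get(jar["ST"])      # step b: ask the ticket service
        if user: return ("user", user)             # claim 5
        del jar["ST"]                              # invalid ST: go to the login service
    elif jar.get("Local_hearbeat") == client["master"]["Global_hearbeat"]:
        return ("anonymous", None)                 # claim 4: no login since last visit, step g
    key = login_service(client, system)            # steps c-e (or claim 4 redirect)
    if key == "LOGIN_PAGE": return ("login_page", None)   # claim 6: credentials needed
    jar["Local_hearbeat"] = client["master"]["Global_hearbeat"]   # step f
    if key == NOTLOGIN: return ("anonymous", None) # step g
    st, user = issue_st(key)                       # claim 3
    jar["ST"] = st
    return ("user", user)
```

Running `access` twice for the same client shows the heartbeat short-cut: the second anonymous visit never reaches the login service, while a login in between changes Global_hearbeat and forces the re-check that embodiment 2 requires.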
CN201010222148.1A 2010-06-30 2010-06-30 Support center authentication service anonymous authentication function under same main territory Active CN102316080B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201010222148.1A CN102316080B (en) 2010-06-30 2010-06-30 Support center authentication service anonymous authentication function under same main territory

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201010222148.1A CN102316080B (en) 2010-06-30 2010-06-30 Support center authentication service anonymous authentication function under same main territory

Publications (2)

Publication Number Publication Date
CN102316080A true CN102316080A (en) 2012-01-11
CN102316080B CN102316080B (en) 2016-06-01

Family

ID=45428904

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201010222148.1A Active CN102316080B (en) 2010-06-30 2010-06-30 Support center authentication service anonymous authentication function under same main territory

Country Status (1)

Country Link
CN (1) CN102316080B (en)

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20050283621A1 (en) * 2004-03-19 2005-12-22 Yoshinori Sato Control of data linkability
CN1819516A (en) * 2004-11-17 2006-08-16 中兴通讯股份有限公司 System and method for realizing controlled anonymous service
CN101217374A (en) * 2008-01-18 2008-07-09 北京工业大学 A protection method on user privacy in three-party conversation
CN101399671A (en) * 2008-11-18 2009-04-01 中国科学院软件研究所 Cross-domain authentication method and system thereof

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
Zhang Qi et al.: "Design and implementation of a CAS single sign-on system based on user mapping", Information and Communications Technology, 15 August 2009 (2009-08-15) *

Cited By (16)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102571822A (en) * 2012-02-27 2012-07-11 杭州闪亮科技有限公司 Single sign-on system and implementation method thereof
CN102710660A (en) * 2012-06-26 2012-10-03 苏州微逸浪科技有限公司 Access control method of next generation data protection system
CN102761870A (en) * 2012-07-24 2012-10-31 中兴通讯股份有限公司 Terminal authentication and service authentication method, system and terminal
CN102761870B (en) * 2012-07-24 2015-06-03 中兴通讯股份有限公司 Terminal authentication and service authentication method, system and terminal
US9445269B2 (en) 2012-07-24 2016-09-13 Zte Corporation Terminal identity verification and service authentication method, system and terminal
CN103036945A (en) * 2012-11-14 2013-04-10 上海百事通信息技术有限公司 Single sign on system
CN104901932A (en) * 2014-07-30 2015-09-09 易兴旺 Secure login method based on CPK (Combined Public Key Cryptosystem) identity authentication technology
CN105162779B (en) * 2015-08-20 2018-08-17 南威软件股份有限公司 The method that multisystem uses unifying user authentication
CN105162779A (en) * 2015-08-20 2015-12-16 南威软件股份有限公司 Method for using uniform user authentication in multiple systems
CN107623694A (en) * 2017-09-30 2018-01-23 南威软件股份有限公司 A kind of Anonymous authorization method based on URL access path
CN107786552A (en) * 2017-10-19 2018-03-09 用友网络科技股份有限公司 Single-point logging method, system and computer equipment
CN110445744A (en) * 2018-05-02 2019-11-12 阿里巴巴集团控股有限公司 A kind of data processing method and device
CN110445744B (en) * 2018-05-02 2022-06-28 阿里巴巴集团控股有限公司 Data processing method and device
CN109547458A (en) * 2018-12-10 2019-03-29 平安科技(深圳)有限公司 Login validation method, device, computer equipment and storage medium
CN109547458B (en) * 2018-12-10 2023-01-13 平安科技(深圳)有限公司 Login verification method and device, computer equipment and storage medium
CN114697055A (en) * 2020-12-28 2022-07-01 ***通信集团终端有限公司 Method, device, equipment and system for service access

Also Published As

Publication number Publication date
CN102316080B (en) 2016-06-01

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant