CN103036945A - Single sign on system - Google Patents

Single sign on system

Info

Publication number: CN103036945A
Application number: CN2012104555433A
Authority: CN (China)
Prior art keywords: client, access, service, service end, filter
Legal status: Pending (an assumption made by Google Patents, not a legal conclusion)
Other languages: Chinese (zh)
Inventor: 李靖春
Original and current assignee: SHANGHAI BESTONE INFORMATION TECHNOLOGY Co Ltd
Priority date: 2012-11-14
Filing date: 2012-11-14
Publication date: 2013-04-10


Landscapes

  • Computer And Data Communications (AREA)

Abstract

A single sign-on system comprises an access end, a client end and a service end. Each of the three consists of one or more computers, and the three are connected to each other pairwise. The access end sends web access requests. The client end checks whether a web access request carries a service credential. The service end verifies the login information of the access-end user. With this system, when the access end reaches resources held by different client ends, the service end supplies a service credential to the client end once the user has logged in legitimately a single time; the client end treats a credential supplied by the service end as valid, so the user neither logs in repeatedly nor re-enters verification information.

Description

Single sign-on system
Technical field
The invention relates to a login system, and specifically to a centralised-service login system.
Prior art
At present each business subsystem inside an enterprise has its own login and authentication system: a user who works with several subsystems must register with and log in to each of them, and can only use the subsystems chosen in this way. Managing many sets of usernames and passwords is easy to confuse, and the frequent logins when switching between subsystems are inconvenient for the user.
Summary of the invention
To solve the technical problem described above, the invention proposes a single sign-on system comprising an access end, a client end and a service end. Each of the access end, the client end and the service end consists of one or more computers, and the three are connected to each other pairwise.
The client end is fitted with a filter. The access end sends web access requests.
The client end checks whether the web access request carries a service credential (credential 1).
If the check succeeds, the access end reaches the target resource address.
If the check fails, the client end redirects the web access request to the service end and passes along the target resource address being requested.
The service end verifies the login information of the access-end user.
If login fails, the service end does not respond.
If login succeeds, the service end randomly generates a service credential (credential 2), stores it in the service-end cache, stores the record of the access end's successful login in the client-end cache, returns credential 2 to the access end and redirects the web access request to the target resource address, so that the access end reaches the resource.
Where several client ends and one service end are deployed, the one service end corresponds to each of the several client ends, and the client ends do not contact each other directly.
Where several client ends and one service end are deployed, the access end sends web access requests to the client ends one after another in a given order, and each client end interacts with the service end in that order.
Where several client ends and one service end are deployed and the access end sends web access requests to the client ends in that order, the client end in second position checks the service credential that the client end in first position has already verified successfully, treats that credential as valid, and its own check succeeds.
Interaction between the access end, the client end and the service end uses the SSL protocol.
The client end and the service end provide a proxy mode.
After the single sign-on system is adopted, when the access end reaches different resources held by different client ends, the service end supplies a service credential to the client end once the user has logged in legitimately, the client end treats the credential supplied by the service end as valid, and repeated logins and repeated entry of verification information are no longer needed.
Description of drawings
Fig. 1 is a schematic diagram of one embodiment of the single sign-on system of the invention.
Embodiment
As shown in Fig. 1, in a preferred embodiment of the invention the service end is one computer and the client end is two computers, pc1 and pc2. The access end is the user's computer, which accesses experimental database 1 and experimental database 2 respectively.
The user's computer submits a web access to client pc1, and client pc1 checks whether the user's computer holds a service ticket. Finding by this check that the user's computer has no ticket, client pc1 generates the service parameter and redirects the user's computer to the service-end computer. The service-end computer invokes its authentication strategy; on successful authentication it generates a service ticket and returns ticket1. The user's computer accesses client pc1 with ticket1; client pc1 hands ticket1 to the service end to verify its validity, and on success the service end returns ticket2 to the user's computer. The user's computer thereby accesses experimental database 1. The user's computer then accesses client pc2 with ticket2; client pc2 hands ticket2 to the service end for validation, and on success the service end returns ticket3 to the user's computer. The user's computer accesses client pc2 with ticket3; client pc2 hands ticket3 to the service end for validation; on success the service end writes a cached session for client pc2, client pc2 returns the verification-success message to the user's computer, and the user's computer accesses experimental database 2.
Concrete operating procedure:
Import the service-end certificate. Upload the certificate file to the service-end application server and keep it at C:\bstsso.cer.
Change into the JDK directory used by the client application:
cd $JAVA_HOME
Import the certificate into the JDK trust store (the default password of cacerts is changeit; on JDK 9 and later the store is at lib/security/cacerts rather than jre/lib/security/cacerts):
keytool -import -alias bstsso -storepass changeit -keystore ./jre/lib/security/cacerts -file /home/bstsso.cer
Check that the certificate was imported:
keytool -list -alias bstsso -keystore ./jre/lib/security/cacerts
This store is trusted by every TLS connection the JDK makes, so compare the fingerprint printed by keytool -list with one obtained from the service end out of band before relying on it. The import is what lets the client's ticket-validation calls to the https CAS server succeed without disabling certificate checking.
Add the required class packages under WEB-INF/lib of the client application:
cas-client-core-3.2.1.jar
The CAS client core classes, available from:
svn://192.168.3.17/BSTPRJ/BSTBOSS-V1.0/2-SRC/02-Branch/cas-client-3.2.1/modules/cas-client-core-3.2.1.jar
commons-logging-1.1.jar
The logging classes, available from the path below; if the project already contains this package it need not be added again:
svn://192.168.3.17/BSTPRJ/BSTBOSS-V1.0/2-SRC/02-Branch/cas-client-3.2.1/modules/commons-logging-1.1.jar
In the client application's configuration file WEB-INF/web.xml, load the corresponding filter and listener configuration as follows:
<filter>
  <filter-name>CAS Single Sign Out Filter</filter-name>
  <filter-class>org.jasig.cas.client.session.SingleSignOutFilter</filter-class>
</filter>
<filter>
  <filter-name>CAS Authentication Filter</filter-name>
  <filter-class>org.jasig.cas.client.authentication.AuthenticationFilter</filter-class>
  <init-param>
    <param-name>casServerLoginUrl</param-name>
    <param-value>https://sso.b114.com.cn:8443/cas/login</param-value>
  </init-param>
  <init-param>
    <!-- adjust the serverName parameter to the client's own domain name or address -->
    <param-name>serverName</param-name>
    <param-value>http://192.168.184.1:8080</param-value>
    <!--
    <param-name>service</param-name>
    <param-value>http://192.168.184.1:8080/cas-client1/index.jsp</param-value>
    -->
  </init-param>
</filter>
<filter>
  <filter-name>CAS Validation Filter</filter-name>
  <filter-class>org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter</filter-class>
  <init-param>
    <param-name>casServerUrlPrefix</param-name>
    <param-value>https://sso.b114.com.cn:8443/cas</param-value>
  </init-param>
  <init-param>
    <!-- adjust the serverName parameter to the client's own domain name or address -->
    <param-name>serverName</param-name>
    <param-value>http://192.168.184.1:8080</param-value>
    <!--
    <param-name>service</param-name>
    <param-value>http://192.168.184.1:8080/cas-client1/index.jsp</param-value>
    -->
  </init-param>
</filter>
<filter>
  <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
  <filter-class>org.jasig.cas.client.util.HttpServletRequestWrapperFilter</filter-class>
</filter>
<filter>
  <filter-name>CAS Assertion Thread Local Filter</filter-name>
  <filter-class>org.jasig.cas.client.util.AssertionThreadLocalFilter</filter-class>
</filter>
<filter-mapping>
  <filter-name>CAS Single Sign Out Filter</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>
<filter-mapping>
  <filter-name>CAS Authentication Filter</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>
<filter-mapping>
  <filter-name>CAS Validation Filter</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>
<filter-mapping>
  <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>
<filter-mapping>
  <filter-name>CAS Assertion Thread Local Filter</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>
<listener>
  <listener-class>org.jasig.cas.client.session.SingleSignOutHttpSessionListener</listener-class>
</listener>
Restart the CAS client application and open one of its pages, for example:
http://192.168.3.244:9080/simpleApp/index.jsp
On first access the CAS server login screen is shown; after a successful login the index.jsp page is displayed correctly.
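An added check on the web.xml configured above (example code written for this page, not part of the CAS client or of the patent). The ticket returned by the service end is appended to the client's service URL, and that URL is built from serverName, so with serverName set to http://192.168.184.1:8080 the ticket crosses the network in the clear even though the CAS server itself is reached over https and claim 5 calls for SSL between all three ends. The linter below parses a trimmed copy of that configuration (a constructed sample), flags URL-valued parameters that are not https, checks that the login URL lies under the prefix used for validation, and checks that every url-pattern guarded by the AuthenticationFilter is also covered by a ticket validation filter, since the AuthenticationFilter lets a request that carries a ticket parameter through and relies on the validation filter to check it. The https port 8443 used by the hardened variant is an assumption.

```python
"""Lint a Jasig CAS client web.xml for the settings that decide whether the
service ticket is protected in transit and is actually validated.
Added example, not part of the patent or of the CAS client."""
import xml.etree.ElementTree as ET

# Constructed sample trimmed from the web.xml on this page: the two filters that matter.
WEAK_WEB_XML = """<web-app>
  <filter>
    <filter-name>CAS Authentication Filter</filter-name>
    <filter-class>org.jasig.cas.client.authentication.AuthenticationFilter</filter-class>
    <init-param><param-name>casServerLoginUrl</param-name>
      <param-value>https://sso.b114.com.cn:8443/cas/login</param-value></init-param>
    <init-param><param-name>serverName</param-name>
      <param-value>http://192.168.184.1:8080</param-value></init-param>
  </filter>
  <filter>
    <filter-name>CAS Validation Filter</filter-name>
    <filter-class>org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter</filter-class>
    <init-param><param-name>casServerUrlPrefix</param-name>
      <param-value>https://sso.b114.com.cn:8443/cas</param-value></init-param>
    <init-param><param-name>serverName</param-name>
      <param-value>http://192.168.184.1:8080</param-value></init-param>
  </filter>
  <filter-mapping><filter-name>CAS Authentication Filter</filter-name><url-pattern>/*</url-pattern></filter-mapping>
  <filter-mapping><filter-name>CAS Validation Filter</filter-name><url-pattern>/*</url-pattern></filter-mapping>
</web-app>"""

URL_PARAMS = {"casServerLoginUrl", "casServerUrlPrefix", "serverName", "service"}


def _text(el, tag):
    child = el.find(tag)
    return (child.text or "").strip() if child is not None else ""


def lint_web_xml(xml_text):
    """Return a list of findings (empty when the configuration passes).
    Assumes an un-namespaced web.xml like the one on this page."""
    root = ET.fromstring(xml_text)
    findings = []
    classes, params, mappings = {}, {}, {}
    for f in root.findall("filter"):
        name = _text(f, "filter-name")
        classes[name] = _text(f, "filter-class")
        params[name] = {_text(p, "param-name"): _text(p, "param-value")
                        for p in f.findall("init-param")}
    for m in root.findall("filter-mapping"):
        mappings.setdefault(_text(m, "filter-name"), set()).update(
            (u.text or "").strip() for u in m.findall("url-pattern"))
    # 1. URL-valued parameters must be https: serverName/service form the URL the
    #    ticket is appended to, and the CAS server URLs carry the validation call.
    for name, ps in params.items():
        for key in sorted(URL_PARAMS & ps.keys()):
            if not ps[key].lower().startswith("https://"):
                findings.append(f"{name}: {key}={ps[key]} is not https")
    # 2. The login URL must live under the prefix used for validation, or tickets
    #    issued by one server would be checked against another.
    login = next((ps["casServerLoginUrl"] for ps in params.values() if "casServerLoginUrl" in ps), "")
    prefix = next((ps["casServerUrlPrefix"] for ps in params.values() if "casServerUrlPrefix" in ps), "")
    if login and prefix and not login.startswith(prefix.rstrip("/") + "/"):
        findings.append(f"casServerLoginUrl {login} is not under casServerUrlPrefix {prefix}")
    # 3. AuthenticationFilter lets a request carrying ?ticket=... pass and relies on
    #    a ticket validation filter to check it, so every guarded pattern needs one.
    auth_pats = set().union(*(mappings.get(n, set()) for n, c in classes.items()
                              if c.endswith("AuthenticationFilter")))
    val_pats = set().union(*(mappings.get(n, set()) for n, c in classes.items()
                             if c.endswith("TicketValidationFilter")))
    for pat in sorted(auth_pats - val_pats):
        findings.append(f"url-pattern {pat} is authenticated but no ticket validation filter is mapped to it")
    return findings


def harden(xml_text):
    """Corrected variant: serve the client itself over TLS so serverName is https.
    The https port 8443 is an assumption."""
    return xml_text.replace("http://192.168.184.1:8080", "https://192.168.184.1:8443")


if __name__ == "__main__":
    for label, doc in (("as configured", WEAK_WEB_XML), ("hardened", harden(WEAK_WEB_XML))):
        print(label, lint_web_xml(doc) or ["no findings"])
```

Run against the page's settings the linter reports the two http serverName values and nothing else; after harden() it reports nothing. Dropping the validation filter's mapping while keeping the authentication filter's produces the third finding, which is the configuration mistake that turns any request with a ticket parameter into an authenticated one.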

Claims (6)

1. A single sign-on system comprising an access end, a client end and a service end, each of the access end, the client end and the service end consisting of one or more computers, the access end, the client end and the service end being connected to each other pairwise, characterised in that:
the client end is fitted with a filter; the access end sends web access requests;
the client end checks whether the web access request carries a service credential (credential 1);
if the check succeeds, the access end reaches the target resource address;
if the check fails, the client end redirects the web access request to the service end and passes the target resource address being requested to the service end;
the service end verifies the login information of the access-end user;
if login fails, the service end does not respond;
if login succeeds, the service end randomly generates a service credential (credential 2), stores it in the service-end cache, stores the record of the access end's successful login in the client-end cache, returns credential 2 to the access end and redirects the web access request to the target resource address, so that the access end reaches the resource.
2. The single sign-on system of claim 1, characterised in that, when several client ends and one service end are deployed, the one service end corresponds to each of the several client ends and the client ends do not contact each other directly.
3. The single sign-on system of claim 1, characterised in that, when several client ends and one service end are deployed, the access end sends web access requests to the client ends one after another in a given order, and each client end interacts with the service end in that order.
4. The single sign-on system of claim 3, characterised in that, when several client ends and one service end are deployed and the access end sends web access requests to the client ends in that order, the client end in second position checks the service credential already verified successfully by the client end in first position, treats that credential as valid, and its own check succeeds.
5. The single sign-on system of claim 1, characterised in that interaction between the access end, the client end and the service end uses the SSL protocol.
6. The single sign-on system of claim 1, characterised in that the client end and the service end provide a proxy mode.

Priority and family

Priority application: CN2012104555433A, priority date 2012-11-14, filing date 2012-11-14, "Single sign on system" (pending)
Publication: CN103036945A, published 2013-04-10
Family ID: 48023417 (one family application, CN2012104555433A)
Country status: CN, CN103036945A

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20060031592A1 * 2001-12-19 2006-02-09 Hinton Heather M System and method for user enrollment in an e-community
CN102316080A * 2010-06-30 2012-01-11 百度在线网络技术(北京)有限公司 Function for supporting anonymous verification of central authentication service in same master domain
CN102571822A * 2012-02-27 2012-07-11 杭州闪亮科技有限公司 Single sign-on system and implementation method thereof

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106713271A * 2016-11-25 2017-05-24 国云科技股份有限公司 Web system login constraint method based on single sign-on
CN106713271B * 2016-11-25 2020-05-22 国云科技股份有限公司 Web system login constraint method based on single sign-on
CN106790308A * 2017-03-28 2017-05-31 北京中电普华信息技术有限公司 User authentication method, apparatus and system


Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C02 Deemed withdrawal of patent application after publication (patent law 2001)
WD01 Invention patent application deemed withdrawn after publication

Application publication date: 2013-04-10