CN110198540B - Portal authentication method and device - Google Patents


Info

Publication number: CN110198540B (application number CN201910384008.5A; earlier publication CN110198540A)
Authority: CN (China)
Prior art keywords: server, authentication, authentication information, information, user
Legal status: Active
Other languages: Chinese (zh)
Inventors: 范泰然, 徐勇刚
Current assignee: New H3C Information Technologies Co Ltd
Original assignee: New H3C Technologies Co Ltd
Application filed by New H3C Technologies Co Ltd

Classifications

    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04W WIRELESS COMMUNICATION NETWORKS > H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity > H04W12/06 Authentication
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04W WIRELESS COMMUNICATION NETWORKS > H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity > H04W12/60 Context-dependent security > H04W12/69 Identity-dependent
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04W WIRELESS COMMUNICATION NETWORKS > H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity > H04W12/60 Context-dependent security > H04W12/69 Identity-dependent > H04W12/71 Hardware identity

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)
  • Information Transfer Between Computers (AREA)

Abstract

The application provides a Portal authentication method and a Portal authentication device. The method can be applied to a private cloud authentication server and comprises the following steps: receiving an authentication request sent by a wireless terminal through an access device, wherein the authentication request comprises user information; sending an authentication information query request to a second server according to the user information, so that the second server forwards the authentication information query request to a third server; receiving a first authentication information response sent by the second server, wherein the first authentication information response comprises user authentication information that the third server returned after looking up the user authentication information matching the user information; and performing validity authentication on the user corresponding to the wireless terminal according to the user authentication information. Compared with the prior art, no secret such as the AppSecret has to be transmitted at any point of the authentication process, so security risks are greatly reduced and security is improved.

Description

Portal authentication method and device
Technical Field
The application relates to the technical field of network authentication, in particular to a Portal authentication method and a Portal authentication device.
Background
With the rapid development of mobile internet technology and the widespread use of mobile terminals (such as mobile phones, notebooks, tablet computers, etc.), more and more users are accustomed to accessing the internet anytime and anywhere from a mobile terminal, and in public places such as stations, airports and shopping malls internet access is widely provided through Portal authentication. Portal authentication is also commonly referred to as Web authentication, and a Portal authentication website is commonly referred to as a Web portal. When an unauthenticated user tries to surf the internet, the access device forces the mobile terminal to a specific site, within which the user can freely access services. When the user needs other resources on the internet, authentication must first be performed on the portal website; only an authenticated user can use internet resources.
With the widespread popularization of social software such as WeChat, microblog and easy-to-communicate, authentication methods based on social software are increasingly common. Social authentication is one form of Portal authentication; for example, WeChat WiFi authentication is a typical extended authentication method built on Portal authentication.
At present, the main flow of WeChat WiFi (Wireless Fidelity) authentication is shown in fig. 1. A WiFi provider enables the WeChat WiFi function on the WeChat platform through its WeChat public account and builds a private cloud authentication server. When a wireless terminal needs to access the internet, the access device returns an authentication login page by redirection, and the user selects the WeChat WiFi connection mode on that page. The access device forwards the authentication request to the private cloud authentication server, which requests an interface access credential from the WeChat platform using the AppID (Application Identity, the unique identification code of the public account) and the AppSecret (Application Secret, the developer password of the public account), and then requests the user's real-name authentication information from the WeChat platform using that credential. After the private cloud authentication server has verified the authentication information, it returns an authentication credential to the wireless terminal; once that credential has been verified for the wireless terminal, an authentication success page is returned and the wireless terminal is allowed to access the internet.
The above flow has at least the following problems:
1) Every time a new private cloud is deployed, the egress public IP (Internet Protocol) address of its private cloud authentication server must be added to a whitelist on the WeChat platform to mark that address as authorized to apply for an interface access credential; over time this whitelist becomes cluttered and inconvenient to maintain.
2) The AppSecret is the password that verifies the identity of the WiFi provider's developer; using it frequently creates a significant security risk.
Disclosure of Invention
In view of this, the present application provides a Portal authentication method and apparatus, which solve two problems of the related art: that a first server must send secrets such as a password to a third server in order to obtain user authentication information, creating a large security risk, and that the third server has to manage the IP addresses of first servers, which is inconvenient.
A first aspect of the present application provides an authentication method applied to a first server, including:
receiving an authentication request sent by a wireless terminal through access equipment, wherein the authentication request comprises user information;
sending an authentication information query request to a second server according to the user information so that the second server forwards the authentication information query request to a third server;
receiving a first authentication information response sent by the second server, wherein the first authentication information response comprises user authentication information, and the user authentication information is sent by the third server after inquiring the user authentication information matched with the user information;
and carrying out validity authentication on the user corresponding to the wireless terminal according to the user authentication information.
A second aspect of the present application provides an authentication method applied to a second server, the method including:
receiving an authentication information query request sent by a first server, and sending the authentication information query request to a third server;
receiving a first authentication information response sent by the third server, wherein the first authentication information response comprises user authentication information which is sent after the third server inquires the user authentication information matched with the user information;
and forwarding the first authentication information response to the first server so that the first server performs validity authentication on the user according to the user authentication information.
A third aspect of the present application provides an authentication apparatus, applied to a first server, including:
the authentication request receiving module is used for receiving an authentication request sent by the wireless terminal through the access equipment, wherein the authentication request comprises user information;
the query request sending module is used for sending an authentication information query request to the second server according to the user information so as to enable the second server to forward the authentication information query request to the third server;
the authentication information receiving module is used for receiving a first authentication information response sent by the second server, wherein the first authentication information response comprises user authentication information, and the user authentication information is sent by the third server after inquiring the user authentication information matched with the user information;
and the authentication module is used for carrying out validity authentication on the user corresponding to the wireless terminal according to the user authentication information.
A fourth aspect of the present application provides an authentication apparatus applied to a second server, including:
the query request forwarding module is used for receiving the authentication information query request sent by the first server and sending the authentication information query request to the third server;
the first response receiving module is used for receiving a first authentication information response sent by the third server, wherein the first authentication information response comprises user authentication information which is sent by the third server after the third server inquires user authentication information matched with the user information;
and the first response forwarding module is used for forwarding the first authentication information response to the first server so that the first server performs validity authentication on the user according to the user authentication information.
In the authentication method provided by the first aspect of the present application, after receiving an authentication request sent by a wireless terminal through an access device, the first server sends an authentication information query request to a second server according to the user information, the second server forwards that request to a third server, and the first server receives from the second server a first authentication information response carrying the user authentication information; the first server then performs validity authentication on the user corresponding to the wireless terminal according to that information.
Compared with the prior art, a second server is placed between the first server and the third server, so that the first server queries user authentication information through the second server instead of reading it directly from the third server. The third server therefore no longer has to add and manage the IP addresses of first servers, which reduces maintenance and operating cost; at the same time the first server never has to present secrets such as the AppSecret, which greatly reduces security risk and improves security.
Drawings
Various other advantages and benefits will become apparent to those of ordinary skill in the art upon reading the following detailed description of the preferred embodiments. The drawings are only for purposes of illustrating the preferred embodiments and are not to be construed as limiting the application. Also, like reference numerals are used to refer to like parts throughout the drawings. In the drawings:
fig. 1 shows a schematic flow diagram of WiFi authentication for wechat provided in the prior art;
FIG. 2 illustrates a schematic diagram of an application scenario provided by some embodiments of the present application;
FIG. 3 illustrates a flow chart of an authentication method provided by some embodiments of the present application;
fig. 4 is a flow chart illustrating adding check domain name information to a real-name authentication information server according to some embodiments of the present application;
FIG. 5 illustrates a flow chart of another authentication method provided by some embodiments of the present application;
FIG. 6 illustrates a flow chart of an authentication method provided by some embodiments of the present application;
fig. 7 illustrates a schematic diagram of an authentication device provided by some embodiments of the present application;
fig. 8 shows a schematic diagram of another authentication device provided by some embodiments of the present application;
fig. 9 illustrates a schematic diagram of an electronic device provided by some embodiments of the present application.
Detailed Description
Exemplary embodiments of the present disclosure will be described in more detail below with reference to the accompanying drawings. While exemplary embodiments of the present disclosure are shown in the drawings, it should be understood that the present disclosure may be embodied in various forms and should not be limited to the embodiments set forth herein. Rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the scope of the disclosure to those skilled in the art.
It is to be noted that, unless otherwise specified, technical or scientific terms used herein shall have the ordinary meaning as understood by those skilled in the art to which this application belongs.
Some of the terms referred to in the description of the embodiments of the present application are explained below:
private cloud: a cloud service built for the exclusive use of one customer; in the embodiments of the present application, the WiFi provider uses the private cloud to provide the WiFi connection authentication service to users.
Public cloud: a cloud service provided by a third-party provider for general use; its core attribute is shared resource service, and a private cloud can access the public cloud to obtain shared resource services.
WeChat WiFi authentication: a function introduced by WeChat for quickly connecting to WiFi hotspots; it can be integrated with Portal authentication, and its characteristic is that the end user's real-name authentication information on the WeChat side serves as the credential when WiFi access is requested.
AppID: the developer identifier of the public account on the WeChat public platform, which is also the unique identification code of the public account.
AppSecret: the developer password of the public account.
In addition, the terms "first" and "second", etc. are used to distinguish different objects, rather than to describe a particular order. Furthermore, the terms "include" and "have," as well as any variations thereof, are intended to cover a non-exclusive inclusion. For example, a process, method, system, article, or apparatus that comprises a list of steps or elements is not limited to only those steps or elements listed, but may alternatively include other steps or elements not listed, or inherent to such process, method, article, or apparatus.
To make the following embodiments easier to understand, and to briefly introduce the related concepts, note first that the WeChat WiFi authentication procedure of the prior art shown in fig. 1 has, in practical applications, at least the following problems:
Problem 1): For security reasons the real-name authentication information server allows access only from port 80, and use of port 80 must be filed with the public security department. Most private cloud authentication servers do not have a port 80, so if a private cloud authentication server is to retrieve real-name authentication information from the real-name authentication information server, its IP address must be added to the IP address whitelist of the real-name authentication information server. When there are many private cloud authentication servers, this greatly burdens IP address management on the real-name authentication information server side and leads to problems such as a cluttered, hard-to-maintain whitelist.
Problem 2): When the private cloud authentication server retrieves real-name authentication information from the real-name authentication information server, it must also present the public account's AppID and AppSecret to apply for an interface access credential. The AppSecret is the developer identity password of the public account, and its frequent use creates a significant security risk.
Problem 3): In practice the number of times a private cloud authentication server may request an interface access credential is limited: each public account is allowed only a certain number of requests per day. If several parties know the public account's AppID and AppSecret, one party may make too many requests, leaving the others without the right to apply for a credential for the rest of the day.
Problem 4): For security, the real-name authentication information server in practice treats only the most recently issued interface access credential as valid and all earlier ones as invalid, which further encourages repeated requests from the various parties and aggravates problem 3).
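To make problems 3) and 4) concrete, here is an added simulation (not code from the patent or from H3C) of the prior-art credential rules: a per-AppID daily request quota and the rule that only the most recently issued interface access credential is valid. The quota value, the class and method names and the constructed AppID/AppSecret are assumptions chosen for the illustration; it shows why two private cloud deployments that share one AppSecret keep invalidating each other's credential and exhaust the quota.

```python
"""Simulation of the prior-art interface-access-credential rules (problems 3 and 4).
Added illustration, not code from the patent; quota, names and values are assumed."""
import secrets
from dataclasses import dataclass, field


@dataclass
class CredentialIssuer:
    """Stands in for the credential endpoint of the real-name authentication
    information server.  Models the two rules the text describes."""
    daily_quota: int = 3   # assumed small quota to keep the demo short
    _secrets: dict = field(default_factory=dict, init=False)   # app_id -> app_secret
    _calls: dict = field(default_factory=dict, init=False)     # app_id -> calls today
    _current: dict = field(default_factory=dict, init=False)   # app_id -> newest credential

    def register_app(self, app_id: str, app_secret: str) -> None:
        self._secrets[app_id] = app_secret

    def request_credential(self, app_id: str, app_secret: str):
        """Return a fresh credential, or None when the request is rejected."""
        if not secrets.compare_digest(self._secrets.get(app_id, ""), app_secret):
            return None                      # wrong AppSecret
        if self._calls.get(app_id, 0) >= self.daily_quota:
            return None                      # problem 3): today's quota is used up
        self._calls[app_id] = self._calls.get(app_id, 0) + 1
        cred = secrets.token_hex(8)
        self._current[app_id] = cred         # problem 4): the previous credential is now invalid
        return cred

    def is_valid(self, app_id: str, credential) -> bool:
        return credential is not None and self._current.get(app_id) == credential


def demo() -> dict:
    """Two private cloud deployments (A and B) share one AppID/AppSecret."""
    issuer = CredentialIssuer(daily_quota=3)
    issuer.register_app("wx-app-id-demo", "app-secret-demo")   # constructed values
    cred_a = issuer.request_credential("wx-app-id-demo", "app-secret-demo")
    cred_b = issuer.request_credential("wx-app-id-demo", "app-secret-demo")
    a_still_valid = issuer.is_valid("wx-app-id-demo", cred_a)   # B's request invalidated A
    b_valid = issuer.is_valid("wx-app-id-demo", cred_b)
    # Both try to recover: the third request of the day succeeds, the fourth is refused.
    cred_a2 = issuer.request_credential("wx-app-id-demo", "app-secret-demo")
    cred_b2 = issuer.request_credential("wx-app-id-demo", "app-secret-demo")
    return {
        "a_invalidated_by_b": not a_still_valid,
        "b_valid": b_valid,
        "third_call_ok": cred_a2 is not None,
        "fourth_call_refused": cred_b2 is None,
    }


if __name__ == "__main__":
    print(demo())
```

The point for a defender is that every deployment holding the AppSecret is both a place the secret can leak from and a competitor for the same daily quota; the patent's answer is to take the secret out of the private cloud servers entirely.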
In view of the above problems, fig. 2 shows a schematic diagram of an application scenario provided in an embodiment of the present application. As shown in fig. 2, a public cloud server is placed between the private cloud authentication server and the real-name authentication information server; the public cloud server has port 80 and can directly access the real-name authentication information server to retrieve real-name authentication information. The private cloud authentication server can therefore authorize the public cloud server to retrieve real-name authentication information on its behalf, and since the private cloud authentication server no longer retrieves real-name authentication information directly from the real-name authentication information server, management and security problems such as IP address confusion and AppSecret leakage do not arise, so problems 1) to 4) of the flow shown in fig. 1 are effectively avoided.
In the following description of the embodiments, reference is made to the schematic illustration of the application scenario shown in fig. 2 and the above description.
The embodiments of the present application provide an authentication method and apparatus, which are described below with reference to the accompanying drawings.
Referring to fig. 3, which illustrates a flowchart of an authentication method provided in some embodiments of the present application, as shown in the figure, the authentication method, for a first server, may include the following steps:
step S101: receiving an authentication request sent by a wireless terminal through access equipment, wherein the authentication request comprises user information;
step S102: sending an authentication information query request to a second server according to the user information so that the second server forwards the authentication information query request to a third server;
step S103: receiving a first authentication information response sent by the second server, wherein the first authentication information response comprises user authentication information, and the user authentication information is sent by the third server after inquiring the user authentication information matched with the user information;
step S104: and carrying out validity authentication on the user corresponding to the wireless terminal according to the user authentication information.
In any implementation of the embodiments of the present application, the first server may include, but is not limited to, a private cloud authentication server; the second server may include, but is not limited to, a public cloud server; and the third server may include, but is not limited to, a real-name authentication information server. The public cloud server has an authorized port for obtaining user authentication information (i.e., a port filed with the public security department, such as port 80 or port 8080), and the user authentication information may be the real-name authentication information of the user.
On this basis, in the authentication method of the embodiment of the present application, after receiving the authentication request from the wireless terminal uploaded by the access device, the private cloud authentication server queries the user's real-name authentication information from the real-name authentication information server through the public cloud server according to the user information, and then authenticates the user according to the returned real-name authentication information. Compared with the prior art, a third-party public cloud server is added so that the private cloud authentication servers query real-name authentication information through the public cloud server instead of reading it directly from the real-name authentication information server; the burden of adding and managing IP addresses is avoided and maintenance and operating cost is reduced, and the private cloud authentication server never has to provide secrets such as the AppSecret, so security risks are greatly reduced and security is improved.
In the embodiment of the present application, the private cloud authentication server may have no port filed with the public security department, such as port 80, and since it is not itself on file with the public security department it is not allowed to query real-name authentication information at will.
If the private cloud authentication server queried the real-name authentication information server directly, confidential information such as the AppID and AppSecret would have to be transmitted to the real-name authentication information server and the number of queries would be limited, causing problems 2), 3) and 4); the real-name authentication information server would also have to take on tasks such as IP address management for security, causing problem 1).
The public cloud server may be a server that has a port filed with the public security department, such as port 80. Once it is on file with the public security department and has been authorized by the real-name authentication information server, it can query real-name authentication information more freely and directly, without sending confidential information and with no limit, or a much higher limit, on the number of queries. Introducing the public cloud server and adopting the authentication method of the embodiment of the present application therefore effectively solves problems 2), 3) and 4) above; and since all private cloud authentication servers query real-name authentication information through the public cloud server, the real-name authentication information server is spared the IP address management and maintenance burden, so problem 1) is effectively solved as well.
In Portal authentication, for security reasons the user requesting authentication must be real-name authenticated. Therefore, in some embodiments of the present application, the user's real-name authentication information is queried from the real-name authentication information server according to the user information, which may include, but is not limited to, the user's network account, mobile phone number and similar information. According to the user information, the real-name authentication information server is asked whether the user has completed real-name authentication: if real-name authentication information is found, the user is determined to have completed real-name authentication and may be granted further access to the internet; otherwise, if no real-name authentication information for the user is found, the user is denied further access to the internet.
Accordingly, in some embodiments, the method may further include: if the first authentication information response from the second server is not received, sending a first authentication response to the wireless terminal through the access device, wherein the first authentication response comprises information indicating authentication failure.
For example, if the first server fails to obtain the user's real-name authentication information, it may send a first authentication response to the wireless terminal used by the user through the access device, and the first authentication response may include information indicating that real-name authentication has failed.
In addition, if the user passes the validity authentication at the first server, the first server may send a second authentication response to the wireless terminal used by the user through the access device, where the second authentication response may include information indicating that real-name authentication has succeeded.
In addition to any of the above embodiments, the real-name authentication information server may be any server storing real-name authentication information; its function is not limited to this. For example, in practice the WeChat server requires real-name authentication and stores a large amount of real-name authentication information, so it is a typical real-name authentication information server, and in the following exemplary description the real-name authentication information server may be understood as the WeChat server.
The WeChat server also acts as the WeChat public platform that manages WeChat public accounts. As mentioned above, the WiFi provider can enable the WeChat WiFi function in its WeChat public account; in practice, to enable the WeChat WiFi function the WiFi provider must supply verification domain name information, and only after WeChat has verified it can the function be used.
Based on the above, since the embodiment of the present application accesses the WeChat server (i.e., the real-name authentication information server) through the public cloud server, the domain name of the public cloud server must be verified. Accordingly, in some embodiments, before sending the authentication information query request to the second server according to the user information, the method may further include:
sending a registration request to a second server;
receiving a registration response sent by the second server for the registration request, wherein the registration response comprises check domain name information;
and sending the check domain name information to the third server so that the third server opens the authority for inquiring the user authentication information for the second server according to the check domain name information.
The check domain name information may include a domain name of the second server and identification information allocated by the second server to the first server, for example, the check domain name information may include a domain name of a public cloud server and identification information allocated by the public cloud server to a private cloud authentication server, where the identification information may be an identification allocated by the public cloud server according to network environment configuration information of the private cloud authentication server in order to distinguish multiple private cloud authentication servers.
In some embodiments, please refer to fig. 4, which is a schematic flowchart illustrating a process of adding check domain name information to a real-name authentication information server according to some embodiments of the present application, where as shown in the figure, the process may include the following steps:
step S301: the private cloud authentication server sends a registration request to the public cloud server carrying its network environment configuration information (such as IP address, domain name, port, etc.);
step S302: the public cloud server allocates identification information to the private cloud authentication server according to the network environment configuration information, generates check domain name information from the identification information and the public cloud server's own domain name, and returns the check domain name information to the private cloud authentication server;
step S303: the private cloud authentication server adds the check domain name information to the real-name authentication information server, so that the real-name authentication information server opens the authority to query and retrieve real-name authentication information for the public cloud server; the public cloud server's domain name is used by the real-name authentication information server to identify the public cloud server and push messages to it, and the identification information is used to distinguish the private cloud authentication servers connected to the public cloud server, so as to facilitate message forwarding and the like;
step S304: after the real-name authentication information server has verified the check domain name information, registration is complete and the public cloud server has been authorized to query.
Through the implementation mode, the authority for inquiring the real-name authentication information can be smoothly opened for the public cloud server, and the public cloud server identifies the private cloud authentication server, so that the smooth implementation of the embodiment of the application is ensured.
In the foregoing embodiment, an authentication method for a first server is provided, and correspondingly, the present application also provides an authentication method for a second server, where the authentication method for the second server is implemented in cooperation with the authentication method for the first server, and belongs to the same inventive concept, so that the following description of an embodiment of the authentication method for the second server can be understood by referring to the foregoing description of the embodiment of the authentication method for the first server, and some contents are not described again.
Referring to fig. 5, which shows a flowchart of another authentication method provided in some embodiments of the present application, as shown, the authentication method, for the second server, may include the following steps:
step S201: receiving an authentication information query request sent by a first server, and sending the authentication information query request to a third server;
step S202: receiving a first authentication information response sent by the third server, where the first authentication information response includes user authentication information, and the user authentication information is sent by the third server after it queries user authentication information matching the user information;
step S203: sending the first authentication information response to the first server, so that the first server performs validity authentication on the user according to the user authentication information.
The authentication method for the second server provided by this embodiment and the authentication method for the first server provided by the foregoing embodiment share the same inventive concept and at least have the following corresponding advantages. With reference to the application scenario shown in fig. 1 and the description above, based on the authentication method of this embodiment, a public cloud server can take the place of the private cloud authentication server in retrieving real-name authentication information from the real-name authentication information server. Thus, without setting an IP address white list or transmitting secret-related information such as AppSecret, the corresponding real-name authentication information can be queried directly from the real-name authentication information server according to the pre-opened authority for querying real-name authentication information, and returned to the private cloud authentication server. Meanwhile, the whole process does not require the private cloud authentication server to provide password information such as AppSecret, so potential safety hazards are greatly reduced and security is improved.
In some implementations of the embodiments of the present application, the second server may include an authorized port for obtaining user authentication information;
sending the authentication information query request to the third server may include:
sending the authentication information query request to the third server through the authorized port.
The authorized port may be a port authorized by the third server through which real-name authentication information can be obtained directly from the third server; for network security reasons, the authorized port may be a port registered with the police department, such as port 80 or port 8080.
In some implementations of the embodiment of the present application, before receiving the authentication information query request sent by the first server, the method may further include:
receiving a registration request sent by a first server;
allocating identification information for identifying the first server according to the registration request;
generating check domain name information according to the identification information and the domain name of the second server;
and sending check domain name information to the first server.
For example, the check domain name information may include a domain name of the public cloud server and identification information allocated by the public cloud server for the private cloud authentication server.
In this way, the authority for querying real-name authentication information can be opened to the public cloud server, ensuring smooth implementation of the embodiments of the application.
In some implementations of the embodiment of the present application, after sending the check domain name information to the first server, the method may further include:
acquiring routing information between a third server and a first server;
and adding the routing information to the routing table so as to forward the data transmitted between the third server and the first server according to the routing information.
The routing information may include first routing information for forwarding data to the first server and second routing information for forwarding data to the third server. The routing information may be obtained from the registration request sent by the first server; for example, the registration request may include the IP address of the first server and the IP address of the third server. Taking the IP address of the first server as the destination address, the second server may determine the output interface and next-hop IP address corresponding to that destination address using any existing routing algorithm, thereby generating the first routing information; likewise, taking the IP address of the third server as the destination address, the second server may determine the corresponding output interface and next-hop IP address using any existing routing algorithm, thereby generating the second routing information. The first routing information and the second routing information together form the routing information between the third server and the first server. The above description is only an exemplary illustration of the embodiments of the present application and does not imply any limitation.
In this embodiment, because the routing information has been determined, when the real-name authentication information server pushes a message, the public cloud server can forward it directly to the private cloud authentication server according to the routing information, so the functions of the private cloud authentication server are not affected.
After the routing information is determined, it can be added to the routing table of the public cloud server. In the embodiments of the present application, the public cloud server can modify its routing table automatically and dynamically according to newly determined routing information. Taking a public cloud server implemented as an nginx server as an example: nginx obtains its routing information by reading a local configuration file, so the configuration file can be modified automatically by code according to the routing information between the real-name authentication information server and the private cloud authentication server, and then re-read to complete the modification of the routing table. The modification of the configuration file includes adding the newly determined routing information to the routing table, which ensures that messages are forwarded smoothly between the real-name authentication information server and the private cloud authentication server.
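The registration procedure of steps S301 to S304 and the routing-table update that follows it, as an added simulation that is not the patent's own code. The class names, the way the identification information is derived, the verification the real-name server performs on the check domain name information, and the nginx fragment layout are all assumptions made for this illustration.

```python
"""Added example (not the patent's code): registration (S301-S304) plus the
routing information the public cloud server derives from the registration
request.  Every name, format and check here is an assumption."""
import hashlib
import ipaddress


class PublicCloudServer:
    """The second server: allocates identification information to each private
    cloud authentication server and keeps the routing information it derives."""

    def __init__(self, domain: str):
        self.domain = domain
        self.registered = {}     # identification -> network environment configuration
        self.routing_table = []  # entries derived from registration requests

    def register(self, net_env: dict) -> str:
        """Step S302: allocate identification information and return the check
        domain name information (identification + domain name of this server)."""
        # Reject malformed addresses before they can influence any route (assumed check).
        ipaddress.ip_address(net_env["ip"])
        ipaddress.ip_address(net_env["real_name_server_ip"])
        # Derive a distinguishing identification from the network environment
        # configuration; hashing it is an assumption, any unique allocation would do.
        material = f'{net_env["ip"]}|{net_env["domain"]}|{net_env["port"]}'
        ident = hashlib.sha256(material.encode()).hexdigest()[:16]
        self.registered[ident] = net_env
        return f"{ident}.{self.domain}"

    def add_routes(self, ident: str) -> None:
        """First routing information (towards the private cloud authentication
        server) and second routing information (towards the real-name server)."""
        cfg = self.registered[ident]
        self.routing_table.append(
            {"ident": ident, "role": "private_cloud", "dst": cfg["ip"], "port": cfg["port"]})
        # Port 80 for the real-name server is an assumption taken from the page's
        # mention of ports 80/8080 as typical authorized ports.
        self.routing_table.append(
            {"ident": ident, "role": "real_name", "dst": cfg["real_name_server_ip"], "port": 80})

    def nginx_fragment(self) -> str:
        """Render the routing table as an nginx reverse-proxy fragment (assumed
        layout): pushed messages for one identification go to that private cloud
        server, queries go to the real-name server.  This stands in for the
        configuration file the text says is rewritten by code and re-read."""
        out = []
        for r in self.routing_table:
            path = f"/push/{r['ident']}/" if r["role"] == "private_cloud" else "/query/"
            line = f"location {path} {{ proxy_pass http://{r['dst']}:{r['port']}/; }}"
            if line not in out:  # nginx rejects duplicate location blocks
                out.append(line)
        return "\n".join(out)


class RealNameAuthServer:
    """The third server: opens query authority only after verifying the check
    domain name information (steps S303 and S304)."""

    def __init__(self, trusted_public_cloud_domains: set):
        self.trusted = trusted_public_cloud_domains
        self.query_authority = {}  # public cloud domain -> identifications it may serve

    def add_check_domain_name(self, check_domain: str) -> bool:
        ident, sep, domain = check_domain.partition(".")
        # Assumed verification: exactly one identification label in front of a
        # domain this server already trusts as a public cloud domain.
        if not sep or not ident.isalnum() or domain not in self.trusted:
            return False
        self.query_authority.setdefault(domain, set()).add(ident)
        return True


def run_registration(net_env: dict, public_cloud: PublicCloudServer,
                     real_name: RealNameAuthServer) -> tuple:
    """Steps S301-S304 end to end; returns (check domain name info, granted)."""
    check_domain = public_cloud.register(net_env)            # S301 + S302
    granted = real_name.add_check_domain_name(check_domain)  # S303 + S304
    if granted:  # routes are only needed once the query authority exists
        public_cloud.add_routes(check_domain.split(".", 1)[0])
    return check_domain, granted


if __name__ == "__main__":
    # Constructed sample configuration of one private cloud authentication server.
    env = {"ip": "10.0.0.5", "domain": "auth.private.example", "port": 8443,
           "real_name_server_ip": "203.0.113.10"}
    pc = PublicCloudServer("cloud.example")
    rn = RealNameAuthServer({"cloud.example"})
    print(run_registration(env, pc, rn))
    print(pc.nginx_fragment())
```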
For a better understanding of the foregoing embodiments, please refer to fig. 6, which shows a flowchart of an authentication method provided in some specific embodiments of the present application; the authentication method for the first server and the authentication method for the second server provided in any of the foregoing embodiments may be understood together with the following exemplary description, and some contents are not repeated. As shown in fig. 6, the whole authentication process of the wireless terminal can be divided into two phases, an authentication phase and an authorization phase, which may specifically include the following steps:
Authentication phase:
step S401: the wireless terminal requests a Portal page according to the user's operation;
step S402: the access device returns a login page;
step S403: the user selects Portal authentication, and the wireless terminal sends an authentication request to the private cloud authentication server;
step S404: the private cloud server sends a real-name authentication information query request to the public cloud server;
step S405: the public cloud server queries the real-name authentication information server for the user's real-name authentication information;
step S406: the real-name authentication information server looks up the real-name authentication information and returns the user's real-name authentication information;
step S407: the public cloud server returns the real-name authentication information to the private cloud authentication server;
step S408: the authentication phase is complete; the user is determined to have completed real-name authentication, authenticated internet access can be applied for further, and an authentication credential is sent to the wireless terminal.
Authorization phase:
step S409: the wireless terminal initiates internet access authentication;
step S410: the access device uploads information such as the MAC address and IP address of the wireless terminal to the private cloud authentication server for verification;
step S411: after the verification passes, the private cloud authentication server returns a login success page to the access device;
step S412: the access device returns the login success page to the wireless terminal, and the wireless terminal can now access the internet.
As this exemplary illustration shows, compared with the prior art, by adding a third-party public cloud server the private cloud server can query real-name authentication information through the public cloud server; since the private cloud server no longer reads real-name authentication information directly from the real-name authentication information server, the trouble of adding and managing IP addresses is avoided and maintenance and operation costs are reduced. Meanwhile, the whole process does not require the private cloud authentication server to provide password information such as AppSecret, so potential safety hazards are greatly reduced and security is improved.
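The two phases of fig. 6 as an added simulation that is not the patent's own code, including the case where no first authentication information response comes back from the public cloud server. The message shapes, the authorized (domain, port) check at the real-name server, the credential format and the sample real-name records are assumptions constructed for this illustration; the query authority is assumed to have been opened already by the registration described earlier.

```python
"""Added example (not the patent's code): authentication phase (S403-S408) and
authorization phase (S409-S411) with three cooperating servers.  All message
shapes, checks and sample data are assumptions."""
import hmac
import secrets
from typing import Optional

# Constructed sample records held by the real-name authentication information server.
SAMPLE_RECORDS = {
    "user-1001": {"name": "Constructed User", "real_name_verified": True},
}


class RealNameAuthServer:
    """Third server: answers only queries arriving from a (public cloud domain,
    port) pair whose query authority was opened at registration.  No IP white
    list and no AppSecret take part in the decision."""

    def __init__(self, authorized: set, records: dict):
        self.authorized = authorized
        self.records = records

    def query(self, source: tuple, user_info: dict) -> Optional[dict]:
        if source not in self.authorized:
            return None
        return self.records.get(user_info["user_id"])


class PublicCloudServer:
    """Second server: steps S405 and S407, querying through its authorized port."""

    def __init__(self, domain: str, authorized_port: int, third: RealNameAuthServer):
        self.domain, self.port, self.third = domain, authorized_port, third

    def query_real_name_info(self, request: dict) -> Optional[dict]:
        if "AppSecret" in request:  # assumed guard: the private cloud never sends secrets
            raise ValueError("secret-related information must not be transmitted")
        return self.third.query((self.domain, self.port), request)


class UnreachablePublicCloud:
    """Stand-in for a public cloud server that never answers (assumed failure model)."""

    def query_real_name_info(self, request: dict):
        raise ConnectionError("no first authentication information response")


class PrivateCloudAuthServer:
    """First server: authentication phase (S403-S408), authorization phase (S409-S411)."""

    def __init__(self, public_cloud):
        self.public_cloud = public_cloud
        self.authenticated = {}  # (MAC, IP) of the terminal -> credential issued in S408

    def authenticate(self, terminal: tuple, user_info: dict) -> dict:
        """Returns the response handed to the wireless terminal via the access device."""
        try:  # S404: only the user information leaves the private cloud server
            info = self.public_cloud.query_real_name_info({"user_id": user_info["user_id"]})
        except ConnectionError:
            info = None  # no first authentication information response received
        if not info or not info.get("real_name_verified"):
            return {"status": "failure"}  # first authentication response: failure
        credential = secrets.token_hex(8)  # credential format is an assumption
        self.authenticated[terminal] = credential
        return {"status": "success", "credential": credential}

    def authorize(self, terminal: tuple, credential: str) -> str:
        """S410/S411: the access device uploads the terminal's MAC and IP for
        verification; the terminal presenting its credential is an assumption."""
        expected = self.authenticated.get(terminal, "")
        if expected and hmac.compare_digest(expected, credential):
            return "login success page"
        return "login page"  # assumed: unverified terminals are sent back to the login page


if __name__ == "__main__":
    rn = RealNameAuthServer({("cloud.example", 8080)}, SAMPLE_RECORDS)
    priv = PrivateCloudAuthServer(PublicCloudServer("cloud.example", 8080, rn))
    terminal = ("00:11:22:33:44:55", "192.0.2.10")  # constructed MAC and IP
    reply = priv.authenticate(terminal, {"user_id": "user-1001"})
    print(reply, priv.authorize(terminal, reply.get("credential", "")))
```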
In the foregoing embodiment, an authentication method for a first server is provided, and correspondingly, an authentication apparatus for a first server is also provided. The authentication device provided in the embodiment of the present application may implement the authentication method for the first server, and the authentication device may be implemented by software, hardware, or a combination of software and hardware. For example, the authentication means may comprise integrated or separate functional modules or units to perform the corresponding steps in the authentication method for the first server described above. Please refer to fig. 7, which illustrates a schematic diagram of an authentication device according to some embodiments of the present application. Since the apparatus embodiments are substantially similar to the method embodiments, they are described in a relatively simple manner, and reference may be made to some of the descriptions of the method embodiments for relevant points. The device embodiments described below are merely illustrative.
As shown in fig. 7, the authentication apparatus 10, applied to the first server, may include:
an authentication request receiving module 101, configured to receive an authentication request sent by a wireless terminal through an access device, where the authentication request includes user information;
the real-name information query module 102 is configured to send an authentication information query request to the second server according to the user information, so that the second server forwards the authentication information query request to the third server;
the user authentication module 103 is configured to receive a first authentication information response sent by the second server, where the first authentication information response includes user authentication information, and the user authentication information is sent by the third server after querying user authentication information matched with the user information;
and the authentication module 104 is configured to perform validity authentication on the user corresponding to the wireless terminal according to the user authentication information.
In some variations of the embodiments of the present application, the apparatus 10 may further include:
a registration request sending module, configured to send a registration request to a second server;
the check domain name receiving module is used for receiving a registration response sent by the second server aiming at the registration request, and the registration response comprises check domain name information;
and the check domain name sending module is used for sending check domain name information to the third server so that the third server opens the authority for inquiring the user authentication information for the second server according to the check domain name information.
In some variations of the embodiments of the present application, the apparatus 10 may further include:
and the authentication failure processing module is used for sending a first authentication response to the wireless terminal through the access equipment if the first authentication information response sent by the second server is not received, wherein the first authentication response comprises information representing authentication failure.
In some variations of the embodiments of the present application, the first server may include a private cloud authentication server, the second server may include a public cloud server, the public cloud server has an authorization port for obtaining user authentication information, the third server may include a real-name authentication information server, and the user authentication information may include real-name authentication information of a user.
The authentication device 10 provided in the embodiment of the present application and the authentication method provided in the foregoing embodiment of the present application have the same advantageous effects based on the same inventive concept.
In the above embodiment, an authentication method for a second server is provided, and correspondingly, the present application also provides an authentication apparatus for a second server. The authentication device for the second server provided in the embodiment of the present application may implement the authentication method for the second server, and the authentication device for the second server may be implemented by software, hardware, or a combination of software and hardware. For example, the authentication means for the second server may comprise integrated or separate functional modules or units to perform the corresponding steps in the authentication method for the second server described above. Please refer to fig. 8, which illustrates a schematic diagram of another authentication apparatus provided in some embodiments of the present application. Since the apparatus embodiments are substantially similar to the method embodiments, they are described in a relatively simple manner, and reference may be made to some of the descriptions of the method embodiments for relevant points. The device embodiments described below are merely illustrative.
As shown in fig. 8, the authentication apparatus 20, applied to the second server, may include:
the query request forwarding module 201 is configured to receive an authentication information query request sent by a first server, and send the authentication information query request to a third server;
a first response receiving module 202, configured to receive a first authentication information response sent by the third server, where the first authentication information response includes user authentication information, and the user authentication information is sent by the third server after querying user authentication information matching the user information;
the first response forwarding module 203 is configured to send the first authentication information response to the first server, so that the first server performs validity authentication on the user according to the user authentication information.
In some implementations of embodiments of the present application, the second server includes an authorization port that obtains user authentication information;
the query request forwarding module 201 may include:
and the authorized port forwarding unit is used for sending an authentication information query request to the third server through the authorized port.
In some implementations of the embodiments of the present application, the apparatus 20 may further include:
a registration request receiving module, configured to receive a registration request sent by a first server;
the identification information distribution module is used for distributing identification information for identifying the first server according to the registration request;
the verification domain name information generating module is used for generating verification domain name information according to the identification information and the domain name of the second server;
and the check domain name information sending module is used for sending the check domain name information to the first server.
In some implementations of the embodiments of the present application, the apparatus 20 may further include:
the routing information acquisition module is used for acquiring routing information between the third server and the first server;
and the routing table updating module is used for adding the routing information to the routing table so as to forward the data transmitted between the third server and the first server according to the routing information.
The authentication device 20 provided in the embodiment of the present application has the same advantageous effects as the authentication method for the second server provided in the foregoing embodiment of the present application.
The embodiment of the present application further provides an electronic device corresponding to the authentication method for the first server and the authentication method for the second server provided in the foregoing embodiments, where the electronic device may be a server, specifically, a single server, or a distributed server cluster, so as to execute the authentication method for the first server or the authentication method for the second server.
Please refer to fig. 9, which illustrates a schematic diagram of an electronic device according to some embodiments of the present application. As shown in fig. 9, the electronic device 30 includes: the system comprises a processor 300, a memory 301, a bus 302 and a communication interface 303, wherein the processor 300, the communication interface 303 and the memory 301 are connected through the bus 302; the memory 301 stores a computer program operable on the processor 300, and the processor 300 executes the computer program to perform the authentication method for the first server or the authentication method for the second server provided in any of the foregoing embodiments of the present application.
The memory 301 may include a random access memory (RAM) and a non-volatile memory, such as at least one disk memory. Communication between the network element of the system and at least one other network element is realized through at least one communication interface 303 (which may be wired or wireless), over the internet, a wide area network, a local network, a metropolitan area network, or the like.
Bus 302 can be an ISA bus, PCI bus, EISA bus, or the like. The bus may be divided into an address bus, a data bus, a control bus, etc. The memory 301 is configured to store a program, and the processor 300 executes the program after receiving an execution instruction, where the authentication method for the first server or the authentication method for the second server disclosed in any of the foregoing embodiments of the present application may be applied to the processor 300, or implemented by the processor 300.
Processor 300 may be an integrated circuit chip having signal processing capabilities. In implementation, the steps of the authentication method for the first server or the authentication method for the second server may be implemented by an integrated logic circuit of hardware or by instructions in the form of software in the processor 300. The processor 300 may be a general-purpose processor, including a central processing unit (CPU), a network processor (NP), and the like; it may also be a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or other programmable logic device, discrete gate or transistor logic, or discrete hardware components. The various methods, steps, and logic blocks disclosed in the embodiments of the present application may be implemented or performed by it. A general-purpose processor may be a microprocessor, or the processor may be any conventional processor or the like. The steps of the method disclosed in connection with the embodiments of the present application may be directly implemented by a hardware decoding processor, or implemented by a combination of hardware and software modules in the decoding processor. The software module may be located in RAM, flash memory, ROM, PROM or EPROM, registers, or other storage media well known in the art. The storage medium is located in the memory 301; the processor 300 reads the information in the memory 301 and completes the steps of the authentication method for the first server or the authentication method for the second server in combination with its hardware.
The electronic device provided by the embodiment of the present application, the authentication method for the first server and the authentication method for the second server provided by the embodiment of the present application have the same inventive concept, and have the same beneficial effects as the method adopted, operated or implemented by the electronic device.
It should be noted that the flowchart and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present application. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
It is clear to those skilled in the art that, for convenience and brevity of description, the specific working processes of the above-described systems, apparatuses and units may refer to the corresponding processes in the foregoing method embodiments, and are not described herein again.
In the several embodiments provided in the present application, it should be understood that the disclosed apparatus and method may be implemented in other ways. The above-described embodiments of the apparatus are merely illustrative, and for example, the division of the units is only one logical division, and there may be other divisions when actually implemented, and for example, a plurality of units or components may be combined or integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection of devices or units through some communication interfaces, and may be in an electrical, mechanical or other form.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, functional units in the embodiments of the present application may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit.
The functions, if implemented in the form of software functional units and sold or used as a stand-alone product, may be stored in a computer readable storage medium. Based on such understanding, the technical solution of the present application or portions thereof that substantially contribute to the prior art may be embodied in the form of a software product stored in a storage medium and including instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present application. And the aforementioned storage medium includes: a U-disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk or an optical disk, and other various media capable of storing program codes.
Finally, it should be noted that: the above embodiments are only used for illustrating the technical solutions of the present application, and not for limiting the same; although the present application has been described in detail with reference to the foregoing embodiments, it should be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some or all of the technical features may be equivalently replaced; such modifications and substitutions do not depart from the spirit and scope of the present disclosure, and the present disclosure should be construed as being covered by the claims and the specification.

Claims (10)

1. A Portal authentication method applied to a first server is characterized by comprising the following steps:
receiving an authentication request sent by a wireless terminal through access equipment, wherein the authentication request comprises user information;
sending an authentication information query request to a second server according to the user information so that the second server forwards the authentication information query request to a third server;
receiving a first authentication information response sent by the second server, wherein the first authentication information response comprises user authentication information, and the user authentication information is sent by the third server after inquiring the user authentication information matched with the user information;
according to the user authentication information, carrying out validity authentication on the user corresponding to the wireless terminal;
the first server is a private cloud server; the second server is a public cloud server which is provided with an authorization port for acquiring the user authentication information; the third server is a real-name authentication information server.
2. The method according to claim 1, wherein before sending the authentication information query request to the second server according to the user information, the method further comprises:
sending a registration request to the second server;
receiving a registration response sent by the second server for the registration request, wherein the registration response comprises check domain name information;
and sending the check domain name information to the third server so that the third server opens the authority for inquiring user authentication information for the second server according to the check domain name information.
3. The method according to claim 1, wherein after sending the authentication information query request to the second server according to the user information, the method further comprises:
and if the first authentication information response sent by the second server is not received, sending a first authentication response to the wireless terminal through the access equipment, wherein the first authentication response comprises information indicating authentication failure.
4. The method according to any one of claims 1 to 3, wherein the user authentication information includes real name authentication information of the user.
5. A Portal authentication method applied to a second server is characterized by comprising the following steps:
receiving an authentication information query request sent by a first server, and sending the authentication information query request to a third server;
receiving a first authentication information response sent by the third server, wherein the first authentication information response comprises user authentication information, and the user authentication information is sent after the third server inquires user authentication information matched with the user information;
sending the first authentication information response to the first server so that the first server carries out validity authentication on the user according to the user authentication information;
the first server is a private cloud server; the second server is a public cloud server which is provided with an authorization port for acquiring the user authentication information; the third server is a real-name authentication information server.
6. The method of claim 5, wherein the second server comprises an authorization port for obtaining the user authentication information;
the sending the authentication information query request to the third server includes:
and sending the authentication information inquiry request to the third server through the authorization port.
7. The method according to claim 5, wherein before receiving the authentication information query request sent by the first server, the method further comprises:
receiving a registration request sent by the first server;
allocating identification information for identifying the first server according to the registration request;
generating check domain name information according to the identification information and the domain name of the second server;
and sending the check domain name information to the first server.
8. The method of claim 7, wherein after sending the check domain name information to the first server, the method further comprises:
acquiring routing information between the third server and the first server;
adding the routing information to a routing table to forward data transmitted between the third server and the first server according to the routing information.
9. A Portal authentication device applied to a first server is characterized by comprising:
the authentication request receiving module is used for receiving an authentication request sent by a wireless terminal through access equipment, wherein the authentication request comprises user information;
the query request sending module is used for sending an authentication information query request to a second server according to the user information so as to enable the second server to forward the authentication information query request to a third server;
the authentication information receiving module is used for receiving a first authentication information response sent by the second server, wherein the first authentication information response comprises user authentication information, and the user authentication information is sent by the third server after inquiring the user authentication information matched with the user information;
the authentication module is used for carrying out validity authentication on the user corresponding to the wireless terminal according to the user authentication information;
the first server is a private cloud server; the second server is a public cloud server which is provided with an authorization port for acquiring the user authentication information; the third server is a real-name authentication information server.
10. A Portal authentication device applied to a second server is characterized by comprising:
the query request forwarding module is used for receiving the authentication information query request sent by the first server and sending the authentication information query request to the third server;
a first response receiving module, configured to receive a first authentication information response sent by the third server, where the first authentication information response includes user authentication information, and the user authentication information is sent by the third server after querying user authentication information matching the user information;
a first response forwarding module, configured to send the first authentication information response to the first server, so that the first server performs validity authentication on a user according to the user authentication information;
the first server is a private cloud server; the second server is a public cloud server which is provided with an authorization port for acquiring the user authentication information; the third server is a real-name authentication information server.
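The exchange set out in claims 3 and 5 to 10 can be followed more easily as a runnable model. The block below is an added example written for this page, not code from the patent or from its assignee: the class names FirstServer, SecondServer and ThirdServer, the message shapes, the "fs1"-style identification, the lookup of a real-name record by user_info, the rule that the second server relays only registered first servers, and the validity check (a matched record flagged as verified passes) are all this example's own assumptions. The sample records and addresses are constructed.

```python
"""Toy model of the three-server Portal authentication exchange in claims 3 and 5-10.

Added example, not the patent's own code. All names and message shapes are assumed."""
from dataclasses import dataclass
from typing import Dict, Optional
import itertools


@dataclass
class AuthInfoQuery:
    """Authentication information query request (claim 5)."""
    user_info: str          # identifier taken from the terminal's authentication request
    first_server_id: str    # identification allocated to the first server at registration (claim 7)


@dataclass
class AuthInfoResponse:
    """First authentication information response (claim 5)."""
    user_info: str
    user_auth_info: Optional[dict]   # matched real-name record, or None when nothing matched


class ThirdServer:
    """Real-name authentication information server. Lookup keyed by user_info is an assumption."""

    def __init__(self, records: Dict[str, dict]):
        self._records = records
        self.online = True   # set to False to model the "no response received" path of claim 3

    def query(self, req: AuthInfoQuery) -> Optional[AuthInfoResponse]:
        if not self.online:
            return None
        return AuthInfoResponse(req.user_info, self._records.get(req.user_info))


class SecondServer:
    """Public cloud server that relays queries through an authorization port (claim 6)."""

    def __init__(self, domain: str, third: ThirdServer):
        self.domain = domain
        self._third = third
        self._ids = itertools.count(1)
        self.check_domains: Dict[str, str] = {}    # first_server_id -> check domain name
        self.routing_table: Dict[str, tuple] = {}  # first_server_id -> (first server addr, third server addr)

    def register(self, first_server_addr: str):
        """Claim 7: allocate an id, derive the check domain name from it and our own domain."""
        sid = f"fs{next(self._ids)}"
        check_domain = f"{sid}.{self.domain}"
        self.check_domains[sid] = check_domain
        # Claim 8: record the route between the third server and this first server
        self.routing_table[sid] = (first_server_addr, "third-server")
        return sid, check_domain

    def forward_query(self, req: AuthInfoQuery) -> Optional[AuthInfoResponse]:
        """Claims 5/6: relay through the authorization port (assumed: registered senders only)."""
        if req.first_server_id not in self.check_domains:
            return None
        return self._authorization_port(req)

    def _authorization_port(self, req: AuthInfoQuery) -> Optional[AuthInfoResponse]:
        return self._third.query(req)


class FirstServer:
    """Private cloud server that handles the terminal's authentication request."""

    def __init__(self, addr: str, second: SecondServer):
        self.addr = addr
        self._second = second
        self.server_id, self.check_domain = second.register(addr)

    def handle_auth_request(self, user_info: str) -> dict:
        """Returns the first authentication response the access device relays to the terminal."""
        resp = self._second.forward_query(AuthInfoQuery(user_info, self.server_id))
        if resp is None:
            # Claim 3: no first authentication information response -> report authentication failure
            return {"user": user_info, "result": "failure", "reason": "no response"}
        record = resp.user_auth_info
        # Validity authentication is assumed: a matched record flagged as verified passes.
        if not record or not record.get("verified"):
            return {"user": user_info, "result": "failure", "reason": "no verified real-name record"}
        return {"user": user_info, "result": "success", "real_name": record["real_name"]}


def build_demo():
    """Constructed sample deployment: one first, one second and one third server."""
    third = ThirdServer({
        "user-alice": {"real_name": "Alice Example", "verified": True},
        "user-bob": {"real_name": "Bob Example", "verified": False},
    })
    second = SecondServer("portal.example.net", third)
    first = FirstServer("10.0.0.1", second)
    return first, second, third


if __name__ == "__main__":
    first, second, third = build_demo()
    print(first.check_domain)                        # fs1.portal.example.net
    print(first.handle_auth_request("user-alice"))   # success
    print(first.handle_auth_request("user-carol"))   # failure: no matching record
    third.online = False
    print(first.handle_auth_request("user-alice"))   # failure: no response (claim 3)
```

The point of the model is the failure handling rather than the happy path: the first server never grants access on a missing or unverified record, and an absent response from the public cloud side degrades to an explicit authentication failure instead of a hang or an implicit allow.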
CN201910384008.5A 2019-05-09 2019-05-09 Portal authentication method and device Active CN110198540B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910384008.5A CN110198540B (en) 2019-05-09 2019-05-09 Portal authentication method and device

Publications (2)

Publication Number Publication Date
CN110198540A CN110198540A (en) 2019-09-03
CN110198540B true CN110198540B (en) 2022-05-24

Family

ID=67752664

Country Status (1)

Country Link
CN (1) CN110198540B (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111125567B (en) * 2019-12-23 2024-02-27 五八有限公司 Equipment marking method, device, electronic equipment and storage medium
KR20230045025A (en) * 2020-07-31 2023-04-04 광동 오포 모바일 텔레커뮤니케이션즈 코포레이션 리미티드 Device access authentication method, terminal device and cloud platform

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103401884A (en) * 2013-08-16 2013-11-20 深信服网络科技(深圳)有限公司 Authentication method and system for public wireless environment Internet access based on micro message
CN106209912A (en) * 2016-08-30 2016-12-07 迈普通信技术股份有限公司 Access authorization methods, device and system
CN106559405A (en) * 2015-09-30 2017-04-05 华为技术有限公司 A kind of portal authentication method and equipment

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
BRPI0519861A2 (en) * 2005-01-28 2009-03-24 Ericsson Telefon Ab L M methods for authenticating a client, and for operating authentication server within a communications system, authentication server, method for operating a client coupled to a communication network, client terminal, and method for authenticating user equipment

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
TR01 Transfer of patent right

Effective date of registration: 20230625

Address after: 310052 11th Floor, 466 Changhe Road, Binjiang District, Hangzhou City, Zhejiang Province

Patentee after: H3C INFORMATION TECHNOLOGY Co.,Ltd.

Address before: 310052 Changhe Road, Binjiang District, Hangzhou, Zhejiang Province, No. 466

Patentee before: NEW H3C TECHNOLOGIES Co.,Ltd.