CN115442136A - Application system access method and device - Google Patents
Application system access method and device Download PDFInfo
- Publication number
- CN115442136A CN115442136A CN202211070849.7A CN202211070849A CN115442136A CN 115442136 A CN115442136 A CN 115442136A CN 202211070849 A CN202211070849 A CN 202211070849A CN 115442136 A CN115442136 A CN 115442136A
- Authority
- CN
- China
- Prior art keywords
- client
- application system
- accessed
- access
- bill
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
Images
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/04—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
- H04L63/0428—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/10—Network architectures or network communication protocols for network security for controlling access to devices or network resources
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Storage Device Security (AREA)
Abstract
The invention discloses an application system access method and a device, which relate to the technical field of network security, wherein the method comprises the following steps: receiving an authorization request sent by a client, wherein the authorization request comprises client identity information, a client IP address and an identifier of an application system to be accessed; according to a plurality of pre-stored client identity information, performing identity authentication on the client identity information in the authorization request; after the identity authentication is passed, generating a first bill for accessing the application system to be accessed according to the client identity information, the client IP address and the identification of the application system to be accessed; encrypting the first bill to obtain an authorization code uniquely corresponding to the first bill; and sending the authorization code to the client so that the client can access the application system to be accessed through the authorization code. The invention can improve the identity authentication and authorization efficiency when the application system accesses.
Description
Technical Field
The invention relates to the technical field of network security, in particular to an application system access method and device.
Background
This section is intended to provide a background or context to the embodiments of the invention that are recited in the claims. The description herein is not admitted to be prior art by inclusion in this section.
At present, in a service scenario, if a client needs to access a certain application system, the client needs to be authenticated by an identity authentication system first, and then can access the application system only after being authorized by the identity authentication system. For example, a mobile banking APP authenticates a user name and a password in an identity authentication system, and after the authentication is passed, authorization is obtained from a file uploading and downloading module, and then file uploading and downloading can be performed. The authentication and authorization efficiency of the access mode is low, and when the application system is subject to a large amount of accesses, the client cannot give timely feedback, so that poor experience is brought to the client.
Disclosure of Invention
The embodiment of the invention provides an application system access method, which is used for improving the identity authentication and authorization efficiency during the access of an application system and improving the customer experience, and comprises the following steps:
receiving an authorization request sent by a client, wherein the authorization request comprises client identity information, a client IP address and an identifier of an application system to be accessed;
according to a plurality of pre-stored client identity information, performing identity authentication on the client identity information in the authorization request;
after the identity authentication is passed, generating a first bill for accessing the application system to be accessed according to the client identity information, the client IP address and the identification of the application system to be accessed in the authorization request;
encrypting the first bill to obtain an authorization code uniquely corresponding to the first bill;
and sending the authorization code to the client so that the client can access the application system to be accessed through the authorization code.
The embodiment of the invention also provides an application system access device, which is used for improving the identity authentication and authorization efficiency when the application system is accessed and improving the customer experience, and the device comprises:
the system comprises a receiving module, a sending module and a receiving module, wherein the receiving module is used for receiving an authorization request sent by a client, and the authorization request comprises client identity information, a client IP address and an identifier of an application system to be accessed;
the identity authentication module is used for performing identity authentication on the client identity information in the authorization request according to a plurality of pre-stored client identity information;
the bill generating module is used for generating a first bill for accessing the application system to be accessed according to the client identity information, the client IP address and the identification of the application system to be accessed in the authorization request after the identity authentication is passed;
the authorization code generation module is used for encrypting the first bill to obtain an authorization code uniquely corresponding to the first bill;
and the sending module is used for sending the authorization code to the client so that the client can access the application system to be accessed through the authorization code.
The embodiment of the invention also provides computer equipment which comprises a memory, a processor and a computer program which is stored on the memory and can run on the processor, wherein the processor realizes the application system access method when executing the computer program.
An embodiment of the present invention further provides a computer-readable storage medium, where a computer program is stored, and when the computer program is executed by a processor, the application system access method is implemented.
An embodiment of the present invention further provides a computer program product, where the computer program product includes a computer program, and when the computer program is executed by a processor, the application system access method is implemented.
In the embodiment of the invention, an authorization request sent by a client is received, wherein the authorization request comprises client identity information, a client IP address and an identifier of an application system to be accessed; according to a plurality of pre-stored client identity information, performing identity authentication on the client identity information in the authorization request; after the identity authentication is passed, generating a first bill for accessing the application system to be accessed according to the client identity information, the client IP address and the identification of the application system to be accessed in the authorization request; encrypting the first bill to obtain an authorization code uniquely corresponding to the first bill; and sending the authorization code to the client so that the client can access the application system to be accessed through the authorization code. Compared with the prior technical scheme that different systems respectively perform identity authentication and authorization during access of the application system, the identity of the client is authenticated through the same system, after the identity authentication is passed, a bill only used for accessing the application system to be accessed is generated, the bill is converted into an authorization code and is sent to the client, and the client can access the application system to be accessed through the authorization code, so that the identity authentication and authorization efficiency of the application system can be improved, and the user experience is improved.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, it is obvious that the drawings in the following description are only some embodiments of the present invention, and for those skilled in the art, other drawings can be obtained according to the drawings without creative efforts. In the drawings:
fig. 1 is a flowchart of an application system access method provided in an embodiment of the present invention;
fig. 2 is a flowchart of an access verification method when an application system to be accessed is accessed through an authorization code according to an embodiment of the present invention;
fig. 3 is a flowchart of access by using an application system access method according to an embodiment of the present invention;
fig. 4 is a schematic diagram of an application system access device provided in an embodiment of the present invention;
fig. 5 is a schematic diagram of a computer device provided in an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present invention more apparent, the embodiments of the present invention are further described in detail below with reference to the accompanying drawings. The exemplary embodiments and descriptions of the present invention are provided to explain the present invention, but not to limit the present invention.
In the description of the present specification, the terms "comprising," "including," "having," "containing," and the like are used in an open-ended fashion, i.e., to mean including, but not limited to. Reference to the description of the terms "one embodiment," "a particular embodiment," "some embodiments," "for example," etc., means that a particular feature, structure, or characteristic described in connection with the embodiment or example is included in at least one embodiment or example of the application. In this specification, the schematic representations of the terms used above do not necessarily refer to the same embodiment or example. Furthermore, the particular features, structures, or characteristics described may be combined in any suitable manner in any one or more embodiments or examples. The sequence of steps involved in the embodiments is for illustrative purposes to illustrate the implementation of the present application, and the sequence of steps is not limited and can be adjusted as needed.
Research shows that in a service scene, if a client needs to access a certain application system, the client needs to be authenticated by an identity authentication system and then can access the application system only after being authorized by the application system. Specifically, the front-end system a generally accesses the service of the application system C only when the authentication performed by the authentication system B is successful and the authorization permission of the application system C is obtained. In the access mode, different systems respectively perform identity authentication and authorization, so that the authentication and authorization efficiency is low, and when an application system faces a large amount of access, the application system cannot give timely feedback to a client, thereby bringing poor experience to the client.
In view of the above research, the embodiment of the present invention provides a solution that can integrate identity authentication and access authorization.
As shown in fig. 1, a flowchart of an application system access method provided in an embodiment of the present invention may include the following steps:
102, performing identity authentication on the client identity information in the authorization request according to a plurality of pieces of client identity information stored in advance;
103, after the identity authentication is passed, generating a first bill for accessing the application system to be accessed according to the client identity information, the client IP address and the identification of the application system to be accessed in the authorization request;
and 105, sending the authorization code to the client so that the client can access the application system to be accessed through the authorization code.
In the embodiment of the invention, an authorization request sent by a client is received, wherein the authorization request comprises client identity information, a client IP address and an identifier of an application system to be accessed; according to a plurality of pre-stored client identity information, performing identity authentication on the client identity information in the authorization request; after the identity authentication is passed, generating a first bill for accessing the application system to be accessed according to the client identity information, the client IP address and the identification of the application system to be accessed in the authorization request; encrypting the first bill to obtain an authorization code uniquely corresponding to the first bill; and sending the authorization code to the client so that the client can access the application system to be accessed through the authorization code. Compared with the prior technical scheme that different systems respectively perform identity authentication and authorization during access of the application system, the identity of the client is authenticated through the same system, after the identity authentication is passed, a bill only used for accessing the application system to be accessed is generated, the bill is converted into an authorization code and is sent to the client, and the client can access the application system to be accessed through the authorization code, so that the identity authentication and authorization efficiency of the application system can be improved, and the client experience is improved.
The application system access method can be applied to an application system T which provides identity authentication and access authorization at the same time, and the application system T manages all client identity information.
For the step 101, the client may be a client corresponding to a service consumer, and the service consumer may be a user, a process, or an application system requesting access. Accordingly, the client identity information may be an element provided by the service consumer for representing the identity of the service consumer, for example, the element of the identity of the service consumer may be: a username (identification of the process or application requesting access) and password, a user fingerprint, a user iris, etc.
As for the step 102, the application system T may obtain the client identity information corresponding to the client identity information in the authorization request from the pre-stored plurality of client identity information, compare the client identity information and the client identity information, and if the identity information is consistent, indicate that the identity authentication is passed.
For step 103, after the identity authentication is passed, a first ticket which can only be used for accessing the application system to be accessed may be generated according to the client identity information, the client IP address, and the identifier of the application system to be accessed in the authorization request through a preset ticket generating algorithm.
In specific implementation, the bill generation algorithm may adopt cryptographic algorithms such as HMAC and AES.
In the embodiment of the present invention, in order to further improve security during access, after generating the first ticket for accessing the application system to be accessed, the method may further include:
and setting the validity period information of the first bill.
In particular, the validity period information of the first ticket may include time range information that the first ticket may be used, or number information that the first ticket may be used, and the like. For example, the expiration information of the first ticket may be valid for a long period of time, or for one time.
To protect the security of the ticket, an authorization code corresponding to the first ticket may be replaced with the first ticket in step 104. Specifically, an encryption key is generated, and the first ticket is encrypted by using the encryption key to obtain an authorization code uniquely corresponding to the first ticket. The application system T stores the association of the encryption key and the authorization code. Wherein different first tickets correspond to different encryption keys.
Meanwhile, after the authorization code is generated, the client and the application system to be accessed are mutually trusted systems, and the application system T can also store the mutually trusted relationship between the client and the application system to be accessed.
For the step 105, the authorization code is sent to the client, so that the client accesses the application system to be accessed through the authorization code.
In summary, the application system T has the function of performing both identity authentication and authorized access to the application system to be accessed.
As shown in fig. 2, a flowchart of an access verification method for accessing an application system to be accessed through an authorization code according to an embodiment of the present invention is provided, where the method includes the following steps:
and step 204, if the second ticket is consistent with the first ticket corresponding to the authorization code and the validity period information of the first ticket is not invalid, sending indication information allowing access to the application system to be accessed.
Aiming at the step 201, the service consumer initiates an access request to the application system to be accessed through the client corresponding to the service consumer. The access request may carry an authorization code, client identity information, and a client IP address.
After receiving the access request, the application system to be accessed needs to send the identifier of the application system to be accessed, the authorization code in the access request sent by the client, the client identity information, and the client IP address to the application system T for access verification, that is, the application system T receives the access verification request sent by the application system to be accessed.
For step 202, the application system T first generates a second ticket according to the identifier of the application system to be accessed sent by the application system to be accessed, the client identity information and the client IP address carried in the access request, through a preset ticket generating algorithm (the same as the ticket generating algorithm for generating the first ticket).
For step 203, the second ticket may be compared with the first ticket corresponding to the authorization code, so as to verify the consistency of the tickets.
In this embodiment of the present invention, because the authorization code is obtained after encrypting the first ticket, in this embodiment of the present invention, before step 203, the method may further include:
and decrypting the authorization code to obtain the first bill corresponding to the authorization code.
In specific implementation, according to the association relationship between the encryption key stored in the application system T and the authorization code, the authorization code is decrypted by using the encryption key associated with the authorization code, and the first ticket corresponding to the authorization code is obtained.
For the above step 204, if the second ticket is identical to the first ticket corresponding to the authorization code and the validity period information of the first ticket is not invalid, it indicates that the authorization code is verified to be passed, and the application system T may send the indication information of allowing access to the application system to be accessed.
In the embodiment of the present invention, in order to further implement protection of resources in an application system to be accessed, the indication information may include access control information, and the access control information may include resource information allowed to be accessed when the application system to be accessed is accessed, and validity period information for accessing the resource information;
the sending, by the application system T, the indication of permission to access to the application system to be accessed may include:
and sending the access control information to the application system to be accessed in the form of session control information so that the application system to be accessed verifies the authority of the client to access the resources of the application system to be accessed according to the session control information.
In specific implementation, after the authorization code uniquely corresponding to the first ticket is obtained in the application system T, a mapping relationship between the authorization code and the access control information of the application system may be further established and stored in the access control relationship table of the application system, so as to implement security control on information, such as resource information allowed to be accessed when accessing the application system to be accessed, and validity period information of the access resource information.
The resource information may include information such as a service and an interface in the application system to be accessed.
In specific implementation, when the application system T sends the indication information including the access control information to the application system to be accessed, the indication information may be sent in the form of session control information.
Wherein, the form of the session control information refers to session.
It should be noted that session is a server session technology, and means that a client sends a request to a server resource for the first time, and a session is established until one party disconnects. The session is stored on the server, and when the client accesses the server, the server records the client information on the server in a certain form. When the client accesses again, the client state only needs to be searched from the session.
It can be understood that, in the embodiment of the present invention, the session is used to access a protected resource (i.e., resource information allowed to be accessed when accessing the application system to be accessed and validity period information of accessing the resource information), the session control information carries a session ID, the application system to be accessed sends the session ID to the client, and the client can access the application system to be accessed by carrying the session ID when accessing the application system for the second time, at this time, the application system T only checks the validity of the session corresponding to the session ID, and the above-mentioned complicated authentication and authorization procedures do not need to be repeated.
In order to more clearly understand the above application system access method, a specific example is described below.
Fig. 3 is a flowchart of access by using the above access method of the application system. As shown in fig. 3, the following steps may be included:
1. the service consumer (i.e. the client corresponding to the service consumer) requests the identity authentication/authorization from the identity authentication and authorization mutual trust system (i.e. the application system T) to apply for the authorization code.
In this step, the service consumer sends the client identity information, the client IP address and the identifier of the service providing system (i.e. the application system to be accessed) to the identity authentication and authorization mutual trust system.
2. The identity authentication authorization mutual trust system allows the request and returns an authorization code.
In the step, the identity authentication, authorization and mutual trust system performs identity authentication on the client identity information sent by the service consumer according to a plurality of pre-stored client identity information; after the authentication is passed, generating a bill (namely a first bill) only used for accessing the service providing system according to the client identity information, the client IP address and the identification of the service providing system sent by the service consumer; in order to protect the security of the bill, the bill is encrypted and replaced by an authorization code corresponding to the bill; an authorization code is returned to the service consumer.
3. The service consumer provides an authorization code to request service from the service providing system.
In this step, when accessing the service of the service providing system, the service consumer sends an authorization code, client identity information, and a client IP address to the service providing system.
4. The service providing system calls an identity authentication authorization mutual trust system to verify the authorization code request.
In this step, the service providing system sends the identifier of the service providing system, the authorization code sent by the service consumer, the client identity information and the client IP address to the identity authentication and authorization mutual trust system for verification.
The identity authentication authorization mutual trust system firstly generates a bill to be verified (namely a second bill) according to the identification of the service providing system, the client identity information and the client IP address; then, the bill to be verified is compared with the bill decrypted by the authorization code, if the comparison is consistent and the comparison is within the validity period, the verification is considered to be passed, at this time, a special session is issued to the service providing system for accessing the protected resource (the session includes the control of the validity period), a session ID is provided when the service consumer accesses next time (the complex flow is omitted), the validity of the session is verified by the identity authentication and authorization mutual trust system, and whether the corresponding service can be provided for the service consumer is judged.
5. And the identity authentication authorization mutual trust system returns a verification result.
6. And the service providing system provides services according to the verification result returned by the identity authentication and authorization mutual trust system.
To sum up, the embodiment of the present invention integrates identity authentication and access authorization into an application system, and the application system completes identity authentication, ticket generation, authorized access, ticket verification, etc., separates the responsibility for identity authentication and authorization from the responsibility for providing services, requests the system to issue and verify the authorization code in combination with the authorization code and the ticket, and performs access control on the protected application system resources by issuing the session.
In the technical scheme of the application, the data acquisition, storage, use, processing and the like all conform to relevant regulations of national laws and regulations
The embodiment of the present invention further provides an application system access apparatus, as described in the following embodiments. Because the principle of the device for solving the problems is similar to the application system access method, the implementation of the device can refer to the implementation of the application system access method, and repeated details are not repeated.
As shown in fig. 4, a schematic diagram of an application system access apparatus provided in an embodiment of the present invention, the apparatus may include:
a receiving module 401, configured to receive an authorization request sent by a client, where the authorization request includes client identity information, a client IP address, and an identifier of an application system to be accessed;
an identity authentication module 402, configured to perform identity authentication on the client identity information in the authorization request according to a plurality of pre-stored client identity information;
the ticket generating module 403 is configured to generate a first ticket for accessing the application system to be accessed according to the client identity information, the client IP address, and the identifier of the application system to be accessed in the authorization request after the identity authentication passes;
an authorization code generation module 404, configured to encrypt the first ticket to obtain an authorization code uniquely corresponding to the first ticket;
a sending module 405, configured to send the authorization code to the client, so that the client accesses the application system to be accessed through the authorization code.
In the embodiment of the present invention, the system may further include a validity period setting module, configured to, after the ticket generating module generates the first ticket for accessing the application system to be accessed according to the client identity information, the client IP address, and the identifier of the application system to be accessed in the authorization request:
and setting the validity period information of the first bill.
In this embodiment of the present invention, an access verification module may be further included, configured to:
after a client sends an access request to an application system to be accessed, receiving an access verification request sent by the application system to be accessed; the access verification request comprises an identifier of an application system to be accessed, and an authorization code, client identity information and a client IP address carried in the access request;
generating a second bill according to the identifier of the application system to be accessed, the client identity information and the client IP address carried in the access request;
comparing the second bill with the first bill corresponding to the authorization code;
and if the second bill is consistent with the first bill corresponding to the authorization code and the validity period information of the first bill is not invalid, sending indication information allowing access to the application system to be accessed.
In this embodiment of the present invention, the access verification module may be further configured to, before comparing the second ticket with the first ticket corresponding to the authorization code:
and decrypting the authorization code to obtain the first bill corresponding to the authorization code.
In this embodiment of the present invention, the indication information may include access control information, where the access control information may include resource information allowed to be accessed when accessing the application system to be accessed, and validity period information for accessing the resource information;
the access verification module may be further configured to:
and sending the access control information to the application system to be accessed in the form of session control information so that the application system to be accessed verifies the authority of the client to access the resources of the application system to be accessed according to the session control information.
An embodiment of the present invention further provides a computer device, as shown in fig. 5, which is a schematic diagram of the computer device in the embodiment of the present invention, where the computer device 500 includes a memory 510, a processor 520, and a computer program 530 stored in the memory 510 and capable of running on the processor 520, and when the processor 520 executes the computer program 530, the application system access method is implemented.
An embodiment of the present invention further provides a computer-readable storage medium, where a computer program is stored, and when the computer program is executed by a processor, the application system access method is implemented.
An embodiment of the present invention further provides a computer program product, where the computer program product includes a computer program, and when the computer program is executed by a processor, the application system access method is implemented.
In the embodiment of the invention, an authorization request sent by a client is received, wherein the authorization request comprises client identity information, a client IP address and an identifier of an application system to be accessed; according to a plurality of pieces of client identity information stored in advance, identity authentication is carried out on the client identity information in the authorization request; after the identity authentication is passed, generating a first bill for accessing the application system to be accessed according to the client identity information, the client IP address and the identification of the application system to be accessed in the authorization request; encrypting the first bill to obtain an authorization code uniquely corresponding to the first bill; and sending the authorization code to the client so that the client can access the application system to be accessed through the authorization code. Compared with the prior technical scheme that different systems respectively perform identity authentication and authorization during access of the application system, the identity of the client is authenticated through the same system, after the identity authentication is passed, a bill only used for accessing the application system to be accessed is generated, the bill is converted into an authorization code and is sent to the client, and the client can access the application system to be accessed through the authorization code, so that the identity authentication and authorization efficiency of the application system can be improved, and the user experience is improved.
As will be appreciated by one skilled in the art, embodiments of the present invention may be provided as a method, system, or computer program product. Accordingly, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present invention may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present invention is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the invention. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
The above-mentioned embodiments are intended to illustrate the objects, technical solutions and advantages of the present invention in further detail, and it should be understood that the above-mentioned embodiments are only exemplary embodiments of the present invention, and are not intended to limit the scope of the present invention, and any modifications, equivalent substitutions, improvements and the like made within the spirit and principle of the present invention should be included in the scope of the present invention.
Claims (13)
1. An application system access method, comprising:
receiving an authorization request sent by a client, wherein the authorization request comprises client identity information, a client IP address and an identifier of an application system to be accessed;
according to a plurality of pieces of client identity information stored in advance, identity authentication is carried out on the client identity information in the authorization request;
after the identity authentication is passed, generating a first bill for accessing the application system to be accessed according to the client identity information, the client IP address and the identification of the application system to be accessed in the authorization request;
encrypting the first bill to obtain an authorization code uniquely corresponding to the first bill;
and sending the authorization code to the client so that the client can access the application system to be accessed through the authorization code.
2. The method of claim 1, wherein after generating the first ticket for accessing the application system to be accessed according to the client identity information, the client IP address, and the identifier of the application system to be accessed in the authorization request, the method further comprises:
and setting validity period information of the first bill.
3. The method of claim 2, further comprising:
after a client sends an access request to an application system to be accessed, receiving an access verification request sent by the application system to be accessed; the access verification request comprises an identifier of an application system to be accessed, and an authorization code, client identity information and a client IP address carried in the access request;
generating a second bill according to the identifier of the application system to be accessed, the client identity information and the client IP address carried in the access request;
comparing the second bill with the first bill corresponding to the authorization code;
and if the second bill is consistent with the first bill corresponding to the authorization code and the validity period information of the first bill is not invalid, sending indication information allowing access to the application system to be accessed.
4. The method of claim 3, wherein prior to comparing the second ticket to the first ticket corresponding to the authorization code, further comprising:
and decrypting the authorization code to obtain the first bill corresponding to the authorization code.
5. The method according to claim 3, wherein the indication information includes access control information including resource information that is allowed to be accessed when accessing the application system to be accessed, and validity period information for accessing the resource information;
sending the indication information of access permission to the application system to be accessed, including:
and sending the access control information to the application system to be accessed in the form of session control information so that the application system to be accessed verifies the authority of the client to access the resources of the application system to be accessed according to the session control information.
6. An application system access apparatus, comprising:
the system comprises a receiving module, a sending module and a receiving module, wherein the receiving module is used for receiving an authorization request sent by a client, and the authorization request comprises client identity information, a client IP address and an identifier of an application system to be accessed;
the identity authentication module is used for performing identity authentication on the client identity information in the authorization request according to a plurality of pre-stored client identity information;
the bill generating module is used for generating a first bill for accessing the application system to be accessed according to the client identity information, the client IP address and the identification of the application system to be accessed in the authorization request after the identity authentication is passed;
the authorization code generation module is used for encrypting the first bill to obtain an authorization code uniquely corresponding to the first bill;
and the sending module is used for sending the authorization code to the client so that the client can access the application system to be accessed through the authorization code.
7. The apparatus of claim 6, further comprising a validity period setting module, configured to, after the ticket generating module generates the first ticket for accessing the application system to be accessed according to the client identity information, the client IP address, and the identification of the application system to be accessed in the authorization request:
and setting the validity period information of the first bill.
8. The apparatus of claim 7, further comprising an access validation module to:
after a client sends an access request to an application system to be accessed, receiving an access verification request sent by the application system to be accessed; the access verification request comprises an identifier of an application system to be accessed, and an authorization code, client identity information and a client IP address carried in the access request;
generating a second bill according to the identifier of the application system to be accessed, the client identity information and the client IP address carried in the access request;
comparing the second bill with the first bill corresponding to the authorization code;
and if the second bill is consistent with the first bill corresponding to the authorization code and the validity period information of the first bill is not invalid, sending indication information allowing access to the application system to be accessed.
9. The apparatus of claim 8, wherein the access validation module is further configured to, prior to comparing the second ticket to the first ticket corresponding to the authorization code:
and decrypting the authorization code to obtain the first bill corresponding to the authorization code.
10. The apparatus of claim 8, wherein the indication information includes access control information, the access control information including resource information that is allowed to be accessed when accessing an application to be accessed, and validity period information for accessing the resource information;
an access validation module further to:
and sending the access control information to the application system to be accessed in the form of session control information so that the application system to be accessed verifies the authority of the client to access the resources of the application system to be accessed according to the session control information.
11. A computer device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, wherein the processor implements the method of any one of claims 1 to 5 when executing the computer program.
12. A computer-readable storage medium, characterized in that it stores a computer program which, when executed by a processor, implements the method of any one of claims 1 to 5.
13. A computer program product, characterized in that the computer program product comprises a computer program which, when being executed by a processor, carries out the method of any one of claims 1 to 5.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202211070849.7A CN115442136A (en) | 2022-09-02 | 2022-09-02 | Application system access method and device |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202211070849.7A CN115442136A (en) | 2022-09-02 | 2022-09-02 | Application system access method and device |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN115442136A true CN115442136A (en) | 2022-12-06 |
Family
ID=84248122
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202211070849.7A Pending CN115442136A (en) | 2022-09-02 | 2022-09-02 | Application system access method and device |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN115442136A (en) |
-
2022
- 2022-09-02 CN CN202211070849.7A patent/CN115442136A/en active Pending
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| US11799656B2 (en) | Security authentication method and device | |
| CN107743133B (en) | Mobile terminal and access control method and system based on trusted security environment | |
| CN109005155B (en) | Identity authentication method and device | |
| CN110784491A (en) | Internet of things safety management system | |
| CN110990827A (en) | Identity information verification method, server and storage medium | |
| US20200412554A1 (en) | Id as service based on blockchain | |
| CN103236931B (en) | A kind of auth method based on TPM and system and relevant device | |
| CN111625829A (en) | Application activation method and device based on trusted execution environment | |
| CN111800378B (en) | Login authentication method, device, system and storage medium | |
| WO2012067847A1 (en) | System and method for end to end encryption | |
| KR101817152B1 (en) | Method for providing trusted right information, method for issuing user credential including trusted right information, and method for obtaining user credential | |
| CN107920052B (en) | Encryption method and intelligent device | |
| US11526596B2 (en) | Remote processing of credential requests | |
| CN111401901B (en) | Authentication method and device of biological payment device, computer device and storage medium | |
| KR20210095093A (en) | Method for providing authentification service by using decentralized identity and server using the same | |
| US20220417028A1 (en) | Methods, Systems, and Devices for Server Control of Client Authorization Proof of Possession | |
| CN106936588A (en) | A kind of trustship method, the apparatus and system of hardware controls lock | |
| CN113572791B (en) | Video Internet of things big data encryption service method, system and device | |
| CN115277168A (en) | Method, device and system for accessing server | |
| CN111770087A (en) | Service node verification method and related equipment | |
| CN115065542A (en) | Permission verification method and device, processor and electronic equipment | |
| KR102372503B1 (en) | Method for providing authentification service by using decentralized identity and server using the same | |
| JPH05298174A (en) | Remote file access system | |
| CN111131160A (en) | User, service and data authentication system | |
| CN115795446A (en) | Method for processing data in trusted computing platform and management device |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination |