TW201438451A - Authentication method and system for backend service integration by proxy server - Google Patents
Authentication method and system for backend service integration by proxy server Download PDFInfo
- Publication number
- TW201438451A TW201438451A TW102109438A TW102109438A TW201438451A TW 201438451 A TW201438451 A TW 201438451A TW 102109438 A TW102109438 A TW 102109438A TW 102109438 A TW102109438 A TW 102109438A TW 201438451 A TW201438451 A TW 201438451A
- Authority
- TW
- Taiwan
- Prior art keywords
- authentication
- terminal device
- application system
- application
- proxy
- Prior art date
Links
Landscapes
- Information Transfer Between Computers (AREA)
- Computer And Data Communications (AREA)
Abstract
Description
本發明係關於一種服務認證之方法與系統,特別係一種以代理伺服整合後端服務認證之方法與系統。 The present invention relates to a method and system for service authentication, and in particular to a method and system for proxy server integration backend service authentication.
電子化服務普及後,組織常建立諸多應用系統,各應用系統都有其身分驗證機制,造成在使用不同的應用系統時,必須不斷進行身分驗證,其重複性的登入步驟,非常麻煩。因此,單一簽入(Single Sign On,SSO)理念因應而生,透過身分驗證機制的集中管理,讓終端裝置只需通過一次身分驗證,就能登入使用經整合後的各個應用系統,不再需要重複登入,能大幅提高應用系統操作的便利性。但單一簽入的本質是在協助使用者端進行多個應用系統之帳號密碼管理,其作法多係透過單一簽入系統預先記錄應用系統的帳號密碼,如單一登入管理方法及系統(台灣公開號:201209625),其作法係由一單一簽入系統預先編輯各應用系統的登入網址及該網址的登入認證信息資料,並於使用者端的使用者介面生成關聯至該認證信息資料的快捷鍵,使用者端僅需觸發該快捷鍵,該單一簽入系統即可自動依據與該快捷鍵所關聯到的應用系統登入網址及該網址的登入認證信息資料,提供使用者端自動登入該應用系統。但此作法必須在使用者端有取得應用系統帳號密碼的情況下才能進行,並且單一簽入系統亦必須將使用者端登入應用系統的帳號密碼紀 錄於該單一簽入系統中。 After the popularization of electronic services, organizations often establish a variety of application systems. Each application system has its own identity verification mechanism, which makes it necessary to continuously perform identity verification when using different application systems. The repetitive login procedure is very troublesome. Therefore, the concept of Single Sign On (SSO) is born. Through the centralized management of the identity verification mechanism, the terminal device can log in and use the integrated application system with one identity verification. Repeated login can greatly improve the convenience of the application system. However, the essence of a single check-in is to assist the user to perform account password management for multiple application systems. The method is to pre-record the account password of the application system through a single check-in system, such as a single login management method and system (Taiwan Public No. :201209625), the method is to pre-edit the login URL of each application system and the login authentication information data of the website by a single check-in system, and generate a shortcut key associated with the authentication information data on the user interface of the user end, and use The user only needs to trigger the shortcut key, and the single check-in system can automatically provide the user to automatically log in to the application system according to the application login URL associated with the shortcut key and the login authentication information of the website. However, this method must be performed only when the user has obtained the password of the application system account, and the single sign-in system must also log the user account to the account password of the application system. Recorded in this single check-in system.
於使用者端終端裝置安裝帳號密碼管理程式亦是簡化使用者端身分驗證的常用方法,如管理網站登入資訊之系統與方法(台灣專利公告號:567427),於使用者端安裝一應用程式,該應用程式可以儲存管理使用者端登入網站的登入資訊,當使用者端欲連線登入網站時,則該應用程式可以透過所儲存的登入資訊自動登入網站。但此作法的缺點在於使用者端必須安裝應用程式,當使用者端終端裝置升級或更換時,應用程式必須重新安裝,而且,此作法缺乏對角色權限控管,應用程式只是儲存管理使用者登入資訊,並提供快速登入網站功能,卻無法依不同的使用者端提供登入網站的不同權限以做進一步管理。 Installing the account password management program on the user terminal device is also a common method for simplifying user identity verification, such as a system and method for managing website login information (Taiwan Patent Publication No.: 567427), and installing an application on the user side. The application can store the login information of the user's login website. When the user wants to connect to the website, the application can automatically log in to the website through the stored login information. However, the disadvantage of this method is that the application must be installed on the user side. When the user terminal device is upgraded or replaced, the application must be reinstalled. Moreover, this method lacks the role permission control, and the application only stores the management user login. Information, and provide quick access to the website function, but can not provide different permissions to log in to the website for different users to further manage.
另外,現行使用服務代理系統簡化身分驗證的方法,如路徑映射整合網路之服務代理系統(台灣專利公告號:I271973),該服務代理系統提供一單一入口對外服務,並根據一個事先定義的表格,在表格內定義出路徑與資源(網址)的關係,當使用者端連線要求服務時,則服務代理系統會根據表格的定義,代理向後端資源提出服務要求,在取得回應的內容後,再將內容傳送給使用者端。此作法主要係透過對網路工作狀態(Session)的管理而達成整合服務與身分驗證的目的,由服務代理系統與後端資源建立Session,且服務代理系統亦與使用者端建立Session,透過兩Session互相關連達到身分關證的目的,但服務代理系統可與後端資源建立Session的基礎是源自後端資源信任來自服務代理系統的連線,否則使用者端必須透過服務代理系統於後端應用系統再進行認證。 In addition, the current use of the service agent system to simplify the method of identity verification, such as the path mapping integrated network service agent system (Taiwan Patent Bulletin No.: I271973), the service agent system provides a single entry to the external service, and according to a pre-defined form Define the relationship between the path and the resource (URL) in the form. When the user terminal requests the service, the service agent system will provide the service request to the backend resource according to the definition of the form. After obtaining the content of the response, The content is then delivered to the user. This method mainly achieves the purpose of integration service and identity verification through the management of the network working state (Session). The service agent system establishes a session with the back-end resource, and the service agent system also establishes a session with the user end, through two The session inter-related connection achieves the purpose of identity certification, but the service agent system can establish a session with the back-end resources based on the connection from the back-end resources to trust the connection from the service proxy system. Otherwise, the client must pass the service proxy system to the back-end. The application system is then certified.
綜上所述,透過單一簽入系統預先紀錄應用系統的帳號密碼,則必須在使用者端有取得應用系統帳號密碼的情況下才能進行;於使用者端終端裝置安裝帳號密碼管理程 式之作法,於使用者端必須安裝應用程式,且缺乏對角色權限控管;現行服務代理系統多以使用路徑映射整合網站方式完成代理身分驗證,其認證處理之技術係透過Session管理達成,且必須建立在後端資源信任來自服務代理系統的連線的基礎上。 In summary, the account password of the application system is recorded in advance through a single check-in system, and the user must obtain the password of the application system account; the account password management process is installed on the user terminal device. In the case of the application, the application must be installed on the user side, and the role permission control is lacking; the current service agent system uses the path mapping integration website to complete the agent identity verification, and the technology of the authentication process is achieved through the session management, and Must be based on the connection of the backend resource trust from the service proxy system.
有鑑於上述舊有習知技術之諸多缺點,乃亟思加以改良創新,並基於對資訊系統演進的了解,經過縝密的資料研蒐、評估考量、測試驗證與改良,終於成功研發完成本發明「以代理伺服整合後端服務認證之方法與系統」。 In view of the many shortcomings of the above-mentioned old and well-known technologies, Nai Si has made improvements and innovations, and based on the understanding of the evolution of information systems, after careful data research, evaluation considerations, test verification and improvement, the invention has finally been successfully developed. Method and system for proxy server integration for back-end service authentication."
本發明之目的在提供一種以代理伺服整合後端服務認證之方法與系統,其透過一代理伺服系統提供一終端裝置自動登入一應用系統,使得該終端裝置經本發明之代理伺服整合後端服務認證系統認證後,即可連線該應用系統,並可保持登入狀態,且該終端裝置毋須另外進行帳號密碼登入驗證也毋須取得該應用系統的帳號密碼。 The object of the present invention is to provide a method and system for proxy server integrated backend service authentication, which provides a terminal device to automatically log in to an application system through a proxy servo system, so that the terminal device is authenticated by the proxy server of the present invention. After the system is authenticated, the application system can be connected and the login status can be maintained, and the terminal device does not need to perform additional account password login verification, and the account password of the application system is not required.
根據本發明之一目的係提供一種以代理伺服整合後端服務認證之系統,用以提供一終端裝置自動登入一應用系統,其包括一映射轉址管理模組、一帳號對映管理模組、一應用系統登入網址管理模組、一自動登入模組、以及一過濾包裝模組;其中該映射轉址管理模組,用以管理一映射轉址資料,並儲存於一映射轉址資料庫;該帳號對映管理模組,用以管理該終端裝置登入該應用系統之帳號密碼資料與角色權限,並儲存於一網址與帳號對映資料庫;該應用系統登入網址管理模組,用以管理一應用系統登入網址,並儲存於該網址與帳號對映資料庫;該自動登入模組,用以認證該終端裝置,並提供該終端裝置認證登入與連線該應用系統;該過濾包裝模組用以接收該終端裝置透過通訊協定請求連線該應 用系統之一請求訊息,並依該請求訊息讀取映射轉址資料庫資料及呼叫該自動登入模組進行處理,並將請求訊息之處理結果回傳該終端裝置。 According to an aspect of the present invention, a system for proxy-based integrated back-end service authentication is provided for providing a terminal device to automatically log in to an application system, which includes a mapping and forwarding management module, an account mapping management module, An application system login URL management module, an automatic login module, and a filter packaging module; wherein the mapping forwarding management module is configured to manage a mapping address data and store the data in a mapping address database; The account mapping management module is configured to manage account password data and role rights of the terminal device to log in to the application system, and store the information in a website and account mapping database; the application system login URL management module is used to manage An application system login URL is stored in the website and the account mapping database; the automatic login module is used to authenticate the terminal device, and the terminal device is authenticated to log in and connect to the application system; the filter packaging module Used to receive the terminal device requesting connection through a communication protocol The system requests the message by one of the systems, and reads the mapping address database data according to the request message and calls the automatic login module for processing, and returns the processing result of the request message to the terminal device.
本發明之一種以代理伺服整合後端服務認證之系統,其作法是透過該過濾包裝模組接收該終端裝置透過通訊協定請求連線該應用系統之一請求訊息,並依請求訊息過濾分類並進行處理;當該過濾包裝模組接收到該請求訊息帶有一裝置認證憑證,則呼叫該自動登入模組進行認證登入該應用系統,則該自動登入模組將代理該終端裝置與該應用系統進行認證,於該網址與帳號對映資料庫讀取該終端裝置登入該應用系統之帳號密碼資料,並代理該終端裝置連線該應用系統進行認證,若認證通過則該自動登入模組取得該應用系統回傳之一應用系統認證憑證,由該過濾包裝模組將該應用系統認證憑證回傳該終端裝置,若認證失敗則產生認證失敗訊息,由該過濾包裝模組將認證失敗訊息回傳該終端裝置;當該過濾包裝模組接收到該請求訊息帶有該應用系統認證憑證,則依請求訊息查詢該映射轉址資料庫資料,以取得該終端裝置擬連線之該應用系統之實際網址,並將該終端裝置轉址連線該應用系統;當該過濾包裝模組接收到該請求訊息未帶有裝置認證憑證與應用系統認證憑證,則呼叫該自動登入模組進行終端裝置認證,若認證通過則產生該裝置認證憑證,由該過濾包裝模組將該裝置認證憑證回傳該終端裝置,若認證失敗則產生認證失敗訊息,由該過濾包裝模組將認證失敗訊息回傳該終端裝置。 A system for proxy-based integrated back-end service authentication according to the present invention is configured to receive, by the filter packaging module, the terminal device to request a message requested by one of the application systems through a communication protocol, and filter and classify according to the request message. Processing; when the filter package module receives the request message with a device authentication certificate, and calls the automatic login module to authenticate and log in to the application system, the automatic login module will authenticate the terminal device and the application system. The account and the account mapping database read the account password data of the terminal device login to the application system, and the terminal device is connected to the application system for authentication. If the authentication is passed, the automatic login module obtains the application system. Returning one of the application system authentication credentials, the application packaging system certificate is returned to the terminal device by the filter packaging module, and if the authentication fails, an authentication failure message is generated, and the filtering and packaging module returns the authentication failure message to the terminal. Device; when the filter package module receives the request message with the application system authentication And querying the mapping address database data according to the request message to obtain the actual website address of the application system to be connected to the terminal device, and connecting the terminal device to the application system; when the filter packaging module receives When the request message does not have the device authentication certificate and the application system authentication certificate, the automatic login module is called to perform terminal device authentication, and if the authentication is passed, the device authentication certificate is generated, and the device is authenticated by the filter packaging module. And transmitting the terminal device, if the authentication fails, generating an authentication failure message, and the filtering and packaging module returns the authentication failure message to the terminal device.
根據本發明之一目的所提供之一種以代理伺服整合後端服務認證之方法,其步驟為:該代理伺服系統接收該終端裝置透過通訊協定請求連線該應用系統之一請求訊息;當該請求訊息帶有一裝置認證憑證,該代理伺服系統則 代理該終端裝置與該應用系統進行認證,並將認證通過所取得之一應用系統認證憑證回傳該終端裝置,其中該終端裝置登入該應用系統之帳號密碼資料,以及該應用系統之登入網址均儲存於一網址與帳號對映資料庫;當該請求訊息未帶有該裝置認證憑證,該代理伺服系統進行該終端裝置認證,認證通過後則產生該裝置認證憑證並回傳該終端裝置。 A method for proxy back-end service authentication by proxy servo according to one aspect of the present invention, wherein the proxy servo system receives the request by the terminal device to connect to the application system through a communication protocol; when the request is The message carries a device authentication certificate, and the proxy servo system Representing the terminal device to perform authentication with the application system, and returning the authentication to the terminal device by using one of the obtained application system authentication credentials, wherein the terminal device logs in the account password data of the application system, and the login URL of the application system is The server is stored in a website and an account mapping database. When the request message does not have the device authentication certificate, the agent server performs the terminal device authentication. After the authentication is passed, the device authentication certificate is generated and the terminal device is returned.
其中,當該請求訊息帶有一裝置認證憑證時,該代理伺服系統代理該終端裝置與該應用系統進行認證並將認證通過所取得之應用系統認證憑證回傳該終端裝置之步驟改為:對於該終端裝置所請求連線之該應用系統,該代理伺服系統於該映射轉址資料庫讀取該應用系統之映射轉址資料;該代理伺服系統於該網址與帳號對映資料庫讀取該應用系統登入網址;若所讀取之該應用系統之映射轉址資料為該應用系統登入網址,則該代理伺服系統代理該終端裝置與該應用系統進行認證,並將認證通過所取得之應用系統認證憑證回傳該終端裝置;若所讀取之該應用系統之映射轉址資料不為該應用系統登入網址,則該代理伺服系統透過通訊協定將該終端裝置連線轉址至該應用系統網址,其中該應用系統映射轉址資料儲存於一映射轉址資料庫。 Wherein, when the request message carries a device authentication credential, the proxy server system authenticates the terminal device with the application system, and the step of returning the authentication through the obtained application system authentication credential to the terminal device is changed to: The application system that the terminal device requests to connect, the proxy servo system reads the mapping address data of the application system in the mapping address database; the proxy servo system reads the application in the website and the account mapping database a system login URL; if the mapped mapping information of the application system is the application login URL, the proxy server authenticates the terminal device and the application system, and authenticates the obtained application system authentication The voucher returns the terminal device; if the mapped mapping information of the application system is not the login URL of the application system, the proxy servo system forwards the terminal device to the application system URL through a communication protocol. The application system mapping forwarding data is stored in a mapping address database.
本發明所提供的一種以代理伺服整合後端服務認證之方法與系統,與現行的方法與系統相較,具備了以下優點: The method and system for proxy-server integrated back-end service authentication provided by the present invention have the following advantages compared with the current method and system:
1.本發明毋須於終端裝置安裝應用程式,終端裝置透過本發明連線應用系統,可輕易達到整合身份驗證之目的。 1. The present invention does not require an application to be installed in a terminal device, and the terminal device can easily achieve the purpose of integrated authentication through the connection application system of the present invention.
2.本發明統一管理各終端裝置使用應用系統之帳號密 碼,終端裝置毋須取得應用系統帳號密碼,本發明對服務提供者而言,可以迅速包裝新應用系統成為總體服務之一部分。 2. The present invention uniformly manages the account password of each terminal device using the application system The code terminal device does not need to obtain the application system account password. The present invention can quickly package the new application system as part of the overall service for the service provider.
3.本發明可依角色設定終端裝置使用應用系統,非常彈性,例如;依終端裝置帳號之屬性值邏輯關係對應應用系統之角色權限,讓多個同性質終端裝置帳號可使用應用系統的同一帳號進行應用系統操作,也可以是各個終端裝置帳號均擁有專屬的應用系統帳號,但擁有相同的應用系統角色權限。 3. The present invention can be used to set the terminal device to use the application system according to the role, which is very flexible. For example, according to the attribute value of the terminal device account, the logical relationship corresponds to the role permission of the application system, so that multiple accounts of the same nature terminal device can use the same account of the application system. For the application system operation, each terminal device account has a dedicated application system account, but has the same application system role rights.
100‧‧‧終端裝置 100‧‧‧ Terminal devices
200‧‧‧代理伺服整合後端服務認證之系統 200‧‧‧Agent Servo Integrated Backend Service Certification System
210‧‧‧過濾包裝模組 210‧‧‧Filter packaging module
220‧‧‧自動登入模組 220‧‧‧Automatic login module
230‧‧‧映射轉址管理模組 230‧‧‧Map Transfer Management Module
240‧‧‧帳號對映管理模組 240‧‧‧ account mapping management module
250‧‧‧應用系統登入網址管理模組 250‧‧‧Application Login URL Management Module
260‧‧‧映射轉址資料庫 260‧‧‧Map Transfer Database
270‧‧‧網址與帳號對映資料庫 270‧‧‧Website and account mapping database
300‧‧‧應用系統 300‧‧‧Application System
S401~S413‧‧‧代理伺服整合後端服務認證之方法之步驟流程 S401~S413‧‧‧Procedures for the method of proxy servo integration back-end service authentication
S501~S507‧‧‧代理伺服整合後端服務認證之方法之應用系統認證案例示意圖 Schematic diagram of application system certification for S501~S507‧‧‧ proxy servo integration back-end service authentication method
第1圖為本發明一種以代理伺服整合後端服務認證之系統架構圖。 FIG. 1 is a system architecture diagram of a proxy servo integration backend service authentication according to the present invention.
第2圖為本發明一種以代理伺服整合後端服務認證之方法步驟流程圖。 2 is a flow chart showing the steps of a method for proxy server integration backend service authentication according to the present invention.
第3圖為本發明一種以代理伺服整合後端服務認證之方法應用系統認證案例示意圖。 FIG. 3 is a schematic diagram of a method for applying system authentication by means of proxy servo integration backend service authentication according to the present invention.
本發明之目的在提供一種以代理伺服整合後端服務認證之方法與系統,用以提供一終端裝置自動登入一應用系統,使得該終端裝置經本發明之代理伺服整合後端服務認證系統認證後,即可連線該應用系統,並可保持登入狀態,且該終端裝置毋須另外進行帳號密碼登入驗證也毋須取得該應用系統的帳號密碼。 The object of the present invention is to provide a method and system for proxy server integrated backend service authentication, which is used to provide a terminal device to automatically log in to an application system, so that the terminal device is authenticated by the proxy servo integrated backend service authentication system of the present invention. The application system can be connected, and the login status can be maintained, and the terminal device does not need to perform additional account password login verification, and the account password of the application system is not required.
本發明之一實施例可參照第1圖之系統架構圖,本發明之目的在提供一種以代理伺服整合後端服務認證之系統200,其包括一過濾包裝模組210、一自動登入模組220、 一映射轉址管理模組230、一帳號對映管理模組240、以及一應用系統登入網址管理模組250;其中,該映射轉址管理模組230用以管理一映射轉址資料,並儲存於一映射轉址資料庫260;該帳號對映管理模組240用以管理該終端裝置100之帳號密碼資料、該終端裝置100登入該應用系統300之帳號密碼資料與角色權限,並儲存於一網址與帳號對映資料庫270;該應用系統登入網址管理模組250用以管理一應用系統登入網址,並儲存於該網址與帳號對映資料庫270;該自動登入模組220用以認證該終端裝置100,並提供該終端裝置100認證登入與連線該應用系統300;該過濾包裝模組210用以接收該終端裝置100透過通訊協定請求連線該應用系統300之一請求訊息,並依該請求訊息讀取映射轉址資料庫260資料及呼叫該自動登入模組220,並將請求回應結果回傳該終端裝置100;其中,該通訊協定可為超文件傳輸協定(Hyper Text Transfer Protocol,HTTP)、超文件傳輸安全協定(Hyper Text Transfer Protocol Security,HTTPS)或網際網路通訊協定。 An embodiment of the present invention can be referred to the system architecture diagram of FIG. 1. The purpose of the present invention is to provide a system 200 for proxy server integration backend service authentication, which includes a filter package module 210 and an automatic login module 220. , a mapping and forwarding management module 230, an account mapping management module 240, and an application system login URL management module 250; wherein the mapping and forwarding management module 230 is configured to manage a mapping address data and store The mapping mapping database 260 is configured to manage the account password data of the terminal device 100, the account password data and the role permission of the terminal device 100 to log in to the application system 300, and store the same in a a website and account mapping database 270; the application system login website management module 250 is configured to manage an application system login URL and stored in the website and account mapping database 270; the automatic login module 220 is configured to authenticate the The terminal device 100 provides the terminal device 100 for authenticating the login and connection to the application system 300. The filter package module 210 is configured to receive the request message from the terminal device 100 via the communication protocol to connect the application system 300. The request message reads the mapping address database 260 data and calls the automatic login module 220, and returns the request response result to the terminal device 100; wherein, the communication protocol Can be a HTTP (Hyper Text Transfer Protocol, HTTP), secure hypertext transfer protocol (Hyper Text Transfer Protocol Security, HTTPS) or Internet Protocol.
其中,該過濾包裝模組210包含一請求訊息分類處理單元以及一請求訊息結果回應單元,分別說明如下: The filter package module 210 includes a request message classification processing unit and a request message result response unit, which are respectively described as follows:
1.請求訊息分類處理單元:用以依請求訊息過濾分類並進行處理如下:該請求訊息分類處理單元於接收到該請求訊息帶有一裝置認證憑證,則呼叫該自動登入模組220進行認證登入該應用系統300;該請求訊息分類處理單元於接收到該請求訊息帶有一應用系統認證憑證,則依請求訊息查詢該映射轉址資料庫資料260,轉址連線該應用系統300;該請求訊息分類處理單元所接收到之請求訊息未帶有該裝置認證憑證與該應用系統認證憑證,則呼叫該自動登入模組220進行終端裝置100認證。 1. The request message classification processing unit is configured to filter the classification according to the request message and process the following: the request message classification processing unit receives the request message with a device authentication certificate, and then calls the automatic login module 220 to perform authentication and login. The application system 300; the request message classification processing unit receives the application message with an application system authentication certificate, queries the mapping address database data 260 according to the request message, and forwards the connection to the application system 300; the request message classification When the request message received by the processing unit does not carry the device authentication certificate and the application system authentication certificate, the automatic login module 220 is called to perform terminal device 100 authentication.
2.請求訊息結果回應單元:用以將該請求訊息之處理結果包裝為該回應結果訊息回傳該終端裝置100,其中該回應結果訊息可為裝置認證憑證、應用系統認證憑證、連線應用系統訊息或錯誤訊息。 The request message result response unit is configured to package the processing result of the request message into the response result message and send the message back to the terminal device 100, where the response result message may be a device authentication certificate, an application system authentication certificate, a connection application system. Message or error message.
其中,該自動登入模組220包含一裝置認證單元以及一應用系統認證登入單元,分別說明如下: The automatic login module 220 includes a device authentication unit and an application system authentication login unit, which are respectively described as follows:
1.裝置認證單元:用以認證該終端裝置100,其係輸出一裝置認證畫面提供該終端裝置進行身份驗證,並於該終端裝置認證通過後產生裝置認證憑證,由該過濾包裝模組210將該裝置認證憑證回傳該終端裝置100。 1. Device authentication unit: for authenticating the terminal device 100, which outputs a device authentication screen to provide the terminal device for identity verification, and generates device authentication credentials after the terminal device passes the authentication, and the filter package module 210 The device authentication certificate is transmitted back to the terminal device 100.
2.應用系統認證登入單元:用以代理該終端裝置100與該應用系統300進行認證,應用系統認證登入單元於該網址與帳號對映資料庫270讀取該終端裝置100登入該應用系統300之帳號密碼資料,並連線該應用系統300進行認證,應用系統認證登入單元於代理該終端裝置100通過該應用系統300認證後取得應用系統認證憑證,由該過濾包裝模組210將該應用系統認證憑證回傳該終端裝置100。 2. The application system authentication login unit is configured to authenticate the terminal device 100 and the application system 300, and the application system authentication login unit reads the terminal device 100 and logs into the application system 300 at the website and the account mapping database 270. The account password data is connected to the application system 300 for authentication. The application system authentication login unit obtains the application system authentication certificate after the terminal device 100 authenticates the application system 300, and the application package system is authenticated by the filter package module 210. The certificate is returned to the terminal device 100.
其中,該映射轉址管理模組230係輸出一映射轉址管理畫面,提供新增、修改、刪除該應用系統300之映射轉址資料,並儲存於該映射轉址資料庫260。 The mapping and forwarding management module 230 outputs a mapping and forwarding management screen, and adds, modifies, and deletes the mapping and forwarding data of the application system 300, and stores the mapping information in the mapping and forwarding database 260.
其中,該帳號對映管理模組240係輸出一應用系統帳號對映管理畫面,提供新增、修改、刪除該終端裝置100登入該應用系統300之角色權限與帳號密碼資料,並儲存於該網址與帳號對映資料庫270;其中,該帳號對映管理模組240提供依該終端裝置100之帳號屬性值設定該終端裝置100登入該應用系統300之角色權限之對應關係,使得不同的終端裝置若其終端裝置帳號屬性值邏輯相同,則擁有相同的角色權限。 The account mapping management module 240 outputs an application system account mapping management screen, and provides, adds, and deletes the role permission and account password information of the terminal device 100 to log in to the application system 300, and stores the password information in the website. And the account mapping database 270; wherein the account mapping management module 240 provides a correspondence between the role rights of the terminal device 100 to log in to the application system 300 according to the account attribute value of the terminal device 100, so that different terminal devices are enabled. If the terminal device account attribute values are logically the same, they have the same role rights.
其中,該應用系統登入網址管理模組250係輸出一應用系統登入網址管理畫面,提供新增、修改、刪除該應用系統登入網址,並儲存於該網址與帳號對映資料庫270。 The application login URL management module 250 outputs an application login URL management screen, and provides the addition, modification, and deletion of the application login URL, and stores the URL and the account mapping database 270.
本發明所提供的一種以代理伺服整合後端服務認證之方法,係透過一代理伺服系統提供一終端裝置自動登入一應用系統,其步驟流程圖可參照第2圖,其步驟如下:該代理伺服系統接收該終端裝置透過通訊協定請求連線該應用系統之一請求訊息S401;該代理伺服系統檢視該請求訊息是否帶有一裝置認證憑證S402,當該請求訊息帶有裝置認證憑證,該代理伺服系統則代理該終端裝置與該應用系統進行認證,其中該終端裝置登入該應用系統之帳號密碼資料,以及該應用系統之登入網址均儲存於一網址與帳號對映資料庫;當該請求訊息未帶有該裝置認證憑證,該代理伺服系統進行該終端裝置認證S412。 The method for proxy server integrated backend service authentication provided by the present invention provides a terminal device to automatically log in to an application system through a proxy servo system. The flow chart of the steps can be referred to FIG. 2, and the steps are as follows: Receiving, by the system, the terminal device, by using a communication protocol, to request a request message S401 of the application system; the agent servo system checks whether the request message carries a device authentication certificate S402, and when the request message has a device authentication certificate, the proxy server system And the terminal device is authenticated by the application system, wherein the terminal device logs in the account password data of the application system, and the login URL of the application system is stored in a website and an account mapping database; when the request message is not There is the device authentication certificate, and the agent servo system performs the terminal device authentication S412.
其中,當該請求訊息帶有裝置認證憑證,該代理伺服系統則代理該終端裝置與該應用系統進行認證之步驟如下:對於該終端裝置所請求連線之該應用系統,該代理伺服系統於該映射轉址資料庫讀取該應用系統之映射轉址資料S403,若該映射轉址資料庫不存在該應用系統之映射轉址資料,則該代理伺服系統將錯誤訊息回傳該終端裝置S404;該代理伺服系統於該網址與帳號對映資料庫讀取該應用系統登入網址,並檢視該映射轉址資料是否為該應用系統登入網址S405;當所讀取之該應用系統之映射轉址資料為該應用系統登入網址,於該網址與帳號對映資料庫讀取該終端裝置登入該應用系統之角色權限與帳號密碼資料S406,若該網址與帳號對映資料庫不存在對應之應用系統之角色權限與帳號密碼資 料,則該代理伺服系統將錯誤訊息回傳該終端裝置S404;若該網址與帳號對映資料庫存在對應之應用系統之角色權限與帳號密碼資料,則該代理伺服系統連線該應用系統並以該終端裝置登入該應用系統之帳號密碼資料進行認證S407,若認證通過則產生該應用系統認證憑證,若認證失敗則產生一認證失敗訊息S408;當所讀取之該應用系統之映射轉址資料不為該應用系統登入網址,則該代理伺服系統透過通訊協定將該終端裝置連線轉址至該應用系統網址S410。 Wherein, when the request message carries the device authentication certificate, the proxy server system performs the authentication of the terminal device and the application system as follows: for the application system that the terminal device requests to connect, the proxy server system is configured to The mapping address database reads the mapping data S403 of the application system, if the mapping address database does not have the mapping address data of the application system, the proxy servo system returns an error message to the terminal device S404; The proxy server reads the application login URL in the website and the account mapping database, and checks whether the mapping address information is the application login URL S405; when the mapped mapping information of the application system is read Logging in to the application system, and reading the role permission and account password data S406 of the terminal device to log in to the application system in the website and the account mapping database, if the website and the account mapping database do not have corresponding application systems Role permissions and account passwords The agent servo system returns an error message to the terminal device S404; if the URL and the account mapping data inventory are in the corresponding application system role rights and account password data, the proxy server system connects the application system and The authentication is performed by the terminal device logging in the account password data of the application system. If the authentication is passed, the application system authentication certificate is generated. If the authentication fails, an authentication failure message S408 is generated; when the mapping of the application system is read. If the data is not the application login URL, the proxy server relays the terminal device to the application system URL S410 through a communication protocol.
本發明所提供的一種以代理伺服整合後端服務認證之方法,其應用系統認證案例示意圖可參照第3圖,說明如下:S501:代理伺服系統RP接收到終端裝置Client1以HTTPS通訊協定連線登入,代理伺服系統RP驗證終端裝置Client1通過身分認證,其中,代理伺服系統RP之網址為www.rp.com.tw,終端裝置Client1之帳號屬性值為|(uid=CHT)(&(role=ABC)(!group=XYZ))),該帳號屬性值邏輯規則為帳號識別碼不為CHT,或帳號角色識別碼等於ABC且群組識別碼不為XYZ;S502:代理伺服系統RP接收到終端裝置Client1以HTTPS通訊協定請求連線應用系統AP1,其中,該請求訊息www.abc.com.tw/AP1/login.html?sessionId=F0EA68BD83969B858F6F292159BE48D7,包含裝置認證憑證sessionId=F0EA68BD83969B858F6F292159BE48D7與連線應用系統之URI為/AP1;S503:代理伺服系統RP於映射轉址資料庫取得應用系統AP1之映射轉址資料為http://10.0.0.101/theAP1/login.htm;S504:代理伺服系統RP於網址與帳號對映資料庫取得應用系統登入網址為http://10.0.0.101/theAP1/login.do; S505:代理伺服系統RP依終端裝置Client1之帳號屬性值,於網址與帳號對映資料庫取得該終端裝置登入應用系統AP1之帳號密碼為xxx/yyy;S506:代理伺服系統RP以代理終端裝置Client1之帳號密碼xxx/yyy連線應用系統AP1進行登入驗證;S507:代理伺服系統RP成功登入應用系統AP1並取得應用系統認證憑證,代理伺服系統RP將應用系統認證憑證回傳終端裝置Client1。 The invention provides a method for proxy back-end service authentication by proxy servo. The schematic diagram of the application system authentication case can be referred to FIG. 3, and the following is as follows: S501: The proxy servo system RP receives the terminal device Client1 and logs in through the HTTPS protocol. The proxy server RP verifies that the terminal device Client1 is authenticated by identity. The URL of the proxy server system RP is www.rp.com.tw , and the account attribute value of the terminal device Client1 is | (uid=CHT) (&(role=ABC) (!group=XYZ))), the account attribute value logic rule is that the account identification code is not CHT, or the account role identification code is equal to ABC and the group identification code is not XYZ; S502: the proxy servo system RP receives the terminal device Client1 requests to connect to the application system AP1 by using the HTTPS protocol, wherein the request message is www.abc.com.tw/AP1/login.html? sessionId=F0EA68BD83969B858F6F292159BE48D7 , including the device authentication certificate sessionId=F0EA68BD83969B858F6F292159BE48D7 and the URI of the connection application system is /AP1 ; S503: the proxy servo system RP obtains the mapping address data of the application system AP1 in the mapping address database as http://10.0. 0.101/theAP1/login.htm ; S504: The proxy server system RP obtains the application login URL of the website and the account mapping database as http://10.0.0.101/theAP1/login.do; S505: the proxy servo system RP depends on the terminal The account attribute value of the device Client1 is obtained by the website and the account mapping database, and the account password of the terminal device login application system AP1 is xxx/yyy; S506: the proxy server system RP is connected with the account password xxx/yyy of the client terminal device Client1. The application system AP1 performs login verification; S507: the proxy servo system RP successfully logs in to the application system AP1 and obtains the application system authentication credential, and the proxy servo system RP returns the application system authentication credential to the terminal device Client1.
上列詳細說明乃針對本發明之一可行實施例進行具體說明,惟該實施例並非用以限制本發明之專利範圍,凡未脫離本發明技藝精神所為之等效實施或變更,均應包含於本案之專利範圍中。 The detailed description of the present invention is intended to be illustrative of a preferred embodiment of the invention, and is not intended to limit the scope of the invention. The patent scope of this case.
綜上所述,本案不僅於技術思想上確屬創新,並具備習用之傳統方法所不及之上述多項功效,已充分符合新穎性及進步性之法定發明專利要件,爰依法提出申請,懇請貴局核准本件發明專利申請案,以勵發明,至感德便。 To sum up, this case is not only innovative in terms of technical thinking, but also has many of the above-mentioned functions that are not in the traditional methods of the past. It has fully complied with the statutory invention patent requirements of novelty and progressiveness, and applied for it according to law. Approved this invention patent application, in order to invent invention, to the sense of virtue.
100‧‧‧終端裝置 100‧‧‧ Terminal devices
200‧‧‧代理伺服整合後端服務認證之系統 200‧‧‧Agent Servo Integrated Backend Service Certification System
210‧‧‧過濾包裝模組 210‧‧‧Filter packaging module
220‧‧‧自動登入模組 220‧‧‧Automatic login module
230‧‧‧映射轉址管理模組 230‧‧‧Map Transfer Management Module
240‧‧‧帳號對映管理模組 240‧‧‧ account mapping management module
250‧‧‧應用系統登入網址管理模組 250‧‧‧Application Login URL Management Module
260‧‧‧映射轉址資料庫 260‧‧‧Map Transfer Database
270‧‧‧網址與帳號對映資料庫 270‧‧‧Website and account mapping database
300‧‧‧應用系統 300‧‧‧Application System
Claims (18)
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| TW102109438A TWI527419B (en) | 2013-03-18 | 2013-03-18 | Method and System of Integrating Backend Service Authentication with Proxy Servo |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| TW102109438A TWI527419B (en) | 2013-03-18 | 2013-03-18 | Method and System of Integrating Backend Service Authentication with Proxy Servo |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| TW201438451A true TW201438451A (en) | 2014-10-01 |
| TWI527419B TWI527419B (en) | 2016-03-21 |
Family
ID=52113536
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| TW102109438A TWI527419B (en) | 2013-03-18 | 2013-03-18 | Method and System of Integrating Backend Service Authentication with Proxy Servo |
Country Status (1)
| Country | Link |
|---|---|
| TW (1) | TWI527419B (en) |
Cited By (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| TWI640886B (en) * | 2017-01-19 | 2018-11-11 | 富邦人壽保險股份有限公司 | Login method and login authentication device |
| US20210243182A1 (en) * | 2020-01-30 | 2021-08-05 | Canon Kabushiki Kaisha | Information processing apparatus, information processing method, and storage medium |
| TWI822087B (en) * | 2021-06-30 | 2023-11-11 | 日商樂天集團股份有限公司 | Service provision system, service provision method and program product |
-
2013
- 2013-03-18 TW TW102109438A patent/TWI527419B/en not_active IP Right Cessation
Cited By (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| TWI640886B (en) * | 2017-01-19 | 2018-11-11 | 富邦人壽保險股份有限公司 | Login method and login authentication device |
| US20210243182A1 (en) * | 2020-01-30 | 2021-08-05 | Canon Kabushiki Kaisha | Information processing apparatus, information processing method, and storage medium |
| US11843595B2 (en) * | 2020-01-30 | 2023-12-12 | Canon Kabushiki Kaisha | Information processing apparatus, information processing method, and storage medium |
| TWI822087B (en) * | 2021-06-30 | 2023-11-11 | 日商樂天集團股份有限公司 | Service provision system, service provision method and program product |
Also Published As
| Publication number | Publication date |
|---|---|
| TWI527419B (en) | 2016-03-21 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| US10880292B2 (en) | Seamless transition between WEB and API resource access | |
| US10581827B2 (en) | Using application level authentication for network login | |
| US11316689B2 (en) | Trusted token relay infrastructure | |
| WO2021136290A1 (en) | Identity authentication method and apparatus, and related device | |
| US9258292B2 (en) | Adapting federated web identity protocols | |
| US9130926B2 (en) | Authorization messaging with integral delegation data | |
| JP6033990B2 (en) | Multiple resource servers with a single flexible and pluggable OAuth server, OAuth protected REST OAuth permission management service, and OAuth service for mobile application single sign-on | |
| US8627409B2 (en) | Framework for automated dissemination of security metadata for distributed trust establishment | |
| US8412156B2 (en) | Managing automatic log in to internet target resources | |
| US9338007B1 (en) | Secure delegated authentication for applications | |
| US20140013409A1 (en) | Single sign on for cloud | |
| CN115021991A (en) | Single sign-on for unmanaged mobile devices | |
| CN107637044B (en) | Secure in-band service detection | |
| JP2020057363A (en) | Method and program for security assertion markup language (saml) service provider-initiated single sign-on | |
| US11936639B2 (en) | Using client certificates to communicate trusted information | |
| JP2017107342A (en) | Authentication cooperation system, authentication cooperation method, authorization server, application server, and program | |
| WO2013071087A1 (en) | Single sign on for cloud | |
| US10601809B2 (en) | System and method for providing a certificate by way of a browser extension | |
| US20170149790A1 (en) | Authentication control device and authentication control method | |
| CN103384198A (en) | User identity identification service method and system on basis of mailbox | |
| EP2915309B1 (en) | Utilizing authentication scheme for single sign-on between servers | |
| JP2017523508A (en) | Secure integrated cloud storage | |
| TWI527419B (en) | Method and System of Integrating Backend Service Authentication with Proxy Servo | |
| US9948648B1 (en) | System and method for enforcing access control to publicly-accessible web applications | |
| US20160234199A1 (en) | Method and apparatus for providing authentication based on aggregated attribute in federated identity management |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| MM4A | Annulment or lapse of patent due to non-payment of fees |