
CN101771676A - Setting and authentication method for cross-domain authorization and relevant device and system - Google Patents


Info

Publication number
CN101771676A
Authority
CN
China
Prior art keywords
page
user
information
server
resource information
Prior art date
Legal status
Granted
Application number
CN200810242174A
Other languages
Chinese (zh)
Other versions
CN101771676B (en)
Inventor
孙谦
胡立新
谭东晖
Current Assignee
Huawei Technologies Co Ltd
Original Assignee
Huawei Technologies Co Ltd
Priority date
Filing date
Publication date
Application filed by Huawei Technologies Co Ltd
Priority to CN200810242174 (CN101771676B)
Priority to PCT/CN2009/076318 (WO2010075798A1)
Publication of CN101771676A
Application granted
Publication of CN101771676B
Legal status: Expired - Fee Related (current)
Anticipated expiration


Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F 21/31 User authentication
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/60 Protecting data
    • G06F 21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • Software Systems (AREA)
  • Signal Processing (AREA)
  • General Physics & Mathematics (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • General Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • Health & Medical Sciences (AREA)
  • Computing Systems (AREA)
  • Information Transfer Between Computers (AREA)

Abstract

The invention discloses a method for setting cross-domain authorization. The method includes the steps of: receiving a user's request to access resource information; displaying, according to the request, a first page containing the resource information, the first page being provided by a first server in a first domain; displaying, according to the first page, a second page containing the user's relationship information, the second page being provided by a second server in a second domain; receiving the user's selection, on the second page, of relationship information corresponding to the resource information; and sending the resource information and the relationship information selected on the second page to the first server, so that the first server stores a record of the correspondence between the selected relationship information and the resource information and uses that record as the authorization information for access to the resource information. Embodiments of the invention also disclose an authentication method, a terminal, related devices and a system for cross-domain authorization. With these embodiments, a user's resource information held in the first domain can be authorized to relationship information held in the second domain, which improves the user experience.

Figure 200810242174

Description

Setting and authentication method for cross-domain authorization, and related device and system

Technical field

The present invention relates to the field of computer applications, and in particular to a setting method and an authentication method for cross-domain authorization, and to related devices and a system.

Background

An SNS (Social Network Site), generally referred to in Chinese as a social networking site server, is a virtual online social networking platform built on the idea of a social relationship system. From Myspace to Facebook, Kaixin.com and Xiaonei.com, social networking site servers at home and abroad have matured and become part of the daily lives of a growing number of people. At the same time, a large number of applications have appeared for the users of social networking platforms. These applications are generally provided by an application server, and it is these diverse social applications that bring real value to users. The application site server is usually separate and independent from the social networking site server, may be operated by a different service provider, and generally sits in a different domain from the social networking site server. A user may hold a great deal of resource information on the application site server, such as photos, videos, diaries, microblog posts, URL bookmarks or location information, while the user's relationship information, such as contacts (also called a friend list) and groups, is stored on the social networking site server.

A user may wish to share resources held on the application site server, in a restricted way, with certain contacts or designated groups on the social networking site. When the relationship information and the resource information are in the same domain, this can be achieved with ordinary permission settings. When they are in different domains, however, the application site server cannot freely access the user's relationship information on the social networking site server without permission. How to authorize resource information held on the application site server to the users described by relationship information in a different domain, that is, cross-domain authorization, is therefore a problem that currently needs to be solved.

Summary of the invention

Embodiments of the present invention provide a setting method and an authentication method for cross-domain authorization, and related devices and a system, so that a user's resource information in a first domain can be authorized to relationship information in a second domain, thereby improving the user experience.

An embodiment of the present invention provides a method for setting cross-domain authorization, including:

receiving a user's request to access resource information;

displaying, according to the request, a first page containing the user's resource information, the first page being provided by a first server in a first domain;

displaying, according to the first page, a second page containing the user's relationship information, the second page being provided by a second server in a second domain;

receiving the user's selection, on the second page, of relationship information corresponding to the resource information; and

sending the resource information and the relationship information selected by the user on the second page to the first server, so that the first server stores a record of the correspondence between the selected relationship information and the resource information and uses that record as the authorization information for access to the resource information.

An embodiment of the present invention also provides an authentication method for cross-domain authorization, including:

receiving a request from a user, through a terminal, to access resource information held on a first server in a first domain;

obtaining the authorization information corresponding to the resource information, the authorization information recording the relationship information, held on a second server in a second domain, that corresponds to the resource information;

determining whether the user belongs to the relationship information; and

if so, allowing the user to access the resource information, and otherwise denying the user access to the resource information.

An embodiment of the present invention also provides an authentication method for cross-domain authorization, including:

receiving a user's request through a terminal;

obtaining the user's authorization information according to the request;

obtaining, according to the authorization information, the resource information that the user is authorized to access; and

sending the resource information to the terminal.

An embodiment of the present invention also provides a method for setting cross-domain authorization, including:

receiving a request to access resource information, sent by a user through a terminal;

sending, according to the request, a first page containing the resource information to the terminal, so that the terminal sends, according to the first page, a request to obtain relationship information to a second server in a second domain, obtains the relationship information sent by the second server and displays it on a second page; and

receiving the resource information sent by the terminal and the relationship information corresponding to the resource information that the user selected on the second page, storing a record of the correspondence between the selected relationship information and the resource information, and using that record as the authorization information for access to the resource information.
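The three server-side operations summarized in the preceding embodiments (storing the correspondence record between a resource and the selected relationship information, deciding an access request against that record, and listing the resources a requester is authorized to access) can be modelled as follows. This is an added example written for this page, not code from the patent or from Huawei; the class and function names, the `user:`/`group:` identifier format and the sample users and groups are assumptions, and the membership lookup stands in for a query to the second server.

```javascript
// Added example (not from the patent): an in-memory model of the first
// server's authorization records and the checks described in the summary.
// AuthorizationStore, the identifier format and the sample data below are
// assumptions made for this illustration.

// Relationship identifiers as the second server would send them. The page
// says user identifiers and group identifiers are what actually travel, so
// the store only ever holds those, never display names or nicknames.
const RELATION_ID = /^(user|group):[A-Za-z0-9_-]+$/;

class AuthorizationStore {
  constructor() {
    // resourceId -> { owner, relations: Set<relationId> }
    this.records = new Map();
  }

  // Setting method, final step: persist the (resource, selected relations)
  // correspondence. Only the resource owner may set it, and every relation
  // identifier must be well-formed; one malformed id rejects the request.
  store(ownerId, resourceId, selectedRelations) {
    if (!Array.isArray(selectedRelations)) {
      throw new TypeError('selectedRelations must be an array');
    }
    for (const rel of selectedRelations) {
      if (typeof rel !== 'string' || !RELATION_ID.test(rel)) {
        throw new Error(`invalid relation identifier: ${String(rel)}`);
      }
    }
    const existing = this.records.get(resourceId);
    if (existing && existing.owner !== ownerId) {
      throw new Error('only the resource owner may change its authorization');
    }
    this.records.set(resourceId, { owner: ownerId, relations: new Set(selectedRelations) });
  }

  // First authentication method: may requesterId access resourceId?
  // `memberships` plays the role of the second server: given a requester it
  // returns the Set of group ids the requester belongs to. Deny by default.
  checkAccess(requesterId, resourceId, memberships) {
    const record = this.records.get(resourceId);
    if (!record) return false;                      // no record, no access
    if (record.owner === requesterId) return true;  // owner sees own resource
    if (record.relations.has(`user:${requesterId}`)) return true;
    const groups = memberships(requesterId);
    for (const rel of record.relations) {
      if (rel.startsWith('group:') && groups.has(rel.slice('group:'.length))) {
        return true;
      }
    }
    return false;
  }

  // Second authentication method: list the resources a requester may access.
  authorizedResources(requesterId, memberships) {
    const out = [];
    for (const resourceId of this.records.keys()) {
      if (this.checkAccess(requesterId, resourceId, memberships)) out.push(resourceId);
    }
    return out.sort();
  }
}

// Constructed sample data standing in for the second server's group membership.
const SAMPLE_GROUPS = new Map([
  ['bob', new Set(['colleagues'])],
  ['carol', new Set(['family'])],
]);
const sampleMemberships = (userId) => SAMPLE_GROUPS.get(userId) || new Set();

// Walk through the two resources alice has authorized.
function demo() {
  const store = new AuthorizationStore();
  store.store('alice', 'photo-42', ['user:dave', 'group:colleagues']);
  store.store('alice', 'blog-7', ['group:family']);
  return {
    bobPhoto: store.checkAccess('bob', 'photo-42', sampleMemberships),     // true, via group
    davePhoto: store.checkAccess('dave', 'photo-42', sampleMemberships),   // true, via user id
    carolPhoto: store.checkAccess('carol', 'photo-42', sampleMemberships), // false
    carolList: store.authorizedResources('carol', sampleMemberships),      // ['blog-7']
  };
}
```

The decision is deny-by-default and the membership lookup is the only point at which the second server's data is consulted at request time, so the record stored in the setting step contains identifiers only; the user-facing names shown on the second page never enter the authorization record.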

An embodiment of the present invention also provides a terminal, including:

a request receiving module, configured to receive a user's request to access resource information;

a display module, configured to display, according to the request, a first page containing the user's resource information located in a first domain, and to display, according to the first page, a second page containing the user's relationship information located in a second domain;

a relationship information receiving module, configured to receive the relationship information corresponding to the resource information that the user selected on the second page; and

a sending module, configured to send the resource information and the relationship information selected on the second page to a first server, so that the first server stores a record of the correspondence between the selected relationship information and the resource information and uses that record as the authorization information for access to the resource information.

An embodiment of the present invention also provides a server, including:

a receiving module, configured to receive a user's request through a terminal;

an obtaining module, configured to obtain the user's authorization information according to the request, and to obtain, according to the authorization information, the resource information that the user is authorized to access; and

a sending module, configured to send the resource information to the terminal.

An embodiment of the present invention also provides a server, including:

a receiving module, configured to receive a request from a user, through a terminal, to access resource information held on a first server in a first domain;

an obtaining module, configured to obtain the authorization information corresponding to the resource information, the authorization information recording the relationship information, held on a second server in a second domain, that corresponds to the resource information; and

a processing module, configured to determine whether the user belongs to the relationship information, to allow the user to access the resource information when the determination is yes, and to deny the user access to the resource information when the determination is no.

An embodiment of the present invention also provides a server, including:

a receiving module, configured to receive a request sent by a user through a terminal;

a sending module, configured to send, according to the request, a first page containing resource information to the terminal, so that the terminal sends, according to the first page, a request to obtain relationship information to a second server in a second domain, obtains the relationship information sent by the second server and displays it on a second page; and

a storage module, configured to receive the resource information sent by the terminal and the relationship information corresponding to the resource information that the user selected on the second page, to store a record of the correspondence between the selected relationship information and the resource information, and to use that record as the authorization information for access to the resource information.

An embodiment of the present invention also provides a cross-domain authorization system, including:

a first server, located in a first domain, configured to receive a request sent by a user through a terminal; to send, according to the request, a first page containing resource information to the terminal, so that the terminal sends, according to the first page, a request to obtain relationship information to a second server in a second domain, obtains the relationship information sent by the second server and displays it on a second page; and to receive the resource information sent by the terminal and the relationship information corresponding to the resource information that the user selected on the second page, store a record of the correspondence between the selected relationship information and the resource information, and use that record as the authorization information for access to the resource information; and

a second server, located in the second domain, configured to send the user's relationship information to the terminal.

With the setting method, authentication method, terminal, servers and system for cross-domain authorization provided by the embodiments of the present invention, a user's resource information in a first domain can be authorized to the user's relationship information in another domain, such as contacts and groups, which improves the user experience. The user can directly use the relationship information that already exists on the second server to associate and authorize resources on the first server; in other words, the user can conveniently grant shared access to resources from their own point of view.

Brief description of the drawings

FIG. 1 is a flowchart of a method for setting cross-domain authorization according to an embodiment of the present invention;

FIG. 2 is a flowchart of a method for setting cross-domain authorization according to another embodiment of the present invention;

FIG. 3 is a schematic diagram of a method for setting cross-domain authorization according to another embodiment of the present invention;

FIG. 4 is a flowchart of a method for setting cross-domain authorization according to a further embodiment of the present invention;

FIG. 5 is a schematic diagram of the terminal's browser in a method for setting cross-domain authorization according to an embodiment of the present invention;

FIG. 6 is a flowchart of an authentication method for cross-domain authorization according to an embodiment of the present invention;

FIG. 7 is a flowchart of an authentication method for cross-domain authorization according to another embodiment of the present invention;

FIG. 8 is a flowchart of an authentication method for cross-domain authorization according to a further embodiment of the present invention;

FIG. 9 is a schematic structural diagram of a terminal according to an embodiment of the present invention;

FIG. 10 is a schematic structural diagram of a server according to an embodiment of the present invention;

FIG. 11 is a schematic structural diagram of a server according to another embodiment of the present invention;

FIG. 12 is a schematic structural diagram of a server according to a further embodiment of the present invention;

FIG. 13 is a schematic structural diagram of a cross-domain authorization system according to an embodiment of the present invention.

Detailed description

An embodiment of the present invention provides a method for setting cross-domain authorization which, as shown in FIG. 1, includes:

101: receiving a user's request to access resource information;

102: displaying, according to the request, a first page containing the user's resource information, the first page being provided by a first server in a first domain;

103: displaying, according to the first page, a second page containing the user's relationship information, the second page being provided by a second server in a second domain;

104: receiving the user's selection, on the second page, of relationship information corresponding to the resource information; and

105: sending the resource information and the relationship information selected on the second page to the first server, so that the first server stores a record of the correspondence between the selected relationship information and the resource information and uses that record as the authorization information for access to the resource information.

With the above embodiment, a user's resource information in the first domain can be authorized to relationship information in the second domain, which improves the user experience.

In another embodiment provided by the present invention, a first server in a first domain stores the user's resource information, such as photos, videos, URL bookmarks and blog entries, and a second server in a second domain, different from the first, stores the user's relationship information, such as contacts and groups. As shown in FIG. 2, the method for setting cross-domain authorization provided by this embodiment mainly includes the following steps:

Step 201: the terminal receives the user's request to access resource information.

The user accesses the resource information on the first server through the terminal. This access can use OpenID technology: the first server acts as the OpenID relying party and the second server as the OpenID provider. The first server receives the user's OpenID identifier and, following the OpenID protocol, redirects the terminal's browser to a second page on the second server, which authenticates the user; the user supplies a password or other authentication information such as a fingerprint. After passing this authentication, the browser is redirected back to the first page that the first server displays on the terminal, which contains the user's resource information, such as photos, videos, URL bookmarks and blog entries.

The first server may also set a session cookie in the terminal's browser to maintain the current user session, so that the user need not authenticate again on subsequent visits to the first server. If the terminal's browser has cookies disabled, session information can instead be carried directly in the HTTP request and response messages to maintain the current user session. Both ways of maintaining a session are common techniques in Internet services and are not described further here.

Besides OpenID, other cross-domain identity authentication technologies such as single sign-on (SSO), including OpenSSO and Microsoft Passport, can be used to simplify the authorization process for the user's resource information: the user logs in to the first server once through the terminal's browser, and when resource information later needs to be authorized the browser can access the second server directly to obtain the user's relationship information, without authenticating on the second server again.

Of course, if no additional cross-domain authentication technology is to be used, the user can also be made to access the second server separately after accessing the first server in order to obtain the relationship information, that is, one further, separate login to the second server.

Step 202: the first server displays a first page through the browser of the user's terminal, namely the authorization page for the resource information on the first server. The first page shows the resource information together with a button or hyperlink for confirming the authorization. The hypertext code of the first page (including script code) is generated entirely by the first server and sent by the first server to the browser of the user's terminal for display.

Step 203: displaying, according to the first page, a second page containing relationship information.

The terminal's browser also displays a second page containing the user's relationship information; the hypertext code of the second page (including script code) is generated by the second server. The second page can be displayed in several ways, for example inside the first page as an iframe (Inline Frame), or, when a button or link on the first page is clicked, as a new browser window that shows the user's relationship information such as contacts and groups.

The second page in turn includes an iframe pointing at the first server, referred to as the third page, which is generally given a hidden style. Through this iframe in the second page pointing back to the first server, the restriction that pages in a browser cannot communicate directly across domains is worked around, so that the first server and the second server can pass information to each other through the user's browser.

Referring to FIG. 3, the second page is displayed as an iframe within the first page. A ring-shaped information channel is formed from the first page of the first server to the second page of the second server, on to the third page of the first server, and back to the first page of the first server. This realizes cross-domain transfer of the relationship information inside the browser, so that the first server can conveniently obtain the user's relationship information held on the second server and authorize the resources in the application accordingly.

The second page can be displayed by setting its source address in the first page; for example, the source address attribute of the iframe holding the second page can be set in a JavaScript function of the first page, as follows:

iframe1.src = "http://snsexample.com/relationship.php";

For the second page in pop-up form, a hyperlink address is used directly, such as:

<a href="http://snsexample.com/relationship.php" target="_blank">Display groups and contacts</a>

or the script bound to a button's click event opens a new page, such as:

window.open('http://snsexample.com/relationship.php');
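As an added example (not the patent's own code), the browser-side exchange described above can be written so that the first page accepts relationship information only from the second server's origin and only for the resource it is currently authorizing. It uses `window.postMessage`, the origin-checked cross-document channel that browsers now provide, in place of the hidden third-page iframe hop the patent describes; the origins, the message shape and the identifier format are assumptions made for this illustration.

```javascript
// Added example (not from the patent): the browser-side half of the channel
// that carries a user's selected relations from the second server's page
// (second domain) back to the first server's page (first domain), using
// window.postMessage rather than the hidden third-page iframe.
// FIRST_ORIGIN, SECOND_ORIGIN, the message shape and RELATION_ID are assumptions.

const FIRST_ORIGIN = 'https://app.example.com';  // first server, first page (assumed)
const SECOND_ORIGIN = 'https://snsexample.com';   // second server, second page (assumed)
const RELATION_ID = /^(user|group):[A-Za-z0-9_-]+$/;

// Validate a message arriving in the first page. Returns the accepted
// selection, or null when the message must be ignored. `msg` mirrors the
// fields of a MessageEvent that matter here: { origin, data }.
function acceptRelationshipMessage(msg, expectedResourceId) {
  // 1. Only the second server's page may feed relationship information in.
  if (!msg || msg.origin !== SECOND_ORIGIN) return null;
  const data = msg.data;
  if (!data || typeof data !== 'object') return null;
  if (data.type !== 'relationship-selection') return null;
  // 2. The message must refer to the resource this page is authorizing.
  if (data.resourceId !== expectedResourceId) return null;
  // 3. Only identifiers travel (the page says user ids and group ids are
  //    used, not names); reject anything else and drop duplicates.
  if (!Array.isArray(data.relations)) return null;
  const relations = [];
  for (const rel of data.relations) {
    if (typeof rel !== 'string' || !RELATION_ID.test(rel)) return null;
    if (!relations.includes(rel)) relations.push(rel);
  }
  return { resourceId: data.resourceId, relations };
}

// What the second page sends once the user has ticked contacts and groups
// and confirmed the selection.
function buildRelationshipMessage(resourceId, relationIds) {
  return { type: 'relationship-selection', resourceId, relations: relationIds };
}

// Browser wiring (only meaningful in a browser, not run here): the first page
// installs the validating listener, and the second page posts only to the
// first server's origin so no other window can read the selection.
function installFirstPageListener(win, resourceId, onAccepted) {
  win.addEventListener('message', (event) => {
    const sel = acceptRelationshipMessage({ origin: event.origin, data: event.data }, resourceId);
    if (sel) onAccepted(sel); // e.g. submit sel to the first server (step 105)
  });
}
function postFromSecondPage(parentWindow, resourceId, relationIds) {
  parentWindow.postMessage(buildRelationshipMessage(resourceId, relationIds), FIRST_ORIGIN);
}
```

The origin check in step 1 is what ties the data to the second server: relationship identifiers arriving from any other frame are dropped before they can reach the first server's authorization record, and binding the message to the resource identifier in step 2 keeps a selection made for one resource from being applied to another.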

如果用户通过终端第一服务器时是由第二服务器进行身份认证,如采用OpenID或单点等方式,即用户在步骤101通过第二服务器的身份认证时,第二服务器可以在用户的终端的浏览器端设置相应的会话cookie项,该cookie项的数据可以包括会话标识等会话信息,在当前会话内用户访问第二服务器就可以不必进行认证了。即第二页面先获取用户的终端的浏览器端的cookie数据,然后携带cookie数据向第二服务器请求获取该用户的关系信息,并将得到的关系信息显示在本页面中。If the user is authenticated by the second server when passing through the first server of the terminal, such as using OpenID or a single point, that is, when the user passes the identity authentication of the second server in step 101, the second server can browse through the user's terminal. The corresponding session cookie item is set at the server end, and the data of the cookie item may include session information such as a session ID, so that the user does not need to perform authentication when accessing the second server in the current session. That is, the second page first obtains the cookie data of the browser of the user's terminal, and then carries the cookie data to request the second server to obtain the user's relationship information, and displays the obtained relationship information on the page.

如果第一服务器与第二服务器不能采用OpenID或单点等方式使用户只在一个服务器中进行身份认证,则用户在第一服务器上之后,由于第二页面对应的第二服务器没有相应的会话信息如cookie数据,则第二页面显示用户的关系信息之前,要提示用户先第二服务器上进行身份认证。If the first server and the second server cannot use OpenID or single point to make the user authenticate in only one server, after the user is on the first server, because the second server corresponding to the second page does not have corresponding session information Such as cookie data, before the second page displays the user's relationship information, the user should be prompted to perform identity authentication on the second server.

As shown in Figure 4, the first page contains the resource information, such as a photo, and a button for confirming the authorization. The first page may embed the second page as an inline frame. The relationship information displayed on the second page may include a contact list; contacts may be displayed in groups, such as colleagues, classmates and family, with a checkbox shown in front of each contact or group name. Public groups that the user has created or joined, together with their members, may also be displayed for the user to select. Both a contact group and a public group can be represented by a unique group identifier. The second page may display a contact's name or nickname and a group's name, but in the actual transmission of information the contact's user identifier and the group identifier are generally used.

Besides the above contacts and groups, the second server can also detect other users who have recently communicated with the user, for example those for whom the second server holds records of messages, e-mails or phone calls, and display these users on the second page as well. As telecommunication networks and the Internet converge, a second server operated by a telecommunications carrier can easily obtain the user's communication records (such as text messages and phone calls). People who have communicated with the user are not necessarily among the user's contacts and groups, yet the user sometimes wishes to share some resources with them temporarily; the information about these people (who may be called temporary contacts) therefore also belongs to the user's relationship data.

In addition, since the user may already have authorized the current resource information to some relationship information such as contacts or groups, the first page can also request the user's existing authorization information for the current resource information from the first server, and pass the already-authorized contact and group information to the second page as parameters of the second page's source address URL (Uniform Resource Locator). For example:

iframe1.src="http://snsexample.com/relationship.php#groups=group1";

Here the parameter in the bookmark, i.e. the part of the above address after "#", indicates that the current resource has already been authorized to the group group1.

Besides bookmark parameters, the parameters can also be placed after the query string "?" of the source address, for example:

iframe1.src="http://snsexample.com/relationship.php?groups=group1";

Of course, when the same address must be reused and a large amount of information is to be transmitted through the iframe's URL, the bookmark "#" is the best approach.

When its window load event (window.onload) fires, the second page can read the above parameters from the current page address and, when displaying the user's relationship information, mark the already-authorized groups such as group1 as selected according to those parameters. In this way the user can see which relationship information, such as contacts or groups, has already been authorized to access the current resource information. An example in which the parameters include both groups and contacts is as follows:

iframe1.src="http://snsexample.com/relationship.php#groups=group1&contacts=usera+userb";

The parameters in the above address indicate that the current resource has already been authorized to the group group1 and to the contacts usera and userb; group1 is a group identifier, and usera and userb are user identifiers.

Step 204: the user selects relationship information on the second page, and the selected relationship information is passed to the third page. Whenever the user selects or deselects a group or contact through the terminal (for example, on the onClick event of the checkbox corresponding to that contact or group), the second page passes the currently selected relationship information (groups or contacts) to the third page. This can be done by setting the source address attribute of the third page, i.e. specifying the third page's address and including the relationship information selected by the user in the address parameters. An example of the source address set for the third page is as follows:

iframe2.src="http://appexample.com/auth.php#groups=group1+group2&contacts=usera+userb+userc";

The parameters in the above address indicate that the current resource has been selected for authorization to the groups group1 and group2 and to the contacts usera, userb and userc.

Step 205: the third page passes the user-selected relationship information received from the second page to the first page. The third page sets up a timer function that runs once every predetermined interval, for example every 500 milliseconds, reads the user-selected relationship information from the parameters in the current page address, and passes it to the first page whenever it changes. Because the interval is very short (generally less than one second), the relationship information obtained by the third page reflects in real time the authorization choices the user makes on the second page; this relationship information (such as "groups=group1+group2&contacts=usera+userb+userc") is then handed to the corresponding script on the first page for processing. Because the third page and the first page are in the same domain, that is, both are served by the first server, there is no cross-domain restriction and the relationship information can be passed normally. For a second page in inline-frame form, an example of the processing script in the third page is as follows:

function transmit(){
   parent.parent.receive(window.location.hash);
}

setInterval(transmit,500);

The above script executes transmit() every 500 milliseconds, passing the parameters in this page's source address (i.e. the content of window.location.hash) to the corresponding script on the first page (the parent.parent object), namely the receive function mentioned above, for processing.

For a second page in pop-up form, an example of the processing script in the third page is as follows:

function transmit(){
   parent.opener.receive(window.location.hash);
}

setInterval(transmit,500);

Here the first page corresponds to the parent.opener object, which differs from the case where the second page is an inline frame.

Step 206: after the user confirms the authorization of the resource information to the selected contacts and/or groups, the first page submits the finally selected relationship information together with the resource information to the first server.

The first page includes a button or hyperlink for confirming the authorization, which may be labelled "Share" or "OK", for example. When the user activates it, the first page submits the user's final selection of relationship information together with the resource information to the first server. The first server stores the correspondence between the selected relationship information and the resource information, and uses this record as the authorization information for accessing the resource information. The authorization information may additionally include the authorization time, i.e. the time at which the first page submitted the finally selected relationship information and the corresponding resource information to the first server.

It can be seen from the above steps that the relationship information corresponding to the resource information is transferred between the first server and the second server entirely within the browser on the terminal: the already-authorized relationship information is passed from the first page of the first server to the second page of the second server, and the relationship information selected by the user is passed from the second page of the second server through the third page to the first page. Cross-domain resource authorization is thus completed without directly transferring any data between the first server and the second server, which is simple and efficient and makes full use of the terminal's computing capability. A first server that lacks relationship information can thereby make full use of the user relationship information held by the second server to enhance the social functions of its own application and attract more users.

In a cross-domain authorization setting method provided by another embodiment of the present invention, if cookies are disabled in the user's terminal browser, then to ensure the security of the cross-domain information transfer, passwords are first exchanged between the first domain and the second domain before any information is transferred; every subsequent transfer carries the password, and the password is verified when the transferred information is received. Referring to Figure 5, the specific process is as follows:

Step 301: the first page obtains a first password. The first password may be generated by the first page itself using a random function, or requested from the first server. Because some browsers cannot generate a sufficiently secure password with their own random function, obtaining the password from the server is recommended; the password may be a random string. The session identifier (Session ID) between the first server and the user's browser can be used as the first password, because a session identifier is usually an unpredictable random string.

Step 302: the first page passes the first password to the second page. In the second page's window load event (window.onload), the password parameter that the first page set in the second page's source address is read; the password may, for example, be included in the bookmark parameters. The second page caches the received first password for subsequent password verification.

Step 303: the second page obtains a second password and sends it to the third page. The second password may likewise be generated by the second page itself or requested from the second server and then passed to the third page; the session identifier (Session ID) between the second server and the user's browser may also be used as the second password.

Step 304: the third page passes the second password on to the first page. The first page caches the second password for subsequent password verification. This completes the cross-domain password exchange between the first server and the second server.

Step 305: when the user-selected relationship information is subsequently transferred, both the first page and the second page include the password corresponding to their own domain in the URL bookmark parameters they set. For example, when the first page sets the second page's source address attribute, it carries the password as follows:

iframe1.src="http://snsexample.com/relationship.php#groups=group1&password=qw3e45s32328f3nl";

Besides the relationship information, the bookmark parameters of the above address include the first password "qw3e45s32328f3nl".

Step 306: the second page verifies the password. In the second page's window load event, the password in the bookmark parameters of this window's address (the password "qw3e45s32328f3nl" above) is extracted and compared with the previously cached first password; subsequent processing, such as extracting the already-authorized relationship information from the parameters in the following steps, takes place only if the verification succeeds.

Step 307: when the second page passes the user-selected relationship information to the third page, it also carries the second password.

Step 308: the third page verifies the password. In the third page's window timer function, the password in the bookmark parameters of this window's address is extracted and compared with the previously cached second password; subsequent processing takes place only if the verification succeeds.

In this way, a request that accesses the address of the second page or the third page from anywhere other than the current browser instance cannot obtain the above passwords, and therefore the user's relationship information and resource authorization information are not leaked.

An authentication method for cross-domain authorization provided by an embodiment of the present invention describes the authentication process when another user accesses resource information in the first server. For clarity, the user who owns the resource information in the first server is called the first user, and the user who wants to access the first user's resource information is called the second user. Assume that the first user has authorized resource information in the first server, such as album P, to group A, and that the members of group A include the second user. Referring to Figure 6, the steps of this embodiment are as follows:

Step 401: the first server receives a request from the second user to access the first user's resource information, such as album P; the resource information resides in the first server in the first domain. The request may be made by the second user using OpenID or by other means.

Step 402: the first server queries and obtains the first user's authorization information for the resource information; the authorization information records the relationship information, held by the second server in the second domain, that corresponds to the resource information.

Step 403: the first server determines whether the second user belongs to the above relationship information.

Step 404: if so, the first server allows the second user to access the resource information; otherwise it denies the second user access to the resource information.

Through the method provided by the above embodiment, the first server can, by verifying a user, share with that user the resource information that another user has authorized, thereby improving the user experience.

To let the first server obtain as little of the user's relationship information as possible (for example, all the groups to which the second user belongs, which may be numerous and which the second server may not find convenient to pass on in full), in this embodiment the first server stores only the contact information and the group identifiers corresponding to the first user's resource information, and does not store the specific contacts in each group. For the steps of the cross-domain authorization authentication method provided by a further embodiment of the present invention, refer to Figure 7:

Step 501: the first server receives a request from the second user to access the first user's resource information, such as album P. The second user may log in to the first server using OpenID or by other means.

Step 502: the first server obtains, according to the resource information, the record of the first user's authorization information for that resource and determines whether the second user is an authorized contact (including temporary contacts). If so, the second user is allowed access and the process ends; otherwise step 503 is executed.

Step 503: the first server sends the group identifiers authorized in the first user's authorization record for the resource, together with the second user's identifier, to the second server and asks the second server to determine whether the second user is a member of those authorized groups. If the second user is a member of at least one of the authorized groups, the second server returns a positive result.

Step 504: the first server receives the result returned by the second server; if the result is positive, the first server allows the second user access, otherwise it denies access.

Through the method provided by the above embodiment, the first server can, by verifying a user, share with that user the resource information that another user has authorized, thereby improving the user experience.

So that, once a user logs in to the first server, the resources shared by other users that this user is permitted to access can be displayed, letting the user know which resources are available, another embodiment of the present invention provides a cross-domain authorization authentication method, shown in Figure 8, which mainly includes the following steps:

Step 601: the first server receives the second user's access request and retrieves from the stored authorization information the resource information authorized to the groups the second user belongs to, as well as the resource information authorized to the second user directly. Since many resources may be retrieved, the corresponding authorization time can be used to filter them, for example retrieving only resources whose authorization time falls within a predetermined period (such as the past week), or a predetermined number of the most recent ones (those whose authorization time is closest to the current time, such as the 10 most recently authorized resources).

Step 602: the above resource information is displayed on the page shown to the second user after login. This provides the user with a personalised post-login home page displaying the resources the user can access, particularly those that were shared recently.
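The first server's decision logic of steps 502 to 504 and the post-login listing of step 601, as an added example that is not part of the patent text, run against a constructed in-memory authorization store. The second server's group-membership answer is modelled as an injected function, the record field names and the "ALLOW"/"DENY" values are assumptions, and the requester's own group list is passed in for step 601 because the page does not say where the first server obtains it.

```javascript
// Added example, not from the patent: first-server authorization decisions
// (steps 502-504) and the recent-shares listing (step 601) over a constructed store.

// Authorization records as stored in step 206: which contacts and group
// identifiers may access a resource, and when the grant was made. The first
// server holds group identifiers only, never the groups' member lists.
const AUTHORIZATIONS = [ // constructed sample data
  { owner: "user1", resource: "albumP", contacts: ["usera"], groups: ["groupA"], authorizedAt: Date.parse("2008-12-20T10:00:00Z") },
  { owner: "user1", resource: "albumQ", contacts: ["userb"], groups: [],         authorizedAt: Date.parse("2008-12-01T09:00:00Z") },
  { owner: "user2", resource: "docR",   contacts: [],        groups: ["groupB"], authorizedAt: Date.parse("2008-12-24T08:30:00Z") },
];

// Stand-in for the second server's answer in step 503: is `userId` a member of
// at least one of `groupIds`? The membership table lives only in the second domain.
const GROUP_MEMBERS = { groupA: ["userb", "userc"], groupB: ["userc"] }; // constructed
function secondServerIsMemberOfAny(userId, groupIds) {
  return groupIds.some((g) => (GROUP_MEMBERS[g] || []).includes(userId));
}

// Steps 502-504. Returns the decision and the rule that produced it so the
// outcome can be logged. The group query is made only when the contact check
// fails, so the first server learns nothing about the groups' membership beyond
// a yes/no for this requester.
function authorizeAccess(records, requester, resource, isMemberOfAny) {
  const record = records.find((r) => r.resource === resource);
  if (!record) return { decision: "DENY", reason: "no authorization record" };
  if (record.contacts.includes(requester)) return { decision: "ALLOW", reason: "authorized contact" };
  if (record.groups.length > 0 && isMemberOfAny(requester, record.groups)) {
    return { decision: "ALLOW", reason: "member of authorized group" };
  }
  return { decision: "DENY", reason: "not in authorized contacts or groups" };
}

// Step 601: resources to show the requester after login, filtered by authorization
// time: only grants made within `withinMs` of `now`, newest first, at most `limit`.
// `requesterGroups` is assumed to be supplied by the caller (the page does not say
// how the first server obtains it).
function recentlySharedWith(records, requester, requesterGroups, now, withinMs, limit) {
  return records
    .filter((r) => r.contacts.includes(requester) || r.groups.some((g) => requesterGroups.includes(g)))
    .filter((r) => now - r.authorizedAt <= withinMs)
    .sort((a, b) => b.authorizedAt - a.authorizedAt)
    .slice(0, limit)
    .map((r) => ({ owner: r.owner, resource: r.resource }));
}

// Constructed sample run.
const NOW = Date.parse("2008-12-25T00:00:00Z");
const ONE_WEEK_MS = 7 * 24 * 60 * 60 * 1000;
// userb is not an authorized contact for albumP but is in groupA: allowed via step 503.
const decisionB = authorizeAccess(AUTHORIZATIONS, "userb", "albumP", secondServerIsMemberOfAny);
// userd is neither a contact nor a group member: denied.
const decisionD = authorizeAccess(AUTHORIZATIONS, "userd", "albumP", secondServerIsMemberOfAny);
// userc's post-login page: docR (shared yesterday) then albumP (shared five days ago).
const homePageC = recentlySharedWith(AUTHORIZATIONS, "userc", ["groupA", "groupB"], NOW, ONE_WEEK_MS, 10);
```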

The method provided by this embodiment of the present invention enables a user, upon logging in to the first server, to be shown the resource information shared by other users that the user is permitted to access, thereby improving the user experience.

An embodiment of the present invention provides a terminal 7, as shown in Figure 9, which includes:

a request receiving module 71, configured to receive a user's request to access resource information;

a display module 72, configured to display, according to the request, a first page containing the user's resource information located in the first domain, and to display, according to the first page, a second page containing the user's relationship information located in the second domain;

a relationship information receiving module 73, configured to receive the relationship information, corresponding to the resource information, that the user selects on the second page;

a sending module 74, configured to send the resource information and the relationship information selected by the user on the second page to the first server, so that the first server stores the correspondence between the selected relationship information and the resource information and uses that record as the authorization information for accessing the resource information.

Further,

the request receiving module 71 is further configured to receive existing authorization information sent by the first server in response to the request, the existing authorization information including records of the correspondence between relationship information already selected by the user and resource information;

the display module 72 is further configured to display, on the second page, the relationship information already selected by the user according to the existing authorization information.

Further, the second page is an inline frame page within the first page, or a new page opened by clicking a hyperlink or button in the first page.

An embodiment of the present invention provides a server 8, as shown in Figure 10, which includes:

a receiving module 81, configured to receive a user's request sent through a terminal;

an acquisition module 82, configured to acquire the user's authorization information according to the request, and to acquire, according to the authorization information, the resource information the user is authorized to access;

a sending module 83, configured to send the resource information to the terminal.

Further, the acquisition module 82 is specifically configured to acquire, according to the authorization information, the resource information the user was authorized to access within a recent predetermined period, or a predetermined number of the most recently authorized resource information; and the sending module is specifically configured to send that resource information to the terminal.

An embodiment of the present invention further provides a server 9, as shown in Figure 11, which includes:

a receiving module 91, configured to receive a user's request, sent through a terminal, to access resource information in a first server in a first domain;

an acquisition module 92, configured to acquire the authorization information corresponding to the resource information, the authorization information recording the relationship information, held by a second server in a second domain, that corresponds to the resource information;

a processing module 93, configured to determine whether the user belongs to the relationship information, to allow the user to access the resource information if so, and to deny the user access to the resource information if not.

Further, the relationship information includes contacts or groups;

the processing module 93 is specifically configured to: determine whether the user is one of the contacts in the relationship information and, if so, allow the user to access the resource information and end the process; if not, send the groups in the relationship information together with the user's identifier to the second server so that the second server can determine whether the user belongs to those groups; and receive the result from the second server and, if the result is positive, allow the user to access the resource information, otherwise deny the user access to the resource information.

An embodiment of the present invention further provides a server 10, as shown in Figure 12, which includes:

a receiving module 101, configured to receive a request sent by a user through a terminal;

a sending module 102, configured to send, according to the request, a first page containing resource information to the terminal, so that the terminal sends, according to the first page, a request for relationship information to a second server in a second domain, obtains the relationship information sent by the second server, and displays it on a second page;

a storage module 103, configured to receive the resource information sent by the terminal and the relationship information, corresponding to the resource information, that the user selected on the second page, to store the correspondence between the selected relationship information and the resource information, and to use that record as the authorization information for accessing the resource information.

Further,

the sending module 102 is further configured to send the stored existing authorization information to the terminal according to the request, the existing authorization information including records of the correspondence between relationship information already selected by the user and resource information.

An embodiment of the present invention further provides a cross-domain authorization system 11, as shown in Figure 13, which includes:

a first server 111, located in a first domain, configured to receive a request sent by a user through a terminal;

to send, according to the request, a first page containing resource information to the terminal, so that the terminal sends, according to the first page, a request for relationship information to a second server 112 in a second domain, obtains the relationship information sent by the second server 112 and displays it on a second page; and to receive the resource information sent by the terminal and the relationship information, corresponding to the resource information, that the user selected on the second page, store the correspondence between the selected relationship information and the resource information, and use that record as the authorization information for accessing the resource information;

第二服务器112,位于第二域,用于向所述终端发送上述用户的关系信息。The second server 112, located in the second domain, is configured to send the above-mentioned user relationship information to the terminal.

通过上述实施例提供的终端、服务器及系统,可以实现将用户处于第一域的资源信息授权给第二域的关系信息,从而可以提高用户体验。Through the terminal, server, and system provided in the above embodiments, it is possible to authorize the resource information of the user in the first domain to the relationship information of the second domain, thereby improving user experience.

本领域普通技术人员可以理解实现上述实施例方法中的全部或部分步骤是可以通过程序来指令相关的硬件完成,所述的程序可以存储于一种计算机可读存储介质中,该程序在运行时,执行上述实施例方法中的全部或部分步骤。上述提到的存储介质可以是只读存储器,磁盘或光盘等。Those of ordinary skill in the art can understand that all or part of the steps in the method of the above-mentioned embodiments can be completed by instructing related hardware through a program, and the program can be stored in a computer-readable storage medium, and the program can be executed when running , performing all or part of the steps in the methods of the foregoing embodiments. The storage medium mentioned above may be a read-only memory, a magnetic disk or an optical disk, and the like.

显然,本领域的技术人员可以对本发明进行各种改动和变型而不脱离本发明的精神和范围。这样,倘若本发明的这些修改和变型属于本发明权利要求及其等同技术的范围之内,则本发明也意图包含这些改动和变型在内。Obviously, those skilled in the art can make various changes and modifications to the present invention without departing from the spirit and scope of the present invention. Thus, if these modifications and variations of the present invention fall within the scope of the claims of the present invention and their equivalent technologies, the present invention also intends to include these modifications and variations.

Claims (25)

1. A setting method for cross-domain authorization, characterized in that it comprises:
receiving a request from a user to access resource information;
displaying, according to the request, a first page containing the user's resource information, the first page being provided by a first server located in a first domain;
displaying, according to the first page, a second page containing the user's relationship information, the second page being provided by a second server located in a second domain;
receiving the relationship information that the user selects on the second page as corresponding to the resource information;
sending the resource information and the relationship information selected by the user on the second page to the first server, so that the first server stores a corresponding record between the selected relationship information and the resource information and uses that corresponding record as the authorization information for accessing the resource information.
2. The method of claim 1, characterized in that it further comprises:
receiving existing authorization information sent by the first server according to the request, the existing authorization information containing corresponding records between relationship information already selected by the user and resource information;
the step of displaying, according to the first page, the second page containing the user's relationship information is specifically:
the first page receives the existing authorization information and sends it to the second page;
the second page displays the relationship information that the user has already selected in the existing authorization information.
3. The method of claim 2, characterized in that:
the second page is an inline frame page located within the first page, and the first page sending the existing authorization information to the second page is specifically: the first page specifies the page address of the second page by setting the source address attribute of the second page, and includes the existing authorization information in an address parameter sent to the second page; or
the second page is a new page opened by clicking a hyperlink or button in the first page, and the first page sending the existing authorization information to the second page is specifically: the first page, by setting the page address corresponding to the hyperlink or button, includes the existing authorization information in an address parameter sent to the second page of the second server.
4. The method of claim 3, characterized in that:
the second page displaying the relationship information that the user has already selected in the existing authorization information is specifically:
in its window load event, the second page takes the parameter containing the existing authorization information out of the address of the second page and, according to the existing authorization information, displays the relationship information that the user has already selected.
5. The method of any one of claims 1 to 4, characterized in that: the second page contains a third page pointing to the first page, the third page being an inline frame page;
the step of receiving the relationship information that the user selects on the second page as corresponding to the resource information is specifically: the second page specifies the page address of the third page by setting the source address attribute of the third page, and includes the user-selected relationship information in an address parameter sent to the first page, which the first page receives.
6. The method of claim 5, characterized in that: the third page detects whether the address parameter in its own source address attribute changes within a predetermined time, and when the address parameter changes, sends the changed address parameter to the first page.
7. The method of claim 6, characterized in that: the third page sending the user-selected relationship information to the first page is specifically: the third page processes the parameter in its source address attribute by calling a script function of the first page, thereby passing the user-selected relationship information to the first page.
8. The method of claim 5, characterized in that it further comprises:
the first page and the second page each generate their own password;
the first page and the second page exchange and save each other's password;
when information is subsequently transferred between the first page and the second page, the first page or the second page generates a new password and sends it to the other side; the first page or the second page verifies the saved password against the new password sent by the other side, and the first page or the second page performs the corresponding processing only when the new password sent by the other side is verified successfully.
9. The method of claim 5, characterized in that: the relationship information selected by the user or the existing authorization information is sent in a query string parameter or a bookmark (fragment) parameter set in the page address.
10. An authentication method for cross-domain authorization, characterized in that it comprises:
receiving a request from a user, via a terminal, to access resource information located on a first server in a first domain;
obtaining the authorization information corresponding to the resource information, the authorization information recording the relationship information, located on a second server in a second domain, that corresponds to the resource information;
judging whether the user belongs to the relationship information;
if so, allowing the user to access the resource information; otherwise, refusing the user access to the resource information.
11. The method of claim 10, characterized in that:
the relationship information comprises contacts or groups;
the step of judging whether the user belongs to the relationship information and, if so, allowing the user to access the resource information, otherwise refusing the user access to the resource information, is specifically:
judging whether the user belongs to the contacts in the relationship information; if so, allowing the user to access the resource information and ending the process; if not, performing the following steps:
sending the groups in the relationship information and the user's identifier to the second server, so that the second server judges whether the user belongs to the groups;
receiving the judgement result sent by the second server; if the result is yes, allowing the user to access the resource information, otherwise refusing the user access to the resource information.
12. An authentication method for cross-domain authorization, characterized in that it comprises:
receiving an access request from a user via a terminal;
obtaining, according to the request, the authorization information corresponding to the user;
obtaining, according to the authorization information, the resource information that the user is authorized to access;
sending the resource information to the terminal.
13. The method of claim 12, characterized in that:
the step of obtaining, according to the authorization information, the resource information that the user is authorized to access is specifically:
obtaining, according to the authorization information, the resource information that the user was authorized to access within a most recent predetermined time, or the latest predetermined number of resource information items that the user is authorized to access;
the step of presenting the resource information on the user's page is specifically:
sending to the terminal the resource information that the user was authorized to access within the most recent predetermined time, or the latest predetermined number of resource information items that the user is authorized to access.
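The access decision of claims 10 and 11 and the listing of claims 12 and 13, as an added example that is not the patent's own code: the first server resolves the record stored for the resource, answers the contact check locally, consults the second server only for group membership, and denies by default when no record exists; the listing restricts the result to records authorized since a point in time or to the latest N. The record layout, the stand-in for the second server's group check and all sample data are constructed assumptions.

```javascript
// Added example, not the patent's code: claims 10-13 over an in-memory
// authorization table. Record layout and all data are constructed assumptions.

// Corresponding records: resource -> relationship information (the
// authorization information of claim 1). createdAt is a constructed timestamp.
const AUTHORIZATIONS = [
  { resource: 'photo/1', contacts: ['bob'],   groups: [],         createdAt: 100 },
  { resource: 'photo/2', contacts: [],        groups: ['family'], createdAt: 200 },
  { resource: 'photo/3', contacts: ['carol'], groups: ['team'],   createdAt: 300 },
];

// Stand-in for the second server (claim 11): given the group names and the
// user's identifier, answer whether the user belongs to any of them.
const GROUP_MEMBERS = { family: ['dave'], team: ['erin'] }; // constructed
function secondServerIsMember(groups, userId) {
  return groups.some((g) => (GROUP_MEMBERS[g] || []).includes(userId));
}

// Claims 10-11. Default deny: no record means no access. The contact check is
// answered locally; the second server is consulted only when groups are listed.
function authorize(userId, resource, table = AUTHORIZATIONS, askSecond = secondServerIsMember) {
  const rec = table.find((r) => r.resource === resource);
  if (!rec) return { allow: false, reason: 'no-record' };
  if (rec.contacts.includes(userId)) return { allow: true, reason: 'contact' };
  if (rec.groups.length > 0 && askSecond(rec.groups, userId)) return { allow: true, reason: 'group' };
  return { allow: false, reason: 'not-in-relation' };
}

// Claims 12-13: the resources this user may access, restricted to records
// authorized since a point in time, or to the latest N, newest first.
function authorizedResources(userId, { since = -Infinity, limit = Infinity } = {},
                             table = AUTHORIZATIONS, askSecond = secondServerIsMember) {
  return table
    .filter((r) => r.createdAt >= since && authorize(userId, r.resource, table, askSecond).allow)
    .sort((a, b) => b.createdAt - a.createdAt)
    .slice(0, limit)
    .map((r) => r.resource);
}
```

The `askSecond` parameter is the only cross-domain dependency, which makes it easy to confirm in a test that a contact match or an empty group list never triggers a call to the second server.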
14. A setting method for cross-domain authorization, characterized in that it comprises:
receiving a request, sent by a user via a terminal, to access resource information;
sending to the terminal, according to the request, a first page containing the user's resource information, so that the terminal sends, according to the first page, an acquisition request for the user's relationship information to a second server in a second domain, and the terminal obtains the user's relationship information sent by the second server and displays it on a second page;
receiving the resource information sent by the terminal and the relationship information that the user selects on the second page as corresponding to the resource information, storing a corresponding record between the selected relationship information and the resource information, and using that corresponding record as the authorization information for accessing the resource information.
15. The method of claim 14, characterized in that it further comprises:
sending stored existing authorization information to the terminal according to the request, the existing authorization information containing corresponding records between relationship information already selected by the user and resource information.
16. A terminal, characterized in that it comprises:
a request receiving module, configured to receive a request from a user to access resource information;
a display module, configured to display, according to the request, a first page containing the user's resource information located in a first domain, and to display, according to the first page, a second page containing the user's relationship information located in a second domain;
a relationship information receiving module, configured to receive the relationship information that the user selects on the second page as corresponding to the resource information;
a sending module, configured to send the resource information and the relationship information selected by the user on the second page to a first server, so that the first server stores a corresponding record between the selected relationship information and the resource information and uses that corresponding record as the authorization information for accessing the resource information.
17. The terminal of claim 16, characterized in that:
the receiving module is further configured to receive existing authorization information sent by the first server according to the request, the existing authorization information containing corresponding records between relationship information already selected by the user and resource information;
the display module is further configured to display, on the second page, the relationship information that the user has already selected according to the existing authorization information.
18. The terminal of claim 16 or 17, wherein the second page is an inline frame page located within the first page, or a new page opened by clicking a hyperlink or button in the first page.
19. A server, characterized in that it comprises:
a receiving module, configured to receive an access request sent by a user via a terminal;
an acquisition module, configured to obtain the user's authorization information according to the request, and to obtain, according to the authorization information, the resource information that the user is authorized to access;
a sending module, configured to send the resource information to the terminal.
20. The server of claim 19, characterized in that the acquisition module is specifically configured to obtain, according to the authorization information, the resource information that the user was authorized to access within a most recent predetermined time, or the latest predetermined number of resource information items that the user is authorized to access; and the sending module is specifically configured to send to the terminal the resource information that the user was authorized to access within the most recent predetermined time, or the latest predetermined number of resource information items that the user is authorized to access.
21. A server, characterized in that it comprises:
a receiving module, configured to receive a request from a user, via a terminal, to access resource information located on a first server in a first domain;
an acquisition module, configured to obtain the authorization information corresponding to the resource information, the authorization information recording the relationship information, located on a second server in a second domain, that corresponds to the resource information;
a processing module, configured to judge whether the user belongs to the relationship information, to allow the user to access the resource information when the judgement is yes, and to refuse the user access to the resource information when the judgement is no.
22. The server of claim 21, characterized in that: the relationship information comprises contacts or groups;
the processing module is specifically configured to: judge whether the user belongs to the contacts in the relationship information; if so, allow the user to access the resource information and end the process; if not, send the groups in the relationship information and the user's identifier to the second server so that the second server judges whether the user belongs to the groups; receive the judgement result sent by the second server, and if the result is yes, allow the user to access the resource information, otherwise refuse the user access to the resource information.
23. A server, characterized in that it comprises:
a receiving module, configured to receive a request sent by a user via a terminal;
a sending module, configured to send a first page containing resource information to the terminal according to the request, so that the terminal sends, according to the first page, an acquisition request for relationship information to a second server in a second domain, and the terminal obtains the relationship information sent by the second server and displays it on a second page;
a storage module, configured to receive the resource information sent by the terminal and the relationship information that the user selects on the second page as corresponding to the resource information, to store a corresponding record between the selected relationship information and the resource information, and to use that corresponding record as the authorization information for accessing the resource information.
24. The server of claim 23, characterized in that
the sending module is further configured to send stored existing authorization information to the terminal according to the request, the existing authorization information containing corresponding records between relationship information already selected by the user and resource information.
25. A cross-domain authorization system, characterized in that it comprises:
a first server, located in a first domain, configured to receive a request, sent by a user via a terminal, to access resource information; to send to the terminal, according to the request, a first page containing the user's resource information, so that the terminal sends, according to the first page, an acquisition request for relationship information to a second server located in a second domain, and the terminal obtains the relationship information sent by the second server and displays it on a second page; and to receive the resource information sent by the terminal and the relationship information that the user selects on the second page as corresponding to the resource information, store a corresponding record between the selected relationship information and the resource information, and use that corresponding record as the authorization information for accessing the resource information;
a second server, located in the second domain, configured to send the user's relationship information to the terminal.
CN 200810242174 2008-12-31 2008-12-31 Setting and authentication method for cross-domain authorization and relevant device and system Expired - Fee Related CN101771676B (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN 200810242174 CN101771676B (en) 2008-12-31 2008-12-31 Setting and authentication method for cross-domain authorization and relevant device and system
PCT/CN2009/076318 WO2010075798A1 (en) 2008-12-31 2009-12-31 Configuration and authentication method for cross-domain authorization, the equipment and system thereof


Publications (2)

Publication Number Publication Date
CN101771676A true CN101771676A (en) 2010-07-07
CN101771676B CN101771676B (en) 2013-04-24

Family

ID=42309830


Country Status (2)

Country Link
CN (1) CN101771676B (en)
WO (1) WO2010075798A1 (en)


Also Published As

Publication number Publication date
CN101771676B (en) 2013-04-24
WO2010075798A1 (en) 2010-07-08


Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20130424
