CN114329387A - Single sign-on control method, system, electronic device and computer-readable medium - Google Patents

Abstract

The invention discloses a single sign-on control method, a single sign-on control system, electronic equipment and a computer readable medium, and relates to the technical field of big data access. One embodiment of the method comprises: receiving a login request from a client to generate corresponding user login information, searching a service system with access authority of a user, and returning the service system to the client; responding to the selection of a user on a target system in a business system, generating a skip request according to the login request and the link address of the target system, and sending the skip request to the target system so that the target system generates a reverse verification request according to the skip request; and receiving a reverse verification request from the target system, verifying whether the verification information of the reverse verification request is consistent with the user login information or not, obtaining a verification result and sending the verification result to the target system so as to ensure that the target system is verified successfully and allow the user to access. According to the method, a user can safely and efficiently access a plurality of service systems only by memorizing the website and the user information of the login page.

Description

Single sign-on control method, system, electronic device and computer-readable medium

technical field

The present invention relates to the technical field of big data data access, and in particular, to a single sign-on control method, system, electronic device and computer-readable medium.

Background technique

B/S structure (Browser/Server, browser/server model) is a network structure model after the rise of WEB. It has low cost of ownership, convenient maintenance, strong distribution, and simple development. It can be realized in the network without installing any special software. It can be operated anywhere, the client has zero maintenance, the system is easy to expand, and it can be used as long as there is a computer with Internet access.

With the popularization of B/S systems, more and more enterprises have established their own B/S systems, and enterprises may establish multiple business systems at different development stages and with different business requirements, and these business systems are often independent. The addresses are complex and diverse, and the user information is different. The user needs to remember the complicated website information and user information in the process of using, which seriously restricts the user's office efficiency.

SUMMARY OF THE INVENTION

In view of this, embodiments of the present invention provide a single sign-on control method, system, electronic device, and computer-readable medium. The method uses a unified login portal to respond to a user's login request, and searches for a business system to which the user has access rights , so that the user can choose the target system, and then access the target system through two handshakes, so that the user only needs to remember the login page and user information, and can access multiple business systems safely and efficiently, improving office efficiency.

To achieve the above object, according to an aspect of the embodiments of the present invention, a single sign-on control method is provided.

A single sign-on control method according to an embodiment of the present invention includes: receiving a login request from a client through a login page, generating corresponding user login information according to the login request, searching for a business system to which the user has access rights, returning the business system to the client;

In response to the user's selection of the target system in the business system, according to the login request and the link address of the target system, a jump request is generated and sent to the target system, so that the target system can be The above jump request is generated, and a reverse verification request is generated;

Receive the reverse verification request from the target system, verify whether the verification information of the reverse verification request is consistent with the user login information, obtain the verification result and send it to the target system, so that the target system It is determined that the verification is successful, and the user is allowed to access.

Optionally, generating a jump request according to the login request and the link address of the target system includes:

Extract the specified target field from the login request, and splicing the target field with the login timestamp when the user logs in to obtain a parameter string;

Encrypt and encode the parameter string to obtain an encoding result, and add the encoding result as a parameter to the link address of the target system to obtain a jump request.

Optionally, the target field includes a user ID;

The reverse verification request is generated in the following ways:

Transcoding and decrypting the parameters of the jump request;

The decrypted user ID and the login timestamp are spliced to generate the reverse verification request.

Optionally, after the step of generating corresponding user login information, the method further includes:

saving the user login information to a database; wherein the user login information includes the user ID and the login timestamp;

The verification information of the reverse verification request is consistent with the user login information, and the verification result is obtained, including:

According to the user ID of the reverse verification request, query the login timestamp of the same user ID from the database;

Compare the login timestamp obtained by the query with the login timestamp obtained by decryption. If the login timestamp obtained by the query is consistent with the login timestamp obtained by decryption, the verification is successful; otherwise, the verification fails;

After the step of obtaining the verification result, the method further includes: deleting the login timestamp corresponding to the user ID in the database.

Optionally, after the step of obtaining the verification result, the method further includes:

Determine that the verification result indicates that the verification is successful, and obtain the user permission information configured for the user;

Sending the user authority information to the target system, so that the target system displays a page according to the user authority information.

Optionally, before the step of acquiring the user permission information configured for the user, the method further includes:

Receive the user authority information configured for the user, and establish an association relationship between the user's basic user information and the user authority information; wherein the user authority information is based on the user department, user level, user type and authority One or more configurations in the bitmap, the permission bitmap is used to define the menu permission of the user.

Optionally, before the step of receiving the login request from the client through the login page, the method further includes:

receiving a verification code acquisition request from the client, and forwarding the verification code acquisition request to a short message system, so that the short message system sends a verification code to the client;

Receive the verification code sending status fed back by the short message system, and send the verification code sending status to the client, so that the user submits the login request after filling in the verification code.

To achieve the above object, according to another aspect of the embodiments of the present invention, a single sign-on control system is provided.

A single sign-on control system according to an embodiment of the present invention includes: a search module, configured to receive a log-in request from a client through a log-in page, generate corresponding user log-in information according to the log-in request, and search for a user who has access rights. a business system, returning the business system to the client;

The generating module is configured to, in response to the user's selection of the target system in the business system, generate a jump request according to the login request and the link address of the target system and send it to the target system, so that all The target system generates a reverse verification request according to the jump request;

A verification module, configured to receive a reverse verification request from the target system, verify whether the verification information of the reverse verification request is consistent with the user login information, obtain a verification result and send it to the target system, In order for the target system to determine that the verification is successful, the user is allowed to access.

Optionally, the generating module is also used for

Extract the specified target field from the login request, and splicing the target field with the login timestamp when the user logs in to obtain a parameter string; and

Encrypt and encode the parameter string to obtain an encoding result, and add the encoding result as a parameter to the link address of the target system to obtain a jump request.

Optionally, the target field includes a user ID;

The reverse verification request is generated in the following ways:

Transcoding and decrypting the parameters of the jump request;

The decrypted user ID and the login timestamp are spliced to generate the reverse verification request.

Optionally, the system further includes:

a saving module, configured to save the user login information to a database; wherein the user login information includes the user ID and the login timestamp;

a deletion module, configured to delete the login timestamp corresponding to the user ID in the database after obtaining the verification result;

The verification module is further configured to query the login timestamp of the same user ID from the database according to the user ID of the reverse verification request; and

Compare the login timestamp obtained by the query with the login timestamp obtained by decryption. If the login timestamp obtained by the query is consistent with the login timestamp obtained by the decryption, the verification succeeds; otherwise, the verification fails.

Optionally, the system further includes:

an authority acquisition module, configured to determine that the verification result indicates that the verification is successful, and acquire user authority information configured for the user; and

Sending the user authority information to the target system, so that the target system displays a page according to the user authority information.

Optionally, the system further includes:

Establishing module, configured to receive the user authority information configured for the user, and establish an association relationship between the basic user information of the user and the user authority information; wherein, the user authority information is based on the user department, user level , user type and one or more configurations in the permission bitmap, where the permission bitmap is used to define the menu permission of the user.

Optionally, the system further includes:

a verification code acquisition module, configured to receive a verification code acquisition request from the client, and forward the verification code acquisition request to a short message system, so that the short message system sends a verification code to the client; and

Receive the verification code sending status fed back by the short message system, and send the verification code sending status to the client, so that the user submits the login request after filling in the verification code.

To achieve the above object, according to yet another aspect of the embodiments of the present invention, an electronic device is provided.

An electronic device according to an embodiment of the present invention includes: one or more processors; and a storage device configured to store one or more programs, when the one or more programs are executed by the one or more processors, The one or more processors are caused to implement a single sign-on control method according to an embodiment of the present invention.

To achieve the above object, according to yet another aspect of the embodiments of the present invention, a computer-readable medium is provided.

A computer-readable medium according to an embodiment of the present invention stores a computer program thereon, and when the program is executed by a processor, a single sign-on control method according to an embodiment of the present invention is implemented.

To achieve the above object, according to yet another aspect of the embodiments of the present invention, a computer program product is provided.

A computer program product according to an embodiment of the present invention includes a computer program, which implements a single sign-on control method according to an embodiment of the present invention when the program is executed by a processor.

An embodiment of the above invention has the following advantages or beneficial effects: using a unified login portal to respond to a user's login request, and searching for a business system that the user has access rights to, so that the user can select a target system, and then use a two-way handshake method. Accessing the target system enables users to safely and efficiently access multiple business systems by simply remembering the login page and user information, thereby improving office efficiency. By encrypting the link address that jumps to the target system, sensitive information leakage and malicious tampering are prevented.

By transcoding and decrypting the received jump request, the decrypted user ID and login timestamp are obtained, which is convenient for subsequent decryption and verification. Compare the login timestamp obtained by decryption with the login timestamp saved when the same user logs in to realize reverse verification to ensure the correctness of the login information; at the same time, after the comparison, clear the saved login timestamp to ensure that the jump link can only be used. Use once.

Based on the configured user permission information, the page is displayed to the user, so that the user can only see and operate the page content to which they have permission. It supports a variety of permission control strategies, and can be refined to the permission control of menu-level permissions to meet the permission control requirements of business systems. Requesting login in the form of dynamic verification code further ensures login security and avoids brute force login.

Further effects of the above non-conventional alternatives will be described below in conjunction with specific embodiments.

Description of drawings

The accompanying drawings are used for better understanding of the present invention and do not constitute an improper limitation of the present invention. in:

1 is a schematic diagram of main steps of a single sign-on control method according to an embodiment of the present invention;

2 is a schematic diagram of a main flow of a single sign-on control method according to an embodiment of the present invention;

3 is a schematic diagram of a user management entity according to an embodiment of the present invention;

Fig. 4 is the sequence diagram of the embodiment of the present invention that uses user ID and password to perform login authentication;

5 is a sequence diagram of using a mobile phone number and a verification code to perform login authentication according to an embodiment of the present invention;

6 is a sequence diagram of the first handshake authentication according to an embodiment of the present invention;

7 is a sequence diagram of a second handshake authentication according to an embodiment of the present invention;

8 is a schematic diagram of main modules of a single sign-on control system according to an embodiment of the present invention;

FIG. 9 is an exemplary system architecture diagram to which an embodiment of the present invention may be applied;

FIG. 10 is a schematic structural diagram of a computer system suitable for implementing an electronic device according to an embodiment of the present invention.

Detailed ways

Exemplary embodiments of the present invention are described below with reference to the accompanying drawings, which include various details of the embodiments of the present invention to facilitate understanding and should be considered as exemplary only. Accordingly, those of ordinary skill in the art will recognize that various changes and modifications of the embodiments described herein can be made without departing from the scope and spirit of the invention. Also, descriptions of well-known functions and constructions are omitted from the following description for clarity and conciseness.

The acquisition, storage, use, and processing of data in the technical solution of this application are in compliance with the relevant provisions of national laws and regulations.

The terms involved in the embodiments of the present invention are explained below.

B/S architecture: that is, the application system established by the browser and server architecture mode.

SMS: The full English name is Short Message Service, which means short message service, which is a store and forward service.

URL: The full English name is Uniform Resource Locator, which means Uniform Resource Locator.

IP: Internet Protocol, is the protocol for interconnection between networks.

Single sign-on: English full name is Single Sign On, abbreviated as SSO, which is defined as in multiple application systems, users only need to log in once to access all mutually trusted application systems.

FIG. 1 is a schematic diagram of main steps of a single sign-on control method according to an embodiment of the present invention. As shown in FIG. 1 , the single sign-on control method according to the embodiment of the present invention is implemented by a single sign-on control system, and mainly includes the following steps:

Step S101: Receive a login request from a client through a login page, generate corresponding user login information according to the login request, search for a business system to which the user has access rights, and return the business system to the client. The user opens the login page using the client to send a login request to the single sign-on control system. The login request may include a user ID and password, or may be a user ID and a verification code. The user ID can be a unique ID such as a user name and a mobile phone number.

The single sign-on control system verifies the login request. After the verification is passed, the user is allowed to log in, and based on the login request, the corresponding user login information is generated. The user login information may include a user ID, a login timestamp, and may also include a client address and a server address (ie, the IP address of the server of the single sign-on control system). The single sign-on control system also searches for business systems to which the user has access rights based on the user ID, and returns these business systems to the client, so that the user can select the system he wants to log in to as the target system.

Step S102: In response to the user's selection of the target system in the business system, according to the login request and the link address of the target system, generate a jump request and send it to the target system, so that the target The system generates a reverse verification request according to the jump request. After the user successfully logs in to the single sign-on control system, he or she selects to enter the target system through the system selection page. The single sign-on control system generates a jump request based on the login request and the link address of the target system to request jumping to the target system. The target system receives the jump request, obtains the request information, and returns the jump success information. This completes the first handshake authentication.

In a preferred embodiment, the single sign-on control system encrypts the link address (URL) of the target system, and then sends a jump request to the target system to prevent leakage of sensitive information and malicious tampering. Specifically, the specified target field can be extracted from the login request first, and the target field and the login timestamp can be spliced to obtain a parameter string; then the parameter string is encrypted and encoded to obtain the encoding result, and the encoding result is added as a parameter to the target The link address of the system, you can get the jump request.

Step S103: Receive the reverse verification request from the target system, verify whether the verification information of the reverse verification request is consistent with the user login information, obtain the verification result and send it to the target system, so that all The target system determines that the verification is successful and allows the user to access. The target system sends a reverse verification request to the single sign-on control system to verify the legitimacy of the user ID and login timestamp. The reverse authentication request includes the user ID and the login timestamp.

After receiving the reverse verification request, the single sign-on control system verifies whether the user ID and login timestamp sent by the target system are consistent with the user ID and login timestamp in the user login information, and feeds back the verification result to the target system. Based on the verification result, the target system establishes a session with the user's client if the verification is successful, and allows the user to access; if the verification fails, returns a rejection page. This completes the second handshake authentication.

This embodiment establishes a single sign-on control system under the condition of ensuring the original functions of the business system. Users can access multiple business systems safely and efficiently with a unified login address and unique user information. Various problems caused by the business system and multiple login methods have improved office efficiency; at the same time, the information security of logged-in users is ensured through two handshakes.

FIG. 2 is a schematic diagram of a main flow of a single sign-on control method according to an embodiment of the present invention.

As shown in FIG. 2 , the single sign-on control method according to the embodiment of the present invention mainly includes the following steps:

Step S201: Receive the configured basic user information and user authority information to construct a user management system. Establish a multi-level user management system, including basic user information, user authority information, and the relationship between user basic information and user authority information.

Among them, the basic user information is used to save the basic feature information of the unique user, which may include user ID, organization number, login password, contact information, etc. The user ID is the unique user ID for logging in to the system; the organization ID is the organization to which the user belongs and is used for Different institutions provide different permissions; the login password, encrypted and stored, is used for user login verification; the contact information is used to provide the login method of the mobile phone number verification code.

User permission information is used to save permission information applicable to different system permission control methods. It can be used to provide control permissions such as user level, user department, and user type. It can also control the specific menu permissions of each user through permission bitmaps. In an embodiment, the user permission information may be configured according to one or more of the user department, user level, user type and permission bitmap. For example, user authority information includes user ID, channel ID, department ID, user level, user type, and permission bitmap.

Among them, the channel number is the unique number of the business system; the department number is used to distinguish the user rights of different departments; the user level is used to distinguish the user rights of different levels; the user type provides different user types for the business system to distinguish different user rights; The bitmap is used to define the specific menu function authority of the user. The content of the authority bitmap can be of the following types: 0, no authority; 1, query authority; 2, maintenance authority; 3, review authority, etc.

FIG. 3 is a schematic diagram of a user management entity according to an embodiment of the present invention. As shown in FIG. 3 , the basic user information includes user name, organization number, login password, mobile phone number, user status, etc., and user permission information includes user level, user type, permission bitmap, and the like. A primary key (PK) is used to associate user basic information with user authority information.

Step S202: The user sends a login request to the single sign-on control system by using the client, and performs unified login authentication through the single sign-on control system. The login authentication method can be the user ID and password, or the mobile phone number and verification code bound to the user.

In the embodiment, it is assumed that the user is UserA, and the single sign-on control system is Channel System. Assuming that the enterprise employee UserA needs to access the target system System A, unified login authentication can be performed through the Channel System. The above two login authentication methods are described below with reference to FIG. 4 and FIG. 5 .

FIG. 4 is a sequence diagram of performing login authentication using a user ID and a password according to an embodiment of the present invention. As shown in Figure 4, the implementation process of the user using the user ID and password for login authentication is as follows:

Step S401: UserA opens the unified login page through the client, and enters the user ID and password to log in to the Channel System.

Step S402: The Channel System verifies the correctness of the user ID and password submitted by UserA, and after the verification is successful, allows UserA to log in, generates user login information and saves it to the database, loads the corresponding user authority information, and determines which business systems UserA has access authority to , that is, the authority of the "channel number" in Figure 3. User login information includes: user ID, login timestamp, client address and server address.

Step S403: Channel System displays to UserA the business systems that it has access rights to through the system selection page. Assuming that these business systems include System A, the display content includes the entry of System A.

FIG. 5 is a sequence diagram of login authentication using a mobile phone number and a verification code according to an embodiment of the present invention. As shown in Figure 5, the implementation process for the user to use the bound mobile phone number and verification code for login authentication is as follows:

Step S501: UserA opens the unified login page through the client, inputs the mobile phone number bound to itself, and sends a verification code acquisition request to the Channel System.

Step S502: After receiving the verification code acquisition request from UserA, the Channel System forwards the verification code acquisition request to System SMS (Short Message System).

Step S503: System SMS sends a verification code to the bound mobile phone number of UserA.

Step S504: The System SMS feeds back the verification code sending status to the Channel System.

Step S505: After receiving the verification code sending status, the Channel System sends the verification code sending status to UserA. In the embodiment, the Channel System displays the verification code sending status to UserA in the form of a page.

Step S506: After receiving the verification code, UserA fills in the verification code and submits a login request.

Step S507: After receiving the verification code, the Channel System sends it to the System SMS to judge the correctness of the verification code.

Step S508: The System SMS returns the verification result of the verification code to the Channel System.

Step S509: After receiving the verification result, the Channel System determines that the verification is successful, allows UserA to log in, generates user login information and saves it to the database, loads the corresponding user authority information, and determines which business system access authority UserA has, that is, in FIG. 3 . "Channel ID" permission.

Step S510: The Channel System displays to UserA the business systems that it has access rights to through the system selection page. Assuming that these business systems include System A, the display content includes the entry of System A.

Step S203: After the login authentication is passed, the user logs in to the single sign-on control system, selects a target system that has access rights through the system selection page, and performs the first handshake authentication. After UserA successfully logs in to the Channel System, based on the system selection page returned by the Channel System, he selects the target system System A from the business systems he has access rights to, and then performs the first handshake authentication.

FIG. 6 is a sequence diagram of the first handshake authentication according to an embodiment of the present invention. As shown in FIG. 6 , the implementation process of the first handshake authentication in the embodiment of the present invention is as follows:

Step S601: UserA selects to enter System A through the system selection page.

Step S602: The Channel System encrypts the URL entry of System A, obtains a jump request, and sends the jump request to System A. Specifically, the specified target field is extracted from the login request, and the target field is spliced with the login timestamp when the user logs in to obtain a parameter string; then the parameter string is encrypted and encoded to obtain an encoding result, and the encoding result is added as a parameter The link address to the target system to get the jump request.

In the embodiment, the target fields are user ID (USERID), channel number (CHNA1_NO), server address (IP) and port (PORT). If the login timestamp is represented by TIMESTAMP, you can use a connector, such as "&", to concatenate the target field and the login timestamp to obtain a parameter string. At this point, the parameter string is as follows:

USERID=001&TIMESTAMP=20131108142213301&CHNAL_NO=15&IP=XXX.XXX.XXX.XXX&PORT=7001

Use an encryption algorithm to encrypt the above parameter string. The encryption algorithm can be optional, for example:

urlDisturb ud=new urlDisturb();

String strEncode=new String(ud.encode(parameter string.getBytes()));

After encryption, the encrypted string can also be encoded to prevent special characters in the encrypted string from being decrypted after being transcoded by the browser. In the embodiment, use URLEncoder encoding method to encode:

strURLEncode=URLEncoder.encode(strEncode)

The final jump request can be:

http://System A IP:PORT/System A_WEB/loginAction.do? PARAM=strURLEncode

Step S603: After receiving the jump request, System A decrypts the jump request and obtains the request information. According to the reverse process of encryption and encoding, the parameter (PARAM) of the jump request is transcoded and decrypted. Take URLEncoder encoding as an example, you need to use URLDecoder to transcode:

strURLDecode=URLDecoder.decode(strURLEncode)

Then use the corresponding decryption algorithm to decrypt the transcoding result, for example, the decryption algorithm is:

urlDisturb ud=new urlDisturb();

String deUrl=new String(ud.decode(strURLDecode.getBytes()));

Step S604: System A feeds back response information of successful jumping to the Channel System.

Step S204: The target system calls back to obtain the user authority information of the user management system, and performs the second handshake authentication. After receiving the jump request, System A initiates reverse verification to the Channel System again to verify the legitimacy of the user's login information and obtain user permission information.

FIG. 7 is a sequence diagram of a second handshake authentication according to an embodiment of the present invention. As shown in FIG. 7 , the implementation process of the second handshake authentication according to the embodiment of the present invention is as follows:

Step S701: System A initiates a reverse verification request to Channel System to verify the legitimacy of USERID and TIMESTAMP. System A splices the decrypted user ID and login timestamp (which may also include the channel number) into a reverse verification request, and reversely calls the Channel System according to the server address.

In the embodiment, the request format of the reverse authentication request may be: http://Channel System_ip:port/svcManager/UserSingleLoginServlet? xml=xml format message

Step S702: The Channel System verifies whether the user ID and login timestamp sent from System A are consistent with the user login information stored in the database. It can be seen from Figure 4 and Figure 5 that when the user clicks Channel System to jump to System A, the user login information has been saved to the database.

Channel System queries the login timestamp of the same user ID from the database according to the user ID of the reverse verification request; then compares the login timestamp obtained by the query with the decryption timestamp returned by System A. If the stamp is consistent with the login timestamp obtained by decryption, the verification succeeds; otherwise, the verification fails.

Step S703: The Channel System returns the verification result to System A, and returns the user permission information when the verification is successful. If the verification is successful, obtain the user permission information configured for UserA, and send the user permission information to System A. If the verification fails, an error message is returned to System A. Then delete the login timestamp corresponding to the user ID in the database to ensure that the jump link can only be used once.

Step S704: After the System A receives the verification result, if the verification result indicates that the verification is successful, it establishes a session with UserA, and displays relevant functions according to the user permission information; if the verification result indicates that the verification fails, it returns a rejection page.

It can be seen from the above description that a single sign-on control system is established in this embodiment. The system uses a unified login entry to establish a unified user management system, and the user only needs to remember the user password of the single sign-on control system. , there is no need to memorize the user passwords of multiple sets of business systems, which seriously reduces the user's burden; at the same time, it supports a variety of permission control strategies, supports the distinction between organizations, organization levels, departments, and user types, and can also be refined to menu-level permission control, which can be adapted to the needs of users. Compatible with the permission control requirements of most business systems; at the same time, through two handshakes and encryption coding, the information security of logged-in users is guaranteed.

FIG. 8 is a schematic diagram of main modules of a single sign-on control system according to an embodiment of the present invention. As shown in FIG. 8 , the single sign-on control system 800 according to the embodiment of the present invention mainly includes:

A search module 801 is configured to receive a login request from a client through a login page, generate corresponding user login information according to the login request, search for a business system to which the user has access rights, and return the business system to the client . The user opens the login page using the client to send a login request to the single sign-on control system. The login request may include a user ID and password, or may be a user ID and a verification code. The user ID can be a unique ID such as a user name and a mobile phone number.

The single sign-on control system verifies the login request. After the verification is passed, the user is allowed to log in, and based on the login request, the corresponding user login information is generated. The user login information may include a user ID, a login timestamp, and may also include a client address and a server address. The single sign-on control system also searches for business systems to which the user has access rights based on the user ID, and returns these business systems to the client, so that the user can select the system he wants to log in to as the target system.

The generating module 802 is configured to, in response to the user's selection of the target system in the business system, generate a jump request according to the login request and the link address of the target system and send it to the target system, so that The target system generates a reverse verification request according to the jump request.

After the user successfully logs in to the single sign-on control system, he or she selects to enter the target system through the system selection page. The single sign-on control system generates a jump request based on the login request and the link address of the target system to request jumping to the target system. The target system receives the jump request, obtains the request information, and returns the jump success information. This completes the first handshake authentication.

A verification module 803, configured to receive a reverse verification request from the target system, verify whether the verification information of the reverse verification request is consistent with the user login information, obtain a verification result and send it to the target system , so that the target system determines that the verification is successful and allows the user to access. The target system sends a reverse verification request to the single sign-on control system to verify the legitimacy of the user ID and login timestamp. The reverse authentication request includes the user ID and the login timestamp.

After receiving the reverse verification request, the single sign-on control system verifies whether the user ID and login timestamp sent by the target system are consistent with the user ID and login timestamp in the user login information, and feeds back the verification result to the target system. Based on the verification result, the target system establishes a session with the user's client if the verification is successful, and allows the user to access; if the verification fails, returns a rejection page. This completes the second handshake authentication.

In addition, the single sign-on control system 800 in this embodiment of the present invention may further include: a saving module, a deletion module, a permission acquisition module, a creation module, and a verification code acquisition module (not shown in FIG. 8 ). Wherein, the saving module is configured to save the user login information to a database; wherein, the user login information includes the user ID and the login timestamp. A deletion module, configured to delete the login timestamp corresponding to the user ID in the database after the verification result is obtained.

an authority acquisition module, configured to determine that the verification result indicates that verification is successful, and acquire user authority information configured for the user; and send the user authority information to the target system, so that the target system can The above user permission information is displayed on the page.

Establishing module, configured to receive the user authority information configured for the user, and establish an association relationship between the basic user information of the user and the user authority information; wherein, the user authority information is based on the user department, user level , user type and one or more configurations in the permission bitmap, where the permission bitmap is used to define the menu permission of the user.

A verification code acquisition module, configured to receive a verification code acquisition request from the client, forward the verification code acquisition request to a short message system, so that the short message system sends a verification code to the client; and receive the short message The verification code sending status returned by the system is sent to the client, so that the user submits the login request after filling in the verification code.

It can be seen from the above description that a unified login entry is used to respond to the user's login request, and to find the business system that the user has access rights to, so that the user can select the target system, and then access the target system through two handshakes, so that the user only has access to the target system. You need to remember a website information and user information, you can access multiple business systems safely and efficiently, and improve office efficiency. By encrypting the link address that jumps to the target system, sensitive information leakage and malicious tampering are prevented.

FIG. 9 shows an exemplary system architecture 900 of a single sign-on control method or a single sign-on control system to which embodiments of the present invention may be applied.

As shown in FIG. 9 , the system architecture 900 may include terminal devices 901 , 902 , and 903 , a network 904 and a server 905 . The network 904 is a medium used to provide a communication link between the terminal devices 901 , 902 , 903 and the server 905 . The user can use the terminal devices 901, 902, 903 to interact with the server 905 through the network 904 to receive or send messages and the like.

The server 905 may be a server that provides various services, for example, a background management server that provides support for users to log in requests sent by the terminal devices 901 , 902 , and 903 . The background management server can generate user login information, return to the business system to which the user has authority, generate jump requests, verify whether the information is consistent, etc., and feed back the processing results (such as verification results) to the terminal device.

It should be noted that the single sign-on control method provided by the embodiment of the present invention is generally executed by the server 905 , and accordingly, the single sign-on control system is generally set in the server 905 .

It should be understood that the numbers of terminal devices, networks and servers in FIG. 9 are only illustrative. There can be any number of terminal devices, networks and servers according to implementation needs.

According to embodiments of the present invention, the present invention also provides an electronic device, a computer-readable medium, and a computer program product.

The electronic device of the present invention comprises: one or more processors; storage means for storing one or more programs, when the one or more programs are executed by the one or more processors, so that the one or more programs A plurality of processors implement a single sign-on control method according to an embodiment of the present invention.

The computer-readable medium of the present invention stores a computer program thereon, and when the program is executed by a processor, a single sign-on control method according to an embodiment of the present invention is implemented.

The computer program product of the present invention includes a computer program, which implements a single sign-on control method according to an embodiment of the present invention when the program is executed by a processor.

Referring next to FIG. 10 , it shows a schematic structural diagram of a computer system 1000 suitable for implementing the electronic device of the embodiment of the present invention. The terminal device shown in FIG. 10 is only an example, and should not impose any limitations on the functions and scope of use of the embodiments of the present invention.

As shown in FIG. 10, a computer system 1000 includes a central processing unit (CPU) 1001, which can be loaded into a random access memory (RAM) 1003 according to a program stored in a read only memory (ROM) 1002 or a program from a storage section 1008 Instead, various appropriate actions and processes are performed. In the RAM 1003, various programs and data necessary for the operation of the system 1000 are also stored. The CPU 1001 , the ROM 1002 , and the RAM 1003 are connected to each other through a bus 1004 . An input/output (I/O) interface 1005 is also connected to the bus 1004 .

The following components are connected to the I/O interface 1005: an input section 1006 including a keyboard, a mouse, etc.; an output section 1007 including a cathode ray tube (CRT), a liquid crystal display (LCD), etc., and a speaker, etc.; a storage section 1008 including a hard disk, etc. ; and a communication section 1009 including a network interface card such as a LAN card, a modem, and the like. The communication section 1009 performs communication processing via a network such as the Internet. A drive 1010 is also connected to the I/O interface 1005 as needed. A removable medium 1011, such as a magnetic disk, an optical disk, a magneto-optical disk, a semiconductor memory, etc., is mounted on the drive 1010 as needed so that a computer program read therefrom is installed into the storage section 1008 as needed.

In particular, the processes described above with reference to the flowcharts may be implemented as computer software programs in accordance with the disclosed embodiments of the present invention. For example, embodiments disclosed herein include a computer program product comprising a computer program carried on a computer-readable medium, the computer program containing program code for performing the method illustrated in the flowchart. In such an embodiment, the computer program may be downloaded and installed from the network via the communication portion 1009, and/or installed from the removable medium 1011. When the computer program is executed by the central processing unit (CPU) 1001, the above-described functions defined in the system of the present invention are executed.

The modules involved in the embodiments of the present invention may be implemented in a software manner, and may also be implemented in a hardware manner. The described modules can also be set in the processor, for example, it can be described as: a processor includes a search module, a generation module and a verification module. Among them, the names of these modules do not constitute a limitation of the module itself under certain circumstances. For example, the search module can also be described as "receiving a login request from a client, and generating corresponding user login information according to the login request. , and find the business system that the user has access rights to, and return the business system to the client's module".

As another aspect, the present invention also provides a computer-readable medium, which may be included in the device described in the above embodiments; or may exist alone without being assembled into the device. The above-mentioned computer-readable medium carries one or more programs, and when the above-mentioned one or more programs are executed by a device, the device includes: receiving a login request from a client, and generating a corresponding user login request according to the login request information, and look up the business system to which the user has access rights, and return the business system to the client; in response to the user's selection of the target system in the business system, according to the login request and the target system link address, generate a jump request and send it to the target system, so that the target system can generate a reverse verification request according to the jump request; receive a reverse verification request from the target system, verify all Whether the verification information of the reverse verification request is consistent with the user login information, the verification result is obtained and sent to the target system, so that the target system determines that the verification is successful and allows the user to access.

According to the technical solution of the embodiment of the present invention, a unified login portal is used to respond to the user's login request, and the business system to which the user has access rights is searched for the user to select the target system, and subsequently the target system is accessed by two handshakes, so that Users only need to remember the website information and user information of the login page, and they can access multiple business systems safely and efficiently, improving office efficiency. By encrypting the link address that jumps to the target system, sensitive information leakage and malicious tampering are prevented.

The above-mentioned specific embodiments do not constitute a limitation on the protection scope of the present invention. It should be understood by those skilled in the art that various modifications, combinations, sub-combinations and substitutions may occur depending on design requirements and other factors. Any modifications, equivalent replacements and improvements made within the spirit and principle of the present invention shall be included within the protection scope of the present invention.

Claims (17)

1. A single sign-on control method, characterized in that, comprising: Receive a login request from the client through the login page, generate corresponding user login information according to the login request, search for a business system to which the user has access rights, and return the business system to the client; In response to the user's selection of the target system in the business system, according to the login request and the link address of the target system, a jump request is generated and sent to the target system, so that the target system can be The above jump request is generated, and a reverse verification request is generated; Receive a reverse verification request from the target system, verify whether the verification information of the reverse verification request is consistent with the user login information, obtain a verification result and send it to the target system, so that the target system It is determined that the verification is successful, and the user is allowed to access. 2. The method according to claim 1, wherein, generating a jump request according to the login request and the link address of the target system, comprising: Extract the specified target field from the login request, and splicing the target field with the login timestamp when the user logs in to obtain a parameter string; Encrypt and encode the parameter string to obtain an encoding result, and add the encoding result as a parameter to the link address of the target system to obtain a jump request. 3. The method according to claim 2, wherein the target field comprises a user identification; The reverse verification request is generated in the following ways: Transcoding and decrypting the parameters of the jump request; The decrypted user ID and the login timestamp are spliced to generate the reverse verification request. 4. The method according to claim 3, wherein after the step of generating corresponding user login information, the method further comprises: saving the user login information to a database; wherein the user login information includes the user ID and the login timestamp; The verification information of the reverse verification request is consistent with the user login information, and the verification result is obtained, including: According to the user ID of the reverse verification request, query the login timestamp of the same user ID from the database; Compare the login timestamp obtained by the query with the login timestamp obtained by decryption. If the login timestamp obtained by the query is consistent with the login timestamp obtained by decryption, the verification is successful; otherwise, the verification fails; After the step of obtaining the verification result, the method further includes: deleting the login timestamp corresponding to the user ID in the database. 5. The method according to claim 1, wherein after the step of obtaining the verification result, the method further comprises: Determine that the verification result indicates that the verification is successful, and obtain the user permission information configured for the user; Sending the user authority information to the target system, so that the target system displays a page according to the user authority information. 6. The method according to claim 5, wherein before the step of acquiring the user permission information configured for the user, the method further comprises: Receive the user authority information configured for the user, and establish an association relationship between the user's basic user information and the user authority information; wherein the user authority information is based on the user department, user level, user type and authority One or more configurations in the bitmap, the permission bitmap is used to define the menu permission of the user. 7. The method according to any one of claims 1 to 6, wherein before the step of receiving a login request from a client through a login page, the method further comprises: receiving a verification code acquisition request from the client, and forwarding the verification code acquisition request to a short message system, so that the short message system sends a verification code to the client; Receive the verification code sending status fed back by the short message system, and send the verification code sending status to the client, so that the user submits the login request after filling in the verification code. 8. A single sign-on control system, comprising: a search module, configured to receive a login request from a client through a login page, generate corresponding user login information according to the login request, search for a business system to which the user has access rights, and return the business system to the client; The generating module is configured to, in response to the user's selection of the target system in the business system, generate a jump request according to the login request and the link address of the target system and send it to the target system, so that all The target system generates a reverse verification request according to the jump request; A verification module, configured to receive a reverse verification request from the target system, verify whether the verification information of the reverse verification request is consistent with the user login information, obtain a verification result and send it to the target system, In order for the target system to determine that the verification is successful, the user is allowed to access. 9. The system according to claim 8, wherein the generating module is further configured to Extract the specified target field from the login request, and splicing the target field with the login timestamp when the user logs in to obtain a parameter string; and Encrypt and encode the parameter string to obtain an encoding result, and add the encoding result as a parameter to the link address of the target system to obtain a jump request. 10. The system of claim 9, wherein the target field comprises a user identification; The reverse verification request is generated in the following ways: Transcoding and decrypting the parameters of the jump request; The decrypted user ID and the login timestamp are spliced to generate the reverse verification request. 11. The system of claim 10, wherein the system further comprises: a saving module, configured to save the user login information to a database; wherein the user login information includes the user ID and the login timestamp; a deletion module, configured to delete the login timestamp corresponding to the user ID in the database after obtaining the verification result; The verification module is further configured to query the login timestamp of the same user ID from the database according to the user ID of the reverse verification request; and Compare the login timestamp obtained by the query with the login timestamp obtained by decryption. If the login timestamp obtained by the query is consistent with the login timestamp obtained by the decryption, the verification succeeds; otherwise, the verification fails. 12. The system of claim 8, wherein the system further comprises: an authority acquisition module, configured to determine that the verification result indicates that the verification is successful, and acquire user authority information configured for the user; and Sending the user authority information to the target system, so that the target system displays a page according to the user authority information. 13. The system of claim 12, wherein the system further comprises: Establishing module, configured to receive the user authority information configured for the user, and establish an association relationship between the basic user information of the user and the user authority information; wherein, the user authority information is based on the user department, user level , user type and one or more configurations in the permission bitmap, where the permission bitmap is used to define the menu permission of the user. 14. The system according to any one of claims 8 to 13, wherein the system further comprises: a verification code acquisition module, configured to receive a verification code acquisition request from the client, and forward the verification code acquisition request to a short message system, so that the short message system sends a verification code to the client; and Receive the verification code sending status fed back by the short message system, and send the verification code sending status to the client, so that the user submits the login request after filling in the verification code. 15. An electronic device, comprising: one or more processors; storage means for storing one or more programs, The one or more programs, when executed by the one or more processors, cause the one or more processors to implement the method of any of claims 1-7. 16. A computer-readable medium on which a computer program is stored, characterized in that, when the program is executed by a processor, the method according to any one of claims 1-7 is implemented. 17. A computer program product, comprising a computer program, characterized in that, when the program is executed by a processor, the method according to any one of claims 1-7 is implemented.

Images