CN114374529B - Resource access method, device, system, electronic device, medium and program - Google Patents
- Publication number: CN114374529B (application CN202111406965.7A)
- Authority: CN (China)
- Legal status: Active (status as listed by Google Patents; it is an assumption, not a legal conclusion)
Classifications (CPC, all under H04L63/00, network architectures or network communication protocols for network security)
- H04L63/0272: Virtual private networks
- H04L63/029: Firewall traversal, e.g. tunnelling or creating pinholes
- H04L63/08: Authentication of entities
- H04L63/083: Authentication of entities using passwords
- H04L63/0861: Authentication of entities using biometrical features, e.g. fingerprint, retina-scan
- H04L63/10: Controlling access to devices or network resources
Description
Technical Field
The present invention relates to the field of Internet technology, and in particular to a resource access method, device, system, electronic device, medium and program.
Background Art
With the spread of the Web and the rise of remote work, more and more enterprises use virtual private network technology to connect employees to the corporate network. As an enterprise grows, its employees hold a variety of identities, such as regular employees and outsourced employees. Employees of every identity need to access the corporate network, yet the corporate applications that employees of different identities may access are not the same. Some applications can be accessed directly over the Internet, while others can be accessed only after connecting to the virtual private network through a virtual private network client.
Because the Web browser and the virtual private network client are different applications, and the security policy of the operating system prevents sessions from being shared between different applications, the user must authenticate when logging in to the enterprise portal server through the Web browser and, when accessing intranet resources of the enterprise network, must additionally connect to the virtual private network and log in to the virtual private network server a second time. Repeated logins not only give a poor user experience; because the account and password are entered multiple times, they also increase the risk of the user's password leaking and lower the security of the whole system.
The prior art therefore has the defect that accessing the intranet resources of the enterprise network requires multiple logins, so that the login process is complicated and the security is low, and a technical solution that overcomes this defect is urgently needed.
Summary of the Invention
The present invention provides a resource access method, system, electronic device, storage medium and program to overcome the defects of the prior art, namely that accessing the internal network resources of an enterprise requires multiple logins, that the login process is complicated and that the security is low, and thereby to achieve fast and secure login.
The present invention provides a resource access method, comprising:
sending a login request to an enterprise portal server so that the enterprise portal server authenticates the user;
receiving the authorization credential returned by the enterprise portal server when the login request is approved;
sending a verification request to a virtual private network server through a virtual private network client so that the virtual private network server verifies the identity of the user, wherein the verification request carries the authorization credential;
when the verification request passes verification, using the virtual private network client to establish an encrypted communication tunnel with the virtual private network server, so that intranet resources are accessed through the encrypted communication tunnel.
According to a resource access method provided by the present invention, after sending the login request to the enterprise portal server and before sending the verification request to the virtual private network server through the virtual private network client, the method further includes:
detecting whether the virtual private network client is installed;
if the virtual private network client is not detected, prompting the user to install the virtual private network client, and after installation is complete, executing the step of detecting whether the virtual private network client is installed again;
if the virtual private network client is detected, starting the virtual private network client.
According to a resource access method provided by the present invention, the verification request carries the IP address information of the initiator of the verification request, and the authorization credential carries the IP address information of the initiator of the login request, so that the virtual private network server can verify that the two IP addresses are consistent.
The present invention also provides a resource access method, comprising:
receiving a verification request sent by a user terminal, wherein the verification request carries an authorization credential;
requesting user information from an enterprise portal server according to the authorization credential;
receiving the user information returned by the enterprise portal server, and verifying the verification request according to the user information;
when the verification passes, sending verification-passed information to the user terminal and establishing an encrypted communication tunnel with the user terminal, so that the user terminal can access intranet resources through the encrypted communication tunnel.
According to a resource access method provided by the present invention, the verification request carries the IP address information of the initiator of the verification request, and the authorization credential carries the IP address information of the initiator of the login request;
correspondingly, after receiving the verification request from the user terminal and before requesting the user information from the enterprise portal server according to the authorization credential, the method further includes:
if the IP address information of the initiator of the verification request carried in the verification request is inconsistent with the IP address information of the initiator of the login request carried in the authorization credential, determining that the verification request fails verification;
if the IP address information of the initiator of the verification request carried in the verification request is consistent with the IP address information of the initiator of the login request carried in the authorization credential, executing the step of requesting user information from the enterprise portal server according to the authorization credential.
The present invention also provides a resource access method, comprising: receiving a login request sent by a user terminal;
when the login request is approved, sending an authorization credential to the user terminal;
receiving a user information request sent by a virtual private network server;
when the user information request carries the authorization credential, sending the corresponding user information to the virtual private network server according to the authorization credential, so that the virtual private network server can verify the verification request sent by the user terminal.
According to a resource access method provided by the present invention, after sending the authorization credential to the user terminal when the login request is approved, the method further includes:
in response to an open resource access request from the user terminal, returning an open resource link to the user terminal so that the user terminal can access the corresponding open resource.
According to a resource access method provided by the present invention, after sending the corresponding user information to the virtual private network server according to the authorization credential when the user information request carries the authorization credential, the method further includes:
when the verification request corresponding to the authorization credential passes, responding to an intranet resource access request from the user terminal by returning an intranet resource link to the user terminal, so that the user terminal can access the corresponding intranet resource through the encrypted communication tunnel established with the virtual private network server.
The present invention also provides a resource access device, comprising:
a login request sending unit, configured to send a login request to an enterprise portal server so that the enterprise portal server authenticates the user;
an authorization credential receiving unit, configured to receive the authorization credential returned by the enterprise portal server when the login request is approved;
a verification request sending unit, configured to send a verification request to a virtual private network server through a virtual private network client so that the virtual private network server verifies the identity of the user, wherein the verification request carries the authorization credential;
a first encrypted communication unit, configured to use the virtual private network client to establish an encrypted communication tunnel with the virtual private network server when the verification request passes verification, so that intranet resources are accessed through the encrypted communication tunnel.
The present invention also provides a resource access device, comprising:
a verification request receiving unit, configured to receive a verification request sent by a user terminal, wherein the verification request carries an authorization credential;
a user information request unit, configured to request user information from an enterprise portal server according to the authorization credential;
a verification request verification unit, configured to receive the user information returned by the enterprise portal server and verify the verification request according to the user information;
a second encrypted communication unit, configured to send verification-passed information to the user terminal when the verification passes and to establish an encrypted communication tunnel with the user terminal, so that the user terminal can access intranet resources through the encrypted communication tunnel.
The present invention also provides a resource access device, comprising:
a login request receiving unit, configured to receive a login request sent by a user terminal;
an authorization credential sending unit, configured to send an authorization credential to the user terminal when the login request is approved;
an information request receiving unit, configured to receive a user information request sent by a virtual private network server;
a user information sending unit, configured to send the corresponding user information to the virtual private network server according to the authorization credential when the user information request carries the authorization credential, so that the virtual private network server can verify the verification request sent by the user terminal.
The present invention also provides a resource access system, comprising a user terminal, a virtual private network server and an enterprise portal server;
the user terminal is configured to send a login request to the enterprise portal server so that the enterprise portal server authenticates the user; receive the authorization credential returned by the enterprise portal server when the login request is approved; send a verification request to the virtual private network server through a virtual private network client so that the virtual private network server verifies the identity of the user, wherein the verification request carries the authorization credential; and, when the verification request passes verification, use the virtual private network client to establish an encrypted communication tunnel with the virtual private network server so that intranet resources are accessed through the encrypted communication tunnel;
the virtual private network server is configured to receive the verification request sent by the user terminal, wherein the verification request carries the authorization credential; request user information from the enterprise portal server according to the authorization credential; receive the user information returned by the enterprise portal server and verify the verification request according to the user information; and, when the verification passes, send verification-passed information to the user terminal and establish an encrypted communication tunnel with the user terminal so that the user terminal can access intranet resources through the encrypted communication tunnel;
the enterprise portal server is configured to receive the login request sent by the user terminal; send an authorization credential to the user terminal when the login request is approved; receive the user information request sent by the virtual private network server; and, when the user information request carries the authorization credential, send the corresponding user information to the virtual private network server according to the authorization credential so that the virtual private network server can verify the verification request sent by the user terminal.
The present invention also provides an electronic device, comprising a memory, a processor and a computer program stored in the memory and executable on the processor, wherein when the processor executes the program, all or part of the steps of any of the resource access methods described above are implemented.
The present invention also provides a non-transitory computer-readable storage medium on which a computer program is stored, wherein when the computer program is executed by a processor, all or part of the steps of any of the resource access methods described above are implemented.
With the resource access method, device, system, electronic device, medium and program provided by the present invention, in this embodiment, after the user logs in to the enterprise portal server directly over the Internet, a verification request carrying the authorization credential is sent automatically to the virtual private network server, achieving a silent login in which the user does not have to enter identity authentication information again. Because the authorization credential is a non-plaintext encrypted string rather than the identity authentication information the user used to log in to the enterprise portal, the security of the process of logging in to the virtual private network server is improved; and when the verification request passes verification, the user terminal establishes an encrypted communication tunnel with the virtual private network server through the virtual private network client, so that the intranet resources managed by the enterprise portal server can be accessed securely and conveniently.
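As an added illustration of the three-party flow described above (the user-terminal, virtual private network server and enterprise portal server methods, including the IP-consistency check and the credential lifetime), here is a model of the exchange in Python. It is not the patent's or any vendor's code; the class and function names, the credential format (a base64url JSON body plus an HMAC that only the portal can verify, so the VPN server can read the IP binding before its back-channel request) and the sample user are assumptions made for the example.

```python
import base64
import hashlib
import hmac
import json
import os
import time


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class PortalServer:
    """Enterprise portal: authenticates the user, issues the authorization credential,
    and answers the VPN server's user-information request."""

    def __init__(self, signing_key: bytes, users: dict, ttl_seconds: int = 300):
        self._key = signing_key      # stays on the portal; neither client nor VPN server holds it
        self._users = users          # username -> (salt, password hash, role); constructed data
        self._ttl = ttl_seconds      # credential lifetime ("survival time" in the text)
        self.info_requests = 0       # back-channel user-information requests served

    @staticmethod
    def hash_password(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def login(self, username, password, client_ip, now=None):
        # Step S21/S22: check the login request; on success issue a credential bound
        # to the login initiator's IP and to an expiry time. Returns None on failure.
        record = self._users.get(username)
        if record is None:
            return None
        salt, expected_hash, _role = record
        if not hmac.compare_digest(self.hash_password(password, salt), expected_hash):
            return None
        now = time.time() if now is None else now
        payload = {"sub": username, "ip": client_ip, "exp": now + self._ttl,
                   "nonce": _b64(os.urandom(8))}
        body = _b64(json.dumps(payload, sort_keys=True).encode())
        mac = hmac.new(self._key, body.encode(), hashlib.sha256).digest()
        return body + "." + _b64(mac)    # opaque to the client; never contains the password

    def user_info(self, credential: str, now=None):
        # Serve the VPN server's user-information request: only an unexpired credential
        # that this portal itself issued (valid MAC) maps to user information.
        self.info_requests += 1
        try:
            body, mac = credential.split(".", 1)
            expected = hmac.new(self._key, body.encode(), hashlib.sha256).digest()
            if not hmac.compare_digest(_unb64(mac), expected):
                return None
            payload = json.loads(_unb64(body))
        except ValueError:             # malformed base64/JSON or missing separator
            return None
        now = time.time() if now is None else now
        record = self._users.get(payload["sub"])
        if record is None or payload["exp"] < now:
            return None
        return {"username": payload["sub"], "role": record[2], "login_ip": payload["ip"]}


class VpnServer:
    """VPN server: checks IP consistency first, then asks the portal for user information,
    and only then opens the encrypted tunnel (modelled here as a session id)."""

    def __init__(self, portal: PortalServer):
        self._portal = portal
        self.tunnels = {}            # tunnel id -> username

    @staticmethod
    def _credential_ip(credential: str):
        # Readable without the portal key; trusted only once the portal confirms the credential.
        try:
            return json.loads(_unb64(credential.split(".", 1)[0])).get("ip")
        except (ValueError, AttributeError):
            return None

    def verify(self, credential: str, request_ip: str, now=None) -> dict:
        if self._credential_ip(credential) != request_ip:
            return {"ok": False, "reason": "ip_mismatch"}   # fails before the portal is contacted
        info = self._portal.user_info(credential, now)
        if info is None:
            return {"ok": False, "reason": "credential_rejected"}
        tunnel_id = _b64(os.urandom(12))
        self.tunnels[tunnel_id] = info["username"]
        return {"ok": True, "user": info["username"], "role": info["role"], "tunnel": tunnel_id}


def user_terminal_flow(portal, vpn, username, password, ip, now=None) -> dict:
    # User-terminal side: portal login, then silent VPN verification with the returned
    # credential; the password is never sent to the VPN server.
    credential = portal.login(username, password, ip, now)
    if credential is None:
        return {"ok": False, "reason": "portal_login_failed"}
    return vpn.verify(credential, ip, now)


def build_demo():
    # Constructed sample deployment: one user, one portal, one VPN server.
    salt = b"constructed-salt"
    users = {"alice": (salt, PortalServer.hash_password("correct horse", salt), "employee")}
    portal = PortalServer(b"constructed-portal-signing-key", users, ttl_seconds=300)
    return portal, VpnServer(portal)
```

Calling `user_terminal_flow(*build_demo(), "alice", "correct horse", "203.0.113.10")` walks the full path; presenting the same credential from another address, after its lifetime, or with a modified MAC is refused, and in the first case the portal is never contacted.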
Brief Description of the Drawings
In order to illustrate the technical solutions of the present invention or of the prior art more clearly, the drawings needed for the description of the embodiments or of the prior art are briefly introduced below. Obviously, the drawings described below show some embodiments of the present invention, and a person of ordinary skill in the art can obtain other drawings from them without creative effort.
FIG. 1 is a network structure diagram corresponding to a resource access method provided by the present invention;
FIG. 2 is a schematic flow chart of a resource access method provided by the present invention;
FIG. 3 is a schematic flow chart of another resource access method provided by the present invention;
FIG. 4 is a schematic flow chart of yet another resource access method provided by the present invention;
FIG. 5 is a schematic structural diagram of a resource access device provided by the present invention;
FIG. 6 is a schematic structural diagram of another resource access device provided by the present invention;
FIG. 7 is a schematic structural diagram of yet another resource access device provided by the present invention;
FIG. 8 is a schematic structural diagram of a resource access system provided by the present invention;
FIG. 9 is a schematic structural diagram of an electronic device provided by the present invention.
Detailed Description
In order to make the purpose, technical solutions and advantages of the present invention clearer, the technical solutions of the present invention are described clearly and completely below in conjunction with the drawings. Obviously, the described embodiments are some, not all, of the embodiments of the present invention. All other embodiments obtained by a person of ordinary skill in the art from the embodiments of the present invention without creative effort fall within the scope of protection of the present invention.
A Web portal is a website that organizes, stores and presents information from different sources in a uniform form. Users can filter and retrieve all content published on the portal by information source, information type, keyword search and other means. An enterprise portal is a Web portal system built by the enterprise IT department for its employees: through it, employees can quickly reach the network resources the enterprise provides and obtain notices, news and other information, so the enterprise portal is an important information channel from the enterprise to its employees.
With the rise of remote work, employees need to access the enterprise portal remotely. However, an employee who logs in to the enterprise portal directly over the Internet can reach only its open resources (that is, resources that are open to the Internet and can be accessed after connecting and logging in directly over the Internet). The internal network resources of the enterprise portal (that is, intranet resources), which have a higher security level, can be reached only after connecting to a virtual private network (VPN). A remote employee accessing intranet resources must therefore enter an account and password multiple times (the account and password for the two logins may or may not be the same). Repeated logins not only give a poor user experience; because the account and password are entered multiple times, they also increase the risk of the user's password leaking and lower the security of the whole system.
The present invention provides a resource access method, device, system, electronic device, medium and program that allow an enterprise employee, after logging in to the enterprise portal, to connect to the virtual private network as needed, conveniently and without noticing a second login, in order to access the internal network resources of the enterprise.
A resource access method, device, system, electronic device, medium and program of the present invention are described below with reference to FIG. 1 to FIG. 9.
To make the resource access method provided by the present invention easier to understand, the network structure corresponding to it is described first. FIG. 1 is a network structure diagram corresponding to a resource access method provided by the present invention. As shown in FIG. 1, the enterprise network is divided into an Internet-accessible part and an Internet-inaccessible part. An enterprise portal server is deployed in the Internet-accessible part of the enterprise network, and the enterprise portal server manages open resource links (open resource entry points) and intranet resource links (intranet resource entry points). Open resources are resources (data resources, service resources) with lower security requirements that can be obtained by logging in directly over the Internet; intranet resources are resources (data resources, service resources) with higher security requirements that cannot be obtained by logging in directly over the Internet. A user terminal on the Internet can log in to the enterprise portal server directly through a browser, but after logging in directly over the Internet it can reach only the open resource links managed by the enterprise portal server, and through those links it accesses the open resource servers deployed in the Internet-accessible part of the enterprise network. A user terminal on the Internet can also connect to the virtual private network server through a virtual private network client; after obtaining an intranet resource link from the enterprise portal, it reaches the intranet resource server deployed in the Internet-inaccessible part of the enterprise network through the virtual private network server and accesses the intranet resource that the link points to. The virtual private network provides an encrypted communication tunnel through which user terminals on the external network access the enterprise portal server, so intranet resources can be accessed securely.
FIG2 is a flow chart of a resource access method provided by the present invention. The method is applied to a user terminal. As shown in FIG2, the method includes:
S21. Send a login request to the enterprise portal server so that the enterprise portal server can authenticate the user.
Specifically, the user terminal is located on the Internet, and the enterprise portal server is deployed in the part of the enterprise network that is directly accessible from the Internet. The user terminal sends a login request to the enterprise portal server so that the portal can authenticate the user's identity. The login client that sends the request can be a browser installed on the user terminal, that is, the user logs in through a web page in the browser, which sends the login request to the enterprise portal server.
The login request carries identity authentication information, for example the user's account and password, or the user's biometric information (such as voice, fingerprint, face or iris), so that the enterprise portal server can authenticate the user's identity.
S22. Receive the authorization credential returned by the enterprise portal server when the login request passes.
Specifically, the enterprise portal server authenticates the user according to the identity authentication information carried in the login request. If authentication succeeds, the user terminal can directly access the open resource links in the enterprise portal server (without passing through the virtual private network server described below) and thereby obtain the corresponding open resources. In addition, if authentication succeeds, the enterprise portal server also returns an authorization credential. The authorization credential can be a non-plaintext encrypted string, and it can be used by third-party applications to access the enterprise portal server. The authorization credential can also be given a limited lifetime, so that third-party applications can access the enterprise portal server only temporarily, within that lifetime, which improves the security of enterprise portal management.
It can be understood that, if the enterprise portal server fails to authenticate the login request, it returns feedback indicating that authentication failed. Furthermore, the user terminal can prompt the user to re-enter the identity authentication information.
S23. Send a verification request to the virtual private network server through the virtual private network client so that the virtual private network server can verify the user's identity; the verification request carries the authorization credential.
Specifically, after the browser on the user terminal that sent the login request receives the authorization credential returned by the enterprise portal server, it passes the credential to the virtual private network client installed on the user terminal, and the client sends a verification request carrying that credential to the virtual private network server in order to obtain the virtual private network service. It should be noted that the virtual private network client sends the verification request automatically on the basis of the authorization credential; this process requires no account, password or biometric information and no manual input by the user, which realizes silent login.
In addition, it should be noted that when the user terminal is located in the enterprise intranet, it does not need to connect to the virtual private network and can directly access the intranet resources for which it has permission. Furthermore, for identity verification of an intranet user terminal, a quick check can be performed on the IP address of the login request: if the IP address of the login request is confirmed to be an intranet IP address, verification is directly deemed to have passed.
S24. If the verification request passes, use the virtual private network client to establish an encrypted communication tunnel with the virtual private network server, and access intranet resources through the encrypted communication tunnel.
Specifically, when the virtual private network server verifies the verification request successfully, it provides the virtual private network service to the user terminal and establishes an encrypted communication tunnel between the user terminal and the virtual private network server. Once the tunnel is established, all communication between the user terminal and the virtual private network server is encrypted, which improves the security of data transmission over the network. At this point, after the user terminal obtains an intranet resource link from the enterprise portal, it can access the intranet resource server corresponding to that link through the virtual private network server and obtain the corresponding intranet resources.
In addition, it should be noted that virtual private networks (VPNs) can be divided into client-based VPNs and network-based VPNs. A client-based VPN is a virtual private network created between a single user and a remote network; it usually involves an application. The user typically starts the VPN client manually and logs in with a username and password for identity authentication, and the client creates an encrypted tunnel between the user's computer and the remote network so that the user can access the remote network through that tunnel. A network-based VPN securely connects two networks to each other across an untrusted network. The present invention concerns single-point remote login by a user, so a client-based virtual private network is used.
In this embodiment, after logging into the enterprise portal server directly over the Internet, the user terminal automatically sends a verification request carrying the authorization credential to the virtual private network server, realizing silent login without the user having to re-enter identity authentication information. Because the authorization credential is a non-plaintext encrypted string rather than the identity authentication information the user used to log into the enterprise portal server, the security of the process of logging into the virtual private network server is improved. Furthermore, when the verification request passes, the user terminal establishes an encrypted communication tunnel with the virtual private network server through the virtual private network client, which allows safe and convenient access to the intranet resources managed by the enterprise portal server.
Based on any of the above embodiments, in one embodiment, after sending the login request to the enterprise portal server and before sending the verification request to the virtual private network server through the virtual private network client, the method further includes:
detecting whether the virtual private network client is installed;
if the virtual private network client is not detected, prompting the user to install it, and after installation is complete, executing the step of detecting whether the virtual private network client is installed again;
if the virtual private network client is detected, starting the virtual private network client.
Specifically, a specific local port can be listened on, and the listening port returns an expected response, which is used to detect and determine the installation status of the virtual private network client on the user terminal. The detection can be performed by an integrated JavaScript SDK or by a program written by the user according to need. If the virtual private network client is not detected, the user is prompted to install it; after installation is complete, the method returns to the previous step of detecting the client's installation status, so that the client can then be started automatically. If the virtual private network client is detected, it is started so that it automatically sends the verification request to the virtual private network server to establish an encrypted communication tunnel with the enterprise portal server.
In this embodiment, the virtual private network client is detected and started automatically, so the user does not need to repeatedly enter a password by hand to connect to the virtual private network, which improves the user experience.
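As an added example that is not part of the patent text, the following Python sketch shows the detection step of this embodiment: a probe of a fixed local port that treats the client as present only if the port returns the expected response (an unrelated program listening on the same port is not mistaken for the client), plus the detect / prompt-to-install / detect-again / start loop. The port, the banner string and the stand-in listener are constructed for the example; the patent names no specific port or response format, and a real client would expose its own.

```python
import socket
import threading

# Constructed banner the installed client is assumed to answer with.
# The patent only says the port "returns the expected response".
EXPECTED_BANNER = b"VPNCLIENT-OK\n"


def probe_vpn_client(port, host="127.0.0.1", timeout=0.5):
    """Return True only if something on host:port answers with EXPECTED_BANNER.

    A connection alone is not enough: the response is compared, so a
    different service squatting on the port does not count as the client.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            data = b""
            while len(data) < len(EXPECTED_BANNER):
                chunk = s.recv(64)
                if not chunk:
                    break
                data += chunk
    except OSError:
        return False  # nothing listening, refused, or timed out
    return data == EXPECTED_BANNER


def ensure_client(probe, prompt_install, start_client, max_attempts=3):
    """The embodiment's loop: detect; if absent, prompt to install and
    detect again; if present, start the client. The three callables are
    injected so the flow can be exercised without a real installer."""
    for _ in range(max_attempts):
        if probe():
            start_client()
            return True
        prompt_install()
    return False


def start_fake_client(banner):
    """Constructed stand-in for the listener an installed client would run.
    Binds an ephemeral loopback port and answers every connection with banner.
    Returns (port, server_socket); close the socket to stop it."""
    srv = socket.socket()
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return  # server socket closed
            with conn:
                conn.sendall(banner)

    threading.Thread(target=serve, daemon=True).start()
    return port, srv


def free_closed_port():
    """Pick a loopback port that is currently not listening (for the negative case)."""
    tmp = socket.socket()
    tmp.bind(("127.0.0.1", 0))
    port = tmp.getsockname()[1]
    tmp.close()
    return port


if __name__ == "__main__":
    port, srv = start_fake_client(EXPECTED_BANNER)
    print("client present:", probe_vpn_client(port))
    print("closed port:", probe_vpn_client(free_closed_port()))
    srv.close()
```

The comparison against a fixed response is the part worth keeping when this is ported to a browser SDK: the check should fail closed on a wrong or empty reply, and the install prompt loop should be bounded so a persistently failing probe cannot loop forever.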
Based on any of the above embodiments, in one embodiment, the verification request carries the IP address of the initiator of the verification request, and the authorization credential carries the IP address of the initiator of the login request, so that the virtual private network server can verify that the two IP addresses are consistent.
Specifically, in the silent-login connection to the virtual private network server, the user terminal passes the authorization credential obtained by the browser that logged into the enterprise portal server to the virtual private network client, which uses it to connect to the virtual private network server. To prevent the authorization credential from being stolen or tampered with by an attacker, for example through an XSS vulnerability, the consistency of the user's IP source must be verified when the virtual private network client logs into the virtual private network server. Specifically, the verification request carries the IP address of the initiator of the verification request, and the authorization credential carries the IP address of the initiator of the login request, so that after receiving the verification request the virtual private network server can compare the verification initiator's IP address with the login initiator's IP address carried in the credential. If the two match, the credential has not been stolen or tampered with; if they differ, a vulnerability such as XSS may be present, and the user terminal raises an alarm.
It should be noted that an XSS vulnerability refers to injecting malicious code into a web page so that users load and execute a web program crafted by an attacker. Such programs are usually JavaScript, but can in fact also be Java, VBScript, ActiveX, Flash or even plain HTML. If the attack succeeds, the attacker may obtain, among other things, higher privileges (such as the ability to perform dangerous operations), private web content, sessions and cookies.
In this embodiment, by carrying the IP address of the verification request's initiator in the verification request and the IP address of the login request's initiator in the authorization credential, so that the virtual private network server can verify that the IP addresses are consistent, the security of the silent login process is further guaranteed.
Based on any of the above embodiments, in one embodiment, the virtual private network client is a virtual private network client based on the Secure Sockets Layer (SSL) protocol, and the virtual private network server is a virtual private network server based on the SSL protocol.
Specifically, an SSL-based virtual private network (SSL VPN) is not affected by address-translating devices (NAT devices) such as firewalls installed between the client and the server, so it traverses such devices well; it allows connection to the corresponding network resources from any location and with any device, and is the best choice for secure remote access for enterprises. The SSL protocol comprises the SSL record protocol and the SSL handshake protocol, which together provide authentication, encryption and tamper protection for application connections. The SSL handshake protocol, which plays a role comparable to the IKE (Internet Key Exchange) protocol in the IPsec protocol suite, is mainly used for mutual authentication between server and client and for negotiating the encryption and MAC (Message Authentication Code) algorithms, and it generates the encryption and authentication keys used by the SSL record protocol.
In this embodiment, by using an SSL-based virtual private network client and an SSL-based virtual private network server, an encrypted communication tunnel between the user terminal and the enterprise portal server is established conveniently and securely.
Based on any of the above embodiments, in one embodiment, the method further includes:
displaying the resources in the enterprise portal server that are accessible at the current moment in a first color;
displaying the resources in the enterprise portal server that are not accessible at the current moment in a second color.
Specifically, the user terminal also distinguishes the resources in the enterprise portal server by color. For example, after logging in through the browser, the open resources in the enterprise portal server that can be accessed are displayed on a white background, and the intranet resources that cannot yet be accessed are displayed on a gray background. As another example, after the user terminal has silently logged in and connected to the virtual private network server, it can access both the open resources and the intranet resources in the enterprise portal server, so all of them are switched to a white background. The distinction can of course also be made by font color. The specific choice of the first and second colors can be adjusted according to user needs and is not limited here.
In addition, during silent login the user terminal can also show the user a prompt, for example "Logging into the virtual private network".
In this embodiment, by displaying the resources in the enterprise portal server that are currently accessible in a first color and those that are currently inaccessible in a second color, the resources are visually distinguished, which improves the user experience.
FIG3 is a flow chart of another resource access method provided by the present invention, which is applied to a virtual private network server. As shown in FIG3, the method includes:
S31. Receive a verification request sent by a user terminal; the verification request carries an authorization credential.
S32. Request user information from the enterprise portal server according to the authorization credential.
S33. Receive the user information returned by the enterprise portal server, and verify the verification request according to the user information.
S34. If verification passes, send a verification-passed message to the user terminal and establish an encrypted communication tunnel with the user terminal, so that the user terminal can access intranet resources through the encrypted communication tunnel.
Specifically, the virtual private network server is located in the Internet-accessible part of the enterprise network. On receiving the verification request sent by the user terminal, it determines from the request whether the user is legitimate and whether to provide the virtual private network service. The verification request carries the authorization credential that the user obtained when logging into the enterprise portal server directly over the Internet, and the virtual private network server uses this credential to request user information from the enterprise portal server. The user information includes, for example, the user name and whether the user has remote access permission for intranet resources. After receiving the user information returned by the enterprise portal server for the credential, the virtual private network server verifies the verification request against it, confirming whether the user is legitimate and whether the user is permitted to access intranet resources remotely. If verification passes, the virtual private network server sends a verification-passed message to the user terminal and establishes an encrypted communication tunnel between the user terminal and itself, so that the user terminal can access intranet resources through the tunnel.
It should be noted that before this method is executed, the virtual private network server and the enterprise portal server need to be configured in advance to interoperate, for example by configuring the communication address, port number, authorization credential format and user information format, so that the subsequent silent login process runs smoothly.
In this embodiment, the virtual private network server uses the authorization credential carried in the verification request sent by the user terminal to request user information from the enterprise portal server and verifies the request accordingly. Because the authorization credential is a non-plaintext encrypted string rather than the identity authentication information the user used to log into the enterprise portal server, the security of silent login to the virtual private network server is improved; and by requesting user information from the enterprise portal server on the basis of the credential, the user's permission to access enterprise intranet resources remotely is managed accurately and conveniently.
Based on any of the above embodiments, in one embodiment, the verification request carries the IP address of the initiator of the verification request, and the authorization credential carries the IP address of the initiator of the login request;
correspondingly, after receiving the verification request from the user terminal and before requesting user information from the enterprise portal server according to the authorization credential, the method further includes:
if the IP address of the verification request's initiator carried in the verification request does not match the IP address of the login request's initiator carried in the authorization credential, determining that the verification request fails verification;
if the IP address of the verification request's initiator carried in the verification request matches the IP address of the login request's initiator carried in the authorization credential, executing the step of requesting user information from the enterprise portal server according to the authorization credential.
Specifically, the user terminal passes the authorization credential obtained by the login client that logged into the enterprise portal to the virtual private network client, which uses it to connect to the virtual private network server. To prevent the authorization credential from being stolen or tampered with by an attacker, for example through an XSS vulnerability, the virtual private network server verifies the consistency of the user's IP source when the virtual private network client logs in. Specifically, the verification request carries the IP address of the initiator of the verification request, and the authorization credential carries the IP address of the initiator of the login request, so that after receiving the verification request the virtual private network server can compare the verification initiator's IP address with the login initiator's IP address carried in the credential. If the two match, the credential has not been stolen or tampered with and the next verification step can proceed; if they differ, a vulnerability such as XSS may be present, and a verification-failed message is sent to the user terminal so that it can raise an alarm.
It should be noted that an XSS vulnerability refers to injecting malicious code into a web page so that users load and execute a web program crafted by an attacker. Such programs are usually JavaScript, but can in fact also be Java, VBScript, ActiveX, Flash or even plain HTML. If the attack succeeds, the attacker may obtain, among other things, higher privileges (such as the ability to perform certain operations), private web content, sessions and cookies.
In this embodiment, by carrying the IP address of the verification request's initiator in the verification request and the IP address of the login request's initiator in the authorization credential, and having the virtual private network server verify that the IP addresses are consistent, the security of the silent login process is further guaranteed.
FIG4 is a flow chart of yet another resource access method provided by the present invention, which is applied to an enterprise portal server. As shown in FIG4, the method includes:
S41. Receive a login request sent by a user terminal.
S42. If the login request passes, send an authorization credential to the user terminal.
S43. Receive a user information request sent by a virtual private network server.
S44. If the user information request carries the authorization credential, send the corresponding user information to the virtual private network server according to the authorization credential, so that the virtual private network server can verify the verification request sent by the user terminal.
Specifically, the enterprise portal server is deployed in the part of the enterprise network that is accessible from the Internet. After receiving the login request sent by the user terminal over the Internet, it authenticates the user according to the identity authentication information carried in the request in order to decide whether to approve the login. The enterprise portal server may implement the identity authentication function itself, for example by checking the login request against a pre-stored user identity database, or it may forward the identity authentication information in the login request to an identity authentication platform, which provides centralized identity authentication for multiple parties.
If authentication of the user's identity fails, the login request is rejected and the user terminal prompts the user to log in again. If authentication succeeds, the login request is approved and an authorization credential is sent to the user. The authorization credential can be a non-plaintext encrypted string, and it can be used by third-party applications to access the enterprise portal server. The authorization credential can also be given a limited lifetime, so that third-party applications can access the enterprise portal server only temporarily, within that lifetime, which improves the security of enterprise portal management.
The enterprise portal server also receives the user information request sent by the virtual private network server and returns the corresponding user information according to the authorization credential. Specifically, when the enterprise portal server receives the user's login request and generates the authorization credential, it also records the mapping between that credential and the user information, so that when the virtual private network server's user information request arrives, the user information corresponding to the credential can be returned. In addition, for an authorization credential with a limited lifetime, the enterprise portal server must also determine whether the time of the current verification request falls within the credential's lifetime, and it returns the corresponding user information only if it does. After receiving the user information, the virtual private network server can verify the verification request sent by the user terminal.
In this embodiment, the enterprise portal server returns an authorization credential to a user terminal whose login request has passed, and that credential is used for authentication when logging into the virtual private network to access intranet resources, so the user's identity authentication information is not needed again, which improves security. The enterprise portal server returns the user information corresponding to the credential to the virtual private network server, so that the virtual private network server can verify the request and decide whether to establish the encrypted communication tunnel; the user's remote access to the enterprise portal server is thereby managed conveniently.
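As an added example that is not part of the patent text, here is a self-contained Python model of the three-party exchange of FIG3 and FIG4, which also covers the IP-consistency embodiment above: the portal authenticates the login, issues a credential bound to the login IP with a lifetime, records the credential-to-user mapping, and answers the VPN server's user-information request only while the credential is alive; the VPN server checks the credential's integrity and the IP consistency before asking the portal, then checks the remote-access permission returned. The patent describes the credential as a non-plaintext encrypted string; this example uses an HMAC-authenticated base64 token instead (the standard library has no AES), which is enough to demonstrate the tamper and binding checks. The shared key, user store, addresses and result strings are all constructed for the example.

```python
import base64
import binascii
import hashlib
import hmac
import json
import secrets
import time

# Shared secret agreed between portal and VPN server. Assumption: the patent
# only says the two are pre-configured to interoperate (credential format etc.).
PORTAL_VPN_KEY = b"constructed-shared-key-for-demo"

# Constructed user store: username -> password and intranet remote-access flag.
USERS = {
    "alice": {"password": "correct horse", "remote_access": True},
    "bob": {"password": "battery staple", "remote_access": False},
}


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


class PortalServer:
    """Enterprise portal (FIG4): authenticates logins, issues credentials,
    and answers user-information requests while the credential is alive."""

    def __init__(self, ttl_seconds=300):
        self.ttl = ttl_seconds
        self.sessions = {}  # credential id -> recorded user info (S41/S42 mapping)

    def login(self, username, password, login_ip, now=None):
        now = time.time() if now is None else now
        user = USERS.get(username)
        if user is None or not hmac.compare_digest(user["password"], password):
            return None  # S41 fails: no credential issued
        cid = secrets.token_hex(8)
        payload = json.dumps({"cid": cid, "ip": login_ip, "exp": now + self.ttl}).encode()
        mac = hmac.new(PORTAL_VPN_KEY, payload, hashlib.sha256).digest()
        self.sessions[cid] = {"user": username, "remote_access": user["remote_access"],
                              "exp": now + self.ttl}
        return _b64(payload) + "." + _b64(mac)  # S42: credential bound to login IP

    def user_info(self, cid, now=None):
        """S43/S44: return the mapped user info only inside the credential's lifetime."""
        now = time.time() if now is None else now
        info = self.sessions.get(cid)
        if info is None or now > info["exp"]:
            return None
        return {"user": info["user"], "remote_access": info["remote_access"]}


class VpnServer:
    """VPN server (FIG3) with the IP-consistency pre-check."""

    def __init__(self, portal):
        self.portal = portal

    @staticmethod
    def _open_credential(credential):
        """Parse the token and reject anything whose MAC does not verify."""
        try:
            payload_b64, mac_b64 = credential.split(".")
            payload, mac = _unb64(payload_b64), _unb64(mac_b64)
        except (ValueError, binascii.Error):
            return None
        expected = hmac.new(PORTAL_VPN_KEY, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(mac, expected):
            return None
        return json.loads(payload)

    def verify(self, credential, initiator_ip, now=None):
        """S31-S34 as a decision; the tunnel setup itself is out of scope here."""
        now = time.time() if now is None else now
        claims = self._open_credential(credential)
        if claims is None:
            return "invalid_credential"
        if claims["ip"] != initiator_ip:
            return "ip_mismatch"  # verification source differs from login source
        info = self.portal.user_info(claims["cid"], now)  # S32/S33
        if info is None:
            return "expired_or_unknown"
        if not info["remote_access"]:
            return "not_authorized"
        return "ok"  # S34: verification passed, tunnel may be established


if __name__ == "__main__":
    portal, vpn = PortalServer(), VpnServer(None)
    vpn.portal = portal
    cred = portal.login("alice", "correct horse", "203.0.113.5")
    print(vpn.verify(cred, "203.0.113.5"), vpn.verify(cred, "198.51.100.9"))
```

The order of checks mirrors the embodiment: integrity and IP consistency are decided locally on the VPN server before any round trip to the portal, so a credential presented from a different source is rejected without consuming portal resources. One practical caveat for deployments of this design: users behind carrier-grade NAT or switching between networks can legitimately change source IP between the login and the verification request, so the mismatch path should be logged and surfaced to the user, as the text describes, rather than silently dropped.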
Based on any of the above embodiments, in one embodiment, after sending the authorization credential to the user terminal when the login request passes, the method further includes:
responding to an open resource access request from the user terminal by returning an open resource link to the user terminal, so that the user terminal can access the corresponding open resource.
Specifically, when the login request by which the user terminal logs in to the enterprise portal server directly over the Internet has passed authentication, the user terminal can directly access the open resource links in the enterprise portal server, and through an open resource link reach the open resource server deployed in the Internet-accessible part of the enterprise network to obtain the corresponding open resource.
In this embodiment, open resource services are provided to users who log in to the enterprise portal server directly over the Internet and pass the login.
Based on any of the above embodiments, in one embodiment, after sending the corresponding user information to the virtual private network server according to the authorization credential when the user information request carries the authorization credential, the method further includes:
when the verification request corresponding to the authorization credential passes, responding to an intranet resource access request from the user terminal by returning an intranet resource link to the user terminal, so that the user terminal can access the corresponding intranet resource through the encrypted communication tunnel established with the virtual private network server.
Specifically, after the virtual private network server has verified the user terminal's verification request against the user information, an encrypted communication tunnel is established between the virtual private network server and the user terminal; once the user terminal obtains an intranet resource link from the enterprise portal, it can fetch the corresponding intranet resource through the encrypted communication tunnel. Because all data in the encrypted communication tunnel is encrypted, the user can remotely access enterprise intranet resources securely.
In this embodiment, when the verification request corresponding to the authorization credential passes verification, intranet resource services are provided to the user conveniently and securely through the encrypted communication tunnel established between the virtual private network server and the user terminal.
Based on any of the above embodiments, in one embodiment, after receiving the login request sent by the user terminal and before sending the authorization credential to the user terminal when the login request passes, the method further includes:
forwarding the login request to an identity authentication platform for authentication;
determining whether the login request passes according to the authentication result returned by the identity authentication platform.
Specifically, the enterprise portal server may be configured with an identity authentication function of its own, or it may forward the identity authentication information in the login request to an identity authentication platform for authentication; the identity authentication platform provides a centralized identity authentication function for multiple parties.
Correspondingly, the virtual private network server may also verify the user terminal's verification request through the identity authentication platform. After receiving the verification request from the user terminal, the virtual private network server requests the user information from the identity authentication platform according to the authorization credential, receives the user information returned by the identity authentication platform, and verifies the user terminal's verification request against that user information; if verification passes, it sends a verification-passed message to the user terminal and establishes an encrypted communication tunnel between the user terminal and the virtual private network server.
In this embodiment, by forwarding the login request to the identity authentication platform for authentication, the user's identity information is authenticated conveniently and at low cost.
The resource access device provided by the present invention is described below; the resource access device described below and the resource access method described above may be referred to in correspondence with each other.
FIG. 5 is a schematic structural diagram of a resource access device provided by the present invention (corresponding to the user terminal 51 below). As shown in FIG. 5, the device includes:
a login request sending unit 511, configured to send a login request to the enterprise portal server so that the enterprise portal server can authenticate the user's identity;
an authorization credential receiving unit 512, configured to receive the authorization credential returned by the enterprise portal server when the login request passes;
a verification request sending unit 513, configured to send a verification request to the virtual private network server through the virtual private network client so that the virtual private network server can verify the user's identity, wherein the verification request carries the authorization credential;
a first encrypted communication unit 514, configured to use the virtual private network client to establish an encrypted communication tunnel with the virtual private network server when the verification request passes verification, so as to access intranet resources through the encrypted communication tunnel.
Based on the above embodiment, in one embodiment, the device further includes:
a detection unit, configured to detect whether the virtual private network client is installed;
an installation prompting unit, configured to prompt installation of the virtual private network client when it is not detected, and to perform the step of detecting whether the virtual private network client is installed again after installation completes;
a starting unit, configured to start the virtual private network client when it is detected.
Based on any of the above embodiments, in one embodiment, the verification request carries the IP address information of the verification request initiator, and the authorization credential carries the IP address information of the login request initiator, so that the virtual private network server can verify IP address consistency.
Based on any of the above embodiments, in one embodiment, the virtual private network client is a virtual private network client based on the Secure Sockets Layer protocol, and the virtual private network server is a virtual private network server based on the Secure Sockets Layer protocol.
Based on any of the above embodiments, in one embodiment, the device further includes:
a first display unit, configured to display the resources in the enterprise portal server that are accessible at the current moment in a first color;
a second display unit, configured to display the resources in the enterprise portal server that are inaccessible at the current moment in a second color.
FIG. 6 is a schematic structural diagram of a resource access device provided by the present invention (corresponding to the virtual private network server 61 below). As shown in FIG. 6, the device includes:
a verification request receiving unit 611, configured to receive a verification request sent by a user terminal, wherein the verification request carries an authorization credential;
a user information request unit 612, configured to request user information from the enterprise portal server according to the authorization credential;
a verification request verification unit 613, configured to receive the user information returned by the enterprise portal server and verify the verification request according to the user information;
a second encrypted communication unit 614, configured to send a verification-passed message to the user terminal when verification passes and to establish an encrypted communication tunnel with the user terminal, so that the user terminal can access intranet resources through the encrypted communication tunnel.
Based on any of the above embodiments, in one embodiment, the verification request carries the IP address information of the verification request initiator, and the authorization credential carries the IP address information of the login request initiator; accordingly, the device further includes:
a first pre-verification unit, configured to determine that the verification request fails verification when the IP address information of the verification request initiator carried in the verification request does not match the IP address information of the login request initiator carried in the authorization credential;
a second pre-verification unit, configured to perform the step of requesting user information from the enterprise portal server according to the authorization credential when the IP address information of the verification request initiator carried in the verification request matches the IP address information of the login request initiator carried in the authorization credential.
FIG. 7 is a schematic structural diagram of a resource access device provided by the present invention (corresponding to the enterprise portal server 71 below). As shown in FIG. 7, the device includes:
a login request receiving unit 711, configured to receive a login request sent by a user terminal;
an authorization credential sending unit 712, configured to send an authorization credential to the user terminal when the login request passes;
an information request receiving unit 713, configured to receive a user information request sent by the virtual private network server;
a user information sending unit 714, configured to send the corresponding user information to the virtual private network server according to the authorization credential when the user information request carries the authorization credential, so that the virtual private network server can verify the verification request sent by the user terminal.
Based on any of the above embodiments, in one embodiment, the device further includes:
an open resource response unit, configured to respond to an open resource access request from the user terminal by returning an open resource link to the user terminal, so that the user terminal can access the corresponding open resource.
Based on any of the above embodiments, in one embodiment, the device further includes:
an intranet resource response unit, configured to respond to an intranet resource access request from the user terminal when the verification request corresponding to the authorization credential passes, by returning an intranet resource link to the user terminal, so that the user terminal can access the corresponding intranet resource through the encrypted communication tunnel established with the virtual private network server.
A resource access system provided by the present invention is described below; the resource access system described below and the resource access method described above may be referred to in correspondence with each other. FIG. 8 is a schematic structural diagram of a resource access system provided by the present invention. As shown in FIG. 8, the system includes a user terminal 51, a virtual private network server 61, and an enterprise portal server 71;
the user terminal 51 includes:
a login request sending unit, configured to send a login request to the enterprise portal server so that the enterprise portal server can authenticate the user's identity;
an authorization credential receiving unit, configured to receive the authorization credential returned by the enterprise portal server when the login request passes;
a verification request sending unit, configured to send a verification request to the virtual private network server through the virtual private network client so that the virtual private network server can verify the user's identity, wherein the verification request carries the authorization credential;
a first encrypted communication unit, configured to use the virtual private network client to establish an encrypted communication tunnel with the virtual private network server when the verification request passes verification, so as to access intranet resources through the encrypted communication tunnel.
The virtual private network server 61 includes:
a verification request receiving unit, configured to receive a verification request sent by the user terminal, wherein the verification request carries an authorization credential;
a user information request unit, configured to request user information from the enterprise portal server according to the authorization credential;
a verification request verification unit, configured to receive the user information returned by the enterprise portal server and verify the verification request according to the user information;
a second encrypted communication unit, configured to send a verification-passed message to the user terminal when verification passes and to establish an encrypted communication tunnel with the user terminal, so that the user terminal can access intranet resources through the encrypted communication tunnel.
The enterprise portal server 71 includes:
a login request receiving unit, configured to receive a login request sent by the user terminal;
an authorization credential sending unit, configured to send an authorization credential to the user terminal when the login request passes;
an information request receiving unit, configured to receive a user information request sent by the virtual private network server;
a user information sending unit, configured to send the corresponding user information to the virtual private network server according to the authorization credential when the user information request carries the authorization credential, so that the virtual private network server can verify the verification request sent by the user terminal.
In this embodiment, after the user terminal logs in to the enterprise portal server directly over the Internet, it automatically sends a verification request carrying the authorization credential to the virtual private network server, achieving a silent login without the user re-entering identity authentication information. Because the authorization credential is a non-plaintext encrypted string rather than the identity authentication information the user used to log in to the enterprise portal, the security of the silent login to the virtual private network server is improved; moreover, an encrypted communication tunnel is established between the user terminal and the virtual private network server, so that the user terminal can securely and conveniently access the intranet resources managed in the enterprise portal server.
The interaction between the executing entities in the resource access method provided by the present invention is described below through a preferred embodiment:
Preparation phase:
①. The SSLVPN server and the enterprise Web portal server complete the authentication integration, network resource configuration, and so on.
②. IT personnel pre-install the SSLVPN client on the employees' user terminals.
Login phase:
①. When an enterprise employee needs to work remotely, at home or on a business trip, the employee logs in to the enterprise Web portal server from the user terminal using the account and password assigned by the enterprise;
②. The enterprise Web portal server authenticates the login request through the unified identity authentication platform, receives the authentication result from the unified identity authentication platform, obtains the authorization credential, and returns the authentication result and the authorization credential to the user's Web browser;
③. The user terminal queries for the SSLVPN client through the port provided by the SDK; if the SSLVPN client is not detected, it prompts the user to install it, and if the SSLVPN client is detected, it starts the SSLVPN client;
④. The Web browser passes the user's authorization credential to the SSLVPN client;
⑤. The SSLVPN client sends a verification request carrying the authorization credential to the SSLVPN server;
⑥. The SSLVPN server requests and obtains the user information from the unified identity authentication platform according to the authorization credential;
⑦. The SSLVPN server verifies the user's verification request against the returned user information and, if verification passes, establishes an encrypted communication tunnel between the user terminal and the SSLVPN server.
In this embodiment, after the user terminal logs in to the enterprise portal server directly over the Internet, it automatically sends a verification request carrying the authorization credential to the virtual private network server, achieving a silent login without the user re-entering identity authentication information. Because the authorization credential is a non-plaintext encrypted string rather than the identity authentication information the user used to log in to the enterprise portal server, the security of the silent login to the virtual private network server is improved; moreover, an encrypted communication tunnel is established between the user terminal and the virtual private network server, so that the user terminal can securely and conveniently access the intranet resources managed in the enterprise portal server.
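The login-phase steps ① to ⑦ above, together with the credential survival-time check and the IP-consistency pre-verification from the earlier embodiments, as an added example that is not part of the patent. All names, the credential layout `token_id|login_ip|hmac` (HMAC-protected rather than encrypted), the shared key and the 300 s lifetime are assumptions made for the example.

```python
"""Added example, not the patent's own code: a minimal model of the silent-
login flow above. The portal issues an opaque credential bound to the login
IP; the SSLVPN server pre-checks IP consistency, then asks the portal for
user info, which is returned only inside the credential's survival time.
Assumptions: credential = token_id|login_ip|hmac (HMAC-protected rather than
encrypted), a key shared during the preparation phase, a 300 s lifetime."""
from __future__ import annotations

import base64
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional

CREDENTIAL_TTL_SECONDS = 300.0               # assumed survival time of a credential
SHARED_KEY = b"constructed-portal-vpn-key"   # assumed: set up when the two servers are integrated


def _mac(key: bytes, data: bytes) -> str:
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def encode_credential(token_id: str, login_ip: str, key: bytes) -> str:
    """Opaque credential carrying the login-request initiator's IP (assumed layout)."""
    body = f"{token_id}|{login_ip}"
    return base64.urlsafe_b64encode(f"{body}|{_mac(key, body.encode())}".encode()).decode()


def decode_credential(cred: str, key: bytes) -> Optional[tuple[str, str]]:
    """Return (token_id, login_ip) if the credential's tag verifies, else None."""
    try:
        token_id, login_ip, tag = base64.urlsafe_b64decode(cred).decode().split("|")
        ok = hmac.compare_digest(tag, _mac(key, f"{token_id}|{login_ip}".encode()))
    except (ValueError, UnicodeDecodeError, TypeError):
        return None
    return (token_id, login_ip) if ok else None


@dataclass
class CredentialRecord:
    username: str
    login_ip: str      # IP of the login-request initiator
    issued_at: float   # start of the survival period


class EnterprisePortalServer:
    """Authenticates the login and records the credential -> user info mapping."""

    def __init__(self, accounts: dict[str, str], key: bytes = SHARED_KEY):
        self._accounts = accounts          # constructed sample: username -> password
        self._key = key
        self._records: dict[str, CredentialRecord] = {}

    def login(self, username: str, password: str, client_ip: str, now: float) -> Optional[str]:
        expected = self._accounts.get(username)
        if expected is None or not hmac.compare_digest(expected, password):
            return None
        token_id = secrets.token_urlsafe(16)   # random: reveals nothing about the password
        self._records[token_id] = CredentialRecord(username, client_ip, now)
        return encode_credential(token_id, client_ip, self._key)

    def user_info(self, cred: str, now: float) -> Optional[dict]:
        """Answer the VPN server's user information request (survival-time check)."""
        parsed = decode_credential(cred, self._key)
        rec = self._records.get(parsed[0]) if parsed else None
        if rec is None or now - rec.issued_at > CREDENTIAL_TTL_SECONDS:
            return None                        # unknown credential or outside survival period
        return {"username": rec.username, "login_ip": rec.login_ip}


class SslVpnServer:
    """Pre-checks IP consistency, then verifies the request via the portal."""

    def __init__(self, portal: EnterprisePortalServer, key: bytes = SHARED_KEY):
        self._portal = portal
        self._key = key
        self.tunnels: set[tuple[str, str]] = set()   # (username, client_ip) with a tunnel

    def verify(self, cred: str, verify_ip: str, now: float) -> bool:
        parsed = decode_credential(cred, self._key)
        if parsed is None or parsed[1] != verify_ip:
            return False     # first pre-verification unit: IPs differ, no portal call made
        info = self._portal.user_info(cred, now)   # second pre-verification unit
        if info is None:
            return False
        self.tunnels.add((info["username"], verify_ip))   # encrypted tunnel established
        return True


def run_flow(verify_ip: str, delay: float) -> bool:
    """Constructed end-to-end run: portal login at t=0, VPN verification at t=delay."""
    portal = EnterprisePortalServer({"alice": "correct horse battery"})
    vpn = SslVpnServer(portal)
    cred = portal.login("alice", "correct horse battery", "203.0.113.10", now=0.0)
    return cred is not None and vpn.verify(cred, verify_ip, now=delay)


if __name__ == "__main__":
    print(run_flow("203.0.113.10", 10.0))    # same IP, inside lifetime -> True
    print(run_flow("198.51.100.7", 10.0))    # different IP -> False
    print(run_flow("203.0.113.10", 600.0))   # credential expired -> False
```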
FIG. 9 illustrates a schematic diagram of the physical structure of an electronic device. As shown in FIG. 9, the electronic device may include a processor 910, a communication interface 920, a memory 930, and a communication bus 940, wherein the processor 910, the communication interface 920, and the memory 930 communicate with one another through the communication bus 940. The processor 910 may invoke the logic instructions in the memory 930 to execute all or part of the steps of the resource access methods provided above.
In addition, the logic instructions in the above-mentioned memory 930 may be implemented in the form of a software functional unit and, when sold or used as an independent product, may be stored in a computer-readable storage medium. Based on this understanding, the technical solution of the present invention in essence, or the part that contributes to the prior art, or part of the technical solution, may be embodied in the form of a software product stored in a storage medium, which includes several instructions for causing a computer device (which may be a personal computer, a server, a network device, or the like) to perform all or part of the steps of the method described in each embodiment of the present invention. The aforementioned storage medium includes any medium that can store program code, such as a USB flash drive, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk or an optical disk.
In another aspect, the present invention further provides a computer program product, which includes a computer program stored on a non-transitory computer-readable storage medium; the computer program includes program instructions which, when executed by a computer, enable the computer to execute all or part of the steps of the resource access methods provided above.
In yet another aspect, the present invention further provides a non-transitory computer-readable storage medium having a computer program stored thereon which, when executed by a processor, performs all or part of the steps of the resource access methods provided above.
The device embodiments described above are merely illustrative; the units described as separate components may or may not be physically separated, and the components shown as units may or may not be physical units, that is, they may be located in one place or distributed over multiple network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of this embodiment. Those of ordinary skill in the art can understand and implement it without creative effort.
From the description of the above implementations, those skilled in the art can clearly understand that each implementation may be realized by software plus a necessary general-purpose hardware platform, and of course also by hardware. Based on this understanding, the above technical solution in essence, or the part that contributes to the prior art, may be embodied in the form of a software product, which may be stored in a computer-readable storage medium such as ROM/RAM, a magnetic disk or an optical disk, and which includes several instructions for causing a computer device (which may be a personal computer, a server, a network device, or the like) to execute the methods described in each embodiment or in certain parts of the embodiments.
Finally, it should be noted that the above embodiments are only used to illustrate the technical solutions of the present invention, not to limit them. Although the present invention has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art should understand that the technical solutions described in the foregoing embodiments may still be modified, or some of their technical features may be replaced by equivalents, and that such modifications or replacements do not cause the essence of the corresponding technical solutions to depart from the spirit and scope of the technical solutions of the embodiments of the present invention.
Claims (15)
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202111406965.7A CN114374529B (en) | 2021-11-24 | 2021-11-24 | Resource access method, device, system, electronic device, medium and program |
Publications (2)
Publication Number | Publication Date |
---|---|
CN114374529A CN114374529A (en) | 2022-04-19 |
CN114374529B true CN114374529B (en) | 2024-06-28 |
Family
ID=81139105
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
CB02 | Change of applicant information | Country or region after: China. Address after: Room 332, 3/F, Building 102, 28 xinjiekouwei street, Xicheng District, Beijing 100088. Applicant after: QAX Technology Group Inc.; Qianxin Wangshen information technology (Beijing) Co.,Ltd. Address before: Room 332, 3/F, Building 102, 28 xinjiekouwei street, Xicheng District, Beijing 100088. Applicant before: QAX Technology Group Inc.; LEGENDSEC INFORMATION TECHNOLOGY (BEIJING) Inc. Country or region before: China |
GR01 | Patent grant | ||