Embodiment
Embodiments of the invention are described in detail below. Examples of the embodiments are shown in the drawings, in which the same or similar reference numerals denote the same or similar elements, or elements having the same or similar functions, throughout. The embodiments described below with reference to the drawings are exemplary and are intended to explain the invention; they are not to be construed as limiting it.
The login system and login method for an application APP according to embodiments of the invention are described below with reference to the accompanying drawings.
Fig. 1 is a schematic structural diagram of a login system for an application APP according to an embodiment of the invention. As shown in Fig. 1, the system comprises a first APP 110, a first server 120, a second APP 130 and a second server 140, wherein:
The first APP 110 is configured to send a service request containing the identification information of the first APP 110 to the second APP 130, to receive the encrypted message from the second APP 130, and to send the encrypted message to the first server 120.
The second APP 130 is configured to obtain the information of the first APP 110 according to the service request, to obtain the user's login session information, and then to send an encryption request containing that information, the service request and the login session information to the second server 140; it also sends the encrypted message received from the second server 140 to the first APP 110.
The second server 140 is configured to generate the encrypted message according to the encryption request and to send the encrypted message to the second APP 130.
The first server 120 is configured to receive the encrypted message sent by the first APP 110, to decrypt the encrypted message, to obtain the account of the first APP 110 according to the decryption result, and to provide a login service for that account.
The identification information uniquely identifies the first APP 110. It may be the application identity (ID) of the first APP 110, which the first APP 110 obtains by registering on the open platform of the second APP's service provider. The information of the first APP may comprise the package name and the package signature of the first APP.
In an embodiment of the invention, the second APP 130 is further configured to store the information of the first APP 110 in advance.
In an embodiment of the invention, the second server 140 is specifically configured to judge whether the information of the first APP 110 carried in the encryption request is consistent with the information of the first APP 110 obtained from the database; if they are consistent, it obtains the user information according to the login session information, obtains the system timestamp, and then encrypts the user information and the system timestamp with the preset key to generate the encrypted message.
The user information may include, but is not limited to, a user ID and a user name. The first server 120 is specifically configured to decrypt the encrypted message according to the key of the first APP 110, to judge whether the time difference between the system timestamp and the current system time exceeds a predetermined threshold, and, if it does not, to obtain the account of the first APP 110 that matches the user information and provide the login service for that account.
The login system for an application APP according to an embodiment of the invention is described below by means of a concrete implementation. It should be understood that the following process is for illustrative purposes only; embodiments of the invention are not limited to it.
As shown in Fig. 2, the parties of the login system for the application APP interact as follows:
S201: the first APP 110 sends a service request containing the identification information of the first APP 110 to the second APP 130.
Specifically, the first APP 110 sends the service request containing its application ID to the second APP 130 by calling a background service interface provided by the second APP 130.
S202: the second APP 130 receives the service request sent by the first APP 110, obtains the information of the first APP 110 according to the service request, and obtains the user's login session information.
Specifically, after the background service of the second APP 130 receives the service request sent by the first APP 110, the second APP 130 obtains the login session information of the user currently logged in to the second APP 130 from its local private storage, and calls the system to obtain the package name and package signature information of the first APP 110 corresponding to the service request.
S203: the second APP 130 sends an encryption request containing the login session information, the information of the first APP 110 and the service request to the second server 140.
S204: the second server 140 receives the encryption request and generates the encrypted message according to the encryption request.
Specifically, after receiving the encryption request, the second server 140 obtains from the database the package name and package signature information corresponding to the first APP 110 according to the application ID in the service request, and judges whether the package name and package signature information of the first APP 110 carried in the encryption request are consistent with those obtained from the database. If they are inconsistent, it returns an error message to the second APP 130. If they are consistent, the second server 140 obtains the user ID and user name of the currently logged-in user according to the login session information in the encryption request, further obtains the authority information of the first APP 110 (such as an access authorization code) from the database, and, after obtaining the current system timestamp, encrypts the obtained data (user ID, user name, authority information and current system timestamp) with the preset key to generate the encrypted message.
By authenticating the package name and package signature information of the first APP 110 and encrypting the related information, the second server 140 solves the problem of a malicious APP attacking the service interface provided to the first APP by calling it directly, and the problem of the returned content being intercepted and exploited by a malicious APP.
S205: the second server 140 returns the encrypted message to the second APP 130.
S206: the second APP 130 receives the encrypted message sent by the second server 140 and returns the encrypted message to the first APP 110 as the response to the service request.
S207: the first APP 110 receives the response to the service request returned by the second APP 130, namely the encrypted message, and sends the response to the service request to the first server 120.
S208: the first server 120 receives the encrypted message sent by the first APP 110, decrypts it, obtains the account of the first APP 110 according to the decryption result, and provides the login service for that account.
Specifically, the first server 120 decrypts the encrypted message with the preset key to obtain the user information and the system timestamp, and judges whether the time difference between the decrypted system timestamp and the current system timestamp of the first server 120 exceeds a predetermined threshold. If it exceeds the predetermined threshold, the current request can be judged to be a replay attack request and a corresponding error message is returned directly. If it does not exceed the predetermined threshold, the first server 120 judges whether the account system of the corresponding first APP 110 contains account information matching the user information; if so, it obtains the corresponding account and provides the login service for that account. If not, it automatically registers an account of the first APP 110 according to the user information and then provides the login service for that account; the user then sees the post-login operation interface in the first APP 110.
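The server-side halves of the exchange, S204 (authenticate the calling first APP and encrypt user information plus timestamp under the preset key) and S208 (decrypt, reject stale timestamps as replays, then look up or auto-register the account), as an added worked example. This is not code from the patent or from any party's implementation. It uses only the Python standard library, and because the patent does not name a cipher, the "preset-key encryption" is modelled here as an encrypt-then-MAC construction built from HMAC-SHA256 (a production system would use an authenticated cipher such as AES-GCM from a vetted library). The application ID, package name, signature fingerprint, session table, preset key and 60-second threshold are all constructed values.

```python
import hashlib
import hmac
import json
import os
import time

# All values below are constructed for this example; none come from the patent.
PRESET_KEY = b"constructed-preset-key-shared-by-both-servers"  # assumption: pre-shared by both servers
REPLAY_THRESHOLD_SECONDS = 60  # the "predetermined threshold" (assumed value)

# Second server's database: first-APP metadata keyed by application ID.
APP_REGISTRY = {
    "app-1001": {
        "package_name": "com.example.firstapp",
        "package_signature": "sha256:0011aabb",  # constructed signing-certificate fingerprint
        "authority": "AUTHCODE-example",         # the "access authorization code"
    },
}

# Second APP's login sessions: session token -> currently logged-in user.
SESSIONS = {"sess-abc": {"user_id": "u42", "user_name": "alice"}}


def _derive(key, label):
    """Derive separate encryption and MAC keys from the single preset key."""
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(enc_key, nonce, length):
    """HMAC-SHA256 in counter mode used as a stand-in stream cipher (stdlib only)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key, plaintext):
    """Encrypt-then-MAC: returns nonce || ciphertext || HMAC tag."""
    nonce = os.urandom(16)
    ks = _keystream(_derive(key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(_derive(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key, blob):
    """Return the plaintext, or None if the blob is malformed or its tag fails."""
    if len(blob) < 16 + 32:
        return None
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_derive(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    ks = _keystream(_derive(key, b"enc"), nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))


def second_server_generate(encrypt_request, now=None):
    """S204: check package name/signature against the registry, then encrypt
    user ID, user name, authority information and the current timestamp."""
    app_id = encrypt_request["service_request"]["app_id"]
    expected = APP_REGISTRY.get(app_id)
    if expected is None:
        return {"error": "unknown application ID"}
    if (encrypt_request["package_name"] != expected["package_name"]
            or encrypt_request["package_signature"] != expected["package_signature"]):
        return {"error": "package name or signature mismatch"}
    session = SESSIONS.get(encrypt_request["login_session"])
    if session is None:
        return {"error": "no logged-in user for this session"}
    payload = {
        "user_id": session["user_id"],
        "user_name": session["user_name"],
        "authority": expected["authority"],
        "ts": int(time.time() if now is None else now),
    }
    return {"encrypted_message": encrypt(PRESET_KEY, json.dumps(payload).encode())}


def first_server_login(blob, accounts, now=None, threshold=REPLAY_THRESHOLD_SECONDS):
    """S208: decrypt, treat an out-of-window timestamp as a replay, then look up
    the matching account or auto-register one. `accounts` is the first APP's account table."""
    plaintext = decrypt(PRESET_KEY, blob)
    if plaintext is None:
        return {"error": "decryption or integrity check failed"}
    info = json.loads(plaintext)
    now = int(time.time() if now is None else now)
    if abs(now - info["ts"]) > threshold:
        return {"error": "timestamp outside threshold: possible replay"}
    account = accounts.get(info["user_id"])
    auto_registered = account is None
    if auto_registered:
        account = {"account": "acct-" + info["user_id"], "display_name": info["user_name"]}
        accounts[info["user_id"]] = account
    return {"login": account["account"], "auto_registered": auto_registered}


if __name__ == "__main__":
    request = {"service_request": {"app_id": "app-1001"}, "package_name": "com.example.firstapp",
               "package_signature": "sha256:0011aabb", "login_session": "sess-abc"}
    message = second_server_generate(request)["encrypted_message"]
    print(first_server_login(message, {}))
```

Two points the code makes visible: the integrity tag is what lets the first server distinguish a tampered message from a merely stale one, and the timestamp check as described in the patent only bounds the replay window. The same encrypted message presented twice within the threshold logs in twice, so a first server that needs single-use tokens would additionally remember recently seen nonces until they age out of the window.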
In the login system embodiment for the application APP described above, the first APP sends a service request to the second APP, receives the encrypted message that the second APP obtains from the second server, and sends the encrypted message to the first server; the first server decrypts the encrypted message, obtains the account of the first APP according to the decryption result, and provides the login service for that account. The whole login process runs in the background without user operation: after the user has logged in to the second APP, if the user opens a first APP that has a cooperative relationship with the second APP, the system proactively logs the user in to the first APP. This removes the operating cost of the user logging in manually once more; the user enters the post-login operation interface directly after opening the first APP and sees no page jumps during the login process, so the login process is smooth. Moreover, the first server does not need to redirect to a corresponding login authorization page, which also avoids the risk of the first APP leaking user information.
To implement the above embodiments, the invention further proposes a login method for an application APP.
Fig. 3 is a flow chart of a login method for an application APP according to an embodiment of the invention. As shown in Fig. 3, the method comprises:
S301: the first APP sends a service request containing the identification information of the first APP to the second APP, so that the second APP obtains the information of the first APP according to the service request, obtains the user's login session information, and then sends an encryption request containing that information, the service request and the login session information to the second server, so that the second server generates the encrypted message according to the encryption request.
The identification information uniquely identifies the first APP and may be the application identity (ID) of the first APP. The information of the first APP may include, but is not limited to, the package name and the package signature of the first APP. The encrypted message is generated by the second server after it judges that the information of the first APP carried in the encryption request is consistent with the information of the first APP obtained from the database: it obtains the user information according to the login session information, obtains the system timestamp, and then encrypts the user information and the system timestamp with the preset key. The user information may include, but is not limited to, a user ID and a user name.
S302: the first APP receives the encrypted message that the second APP obtains from the second server.
S303: the first APP sends the encrypted message to the first server, so that the first server decrypts the encrypted message, obtains the account of the first APP according to the decryption result, and provides the login service for that account.
The account of the first APP is obtained according to the user information after the first server decrypts the encrypted message with the preset key and judges that the time difference between the system timestamp and the current system time does not exceed a predetermined threshold. Specifically, the first server decrypts the encrypted message with the preset key to obtain the user information and the system timestamp carried in it, and judges whether the difference between the decrypted system timestamp and the current system timestamp of the first server exceeds the predetermined threshold. If it exceeds the predetermined threshold, the current request can be judged to be a replay attack request and a corresponding error message is returned directly. If it does not exceed the predetermined threshold, the first server judges whether the account system of the first APP contains account information matching the user information; if so, it obtains the corresponding account of the first APP and provides an automatic login service for that account; if there is no account information matching the user information, it automatically registers an account of the first APP according to the user information and then provides the automatic login service for that account.
In summary, with the method of this embodiment, after the user has logged in to the second APP, if the user opens a first APP that has a cooperative relationship with the second APP, the user does not need to log in manually: using the information with which the user logged in to the second APP, the system proactively logs the user in to the account of the first APP in the background. The login process is completely transparent to the user, who sees no interface redirects and directly sees the post-login operation interface. This removes the operating cost of the user logging in manually and improves the user's login experience.
In the login method embodiment for the application APP described above, the first APP sends a service request to the second APP, so that the second APP obtains the information of the first APP and the user's login session information and then sends an encryption request containing that information, the service request and the login session information to the second server, so that the second server generates the encrypted message according to the encryption request; the first APP receives the encrypted message that the second APP obtains from the second server and sends it to the first server, so that the first server decrypts the encrypted message and provides the login service for the account of the first APP according to the decryption result. The whole login process runs in the background without user operation: after the user has logged in to the second APP, if the user opens a first APP that has a cooperative relationship with the second APP, the system proactively logs the user in to the first APP. This removes the operating cost of the user logging in manually once more; the user enters the post-login operation interface directly after opening the first APP and sees no page jumps during the login process, so the login process is smooth. Moreover, the first server does not need to redirect to a corresponding login authorization page, which also avoids the risk of the first APP leaking user information.
In the description of this specification, reference to the terms "an embodiment", "some embodiments", "an example", "a specific example" or "some examples" means that a particular feature, structure, material or characteristic described in connection with that embodiment or example is included in at least one embodiment or example of the invention. In this specification, schematic references to the above terms do not necessarily refer to the same embodiment or example. Moreover, the particular features, structures, materials or characteristics described may be combined in any suitable manner in one or more embodiments or examples. In addition, those skilled in the art may combine the different embodiments or examples described in this specification, and the features of the different embodiments or examples, provided they do not conflict.
In addition, the terms "first" and "second" are used for descriptive purposes only and are not to be construed as indicating or implying relative importance or as implicitly indicating the number of the technical features referred to. Thus, a feature qualified by "first" or "second" may explicitly or implicitly include at least one such feature. In the description of the invention, "a plurality of" means at least two, for example two or three, unless expressly and specifically limited otherwise.
Any process or method described in the flow charts or otherwise described herein may be understood to represent a module, segment or portion of code comprising one or more executable instructions for implementing the steps of a specific logical function or process, and the scope of the preferred embodiments of the invention includes other implementations in which the functions may be performed out of the order shown or discussed, including substantially concurrently or in reverse order depending on the functions involved, as would be understood by those skilled in the art to which embodiments of the invention pertain.
The logic and/or steps represented in the flow charts or otherwise described herein, for example a sequenced list of executable instructions for implementing the logical functions, may be embodied in any computer-readable medium for use by, or in connection with, an instruction execution system, apparatus or device (such as a computer-based system, a system comprising a processor, or another system that can fetch instructions from the instruction execution system, apparatus or device and execute them). For the purposes of this specification, a "computer-readable medium" may be any apparatus that can contain, store, communicate, propagate or transport the program for use by, or in connection with, the instruction execution system, apparatus or device. More specific examples (a non-exhaustive list) of the computer-readable medium include: an electrical connection (an electronic device) having one or more wires, a portable computer diskette (a magnetic device), a random access memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber device, and a portable compact disc read-only memory (CDROM). In addition, the computer-readable medium may even be paper or another suitable medium on which the program is printed, since the program can be obtained electronically, for example by optically scanning the paper or other medium and then editing, interpreting or otherwise processing it in a suitable manner if necessary, and then stored in a computer memory.
It should be understood that the parts of the invention may be implemented in hardware, software, firmware or a combination thereof. In the above embodiments, multiple steps or methods may be implemented in software or firmware stored in a memory and executed by a suitable instruction execution system. For example, if implemented in hardware, as in another embodiment, they may be implemented by any of the following technologies known in the art, or a combination thereof: discrete logic circuits having logic gates for implementing logic functions on data signals, application-specific integrated circuits (ASICs) having suitable combinational logic gates, programmable gate arrays (PGAs), field programmable gate arrays (FPGAs), and the like.
Those skilled in the art will appreciate that all or part of the steps of the methods of the above embodiments may be performed by hardware under the control of program instructions; the program may be stored in a computer-readable storage medium and, when executed, performs one of the steps of the method embodiments or a combination thereof.
In addition, the functional units in the embodiments of the invention may be integrated in one processing module, or each unit may exist physically alone, or two or more units may be integrated in one module. The integrated module may be implemented in the form of hardware or in the form of a software functional module. If the integrated module is implemented in the form of a software functional module and sold or used as an independent product, it may also be stored in a computer-readable storage medium.
The storage medium mentioned above may be a read-only memory, a magnetic disk, an optical disc or the like. Although embodiments of the invention have been illustrated and described above, it should be understood that the above embodiments are exemplary and are not to be construed as limiting the invention; those of ordinary skill in the art may make changes, modifications, substitutions and variations to the above embodiments within the scope of the invention.