CN107493280B - User authentication method, intelligent gateway and authentication server - Google Patents


Info

Publication number: CN107493280B
Application number: CN201710698908.8A
Authority: CN (China)
Prior art keywords: service, user, authentication, gateway, identifier
Legal status: Active (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Other languages: Chinese (zh)
Other versions: CN107493280A (en)
Inventors: 袁晓静, 翟京卿
Current Assignee: China United Network Communications Group Co Ltd (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Original Assignee: China United Network Communications Group Co Ltd

Application filed by China United Network Communications Group Co Ltd
Priority to CN201710698908.8A
Publication of CN107493280A
Application granted
Publication of CN107493280B


Abstract

Translated from Chinese

Embodiments of the present invention provide a user authentication method, an intelligent gateway and an authentication server. After receiving a first service access request sent by a user through a terminal, the intelligent gateway sends to the authentication server a first user authentication request that includes the gateway identifier and the service identifier of the target service. The authentication server generates an authentication token from the gateway identifier and the service identifier and returns it to the intelligent gateway. The intelligent gateway then sends to the third-party service system a second service access request carrying the authentication token, the gateway identifier, the service identifier and the user login information, so that the third-party service system sends a second user authentication request to the authentication server. The authentication server performs authentication processing on the user and returns to the third-party service system the user's permission information for accessing the target service. In this way the authentication server uniformly authenticates users who initiate third-party service access requests, which makes it more convenient and faster for users to access third-party service systems.

Description

Translated from Chinese

User authentication method, intelligent gateway and authentication server

Technical Field

Embodiments of the present invention relate to the field of communication technologies, and in particular to a user authentication method, an intelligent gateway and an authentication server.

Background

With the rapid development of the mobile Internet and the wide adoption of mobile applications, user demand for intelligent gateways is growing by the day. The intelligent gateway is the hub of multi-network access and intranet management. It serves as the channel through which operators and third-party service systems provide network services: in addition to the operator's broadband data, voice and video services, it also provides the applications and services of third-party service systems such as gaming services, video on demand and location services, which greatly improves the user's networking experience.

With the rapid development of third-party service systems, there are more and more of them, and the kinds of third-party services on offer are increasingly rich. At present, a user who wants to access a third-party service system must be verified by the third-party service platform opened by the corresponding service provider. When the user accesses different third-party service systems, the service providers differ, so the corresponding third-party service platforms verify the customer through different processes, which makes accessing third-party service systems very inconvenient for the user. Moreover, because the third-party service platforms corresponding to different third-party service systems use different user authentication methods, unified authentication of users cannot be achieved.

Summary of the Invention

Embodiments of the present invention provide a user authentication method, an intelligent gateway and an authentication server, to solve the following problem: at present, when a user accesses different third-party service systems, the service providers differ, so the corresponding third-party service platforms verify the customer through different processes, which makes accessing third-party service systems very inconvenient for the user; and because the third-party service platforms corresponding to different third-party service systems use different user authentication methods, unified authentication of users cannot be achieved.

One aspect of the embodiments of the present invention provides a user authentication method, including:

an intelligent gateway receives a first service access request sent by a user through a terminal, where the first service access request includes user login information and feature information of the target service that the user requests to access;

the intelligent gateway determines the service identifier of the target service according to the feature information of the target service in the first service access request;

the intelligent gateway sends a first user authentication request to an authentication server, where the first user authentication request includes the gateway identifier of the intelligent gateway and the service identifier of the target service, so that the authentication server generates an authentication token according to the gateway identifier and the service identifier and returns the authentication token to the intelligent gateway;

the intelligent gateway receives the authentication token sent by the authentication server;

the intelligent gateway sends a second service access request to a third-party service system, where the second service access request includes the authentication token, the gateway identifier, the service identifier of the target service and the user login information, so that the third-party service system sends a second user authentication request to the authentication server, where the second user authentication request includes the authentication token, the gateway identifier, the service identifier of the target service and the user login information, so that the authentication server performs authentication processing on the user and, according to the authentication processing result, returns to the third-party service system the permission information for the user to access the target service.

Another aspect of the embodiments of the present invention provides a user authentication method, including:

an authentication server receives a first user authentication request sent by an intelligent gateway, where the first user authentication request includes the gateway identifier of the intelligent gateway and the service identifier of the target service that the user requests to access;

the authentication server generates an authentication token according to the gateway identifier and the service identifier, and stores the authentication token in correspondence with the gateway identifier and the service identifier;

the authentication server sends the authentication token to the intelligent gateway, so that the intelligent gateway, after receiving the authentication token, sends a second service access request to a third-party service system, where the second service access request includes the authentication token, the gateway identifier of the intelligent gateway, the service identifier of the target service and the user login information, so that the third-party service system sends a second user authentication request to the authentication server;

the authentication server receives the second user authentication request sent by the third-party service system, where the second user authentication request includes the authentication token, the gateway identifier of the intelligent gateway, the service identifier of the target service and the user login information;

the authentication server performs user authentication processing according to the second user authentication request and, according to the authentication processing result, sends to the third-party service system the permission information for the user to access the target service.

Another aspect of the embodiments of the present invention provides an intelligent gateway, including a gateway module and a deep packet inspection module, where:

the gateway module is configured for the intelligent gateway to receive a first service access request sent by a user through a terminal, where the first service access request includes user login information and feature information of the target service that the user requests to access;

the deep packet inspection module is configured for the intelligent gateway to determine the service identifier of the target service according to the feature information of the target service in the first service access request;

the gateway module is further configured for the intelligent gateway to send a first user authentication request to an authentication server, where the first user authentication request includes the gateway identifier of the intelligent gateway and the service identifier of the target service, so that the authentication server generates an authentication token according to the gateway identifier and the service identifier and returns the authentication token to the intelligent gateway;

the gateway module is further configured for the intelligent gateway to receive the authentication token sent by the authentication server;

the gateway module is further configured for the intelligent gateway to send a second service access request to a third-party service system, where the second service access request includes the authentication token, the gateway identifier, the service identifier of the target service and the user login information, so that the third-party service system sends a second user authentication request to the authentication server, where the second user authentication request includes the authentication token, the gateway identifier, the service identifier of the target service and the user login information, so that the authentication server performs authentication processing on the user and, according to the authentication processing result, returns to the third-party service system the permission information for the user to access the target service.

Another aspect of the embodiments of the present invention provides an authentication server, including a processor, a memory, and a computer program stored in the memory and executable by the processor,

where the processor implements the above user authentication method when it runs the computer program.

In the user authentication method, intelligent gateway and authentication server provided by the embodiments of the present invention, the intelligent gateway, after receiving the first service access request sent by the user through the terminal, sends a first user authentication request to the authentication server. The first user authentication request includes the gateway identifier of the intelligent gateway and the service identifier of the target service. The authentication server generates an authentication token according to the gateway identifier and the service identifier and returns it to the intelligent gateway. The intelligent gateway sends to the third-party service system a second service access request carrying the authentication token, the gateway identifier, the service identifier of the target service and the user login information, so that the third-party service system sends a second user authentication request to the authentication server. The second user authentication request includes the authentication token, the gateway identifier, the service identifier of the target service and the user login information, so the authentication server performs authentication processing on the user and, according to the authentication processing result, returns to the third-party service system the permission information for the user to access the target service. The authentication server thus uniformly authenticates users who initiate third-party service access requests through the intelligent gateway, which makes it more convenient and faster for users to access third-party service systems.

Description of Drawings

FIG. 1 is a flowchart of the user authentication method provided by Embodiment 1 of the present invention;

FIG. 2 is a flowchart of the user authentication method provided by Embodiment 2 of the present invention;

FIG. 3 is a flowchart of the user authentication method provided by Embodiment 3 of the present invention;

FIG. 4 is a flowchart of the user authentication method provided by Embodiment 4 of the present invention;

FIG. 5 is a signaling diagram of the user authentication method provided by Embodiment 5 of the present invention;

FIG. 6 is a schematic structural diagram of the intelligent gateway provided by Embodiment 6 of the present invention;

FIG. 7 is a schematic structural diagram of the authentication server provided by Embodiment 8 of the present invention.

Detailed Description

To make the technical solutions and advantages of the present invention clearer, the technical solutions of the present invention are described clearly and completely below with reference to the accompanying drawings in the embodiments of the present invention. Obviously, the described embodiments are some, not all, of the embodiments of the present invention. All other embodiments obtained by a person of ordinary skill in the art based on the embodiments of the present invention without creative effort fall within the protection scope of the present invention.

In the embodiments of the present invention, the intelligent gateway, also called the smart home gateway, is the core of smart home services and has two main functions: smart home control hub and wireless router. The intelligent gateway connects to the service network or the Internet through broadband access or similar means. While interconnecting through the intelligent gateway, the various home network terminals also access the broadband IP network through the home gateway and cooperate with service platforms or other terminals on the broadband IP network, giving users a wider range of home network service capabilities.

Deep Packet Inspection (DPI) is an application-layer traffic detection and control technology. When IP packets, Transmission Control Protocol (TCP) data streams or User Datagram Protocol (UDP) data streams pass through a bandwidth management system based on DPI, the system reads deep into the payload of the IP packets to reassemble the application-layer information, so that it can obtain the content of the whole application and further identify the corresponding service flow.

The gateway management client is the client the user uses to control the intelligent gateway; it interacts with the intelligent gateway to implement the corresponding control functions. Through the gateway management client the user can control the various services of the intelligent gateway, view the usage of the gateway, and manage the intelligent gateway remotely. Inside the local area network, the gateway management client can interact with the intelligent gateway directly to implement the control functions; on the public network, it interacts with the intelligent gateway through the intelligent gateway management platform.

Embodiment 1

FIG. 1 is a flowchart of the user authentication method provided by Embodiment 1 of the present invention. This embodiment addresses the problem that, at present, when a user accesses different third-party service systems, the service providers differ, so the corresponding third-party service platforms verify the customer through different processes, which makes accessing third-party service systems very inconvenient for the user, and that, because the third-party service platforms corresponding to different third-party service systems use different user authentication methods, unified authentication of users cannot be achieved; it provides a user authentication method. As shown in FIG. 1, the specific steps of the method are as follows:

Step S101: The intelligent gateway receives a first service access request sent by a user through a terminal, where the first service access request includes user login information and feature information of the target service that the user requests to access.

Here, the target service is the service the user is currently requesting to access, and it can be any third-party service. The user login information includes at least the user account and login password corresponding to the target service.

In this embodiment, the terminal may be a mobile phone, a tablet computer, a personal computer (PC), a smart home appliance, a smart bracelet or another device that can access a third-party service system through the intelligent gateway. When the user requests to use a third-party service, the user can, on a terminal on which the third-party application software corresponding to that service is installed, send the first service access request to the intelligent gateway through the third-party application software; the request is processed and forwarded by the intelligent gateway and transmitted to the third-party service system.

Step S102: The intelligent gateway determines the service identifier of the target service according to the feature information of the target service in the first service access request.

In this embodiment, the intelligent gateway can extract the feature information of the target service from the first service access request and, based on the feature information and other related information of all known services stored in a pre-stored service information database, determine which service the target service requested by the user is, and determine the service identifier of the target service.

Step S103: The intelligent gateway sends a first user authentication request to the authentication server, where the first user authentication request includes the gateway identifier of the intelligent gateway and the service identifier of the target service, so that the authentication server generates an authentication token according to the gateway identifier and the service identifier and returns the authentication token to the intelligent gateway.

Here, the authentication token is a character sequence that the authentication server computes from the gateway identifier and the service identifier according to a preset algorithm. For example, it can be obtained by the authentication server encrypting the character sequence formed by the gateway identifier and the service identifier according to a preset message digest algorithm.

Step S104: The intelligent gateway receives the authentication token sent by the authentication server.

Step S105: The intelligent gateway sends a second service access request to the third-party service system, where the second service access request includes the authentication token, the gateway identifier, the service identifier of the target service and the user login information, so that the third-party service system sends a second user authentication request to the authentication server, where the second user authentication request includes the authentication token, the gateway identifier, the service identifier of the target service and the user login information, so that the authentication server performs authentication processing on the user and, according to the authentication processing result, returns to the third-party service system the permission information for the user to access the target service.

Here, the third-party service system provides various service functions to the user; the user installs the corresponding application software on the terminal and sends requests to access a service to the third-party service system through the intelligent gateway.

In this embodiment, the intelligent gateway sends the second service access request to the third-party service system. After receiving the second service access request sent by the intelligent gateway, the third-party service system sends the second user authentication request to the authentication server. The second user authentication request includes the authentication token, the gateway identifier, the service identifier of the target service and the user login information, so that the authentication server performs authentication processing on the user and, according to the authentication processing result, returns to the third-party service system the permission information for the user to access the target service. After receiving the permission information for the user to access the target service, the third-party service system responds to the second service access request from the intelligent gateway according to that permission information.

In this embodiment of the present invention, the intelligent gateway, after receiving the first service access request sent by the user through the terminal, sends a first user authentication request to the authentication server. The first user authentication request includes the gateway identifier of the intelligent gateway and the service identifier of the target service. The authentication server generates an authentication token according to the gateway identifier and the service identifier and returns it to the intelligent gateway. The intelligent gateway sends to the third-party service system a second service access request carrying the authentication token, the gateway identifier, the service identifier of the target service and the user login information, so that the third-party service system sends a second user authentication request to the authentication server. The second user authentication request includes the authentication token, the gateway identifier, the service identifier of the target service and the user login information, so the authentication server performs authentication processing on the user and, according to the authentication processing result, returns to the third-party service system the permission information for the user to access the target service. The authentication server thus uniformly authenticates users who initiate third-party service access requests through the intelligent gateway, which makes it more convenient and faster for users to access third-party service systems.
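The token round trip of steps S103 to S105, seen from the authentication server, as an added example that is not code from the patent. The class and method names, the HMAC-with-nonce token, the expiry and single-use rules and the credential check are assumptions; `digest_token` shows the plain digest the description mentions, for comparison.

```python
import hashlib
import hmac
import secrets
import time


def digest_token(gateway_id: str, service_id: str) -> str:
    """Token as the description words it: a message digest over the two identifiers.
    It is deterministic, so it is only as secret as the identifiers themselves."""
    return hashlib.sha256(f"{gateway_id}|{service_id}".encode()).hexdigest()


class AuthServer:
    """Hypothetical authentication server; all names here are assumptions."""

    def __init__(self, ttl_seconds: int = 60, clock=time.time):
        self._key = secrets.token_bytes(32)   # server-side secret, never leaves the server
        self._ttl = ttl_seconds
        self._clock = clock
        self._issued = {}     # token -> (gateway_id, service_id, expires_at)
        self._accounts = {}   # (service_id, account) -> (salt, pw_hash, permissions)

    def register(self, service_id, account, password, permissions):
        salt = secrets.token_bytes(16)
        pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        self._accounts[(service_id, account)] = (salt, pw_hash, tuple(permissions))

    def issue_token(self, gateway_id, service_id):
        """First user authentication request: gateway ID and service ID in, token out."""
        nonce = secrets.token_hex(16)         # makes every token unique and unguessable
        msg = f"{gateway_id}|{service_id}|{nonce}".encode()
        token = hmac.new(self._key, msg, hashlib.sha256).hexdigest()
        # Store the token in correspondence with the identifiers it was issued for.
        self._issued[token] = (gateway_id, service_id, self._clock() + self._ttl)
        return token

    def verify(self, token, gateway_id, service_id, account, password):
        """Second user authentication request, sent by the third-party service system."""
        record = self._issued.pop(token, None)   # single use: a replayed token is unknown
        if record is None:
            return {"granted": False, "reason": "unknown_token"}
        bound_gateway, bound_service, expires_at = record
        if self._clock() > expires_at:
            return {"granted": False, "reason": "expired_token"}
        if (bound_gateway, bound_service) != (gateway_id, service_id):
            return {"granted": False, "reason": "binding_mismatch"}
        entry = self._accounts.get((service_id, account))
        if entry is None:
            return {"granted": False, "reason": "bad_credentials"}
        salt, pw_hash, permissions = entry
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        if not hmac.compare_digest(candidate, pw_hash):
            return {"granted": False, "reason": "bad_credentials"}
        # Permission information returned to the third-party service system.
        return {"granted": True, "permissions": list(permissions)}


if __name__ == "__main__":
    server = AuthServer()
    server.register("svc-video", "alice", "pw-constructed", ["play"])  # constructed sample
    tok = server.issue_token("gw-01", "svc-video")
    print(server.verify(tok, "gw-01", "svc-video", "alice", "pw-constructed"))
    print(server.verify(tok, "gw-01", "svc-video", "alice", "pw-constructed"))  # replay
```

Two requests for the same gateway and service return the same `digest_token` value but different `issue_token` values, which is why the stored binding, not the digest alone, is what the second request is checked against.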

Embodiment 2

FIG. 2 is a flowchart of the user authentication method provided by Embodiment 2 of the present invention. On the basis of Embodiment 1 above, in this embodiment, before the intelligent gateway sends the first user authentication request to the authentication server, the method further includes: the intelligent gateway determines, according to the service identifier of the target service and preset gateway service permissions, whether access to the target service through the intelligent gateway is allowed; if it determines that access to the target service through the intelligent gateway is allowed, the intelligent gateway sends the first user authentication request to the authentication server. As shown in FIG. 2, the specific steps of the method are as follows:

Step S201: The intelligent gateway receives a first service access request sent by a user through a terminal, where the first service access request includes user login information and feature information of the target service that the user requests to access.

Here, the target service is the service the user is currently requesting to access, and it can be any third-party service. The user login information includes at least the user account and login password corresponding to the target service. The feature information of the target service is representative information that can be used to characterize the service features of the target service. It can be information such as the port used for data transmission, the protocol type, a feature string or traffic behavior features. For example, to identify a spam e-mail service, spam can be identified from parameters such as the rate at which mail is sent, the number and rate of change of destination mail addresses, the number and rate of change of source mail addresses, and the frequency with which mail is rejected.

In this embodiment, the terminal may be a mobile phone, a tablet computer, a personal computer (PC), a smart home appliance, a smart bracelet or another device that can access a third-party service system through the intelligent gateway. When the user requests to use a third-party service, the user can, on a terminal on which the third-party application software corresponding to that service is installed, send the first service access request to the intelligent gateway through the third-party application software; the request is processed and forwarded by the intelligent gateway and transmitted to the third-party service system.

Step S202: The intelligent gateway determines the service identifier of the target service according to the feature information of the target service in the first service access request.

In this embodiment, the intelligent gateway can extract the feature information of the target service from the first service access request and, using the feature information and other related information of all known services stored in a pre-stored service information database, determine which service the user is requesting to access and determine the service identifier of that target service.

Specifically, the intelligent gateway may determine the service identifier of the target service from the feature information of the target service in the first service access request as follows:

The intelligent gateway obtains the feature information of the target service from the first service access request; the intelligent gateway obtains, from a pre-stored service information database, the service information whose feature information is consistent with the feature information of the target service; the intelligent gateway determines that the service identifier of the target service is the service identifier corresponding to that service information.

The pre-stored service information database stores the service identifiers of all known services and their corresponding service feature information.

In this embodiment, the intelligent gateway includes a gateway module and a deep packet inspection module. The gateway module obtains the feature information of the target service from the first service access request and sends it to the deep packet inspection module. The deep packet inspection module obtains, from the pre-stored service information database, the service information whose feature information is consistent with the feature information of the target service, and uses the service identifier corresponding to that service information as the service identifier of the target service.

In addition, the deep packet inspection module may be a DPI data center server set up independently of the intelligent gateway, with the pre-stored service information database stored on the DPI data center server. The DPI data center server compares the feature information of the target service with the feature information of the services in the pre-stored service information database, obtains from the database the service information whose feature information is consistent with that of the target service, thereby determines the service identifier of the target service, and feeds the service identifier of the target service back to the gateway.

The authentication server receives a gateway service authorization instruction sent by the user through the gateway management client. The gateway service authorization instruction includes at least a gateway identifier and authorized service identifiers, where the authorized service identifiers are the service identifiers of all services that are allowed to be accessed through the intelligent gateway under the gateway service authority that the user wants to set for the intelligent gateway corresponding to the gateway identifier. The authentication server stores the gateway identifier and the authorized service identifiers in correspondence with each other and sends them to the DPI policy configuration server of the intelligent gateway corresponding to the gateway identifier. The DPI policy configuration server sends a DPI policy configuration instruction to the gateway corresponding to the gateway identifier according to the gateway identifier and the authorized service identifiers, and the intelligent gateway configures the DPI function of its deep packet inspection module according to the DPI policy configuration instruction. In this embodiment, configuring the DPI function of the gateway may be implemented by methods in the prior art, which are not described again here.

In this embodiment of the present invention, the intelligent gateway may also determine the service identifier of the target service from the feature information of the target service in the first service access request by using any existing DPI technology, which is not described again here.

Step S203: The intelligent gateway determines, according to the service identifier of the target service and the preset gateway service authority, whether access to the target service through the intelligent gateway is allowed.

The preset gateway service authority specifies which services the intelligent gateway has permission to access. In addition, before the user presets the gateway service authority of the intelligent gateway through the gateway management client, the user's gateway management account is bound to the intelligent gateway, as follows:

The user sends a gateway management account authorization request to the authentication server through the gateway management client. The gateway management account authorization request carries the gateway management account and the gateway identifier. The authentication server binds the gateway management account to the gateway.
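The following Python example, added here and not part of the patent, shows steps S202 and S203 together with the first user authentication request the gateway would then send: feature information is matched against a service information database, and the preset gateway service authority is applied as a default-deny allow list. The record fields, identifiers such as `svc-video` and `gw-001`, and the sample payloads are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class ServiceRecord:
    """One row of the service information database (field set is an assumption)."""
    service_id: str
    protocol: Optional[str] = None      # protocol type, e.g. "tcp"
    port: Optional[int] = None          # port used for data transmission
    signature: Optional[bytes] = None   # characteristic string expected in the payload

    def specificity(self) -> int:
        """Number of features this record constrains."""
        return sum(f is not None for f in (self.protocol, self.port, self.signature))

    def matches(self, protocol: str, port: int, payload: bytes) -> bool:
        """A record matches when every feature it constrains agrees with the request."""
        if self.protocol is not None and self.protocol != protocol:
            return False
        if self.port is not None and self.port != port:
            return False
        if self.signature is not None and self.signature not in payload:
            return False
        return True


# Constructed sample database; a real one would be provisioned by the DPI policy server.
SERVICE_DB = [
    ServiceRecord("svc-web", protocol="tcp", port=443),
    ServiceRecord("svc-video", protocol="tcp", port=443, signature=b"video.example"),
    ServiceRecord("svc-mail", protocol="tcp", port=25, signature=b"EHLO"),
]


def identify_service(protocol, port, payload, db=SERVICE_DB):
    """Step S202: return the service identifier of the most specific matching record."""
    candidates = [r for r in db
                  if r.specificity() > 0 and r.matches(protocol, port, payload)]
    if not candidates:
        return None  # unknown traffic is never mapped to a service
    return max(candidates, key=ServiceRecord.specificity).service_id


def first_auth_request(gateway_id, authorized_service_ids, access_request):
    """Step S203 plus the request of step S204.

    Returns the first user authentication request, or None when the target
    service is unknown or not in the gateway service authority (default deny).
    """
    service_id = identify_service(access_request["protocol"],
                                  access_request["port"],
                                  access_request["payload"])
    if service_id is None or service_id not in authorized_service_ids:
        return None
    # Only the gateway identifier and service identifier go to the
    # authentication server here; the login information is not included.
    return {"gateway_id": gateway_id, "service_id": service_id}
```

Choosing the most specific match keeps a broad record (any TCP traffic to port 443) from shadowing a narrower one that also constrains the payload string.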

Step S204: If it is determined that access to the target service through the intelligent gateway is allowed, the intelligent gateway sends a first user authentication request to the authentication server. The first user authentication request includes the gateway identifier of the intelligent gateway and the service identifier of the target service, so that the authentication server generates an authentication token according to the gateway identifier and the service identifier and feeds the authentication token back to the intelligent gateway.

The authentication token is a character sequence calculated by the authentication server from the gateway identifier and the service identifier according to a preset algorithm. For example, it can be obtained by the authentication server encrypting the character sequence composed of the gateway identifier and the service identifier according to a preset hash algorithm.

Step S205: The intelligent gateway receives the authentication token sent by the authentication server.

Step S206: The intelligent gateway sends a second service access request to the third-party service system. The second service access request includes the authentication token, the gateway identifier, the service identifier of the target service, and the user login information, so that the third-party service system sends a second user authentication request to the authentication server. The second user authentication request includes the authentication token, the gateway identifier, the service identifier of the target service, and the user login information, so that the authentication server performs authentication processing on the user and, according to the authentication processing result, feeds back to the third-party service system the permission information for the user's access to the target service.

The third-party service system provides various service functions for the user. The user installs the corresponding application software on the terminal and sends requests to access the service to the third-party service system through the intelligent gateway.

In this embodiment, the intelligent gateway sends the second service access request to the third-party service system. After receiving the second service access request, the third-party service system sends a second user authentication request to the authentication server. The second user authentication request includes the authentication token, the gateway identifier, the service identifier of the target service, and the user login information, so that the authentication server performs authentication processing on the user and, according to the authentication processing result, feeds back to the third-party service system the permission information for the user's access to the target service. After receiving this permission information, the third-party service system responds to the second service access request sent by the intelligent gateway according to the permission information.

In this embodiment of the present invention, after the intelligent gateway receives the first service access request sent by the user through the terminal, it determines, according to the determined service identifier of the target service and the preset gateway service authority, whether access to the target service through the intelligent gateway is allowed. If access is allowed, the intelligent gateway sends a first user authentication request, which includes the gateway identifier of the intelligent gateway and the service identifier of the target service, to the authentication server. The authentication server generates an authentication token according to the gateway identifier and the service identifier and feeds it back to the intelligent gateway. The intelligent gateway then sends the third-party service system a second service access request carrying the authentication token, the gateway identifier, the service identifier of the target service, and the user login information, so that the third-party service system sends the authentication server a second user authentication request that includes the authentication token, the gateway identifier, the service identifier of the target service, and the user login information. The authentication server then performs authentication processing on the user and, according to the authentication processing result, feeds back to the third-party service system the permission information for the user's access to the target service. In this way, the authentication server uniformly authenticates users who initiate third-party service access requests through the intelligent gateway, which makes it more convenient and faster for users to access third-party service systems.

Embodiment 3

FIG. 3 is a flowchart of the user authentication method provided in Embodiment 3 of the present invention. At present, when users access different third-party service systems, the service providers differ, so the corresponding third-party service platforms verify users through different processes, which makes accessing third-party service systems very inconvenient. Moreover, because the third-party service platforms of different third-party service systems use different user authentication methods, unified authentication of users cannot be achieved. This embodiment of the present invention provides a user authentication method to address these problems. As shown in FIG. 3, the specific steps of the method are as follows:

Step S301: The authentication server receives a first user authentication request sent by the intelligent gateway. The first user authentication request includes the gateway identifier of the intelligent gateway and the service identifier of the target service that the user requests to access.

The target service is the service the user is currently requesting to access, and it may be any third-party service. The service identifier of the target service is determined by the intelligent gateway from the feature information of the target service in the first service access request it received.

In this embodiment, the authentication server may communicate with multiple intelligent gateways to complete user authentication. This embodiment describes the user authentication process using only the interaction between the authentication server and one intelligent gateway as an example.

Step S302: The authentication server generates an authentication token according to the gateway identifier and the service identifier, and stores the authentication token in correspondence with the gateway identifier and the service identifier.

In this embodiment, the authentication token is a character sequence that the authentication server calculates from the gateway identifier and the service identifier according to a preset algorithm. The preset algorithm may be any preset encryption algorithm and may be set in advance by a technician according to actual needs. This embodiment does not specifically limit which algorithm is used to calculate the authentication token.

For example, the preset algorithm may be a hash algorithm, and the authentication token may be obtained by the authentication server encrypting the character sequence composed of the gateway identifier and the service identifier according to the preset hash algorithm.

Step S303: The authentication server sends the authentication token to the intelligent gateway, so that after receiving the authentication token the intelligent gateway sends a second service access request to the third-party service system. The second service access request includes the authentication token, the gateway identifier of the intelligent gateway, the service identifier of the target service, and the user login information, so that the third-party service system sends a second user authentication request to the authentication server.

In this embodiment of the present invention, after the authentication server generates the authentication token, it sends the token to the intelligent gateway, and the intelligent gateway then sends the second service access request to the third-party service system. The third-party service system does not authenticate the user itself. Instead, based on the authentication token, the gateway identifier of the intelligent gateway, the service identifier of the target service, and the user login information carried in the second service access request, it sends a second user authentication request to the authentication server, and the authentication server authenticates the user in a unified manner.

Step S304: The authentication server receives the second user authentication request sent by the third-party service system. The second user authentication request includes the authentication token, the gateway identifier of the intelligent gateway, the service identifier of the target service, and the user login information.

The user login information includes at least a user account and a login password corresponding to the target service.

Step S305: The authentication server performs user authentication processing according to the second user authentication request and, according to the authentication processing result, sends the third-party service system the permission information for the user's access to the target service.

In this embodiment, after receiving the second user authentication request sent by the third-party service system, the authentication server verifies the authentication token and the user login information according to the second user authentication request. After both the authentication token and the user login information pass verification, the authentication server sends the third-party service system the permission information for the user's access to the target service, so that the third-party service system responds to the second service access request of the intelligent gateway according to the received permission information.

In this embodiment of the present invention, the authentication server receives the first user authentication request sent by the intelligent gateway, which includes the gateway identifier of the intelligent gateway and the service identifier of the target service, generates an authentication token according to the gateway identifier and the service identifier, and feeds the token back to the intelligent gateway. The intelligent gateway then sends the third-party service system a second service access request carrying the authentication token, the gateway identifier, the service identifier of the target service, and the user login information, so that the third-party service system sends the authentication server a second user authentication request that includes the authentication token, the gateway identifier, the service identifier of the target service, and the user login information. After receiving the second user authentication request, the authentication server performs authentication processing on the user and, according to the authentication processing result, feeds back to the third-party service system the permission information for the user's access to the target service. In this way, the authentication server uniformly authenticates users who initiate third-party service access requests through the intelligent gateway, which makes it more convenient and faster for users to access third-party service systems.

Embodiment 4

FIG. 4 is a flowchart of the user authentication method provided in Embodiment 4 of the present invention. Building on Embodiment 3 above, in this embodiment the authentication server performing user authentication processing according to the second user authentication request, and sending the third-party service system the permission information for the user's access to the target service according to the authentication processing result, includes the following: the authentication server verifies the authentication token sent by the third-party service system according to the second user authentication request; if the authentication token sent by the third-party service system passes verification, the authentication server verifies the user login information according to the service identifier of the target service and the stored service data; if the user login information passes verification, the authentication server sends the third-party service system the permission information for the user's access to the target service. As shown in FIG. 4, the specific steps of the method are as follows:

Step S401: The authentication server receives a first user authentication request sent by the intelligent gateway. The first user authentication request includes the gateway identifier of the intelligent gateway and the service identifier of the target service that the user requests to access.

The target service is the service the user is currently requesting to access, and it may be any third-party service. The service identifier of the target service is determined by the intelligent gateway from the feature information of the target service in the first service access request it received.

This step is similar to step S301 above and is not described again here.

Step S402: The authentication server generates an authentication token according to the gateway identifier and the service identifier, and stores the authentication token in correspondence with the gateway identifier and the service identifier.

This step is similar to step S302 above and is not described again here.

Step S403: The authentication server sends the authentication token to the intelligent gateway, so that after receiving the authentication token the intelligent gateway sends a second service access request to the third-party service system. The second service access request includes the authentication token, the gateway identifier of the intelligent gateway, the service identifier of the target service, and the user login information, so that the third-party service system sends a second user authentication request to the authentication server.

This step is similar to step S303 above and is not described again here.

Step S404: The authentication server receives the second user authentication request sent by the third-party service system. The second user authentication request includes the authentication token, the gateway identifier of the intelligent gateway, the service identifier of the target service, and the user login information.

Step S405: The authentication server verifies the authentication token in the second user authentication request according to the second user authentication request.

In this step, the authentication server may verify the authentication token in the second user authentication request as follows:

The authentication server obtains the target token, which is the authentication token stored in correspondence with the gateway identifier of the intelligent gateway and the service identifier of the target service. The authentication server determines whether the authentication token in the second user authentication request is consistent with the target token. If the two are consistent, the authentication server determines that the authentication token in the second user authentication request has passed verification. If the two are inconsistent, the authentication server sends an authentication token verification failure message to the third-party service system, indicating that unauthorized access involving the third-party service system may have occurred, so that the third-party service system denies the user access to the target service.

Step S406: If the authentication token in the second user authentication request passes verification, the authentication server verifies the user login information according to the service identifier of the target service and the stored service data.

The user login information includes at least the account information the user uses to access the target service and the user account and password entered at login. The user login information may also include any other information that can be used in the prior art to verify a user's identity, which is not specifically limited in this embodiment. The authentication server may verify the user login information using prior-art methods for verifying the corresponding type of information entered at login, which are not described again here.

In this step, after the authentication token in the second user authentication request passes verification, the authentication server goes on to verify the user login information in order to verify the user's identity. If the user login information passes verification, the user is considered a legitimate user. If the user login information fails verification, the user is considered an illegitimate user, and the authentication server sends a user login information verification failure message to the third-party service system, so that the third-party service system denies the user access to the target service.

For example, the user login information may be the user account and password entered by the user. After the authentication server verifies that the entered user account and password are correct, the user can be considered a legitimate user.

Step S407: If the user login information passes verification, the authentication server sends the third-party service system the permission information for the user's access to the target service.

In this embodiment, the authentication server stores user service permission information in advance. The user service permission information includes the permission information for any user's access to any third-party service, and it can be updated in real time as the third-party service system changes the access permissions granted to users, to ensure that users' access permissions for third-party services are accurate.

Optionally, when the third-party service system grants, changes, or revokes a user's permission to access the target service, the authentication server updates the stored user service permission information.

In this step, if the user login information passes verification, the authentication server obtains the permission information for the user's access to the target service and sends it to the third-party service system, so that the third-party service system responds to the second service access request of the intelligent gateway according to that permission information, and the intelligent gateway in turn responds to the first service access request sent through the terminal.

Steps S405 to S407 above are the process by which the authentication server performs user authentication processing according to the second user authentication request and, according to the authentication processing result, sends the third-party service system the permission information for the user's access to the target service.

This embodiment of the present invention provides the process by which the authentication server performs user authentication processing according to the second user authentication request and, according to the authentication processing result, sends the third-party service system the permission information for the user's access to the target service. In this way, the authentication server uniformly authenticates users who initiate third-party service access requests through the intelligent gateway, which makes it more convenient and faster for users to access third-party service systems.
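The following Python example, added here and not part of the patent, walks through the authentication server side of steps S401 to S407: token issuance and storage, token verification against the stored target token, login verification, and return of permission information. The patent leaves the token algorithm open; this example assumes HMAC-SHA256 under a server-side key with a random nonce, because a plain hash of two identifiers can be recomputed by anyone who knows them, and it assumes PBKDF2 for the stored passwords. All class, method, and identifier names are hypothetical.

```python
import hashlib
import hmac
import secrets


class AuthServer:
    """Constructed model of the authentication server in steps S401-S407."""

    def __init__(self):
        self._key = secrets.token_bytes(32)  # assumption: server-side HMAC key
        self._tokens = {}       # (gateway_id, service_id) -> stored target token
        self._accounts = {}     # (service_id, account) -> (salt, password hash)
        self._permissions = {}  # (service_id, account) -> permission information

    @staticmethod
    def _hash_password(password, salt):
        # Assumption: PBKDF2-HMAC-SHA256; the patent defers to prior-art methods.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def register_user(self, service_id, account, password, permission):
        """Store the service data and user service permission information."""
        salt = secrets.token_bytes(16)
        self._accounts[(service_id, account)] = (salt, self._hash_password(password, salt))
        self._permissions[(service_id, account)] = permission

    def update_permission(self, service_id, account, permission):
        """Called when the third-party system grants, changes or revokes access."""
        self._permissions[(service_id, account)] = permission

    def issue_token(self, gateway_id, service_id):
        """S401-S403: derive the token from both identifiers and store it."""
        nonce = secrets.token_hex(16)
        # A separator keeps ("gw1", "2svc") and ("gw12", "svc") from colliding.
        message = "\x1f".join((gateway_id, service_id, nonce)).encode()
        token = hmac.new(self._key, message, hashlib.sha256).hexdigest()
        self._tokens[(gateway_id, service_id)] = token
        return token

    def authenticate(self, token, gateway_id, service_id, account, password):
        """S404-S407: verify the token first, then the login information."""
        target = self._tokens.get((gateway_id, service_id))
        # S405: constant-time comparison with the stored target token.
        if target is None or not hmac.compare_digest(target.encode(), token.encode()):
            return {"ok": False, "reason": "token_verification_failed"}
        # S406: verify the login information for this service.
        record = self._accounts.get((service_id, account))
        if record is None:
            return {"ok": False, "reason": "login_verification_failed"}
        salt, stored_hash = record
        if not hmac.compare_digest(stored_hash, self._hash_password(password, salt)):
            return {"ok": False, "reason": "login_verification_failed"}
        # S407: return the permission information for the target service.
        return {"ok": True, "permission": self._permissions[(service_id, account)]}
```

The token is bound to the (gateway identifier, service identifier) pair it was stored under, so presenting it with a different gateway identifier fails at step S405 before any password is checked.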

Embodiment 5

FIG. 5 is a signaling diagram of the user authentication method provided by Embodiment 5 of the present invention. As shown in FIG. 5, the method includes the following steps:

Step S501: the user sends a first service access request to the intelligent gateway through a terminal;

Step S502: the intelligent gateway determines the service identifier of the target service according to the feature information of the target service in the first service access request;

Step S503: the intelligent gateway sends a first user authentication request to the authentication server, where the first user authentication request includes the gateway identifier of the intelligent gateway and the service identifier of the target service;

Step S504: the authentication server generates an authentication token according to the gateway identifier and the service identifier, and stores the authentication token in correspondence with the gateway identifier and the service identifier;

Step S505: the authentication server feeds the authentication token back to the intelligent gateway;

Step S506: the intelligent gateway sends a second service access request to the third-party service system, where the second service access request includes the authentication token, the gateway identifier, the service identifier of the target service, and the user login information;

Step S507: the third-party service system sends a second user authentication request to the authentication server, where the second user authentication request includes the authentication token, the gateway identifier, the service identifier of the target service, and the user login information;

Step S508: the authentication server performs user authentication processing according to the second user authentication request;

Step S509: the authentication server sends the user's permission information for accessing the target service to the third-party service system according to the authentication processing result;

After the user authentication process is completed, the third-party service system responds to the user's service access request according to the received permission information for accessing the target service. Optionally, the method may further include steps S510-S511 to complete the response to the user's access to the target service.

Step S510: the third-party service system responds to the intelligent gateway's second service access request according to the user's permission information for accessing the target service;

Step S511: the intelligent gateway responds to the first service access request sent through the terminal.

This embodiment of the present invention provides the interaction process among the intelligent gateway, the authentication server, and the third-party service system during user authentication.

Embodiment 6

FIG. 6 is a schematic structural diagram of the intelligent gateway provided by Embodiment 6 of the present invention. The intelligent gateway provided by this embodiment can execute the processing flow of the user authentication method provided by Embodiment 1 above. As shown in FIG. 6, the intelligent gateway 60 includes a gateway module 601 and a deep packet inspection module 602.

Specifically, the gateway module 601 is used by the intelligent gateway to receive a first service access request sent by a user through a terminal, where the first service access request includes user login information and feature information of the target service that the user requests to access.

The deep packet inspection module 602 is used by the intelligent gateway to determine the service identifier of the target service according to the feature information of the target service in the first service access request.

The gateway module 601 is further used by the intelligent gateway to send a first user authentication request to the authentication server, where the first user authentication request includes the gateway identifier of the intelligent gateway and the service identifier of the target service, so that the authentication server generates an authentication token according to the gateway identifier and the service identifier and feeds the authentication token back to the intelligent gateway.

The gateway module 601 is further used by the intelligent gateway to receive the authentication token sent by the authentication server.

The gateway module 601 is further used by the intelligent gateway to send a second service access request to the third-party service system, where the second service access request includes the authentication token, the gateway identifier, the service identifier of the target service, and the user login information, so that the third-party service system sends a second user authentication request to the authentication server. The second user authentication request includes the authentication token, the gateway identifier, the service identifier of the target service, and the user login information, so that the authentication server performs authentication processing on the user and, according to the authentication processing result, feeds back the user's permission information for accessing the target service to the third-party service system.

The intelligent gateway provided by this embodiment of the present invention may be specifically used to execute the method embodiment provided by Embodiment 1 above; its specific functions are not repeated here.

In this embodiment of the present invention, after receiving the first service access request sent by the user through the terminal, the intelligent gateway sends a first user authentication request to the authentication server, where the first user authentication request includes the gateway identifier of the intelligent gateway and the service identifier of the target service. The authentication server generates an authentication token according to the gateway identifier and the service identifier and feeds it back to the intelligent gateway. The intelligent gateway then sends to the third-party service system a second service access request carrying the authentication token, the gateway identifier, the service identifier of the target service, and the user login information, so that the third-party service system sends a second user authentication request to the authentication server, where the second user authentication request includes the authentication token, the gateway identifier, the service identifier of the target service, and the user login information. The authentication server performs authentication processing on the user and, according to the authentication processing result, feeds back the user's permission information for accessing the target service to the third-party service system. The authentication server thereby uniformly authenticates users who initiate third-party service access requests through the intelligent gateway, which makes it more convenient and quicker for users to access the third-party service system.

Embodiment 7

On the basis of Embodiment 6 above, in this embodiment the deep packet inspection module is further used for the following: the intelligent gateway obtains the feature information of the target service in the first service access request; the intelligent gateway obtains, from a pre-stored service information database, the service information whose feature information is consistent with the feature information of the target service; and the intelligent gateway determines that the service identifier of the target service is the service identifier corresponding to that service information.

The gateway module is further used for the following: the intelligent gateway determines, according to the service identifier of the target service and the preset gateway service permissions, whether access to the target service through the intelligent gateway is allowed; if it is determined that access to the target service through the intelligent gateway is allowed, the intelligent gateway sends the first user authentication request to the authentication server.

The intelligent gateway provided by this embodiment of the present invention may be specifically used to execute the method embodiment provided by Embodiment 2 above; its specific functions are not repeated here.

In this embodiment of the present invention, after the intelligent gateway receives the first service access request sent by the user through the terminal, the intelligent gateway determines, according to the determined service identifier of the target service and the preset gateway service permissions, whether access to the target service through the intelligent gateway is allowed. If it is determined that access to the target service through the intelligent gateway is allowed, the intelligent gateway sends a first user authentication request to the authentication server, where the first user authentication request includes the gateway identifier of the intelligent gateway and the service identifier of the target service. The authentication server generates an authentication token according to the gateway identifier and the service identifier and feeds it back to the intelligent gateway. The intelligent gateway then sends to the third-party service system a second service access request carrying the authentication token, the gateway identifier, the service identifier of the target service, and the user login information, so that the third-party service system sends a second user authentication request to the authentication server, where the second user authentication request includes the authentication token, the gateway identifier, the service identifier of the target service, and the user login information. The authentication server performs authentication processing on the user and, according to the authentication processing result, feeds back the user's permission information for accessing the target service to the third-party service system. The authentication server thereby uniformly authenticates users who initiate third-party service access requests through the intelligent gateway, which makes it more convenient and quicker for users to access the third-party service system.
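The signaling flow of Embodiment 5 (S501-S511) together with the gateway-side service lookup and permission check of Embodiment 7, as an added Python example that is not part of the patent text. The HMAC-plus-nonce token construction, the PBKDF2 password check, and all class names, identifiers and sample data are assumptions; the patent only states that the token is generated according to the gateway identifier and the service identifier and stored in correspondence with them.

```python
import hashlib
import hmac
import secrets

# Constructed sample data (assumptions, not from the patent).
SERVICE_DB = {"video.example.test": "svc-video", "pay.example.test": "svc-pay"}
GATEWAY_ALLOWED = {"gw-001": {"svc-video"}}  # preset gateway service permissions


def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class AuthServer:
    def __init__(self):
        self._key = secrets.token_bytes(32)
        self._tokens = {}  # token -> (gateway_id, service_id)
        self._users = {}   # user -> (salt, password hash)
        self._perms = {}   # (user, service_id) -> permission info

    def add_user(self, user, password, service_id, permission):
        salt = secrets.token_bytes(16)
        self._users[user] = (salt, hash_password(password, salt))
        self._perms[(user, service_id)] = permission

    def issue_token(self, gateway_id, service_id):
        """S504-S505: generate the token from both identifiers, store the binding."""
        nonce = secrets.token_bytes(16)  # assumption: a nonce makes each token unique
        msg = b"\x00".join([gateway_id.encode(), service_id.encode(), nonce])
        token = hmac.new(self._key, msg, hashlib.sha256).hexdigest()
        self._tokens[token] = (gateway_id, service_id)
        return token

    def authenticate(self, token, gateway_id, service_id, user, password):
        """S508-S509: return permission info, or None when any check fails."""
        if self._tokens.get(token) != (gateway_id, service_id):
            return None  # unknown token, or token bound to other identifiers
        record = self._users.get(user)
        if record is None:
            return None
        salt, stored = record
        if not hmac.compare_digest(stored, hash_password(password, salt)):
            return None
        return self._perms.get((user, service_id))


class ThirdPartySystem:
    def __init__(self, auth_server):
        self._auth = auth_server

    def handle(self, req):
        """S507 and S510: forward the four fields, answer from the permission info."""
        perm = self._auth.authenticate(req["token"], req["gateway_id"],
                                       req["service_id"], req["user"], req["password"])
        if perm is None:
            return {"status": "denied"}
        return {"status": "ok", "permission": perm}


class IntelligentGateway:
    def __init__(self, gateway_id, auth_server, third_party):
        self.gateway_id = gateway_id
        self._auth = auth_server
        self._third = third_party

    def access(self, user, password, feature):
        """S501-S511 as seen from the gateway; returns the reply to the terminal."""
        service_id = SERVICE_DB.get(feature)  # S502: feature info -> service ID
        if service_id is None:
            return {"status": "unknown-service"}
        if service_id not in GATEWAY_ALLOWED.get(self.gateway_id, set()):
            return {"status": "gateway-denied"}  # Embodiment 7 permission check
        token = self._auth.issue_token(self.gateway_id, service_id)  # S503-S505
        request = {"token": token, "gateway_id": self.gateway_id,
                   "service_id": service_id, "user": user, "password": password}
        return self._third.handle(request)  # S506, then S510-S511


if __name__ == "__main__":
    auth = AuthServer()
    auth.add_user("alice", "correct horse", "svc-video", "play:hd")
    gateway = IntelligentGateway("gw-001", auth, ThirdPartySystem(auth))
    print(gateway.access("alice", "correct horse", "video.example.test"))
    print(gateway.access("alice", "correct horse", "pay.example.test"))
```

Because the server stores each token against the pair of identifiers it was issued for, a token replayed with a different gateway identifier or service identifier fails the first check in `authenticate` before any credential is examined.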

Embodiment 8

FIG. 7 is a schematic structural diagram of the authentication server provided by Embodiment 8 of the present invention. The authentication server provided by this embodiment can execute the processing flow of the user authentication method provided by Embodiment 2 above. As shown in FIG. 7, the authentication server 70 includes a processor 701, a memory 702, and a computer program that is stored in the memory 702 and can be run by the processor 701.

When the processor 701 runs the computer program, the user authentication methods provided by Embodiment 2 and Embodiment 3 above can be implemented; the specific functions are not repeated here.

In this embodiment of the present invention, the authentication server receives the first user authentication request sent by the intelligent gateway, where the first user authentication request includes the gateway identifier of the intelligent gateway and the service identifier of the target service, generates an authentication token according to the gateway identifier and the service identifier, and feeds it back to the intelligent gateway. The intelligent gateway then sends to the third-party service system a second service access request carrying the authentication token, the gateway identifier, the service identifier of the target service, and the user login information, so that the third-party service system sends a second user authentication request to the authentication server, where the second user authentication request includes the authentication token, the gateway identifier, the service identifier of the target service, and the user login information. After receiving the second user authentication request, the authentication server performs authentication processing on the user and, according to the authentication processing result, feeds back the user's permission information for accessing the target service to the third-party service system. The authentication server thereby uniformly authenticates users who initiate third-party service access requests through the intelligent gateway, which makes it more convenient and quicker for users to access the third-party service system.

In the several embodiments provided by the present invention, it should be understood that the disclosed apparatus and method may be implemented in other ways. For example, the apparatus embodiments described above are only illustrative. The division into units is only a division by logical function, and other divisions are possible in an actual implementation: multiple units or components may be combined or integrated into another system, or some features may be ignored or not executed. In addition, the mutual coupling, direct coupling, or communication connection shown or discussed may be an indirect coupling or communication connection through some interfaces, apparatuses, or units, and may be electrical, mechanical, or in other forms.

The units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units; that is, they may be located in one place or distributed over multiple network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.

In addition, the functional units in the embodiments of the present invention may be integrated into one processing unit, each unit may exist physically on its own, or two or more units may be integrated into one unit. The integrated unit may be implemented in the form of hardware, or in the form of hardware plus software functional units.

An integrated unit implemented in the form of a software functional unit may be stored in a computer-readable storage medium. The software functional unit is stored in a storage medium and includes several instructions that cause a computer device (which may be a personal computer, a server, a network device, or the like) or a processor to execute some of the steps of the methods described in the embodiments of the present invention. The storage medium includes various media that can store program code, such as a USB flash drive, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, or an optical disc.

Those skilled in the art can clearly understand that, for convenience and brevity of description, only the division into the functional modules above is used as an example. In practical applications, the functions above may be assigned to different functional modules as needed; that is, the internal structure of the apparatus may be divided into different functional modules to complete all or part of the functions described above. For the specific working process of the apparatus described above, reference may be made to the corresponding process in the foregoing method embodiments, which is not repeated here.

Finally, it should be noted that the above embodiments are only used to illustrate the technical solutions of the present invention, not to limit them. Although the present invention has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art should understand that the technical solutions described in the foregoing embodiments may still be modified, or some or all of their technical features may be equivalently replaced, and that such modifications or replacements do not cause the essence of the corresponding technical solutions to depart from the scope of the technical solutions of the embodiments of the present invention.

Claims (10)

the intelligent gateway sends a second service access request to a third-party service system, wherein the second service access request comprises the authentication token, the gateway identifier, the service identifier of the target service and the user login information, so that the third-party service system sends a second user authentication request to the authentication server, and the second user authentication request comprises the authentication token, the gateway identifier, the service identifier of the target service and the user login information, so that the authentication server performs authentication processing on the user, and feeds back the authority information of the user for accessing the target service to the third-party service system according to the authentication processing result.
the gateway module is further configured to send a second service access request to a third-party service system by the intelligent gateway, where the second service access request includes the authentication token, the gateway identifier, the service identifier of the target service, and the user login information, so that the third-party service system sends a second user authentication request to the authentication server, where the second user authentication request includes the authentication token, the gateway identifier, the service identifier of the target service, and the user login information, so that the authentication server performs authentication processing on the user, and feeds back permission information for the user to access the target service to the third-party service system according to an authentication processing result.
Application number: CN201710698908.8A
Priority date: 2017-08-15
Filing date: 2017-08-15
Title: User authentication method, intelligent gateway and authentication server
Status: Active
Family ID: 60646177

Publications (2)

CN107493280A (en), published 2017-12-19
CN107493280B (en), published 2020-10-09
