Method for authenticating user identity, device and electronic equipmentTechnical field
The present invention relates to computer science security technology areas, and in particular to a kind of method for authenticating user identity, device andElectronic equipment.
Background technology
In computer science, safety is an important issue always project, and big to hacker attack is taken precautions against, small arrive prevents notAuthorized user accesses shielded content.Safety is ubiquitous, in existing safe practice, has had and related peace much may be implementedThe module of all risk insurance protective function, plug-in unit.In enterprise-level application development, wherein with the Spring Security in SpringMVC framesIt is the most famous, it is also the most commonly used.Technical staff is generally by realizing that its relevant interface realizes its function.
Realize the general process of authenticating user identification as shown in Figure 1, certificate manager in Spring Security(AuthenticationManager) it is a pluggable component based on interface, supplier's manager(ProviderManager) it is one of certificate manager realization, it recognizes the delegate responsibility for verifying identity to one or moreDemonstrate,prove supplier (AuthenticationProvider).Wherein, DaoAuthencationProvider is one and most common recognizesDemonstrate,prove supplier.
DaoAuthencationProvider supports to carry out the authentication of simple data base-oriented, that is, uses dataAccess object (Dao) retrieves user information from relational database.Specifically, DaoAuthencationProvider passes throughUserDetailService attributes retrieve user information (UserDetails) from database.Achieving required user nameAfter password, DaoAuthencationProvider by comparing the username and password that is retrieved from database andThe main body and voucher being passed to by Authencation objects from certificate manager complete authentication.When above-mentioned user name andPassword matches with main body and voucher, then user is by authentication, while returning to certificate manager one and filling is completedGood Authentication objects;Otherwise, can dish out an AuthenticationException, show that authentication is lostIt loses.
However, being limited in that in above-mentioned certification supplier DaoAuthencationProvider, is to be based on dataLibrary carries out user information retrieval, i.e., needs to establish database in configuration, and create role's table in lane database, establish userDependence between information;When carrying out authenticating user identification, needing to extract data from database, operating process is complicated,Application flexibility is relatively low.
Invention content
In view of this, an embodiment of the present invention provides a kind of user ID authentication method, device and electronic equipment, to solveThe low problem of authenticating user identification flexibility.
First aspect present invention provides a kind of method for authenticating user identity, includes the following steps:
Obtain username and password input by user;
It searches in the preconfigured expansible markup language XML node and whether there is and the matched master of the user nameBody identifies, wherein the information of the expansible markup language XML node includes main body mark and its corresponding voucher, Mei GekeExtension flag Language XML node corresponds to a main body mark;
When it is present, the voucher in the information of the expansible markup language XML node found is obtained;
The user identity is authenticated using the voucher and the password that get.
Pass through disposal subject mark and its corresponding voucher in expansible markup language XML node in the present invention, you canWith directly specified main body mark and voucher in XML node, when configuring relevant main body, XML is relatively easy, saves and establishes numberAccording to library, and the process of dependence is established in the database, can realize the configuration of more intuitive main body relevant information;ThisOutside, by the relevant information of disposal subject in XML node, when for authentication, related letter need to be only carried out from nodeThe lookup of breath, matching speed is fast, efficient, i.e. authenticating user identification flexibility is higher.
With reference to first aspect, in first aspect first embodiment, in the expansible markup language XML node informationVoucher include first password prefix and the first Crypted password, first password prefix main body mark corresponding with the voucherIt is corresponding.
In the present invention, voucher (i.e. the password of user setting) is stored in XML node after encryption, i.e., in XMLWhat is stored in node is not the password of user setting, but to the first password prefix and after the password encryption of user settingOne Crypted password avoids the possibility of the extraneous password for being directly obtained user setting, can ensure in voucher in XML nodeIn secure storage, improve the safety of subscriber authentication;In addition, the process being encrypted in the password to user settingIn, in conjunction with user name, further improve the reliability of verification.
First embodiment with reference to first aspect, in first aspect second embodiment, using the voucher that gets andThe password is authenticated the user identity, including:
The password input by user is encrypted using predetermined encryption algorithm, the second password prefix and second is obtained and addsPassword;
Judge whether the second password prefix and the first password prefix are identical;
When differing, then authenticating user identification fails.
The present invention is during verifying password input by user, it is only necessary to the second password formed after encryptionPrefix is compared with the first password prefix in voucher, does not need to carry out complicated judgement, you can determines that user inputsPassword whether mistake, the verification method efficiency is higher.
Second embodiment with reference to first aspect, it is further comprising the steps of in first aspect third embodiment:
When the second password prefix is identical as the first password prefix, judge second Crypted password with it is describedWhether the first Crypted password is identical;
When identical, then authenticating user identification passes through.
The present invention is in the case of password prefix matching, it is also necessary to judge whether Crypted password matches, for ensureing passwordThe safety of verification.Specifically, in user in the case of Modify password, password prefix is identical, but Crypted password not phaseTogether, if only if password comparison prefix, subscriber authentication mistake can be led to so that the user of no mandate gets shieldedContent further improves the reliability of subscriber authentication.
With reference to first aspect, in the 4th embodiment of first aspect, the information of the XML node further includes permission letterBreath;When certification by when, according to the authority information, discharge corresponding permission to user.
Second embodiment with reference to first aspect further includes in the 5th embodiment of first aspect:
Receive the request of user's Modify password and modified password;
The modified password is encrypted using the predetermined encryption algorithm, obtains third password prefix and encryptionPassword, wherein the third password prefix is identical as the first password prefix;
Update the voucher in the information of the expansible markup language XML node, wherein the Crypted password is after updatingThe first Crypted password.
In the present invention, after user's Modify password, the Crypted password in the information for the XML node that timely updates ensures XML sectionsThe voucher stored in point information is identical as after user's change, avoids the mistake caused by the delay between modification and actual storageDifference improves the reliability of authenticating user identification.
According to second aspect, the present invention also provides a kind of authenticating user identification devices, including:
First acquisition module, for obtaining username and password input by user;
Searching module, for search in the preconfigured expansible markup language XML node with the presence or absence of with it is describedThe matched main body mark of user name, wherein the information of the expansible markup language XML node includes main body mark and its corresponds toVoucher, each expansible markup language XML node corresponds to a main body mark;
Second acquisition module, for when exist identified with the matched main body of the user name when, obtain expanding of findingOpen up the voucher in the information of markup language XML node;
Authentication module, for being authenticated to the user identity using the voucher and the password that get.
Pass through disposal subject mark and its corresponding voucher in expansible markup language XML node in the present invention, you canWith directly specified main body mark and voucher in XML node, when configuring relevant main body, XML is relatively easy, saves and establishes numberAccording to library, and the process of dependence is established in the database, can realize the configuration of more intuitive main body relevant information;ThisOutside, by the relevant information of disposal subject in XML node, when for authentication, related letter need to be only carried out from nodeThe lookup of breath, matching speed is fast, efficient, i.e. authenticating user identification flexibility is higher.
In conjunction with second aspect, in second aspect first embodiment, in the expansible markup language XML node informationVoucher include first password prefix and the first Crypted password, first password prefix main body mark corresponding with the voucherIt is corresponding.
According to the third aspect, the present invention also provides a kind of electronic equipment, including:Memory and processor, the storageConnection is communicated between device and the processor, computer instruction is stored in the memory, the processor is by holdingThe row computer instruction, to execute user's body described in any one embodiment of first aspect or first aspectIdentity authentication method.
According to fourth aspect, the present invention also provides a kind of computer readable storage medium, the computer-readable storageMedia storage has a computer instruction, and the computer instruction is used to make the computer to execute first aspect or first aspectMethod for authenticating user identity described in any one embodiment.
Description of the drawings
The features and advantages of the present invention can be more clearly understood by reference to attached drawing, attached drawing is schematically without that should manageSolution is carries out any restrictions to the present invention, in the accompanying drawings:
Fig. 1 shows the system block diagram for realizing authenticating user identification in the prior art;
Fig. 2 shows a method flow diagrams specifically illustrated of method for authenticating user identity in the embodiment of the present invention 1;
Fig. 3 shows a method flow diagram specifically illustrated of method for authenticating user identity in the embodiment of the present invention 2;
Fig. 4 shows a method flow diagram specifically illustrated of method for authenticating user identity in the embodiment of the present invention 3;
Fig. 5 shows a system block diagram specifically illustrated of method for authenticating user identity in the embodiment of the present invention 4;
Fig. 6 shows a structural schematic diagram specifically illustrated of authenticating user identification device in the embodiment of the present invention 5;
Fig. 7 shows another structural schematic diagram specifically illustrated of authenticating user identification device in the embodiment of the present invention 5;
Fig. 8 shows a structural schematic diagram specifically illustrated of electronic equipment in the embodiment of the present invention 6.
Specific implementation mode
In order to make the object, technical scheme and advantages of the embodiment of the invention clearer, below in conjunction with the embodiment of the present inventionIn attached drawing, technical scheme in the embodiment of the invention is clearly and completely described, it is clear that described embodiment isA part of the embodiment of the present invention, instead of all the embodiments.Based on the embodiments of the present invention, those skilled in the art are not havingThere is the every other embodiment obtained under the premise of making creative work, shall fall within the protection scope of the present invention.
Embodiment 1
The present embodiment provides a kind of method for authenticating user identity, can be used in authenticating user identification device, as shown in Fig. 2,This approach includes the following steps:
S11 obtains username and password input by user.
User needs to input username and password before obtaining shielded content.Authenticating user identification device obtainsTo the username and password, it to be used for the certification of subsequent user identity.
S12 is searched in preconfigured expansible markup language XML node and be whether there is and the matched main body mark of user nameKnow, wherein the information of expansible markup language XML node includes main body mark and its corresponding voucher, each expansible markLanguage XML node corresponds to a main body mark.
Wherein, expansible markup language XML node is for being configured to the storage relevant information of user identity, i.e. a nodeInformation correspond to same user all identity informations.The information of node includes main body mark and its corresponding voucher, toolBody, main body mark is matched with user name, the password match of voucher and user preset.
Optionally, voucher can be directly identical as the password of user preset, can also be in authenticating user identification deviceThe password of user preset formed after one or many encryptions, can also be that its elsewhere is carried out to the password of user presetIt is formed after reason.
Further, when needing to Add User, it is only necessary to which, by changing XML, the form for increasing node is realized, Neng GoushiNow dynamic configuration.
When being verified to username and password input by user, user identity is authenticated device and is searched whether from XMLIn the presence of with the matched principals credentials of user name, that is, first by user name whether match carry out user identity verification.
Wherein, when in expansible markup language XML node with the presence or absence of being identified with the matched main body of user name, step is executedRapid S13;Otherwise, subscriber authentication failure is indicated.
S13 obtains the voucher in the information of the expansible markup language XML node found when it is present.
It is identified with the matched main body of user name input by user when authenticating user identification device is found in XML nodeWhen, indicate there is the corresponding identity information of the user name in xml at this time;Then, it needs to recognize password input by userCard.Specifically, authenticating user identification device obtains voucher corresponding with main body mark from XML node.
S14 is authenticated user identity using the voucher and password that get.
Authenticating user identification device is according to the processing method for forming voucher to the password of user preset, to input by user closeCode carries out identical operation so that voucher carries out recognizing for user identity with after treated password comparison condition having the sameCard.
This method passes through disposal subject mark and its corresponding voucher in expansible markup language XML node, you can withDirectly specified main body mark and voucher in XML node, when configuring relevant main body, XML is relatively easy, saves and establishes dataLibrary, and the process of dependence is established in the database, it can realize the configuration of more intuitive main body relevant information;ThisOutside, by the relevant information of disposal subject in XML node, when for authentication, related letter need to be only carried out from nodeThe lookup of breath, matching speed is fast, efficient, i.e. authenticating user identification flexibility is higher.
Embodiment 2
The present embodiment provides a kind of method for authenticating user identity, can be used in authenticating user identification device, as shown in figure 3,This approach includes the following steps:
S21 obtains username and password input by user.
Identical as 1 step S11 of embodiment, details are not described herein.
S22 is searched in preconfigured expansible markup language XML node and be whether there is and the matched main body mark of user nameKnow, wherein the information of expansible markup language XML node includes main body mark and its corresponding voucher, each expansible markLanguage XML node corresponds to a main body mark.
Voucher in expansible markup language XML node information includes first password prefix and the first Crypted password.SpecificallyGround, user identity identification device are encrypted the preset password of user using predetermined encryption algorithm, while in ciphering processIn conjunction with user name, first password prefix and the first Crypted password are formed.Wherein, first password prefix main body mark corresponding with voucherKnow and corresponds to, i.e., it is identical to the first password prefix formed after the preset password encryption of user when main body mark is identical.
For example, the password of user preset is abc, the voucher formed after encryption is 0000+sfewfwfwf, wherein 0000 isFirst password prefix, sfewfwfwf are the first Crypted password.
In addition, predetermined encryption algorithm can be encryption function, it can be random number or other forms, need to only guaranteePreset password is encrypted.
S23 obtains the voucher in the information of the expansible markup language XML node found when it is present.
Identical as 1 step S13 of embodiment, details are not described herein.
S24 is authenticated user identity using the voucher and password that get.
Wherein, voucher includes therefore first password prefix and the first Crypted password are recognized to password input by userWhen card, it is also desirable to be encrypted in the same way to password, be formed and correspond to password prefix and encryption that user inputs passwordPassword.Specifically, include the following steps:
S241 is encrypted password input by user using predetermined encryption algorithm, obtains the second password prefix and secondCrypted password.
Authenticating user identification device adds password input by user according to the identical encryption method of preset passwordIt is close, obtain the second password prefix and the second Crypted password.
S242 judges whether the second password prefix and first password prefix are identical.
Authenticating user identification device compares first password prefix first and whether the second password prefix is identical, to judge userWhether authentication fails.
When whether the second password prefix and first password prefix are identical, step S244 is executed;Otherwise, step is executedS243。
S243, authenticating user identification failure.
Wherein, when the second password prefix and first password prefix differ, it can directly judge user identity at this timeThe certification of password need not be encrypted in authentification failure again.
S244 judges whether the second Crypted password is identical as the first Crypted password.
When identical, authenticating user identification device also need to carry out again the second Crypted password and the first Crypted password whether phaseSame judgement, ensures the reliability of authenticating user identification.
S245, authenticating user identification pass through.
When the second Crypted password is identical as the first Crypted password, authenticating user identification passes through at this time, and user can obtainCorresponding shielded content.
Optionally, further include authority information corresponding with main body mark in the information of XML node, each main body mark corresponds toPermission may be identical, it is also possible to differ.Therefore, it is distinguished by authority information, to ensure that user can only be obtained fromProtected content in own permission further improves the safety of protected content.
As a kind of optional embodiment of the present embodiment, step S244 can be omitted, i.e., in the second password prefix and theWhen one password prefix is identical, it is believed that authenticating user identification passes through at this time.
The voucher (i.e. corresponding with the password of user setting) that the present invention stores in XML node information is deposited after encryptionIn XML node, i.e., what is stored in XML node is not the password of user setting for storage, but to the password of user settingEncrypted first password prefix and the first Crypted password avoid the possibility of the extraneous password for being directly obtained user settingProperty, it can ensure the secure storage in XML node in voucher, improve the safety of subscriber authentication;In addition, toDuring the password of family setting is encrypted, in conjunction with user name, the reliability of verification is further improved.
In addition, during being verified to password input by user, it is defeated to user first with predetermined encryption algorithmThe password entered is encrypted, and forms the second password prefix, need to only utilize the second password prefix and the first password prefix in voucherBe compared, do not need to carry out complicated judgement, you can determine password input by user whether mistake, verification method effectRate is higher.
The step details not being described in detail in the present embodiment, please refers to embodiment 1, details are not described herein.
Embodiment 3
The present embodiment provides a kind of method for authenticating user identity, can be used in authenticating user identification device, as shown in figure 4,This approach includes the following steps:
S31 obtains username and password input by user.
Identical as 2 step S21 of embodiment, details are not described herein.
S32 is searched in preconfigured expansible markup language XML node and be whether there is and the matched main body mark of user nameKnow, wherein the information of expansible markup language XML node includes main body mark and its corresponding voucher, each expansible markLanguage XML node corresponds to a main body mark.
Identical as 2 step S22 of embodiment, details are not described herein.
S33 receives the request of user's Modify password and modified password.
User Modify password, authenticating user identification device can receive the request of user's Modify password according to actual needs,And receive the modified password of user.
S34 is encrypted modified password using predetermined encryption algorithm, obtains third password prefix and encrypts closeCode, wherein third password prefix is identical as first password prefix.
Authenticating user identification device is encrypted modified password using identical predetermined encryption algorithm, is corresponded toThe third password prefix and Crypted password of password after modification.Wherein, due to needing to combine user name in ciphering process, becauseThis, the third password prefix obtained after encryption is identical as first password prefix.
S35 updates the voucher in the information of expansible markup language XML node, wherein Crypted password is updated theOne Crypted password.
After authenticating user identification device obtains third password prefix and Crypted password after the password encryption changed user,Need to timely update expansible markup language XML node information in voucher.Specifically, the first Crypted password is replaced with and is addedPassword, by the first Crypted password labeled as expired.
For example, user entitled 123, the password before modification is abc, and the voucher stored in XML node is 0000+sfewfwfwf;Same user, modified password are bcd, and the voucher stored in XML node is 0000+122222212.
S36 obtains the voucher in the information of the expansible markup language XML node found.
Identical as 2 step S23 of embodiment, details are not described herein.
S37 is authenticated the user identity using the voucher and password that get.
Identical as 2 step S24 of embodiment, details are not described herein.
In the present invention, after user's Modify password, the Crypted password in the information for the XML node that timely updates ensures XML sectionsThe voucher stored in point information is identical as after user's change, avoids the mistake caused by the delay between modification and actual storageDifference, i.e. user can not be authenticated using the password before modification to be passed through, and the reliability of authenticating user identification is further improved.
It should be noted that step S33 to S35 is not limited to after step s 32 in the present embodiment, only it need to ensure stepS33 to S35 is before step S36.
The step details not being described in detail in the present embodiment, please refers to embodiment 2, details are not described herein.
Embodiment 5
The present embodiment provides a kind of concrete application example of method for authenticating user identity, the system block diagram that this method is realizedAs shown in figure 5,
1. first against AuthenticationManager, as certificate manager, Spring it verification process is entrustedIt goes to realize to AuthenticationProvider interfaces.In the prior art, this interface has one of acquiescence to realize,DaoAuthenticationProvider, it is limited in that, obtains the UserDetails objects of User DetailOnly there are one parameters (username) by implementation method loadUserByUsername for realizing, page cryptographic parameter can not be primaryIt is incoming.The present invention is mainly wherein realized by rewriteeing, and is obtained user password relevant information using the XML of dynamic and configurable, is realizedCertification.
2. seeing Fig. 5, XmlAuthenticationProvider passes through realizationThe realization of retrieveUser methods is passed through user name by AbstractUserDetailsAuthenticationProviderPassword, which obtains, obtains related data in XML.
3. in these obtained XML datas, containing the essential information of user, authentication information, authority information realizes processIt is as follows:
1) user inputs user name, password
2) SpringSecurity obtains the input information of user, by information comparison in user name and XML, such as there is userInformation, acquire limit information, then verify user password whether with password prefix matching.XML has user password prefix,When the password prefix and XML configurations match of user, certification passes through, otherwise authentification failure.
3) user password change does not influence password prefix.
4) it so realizes, user no longer creates role's table in lane database, new plus record, can be in XML directlyIt specifies.
Embodiment 5
The present embodiment provides a kind of authenticating user identification device, it can be used for executing embodiment 1 to any one of embodiment 3 instituteThe method for authenticating user identity stated, as shown in fig. 6, the device includes:
First acquisition module 41, for obtaining username and password input by user.
Searching module 42 whether there is and user name for searching in preconfigured expansible markup language XML nodeMatched main body mark, wherein the information of expansible markup language XML node includes main body mark and its corresponding voucher, oftenA expansible markup language XML node corresponds to a main body mark.
Second acquisition module 43, for when exist identified with the matched main body of user name when, obtain find it is expansibleVoucher in the information of markup language XML node.
Authentication module 44, for being authenticated to user identity using the voucher and password that get.
By disposal subject mark and its corresponding voucher in expansible markup language XML node in the present embodiment, i.e.,Main body mark and voucher can be directly specified in XML node, when configuring relevant main body, XML is relatively easy, saves foundationDatabase, and the process of dependence is established in the database, it can realize the configuration of more intuitive main body relevant information;In addition, by the relevant information of disposal subject in XML node, when for authentication, correlation only need to be carried out from nodeThe lookup of information, matching speed is fast, efficient, i.e. authenticating user identification flexibility is higher.
As a kind of optional embodiment of the present embodiment, as shown in fig. 7, authentication module 44 further includes:
First encryption unit 441 obtains second for password input by user to be encrypted using predetermined encryption algorithmPassword prefix and the second Crypted password.
First judging unit 442, for judging whether the second password prefix and the first password prefix are identical.
First authentication unit 443 fails for authenticating user identification.
Optionally, which further includes:
Second judgment unit 444, for judging whether the second Crypted password is identical as the first Crypted password.
Second authentication unit 445 fails for authenticating user identification.
As another optional embodiment of the present embodiment, as shown in fig. 7, authenticating user identification device further includes:
Receiving module 45, the request for receiving user's Modify password and modified password.
It is close to obtain third for modified password to be encrypted using predetermined encryption algorithm for second encrypting module 46Code prefix and Crypted password, wherein third password prefix is identical as first password prefix.
Update module 47, the voucher in information for updating expansible markup language XML node, wherein Crypted passwordFor updated first Crypted password.
Embodiment 6
The embodiment of the present invention additionally provides a kind of electronic equipment, as shown in figure 8, the electronic equipment may include processor 51With memory 52, wherein processor 51 can be connected with memory 52 by bus or other modes, to pass through bus in Fig. 8For connection.
Processor 51 can be central processing unit (Central Processing Unit, CPU).Processor 51 can be withFor other general processors, digital signal processor (Digital Signal Processor, DSP), application-specific integrated circuit(Application Specific Integrated Circuit, ASIC), field programmable gate array (Field-Programmable Gate Array, FPGA) either other programmable logic device, discrete gate or transistor logic,The combination of the chips such as discrete hardware components or above-mentioned all kinds of chips.
Memory 52 is used as a kind of non-transient computer readable storage medium, can be used for storing non-transient software program, non-Transient computer executable program and module, as the corresponding program of method for authenticating user identity in the embodiment of the present invention refers toOrder/module (for example, the first acquisition module 41 shown in fig. 6, searching module 42, the second acquisition module 43 and authentication module 44).Processor 51 is stored in non-transient software program, instruction and module in memory 52 by operation, to execute processorVarious function application and data processing, that is, realize above method embodiment in method for authenticating user identity.
Memory 52 may include storing program area and storage data field, wherein storing program area can storage program area,At least one required application program of function;Storage data field can store the data etc. that processor 51 is created.In addition, storageDevice 52 may include high-speed random access memory, can also include non-transient memory, for example, at least a magnetic disk storagePart, flush memory device or other non-transient solid-state memories.In some embodiments, it includes relative to place that memory 52 is optionalThe remotely located memory of device 51 is managed, these remote memories can pass through network connection to processor 51.The reality of above-mentioned networkExample includes but not limited to internet, intranet, LAN, mobile radio communication and combinations thereof.
One or more of modules are stored in the memory 52, when being executed by the processor 51, are executedMethod for authenticating user identity in embodiment as in Figure 2-4.
Above-mentioned electronic equipment detail can be corresponded to refering to corresponding associated description in Fig. 2 to embodiment shown in Fig. 4Understood with effect, details are not described herein again.
It is that can lead to it will be understood by those skilled in the art that realizing all or part of flow in above-described embodiment methodIt crosses computer program and is completed to instruct relevant hardware, the program can be stored in a computer read/write memory mediumIn, the program is when being executed, it may include such as the flow of the embodiment of above-mentioned each method.Wherein, the storage medium can be magneticDish, CD, read-only memory (ROM) or random access memory (RAM) etc..
Although being described in conjunction with the accompanying the embodiment of the present invention, those skilled in the art can not depart from the present inventionSpirit and scope in the case of various modifications and variations can be made, such modifications and variations are each fallen within by appended claims instituteWithin the scope of restriction.