Summary of the invention
The technical problem to be solved by the present invention is to provide a login access method, system and storage medium that both guarantee the information security of the service subsystems and give the unified entry system good dynamic scalability.
The technical solution adopted by the present invention is a login access method applied on the unified entry system side, the method including:
when the unified entry system receives a user's access request for any service subsystem, sending the user login information and the service subsystem authentication token information to that service subsystem, for the service subsystem to verify.
Further, before the unified entry system receives the user's access request for any service subsystem, the method further includes:
the unified entry system generating the service subsystem authentication token information according to characteristic information of the service subsystem obtained in advance, and saving it;
wherein the characteristic information of the service subsystem includes: the account information of the service subsystem, or the account information of the service subsystem together with the unique encoding information corresponding to the service subsystem; the account information of the service subsystem includes a service subsystem name and a service subsystem password.
Further, sending the user login information and the service subsystem authentication token information to the service subsystem includes:
sending the user login information and the service subsystem authentication token information to the service subsystem by way of REST (Representational State Transfer).
Further, generating the service subsystem authentication token information according to the characteristic information of the service subsystem obtained in advance includes:
generating a token from a random data sequence character string and the account information of the service subsystem;
encrypting the token to obtain the service subsystem authentication token information, or encrypting the token together with the unique encoding information corresponding to the service subsystem to obtain the service subsystem authentication token information.
Further, encrypting the token to obtain the service subsystem authentication token information includes:
hashing the token to generate a verification code;
encrypting the verification code together with the hashed token to obtain the service subsystem authentication token information;
and encrypting the token together with the unique encoding information corresponding to the service subsystem to obtain the service subsystem authentication token information includes:
hashing the token to generate a verification code;
encrypting the verification code, the unique encoding information corresponding to the service subsystem and the hashed token to obtain the service subsystem authentication token information.
The present invention also provides a login access method, including:
a service subsystem receiving the user login information and the service subsystem authentication token information sent by the unified entry system;
the service subsystem verifying the received user login information and service subsystem authentication token information, and returning the verification result to the unified entry system.
Further, the service subsystem and the unified entry system interact by way of REST.
Further, verifying the received user login information and service subsystem authentication token information includes:
judging whether the received user login information is saved locally, wherein the user login information includes: user information, or user information and password information;
and, if the judgment result is yes,
judging whether the token obtained from the received service subsystem authentication token information is valid, or judging whether the token and the unique encoding information corresponding to the service subsystem obtained from the received service subsystem authentication token information are valid.
Further, the token and the unique encoding information corresponding to the service subsystem are obtained from the received service subsystem authentication token information as follows:
decrypting the service subsystem authentication token information to obtain the token and the unique encoding information corresponding to the service subsystem;
de-hashing the token to obtain the random data sequence character string and the account information of the service subsystem, the account information of the service subsystem including the service subsystem name and the service subsystem password.
Further, judging whether the token and the unique encoding information corresponding to the service subsystem obtained from the received service subsystem authentication token information are valid includes:
A1: judging whether the token is within its validity period; if so, executing step A2, otherwise determining that the received token and the unique encoding information corresponding to the service subsystem are invalid;
A2: judging whether the unique encoding information corresponding to the service subsystem decrypted from the service subsystem authentication token information and the account information of the service subsystem obtained from the token are saved locally; if so, determining that the received token and the unique encoding information corresponding to the service subsystem are valid, otherwise determining that they are invalid.
The present invention also provides a unified entry system, comprising a first communication module, a first memory and a first processor, wherein:
the first communication module is configured to communicate and interact with users and with service subsystems;
the first memory stores an authentication management program;
the first processor is configured to execute the authentication management program to realize the steps of the login access method described above.
The present invention also provides a service subsystem, comprising a second communication module, a second memory and a second processor, wherein:
the second communication module is configured to communicate and interact with the unified entry system;
the second memory stores an authentication verification program;
the second processor is configured to execute the authentication verification program to realize the steps of the login access method described above.
The present invention also provides a computer storage medium storing a computer program which, when executed by a processor, realizes the steps of the login access method described above.
By adopting the above technical scheme, the present invention has at least the following advantages:
The login access method, system and storage medium of the present invention provide a solution to the low service efficiency, wasted service resources and support for only a single data format that currently exist when a client user accesses service subsystems through a unified login system; while ensuring system availability, they improve the real-time performance and accuracy of system processing. The present invention can improve service efficiency, save service resources and provide good service to mobile applications, while reducing operating costs, improving the user experience and increasing operator revenue.
Specific embodiment
To further explain the technical means and effects adopted by the present invention to achieve its intended purpose, the present invention is described in detail below with reference to the accompanying drawings and preferred embodiments.
In a first embodiment of the invention, a login access method is applied to a unified entry system and, as shown in Figure 1, includes the following specific steps.
Step S101: the unified entry system generates and saves service subsystem authentication token information for each service subsystem; the same service subsystem authentication token information is also configured in the corresponding service subsystem.
Specifically, in a first optional example, the service subsystem authentication token information includes the account information of the service subsystem.
In a second optional example, the service subsystem authentication token information includes the account information of the service subsystem and the unique encoding information corresponding to the service subsystem.
The account information of the service subsystem includes a service subsystem name and a service subsystem password.
The unified entry system interacts with users and with service subsystems by way of REST; for example, the unified entry system sends the user login information and the service subsystem authentication token information to the service subsystem by REST.
In step S101, the characteristic information of the service subsystem obtained in advance includes: the account information of the service subsystem, or the account information of the service subsystem and the unique encoding information corresponding to the service subsystem; the account information of the service subsystem includes the service subsystem name and the service subsystem password.
For each service subsystem, the unified entry system generates the service subsystem authentication token information according to the characteristic information of the service subsystem obtained in advance as follows:
A1: for any service subsystem, generate a token from a random data sequence character string and the account information of that service subsystem;
A2: encrypt the token to obtain the authentication token information of that service subsystem, or encrypt the token together with the unique encoding information corresponding to that service subsystem to obtain the authentication token information of that service subsystem.
Further, in step A2, encrypting the token, or the token and the unique encoding information, to obtain the authentication token information of the service subsystem includes:
hashing the token to generate a verification code;
in a first optional example, combining the verification code with the hashed token and encrypting them to obtain the authentication token information of the service subsystem;
in a second optional example, combining the verification code, the unique encoding information corresponding to the service subsystem and the hashed token and encrypting them to obtain the authentication token information of the service subsystem.
Step S102: when an access request from a user for any service subsystem is received, send the user login information and the authentication token information of that service subsystem to that service subsystem, for that service subsystem to verify.
The embodiment of the present invention mainly uses lightweight REST-based service technology; a REST service has the following characteristics.
1) Data caching. A REST-based system can cache data as needed, which reduces the information transferred between server and client, improves performance and improves the user experience. The service subsystem caches the access requests from the unified entry system, which speeds up access.
2) Layered system structure. In a REST-based system a client can interact with one or more servers, and a good layered structure eases maintenance by operations staff and integration with other applications. For example, in the embodiment of the present invention the unified entry system (comparable to the client's unified login entrance) can log in to different service subsystems (comparable to servers).
3) Rich data structures. The representation of a resource is returned according to what the client requests, generally in formats such as XML, JSON or XHTML. For example, when the unified entry system (comparable to the client's unified login entrance) requests a resource from a service subsystem (comparable to a server), the client can be not only a PC but also a mobile terminal, and can request the resource from the service subsystem in any of those formats, whereas the client in the prior art could only be a PC and supported neither mobile terminals nor the multiple formats mentioned above.
4) Statelessness. In a REST system the server side keeps no state about the client: the client is responsible for maintaining the user's state itself and must supply enough information with every request. For example, when the user side in the embodiment of the present invention sends a login request, the unified entry system (comparable to the client's unified login entrance) combines the user login information with the token ciphertext and sends them to the service subsystem (comparable to a server) for verification.
5) Unified interface. A REST system needs a unified interface (in the embodiment of the present invention, the unified login system) to complete the interaction between that interface and the service subsystems, which allows each service subsystem in the REST system to be developed independently. In summary, the problems of the prior art can be fundamentally solved.
Furthermore, the method of the embodiment of the present invention can be programmed as a login access service. This service publishes the login access process as a REST service for local and remote users to call, and uses an encrypted token to save the service subsystem authentication token information entered by the administrator both in the unified entry system and in the configuration of the service subsystem. The service does not keep the authentication information of a service subsystem in a session; instead it obtains the service subsystem authentication token information by decrypting the token ciphertext, which both guarantees the information security of the user and gives the server good dynamic scalability.
The user side in the embodiment of the present invention can be a PC with a browser installed (for example IE, Firefox or Chrome) or a mobile phone client (an app, for example on iOS). For example, in an enterprise management system or a large Internet portal, once the user has logged in to one subsystem, all applications of the related subsystems can be accessed without logging in to the other subsystems again.
In a second embodiment of the invention, a login access method is applied to a service subsystem and, as shown in Figure 2, includes the following specific steps.
Step S201: the service subsystem configures its own service subsystem authentication token information locally; the same service subsystem authentication token information is also saved in the unified entry system.
Step S202: when the service subsystem receives the user login information and the service subsystem authentication token information that the unified entry system sends on the basis of a user's access request, it verifies the received user login information and service subsystem authentication token information and returns the verification result to the unified entry system.
Specifically, the service subsystem and the unified entry system interact by way of REST.
In step S202, verifying the received user login information and service subsystem authentication token information includes:
A1: judge whether the received user login information is saved locally; if so, execute step A2, otherwise execute step A3. The user login information includes user information, or user information and password information.
A2: judge whether the token obtained from the received service subsystem authentication token information, or the token and the unique encoding information corresponding to the service subsystem so obtained, are valid; if so, return verification-success information to the unified entry system, otherwise execute step A3.
A3: return verification-failure information to the unified entry system.
Optionally, in step A2, the token, or the token and the unique encoding information corresponding to the service subsystem, are obtained from the service subsystem authentication token information as follows:
in a first optional example, the service subsystem authentication token information is decrypted to obtain the token;
in a second optional example, the service subsystem authentication token information is decrypted to obtain the token and the unique encoding information corresponding to the service subsystem;
the token is then de-hashed to obtain the random data sequence character string and the account information of the service subsystem, the account information of the service subsystem including the service subsystem name and the service subsystem password.
Further, in step A2, judging whether the token and the unique encoding information corresponding to the service subsystem obtained from the received service subsystem authentication token information are valid includes:
B1: judge whether the token is within its validity period; if so, execute step B2, otherwise determine that the received token and the unique encoding information corresponding to the service subsystem are invalid;
B2: judge whether the unique encoding information corresponding to the service subsystem decrypted from the service subsystem authentication token information and the account information of the service subsystem obtained from the token are saved locally; if so, determine that the received token and the unique encoding information corresponding to the service subsystem are valid, otherwise determine that they are invalid.
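The following is an added example and not code from the patent: one way to realize, in Python with only the standard library, the token generation of steps A1/A2 in the first embodiment (S101, also stated in the summary) and the verification of steps A1 to A3 and B1/B2 in the second embodiment (S202), with the REST request body between the two sides shown as a JSON object. The function names (issue_token_info, access_request, verify, run_demo), the JSON layout of the token and of the request, the out-of-band provisioning of a shared key, the issued_at field and the TOKEN_TTL validity period, and the constructed subsystem and user data are all assumptions of the example. Two points where the example departs from a literal reading: a cryptographic hash cannot be "de-hashed", so the token is carried beside its verification code inside the ciphertext and the subsystem recomputes and compares the hash; and the standard library has no authenticated cipher, so an HMAC-SHA256 keystream with an HMAC tag stands in for the encryption step, which production code should replace with a vetted AEAD such as AES-GCM.

```python
"""Added example, not the patent's code: one realization of the token flow of
the first embodiment (S101, A1/A2) and second embodiment (S202, A1-A3, B1/B2)."""
import base64
import hashlib
import hmac
import json
import secrets

# Constructed sample data, not taken from the patent.
SUBSYSTEM = {"name": "crm", "password": "crm-secret", "unique_code": "SUB-0001"}
# Assumption: the subsystem keeps SHA-256 digests of user passwords (a real
# deployment would use a password hash such as argon2 or bcrypt).
USERS = {"alice": hashlib.sha256(b"alice-pw").hexdigest()}
TOKEN_TTL = 3600  # assumption: validity period checked in step B1, in seconds


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """HMAC-SHA256 in counter mode; a stand-in for a vetted AEAD (AES-GCM)."""
    out = b""
    for ctr in range((n + 31) // 32):
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:n]


def encrypt(key: bytes, plaintext: bytes) -> str:
    """Encrypt-then-MAC; returns urlsafe base64 of nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(nonce + ct + tag).decode()


def decrypt(key: bytes, blob: str) -> bytes:
    """Verify the tag in constant time before decrypting; raise on any tampering."""
    raw = base64.urlsafe_b64decode(blob)
    nonce, ct, tag = raw[:16], raw[16:-32], raw[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("authentication token information failed integrity check")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


def issue_token_info(subsystem: dict, key: bytes, now: float) -> str:
    """Unified entry system, steps A1/A2: token = random string + account info;
    verification code = SHA-256(token); encrypt code, token and unique code."""
    token = json.dumps({"rand": secrets.token_urlsafe(24),
                        "name": subsystem["name"], "password": subsystem["password"]})
    payload = {"verification_code": hashlib.sha256(token.encode()).hexdigest(),
               "token": token, "unique_code": subsystem["unique_code"],
               "issued_at": now}  # assumption: start of the validity period
    return encrypt(key, json.dumps(payload).encode())


def access_request(username: str, password: str, token_info: str) -> dict:
    """JSON body the unified entry system sends to the subsystem's REST endpoint (S102)."""
    return {"user": {"username": username, "password": password},
            "subsystem_token": token_info}


def verify(request: dict, key: bytes, config: dict, users: dict, now: float) -> dict:
    """Service subsystem, step S202: returns the result posted back to the entry system."""
    user = request.get("user", {})
    stored = users.get(user.get("username", ""))
    # A1: is the user login information saved locally?
    if stored is None or not hmac.compare_digest(
            stored, hashlib.sha256(user.get("password", "").encode()).hexdigest()):
        return {"result": "fail", "reason": "unknown user"}
    try:
        payload = json.loads(decrypt(key, request["subsystem_token"]))
    except (KeyError, ValueError):  # missing field, bad base64, bad tag or bad JSON
        return {"result": "fail", "reason": "token information rejected"}
    token = payload["token"]
    # A hash cannot be inverted ("de-hashed"): recompute the verification code instead.
    if not hmac.compare_digest(hashlib.sha256(token.encode()).hexdigest(),
                               payload["verification_code"]):
        return {"result": "fail", "reason": "verification code mismatch"}
    account = json.loads(token)
    # B1: validity period.
    if now - payload["issued_at"] > TOKEN_TTL:
        return {"result": "fail", "reason": "token expired"}
    # B2: unique code and account information must match the local configuration.
    if (payload["unique_code"], account["name"], account["password"]) != (
            config["unique_code"], config["name"], config["password"]):
        return {"result": "fail", "reason": "token not issued for this subsystem"}
    return {"result": "success"}


def run_demo() -> dict:
    """Valid request, expired token, wrong subsystem, unknown user, tampered ciphertext."""
    key = secrets.token_bytes(32)  # assumption: provisioned to both sides out of band
    info = issue_token_info(SUBSYSTEM, key, now=1000.0)
    good = access_request("alice", "alice-pw", info)
    other = dict(SUBSYSTEM, unique_code="SUB-0002")
    forged = access_request("alice", "alice-pw", info[:-8] + "AAAAAAAA")
    return {
        "valid": verify(good, key, SUBSYSTEM, USERS, 1500.0)["result"],
        "expired": verify(good, key, SUBSYSTEM, USERS, 1000.0 + TOKEN_TTL + 1)["reason"],
        "wrong_subsystem": verify(good, key, other, USERS, 1500.0)["reason"],
        "bad_user": verify(access_request("mallory", "x", info), key, SUBSYSTEM, USERS, 1500.0)["reason"],
        "tampered": verify(forged, key, SUBSYSTEM, USERS, 1500.0)["reason"],
    }
```

Calling run_demo() exercises the five outcomes a practitioner would want to see: success, an expired token (B1), a token issued for a different unique code (B2), an unknown user (A1 leading to A3), and a ciphertext altered in transit, which is rejected by the tag check before any of its contents are parsed. Keeping the integrity check ahead of decryption and using constant-time comparisons for the tag, the verification code and the user password are the parts of the order worth preserving in any real implementation.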
Because the embodiment of the present invention stores the information used to authenticate a service subsystem in token form and realizes the interaction between the user, the unified entry system and the service subsystem by way of REST, it both guarantees the information security of the service subsystem and gives the unified entry system good dynamic scalability.
The user side in the embodiment of the present invention can be a PC with a browser installed (for example IE, Firefox or Chrome) or a mobile phone client (an app, for example on iOS). For example, in an enterprise management system or a large Internet portal, once the user has logged in to one subsystem, all applications of the related subsystems can be accessed without logging in to the other subsystems again.
In a third embodiment of the invention, a unified entry system, as shown in Figure 3, comprises a first communication module 301, a first memory 302 and a first processor 303, wherein:
the first communication module 301 is configured to communicate and interact with the user side and with service subsystems;
the first memory 302 stores an authentication management program;
the first processor 303 is configured to execute the authentication management program to realize the steps of the login access method described in the first or second embodiment of the invention.
In a fourth embodiment of the invention, a service subsystem, as shown in Figure 4, comprises a second communication module 401, a second memory 402 and a second processor 403, wherein:
the second communication module 401 is configured to communicate and interact with the unified entry system;
the second memory 402 stores an authentication verification program;
the second processor 403 is configured to execute the authentication verification program to realize the steps of the login access method described in the first or second embodiment of the invention.
In a fifth embodiment of the invention, a computer storage medium stores a computer program which, when executed by a processor, realizes the steps of the login access method described in the first or second embodiment of the invention.
In engineering practice, the software on the computer storage medium of the embodiment of the present invention can run on a general-purpose hardware platform; it can of course also be realized in hardware, but in many cases the former is the better implementation. On this understanding, the computer storage medium of the present invention (such as ROM/RAM, a magnetic disk or an optical disk) contains instructions that cause a device (which may be a server or a client) to execute the method described in the embodiments of the present invention.
Through the description of the specific embodiments, the technical means and effects adopted by the present invention to achieve its intended purpose can be understood more deeply and concretely; the accompanying drawings, however, are provided only for reference and illustration and are not intended to limit the present invention.