CN110287682B - A login method, device and system - Google Patents

A login method, device and system
Info

Publication number: CN110287682B
Authority: CN (China)
Prior art keywords: login, service site, access request, target service, user terminal
Legal status: Active (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Application number: CN201910585136.6A
Other languages: Chinese (zh)
Other versions: CN110287682A (en)
Inventors: 袁春旭, 赵军, 杜超超, 李川, 孙悦, 郭晓鹏
Current Assignee: Beijing Trusfort Technology Co ltd (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Original Assignee: Beijing Trusfort Technology Co ltd
Application filed by: Beijing Trusfort Technology Co ltd
Priority to: CN201910585136.6A

Abstract

Translated from Chinese

The present application provides a login method, device and system, including: receiving a login request sent by a user terminal, verifying the user's first identity information carried in the login request, and feeding back a service site list to the user terminal after the verification passes; receiving a first access request sent by the user terminal, where the first access request carries identification information of a target service site selected by the user from the service site list; performing identity authentication at the target service site based on the first access request and a pre-stored login credential corresponding to the user, and, after the identity authentication passes, feeding back to the user terminal an access permission instruction corresponding to the target service site; and, after receiving a second access request sent by the user terminal, obtaining page information corresponding to the target service site from the service server and sending the page information to the user terminal. This method can improve the security of single sign-on.

Description

Translated from Chinese
A login method, device and system

Technical Field

The present application relates to the technical field of information processing, and in particular to a login method, device and system.

Background

Single sign-on means that a unified login interface is set up for multiple application systems, so that a user only needs to log in once to access all application systems behind that interface.

At present, there are two main access methods for single sign-on. In the first, after the user terminal logs in to the proxy service, it logs in to the application system using identity information for the application system that is either pre-stored on the user terminal or obtained from the proxy server; because the user terminal itself logs in to the application system with the identity information, the security of this method is low. The second is protocol modification, but this requires changing the application system's original login method and is cumbersome.

Summary of the Invention

In view of this, the purpose of the present application is to provide a login method, device and system that improve the security of single sign-on.

In a first aspect, an embodiment of the present application provides a login method, applied to a reverse proxy server, including:

receiving a login request sent by a user terminal, verifying the user's first identity information carried in the login request, and feeding back a service site list to the user terminal after the verification passes;

receiving a first access request sent by the user terminal, where the first access request carries identification information of a target service site selected by the user from the service site list;

performing identity authentication at the target service site based on the first access request and a pre-stored login credential corresponding to the user, and, after the identity authentication passes, feeding back to the user terminal an access permission instruction corresponding to the target service site, where the access permission instruction instructs the user terminal to initiate an access request again;

after receiving a second access request sent by the user terminal, obtaining page information corresponding to the target service site from the service server, and sending the page information to the user terminal.

With reference to the first aspect, an embodiment of the present application provides a first possible implementation of the first aspect, in which the service site list carries a credential random number, and the first access request carries a random number generated based on the credential random number;

before performing identity authentication at the target service site based on the first access request and the pre-stored login credential corresponding to the user, the method further includes:

performing security verification based on the random number carried in the first access request and the credential random number carried in the service site list; if the verification passes, performing identity authentication at the target service site based on the first access request and the pre-stored login credential corresponding to the user.

With reference to the first aspect, an embodiment of the present application provides a second possible implementation of the first aspect, in which, before feeding back to the user terminal the access permission instruction corresponding to the target service site, the method further includes:

changing the login status of the user terminal at the service server from not logged in to logged in;

obtaining page information corresponding to the target service site from the service server includes:

detecting whether the login status of the user terminal at the service server is logged in;

if so, obtaining the page information corresponding to the target service site from the service server.

With reference to the second possible implementation of the first aspect, an embodiment of the present application provides a third possible implementation of the first aspect, in which, before obtaining the page information corresponding to the target service site from the service server, the method further includes:

determining the login time of the user terminal at the service server;

detecting whether the time difference between the time at which the second access request is received and the login time is less than a preset time difference threshold;

if the time difference is less than the time difference threshold, sending the access request sent by the user terminal to the service server.

With reference to the third possible implementation of the first aspect, an embodiment of the present application provides a fourth possible implementation of the first aspect, in which performing identity authentication at the target service site based on the first access request and the pre-stored login credential corresponding to the user includes:

obtaining the login credential based on the first identity information and the identification information of the target service site carried in the first access request;

sending an identity authentication request to the target service site based on the login credential, so that the target service site performs identity authentication based on the login credential in the identity authentication request.
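The proxy-side method of the first aspect, with the nonce check, login-status check and time-difference check from its possible implementations, can be modelled as a small state machine. This is an added example, not code from the patent or its assignee. Assumptions: the value derived from the credential random number is an HMAC-SHA256 keyed with that number over the site id, the random number is single-use, the threshold is 30 seconds, and all names and sample data are hypothetical.

```python
import hashlib
import hmac
import secrets
import time

# Constructed sample data (hypothetical names): portal accounts, the proxy's
# credential store keyed by (user, site id), and the service server's state.
# A real store would hold password hashes, not plaintext.
PORTAL_USERS = {"alice": "portal-pass"}
CREDENTIAL_STORE = {("alice", "crm"): ("alice_crm", "crm-secret")}
SITE_ACCOUNTS = {"crm": {"alice_crm": "crm-secret"}}
SITE_PAGES = {"crm": "<html>CRM home</html>"}
TIME_DIFF_THRESHOLD = 30.0  # seconds; assumed value for the preset threshold


def _same(a: str, b: str) -> bool:
    """Constant-time string comparison."""
    return hmac.compare_digest(a.encode(), b.encode())


def derive(nonce: str, site_id: str) -> str:
    """Value the terminal derives from the credential random number.
    Assumption: HMAC-SHA256 keyed with the nonce over the site id."""
    return hmac.new(nonce.encode(), site_id.encode(), hashlib.sha256).hexdigest()


class ReverseProxy:
    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.nonces = {}       # user -> outstanding credential random number
        self.login_times = {}  # (user, site id) -> login time at the service server

    def login(self, user, password):
        """Login request: verify first identity info, return site list + nonce."""
        stored = PORTAL_USERS.get(user)
        if stored is None or not _same(stored, password):
            return None
        nonce = secrets.token_hex(16)
        self.nonces[user] = nonce
        sites = sorted(s for (u, s) in CREDENTIAL_STORE if u == user)
        return {"sites": sites, "nonce": nonce}

    def first_access(self, user, site_id, proof):
        """First access request: nonce check, then the proxy itself
        authenticates at the target site with the stored credential."""
        nonce = self.nonces.pop(user, None)  # single use, so a replay fails
        if nonce is None or not _same(derive(nonce, site_id), proof):
            return {"allow": False, "reason": "nonce"}
        cred = CREDENTIAL_STORE.get((user, site_id))
        if cred is None or not self._authenticate_at_site(site_id, *cred):
            return {"allow": False, "reason": "credential"}
        # Login status becomes "logged in"; the login time is recorded.
        self.login_times[(user, site_id)] = self.clock()
        # Access permission instruction: carries no credential material.
        return {"allow": True, "site": site_id}

    def _authenticate_at_site(self, site_id, account, password):
        """Stand-in for the identity authentication request to the site."""
        expected = SITE_ACCOUNTS.get(site_id, {}).get(account)
        return expected is not None and _same(expected, password)

    def second_access(self, user, site_id):
        """Second access request: forward only if logged in and in time."""
        logged_in_at = self.login_times.get((user, site_id))
        if logged_in_at is None:
            return None  # login status is "not logged in"
        if self.clock() - logged_in_at >= TIME_DIFF_THRESHOLD:
            return None  # time difference is not below the threshold
        return SITE_PAGES[site_id]


def demo():
    """Run the full exchange once, playing both terminal and proxy."""
    proxy = ReverseProxy()
    listing = proxy.login("alice", "portal-pass")
    proof = derive(listing["nonce"], "crm")  # computed on the terminal
    permit = proxy.first_access("alice", "crm", proof)
    page = proxy.second_access("alice", "crm") if permit["allow"] else None
    return permit, page


if __name__ == "__main__":
    print(demo())
```
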

In a second aspect, an embodiment of the present application provides a login method, applied to a user terminal, including:

after receiving a login instruction input by the user, sending a login request to the reverse proxy server;

receiving the service site list fed back by the proxy server in response to the login request;

when receiving a selection instruction for a target service site input by the user based on the service site list, sending a first access request to the reverse proxy server, where the first access request instructs the reverse proxy server to perform identity authentication at the target service site based on a pre-stored login credential corresponding to the user and, after the identity authentication passes, to feed back to the user terminal an access permission instruction corresponding to the target service site;

after receiving the access permission instruction corresponding to the target service site that the reverse proxy server feeds back based on the first access request, sending a second access request to the reverse proxy server, where the second access request instructs the reverse proxy server to obtain page information corresponding to the target service site from the service server;

receiving the page information of the target service site forwarded by the reverse proxy server.

In a third aspect, an embodiment of the present application provides a login system, including a user terminal and a reverse proxy server:

the user terminal is configured to: send a login request to the reverse proxy server after receiving a login instruction initiated by the user; receive the service site list fed back by the proxy server in response to the login request; send a first access request to the reverse proxy server when receiving a selection instruction for a target service site input by the user based on the service site list; send a second access request to the reverse proxy server after receiving the access permission instruction corresponding to the target service site that the reverse proxy server feeds back based on the first access request; and receive the page information of the target service site forwarded by the reverse proxy server;

the first access request instructs the reverse proxy server to perform identity authentication at the target service site based on a pre-stored login credential corresponding to the user and, after the identity authentication passes, to feed back to the user terminal page information corresponding to the target service site;

the second access request instructs the reverse proxy server to obtain page information corresponding to the target service site from the service server;

the reverse proxy server is configured to: receive the login request sent by the user terminal, verify the user's first identity information carried in the login request, and feed back the service site list to the user terminal after the verification passes; after receiving the first access request sent by the user terminal, perform identity authentication at the target service site based on the first access request and the pre-stored login credential corresponding to the user and, after the identity authentication passes, feed back to the user terminal the access permission instruction corresponding to the target service site; and, after receiving the second access request sent by the user terminal, obtain the page information corresponding to the target service site from the service server and send the page information to the user terminal.

With reference to the third aspect, an embodiment of the present application provides a first possible implementation of the third aspect, in which the service site list carries a credential random number, and the first access request carries a random number generated based on the credential random number;

the reverse proxy server, before performing identity authentication at the target service site based on the first access request and the pre-stored login credential corresponding to the user, is further configured to:

perform security verification based on the random number carried in the first access request and the credential random number carried in the service site list; if the verification passes, perform identity authentication at the target service site based on the first access request and the pre-stored login credential corresponding to the user.

With reference to the third aspect, an embodiment of the present application provides a second possible implementation of the third aspect, in which the reverse proxy server, before feeding back to the user terminal the access permission instruction corresponding to the target service site, is further configured to:

change the login status of the user terminal at the service server from not logged in to logged in;

the reverse proxy server is specifically configured to obtain the page information corresponding to the target service site from the service server by the following steps:

detecting whether the login status of the user terminal at the service server is logged in;

if so, obtaining the page information corresponding to the target service site from the service server.

With reference to the second possible implementation of the third aspect, an embodiment of the present application provides a third possible implementation of the third aspect, in which the reverse proxy server, before obtaining the page information corresponding to the target service site from the service server, is further configured to:

determine the login time of the user terminal at the service server;

detect whether the time difference between the time at which the second access request is received and the login time is less than a preset time difference threshold;

if the time difference is less than the time difference threshold, send the access request sent by the user terminal to the service server.

With reference to the third aspect, an embodiment of the present application provides a fourth possible implementation of the third aspect, in which the reverse proxy server, when performing identity authentication at the target service site based on the first access request and the pre-stored login credential corresponding to the user, is specifically configured to:

obtain the login credential based on the first identity information and the identification information of the target service site carried in the first access request;

send an identity authentication request to the target service site based on the login credential, so that the target service site performs identity authentication based on the login credential in the identity authentication request.

In a fourth aspect, an embodiment of the present application provides a login device, including:

a first verification module, configured to receive a login request sent by a user terminal, verify the user's first identity information carried in the login request, and feed back a service site list to the user terminal after the verification passes;

a first receiving module, configured to receive a first access request sent by the user terminal, where the first access request carries identification information of a target service site selected by the user from the service site list;

a second verification module, configured to perform identity authentication at the target service site based on the first access request and a pre-stored login credential corresponding to the user and, after the identity authentication passes, feed back to the user terminal an access permission instruction corresponding to the target service site, where the access permission instruction instructs the user terminal to initiate an access request again;

a page information forwarding module, configured to obtain page information corresponding to the target service site from the service server after receiving a second access request sent by the user terminal, and send the page information to the user terminal.

With reference to the fourth aspect, an embodiment of the present application provides a first possible implementation of the fourth aspect, in which the service site list carries a credential random number, and the first access request carries a random number generated based on the credential random number;

the second verification module, before performing identity authentication at the target service site based on the first access request and the pre-stored login credential corresponding to the user, is further configured to:

perform security verification based on the random number carried in the first access request and the credential random number carried in the service site list; if the verification passes, perform identity authentication at the target service site based on the first access request and the pre-stored login credential corresponding to the user.

With reference to the fourth aspect, an embodiment of the present application provides a second possible implementation of the fourth aspect, in which the second verification module, before feeding back to the user terminal the access permission instruction corresponding to the target service site, is further configured to:

change the login status of the user terminal at the service server from not logged in to logged in;

the page information forwarding module, when obtaining the page information corresponding to the target service site from the service server, is specifically configured to:

detect whether the login status of the user terminal at the service server is logged in;

if so, obtain the page information corresponding to the target service site from the service server.

With reference to the second possible implementation of the fourth aspect, an embodiment of the present application provides a third possible implementation of the fourth aspect, in which the second verification module, before the page information corresponding to the target service site is obtained from the service server, is further configured to:

determine the login time of the user terminal at the service server;

detect whether the time difference between the time at which the second access request is received and the login time is less than a preset time difference threshold;

if the time difference is less than the time difference threshold, send the access request sent by the user terminal to the service server.

With reference to the fourth aspect, an embodiment of the present application provides a fourth possible implementation of the second aspect, in which the second verification module, when performing identity authentication at the target service site based on the first access request and the pre-stored login credential corresponding to the user, is specifically configured to:

obtain the login credential based on the first identity information and the identification information of the target service site carried in the first access request;

send an identity authentication request to the target service site based on the login credential, so that the target service site performs identity authentication based on the login credential in the identity authentication request.

In a fifth aspect, an embodiment of the present application provides another login device, including:

a first sending module, configured to send a login request to the reverse proxy server after receiving a login instruction input by the user;

a second receiving module, configured to receive the service site list fed back by the proxy server in response to the login request;

a second sending module, configured to send a first access request to the reverse proxy server when receiving a selection instruction for a target service site input by the user based on the service site list, where the first access request instructs the reverse proxy server to perform identity authentication at the target service site based on a pre-stored login credential corresponding to the user and, after the identity authentication passes, to feed back to the user terminal an access permission instruction corresponding to the target service site;

a third sending module, configured to send a second access request to the reverse proxy server after receiving the access permission instruction corresponding to the target service site that the reverse proxy server feeds back based on the first access request, where the second access request instructs the reverse proxy server to obtain page information corresponding to the target service site from the service server;

a third receiving module, configured to receive the page information of the target service site forwarded by the reverse proxy server.

In a sixth aspect, an embodiment of the present application further provides an electronic device, including a processor, a memory and a bus, where the memory stores machine-readable instructions executable by the processor; when the electronic device runs, the processor and the memory communicate over the bus, and the machine-readable instructions, when executed by the processor, perform the steps of the first aspect, any possible implementation of the first aspect, the second aspect, or any possible implementation of the second aspect.

In a seventh aspect, an embodiment of the present application further provides a computer-readable storage medium storing a computer program that, when run by a processor, performs the steps of the first aspect, any possible implementation of the first aspect, the second aspect, or any possible implementation of the second aspect.

With the login method, device and system provided by the embodiments of the present application, after the first access request for the target service site sent by the user terminal is received, the login credential that was found is not sent to the user terminal for the user terminal to initiate a login request; instead, the reverse proxy server uses the login credential to perform identity authentication at the service server, and, after the authentication succeeds and the second access request sent by the user terminal is received, the reverse proxy server obtains the page information directly from the target service site. In this way, the security of single sign-on can be improved without modifying the original system framework of the service site.

To make the above objects, features and advantages of the present application more apparent and easier to understand, preferred embodiments are described in detail below with reference to the accompanying drawings.

Description of Drawings

To illustrate the technical solutions of the embodiments of the present application more clearly, the drawings used in the embodiments are briefly introduced below. It should be understood that the following drawings show only some embodiments of the present application and should therefore not be regarded as limiting its scope; those of ordinary skill in the art can obtain other related drawings from these drawings without creative effort.

FIG. 1 shows an interaction flow diagram of a login system provided by an embodiment of the present application;

FIG. 2 shows a schematic flowchart of a login method provided by an embodiment of the present application;

FIG. 3 shows a schematic flowchart of another login method provided by an embodiment of the present application;

FIG. 4 shows a schematic diagram of the architecture of a login device 400 provided by an embodiment of the present application;

FIG. 5 shows a schematic diagram of the architecture of a login device 500 provided by an embodiment of the present application;

FIG. 6 shows a schematic structural diagram of an electronic device 600 provided by an embodiment of the present application;

FIG. 7 shows a schematic structural diagram of an electronic device 700 provided by an embodiment of the present application.

Detailed Description

To make the purposes, technical solutions and advantages of the embodiments of the present application clearer, the technical solutions in the embodiments are described clearly and completely below with reference to the drawings. The described embodiments are evidently only some of the embodiments of the present application, not all of them. The components of the embodiments generally described and illustrated in the drawings herein may be arranged and designed in a variety of different configurations. The following detailed description of the embodiments provided in the drawings is therefore not intended to limit the scope of the application as claimed, but merely represents selected embodiments of the application. All other embodiments obtained by those skilled in the art based on the embodiments of the present application without creative effort fall within the scope of protection of the present application.

To facilitate understanding of this embodiment, a login disclosed in the embodiments of the present application is first introduced in detail.

Embodiment 1

Referring to FIG. 1, which is an interaction flow diagram of a login system provided by an embodiment of the present application, the login system includes a user terminal and a reverse proxy server, and the interaction between the user terminal and the reverse proxy server includes the following steps:

Step 101: After receiving a login instruction initiated by the user, the user terminal sends a login request to the reverse proxy server.

The login instruction received by the user terminal may be generated after the user enters the first identity information on the login interface and clicks the login button.

The first identity information may be the user's account and password, the user's fingerprint information, the user's voiceprint information and so on, which is not limited in this application.

Step 102: The reverse proxy server performs verification based on the user's first identity information carried in the login request and, when the verification passes, feeds back a service site list to the user terminal.

Specifically, the reverse proxy server may look up whether the first identity information exists in a database that stores user identity information; if it exists, the verification is determined to have passed.

Step 103: When the user terminal receives a selection instruction for a target service site, input by the user based on the service site list, it sends a first access request to the reverse proxy server.

Step 104: After receiving the first access request sent by the user terminal, the reverse proxy server performs identity authentication at the target service site based on the first access request and a pre-stored login credential corresponding to the user and, after the identity authentication passes, feeds back to the user terminal an access permission instruction corresponding to the target service site.

In a possible implementation, the service site list fed back by the reverse proxy server to the user terminal in step 102 carries a credential random number. The user terminal may generate a random number based on the credential random number and carry the generated random number in the first access request that it sends to the reverse proxy server.

On receiving the first access request sent by the user terminal, the reverse proxy server may first perform security verification based on the random number carried in the first access request and the credential random number carried in the service site list. If the verification passes, it feeds back to the user terminal the access permission instruction corresponding to the target service site.

The security verification based on the random number carried in the first access request and the credential random number carried in the service site list may be either of the following cases:

Case 1: If the random number carried in the first access request is the same as the credential random number carried in the service site list, the verification is determined to have passed.

Case 2: If the random number carried in the first access request was obtained by the user terminal encrypting the credential random number with a preset encryption method, the reverse proxy server, after receiving the first access request, first decrypts it with the decryption method corresponding to the preset encryption method. If the decrypted random number is the same as the credential random number carried in the service site list, the verification is determined to have passed.

In a possible implementation, the reverse proxy server may store the login state of the user terminal at each service server. If the reverse proxy server performs identity authentication at the target service site based on the first access request and the pre-stored login credential corresponding to the user, and the identity authentication passes, the reverse proxy server may change the login state of the user terminal at the service server from not logged in to logged in.

In one example of this application, when the reverse proxy server performs identity authentication at the target service site based on the first access request and the pre-stored login credential corresponding to the user, the reverse proxy server may obtain the login credential based on the first identity information and the identification information of the target service site carried in the first access request, and then send an identity authentication request based on the login credential to the target service site. After receiving the login credential, the target service server corresponding to the target service site performs identity authentication based on it.

The login credentials may be pre-stored in the database of the reverse proxy server, and the login credentials of the same user for different service sites may be stored separately.

In a possible application scenario, the user has not registered at the target service site, so the reverse proxy server cannot find in the database a login credential for the user at the target service site. In that case, the user may initiate a registration request to the target service site through the reverse proxy server in order to obtain a login credential. The specific registration process is not described further here.

Step 105: After receiving the access permission instruction corresponding to the target service site fed back by the reverse proxy server, the user terminal sends a second access request to the reverse proxy server.

Step 106: After receiving the second access request sent by the user terminal, the reverse proxy server acquires page information corresponding to the target service site from the service server and sends the page information to the user terminal.

In a possible implementation, after receiving the second access request sent by the user terminal and before acquiring the page information corresponding to the target service site from the service server, the reverse proxy server may also check whether the login state of the user terminal at the service server is logged in. If so, it acquires the page information corresponding to the target service site from the service server.

In another possible implementation, to improve the security of the system, the reverse proxy server may also determine the login time of the user terminal at the service server and then check whether the time difference between the time at which the second access request was received and the login time is less than a preset time difference threshold. If the time difference is less than the preset threshold, it acquires the page information corresponding to the target service site from the service server.

In a specific implementation, when acquiring the page information corresponding to the target service site from the service server, the reverse proxy server may forward the second access request sent by the user terminal to the target service server corresponding to the target service site, and then receive the page information that the target service server feeds back in response to the second access request.
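The exchange in steps 101 to 106 can be modelled in memory as follows. This is an added example, not code from the patent: the class and method names, the return strings, the sample accounts, the single-use handling of the credential random number and the dropping of an expired login state are assumptions, and the random-number check follows case 1 (equality).

```python
import hmac
import secrets
import time


def _same(a, b):
    """Constant-time string comparison."""
    return hmac.compare_digest(a.encode(), b.encode())


class ServiceSite:
    """Constructed stand-in for a target service server with its own login."""

    def __init__(self, site_id, accounts):
        self.site_id = site_id
        self._accounts = accounts  # {site_username: site_password}, sample data

    def authenticate(self, credential):
        username, password = credential
        expected = self._accounts.get(username)
        return expected is not None and _same(expected, password)

    def fetch_page(self, path):
        return f"<html>{self.site_id}:{path}</html>"


class ReverseProxy:
    """Holds the per-site login credentials; the user terminal never sees them."""

    def __init__(self, users, sites, credentials, max_age, clock=time.time):
        self._users = users              # {user: password}, first identity information
        self._sites = sites              # {site_id: ServiceSite}
        self._credentials = credentials  # {(user, site_id): credential}, one per site
        self._max_age = max_age          # preset time difference threshold, seconds
        self._clock = clock
        self._nonces = {}                # {user: credential random number}
        self._logins = {}                # {(user, site_id): login time}

    def login(self, user, password):
        """Steps 101-102: verify identity, return site list plus random number."""
        expected = self._users.get(user)
        if expected is None or not _same(expected, password):
            return None
        nonce = secrets.token_hex(16)
        self._nonces[user] = nonce
        return {"sites": sorted(self._sites), "nonce": nonce}

    def first_access(self, user, site_id, nonce):
        """Steps 103-104: check the random number, then log in on the user's behalf."""
        issued = self._nonces.pop(user, None)  # assumption: usable once
        if issued is None or not _same(issued, nonce):
            return "nonce_rejected"
        site = self._sites.get(site_id)
        credential = self._credentials.get((user, site_id))
        if site is None or credential is None:
            return "no_credential"  # user not registered at this site
        if not site.authenticate(credential):
            return "auth_failed"
        self._logins[(user, site_id)] = self._clock()  # not logged in -> logged in
        return "access_allowed"

    def second_access(self, user, site_id, path):
        """Steps 105-106: serve the page only for a recent logged-in state."""
        login_time = self._logins.get((user, site_id))
        if login_time is None:
            return None
        if self._clock() - login_time >= self._max_age:
            del self._logins[(user, site_id)]  # assumption: expired state is dropped
            return None
        return self._sites[site_id].fetch_page(path)


def demo():
    now = [1000.0]  # controllable clock for the demonstration
    proxy = ReverseProxy(
        users={"alice": "portal-pw"},
        sites={"crm": ServiceSite("crm", {"alice_crm": "crm-pw"})},
        credentials={("alice", "crm"): ("alice_crm", "crm-pw")},
        max_age=300,
        clock=lambda: now[0],
    )
    listing = proxy.login("alice", "portal-pw")
    verdict = proxy.first_access("alice", "crm", listing["nonce"])
    page = proxy.second_access("alice", "crm", "/home")
    now[0] += 300  # threshold reached: the logged-in state no longer counts
    late = proxy.second_access("alice", "crm", "/home")
    return verdict, page, late


if __name__ == "__main__":
    print(demo())
```

The model identifies the user by name on every call for brevity; a deployed proxy would bind the random number and login state to an authenticated session instead.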

An embodiment of the present application also provides a login method applied to a reverse proxy server. Referring to FIG. 2, which is a schematic flowchart of a login method provided by an embodiment of the present application, the method includes the following steps:

Step 201: Receive a login request sent by a user terminal, perform verification based on the user's first identity information carried in the login request and, when the verification passes, feed back a service site list to the user terminal.

Step 202: Receive a first access request sent by the user terminal, where the first access request carries the identification information of the target service site selected by the user based on the service site list.

Step 203: Perform identity authentication at the target service site based on the first access request and a pre-stored login credential corresponding to the user and, after the identity authentication passes, feed back to the user terminal an access permission instruction corresponding to the target service site.

The access permission instruction is used to instruct the user terminal to initiate an access request again.

In a possible implementation, the service site list carries a credential random number, and the first access request carries a random number generated based on the credential random number.

Before identity authentication is performed at the target service site based on the first access request and the pre-stored login credential corresponding to the user, security verification may also be performed based on the random number carried in the first access request and the credential random number carried in the service site list. If the verification passes, identity authentication is performed at the target service site based on the first access request and the pre-stored login credential corresponding to the user.

In a possible application scenario, before the access permission instruction corresponding to the target service site is fed back to the user terminal, the login state of the user terminal at the service server may also be changed from not logged in to logged in.

Acquiring the page information corresponding to the target service site from the service server includes:

checking whether the login state of the user terminal at the service server is logged in;

if so, acquiring the page information corresponding to the target service site from the service server.

In another possible application scenario, before the page information corresponding to the target service site is acquired from the service server, the method further includes:

determining the login time of the user terminal at the service server;

checking whether the time difference between the time at which the second access request was received and the login time is less than a preset time difference threshold;

if the time difference is less than the time difference threshold, acquiring the page information corresponding to the target service site from the service server.

In an implementation of the present application, performing identity authentication at the target service site based on the first access request and the pre-stored login credential corresponding to the user includes:

obtaining the login credential based on the first identity information and the identification information of the target service site carried in the first access request;

sending an identity authentication request to the target service site based on the login credential, so that the target service site performs identity authentication based on the login credential in the identity authentication request.

Step 204: After receiving the second access request sent by the user terminal, acquire page information corresponding to the target service site from the service server and send the page information to the user terminal.

This embodiment also provides another login method, applied to a user terminal. Referring to FIG. 3, which is a schematic flowchart of another login method provided by an embodiment of the present application, the method includes the following steps:

Step 301: After receiving a login instruction input by the user, send a login request to the reverse proxy server.

Step 302: Receive the service site list fed back by the proxy server according to the login request.

Step 303: When a selection instruction for a target service site, input by the user based on the service site list, is received, send a first access request to the reverse proxy server.

The first access request is used to instruct the reverse proxy server to perform identity authentication at the target service site based on the pre-stored login credential corresponding to the user and, after the identity authentication passes, to feed back to the user terminal the access permission instruction corresponding to the target service site.

Step 304: After receiving the access permission instruction corresponding to the target service site, fed back by the reverse proxy server based on the first access request, send a second access request to the reverse proxy server.

The second access request is used to instruct the reverse proxy server to acquire page information corresponding to the target service site from the service server.

Step 305: Receive the page information of the target service site forwarded by the reverse proxy server.

In the login method and system provided by the embodiments of the present application, after the first access request for the target service site sent by the user terminal is received, the login credential that was found is not sent to the user terminal for the user terminal to initiate a login request. Instead, the reverse proxy server uses the login credential to perform identity authentication at the service server and, after the authentication succeeds and the second access request sent by the user terminal is received, the reverse proxy server obtains the page information directly from the target service site. In this way, the security of single sign-on can be improved without modifying the original system framework of the service site.

Embodiment 2

This embodiment also provides a login device. Referring to FIG. 4, which is a schematic architecture diagram of a login device 400 provided by an embodiment of the present application, the device includes a first verification module 401, a first receiving module 402, a second verification module 403 and a page information forwarding module 404. Specifically:

The first verification module 401 is configured to receive a login request sent by a user terminal, perform verification based on the user's first identity information carried in the login request and, when the verification passes, feed back a service site list to the user terminal.

The first receiving module 402 is configured to receive a first access request sent by the user terminal, where the first access request carries the identification information of the target service site selected by the user based on the service site list.

The second verification module 403 is configured to perform identity authentication at the target service site based on the first access request and the pre-stored login credential corresponding to the user and, after the identity authentication passes, feed back to the user terminal an access permission instruction corresponding to the target service site, where the access permission instruction is used to instruct the user terminal to initiate an access request again.

The page information forwarding module 404 is configured to, after receiving the second access request sent by the user terminal, acquire page information corresponding to the target service site from the service server and send the page information to the user terminal.

In a possible design, the service site list carries a credential random number, and the first access request carries a random number generated based on the credential random number.

Before performing identity authentication at the target service site based on the first access request and the pre-stored login credential corresponding to the user, the second verification module 403 is further configured to:

perform security verification based on the random number carried in the first access request and the credential random number carried in the service site list; if the verification passes, perform identity authentication at the target service site based on the first access request and the pre-stored login credential corresponding to the user.

In a possible design, before feeding back to the user terminal the access permission instruction corresponding to the target service site, the second verification module 403 is further configured to:

change the login state of the user terminal at the service server from not logged in to logged in.

When acquiring the page information corresponding to the target service site from the service server, the page information forwarding module 404 is specifically configured to:

check whether the login state of the user terminal at the service server is logged in;

if so, acquire the page information corresponding to the target service site from the service server.

In a possible design, before the page information corresponding to the target service site is acquired from the service server, the second verification module 403 is further configured to:

determine the login time of the user terminal at the service server;

check whether the time difference between the time at which the second access request was received and the login time is less than a preset time difference threshold;

if the time difference is less than the time difference threshold, acquire the page information corresponding to the target service site from the service server.

In a possible design, when performing identity authentication at the target service site based on the first access request and the pre-stored login credential corresponding to the user, the second verification module 403 is specifically configured to:

obtain the login credential based on the first identity information and the identification information of the target service site carried in the first access request;

send an identity authentication request to the target service site based on the login credential, so that the target service site performs identity authentication based on the login credential in the identity authentication request.

In addition, an embodiment of the present application provides another login device. Referring to FIG. 5, which is a schematic architecture diagram of the login device 500 provided by this embodiment, the device includes a first sending module 501, a second receiving module 502, a second sending module 503, a third sending module 504 and a third receiving module 505. Specifically:

The first sending module 501 is configured to send a login request to the reverse proxy server after receiving a login instruction input by the user.

The second receiving module 502 is configured to receive the service site list fed back by the proxy server according to the login request.

The second sending module 503 is configured to send a first access request to the reverse proxy server when a selection instruction for a target service site, input by the user based on the service site list, is received. The first access request is used to instruct the reverse proxy server to perform identity authentication at the target service site based on the pre-stored login credential corresponding to the user and, after the identity authentication passes, to feed back to the user terminal the page information corresponding to the target service site.

The third sending module 504 is configured to send a second access request to the reverse proxy server after receiving the access permission instruction corresponding to the target service site, fed back by the reverse proxy server based on the first access request. The second access request is used to instruct the reverse proxy server to acquire the page information corresponding to the target service site from the service server.

The third receiving module 505 is configured to receive the page information of the target service site forwarded by the reverse proxy server.

With the login device provided by the embodiments of the present application, after the first access request for the target service site sent by the user terminal is received, the login credential that was found is not sent to the user terminal for the user terminal to initiate a login request. Instead, the reverse proxy server uses the login credential to perform identity authentication at the service server and, after the authentication succeeds and the second access request sent by the user terminal is received, the reverse proxy server obtains the page information directly from the target service site. In this way, the security of single sign-on can be improved without modifying the original system framework of the service site.

Embodiment 3

Based on the same technical concept, an embodiment of the present application also provides an electronic device. Referring to FIG. 6, which is a schematic structural diagram of an electronic device 600 provided by an embodiment of the present application, the device includes a processor 601, a memory 602 and a bus 603. The memory 602 is used to store execution instructions and includes an internal memory 6021 and an external memory 6022. The internal memory 6021 temporarily stores operation data of the processor 601 and data exchanged with the external memory 6022, such as a hard disk, and the processor 601 exchanges data with the external memory 6022 through the internal memory 6021. When the electronic device 600 is running, the processor 601 communicates with the memory 602 through the bus 603, so that the processor 601 executes the following instructions:

receiving a login request sent by a user terminal, performing verification based on the user's first identity information carried in the login request and, when the verification passes, feeding back a service site list to the user terminal;

receiving a first access request sent by the user terminal, where the first access request carries the identification information of the target service site selected by the user based on the service site list;

performing identity authentication at the target service site based on the first access request and the pre-stored login credential corresponding to the user and, after the identity authentication passes, feeding back to the user terminal an access permission instruction corresponding to the target service site, where the access permission instruction is used to instruct the user terminal to initiate an access request again;

after receiving the second access request sent by the user terminal, acquiring page information corresponding to the target service site from the service server and sending the page information to the user terminal.

In a possible design, in the instructions executed by the processor 601, the service site list carries a credential random number, and the first access request carries a random number generated based on the credential random number.

Before identity authentication is performed at the target service site based on the first access request and the pre-stored login credential corresponding to the user, the instructions executed by the processor 601 further include:

performing security verification based on the random number carried in the first access request and the credential random number carried in the service site list; if the verification passes, performing identity authentication at the target service site based on the first access request and the pre-stored login credential corresponding to the user.

In a possible design, before the access permission instruction corresponding to the target service site is fed back to the user terminal, the instructions executed by the processor 601 further include:

changing the login state of the user terminal at the service server from not logged in to logged in.

Acquiring the page information corresponding to the target service site from the service server includes:

checking whether the login state of the user terminal at the service server is logged in;

if so, acquiring the page information corresponding to the target service site from the service server.

In a possible design, before the page information corresponding to the target service site is acquired from the service server, the instructions executed by the processor 601 further include:

determining the login time of the user terminal at the service server;

checking whether the time difference between the time at which the second access request was received and the login time is less than a preset time difference threshold;

if the time difference is less than the time difference threshold, acquiring the page information corresponding to the target service site from the service server.

In a possible design, in the instructions executed by the processor 601, performing identity authentication at the target service site based on the first access request and the pre-stored login credential corresponding to the user includes:

obtaining the login credential based on the first identity information and the identification information of the target service site carried in the first access request;

sending an identity authentication request to the target service site based on the login credential, so that the target service site performs identity authentication based on the login credential in the identity authentication request.

Based on the same technical concept, an embodiment of the present application further provides an electronic device. FIG. 7 is a schematic structural diagram of an electronic device 700 provided by an embodiment of the present application, which includes a processor 701, a memory 702, and a bus 703. The memory 702 stores execution instructions and includes an internal memory 7021 and an external memory 7022. The internal memory 7021 temporarily stores operation data of the processor 701 and data exchanged with the external memory 7022, such as a hard disk; the processor 701 exchanges data with the external memory 7022 through the internal memory 7021. When the electronic device 700 is running, the processor 701 communicates with the memory 702 through the bus 703, so that the processor 701 executes the following instructions:

after receiving a login instruction input by the user, sending a login request to the reverse proxy server;

receiving the service site list fed back by the proxy server according to the login request;

when receiving a selection instruction for a target service site input by the user based on the service site list, sending a first access request to the reverse proxy server; wherein the first access request is used to instruct the reverse proxy server to perform identity authentication at the target service site based on the pre-stored login credential corresponding to the user and, after the identity authentication is passed, to feed back to the user terminal an access permission instruction corresponding to the target service site;

after receiving the access permission instruction corresponding to the target service site that the reverse proxy server feeds back based on the first access request, sending a second access request to the reverse proxy server; wherein the second access request is used to instruct the reverse proxy server to obtain the page information corresponding to the target service site from the service server;

receiving the page information of the target service site forwarded by the reverse proxy server.
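The proxy-side handling of the flow described above (credential lookup by identity and site identifier, the access permission instruction, and the time-difference check), as an added Python example that is not part of the patent. The session handle, the 30-second threshold, single-use grants and all class and function names are assumptions; the time difference is assumed to run from issuing the access permission instruction to receiving the second access request.

```python
import hmac
import secrets
import time

TIME_DIFF_THRESHOLD = 30.0  # seconds; assumed value, the page gives no number

def _same(a, b):
    return hmac.compare_digest(a.encode(), b.encode())

class BusinessSite:
    """Stand-in for a target service site that checks a login credential."""
    def __init__(self, site_id, accounts):
        self.site_id, self._accounts = site_id, accounts  # {user: password}

    def authenticate(self, credential):
        user, password = credential
        return user in self._accounts and _same(self._accounts[user], password)

    def page(self):
        return f"<html>{self.site_id} home</html>"

class ReverseProxy:
    def __init__(self, users, sites, vault, clock=time.monotonic):
        self._users, self._sites = users, sites  # {identity: pw}, {site_id: site}
        self._vault = vault    # {(identity, site_id): credential}, stays on the proxy
        self._clock = clock
        self._sessions = {}    # session -> identity (assumed session binding)
        self._grants = {}      # allow-access token -> (site_id, issued_at)

    def login(self, identity, password):
        """Verify the first identity information, then return the site list."""
        if identity not in self._users or not _same(self._users[identity], password):
            return None, []
        session = secrets.token_urlsafe(16)
        self._sessions[session] = identity
        return session, sorted(s for (i, s) in self._vault if i == identity)

    def first_access(self, session, site_id):
        """Fetch the stored credential and authenticate at the target site."""
        credential = self._vault.get((self._sessions.get(session), site_id))
        site = self._sites.get(site_id)
        if credential is None or site is None or not site.authenticate(credential):
            return None
        token = secrets.token_urlsafe(16)
        self._grants[token] = (site_id, self._clock())
        return token  # plays the role of the "allow access" instruction

    def second_access(self, token):
        """Serve the page only while the time difference is under the threshold."""
        site_id, issued_at = self._grants.pop(token, (None, 0.0))  # single use (assumed)
        if site_id is None or self._clock() - issued_at >= TIME_DIFF_THRESHOLD:
            return None
        return self._sites[site_id].page()

def build_demo(clock):
    """Constructed sample data: one user, one site, one stored credential."""
    site = BusinessSite("crm", {"svc_alice": "s3cret"})
    vault = {("alice", "crm"): ("svc_alice", "s3cret")}
    return ReverseProxy({"alice": "portal-pw"}, {"crm": site}, vault, clock)
```

The user terminal only ever holds the session handle and the short-lived grant; the site credential in the vault never leaves the proxy.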

Embodiment 4

An embodiment of the present application further provides a computer-readable storage medium storing a computer program which, when run by a processor, executes the steps of the login method described in any of the foregoing embodiments.

Specifically, the storage medium can be a general-purpose storage medium, such as a removable disk or a hard disk. When the computer program on the storage medium is run, the steps of the above login method can be executed, thereby improving the security of single sign-on.

The computer program product for the login method provided by the embodiments of the present application includes a computer-readable storage medium storing non-volatile program code executable by a processor. The instructions included in the program code can be used to execute the methods described in the foregoing method embodiments; for the specific implementation, refer to the method embodiments, which are not repeated here.

Those skilled in the art can clearly understand that, for convenience and brevity of description, the specific working processes of the systems, devices and units described above may refer to the corresponding processes in the foregoing method embodiments, and are not repeated here.

In the several embodiments provided in this application, it should be understood that the disclosed systems, devices and methods may be implemented in other ways. The device embodiments described above are only illustrative. For example, the division of the units is only a division by logical function, and other divisions are possible in an actual implementation; as another example, multiple units or components may be combined or integrated into another system, or some features may be omitted or not executed. In addition, the mutual coupling, direct coupling or communication connection shown or discussed may be an indirect coupling or communication connection of devices or units through some communication interfaces, and may be electrical, mechanical or in other forms.

The units described as separate components may or may not be physically separate, and components displayed as units may or may not be physical units; that is, they may be located in one place or distributed over multiple network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.

In addition, the functional units in the embodiments of the present application may be integrated into one processing unit, each unit may exist physically on its own, or two or more units may be integrated into one unit.

If the functions are implemented in the form of software functional units and sold or used as stand-alone products, they may be stored in a processor-executable, non-volatile computer-readable storage medium. Based on this understanding, the technical solution of the present application in essence, or the part that contributes to the prior art, or a part of the technical solution, may be embodied in the form of a software product. The computer software product is stored in a storage medium and includes several instructions that cause a computer device (which may be a personal computer, a server, a network device, or the like) to execute all or part of the steps of the methods described in the embodiments of the present application. The aforementioned storage medium includes various media that can store program code, such as a USB flash drive, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk or an optical disc.

Finally, it should be noted that the above embodiments are only specific implementations of the present application, used to illustrate its technical solutions rather than to limit them, and the protection scope of the present application is not limited thereto. Although the present application has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art should understand that anyone familiar with the technical field can, within the technical scope disclosed in the present application, still modify the technical solutions described in the foregoing embodiments, readily conceive of changes to them, or make equivalent replacements of some of their technical features. Such modifications, changes or replacements do not cause the essence of the corresponding technical solutions to depart from the spirit and scope of the technical solutions of the embodiments of the present application, and shall all be covered by the protection scope of the present application. Therefore, the protection scope of the present application shall be subject to the protection scope of the claims.

Claims (15)

the reverse proxy server is used for receiving the login request sent by the user terminal, verifying the login request based on the first identity information of the user carried in the login request, and feeding back the service site list to the user terminal after the verification is passed; after receiving the first access request sent by the user terminal, performing identity authentication at the target service site based on the first access request and a pre-stored login credential corresponding to the user, and after the identity authentication is passed, feeding back an access permission instruction corresponding to the target service site to the user terminal; and after receiving a second access request sent by the user terminal, acquiring the page information corresponding to the target service site from the service server, and sending the page information to the user terminal.
CN201910585136.6A | 2019-07-01 | 2019-07-01 | A login method, device and system | Active | CN110287682B (en)

Priority Applications (1)

Application Number | Priority Date | Filing Date | Title
CN201910585136.6A | 2019-07-01 | 2019-07-01 | A login method, device and system

Applications Claiming Priority (1)

Application Number | Priority Date | Filing Date | Title
CN201910585136.6A | 2019-07-01 | 2019-07-01 | A login method, device and system

Publications (2)

Publication Number | Publication Date
CN110287682A (en) | 2019-09-27
CN110287682B (en) | 2020-12-04

Family

ID=68021442

Family Applications (1)

Application Number | Title | Priority Date | Filing Date
CN201910585136.6A (Active, CN110287682B (en)) | A login method, device and system | 2019-07-01 | 2019-07-01

Country Status (1)

Country | Link
CN (1) | CN110287682B (en)


Citations (4)

* Cited by examiner, † Cited by third party

Publication number | Priority date | Publication date | Assignee | Title
CN101350717A (en) * | 2007-07-18 | 2009-01-21 | 中国移动通信集团公司 | A method and system for logging into a third-party server through instant messaging software
CN105659557A (en) * | 2013-09-20 | 2016-06-08 | 甲骨文国际公司 | Web-based interface integration for single sign-on
US9781122B1 (en) * | 2016-05-11 | 2017-10-03 | Oracle International Corporation | Multi-tenant identity and data security management cloud service
CN109218326A (en) * | 2018-10-10 | 2019-01-15 | 广州虎牙信息科技有限公司 | Login validation method, device, storage medium and server

Family Cites Families (4)

* Cited by examiner, † Cited by third party

Publication number | Priority date | Publication date | Assignee | Title
CN102111410B (en) * | 2011-01-13 | 2013-07-03 | 中国科学院软件研究所 | Agent-based single sign on (SSO) method and system
CN103888430A (en) * | 2012-12-21 | 2014-06-25 | 鸿富锦精密工业(深圳)有限公司 | Single-point registration system and method
CN104065616B (en) * | 2013-03-20 | 2017-06-20 | 中国移动通信集团公司 | Single-point logging method and system
CN107819564A (en) * | 2016-09-10 | 2018-03-20 | 湖南移商动力网络技术有限公司 | A kind of design method of the single-node login system based on Public Key Infrastructure


Also Published As

Publication number | Publication date
CN110287682A (en) | 2019-09-27


Legal Events

Code | Title | Description
PB01 | Publication |
SE01 | Entry into force of request for substantive examination |
GR01 | Patent grant |
PE01 | Entry into force of the registration of the contract for pledge of patent right | Denomination of invention: A login method, device, and system; Granted publication date: 20201204; Pledgee: Mentougou Green Sub branch of Bank of Beijing Co.,Ltd.; Pledgor: BEIJING TRUSFORT TECHNOLOGY CO.,LTD.; Registration number: Y2024110000147
PC01 | Cancellation of the registration of the contract for pledge of patent right | Granted publication date: 20201204; Pledgee: Mentougou Green Sub branch of Bank of Beijing Co.,Ltd.; Pledgor: BEIJING TRUSFORT TECHNOLOGY CO.,LTD.; Registration number: Y2024110000147
PE01 | Entry into force of the registration of the contract for pledge of patent right | Denomination of invention: A login method, device, and system; Granted publication date: 20201204; Pledgee: Mentougou Green Sub branch of Bank of Beijing Co.,Ltd.; Pledgor: BEIJING TRUSFORT TECHNOLOGY CO.,LTD.; Registration number: Y2025110000174
