Based on this, in some embodiments, the authorization information in the authentication method provided by the embodiments of the present disclosure includes a server identifier and a right identifier.

After receiving the server identifier and the authority identifier sent by a certain service server, the authentication server may, for example, combine the server identifier and the authority identifier, and add one server identifier to each authority identifier to form a unique identifier authority.

The following are exemplary: the server identification of the first service server is A, and the server identification of the second service server is B. The authority identifiers of the first service server and the second service server are the same, as shown in table 1.

The authentication server combines the server identifier and the authority identifier to obtain: a01, A02, A03, A04, A05, B01, B02, B03, B04 and B05. When the entitlement information includes a01, it indicates that the service server provides a daily check function. When the entitlement information includes B04, it indicates that the service server two provides a function of viewing all check records.

When the authentication server generates the authorization information, the authorization management of the entire authorization management work can be performed by using Role-Based Access Control (RBAC for short) with respect to the authority range of the login account (user). Or using RBAC3, a unified rights management model. Three main tables of users, roles and resources are defined, the users are associated with the roles, the roles are associated with the resources, and the users obtain the authorities of the roles by becoming members of proper roles, so that the authority management of the users is simple and flexible.

For example, in a banking application, the borrowing and depositing operation authority is assigned to a receiving role, the loan approving operation authority is assigned to a manager role, and the user can be in which role, namely, the authority of which role can be enjoyed.

In some embodiments, as shown in fig. 3, the entitlement information includes a server identifier, and the authentication method further includes:

500. and the service server verifies the received authorization information and the IP of the service server.

That is, after receiving the entitlement information, the service server performs validity verification on the server identifier, and if the server identifier carried in the entitlement information corresponds to its own IP, executes the entitlement information. If the server identifier does not correspond to the own IP, the authorization information is not executed, an alarm may be given to the authentication server, or other specific operations may be executed.

Based on this, the authentication method provided by the embodiment of the present disclosure is exemplified by a specific embodiment below.

An authentication method, comprising:

the service server grants the self management authority to the authentication server through the authority granting interface provided by the authentication server, after the verification is passed, the service server establishes connection with the authentication server, and generates a unique server identifier.

And repeating the steps until all the service servers which need to be uniformly managed by the authentication server authorize the authentication server to finish the steps.

When a user accesses the service server through the terminal device, login information is input, and the authentication server needs to verify the login information. The login information can be that the user sends the login information to the service server through the terminal equipment, and the service server forwards the login information to the authentication server; the user may send login information to the authentication server through the terminal device.

After receiving the login information, the authentication server judges whether the login information is received within a period of time before the login information is received, and if the same login information is received, the authentication server jumps to a service server which is operated by a user. If the user does not receive the authentication request, the current user is indicated to be not logged in any service server, and the current user needs to be authenticated first. And during verification, jumping to a unified verification page for verification, verifying a short message check code, a common password, a CA (certificate Authority) and the like, and jumping to a service server which is operated by a user after verification is completed.

The service server judges whether the user has authority endowment by judging whether the authority endowment information is received or not, and if the authority endowment information is not received, the service server requests the authentication server to send the authority endowment information to the service server according to the authority of the user; and if the authorization information is received, the service server provides the function operation corresponding to the user authorization according to the authorization information.

After unified authentication, the user enters the service server, and the inside of the service server can distribute internal authority according to the role of personnel, so that the user is limited from performing which operations. The authentication server is connected with a plurality of service servers, but each service server has respective authority design, so that unified authority management of the service servers with different authority is very complicated, and the related range is very wide. The authentication method provided by the embodiment of the disclosure solves the problem by setting the authentication server, so as to reduce the modification amount of the service server and make the service server hardly modified. The core idea of the authentication server is that: the authentication server manages only the entitlement information, instead of directly managing any actual entitlement. The service server obtains the real operation authority through identifying the empowerment information, so that the unified authority authentication is realized, and the method is simple, low in cost and wide in application range.

The embodiment of the disclosure further provides an authentication system, which includes an authentication server, at least one service server, and at least one terminal device.

And the terminal equipment is used for sending login information to the service server, wherein the login information comprises a target account and a login password.

And the service server is used for forwarding the login information to the authentication server.

And the authentication server is used for verifying the login information and sending the authorization information to the service server, wherein the authorization information is used for indicating the service server to provide corresponding functional operation.

That is, a plurality of service servers are collectively managed by the authentication server.

In some embodiments, the authentication server is specifically configured to: judging whether the target account logs in the authentication server or not; and if the target account is not logged in the authentication server, the authentication server verifies the login information.

In some embodiments, the service server is further configured to apply for joining in management of the authentication server; the authentication server is further configured to generate a server identifier, where the server identifier corresponds to the IP of the service server.

In some embodiments, the service server is further configured to send a permission identifier to the authentication server, where the permission identifier is used to indicate at least one of a functional permission and a digital permission of the service server.

In some embodiments, the entitlement information includes the server identifier, and the service server is further configured to verify the received entitlement information with an IP of the service server.

Based on the authentication method described in the embodiment corresponding to fig. 2 and fig. 3, an embodiment of the present disclosure further provides a computer-readable storage medium, for example, the non-transitory computer-readable storage medium may be a Read Only Memory (ROM), a Random Access Memory (RAM), a CD-ROM, a magnetic tape, a floppy disk, an optical data storage device, and the like. The storage medium stores computer instructions for executing the authentication method described in the embodiment corresponding to fig. 2 and fig. 3, which is not described herein again.

Other embodiments of the disclosure will be apparent to those skilled in the art from consideration of the specification and practice of the disclosure disclosed herein. This application is intended to cover any variations, uses, or adaptations of the disclosure following, in general, the principles of the disclosure and including such departures from the present disclosure as come within known or customary practice within the art to which the disclosure pertains. It is intended that the specification and examples be considered as exemplary only, with a true scope and spirit of the disclosure being indicated by the following claims.

It will be understood that the present disclosure is not limited to the precise arrangements described above and shown in the drawings and that various modifications and changes may be made without departing from the scope thereof. The scope of the present disclosure is limited only by the appended claims.

Claims

1. An authentication method, comprising:

the method comprises the steps that terminal equipment sends login information to a service server, wherein the login information comprises a target account and a login password;

the service server forwards the login information to an authentication server;

the authentication server verifies the login information;

and the authentication server sends authorization information to the service server, wherein the authorization information is used for indicating the service server to provide corresponding function operation.

2. The authentication method according to claim 1, wherein before the authentication server verifies the login information, the authentication method further comprises:

the authentication server judges whether the target account logs in the authentication server or not;

and if the target account is not logged in the authentication server, the authentication server verifies the login information.

3. The authentication method according to claim 1, further comprising:

the service server applies for joining the management of the authentication server;

and under the condition of agreeing to the application of the service server, the authentication server generates a server identifier, and the server identifier corresponds to the IP of the service server.

4. The authentication method according to claim 1, further comprising:

and the service server sends an authority identifier to the authentication server, wherein the authority identifier is used for indicating at least one of the function authority and the digital authority of the service server.

5. The authentication method according to claim 3, wherein the entitlement information includes the server identification, the authentication method further comprising:

and the service server verifies the received authorization information and the IP of the service server.

6. An authentication system, characterized in that the authentication system comprises: the system comprises an authentication server, at least one service server and at least one terminal device;

the terminal equipment is used for sending login information to the service server, wherein the login information comprises a target account and a login password;

the service server is used for forwarding the login information to an authentication server;

the authentication server is used for verifying the login information and sending the authorization information to the service server, wherein the authorization information is used for indicating the service server to provide corresponding function operation.

7. The authentication system of claim 6, wherein the authentication server is specifically configured to:

judging whether the target account logs in the authentication server or not; and if the target account is not logged in the authentication server, the authentication server verifies the login information.

8. The authentication system of claim 6, wherein the service server is further configured to apply for joining the management of the authentication server;

the authentication server is further configured to generate a server identifier, where the server identifier corresponds to the IP of the service server.

9. The authentication system of claim 6, wherein the service server is further configured to send a permission identifier to the authentication server, and the permission identifier is configured to indicate at least one of a functional permission and a digital permission of the service server.

10. The authentication system of claim 8, wherein the entitlement information comprises the server identifier, and wherein the service server is further configured to verify the received entitlement information with an IP of the service server.