Unified authentication and authorization scheme
Technical Field
The invention relates to a unified authentication and authorization scheme and belongs to the field of information technology.
Background
With the development of internet applications, more and more application systems are deployed on servers in different regions; the systems are geographically independent and are connected to one another over a network. As their number keeps growing, the burden on administrators grows with it.
In the common approach to logging in to and authenticating against an application system, each system has its own authentication module and its own authority data. When there are many systems, each one has to be logged in to separately through its own authentication, which leads to frequent login operations, an inconvenient user experience and low multi-system login efficiency. At the same time, because the data are heterogeneous, personnel information cannot be shared between systems, and any change to user information has to be maintained in several systems at once, which greatly increases maintenance cost.
Disclosure of Invention
To address the problems of the prior art, the invention provides a unified authentication and authorization scheme that achieves information interchange between systems, improves multi-system login efficiency and reduces production cost.
To that end, the invention adopts the following technical solution: a unified authentication and authorization scheme, characterized in that it comprises the following steps;
step one: the third-party system imports the authorization client SDK and the dependency configuration it requires, adds parameters such as the trusted client ID and key registered with the authorization server and the authorization server root address to its configuration file, and creates a security control class that enables Spring Security authority control and the OAuth 2.0 authorization flow;
step two: the authentication control core class is configured together with the authentication modes permitted for client authentication; the acquisition flows of the four OAuth 2.0 token types are supported, namely authorization code, implicit, resource owner password and client credentials; the authentication control class loads, through configuration, the cache class, password encryption class and JWT encryption class for the registered client, adds control over custom data transmission and the like, and configures URL access control, login and logout, and web security control parameters; the resource control class works with the security control class to control which server-side interfaces are exposed;
step three: the web browser accesses a client interface; the client system, through the security control core class of the integrated client SDK, detects that the user holds no authorization information and redirects the browser to the authorization server; the authorization server checks whether the client was registered in advance and, if the client information is correct, jumps to the authorization server login page, otherwise it rejects the client's authentication request;
step four: the user fills in the authentication information correctly on the authorization server login page; after successful authentication the authorization server "user authentication class" retains the login information, and the client system initiates the OAuth 2.0 token acquisition flow over an HTTPS secure communication channel; the authorization server obtains the account login information, generates a temporary authorization code and delivers it through the callback URL registered by the client, confirming that the client is not forged; the client then presents the authorization code in a request for the electronic token, and the JWT token implementation class of the authorization server encrypts the account information and generates an electronic token conforming to the JWT specification, which is issued to the client;
step five: the web browser obtains and stores the electronic token; when the user needs to leave the system, the user logs out of the current system and the local token in the client browser is cleared; when the user then accesses another system, it cannot be entered directly and the user is redirected to the authentication login page of the authorization server to authenticate again;
Further, the client system inherits the client SDK security control class and interacts with the authorization server through that "security control class".
Further, the authorization server "authentication control class" of step two adopts the Adapter pattern.
Further, the encrypted token storage of the authorization server "JWT token implementation class" of step four adopts the Template pattern to encrypt and store the token.
The beneficial effects of the invention are as follows. The method replaces the old per-system login and authority control model: it implements the secure verification and authorization process according to the OAuth 2.0 open standard, solves cross-domain identity verification with JWT, and transmits over the encrypted HTTPS protocol, thereby protecting information and reducing the probability of theft. A controlled system integrates the client SDK and connects to the unified authentication and authorization center, which then takes over login and authority control for that system, achieving company-level high security, high availability and high generality. The barrier between the Java-based systems of an enterprise is removed, basic information such as user authority is managed and controlled centrally, and the enterprise's operation and management cost is reduced. Access by each subsystem and by external systems can be controlled in detail through the unified authentication and authorization center, which ensures the trustworthiness of the accessing system. At the same time, a consistent source of basic information such as user rights allows all systems in the enterprise to interoperate, and reports useful for decision-making can be obtained by extracting and aggregating the data. Enterprise staff log in through the unified authentication and authorization center without having to remember an account for every system, which reduces their usage cost.
Drawings
FIG. 1 is a diagram of unified authentication login according to the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, the present invention is further described in detail below with reference to the accompanying drawings and examples. It should be understood, however, that the description herein of specific embodiments is only intended to illustrate the invention and not to limit the scope of the invention.
Unless defined otherwise, all technical and scientific terms used herein have the same meaning as commonly understood by one of ordinary skill in the art to which this invention belongs, and the terms used herein in the specification of the present invention are for the purpose of describing particular embodiments only and are not intended to limit the present invention.
As shown in FIG. 1, the unified authentication and authorization scheme includes the following steps;
step one: the third-party system imports the authorization client SDK and the dependency configuration it requires, adds parameters such as the trusted client ID and key registered with the authorization server and the authorization server root address to its configuration file, and creates a security control class that enables Spring Security authority control and the OAuth 2.0 authorization flow;
step two: the authentication control core class is configured together with the authentication modes permitted for client authentication; the four OAuth 2.0 token acquisition flows are supported, namely authorization code (authorization_code), implicit (implicit), resource owner password (password) and client credentials (client_credentials); the authentication control class loads, through configuration, the cache class, password encryption class and JWT encryption class for the registered client and adds control over custom data transmission and the like, and the security control class configures URL access control, login and logout, and web security control parameters. The resource control class works with the security control class to control which server-side interfaces are exposed;
step three: the web browser accesses a client interface; the client system, through the security control core class of the integrated client SDK, detects that the user holds no authorization information and redirects the browser to the authorization server; the authorization server checks whether the client was registered in advance and, if the client information is correct, jumps to the authorization server login page, otherwise it rejects the client's authentication request;
step four: the user fills in the authentication information correctly on the authorization server login page; after successful authentication the authorization server "user authentication class" retains the login information, and the client system initiates the OAuth 2.0 token acquisition flow over an HTTPS secure communication channel; the authorization server obtains the account login information, generates a temporary authorization code and delivers it through the callback URL registered by the client, confirming that the client is not forged; the client then presents the authorization code in a request for the electronic token, and the JWT token implementation class of the authorization server encrypts the account information and generates an electronic token conforming to the JWT specification, which is issued to the client;
step five: the web browser obtains and stores the electronic token; when the user needs to leave the system, the user logs out of the current system and the local token in the client browser is cleared; when the user then accesses another system, it cannot be entered directly and the user is redirected to the authentication login page of the authorization server to authenticate again; in this way the user obtains "unified login, unified authentication and unified logout";
The client system inherits the client SDK security control class and interacts with the authorization server through that "security control class".
The authentication control of the authorization server in step two adopts the Adapter pattern.
The encrypted token storage of the authorization server "JWT token implementation class" of step four adopts the Template pattern to encrypt and store the token.
The scheme discloses a solution for unified authentication and authorization based on the Java language and the Spring Security framework. It implements the secure verification and authorization process according to the OAuth 2.0 open standard, solves cross-domain identity verification with JWT, and transmits over the encrypted HTTPS protocol, thereby protecting information and reducing the probability of theft. The scheme mainly comprises an authorization module, a resource module and a client SDK. The authorization module is responsible for client verification and user identity authentication and issues a JWT token after successful authentication; the resource module manages the resources that the service end exposes externally; the client SDK cooperates with the server-side authorization module to complete the authentication and authorization process, obtains the JWT token issued by the server, obtains the user information, and can access the resources the server has designated and exposed by presenting the JWT token.
When a user accesses a third-party application system, the client SDK integrated in that system checks whether a token is held. If not, the authorization server first verifies the validity of the third-party application system; once that check passes, the user is directed to the login page of the authorization server for identity authentication. After identity authentication passes, the authorization server issues a temporary token to the third-party application system through the registered callback URL, the third-party website exchanges the temporary token for an access token at the authorization server, and the resources exposed by the authorization server are accessed with that token. If the user needs to log out, the user logs out of the current system and the local token in the client browser is cleared; when the user accesses the third-party system again, it cannot be entered directly and the user is redirected to the authentication login page of the authorization server to authenticate again. In this way the user obtains "unified login, unified authentication and unified logout".
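The flow of steps one to five, as summarized above, is shown below as an added worked example; it is not code from the patent and the patent's implementation (Java, Spring Security) is not reproduced. The model is written in Python with only the standard library so that both sides of the exchange run offline: the authorization server holds the client registry of step one, rejects unregistered clients or a non-matching callback (step three), authenticates the user and mints a short-lived, single-use authorization code bound to the client and its registered callback (step four), exchanges that code for an HS256-signed JWT, and verifies the JWT as the resource module would; the client SDK holds the token, redirects when it has none, and clears it on logout (step five). The client names, URLs, secrets and user account are constructed, the `state` parameter and the exact-match redirect URI check are this example's concrete reading of "confirming that the client is not forged", and the HS256 signing stands in for the patent's "JWT encryption class", none of which the patent specifies.

```python
# Added, constructed model of the flow of steps one to five; not the page's Java / Spring Security code.
# Names, URLs, secrets and users are made up; the HS256 JWT signing is an assumption, not the page's class.
import base64, hashlib, hmac, json, secrets, time
from urllib.parse import parse_qs, urlparse

ISSUER = "https://auth.example.test"   # assumed authorization server root address

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()
def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))
def _pw_hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class AuthorizationServer:
    """Authentication control: registered clients, user login, authorization codes, JWT issue/verify."""
    def __init__(self, signing_key: bytes, clients: dict):
        self.key = signing_key
        self.clients = clients   # client_id -> {"secret", "redirect_uri"}, registered in step one
        self.users = {}          # username -> (salt, pbkdf2 hash)
        self.codes = {}          # code -> {client_id, redirect_uri, state, sub, exp}
    def register_user(self, username, password):
        salt = secrets.token_bytes(16)
        self.users[username] = (salt, _pw_hash(password, salt))
    def authorize(self, client_id, redirect_uri, state):   # step three: is this a registered client?
        client = self.clients.get(client_id)
        if client is None or client["redirect_uri"] != redirect_uri:   # exact match, never a prefix
            return {"error": "invalid_client"}
        return {"client_id": client_id, "redirect_uri": redirect_uri, "state": state}   # show login page
    def login(self, pending, username, password):   # step four: password check, then a one-time code
        rec = self.users.get(username)
        if rec is None or not hmac.compare_digest(_pw_hash(password, rec[0]), rec[1]):
            return None
        code = secrets.token_urlsafe(32)
        self.codes[code] = {**pending, "sub": username, "exp": time.time() + 60}   # bound to the client
        return f"{pending['redirect_uri']}?code={code}&state={pending['state']}"   # registered callback
    def token(self, client_id, client_secret, code, redirect_uri):   # step four: code -> JWT
        client = self.clients.get(client_id)
        if client is None or not hmac.compare_digest(client["secret"], client_secret):
            return {"error": "invalid_client"}
        grant = self.codes.pop(code, None)   # pop: a replayed code finds nothing
        if (grant is None or (grant["client_id"], grant["redirect_uri"]) != (client_id, redirect_uri)
                or grant["exp"] < time.time()):
            return {"error": "invalid_grant"}
        now = int(time.time())
        claims = {"iss": ISSUER, "sub": grant["sub"], "aud": client_id, "iat": now, "exp": now + 900}
        header, body = _b64url(b'{"alg":"HS256","typ":"JWT"}'), _b64url(json.dumps(claims).encode())
        sig = hmac.new(self.key, f"{header}.{body}".encode(), hashlib.sha256).digest()
        return {"access_token": f"{header}.{body}.{_b64url(sig)}", "token_type": "Bearer"}
    def verify(self, token, audience):   # resource control: alg, signature, iss, aud and exp all checked
        parts = token.split(".")
        if len(parts) != 3 or json.loads(_b64url_decode(parts[0])).get("alg") != "HS256":
            return None   # malformed, or not the pinned algorithm
        expected = hmac.new(self.key, f"{parts[0]}.{parts[1]}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(parts[2])):
            return None
        claims = json.loads(_b64url_decode(parts[1]))
        ok = claims.get("iss") == ISSUER and claims.get("aud") == audience and claims.get("exp", 0) > time.time()
        return claims if ok else None

class ClientSdk:
    """Client SDK security control class: holds the token and drives redirect, callback and logout."""
    def __init__(self, server, client_id, secret, redirect_uri):
        self.server, self.client_id, self.secret, self.redirect_uri = server, client_id, secret, redirect_uri
        self.token = self.pending_state = None
    def access(self):   # step three: no token -> redirect the browser to the authorization server
        if self.token is None:
            self.pending_state = secrets.token_urlsafe(16)   # state ties the callback to this request
            return "redirect", self.server.authorize(self.client_id, self.redirect_uri, self.pending_state)
        return "ok", self.token
    def callback(self, url):   # step four: check state, then exchange the code for the JWT
        q = parse_qs(urlparse(url).query)
        if q.get("state", [None])[0] != self.pending_state:
            raise ValueError("state mismatch: callback was not issued for this session")
        resp = self.server.token(self.client_id, self.secret, q["code"][0], self.redirect_uri)
        self.token = resp.get("access_token")
        return resp
    def logout(self):
        self.token = None   # step five: clear the local token; the next access is redirected to login

def run_flow():
    """Walk the five steps with constructed data and return what each check observed."""
    cb = "https://erp.example.test/callback"
    auth = AuthorizationServer(secrets.token_bytes(32), {"erp": {"secret": "erp-secret", "redirect_uri": cb}})
    auth.register_user("alice", "correct horse")
    client = ClientSdk(auth, "erp", "erp-secret", cb)
    r = {"forged_client": auth.authorize("evil", "https://evil.example.test/cb", "s"),
         "bad_redirect": auth.authorize("erp", cb + "/../evil", "s")}
    r["first_access"], pending = client.access()
    r["bad_password"] = auth.login(pending, "alice", "wrong")
    cb_url = auth.login(pending, "alice", "correct horse")
    tok = client.callback(cb_url)
    r["claims"] = auth.verify(tok["access_token"], audience="erp")
    r["replay"] = auth.token("erp", "erp-secret", parse_qs(urlparse(cb_url).query)["code"][0], cb)
    r["wrong_audience"] = auth.verify(tok["access_token"], audience="crm")
    client.logout()
    r["after_logout"] = client.access()[0]
    return r
```

Two points the model makes visible that the steps above do not state. First, step five's logout only clears the token held by the browser: a JWT that has already been issued stays valid at the resource side until its `exp` claim passes, so "unified logout" is only as short as the token lifetime unless the resource module also consults a revocation list or the token lifetime is kept short, as the 900-second lifetime here is. Second, of the four token acquisition modes listed in step two, the implicit and resource owner password grants are deprecated by the IETF's OAuth 2.0 Security Best Current Practice; a new deployment of this scheme should confine browser-facing clients to the authorization code grant shown here, preferably with PKCE, which the model omits for brevity.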
The above description is only for the purpose of illustrating the preferred embodiments of the present invention and is not to be construed as limiting the invention, and any modifications, equivalents or improvements made within the spirit and principle of the present invention should be included in the scope of the present invention.