
CN115442136A - Application system access method and device - Google Patents


Info

Publication number: CN115442136A
Application number: CN202211070849.7A
Authority: CN (China)
Prior art keywords: client, application system, accessed, access, ticket
Legal status: Pending (as listed by Google Patents; the status is an assumption, not a legal conclusion)
Other languages: Chinese (zh)
Inventor: 李鹏飞
Current assignee: Bank of China Ltd (as listed by Google Patents; may be inaccurate)
Original assignee: Bank of China Ltd
Application filed by Bank of China Ltd
Priority to CN202211070849.7A
Publication of CN115442136A

Classifications

    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/08 Network security: authentication of entities
    • H04L 63/04 Network security: confidential data exchange among entities communicating through data packet networks; H04L 63/0428 wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L 63/10 Network security: controlling access to devices or network resources

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Storage Device Security (AREA)

Abstract

The invention discloses an application system access method and device in the field of network security. The method comprises: receiving an authorization request sent by a client, the request containing the client identity information, the client IP address and the identifier of the application system to be accessed; authenticating the client identity information in the request against a plurality of pre-stored client identity records; after authentication succeeds, generating a first ticket for accessing the target application system from the client identity information, the client IP address and the target application system identifier; encrypting the first ticket to obtain an authorization code uniquely corresponding to it; and sending the authorization code to the client so that the client can access the target application system with it. The invention improves the efficiency of identity authentication and authorization when accessing an application system.

Description

Application system access method and device

Technical field

The invention relates to the field of network security, and in particular to an application system access method and device.

Background

This section is intended to provide background or context for the embodiments of the invention recited in the claims. Nothing described here is admitted to be prior art merely by its inclusion in this section.

At present, when a customer needs to access an application system, the customer must first be authenticated by an identity authentication system and then be authorized by that application system before access is granted. For example, a mobile banking app authenticates with a username and password at the identity authentication system, and only after that authentication succeeds does it obtain authorization from the file upload/download module before it can upload or download files. The authentication and authorization efficiency of this access pattern is low: when the application system faces a large volume of access requests it cannot respond to customers promptly, which leads to a poor customer experience.

Summary of the invention

An embodiment of the invention provides an application system access method intended to improve the efficiency of identity authentication and authorization when accessing an application system and to improve the customer experience. The method comprises:

receiving an authorization request sent by a client, the authorization request containing client identity information, the client IP address and the identifier of the application system to be accessed;

authenticating the client identity information in the authorization request against a plurality of pre-stored client identity records;

after authentication succeeds, generating a first ticket for accessing the target application system from the client identity information, the client IP address and the target application system identifier in the authorization request;

encrypting the first ticket to obtain an authorization code uniquely corresponding to the first ticket;

sending the authorization code to the client, so that the client accesses the target application system using the authorization code.

An embodiment of the invention also provides an application system access device intended to improve the efficiency of identity authentication and authorization when accessing an application system and to improve the customer experience. The device comprises:

a receiving module for receiving an authorization request sent by a client, the authorization request containing client identity information, the client IP address and the identifier of the application system to be accessed;

an identity authentication module for authenticating the client identity information in the authorization request against a plurality of pre-stored client identity records;

a ticket generation module for generating, after authentication succeeds, a first ticket for accessing the target application system from the client identity information, the client IP address and the target application system identifier in the authorization request;

an authorization code generation module for encrypting the first ticket to obtain an authorization code uniquely corresponding to the first ticket;

a sending module for sending the authorization code to the client, so that the client accesses the target application system using the authorization code.

An embodiment of the invention also provides a computer device comprising a memory, a processor and a computer program stored in the memory and executable on the processor; when the processor executes the program, the application system access method above is implemented.

An embodiment of the invention also provides a computer-readable storage medium storing a computer program which, when executed by a processor, implements the application system access method above.

An embodiment of the invention also provides a computer program product comprising a computer program which, when executed by a processor, implements the application system access method above.

In the embodiment of the invention, an authorization request sent by a client is received, containing the client identity information, the client IP address and the identifier of the application system to be accessed; the client identity information in the request is authenticated against a plurality of pre-stored client identity records; after authentication succeeds, a first ticket for accessing the target application system is generated from the client identity information, the client IP address and the target application system identifier; the first ticket is encrypted to obtain an authorization code uniquely corresponding to it; and the authorization code is sent to the client so that the client can access the target application system with it. Compared with existing schemes in which identity authentication and authorization are performed by different systems, here a single system authenticates the client, generates after successful authentication a ticket that is usable only for accessing the target application system, converts that ticket into an authorization code and sends it to the client, which then accesses the target application system with the authorization code. This improves the efficiency of authentication and authorization for the application system and improves the customer experience.

Brief description of the drawings

To explain the technical solutions of the embodiments of the invention or of the prior art more clearly, the drawings needed for their description are briefly introduced below. The drawings described below show only some embodiments of the invention; a person of ordinary skill in the art can derive other drawings from them without inventive effort. In the drawings:

FIG. 1 is a flowchart of an application system access method provided in an embodiment of the invention;

FIG. 2 is a flowchart of the access verification method used when an application system is accessed with an authorization code, provided in an embodiment of the invention;

FIG. 3 is a flowchart of an access performed using the application system access method, provided in an embodiment of the invention;

FIG. 4 is a schematic diagram of an application system access device provided in an embodiment of the invention;

FIG. 5 is a schematic diagram of a computer device provided in an embodiment of the invention.

Detailed description

To make the purpose, technical solutions and advantages of the embodiments of the invention clearer, the embodiments are described in further detail below with reference to the drawings. The exemplary embodiments and their description serve to explain the invention and do not limit it.

In this specification the words "comprise", "include", "have", "contain" and the like are open-ended, meaning "including but not limited to". A reference to "one embodiment", "a specific embodiment", "some embodiments", "for example" and the like means that a particular feature, structure or characteristic described in connection with that embodiment or example is included in at least one embodiment or example of this application. Such references do not necessarily refer to the same embodiment or example, and the features, structures or characteristics described may be combined in any suitable manner in one or more embodiments or examples. The order of steps in each embodiment illustrates the implementation of this application; it is not limiting and may be adjusted as needed.

Research shows that when a customer needs to access an application system, the customer must first be authenticated by an identity authentication system and then authorized by that application system before access is granted. Specifically, a front-end system A can normally access the services of application system C only after it has been successfully authenticated by identity authentication system B and has obtained authorization from application system C. Because authentication and authorization are performed by different systems, this access pattern is inefficient: when the application system faces a large volume of access requests it cannot respond to customers promptly, which leads to a poor customer experience.

In view of this, the embodiments of the invention provide a solution that integrates identity authentication and access authorization in one system.

FIG. 1 is a flowchart of an application system access method provided in an embodiment of the invention. The method may comprise the following steps:

Step 101: receive an authorization request sent by a client, containing client identity information, the client IP address and the identifier of the application system to be accessed;

Step 102: authenticate the client identity information in the authorization request against a plurality of pre-stored client identity records;

Step 103: after authentication succeeds, generate a first ticket for accessing the target application system from the client identity information, client IP address and target application system identifier in the authorization request;

Step 104: encrypt the first ticket to obtain an authorization code uniquely corresponding to the first ticket;

Step 105: send the authorization code to the client, so that the client accesses the target application system using the authorization code.

Compared with existing schemes in which identity authentication and authorization are performed by different systems, steps 101 to 105 authenticate the client in a single system, generate after successful authentication a ticket usable only for accessing the target application system, convert that ticket into an authorization code and send it to the client, which then accesses the target application system with the authorization code. This improves the efficiency of authentication and authorization and the customer experience.

The application system access method above may be implemented in an application system T that provides both identity authentication and access authorization; application system T manages all client identity information.

Regarding step 101: the client is the client corresponding to a service consumer, and the service consumer may be a user, a process, or an application system requesting access. Accordingly, the client identity information consists of the elements supplied by the service consumer to represent its identity, for example a username (or, for a process or a requesting application system, its identifier) together with a password, a user fingerprint, a user iris scan, and so on.

Regarding step 102: application system T retrieves, from the plurality of pre-stored client identity records, the record corresponding to the client identity information in the authorization request and compares the two; if they match, authentication succeeds.

Regarding step 103: after authentication succeeds, a pre-set ticket generation algorithm generates, from the client identity information, client IP address and target application system identifier in the authorization request, a first ticket that can only be used to access the target application system.

In a specific implementation the ticket generation algorithm may use cryptographic algorithms such as HMAC or AES.

To further improve security during access, an embodiment of the invention may additionally include, after generating the first ticket for accessing the target application system:

setting validity information for the first ticket.

In a specific implementation the validity information of the first ticket may include the time window in which the first ticket can be used, the number of times it can be used, and so on. For example, the first ticket may be valid long-term or valid for a single use.

Regarding step 104: to protect the ticket, the first ticket is substituted by a corresponding authorization code. Specifically, an encryption key is generated, the first ticket is encrypted with that key, and the result is the authorization code uniquely corresponding to the first ticket. Application system T stores the association between the encryption key and the authorization code. Different first tickets use different encryption keys.

Once the authorization code has been generated, the client and the target application system form a mutually trusting pair, and application system T may also store the mutual trust relationship between the client and the target application system.

Regarding step 105: the authorization code is sent to the client so that the client accesses the target application system using it.

In summary, application system T performs both the identity authentication function and the function of authorizing access to the target application system.

FIG. 2 is a flowchart of the access verification method used when the target application system is accessed with an authorization code, provided in an embodiment of the invention. The method may comprise the following steps:

Step 201: after the client has sent an access request to the target application system, receive an access verification request sent by the target application system; the access verification request contains the identifier of the target application system together with the authorization code, client identity information and client IP address carried in the access request;

Step 202: generate a second ticket from the target application system identifier and the client identity information and client IP address carried in the access request;

Step 203: compare the second ticket with the first ticket corresponding to the authorization code;

Step 204: if the second ticket matches the first ticket corresponding to the authorization code and the validity information of the first ticket has not expired, send an indication permitting access to the target application system.

Regarding step 201: the service consumer initiates an access request to the target application system through its client. The access request may carry the authorization code, the client identity information and the client IP address.

After receiving the access request, the target application system must send its own identifier together with the authorization code, client identity information and client IP address from the client's access request to application system T for access verification; that is, application system T receives the access verification request sent by the target application system.

Regarding step 202: application system T first generates a second ticket, using the pre-set ticket generation algorithm (the same algorithm used to generate the first ticket), from the target application system identifier sent by the target application system and the client identity information and client IP address carried in the access request.

Regarding step 203: the second ticket is compared with the first ticket corresponding to the authorization code to verify that the tickets are consistent.

Since the authorization code was obtained by encrypting the first ticket, an embodiment of the invention may include, before step 203:

decrypting the authorization code to obtain the first ticket corresponding to it.

In a specific implementation, application system T looks up the encryption key associated with the authorization code in the stored key-to-authorization-code association and decrypts the authorization code with that key, obtaining the first ticket corresponding to the authorization code.

Regarding step 204: if the second ticket matches the first ticket corresponding to the authorization code and the validity information of the first ticket has not expired, the authorization code has been verified, and application system T may send an indication permitting access to the target application system.

To further protect the resources of the target application system, in an embodiment of the invention the indication may include access control information, which may comprise the resources that may be accessed in the target application system and the validity period for accessing those resources;

and application system T sending the indication permitting access to the target application system may comprise:

sending the access control information to the target application system in the form of session control information, so that the target application system verifies, according to the session control information, the client's permission to access its resources.

In a specific implementation, after obtaining the authorization code uniquely corresponding to the first ticket, application system T may also establish a mapping from the authorization code to the application system access control information and store it in an application system access control table, so that the resources permitted when accessing the target application system and the validity period of that access are controlled securely.

The resource information may include services, interfaces and the like in the target application system.

In a specific implementation, application system T may send the indication containing the access control information to the target application system in the form of session control information.

Session control information here means a session.

A session is a server-side conversation mechanism: it is established when the client first sends a request to a server resource and lasts until one side disconnects. The session is held on the server; when the client accesses the server, the server records the client's information on the server in some form, and on subsequent accesses it only needs to look up the client's state in that session.

In the embodiment of the invention the session is used for accessing protected resources (that is, the resources permitted when accessing the target application system and the validity period for accessing them). The session control information carries a session ID, which the target application system sends to the client. When the client accesses the target application system a second time it can present the session ID, and application system T then only needs to check the validity of the session corresponding to that session ID, without repeating the full authentication and authorization flow described above.
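The full exchange described in steps 101 to 105 and 201 to 204 above, together with the session used on repeat visits, as an added example that is not part of the patent and not Bank of China's implementation. It assumes HMAC-SHA256 as the ticket generation algorithm, PBKDF2 for the pre-stored client identity records, and in-memory dictionaries for the stores application system T keeps; the client record, IP addresses, application identifier and resource list are constructed sample data. The Python standard library has no AES, so the encryption of the first ticket into the authorization code is replaced by a one-time pad derived from the fresh per-ticket key with HMAC; any authenticated cipher keyed with a fresh per-ticket key plays the same role.

```python
import hashlib
import hmac
import os
import secrets
import time

# Added example: an in-memory stand-in for "application system T" (the identity
# authentication / authorization mutual-trust system of the patent). Illustrative
# code, not the applicant's implementation. Assumed choices: HMAC-SHA256 as the
# ticket generation algorithm, PBKDF2 for the pre-stored client identity records,
# and dictionaries for the association tables T keeps.

TICKET_KEY = os.urandom(32)   # assumed: T's long-term key for the ticket HMAC
PBKDF2_ROUNDS = 50_000


def _pw_hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


# Pre-stored client identity information (step 102). Constructed sample record:
# one client "mobile-bank-app" whose password is "s3cret".
_SALT = os.urandom(16)
CLIENT_DB = {"mobile-bank-app": (_SALT, _pw_hash("s3cret", _SALT))}

CODES = {}     # authorization code -> {key, expires, uses, acl}
SESSIONS = {}  # session ID -> {ip, app_id, resources, expires}


def make_ticket(username, client_ip, app_id):
    """Steps 103 and 202: ticket = HMAC(TICKET_KEY, identity | IP | app id).
    Fields are length-prefixed so that ("ab", "c") and ("a", "bc") differ."""
    msg = b"".join(len(f).to_bytes(2, "big") + f
                   for f in (username.encode(), client_ip.encode(), app_id.encode()))
    return hmac.new(TICKET_KEY, msg, hashlib.sha256).digest()


def _mask(key, ticket):
    """Step 104 stand-in for the AES encryption of the 32-byte ticket: XOR with a
    32-byte pad derived from a fresh per-ticket key. Each key is used exactly once,
    so this is a PRF-based one-time pad; the same call decrypts."""
    pad = hmac.new(key, b"ticket-mask", hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(ticket, pad))


def issue_authorization_code(username, password, client_ip, app_id,
                             ttl=300, uses=1, now=None):
    """Steps 101-105. Returns the authorization code, or None if authentication fails."""
    now = time.time() if now is None else now
    salt, stored = CLIENT_DB.get(username, (b"\x00" * 16, b"\x00" * 32))
    candidate = _pw_hash(password, salt)        # hash even for unknown users: no timing oracle
    if username not in CLIENT_DB or not hmac.compare_digest(stored, candidate):
        return None
    ticket = make_ticket(username, client_ip, app_id)   # step 103
    key = os.urandom(32)                                # fresh key per ticket
    code = _mask(key, ticket).hex()                     # step 104
    CODES[code] = {                                     # key <-> code association plus validity
        "key": key, "expires": now + ttl, "uses": uses,
        "acl": {"resources": ["/files/upload", "/files/download"], "valid_for": ttl},
    }
    return code                                         # step 105


def verify_access(code, username, client_ip, app_id, now=None):
    """Steps 201-204, run by T when the target application forwards an access request.
    Returns a session ID carrying the access control information, or None."""
    now = time.time() if now is None else now
    entry = CODES.get(code)
    if entry is None or now > entry["expires"] or entry["uses"] <= 0:
        return None
    first_ticket = _mask(entry["key"], bytes.fromhex(code))   # decrypt the authorization code
    second_ticket = make_ticket(username, client_ip, app_id)  # step 202
    if not hmac.compare_digest(first_ticket, second_ticket):  # step 203: wrong IP or app fails here
        return None
    entry["uses"] -= 1                                         # single-use validity
    if entry["uses"] == 0:
        del CODES[code]
    sid = secrets.token_urlsafe(32)                            # step 204: access control as a session
    SESSIONS[sid] = {"ip": client_ip, "app_id": app_id,
                     "resources": list(entry["acl"]["resources"]),
                     "expires": now + entry["acl"]["valid_for"]}
    return sid


def check_session(sid, client_ip, app_id, resource, now=None):
    """Repeat access: only the session is validated, no re-authentication."""
    now = time.time() if now is None else now
    s = SESSIONS.get(sid)
    if s is None or now > s["expires"]:
        return False
    return s["ip"] == client_ip and s["app_id"] == app_id and resource in s["resources"]
```

Two points the patent text leaves implicit. The first ticket is a deterministic function of identity, IP and target system, so two requests from the same client for the same system produce the same ticket; what makes each authorization code distinct and single-use is the fresh per-ticket key and the server-side association table, which is why the code is rejected once its use count is exhausted. Binding the ticket to the client IP also means that a client whose source address changes (NAT, proxy, mobile network hand-over) fails step 203 and has to request a new authorization code.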

为了能更清楚地理解上述应用系统访问方法,下面以一个具体的示例进行说明。In order to understand the above-mentioned method for accessing the application system more clearly, a specific example is used below to illustrate.

图3为利用上述应用系统访问方法进行访问的流程图。如图3所示,可以包括以下步骤:FIG. 3 is a flow chart of accessing using the above-mentioned application system accessing method. As shown in Figure 3, the following steps may be included:

1. The service consumer (that is, the client corresponding to the service consumer) requests identity authentication/authorization from the identity authentication and authorization mutual trust system (that is, application system T above) and applies for an authorization code.

In this step, the service consumer sends the client identity information, the client IP address and the identifier of the service providing system (that is, the application system to be accessed) to the identity authentication and authorization mutual trust system.

2. The identity authentication and authorization mutual trust system allows the request and returns an authorization code.

In this step, the identity authentication and authorization mutual trust system authenticates the client identity information sent by the service consumer against the plurality of pre-stored pieces of client identity information; after authentication passes, it generates, from the client identity information, client IP address and service providing system identifier sent by the service consumer, a ticket that can only be used to access that service providing system (that is, the first ticket); to protect the ticket, it encrypts the ticket and replaces it with a corresponding authorization code; and it returns the authorization code to the service consumer.

3. The service consumer provides the authorization code and requests the service from the service providing system.

In this step, when accessing the service of the service providing system, the service consumer sends the authorization code, together with the client identity information and the client IP address, to the service providing system.

4. The service providing system calls the identity authentication and authorization mutual trust system to verify the authorization code.

In this step, the service providing system sends its own identifier, together with the authorization code, client identity information and client IP address sent by the service consumer, to the identity authentication and authorization mutual trust system for verification.

The identity authentication and authorization mutual trust system first generates a ticket to be verified (that is, the second ticket) from the identifier of the service providing system, the client identity information and the client IP address; it then compares the ticket to be verified with the ticket obtained by decrypting the authorization code. If the two match and the ticket is within its validity period, verification is considered passed, and a dedicated session is issued to the service providing system for accessing the protected resources (the session includes validity period control). On its next access the service consumer provides the session ID (skipping the complex process above), and the identity authentication and authorization mutual trust system checks the validity of the session to decide whether the corresponding service may be provided to the service consumer.

5. The identity authentication and authorization mutual trust system returns the verification result.

6. The service providing system provides the service according to the verification result returned by the identity authentication and authorization mutual trust system.
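The six-step flow above, together with the session check described earlier (the second visit carrying only a session ID), as an added example that is not the patent's or the applicant's own code. It models the three parties in one process. Everything not stated in the patent is an assumption: a master key held only by T, a constructed client registry standing in for the pre-stored identity information, HMAC-SHA256 as the ticket derivation, a constructed resource list, and an encrypt-then-MAC construction built from HMAC-SHA256 as a stand-in for the unspecified ticket encryption (a production system would use a standard AEAD such as AES-GCM).

```python
"""Added example (not the patent's own code): a one-process model of the
authorization-code flow in CN115442136A. Key, client registry and resource
list are constructed for illustration."""
import hashlib
import hmac
import json
import os
import secrets
import time

# Constructed registry standing in for the "pre-stored client identity information".
KNOWN_CLIENTS = {"svc-consumer-01": "consumer-secret-placeholder"}


class TrustSystem:
    """Application system T: authenticates clients, issues/verifies tickets, issues sessions."""

    def __init__(self, master_key: bytes, ticket_ttl: int = 300, now=time.time):
        # Assumed design: separate sub-keys for ticket derivation, encryption and integrity.
        self.tkt_key = hashlib.sha256(master_key + b"ticket").digest()
        self.enc_key = hashlib.sha256(master_key + b"encrypt").digest()
        self.mac_key = hashlib.sha256(master_key + b"mac").digest()
        self.ttl, self.now = ticket_ttl, now
        self.sessions = {}  # session_id -> access control info (resources + validity)

    # Ticket = keyed digest over (client identity, client IP, target system id).
    # Deterministic, so T can regenerate the "second ticket" at verification time.
    def _ticket(self, client_id, client_ip, app_id):
        msg = json.dumps([client_id, client_ip, app_id]).encode()
        return hmac.new(self.tkt_key, msg, hashlib.sha256).hexdigest()

    # Authorization code = encrypt-then-MAC of the first ticket (stand-in for an AEAD).
    def _keystream(self, nonce, n):
        out, ctr = b"", 0
        while len(out) < n:
            out += hmac.new(self.enc_key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
            ctr += 1
        return out[:n]

    def _seal(self, data: bytes) -> str:
        nonce = os.urandom(16)
        ct = bytes(a ^ b for a, b in zip(data, self._keystream(nonce, len(data))))
        tag = hmac.new(self.mac_key, nonce + ct, hashlib.sha256).digest()
        return (nonce + ct + tag).hex()

    def _open(self, code: str):
        raw = bytes.fromhex(code)
        nonce, ct, tag = raw[:16], raw[16:-32], raw[-32:]
        if not hmac.compare_digest(tag, hmac.new(self.mac_key, nonce + ct, hashlib.sha256).digest()):
            return None  # tampered or forged authorization code
        return bytes(a ^ b for a, b in zip(ct, self._keystream(nonce, len(ct))))

    # Steps 1-2: authenticate, derive the first ticket, set its validity, return the code.
    def request_authorization(self, client_id, client_secret, client_ip, app_id):
        expected = KNOWN_CLIENTS.get(client_id)
        if expected is None or not hmac.compare_digest(expected, client_secret):
            return None
        first = {"ticket": self._ticket(client_id, client_ip, app_id), "exp": self.now() + self.ttl}
        return self._seal(json.dumps(first).encode())

    # Step 4: decrypt the code, regenerate the second ticket, compare, check validity, issue session.
    def verify(self, app_id, code, client_id, client_ip):
        plain = self._open(code)
        if plain is None:
            return {"ok": False, "reason": "bad-code"}
        first = json.loads(plain)
        second = self._ticket(client_id, client_ip, app_id)
        if not hmac.compare_digest(first["ticket"], second):
            return {"ok": False, "reason": "ticket-mismatch"}  # wrong IP, client or target
        if self.now() > first["exp"]:
            return {"ok": False, "reason": "expired"}
        sid = secrets.token_urlsafe(24)
        self.sessions[sid] = {"client": client_id, "app": app_id,
                              "resources": ["/accounts/balance"],  # constructed
                              "exp": self.now() + self.ttl}
        return {"ok": True, "session_id": sid, **self.sessions[sid]}

    # Later visits: only the session's validity is checked, not the whole flow.
    def check_session(self, sid):
        s = self.sessions.get(sid)
        return s is not None and self.now() <= s["exp"]


class ServiceProvider:
    """The application system to be accessed; relays verification to T (steps 3-6)."""

    def __init__(self, app_id, trust: TrustSystem):
        self.app_id, self.trust = app_id, trust

    def serve(self, code, client_id, client_ip):
        result = self.trust.verify(self.app_id, code, client_id, client_ip)
        return result if result["ok"] else None
```

Because the ticket is a keyed digest over identity, IP and target identifier, a code presented from a different IP or to a different system fails the comparison without T keeping any per-code state. One practitioner caveat: in the patent the client supplies its own IP address in the request, so the service provider should take the IP it forwards in step 4 from the transport connection rather than from the request body, otherwise the IP binding provides no assurance; likewise the session ID returned to the client is a bearer credential and should carry the same validity limit as the session itself.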

In summary, the embodiment of the present invention integrates identity authentication and access authorization into one application system, which performs identity authentication, ticket generation, authorized access, ticket verification and so on, thereby separating the responsibility for identity authentication and authorization from the responsibility for providing services; in combination with the authorization code and the ticket, the requesting system obtains issuance and verification of the authorization code, and access to the protected application system resources is controlled by issuing a dedicated session.

The acquisition, storage, use and processing of data in the technical solution of this application all comply with the relevant provisions of national laws and regulations.

An embodiment of the present invention also provides an application system access apparatus, as described in the following embodiments. Since the principle by which the apparatus solves the problem is similar to that of the application system access method, the implementation of the apparatus may refer to the implementation of the application system access method, and repeated content is not described again.

FIG. 4 is a schematic diagram of an application system access apparatus provided by an embodiment of the present invention. As shown in FIG. 4, the apparatus may include:

a receiving module 401, configured to receive an authorization request sent by a client, the authorization request including client identity information, a client IP address and an identifier of an application system to be accessed;

an identity authentication module 402, configured to authenticate the client identity information in the authorization request against a plurality of pre-stored pieces of client identity information;

a ticket generating module 403, configured to generate, after identity authentication passes, a first ticket for accessing the application system to be accessed according to the client identity information, the client IP address and the identifier of the application system to be accessed in the authorization request;

an authorization code generating module 404, configured to encrypt the first ticket to obtain an authorization code uniquely corresponding to the first ticket;

a sending module 405, configured to send the authorization code to the client, so that the client accesses the application system to be accessed by means of the authorization code.

In the embodiment of the present invention, a validity period setting module may further be included, configured to, after the ticket generating module generates the first ticket for accessing the application system to be accessed according to the client identity information, the client IP address and the identifier of the application system to be accessed in the authorization request:

set validity period information of the first ticket.

In the embodiment of the present invention, an access verification module may further be included, configured to:

after the client sends an access request to the application system to be accessed, receive an access verification request sent by the application system to be accessed, the access verification request including the identifier of the application system to be accessed, and the authorization code, client identity information and client IP address carried in the access request;

generate a second ticket according to the identifier of the application system to be accessed, and the client identity information and client IP address carried in the access request;

compare the second ticket with the first ticket corresponding to the authorization code;

if the second ticket is consistent with the first ticket corresponding to the authorization code and the validity period information of the first ticket has not expired, send indication information allowing access to the application system to be accessed.

In the embodiment of the present invention, the access verification module may further be configured to, before comparing the second ticket with the first ticket corresponding to the authorization code:

decrypt the authorization code to obtain the first ticket corresponding to the authorization code.

In the embodiment of the present invention, the indication information may include access control information, and the access control information may include resource information that is allowed to be accessed when accessing the application system to be accessed, and validity period information for accessing the resource information;

the access verification module may further be configured to:

send the access control information to the application system to be accessed in the form of session control information, so that the application system to be accessed verifies, according to the session control information, the client's authority to access the resources of the application system to be accessed.

An embodiment of the present invention also provides a computer device. FIG. 5 is a schematic diagram of the computer device in the embodiment of the present invention. The computer device 500 includes a memory 510, a processor 520 and a computer program 530 stored in the memory 510 and executable on the processor 520; when the processor 520 executes the computer program 530, the above application system access method is implemented.

An embodiment of the present invention also provides a computer-readable storage medium, the computer-readable storage medium storing a computer program which, when executed by a processor, implements the above application system access method.

An embodiment of the present invention also provides a computer program product, the computer program product including a computer program which, when executed by a processor, implements the above application system access method.

In the embodiment of the present invention, an authorization request sent by a client is received, the authorization request including client identity information, a client IP address and an identifier of an application system to be accessed; the client identity information in the authorization request is authenticated against a plurality of pre-stored pieces of client identity information; after identity authentication passes, a first ticket for accessing the application system to be accessed is generated according to the client identity information, the client IP address and the identifier of the application system to be accessed in the authorization request; the first ticket is encrypted to obtain an authorization code uniquely corresponding to the first ticket; and the authorization code is sent to the client, so that the client accesses the application system to be accessed by means of the authorization code. Compared with existing technical solutions in which different systems separately perform identity authentication and authorization when an application system is accessed, the client's identity is authenticated by a single system, and after identity authentication passes, a ticket usable only for accessing the application system to be accessed is generated and converted into an authorization code that is sent to the client; the client can then access the application system to be accessed by means of the authorization code, which improves the efficiency of identity authentication and authorization for the application system and improves the customer experience.

Those skilled in the art should understand that the embodiments of the present invention may be provided as a method, a system, or a computer program product. Accordingly, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Furthermore, the present invention may take the form of a computer program product embodied on one or more computer-usable storage media (including but not limited to disk storage, CD-ROM, optical storage, etc.) having computer-usable program code embodied therein.

The present invention is described with reference to flowcharts and/or block diagrams of methods, apparatus (systems) and computer program products according to embodiments of the present invention. It should be understood that each flow and/or block in the flowcharts and/or block diagrams, and combinations of flows and/or blocks in the flowcharts and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general-purpose computer, a special-purpose computer, an embedded processor or other programmable data processing device to produce a machine, such that the instructions executed by the processor of the computer or other programmable data processing device produce an apparatus for implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.

These computer program instructions may also be stored in a computer-readable memory capable of directing a computer or other programmable data processing device to operate in a specific manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means, the instruction means implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.

These computer program instructions may also be loaded onto a computer or other programmable data processing device, such that a series of operational steps is performed on the computer or other programmable device to produce a computer-implemented process, whereby the instructions executed on the computer or other programmable device provide steps for implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.

The specific embodiments described above further explain the objectives, technical solutions and beneficial effects of the present invention in detail. It should be understood that the above are only specific embodiments of the present invention and are not intended to limit the protection scope of the present invention; any modification, equivalent replacement, improvement and the like made within the spirit and principles of the present invention shall be included in the protection scope of the present invention.

Claims (13)

1. An application system access method, comprising:
receiving an authorization request sent by a client, wherein the authorization request comprises client identity information, a client IP address and an identifier of an application system to be accessed;
performing identity authentication on the client identity information in the authorization request according to a plurality of pieces of client identity information stored in advance;
after the identity authentication is passed, generating a first ticket for accessing the application system to be accessed according to the client identity information, the client IP address and the identifier of the application system to be accessed in the authorization request;
encrypting the first ticket to obtain an authorization code uniquely corresponding to the first ticket;
and sending the authorization code to the client so that the client can access the application system to be accessed through the authorization code.
2. The method of claim 1, wherein after generating the first ticket for accessing the application system to be accessed according to the client identity information, the client IP address, and the identifier of the application system to be accessed in the authorization request, the method further comprises:
setting validity period information of the first ticket.
3. The method of claim 2, further comprising:
after the client sends an access request to the application system to be accessed, receiving an access verification request sent by the application system to be accessed; the access verification request comprises the identifier of the application system to be accessed, and an authorization code, client identity information and a client IP address carried in the access request;
generating a second ticket according to the identifier of the application system to be accessed, and the client identity information and the client IP address carried in the access request;
comparing the second ticket with the first ticket corresponding to the authorization code;
and if the second ticket is consistent with the first ticket corresponding to the authorization code and the validity period information of the first ticket has not expired, sending indication information allowing access to the application system to be accessed.
4. The method of claim 3, wherein prior to comparing the second ticket with the first ticket corresponding to the authorization code, the method further comprises:
decrypting the authorization code to obtain the first ticket corresponding to the authorization code.
5. The method according to claim 3, wherein the indication information includes access control information, the access control information including resource information that is allowed to be accessed when accessing the application system to be accessed, and validity period information for accessing the resource information;
sending the indication information allowing access to the application system to be accessed comprises:
sending the access control information to the application system to be accessed in the form of session control information, so that the application system to be accessed verifies the authority of the client to access the resources of the application system to be accessed according to the session control information.
6. An application system access apparatus, comprising:
a receiving module, configured to receive an authorization request sent by a client, wherein the authorization request comprises client identity information, a client IP address and an identifier of an application system to be accessed;
an identity authentication module, configured to perform identity authentication on the client identity information in the authorization request according to a plurality of pieces of pre-stored client identity information;
a ticket generating module, configured to generate a first ticket for accessing the application system to be accessed according to the client identity information, the client IP address and the identifier of the application system to be accessed in the authorization request after the identity authentication is passed;
an authorization code generating module, configured to encrypt the first ticket to obtain an authorization code uniquely corresponding to the first ticket;
and a sending module, configured to send the authorization code to the client so that the client can access the application system to be accessed through the authorization code.
7. The apparatus of claim 6, further comprising a validity period setting module, configured to, after the ticket generating module generates the first ticket for accessing the application system to be accessed according to the client identity information, the client IP address, and the identifier of the application system to be accessed in the authorization request:
set validity period information of the first ticket.
8. The apparatus of claim 7, further comprising an access verification module, configured to:
after the client sends an access request to the application system to be accessed, receive an access verification request sent by the application system to be accessed; the access verification request comprises the identifier of the application system to be accessed, and an authorization code, client identity information and a client IP address carried in the access request;
generate a second ticket according to the identifier of the application system to be accessed, and the client identity information and the client IP address carried in the access request;
compare the second ticket with the first ticket corresponding to the authorization code;
and if the second ticket is consistent with the first ticket corresponding to the authorization code and the validity period information of the first ticket has not expired, send indication information allowing access to the application system to be accessed.
9. The apparatus of claim 8, wherein the access verification module is further configured to, prior to comparing the second ticket with the first ticket corresponding to the authorization code:
decrypt the authorization code to obtain the first ticket corresponding to the authorization code.
10. The apparatus of claim 8, wherein the indication information includes access control information, the access control information including resource information that is allowed to be accessed when accessing the application system to be accessed, and validity period information for accessing the resource information;
the access verification module is further configured to:
send the access control information to the application system to be accessed in the form of session control information, so that the application system to be accessed verifies the authority of the client to access the resources of the application system to be accessed according to the session control information.
11. A computer device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, wherein the processor implements the method of any one of claims 1 to 5 when executing the computer program.
12. A computer-readable storage medium, characterized in that it stores a computer program which, when executed by a processor, implements the method of any one of claims 1 to 5.
13. A computer program product, characterized in that the computer program product comprises a computer program which, when executed by a processor, carries out the method of any one of claims 1 to 5.
CN202211070849.7A 2022-09-02 2022-09-02 Application system access method and device Pending CN115442136A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211070849.7A CN115442136A (en) 2022-09-02 2022-09-02 Application system access method and device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202211070849.7A CN115442136A (en) 2022-09-02 2022-09-02 Application system access method and device

Publications (1)

Publication Number Publication Date
CN115442136A true CN115442136A (en) 2022-12-06

Family

ID=84248122

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN119538228A (en) * 2024-11-12 2025-02-28 广东电网有限责任公司 A License-ticket-based application authorization management and control method and device

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102457509A (en) * 2010-11-02 2012-05-16 中兴通讯股份有限公司 Cloud computing resource security access method, device and system
CN103685282A (en) * 2013-12-18 2014-03-26 飞天诚信科技股份有限公司 Identity authentication method based on single sign on
CN103795692A (en) * 2012-10-31 2014-05-14 中国电信股份有限公司 Open authorization method, open authorization system and authentication and authorization server
CN109194673A (en) * 2018-09-20 2019-01-11 江苏满运软件科技有限公司 Authentication method, system, equipment and storage medium based on authorized user message
WO2021003751A1 (en) * 2019-07-11 2021-01-14 深圳市鹰硕技术有限公司 Single-account multi-identity login method and apparatus, server, and storage medium
CN113132404A (en) * 2021-04-28 2021-07-16 平安国际智慧城市科技股份有限公司 Identity authentication method, terminal and storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination