
CN119155129B - Method and system for rapidly authenticating multiple services in coal mine - Google Patents

Info

Publication number: CN119155129B
Authority: CN (China)
Prior art keywords: user, authentication, token, information, access
Legal status: Active (as listed by Google Patents; an assumption, not a legal conclusion)
Application number: CN202411666877.4A
Other languages: Chinese (zh)
Other versions: CN119155129A (en)
Inventors: 李万良, 李宇, 谢陈, 高明明
Current assignee: Beijing Lianchuang Hi Tech Information Technology Co ltd (the listed assignee may be inaccurate)
Original assignee: Beijing Lianchuang Hi Tech Information Technology Co ltd
Events: application filed by Beijing Lianchuang Hi Tech Information Technology Co ltd; priority to CN202411666877.4A; publication of CN119155129A; application granted; publication of CN119155129B; legal status active.

Classifications

    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L 63/00 Network architectures or network communication protocols for network security
        • H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities > H04L 63/0807 Network architectures or network communication protocols for network security for authentication of entities using tickets, e.g. Kerberos
        • H04L 63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks > H04L 63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
        • H04L 63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources > H04L 63/108 Network architectures or network communication protocols for network security for controlling access to devices or network resources when the policy decisions are valid for a limited amount of time
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L 67/00 Network arrangements or protocols for supporting network services or applications > H04L 67/01 Protocols > H04L 67/12 Protocols specially adapted for proprietary or special-purpose networking environments, e.g. medical networks, sensor networks, networks in vehicles or remote metering networks

Landscapes

  • Engineering & Computer Science (AREA)
  • Computing Systems (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Health & Medical Sciences (AREA)
  • General Health & Medical Sciences (AREA)
  • Medical Informatics (AREA)
  • Storage Device Security (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)

Abstract

The invention discloses a method and a system for quick authentication among multiple coal mine services. A new user accesses the registration interface of an authentication center through a user terminal, fills in and submits registration information, and the authentication center verifies it. The user then enters login information on the login interface of the authentication center; the login request is transmitted to a service provider over an encrypted protocol, the service provider forwards it to the authentication center for verification, and an authentication token is generated once verification passes. The user terminal receives the authentication token and stores it locally. When the user accesses one of the coal mine services, the user terminal initiates an access request carrying the authentication token, the service provider verifies the validity of the token, and after verification the user is allowed to access the corresponding service. When the authentication token is close to expiry, the user terminal automatically invokes the token refresh interface of the authentication center to obtain a new authentication token, so that the user's login state and authentication authority are maintained continuously.

Description

Method and system for rapidly authenticating multiple services in coal mine
Technical Field
The invention relates to the technical field of information security, in particular to a method and a system for rapidly authenticating multiple services in a coal mine.
Background
Along with the acceleration of the informatization process of the coal mine industry, various information systems and digital services are widely applied to coal mine enterprises, and the systems relate to aspects such as production management, safety monitoring, equipment management, personnel positioning and the like. Through the systems, enterprises can monitor and optimally manage the production process, and the safety production level and the operation efficiency are improved. However, as the number of systems increases, enterprise users need to frequently log in between different systems to perform operations and management, which brings a great operational burden to the users, especially in emergency situations, frequent authentication processes affect the work efficiency and response speed.
At present, a common authentication mode of coal mine enterprises mainly adopts a traditional user name and password authentication mode. Each system separately manages authentication information of a user who needs to input a user name and a password for each system to access related functions. This authentication method has several drawbacks:
Security risks: in the traditional user name and password mode, each system manages user passwords independently, which increases management complexity and makes password leakage more likely. Users often set the same password for several systems, so once one system suffers a password leak the security of the other systems is threatened, and frequent password entry raises exposure to risks such as keystroke logging. Repeated authentication: because the systems are independent, no unified authentication mechanism is usually established among them, so a user must log in multiple times when accessing different systems. This scattered authentication is especially disadvantageous in emergencies, where the user spends extra time on repeated authentication operations while handling urgent tasks, lowering overall work efficiency. Management complexity: because each system maintains user identity information independently, user management and authentication information become complicated and error-prone, and when a user's permissions change, the change has to be made in each system one by one, which makes frequent permission changes cumbersome and easy to get wrong.
Although some modern authentication schemes such as Kerberos can implement centralized authentication among multiple systems, their deployment and maintenance are complex and require additional configuration and debugging, especially in heterogeneous network environments. This not only raises implementation cost and difficulty but also has an adverse effect on system performance, and it cannot adapt well to the complex network environment of coal mine enterprises.
Therefore, a method and a system for rapid authentication among multiple services in a coal mine are urgently needed.
Disclosure of Invention
The invention provides a method and a system for rapidly authenticating multiple services in a coal mine, which are used for solving the problems in the prior art.
In order to achieve the above purpose, the present invention provides the following technical solutions:
A method for rapidly authenticating multiple services in a coal mine comprises the following steps:
S101, a new user accesses the registration interface of an authentication center through a user terminal, fills in and submits registration information, and the authentication center verifies the registration information to complete user registration;
S102, the user enters login information on the login interface of the authentication center, the login request is transmitted to a service provider over an encrypted protocol, the service provider forwards the login request to the authentication center for verification, an authentication token is generated after verification passes, and the authentication token is returned to the user terminal through the service provider;
S103, after receiving the authentication token, the user terminal stores it locally;
S104, when the user accesses one of the coal mine services, the user terminal initiates an access request carrying the authentication token, the service provider verifies the validity of the token, and after verification the user is allowed to access the corresponding service;
and S105, when the authentication token is close to expiry, the user terminal automatically invokes the token refresh interface of the authentication center to obtain a new authentication token, maintaining the user's continuous login state and authentication authority.
Wherein, the step S101 includes:
S1011, the user accesses the registration interface of the authentication center on the user terminal and submits registration information, which comprises a user name, a password, an e-mail address and a mobile phone number;
S1012, the user management module of the authentication center receives the registration information and performs a uniqueness check on the submitted user name to ensure it has not already been registered by someone else; if the user name exists, a prompt is sent to the user terminal asking the user to choose another user name;
S1013, the user management module performs an integrity check on the submitted information to ensure that all required fields are filled in and that the input format conforms to a preset standard;
S1014, when the information is complete and the format is valid, the authentication center continues with validity verification, including verification of the mobile phone number by sending a verification code to the phone provided by the user;
and S1015, after verification passes, the user management module stores the user information in the user database and generates a unique user identifier.
Wherein, the step S102 includes:
based on the login information, sending a login request to the coal mine service over an encrypted protocol;
after receiving the login request, the coal mine service that received it forwards the login request to the authentication center for user identity verification;
the authentication center verifies the login information and generates an authentication token after verification passes;
receiving the authentication token generated by the authentication center from the coal mine service that received the login request, and returning it to the user terminal through the access system;
the user terminal carries the authentication token in subsequent requests;
each coal mine service verifies the authentication token through the verification interface of the authentication center, including verifying the signature and the validity of the authentication token;
if the authentication token passes verification, the coal mine service extracts the user identity information and permission information from the authentication token and performs access control so that the user can only access information within their permission range.
After verification passes, allowing the user to access the corresponding service comprises the following steps:
obtaining access request data for the coal mine services and extracting user identity information from the authentication token carried by the user terminal, where the access request data comprises the user identity data and the type of service being accessed;
performing hierarchical processing on the access request data according to the user identity data and the service type to obtain verification data, which specifically comprises:
obtaining user permission information from the user identity data;
obtaining the type of each service associated with the user permission information as the data to be verified;
and generating an access authorization result according to the verification data, feeding the access authorization result into the coal mine service, and allowing the user to access the corresponding service data and function modules.
Wherein obtaining a new authentication token comprises:
Receiving an authentication token state detection request sent by a user terminal, and acquiring first expiration time information carried in an authentication token, wherein the authentication token is generated by an authentication center aiming at user identity verification and is sent to the user terminal, and the user terminal is terminal equipment carrying authentication information when accessing a target resource in an authentication path corresponding to the authentication token;
When the residual effective time represented by the first expiration time information is smaller than a preset threshold value, automatically triggering the user terminal to call a token refreshing interface of an authentication center, and sending a refreshing request carrying an old token to acquire a new authentication token, wherein the preset threshold value is used for indicating a time point when the authentication token is close to expiration;
After a new authentication token is successfully acquired, updating an old token stored on the user terminal, and ensuring the continuous login state and authentication authority of the user in an authentication center and a target resource access path;
And sending an access request carrying a new authentication token to a server corresponding to the target resource, and using the new authentication token in a subsequent authentication process when an access response of the target resource is acquired so as to maintain the continuous access authority of the user terminal.
Wherein generating an authentication token after verification passes includes:
determining user information contained in the login request based on the user authentication requirement;
acquiring a user database corresponding to the user information;
performing matching verification according to the user information and the data in the user database, and generating an authentication token if the matching is successful;
Performing matching verification according to the user information and the data in a preset verification database and generating an authentication token if the match succeeds comprises the following steps:
looking up the user name from the information to be verified in the verification database, and outputting a login failure result if no match is found;
matching the password entered by the user against the password information in the database, and generating an authentication token in JWT format if the match succeeds;
the generated token contains the user identity information and a signature, where the signature is produced with the private key of the authentication center;
returning the generated authentication token to the client as the credential for subsequent access to system resources;
if the user name or password fails to match, outputting a login failure result and rejecting the login request.
Wherein determining user information contained in the login request based on the user authentication requirement comprises:
Analyzing the login request to obtain a user name and a password input by a user;
preprocessing the user name and the password to obtain cleaned user information;
and taking the user name and the password as information to be verified.
The method for acquiring the user permission information from the user identity data comprises the following steps:
Analyzing the user identity data to obtain a permission information set related to the identity data, wherein the permission information set comprises roles, permission levels and an accessible information list of the user;
Generating an access authorization result based on the data to be verified comprises:
matching the user permission information against each of the service types and determining the user's authorization level for each service type;
if the user permission information satisfies the preset access condition, generating an access authorization result of "authorized";
and if the user permission information does not satisfy the access condition, generating an access authorization result of "authorization rejected".
The system for rapidly authenticating multiple coal mine services comprises:
a registration unit, which lets a new user access the registration interface of the authentication center through a user terminal, fill in and submit registration information, and has the authentication center verify the registration information to complete user registration;
a login unit, in which the user enters login information on the login interface of the authentication center, the login request is transmitted to the service provider over an encrypted protocol, the service provider forwards the login request to the authentication center for verification, an authentication token is generated after verification passes, and the authentication token is returned to the user terminal through the service provider;
a token storage unit, which stores the authentication token locally after the user terminal receives it;
a service access unit, which has the user terminal initiate an access request carrying the authentication token when the user accesses one of the coal mine services, and allows the user to access the corresponding service after the service provider verifies the validity of the token;
and a token refresh unit, which has the user terminal automatically call the token refresh interface of the authentication center when the authentication token is close to expiry, obtain a new authentication token, and maintain the user's continuous login state and authentication authority.
Wherein the login unit comprises:
based on the login information, sending a login request to the coal mine service over an encrypted protocol;
after receiving the login request, the coal mine service that received it forwards the login request to the authentication center for user identity verification;
the authentication center verifies the login information and generates an authentication token after verification passes;
receiving the authentication token generated by the authentication center from the coal mine service that received the login request, and returning it to the user terminal through the access system;
the user terminal carries the authentication token in subsequent requests;
each coal mine service verifies the authentication token through the verification interface of the authentication center, including verifying the signature and the validity of the authentication token;
if the authentication token passes verification, the coal mine service extracts the user identity information and permission information from the authentication token and performs access control so that the user can only access information within their permission range.
Compared with the prior art, the invention has the following advantages:
In the method for quick authentication among multiple coal mine services, a new user accesses the registration interface of the authentication center, fills in and submits registration information, and the authentication center verifies it; the user then enters login information on the login interface of the authentication center, the login request is transmitted to the service provider over an encrypted protocol and forwarded to the authentication center, which authenticates the user and generates an authentication token that is returned to the user terminal through the service provider; the user terminal receives the token, stores it locally and carries it when initiating access requests, and the service provider verifies the validity of the token and allows the user to access the corresponding service. Quick authentication and single sign-on among multiple service systems are thereby realized.
Additional features and advantages of the invention will be set forth in the description which follows, and in part will be obvious from the description, or may be learned by practice of the invention.
The technical scheme of the invention is further described in detail through the drawings and the embodiments.
Drawings
The accompanying drawings are included to provide a further understanding of the invention and are incorporated in and constitute a part of this specification, illustrate the invention and together with the embodiments of the invention, serve to explain the invention. In the drawings:
FIG. 1 is a flow chart of a method for rapid authentication between coal mine multiple services in an embodiment of the invention;
FIG. 2 is a flow chart of submitting registration information according to an embodiment of the present invention;
FIG. 3 is an operation flowchart of an embodiment of the method for fast authentication between coal mine multiple services according to the present invention.
Detailed Description
The preferred embodiments of the present invention will be described below with reference to the accompanying drawings, it being understood that the preferred embodiments described herein are for illustration and explanation of the present invention only, and are not intended to limit the present invention.
The embodiment of the invention provides a method for rapidly authenticating multiple services in a coal mine, which comprises the following steps:
S101, a new user accesses the registration interface of an authentication center through a user terminal, fills in and submits registration information, and the authentication center verifies the registration information to complete user registration;
S102, the user enters login information on the login interface of the authentication center, the login request is transmitted to a service provider over an encrypted protocol, the service provider forwards the login request to the authentication center for verification, an authentication token is generated after verification passes, and the authentication token is returned to the user terminal through the service provider;
S103, after receiving the authentication token, the user terminal stores it locally;
S104, when the user accesses one of the coal mine services, the user terminal initiates an access request carrying the authentication token, the service provider verifies the validity of the token, and after verification the user is allowed to access the corresponding service;
and S105, when the authentication token is close to expiry, the user terminal automatically invokes the token refresh interface of the authentication center to obtain a new authentication token, maintaining the user's continuous login state and authentication authority.
The working principle of this technical scheme, as shown in FIG. 3, is illustrated by the actual operating flow of a user, Wang, in a coal mine enterprise:
User registration: suppose Wang is a new employee of the coal mine enterprise who needs to access the production management system, the security monitoring system and the equipment management system. Wang fills in personal information on the user terminal interface of the authentication center to register, and the user management module of the authentication center verifies and stores the information.
User login: Wang enters a user name and password in the user terminal, which sends a login request to the production management system over HTTPS. The authentication interface module of the production management system forwards the login request to the authentication management module of the authentication center. The authentication center verifies the user name and password, generates a JWT token (containing the user identity information and permissions) and returns it to the user terminal through the production management system. Wang's user terminal stores the JWT token securely (for example, in the browser's localStorage).
Accessing the production management system: Wang needs to check the production plan, and the user terminal automatically attaches the JWT token to a request to the production management system. The authentication interface module of the production management system extracts the JWT token and confirms its validity through the token verification interface of the authentication center. The authentication center verifies that the token is valid, and the production management system lets Wang view the production plan according to the verification result.
Accessing the security monitoring system: Wang needs to check the mine's safety monitoring data, and the user terminal again attaches the JWT token to a request to the security monitoring system. The authentication interface module of the security monitoring system extracts the JWT token, verifies its validity and returns the verification result. After verification passes, Wang can check safety monitoring data in the mine such as gas concentration and ventilation.
Accessing the equipment management system: Wang needs to check and maintain the state of the mine equipment, and the user terminal attaches the JWT token once more to a request to the equipment management system. The authentication interface module of the equipment management system likewise extracts and validates the JWT token. After verification passes, Wang can check equipment status and fault early-warning information.
Token refresh: when Wang's JWT token is close to expiry, the user terminal obtains a new token through the token refresh interface of the authentication center, and the login state is maintained continuously.
The beneficial effects of this technical scheme are that user information is protected from theft or tampering in transit, preventing man-in-the-middle attacks. User access rights are controlled by verifying the validity of the token, so that only authorized users can access specific resources and unauthorized access is avoided. By logging in to the authentication center once, the user can access multiple coal mine services with the authentication token (S104), reducing the burden of frequent logins and improving operating efficiency. Forced logout due to token expiry is avoided, which greatly improves the continuity and usability of the system. All authentication logic is centralized in the authentication center (S101 and S102), so a system administrator can monitor and maintain user information and permissions uniformly. By controlling the generation and verification of tokens, the service provider can flexibly manage users' access rights to different resources. The service provider only needs to forward login requests and verify tokens, without implementing complex authentication logic, which reduces system complexity and improves maintenance efficiency. Even if new services are added in the future, they only need to use the same token verification mechanism, and the authentication flow does not need major adjustment. Multiple services sharing the same authentication center avoids each system independently developing and maintaining a user authentication module, saving development and operation costs.
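As an added illustration of steps S102 to S105 and the Wang scenario above (example code written for this page, not the patent's or the applicant's implementation), the following Python models the authentication center issuing a JWT from the user database, a service checking a token and the requested service type through the center's verification interface, and the client-side refresh when the remaining validity falls under the preset threshold. It assumes an HS256 keyed hash held only by the authentication center in place of the private-key signature the text describes, a constructed user record, and caller-supplied timestamps so the behaviour is reproducible.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Assumption: HS256 with a key held only by the authentication center stands in
# for the private-key signature described in the patent; services never verify
# locally but call verify_token() as the center's "verification interface".
AUTH_CENTER_KEY = secrets.token_bytes(32)
TOKEN_LIFETIME = 3600       # seconds a newly issued token is valid
REFRESH_THRESHOLD = 300     # S105: refresh when fewer seconds than this remain


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


# Constructed user database (the patent's "verification database"): userID ->
# credentials plus the role / level / accessible-service list carried in the token.
_SALT = secrets.token_bytes(16)
USER_DB = {
    "u-1001": {
        "username": "wang",
        "salt": _SALT,
        "password_hash": hash_password("correct horse battery", _SALT),
        "roles": ["operator"],
        "level": 2,
        "services": ["production", "monitoring", "equipment"],
    },
}


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(user_id: str, now: int) -> str:
    """Authentication center: build a JWT carrying identity and permission info."""
    record = USER_DB[user_id]
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": user_id, "roles": record["roles"], "level": record["level"],
               "services": record["services"], "iat": now, "exp": now + TOKEN_LIFETIME}
    signing_input = (b64url(json.dumps(header, separators=(",", ":")).encode()) + "."
                     + b64url(json.dumps(payload, separators=(",", ":")).encode()))
    sig = hmac.new(AUTH_CENTER_KEY, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


def verify_token(token: str, now: int):
    """Center's verification interface: signature first, then expiry.
    Returns the payload on success and None on any failure."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, payload_b64, sig_b64 = parts
    try:
        expected = hmac.new(AUTH_CENTER_KEY, f"{header_b64}.{payload_b64}".encode(),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
            return None
        header = json.loads(b64url_decode(header_b64))
        payload = json.loads(b64url_decode(payload_b64))
    except (ValueError, UnicodeDecodeError):
        return None
    # The algorithm is pinned: a token claiming alg=none or anything else is rejected.
    if header.get("alg") != "HS256" or payload.get("exp", 0) <= now:
        return None
    return payload


def login(username: str, password: str, now: int):
    """S102: match user name and password against the database, then issue a token.
    Unknown user and wrong password both return the same failure result (None)."""
    for user_id, record in USER_DB.items():
        if record["username"] == username:
            if hmac.compare_digest(hash_password(password, record["salt"]),
                                   record["password_hash"]):
                return issue_token(user_id, now)
            return None
    return None


def authorize(token: str, service_type: str, now: int) -> bool:
    """S104: a service has the center verify the token, then checks the requested
    service type against the permission info carried in the token."""
    payload = verify_token(token, now)
    return payload is not None and service_type in payload["services"]


def needs_refresh(token: str, now: int) -> bool:
    """Client side of S105: remaining validity is below the preset threshold."""
    payload = verify_token(token, now)
    return payload is not None and payload["exp"] - now < REFRESH_THRESHOLD


def refresh_token(old_token: str, now: int):
    """S105 refresh interface: the old token must still verify, and the new one is
    issued from the current database record, so a removed user cannot renew."""
    payload = verify_token(old_token, now)
    if payload is None or payload["sub"] not in USER_DB:
        return None
    return issue_token(payload["sub"], now)
```

Because the services delegate verification to the center, the signing key never leaves it; if services verified locally instead, the private-key signature the text describes (RS256 or ES256) is what lets them hold only the public key. A token kept in browser localStorage, as the scenario above mentions, is readable by any script running in that page, so an HttpOnly cookie is the usual hardening.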
In another embodiment, the step S101 includes:
S1011, a user accesses the registration interface of the authentication center on a user terminal and submits registration information, wherein the registration information comprises a user name, a password, a mailbox address and a mobile phone number;
S1012, the user management module of the authentication center receives the registration information and performs a uniqueness check on the submitted user name to ensure that it has not already been registered by someone else; if the user name already exists, a prompt is sent to the user terminal asking the user to choose a different user name;
S1013, the user management module performs an integrity check on the submitted information to ensure that all required fields are filled in and that the input conforms to the preset format;
S1014, if the information is complete and the format is legal, the authentication center continues with validity verification, including verification of the mobile phone number, which is confirmed by sending a verification code to the mobile phone number provided by the user;
S1015, after verification passes, the user management module stores the user information in the user database and generates a unique user identifier.
The technical scheme has the working principle that when a user opens the registration interface of the authentication center, the user fills in and submits personal information (comprising a user name, a password, a mailbox address and a mobile phone number). This information is passed from the user terminal to the user management module of the authentication center. After receiving the registration information, the user management module first checks whether the submitted user name already exists in the database. If it does, the system sends a prompt to the user terminal asking the user to choose another user name. The user management module then performs an integrity check on all submitted registration information to ensure that the user has filled in all required entries. Next, the system verifies the input format, such as whether the user name length and the mailbox address format are correct and whether the mobile phone number conforms to the specified format. Provided the information is complete and the format is correct, the system continues with validity verification, such as verification of the mobile phone number: it sends a verification code to the mobile phone number provided by the user and asks the user to enter the received code on the page. After the code is verified, the user management module stores the user's registration information in the database and generates a unique user identifier (userID) for each user.
The technical scheme has the beneficial effects that, after the uniqueness check and format verification, the information submitted by the user is guaranteed to meet the standard; duplicate user names and invalid mailboxes or mobile phone numbers are avoided, and spam registrations and data conflicts are prevented. The system can promptly prompt the user about incorrectly filled information (such as a duplicate user name or a wrong format) and provide guidance so that the user can complete the registration process smoothly. The mobile phone verification further ensures that the contact details provided by the registered user are real and usable, which improves account security and avoids false or malicious registrations. By generating a unique user identifier for each user, the system can manage each user's data efficiently and ensure that operations on the user (e.g., logging in, changing the password) are accurately associated with that user's personal information.
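As an added example (not code from the patent or its assignee), the following Python sketch implements steps S1011 to S1015 as described above: an integrity check of the required fields, a uniqueness check of the user name, format checks, a mobile phone verification code that is random, short-lived, single-use and limited in attempts, and finally storage of the record with a generated userID. The `Registry` class, the format rules, the code lifetime and attempt limit, and the use of a salted PBKDF2 hash for the stored password are all this example's assumptions; the patent only specifies that the input must match a preset standard and that the password is stored encrypted.

```python
import hashlib
import hmac
import re
import secrets
import uuid

# Fields a registration must contain (S1013 integrity check).
REQUIRED_FIELDS = ("username", "password", "email", "phone")

# Format rules are assumptions: the patent only says the input must match
# a preset standard.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{4,32}$")
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
PHONE_RE = re.compile(r"^1\d{10}$")  # 11-digit mobile number, constructed rule

CODE_TTL_SECONDS = 300   # verification code lifetime (assumption)
MAX_CODE_ATTEMPTS = 5    # attempts before the code is discarded (assumption)


class Registry:
    """In-memory stand-in for the user management module and user database."""

    def __init__(self):
        self.users = {}    # username -> stored record
        self.pending = {}  # phone -> [code, expires_at, attempts]

    def check(self, info):
        """S1012 + S1013: uniqueness, integrity and format checks.
        Returns a list of problems; an empty list means the data is acceptable."""
        missing = [f for f in REQUIRED_FIELDS if not info.get(f)]
        if missing:
            return ["missing: " + ", ".join(missing)]
        problems = []
        if info["username"] in self.users:
            problems.append("username already registered")
        if not USERNAME_RE.match(info["username"]):
            problems.append("invalid username format")
        if not EMAIL_RE.match(info["email"]):
            problems.append("invalid email address")
        if not PHONE_RE.match(info["phone"]):
            problems.append("invalid mobile phone number")
        return problems

    def send_code(self, phone, now):
        """S1014: issue a random, short-lived verification code for the phone.
        A real deployment sends it by SMS; it is returned here so the example runs offline."""
        code = f"{secrets.randbelow(10 ** 6):06d}"
        self.pending[phone] = [code, now + CODE_TTL_SECONDS, 0]
        return code

    def register(self, info, code, now):
        """S1014 code check + S1015 storage. Returns (userID, problems)."""
        problems = self.check(info)
        if problems:
            return None, problems
        entry = self.pending.get(info["phone"])
        if entry is None or now > entry[1]:
            return None, ["verification code expired or not issued"]
        entry[2] += 1
        if entry[2] > MAX_CODE_ATTEMPTS:
            del self.pending[info["phone"]]
            return None, ["too many verification attempts"]
        if not hmac.compare_digest(entry[0], code):
            return None, ["wrong verification code"]
        del self.pending[info["phone"]]  # a code is single-use
        # Password stored as a salted hash; the patent says "encrypted storage",
        # PBKDF2 is this example's choice.
        salt = secrets.token_bytes(16)
        pw_hash = hashlib.pbkdf2_hmac("sha256", info["password"].encode(), salt, 100_000)
        user_id = str(uuid.uuid4())
        self.users[info["username"]] = {
            "userID": user_id, "email": info["email"], "phone": info["phone"],
            "salt": salt, "pw_hash": pw_hash,
        }
        return user_id, []
```

`check` returns a list of problems rather than a boolean so that the prompt sent back to the terminal (S1012) can name the field at fault. The verification code is compared with `hmac.compare_digest` and discarded after five attempts or five minutes, which is what keeps a six-digit code from being guessed.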
In another embodiment, the step S102 includes:
based on the login information, sending a login request to the coal mine multi-service system through an encryption protocol;
after receiving the login request, the coal mine multi-service system forwards it to the authentication center for user identity verification;
the authentication center verifies the login information and generates an authentication token after verification passes;
the coal mine multi-service system receives the authentication token generated by the authentication center and returns it to the user terminal through the access system;
the user terminal carries the authentication token in subsequent requests;
the coal mine multi-service system verifies the authentication token through the verification interface of the authentication center, including verifying the signature and validity of the authentication token;
if the authentication token passes verification, the coal mine multi-service system extracts the user identity information and authority information from the authentication token and performs access control, ensuring that the user can only access information within the scope of their authority.
The technical scheme has the working principle that a user submits login information (such as a user name and password) through the user terminal. The login request is encrypted using an encryption protocol (such as HTTPS) and transmitted to the coal mine multi-service system over the network, which ensures the security of the data in transit. After receiving the encrypted login request, the coal mine multi-service system forwards it to the authentication center for user identity verification. The authentication center is responsible for handling all operations related to user identity authentication; it verifies the received login information by checking whether the user name and password match. If verification passes, the authentication center generates an authentication token (JWT) containing the user's identity information, rights and expiration time, and signs it. The coal mine multi-service system receives the authentication token generated by the authentication center and returns it to the user terminal for use in subsequent access requests; this return is also transmitted over the encryption protocol. The user terminal carries the authentication token in the following access requests, so the system can identify an authenticated user without requiring a new login for every operation. The coal mine multi-service system calls the verification interface of the authentication center to verify the authentication token provided by the user terminal, confirming the signature and validity of the token, that is, that the token has not been tampered with and is still within its validity period. After the authentication token passes verification, the coal mine multi-service system extracts the user's identity information and authority information from the token, so that the user can only access resources within the scope of their authority.
The technical scheme has the beneficial effects that the login information and the authentication token are transmitted over the encryption protocol, so the data cannot be stolen or tampered with on the network and man-in-the-middle attacks are effectively prevented. The authentication center strictly verifies the login information, so only legitimate users can obtain an authentication token, and illegal access by unauthorized users is avoided. The authentication token mechanism spares the user from logging in again within a certain period, which improves the user experience and reduces the load on the authentication center. Using the identity and authority information in the authentication token, the coal mine multi-service system can implement fine-grained access control so that users can only access resources within their authority and unauthorized access is avoided. The authentication token mechanism not only secures user authentication but also simplifies the authentication of subsequent requests, reduces repeated authentication operations, and improves the efficiency and security of the system.
In another embodiment, after the authentication passes, allowing the user to access the corresponding service comprises:
acquiring access request data in the coal mine multi-service system and extracting user identity information from the authentication token carried by the user terminal, wherein the access request data comprises user identity data and an access service type;
performing layered processing on the access request data according to the user identity data and the access service type to obtain verification data, which specifically comprises:
acquiring user authority information from the user identity data;
acquiring the type of each service associated with the user authority information as data to be verified;
generating an access authorization result according to the verification data, inputting the access authorization result into the coal mine multi-service system, and allowing the user to access the corresponding service data and function modules.
Wherein generating an access authorization result according to the verification data comprises:
storing the user rights information in a rights log;
receiving user permission rules applicable to the plurality of services;
acquiring the service types associated with the user authority information as data to be verified;
aggregating the data to be verified in the rights log to generate an access authorization result;
generating an access policy defining the user's access rights to the plurality of services;
dynamically adjusting the access policy according to the user's work role and tasks so as to provide more flexible authority control;
generating a service recommendation policy by combining the user's historical behaviour and work content so as to intelligently recommend related services and improve working efficiency;
storing the access policy and the service recommendation policy in memory;
inputting the access authorization result into the coal mine multi-service system and allowing the user to access the corresponding service data and function modules;
transmitting the access policy to the rights control module in the production environment, the rights control module accessing the access policy to grant the user access rights to the plurality of services;
sending the service recommendation policy to the user terminal so as to recommend related services to the user and improve working efficiency.
The technical scheme has the working principle that after the coal mine multi-service system receives an access request from the user terminal, it extracts the user's identity information and the requested service type from the authentication token. The authentication token contains the user's identity and rights data, which is critical for the subsequent authorization. According to the user's identity data (such as the identity ID and role) and the access service type, the system performs layered processing on the request data to obtain the user's authority information. This step ensures that different users and service types receive different rights divisions, in line with the principle of least privilege. From the user authority information the system obtains the specific service types that the user may access; each user has different service access rights associated with particular service types. Based on the acquired user rights information and the service types, the data to be verified (verification data) is generated, which is used for the subsequent access authorization decision. The system generates an access authorization result from the verification data and determines whether the user is entitled to access the requested service or function module. If authorization passes, the system allows the access. The system inputs the generated authorization result into the coal mine multi-service system, which opens the corresponding service data and function modules to the user according to the authorization result.
The technical scheme has the beneficial effects that the identity information and authority are extracted from the authentication token, so that only users with legitimate authority can access the corresponding services and data; unauthorized users are effectively prevented from accessing key system resources, and security compliance requirements are met. By layering the user identity data and the access service types, the system can implement fine-grained access control: different users and service types correspond to different authority levels, the principle of least privilege is enforced, and security risk is reduced. The system can flexibly generate verification data and access authorization results according to the identities and service requirements of different users, supports the addition of new roles and service types, and improves the scalability and flexibility of the system.
In another embodiment, obtaining a new authentication token includes:
receiving an authentication token state detection request sent by the user terminal, and acquiring the first expiration time information carried in the authentication token, wherein the authentication token is generated by the authentication center for user identity verification and sent to the user terminal, and the user terminal is the terminal device that carries the authentication information when accessing a target resource on the authentication path corresponding to the authentication token;
when the remaining validity time represented by the first expiration time information is smaller than a preset threshold, automatically triggering the user terminal to call the token refresh interface of the authentication center and send a refresh request carrying the old token so as to acquire a new authentication token, wherein the preset threshold indicates the point in time at which the authentication token is close to expiration;
after the new authentication token is successfully acquired, updating the old token stored on the user terminal, thereby ensuring the user's continuous login state and authentication authority at the authentication center and on the target resource access path;
sending an access request carrying the new authentication token to the server corresponding to the target resource, and, when the access response of the target resource is obtained, using the new authentication token in the subsequent authentication process so as to maintain the continuous access authority of the user terminal.
The technical scheme has the working principle that the user terminal periodically sends an authentication token state detection request to the system, and after receiving the request the system extracts the first expiration time information from the token. This information is used to determine how long the token remains valid. The system calculates the current remaining validity time from the extracted first expiration time information. If the remaining time of the token is less than a preset threshold (e.g., 5 minutes), the system triggers the token refresh mechanism: when the system detects that the token is about to expire, the user terminal automatically calls the token refresh interface of the authentication center, sends the old authentication token as a parameter, and asks the authentication center to generate a new authentication token.
After verifying the old token, the authentication center generates a new authentication token according to the user identity and the old token and returns it to the user terminal, which uses the new token in subsequent access requests. After the new token is successfully acquired, the user terminal automatically updates the locally stored authentication token while maintaining the user's continuous login state and authentication authority, so that access is not interrupted by token expiration at any point during resource access. The user terminal passes the new authentication token between the authentication center and the target resource server, ensuring that the latest authentication token is used to maintain access rights when accessing the target resource (e.g., data or a function module).
The technical scheme has the beneficial effects that the system automatically refreshes the token when the authentication token is about to expire, so that the user is not forced out by an authentication failure while using the system and the user's continuous login state is maintained. The automatic token refresh mechanism reduces the number of manual re-logins, and the user does not need to perform identity verification frequently, which improves the usability and user experience of the system. Through dynamic detection and automatic renewal of the authentication token's validity period, the system replaces the token before it expires, which prevents security risks and ensures that the user always uses a valid authentication token. During access to the target resource, the automatic token refresh mechanism avoids access interruptions and ensures that the user can access system functions continuously and seamlessly, particularly in key business scenarios.
In another embodiment, generating the authentication token after verification passes includes:
determining the user information contained in the login request based on the user authentication requirement;
acquiring the user database corresponding to the user information;
performing matching verification according to the user information and the data in the user database, and generating an authentication token if the matching succeeds;
wherein performing matching verification according to the user information and the data in a preset verification database, and generating an authentication token if the matching succeeds, comprises:
searching the verification database for the user name in the information to be verified, and outputting a login failure result if the match fails;
matching the password entered by the user against the password information in the database, and, if the match succeeds, generating an authentication token in JWT format;
wherein the generated authentication token contains the user identity information and a signature, and the signature is generated with the private key of the authentication center;
returning the generated authentication token to the client as the credential for subsequent access to system resources;
if the matching of the user name or password fails, outputting a login failure result and rejecting the login request.
Wherein returning the generated authentication token to the client comprises:
acquiring the user identity information together with user terminal device information or geographic location information;
generating a signature covering the user identity information;
encrypting the signature with the private key of the authentication center to produce an encrypted signature;
integrating the user identity information, the encrypted signature and dynamically changing elements (such as a one-time password (OTP)) into the authentication token;
associating the authentication token with the user terminal device or geographic location to prevent use of the token on unauthorized devices or at unauthorized locations;
returning the generated authentication token to the client as the credential for subsequent access to system resources.
The technical scheme has the working principle that when the system receives a user login request, it extracts the user information, which generally comprises a user name and a password, from the request. This information is the basis for user authentication. For example, user A enters a user name and password when logging into the system, and the system extracts these two pieces of information for subsequent authentication.
The system accesses the corresponding user database, which stores the information of all registered users of the system, according to the extracted user information. The system first looks up the user name provided in the login request in the user database. If the user name does not exist, a login failure result is returned immediately. If the user name is found, the system extracts the password information corresponding to that user name from the database and compares it with the password entered by the user. If the password matches, verification passes; otherwise a login failure result is returned. After the user name and password match, the system generates an authentication token in JWT (JSON Web Token) format. The token contains the user's identity information and a system signature; the signature is generated with the private key of the authentication center and guarantees the integrity and security of the token. The generated authentication token is returned to the client as the credential for subsequent access to system resources, and the client carries it for identity authentication each time a system resource is requested. If the user name or password match fails, the system outputs a login failure result and rejects the user's login request.
The technical scheme has the beneficial effects that, through matching of the user name and password followed by generation of a JWT token signed with the private key, the user's identity is securely verified and login by unauthorized users is prevented. The signature in the JWT token is generated with the private key of the authentication center, which protects the authentication token in transit and prevents tampering and forgery. Once the authentication token has been generated, the client only needs to carry the token in subsequent requests and the user name and password do not need to be verified repeatedly, which improves the convenience and user experience of the system. The JWT token is stateless, so the server side does not need to store user session information for each request, which reduces the server load and improves the efficiency and response speed of the system.
In another embodiment, determining user information contained in the login request based on the user authentication requirement comprises:
parsing the login request to obtain the user name and password entered by the user;
preprocessing the user name and password to obtain cleaned user information;
taking the user name and password as the information to be verified.
The technical scheme has the working principle that the system first receives the user's login request and extracts the user name and password entered by the user. This step ensures that the system can recognise the user's login intent and collect the necessary authentication information. To improve the accuracy and consistency of the data, the system preprocesses the extracted user name and password. The preprocessing may include removing spaces, converting case, removing special characters, and so on, to ensure the reliability of the user's input. After preprocessing, the system obtains a formatted user name and password. The cleaned information serves as the information to be verified and is compared with the records in the database. The processed user name and password are combined into one set of information to be verified, which is passed to the authentication module for comparison with the user data stored in the database.
The technical scheme has the beneficial effects that, by preprocessing the user name and password, the system effectively reduces the risk caused by inconsistent input formats, makes the information to be verified more reliable, and avoids verification failures caused by format problems. In the preprocessing stage the system handles problems such as spaces and letter case, so it can tolerate minor mistakes or input habits of the user and improve the user experience. For example, the system adjusts the input automatically, so the user does not need to pay excessive attention to the input format.
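The login flow of S102, the token-generation embodiment above, the preprocessing embodiment, and the token refresh embodiment all rest on the same three operations: issuing a signed JWT after the user name and password match, verifying its signature and expiry at the authentication center, and re-issuing it when the remaining validity drops below the threshold. The following Python example, added here and not taken from the patent, shows all three with an in-memory user database. Assumptions: an HMAC-SHA256 (HS256) key stands in for the authentication center's private key (the patent signs with an asymmetric private key; the stand-in keeps the property that the key never leaves the center, which is why the service provider verifies through the center's interface); the user records, the 1800-second validity and the 300-second refresh threshold (the patent's example is 5 minutes) are constructed; and in the preprocessing step only the user name is trimmed and case-folded, while the password is left exactly as entered, which is this example's design choice.

```python
import base64
import hashlib
import hmac
import json

# Constructed user database. The patent stores passwords "encrypted"; a salted
# PBKDF2 hash is this example's choice (one fixed salt here for brevity).
_SALT = b"constructed-salt"


def _hash_pw(password):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)


USER_DB = {
    "alice": {"userID": "u-1001", "pw_hash": _hash_pw("correct horse"),
              "role": "inspector", "services": ["safety_monitoring", "personnel_location"]},
}

# Assumption: an HS256 key stands in for the authentication center's private key.
AUTH_CENTER_KEY = b"constructed-auth-center-signing-key"
TOKEN_TTL = 1800          # token validity in seconds (assumption)
REFRESH_THRESHOLD = 300   # "close to expiry" threshold; the patent's example is 5 minutes


def _b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(signing_input):
    return _b64url(hmac.new(AUTH_CENTER_KEY, signing_input, hashlib.sha256).digest())


def issue_token(user, now):
    """Build a JWT carrying identity, rights and expiry, signed by the authentication center."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps({
        "sub": user["userID"], "role": user["role"], "services": user["services"],
        "iat": int(now), "exp": int(now) + TOKEN_TTL,
    }).encode())
    signing_input = f"{header}.{payload}"
    return f"{signing_input}.{_sign(signing_input.encode())}"


def clean_login(username, password):
    """Preprocessing embodiment: trim and case-fold the user name only.
    The password is left byte-for-byte as entered, so normalisation cannot
    make two different passwords compare equal."""
    return username.strip().lower(), password


def login(username, password, now):
    """S102 / token generation: look up the user name, check the password, issue a token.
    Returns None on failure (the same answer for an unknown user and a wrong password)."""
    username, password = clean_login(username, password)
    user = USER_DB.get(username)
    if user is None or not hmac.compare_digest(user["pw_hash"], _hash_pw(password)):
        return None
    return issue_token(user, now)


def verify_token(token, now):
    """Authentication center verification interface: check the signature, then the expiry.
    Returns the claims when the token is valid, otherwise None."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header, payload, sig = parts
    if not hmac.compare_digest(sig, _sign(f"{header}.{payload}".encode())):
        return None
    claims = json.loads(_b64url_decode(payload))
    if claims["exp"] <= now:
        return None
    return claims


def refresh_if_needed(token, now):
    """Token refresh embodiment: when the remaining validity is below the threshold,
    verify the old token and issue a new one for the same user; otherwise keep the old token."""
    claims = verify_token(token, now)
    if claims is None:
        return None  # expired or tampered: the terminal must log in again
    if claims["exp"] - now >= REFRESH_THRESHOLD:
        return token
    user = next(u for u in USER_DB.values() if u["userID"] == claims["sub"])
    return issue_token(user, now)
```

`refresh_if_needed` re-reads the user record rather than copying the claims out of the old token, so a role change takes effect at the next refresh; it returns `None` for an expired or tampered token, which is the point at which the terminal falls back to a fresh login.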
In another embodiment, obtaining user rights information from user identity data includes:
parsing the user identity data to obtain a rights information set related to the identity data, wherein the rights information set comprises the user's roles, permission levels and list of accessible information;
Generating an access authorization result based on the data to be verified comprises:
matching the user authority information against each of the service types, and determining the user's authorization level for that service type;
if the user authority information meets the preset access condition, generating an access authorization result of authorization passed;
if the user authority information does not meet the access condition, generating an access authorization result of authorization rejected.
The technical scheme has the working principle that the system first parses the user identity data to obtain the authority information related to the user. The identity data may contain the user's ID, authentication token or other identifying information, from which the system extracts the user's role, permission level and list of accessible resources. After parsing the identity data, the system gathers the user's roles, permission levels and accessible resource lists into the user's rights information set, which determines the range of operations the user may perform. Based on the service architecture, the system matches the user rights information against each of the service types. For example, services may be classified into types such as read, write and delete, and the system determines the user's authorization level for each service type from the user authority information. The system then generates an access authorization result from the rights matching result. If the user's authority information meets the preset access condition, an access result of 'authorized pass' is generated and the user is allowed to perform the requested operation; if the authority does not meet the condition, an access result of 'authorized reject' is generated and the user is prevented from accessing.
The technical scheme has the beneficial effects that by parsing the user's authority information and matching it against the service type, the system effectively ensures accurate authority control. Each user can only access the functions or data within their authority, and unauthorized operations are avoided. Through the strict authority matching and verification flow, the system prevents unauthorized users from performing sensitive operations, which strengthens system security; for example, an ordinary user is prevented from accessing or modifying high-level management data. The rights information set can be dynamically adjusted according to the roles and permission levels of different users and the resources they need to access, which supports a flexible rights management scheme and lets the system adjust permissions at any time according to organizational or business requirements. For users who do not meet the access conditions, the system generates an authorization rejection result, which prevents users from wrongly accessing sensitive information or performing unauthorized operations and reduces the probability of system errors.
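The access authorization steps above (layered processing of the request into identity data and service type, a rights information set of role, permission level and accessible list, matching against the service types, and a pass/reject result written against a rights log) can be shown in a few functions. The Python below is an added example, not the patent's own code; the three roles, the four service systems named later in the patent, the read < write < delete ordering of permission levels and the dictionary shapes are all assumptions.

```python
# Constructed rights model. The patent names roles, permission levels and an
# accessible-information list but does not fix their encoding; these values
# and the ordering read < write < delete are assumptions.
PERMISSION_LEVELS = {"read": 1, "write": 2, "delete": 3}

ROLE_RIGHTS = {
    "operator": {"level": "read",
                 "accessible": {"production_management", "safety_monitoring"}},
    "engineer": {"level": "write",
                 "accessible": {"production_management", "equipment_management"}},
    "manager":  {"level": "delete",
                 "accessible": {"production_management", "safety_monitoring",
                                "equipment_management", "personnel_location"}},
}

RIGHTS_LOG = []   # the "rights log" in which user rights information is stored


def rights_info_set(identity):
    """Acquire the user's rights information from identity data (role, level, accessible list).
    An unknown role yields an empty accessible set, so later matching rejects by default."""
    rights = ROLE_RIGHTS.get(identity.get("role"), {"level": None, "accessible": set()})
    info = {"userID": identity.get("userID"), "role": identity.get("role"),
            "level": rights["level"], "accessible": set(rights["accessible"])}
    RIGHTS_LOG.append(info)
    return info


def layer_request(identity, service, operation):
    """Layered processing: split the request into identity data and service type,
    producing the verification data used for the authorization decision."""
    return {"rights": rights_info_set(identity),
            "service": service, "operation": operation}


def authorize(identity, service, operation):
    """Match the rights information against the requested service type and operation.
    Returns an access authorization result of 'pass' or 'reject' with a reason."""
    data = layer_request(identity, service, operation)
    rights = data["rights"]
    if data["service"] not in rights["accessible"]:
        return {"result": "reject", "reason": "service not in accessible list"}
    wanted = PERMISSION_LEVELS.get(data["operation"])
    allowed = PERMISSION_LEVELS.get(rights["level"], 0)
    if wanted is None or wanted > allowed:
        return {"result": "reject",
                "reason": f"operation {operation!r} exceeds permission level {rights['level']!r}"}
    return {"result": "pass", "userID": rights["userID"],
            "service": service, "operation": operation}


def access_policy(identity):
    """Access policy for the user: the highest operation allowed on each accessible service."""
    rights = rights_info_set(identity)
    return {svc: rights["level"] for svc in sorted(rights["accessible"])}
```

A request passes only when the service is on the accessible list and the requested operation does not exceed the permission level; an unknown role or an unknown operation is rejected rather than mapped to a default. `access_policy` derives the per-service access policy mentioned in the embodiment from the same rights set.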
In another embodiment, a system for rapid authentication across coal mine multi-services comprises:
a registration unit, used for a new user to access the registration interface of the authentication center through the user terminal and fill in and submit registration information, the authentication center verifying the registration information to complete user registration;
a login unit, used for the user to enter login information at the login interface of the authentication center, the login request being transmitted to the service provider over an encryption protocol, the service provider forwarding the login request to the authentication center for verification, and the authentication center generating an authentication token after verification passes and returning it to the user terminal through the service provider;
a token storage unit, used for storing the authentication token locally after the user terminal receives it;
a service access unit, used for the user to initiate an access request carrying the authentication token when accessing the coal mine multi-service system, the user being allowed to access the corresponding service after the service provider verifies the validity of the token;
a token refresh unit, used for the user terminal to automatically call the token refresh interface of the authentication center when the authentication token is close to expiration, acquire a new authentication token, and thereby maintain the user's continuous login state and authentication authority.
The technical scheme has the working principle that the system comprises an authentication center, a service provider and a user terminal. The three parts cooperate to ensure secure, reliable and continuous authentication and access control of users in the coal mine multi-service system. The detailed working mechanisms and interaction procedures are as follows:
The authentication center is the core of the whole system and is responsible for managing user identities, the authentication process, and token generation and verification. Its functional modules comprise:
User management module:
Provides functions such as user registration, information updates and password management. All user information is stored in a database, including data such as user name, password (stored encrypted), role and rights.
When a user registers or updates information, the information is stored in the database and sensitive information is protected by encryption.
Authentication management module:
Processes user login requests and verifies user identities. The user enters a user name and password through the user terminal, and this information is transmitted to the authentication center for verification.
After verification passes, the authentication management module generates a JWT (JSON Web Token) containing the user's identity information, rights information, validity period and the like.
Token management module:
Responsible for generating, verifying and managing JWT tokens. After the user logs in successfully, the authentication center generates a token containing the user information and rights and sends it back to the user terminal.
The token verification mechanism ensures that the validity of the token can be checked every time the user initiates a service request, which guarantees the security and continuity of the user session.
Token refresh mechanism: when the token is about to expire, the authentication center generates a new token at the request of the user terminal, so the user does not need to log in again frequently during the session.
Log and audit module:
Records all authentication requests and responses for auditing and traceability. The module can also detect abnormal login attempts and potential security threats to keep the system secure.
The service provider acts as an intermediate bridge between the authentication center and the user terminal and also provides the specific business services. Its main modules comprise:
Authentication interface module: responsible for communicating with the authentication center, forwarding the user's login request to the authentication center and receiving the authentication result.
When a user requests access to a service, the authentication interface module verifies the validity of the JWT token; the verification is performed through the API interface of the authentication center.
Service processing module: processes the user's service requests and performs access control based on the user's identity and authority information.
The service processing module supports a variety of functions such as production management, equipment control and data querying. The access rights of each functional module are controlled according to the identity of the user.
Log module: records the user's operation log in the system. These logs not only help track and manage user behaviour but also provide a basis for tracing back when a security event occurs.
User terminal: the user terminal is the interface through which the user interacts with the system, typically an application or browser interface with login and service access functions. Its main modules comprise:
Login interface: provides the user with an interface for entering a user name and password. The information entered by the user is sent to the service provider over the encryption protocol and then forwarded by the service provider to the authentication center for verification.
Token management module: responsible for storing and managing JWT tokens, which are typically kept in the browser's Local Storage or Session Storage so that the token is carried consistently across multiple accesses.
The user terminal automatically carries the token in subsequent service requests, so that the authentication center and the service provider can continuously verify the identity of the user terminal.
The service provider in the whole system supports a plurality of service systems, including:
Production management system: manages production planning, scheduling and execution, ensuring orderly production in the mine.
Safety monitoring system: monitors the safety conditions of the mine in real time, such as gas concentration and ventilation, ensuring production safety.
Equipment management system: manages and maintains mine equipment, including equipment status monitoring and fault early warning, ensuring normal operation of the equipment.
Personnel positioning system: tracks the positions of operators in the mine in real time, ensuring safe and efficient personnel management.
Summary of interaction procedure
(1) Registration and login: the user registers and logs in through the user terminal; the information is sent to the service provider over an encrypted protocol and forwarded to the authentication center for verification.
(2) Token generation: after verification passes, the authentication center generates a JWT token and returns it to the user terminal, which stores the token.
(3) Service access: when the user initiates a service request, the request carries the token for verification, and the service provider allows access to the corresponding service once it has confirmed that the token is valid.
(4) Token refresh: when the token is about to expire, the user terminal automatically requests the authentication center to refresh it, keeping the session continuously valid.
The beneficial effect of this technical solution is that access control and continuous authentication of users in the coal mine multi-service system are ensured, while system security and management efficiency are improved through log auditing and security monitoring.
In another embodiment, the login unit comprises:
based on the login information, sending a login request to the coal mine multi-service system through an encryption protocol;
after receiving the login request, the coal mine multi-service system forwards it to the authentication center for user identity verification;
the authentication center verifies the login information, and an authentication token is generated after verification passes;
the coal mine multi-service system receives the authentication token generated by the authentication center and returns it to the user terminal through the access system;
the user terminal carries the authentication token in subsequent requests;
the coal mine multi-service system verifies the authentication token through the verification interface of the authentication center, including verifying the signature and the validity of the authentication token;
if the authentication token passes verification, the coal mine multi-service system extracts the user identity information and authority information from the authentication token and performs access control, ensuring that the user can only access information within their authority.
The working principle of this technical solution is that the user enters login information through a client (such as a mobile application or a Web front end), and the login request is sent to the coal mine multi-service system over HTTPS. HTTPS ensures that the data cannot be eavesdropped on or tampered with in transit.
After receiving the user's login request, the coal mine multi-service system forwards it to the authentication center, which is the component responsible for verifying the user's identity.
The authentication center verifies the login information provided by the user (such as user name and password) and generates a JWT token after verification passes. A JWT consists of three parts:
Header: declares the token type (JWT) and the signature algorithm (for example HS256 or RS256).
Payload: contains the user's identity information (for example user ID and user name), rights information, and the validity period of the token.
Signature: the authentication center signs the Header and Payload so that the data cannot be tampered with. With RS256 the signature is produced with the authentication center's private key and checked with its public key; with HS256 there is no key pair, the signature is an HMAC under a secret that every verifier must also hold, so any such verifier could also mint tokens.
After the authentication center generates the JWT token, the token is returned to the user terminal via the coal mine multi-service system. The user terminal carries the JWT token in subsequent requests.
When the user carries the JWT token in a subsequent operation, the coal mine multi-service system verifies the token through the verification interface of the authentication center, which specifically comprises the following steps:
Signature verification: check that the token's signature is valid using the authentication center's public key (RS256) or the shared secret (HS256), ensuring that the data has not been tampered with.
Validity verification: confirm that the token is within its validity period (checked via the exp field; the current time must be before exp).
If verification passes, the coal mine multi-service system extracts the user's identity and authority information from the Payload of the JWT token and performs access control, ensuring that the user can only access resources within their authority.
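A minimal implementation of the token structure and verification steps described above (Header, Payload and Signature; signature check before anything else; exp check; extraction of identity and rights for access control), added here as an example and not part of the patent. It uses HS256 with a shared secret from the Python standard library so that it runs offline; the claim names (sub, name, rights), the secret value and the service names are assumptions. With RS256, the configuration the text describes, the signing call would use the authentication center's private key and verification its public key, and the rest of the logic is unchanged.

```python
import base64
import hashlib
import hmac
import json
import time

# Shared HMAC secret for HS256 (assumption for this example). Every service that verifies
# with this secret can also mint tokens, which is why the private/public key split (RS256)
# is preferable when several services verify tokens from one authentication center.
SECRET = b"example-shared-secret-not-for-production"


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class TokenError(Exception):
    """Raised for any token that must not be trusted."""


def issue_token(user_id: str, username: str, rights: list, ttl_seconds: int, now: int = None) -> str:
    """Authentication center side: build header.payload.signature."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    # Claim names are assumptions; the patent only says identity, rights and validity period.
    payload = {"sub": user_id, "name": username, "rights": rights, "iat": now, "exp": now + ttl_seconds}
    signing_input = (b64url_encode(json.dumps(header, separators=(",", ":")).encode())
                     + "." + b64url_encode(json.dumps(payload, separators=(",", ":")).encode()))
    signature = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(signature)


def verify_token(token: str, now: int = None) -> dict:
    """Verifier side: signature first, then validity (exp), then return the claims."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
        signature = b64url_decode(sig_b64)
    except ValueError:  # covers binascii.Error, JSONDecodeError and UnicodeDecodeError
        raise TokenError("undecodable token")
    # Pin the algorithm: the token must never choose how it is verified ("none", HS/RS swap).
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise TokenError("unexpected alg")
    expected = hmac.new(SECRET, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):  # constant-time comparison
        raise TokenError("bad signature")
    payload = json.loads(b64url_decode(payload_b64))
    if "exp" not in payload or now >= int(payload["exp"]):  # now must be strictly before exp
        raise TokenError("expired")
    return payload


def authorize(token: str, requested_service: str, now: int = None) -> dict:
    """Access control from the verified Payload: the requested service must be in the rights list."""
    payload = verify_token(token, now)
    granted = requested_service in payload.get("rights", [])
    return {"user": payload["sub"], "service": requested_service, "granted": granted}


if __name__ == "__main__":
    t0 = 1_700_000_000
    tok = issue_token("u1001", "alice", ["production", "safety_monitoring"], 3600, now=t0)
    print(authorize(tok, "production", now=t0 + 60))
    print(authorize(tok, "equipment", now=t0 + 60))
```

The order inside verify_token is deliberate: nothing in the Payload is read until the signature has been checked, so a payload edited to add a right, or a header switched to alg "none", is rejected before it can influence access control.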
And the encryption transmission is carried out through the HTTPS protocol, so that confidentiality and integrity of authentication request and response data are ensured, and the data are prevented from being intercepted or tampered by a third party in the transmission process.
The authentication center provides a standardized RESTful API for integration with external systems. The supported functions include:
User registration: an external system registers a new user through the API.
User login authentication: verifying the identity of the user and returning the JWT token.
Token verification: verifying the validity of a JWT token.
Token refresh: refreshing a token that is about to expire and issuing a new one.
The technical scheme has the beneficial effects that the quick authentication and single sign-on among the multi-service systems are realized, the user experience and the working efficiency are greatly improved, the safety of the systems and the convenience of management are enhanced, and the method has a wide application prospect.
It will be apparent to those skilled in the art that various modifications and variations can be made to the present invention without departing from the spirit or scope of the invention. Thus, it is intended that the present invention also include such modifications and alterations insofar as they come within the scope of the appended claims or the equivalents thereof.

Claims (8)

1. A method for rapid authentication between multiple services in a coal mine, comprising:
S101, a new user accesses a registration interface of an authentication center through a user terminal, fills in and submits registration information, and the authentication center verifies the registration information to complete user registration;
S102, a user enters login information on a login interface of the authentication center, the login request is transmitted to a service provider through an encryption protocol, the service provider forwards the login request to the authentication center for verification, an authentication token is generated after the verification passes, and the authentication token is returned to the user terminal through the service provider;
S103, after receiving the authentication token, the user terminal stores the authentication token locally;
S104, when the user accesses the coal mine multi-service system, the user terminal initiates an access request carrying the authentication token, the service provider verifies the validity of the token, and after verification the user is allowed to access the corresponding service;
S105, when the authentication token is close to expiration, the user terminal automatically invokes a token refresh interface of the authentication center to acquire a new authentication token, ensuring the continuous login state and authentication authority of the user;
wherein allowing the user to access the corresponding service after verification comprises the following steps:
acquiring access request data of the coal mine multi-service system and extracting user identity information from the authentication token carried by the user terminal, wherein the access request data comprises user identity data and an access service type;
performing layered processing on the access request data according to the user identity data and the access service type to obtain verification data, which specifically comprises:
acquiring user authority information from the user identity data;
acquiring the type of each service associated with the user authority information as data to be verified;
generating an access authorization result according to the verification data, inputting the access authorization result into the coal mine multi-service system, and allowing the user to access the corresponding service data and function modules;
wherein acquiring a new authentication token comprises:
receiving an authentication token state detection request sent by the user terminal, and acquiring first expiration time information carried in the authentication token, wherein the authentication token is generated by the authentication center for user identity verification and sent to the user terminal, and the user terminal is the terminal device that carries authentication information when accessing a target resource in the authentication path corresponding to the authentication token;
when the remaining valid time represented by the first expiration time information is smaller than a preset threshold, automatically triggering the user terminal to call the token refresh interface of the authentication center and send a refresh request carrying the old token to acquire a new authentication token, wherein the preset threshold indicates the point in time at which the authentication token is close to expiration;
after the new authentication token is successfully acquired, replacing the old token stored on the user terminal, ensuring the continuous login state and authentication authority of the user at the authentication center and on the target resource access path;
sending an access request carrying the new authentication token to the server corresponding to the target resource, and using the new authentication token in the subsequent authentication process when the access response of the target resource is acquired, so as to maintain the continuous access authority of the user terminal.
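The terminal-side part of the refresh step, as described in S105 of this claim and in the token refresh step of the interaction summary above (remaining validity read from the token's expiration time, refresh triggered when it drops below a preset threshold, the stored old token replaced, the new token carried on the next request). This is an added Python example and not part of the patent; the threshold value of 300 seconds, the token layout, the Bearer header and the refresh callback's signature are assumptions.

```python
import base64
import json

# Preset threshold: seconds of remaining validity below which the terminal refreshes.
# The patent gives no value; 300 s is an assumption for this example.
REFRESH_THRESHOLD_SECONDS = 300


def demo_token(exp: int) -> str:
    """Constructed three-segment token with a placeholder signature, for offline use only.
    The terminal never checks signatures, so the signature segment's content is irrelevant here."""
    enc = lambda b: base64.urlsafe_b64encode(b).rstrip(b"=").decode()
    header = enc(b'{"alg":"RS256","typ":"JWT"}')
    payload = enc(json.dumps({"sub": "u1001", "exp": exp}).encode())
    return header + "." + payload + ".sig"


def token_exp(token: str) -> int:
    """Read exp from the Payload segment without verifying. The terminal holds no key; it only
    needs the expiry to schedule a refresh. Trust decisions stay with the verifier."""
    payload_b64 = token.split(".")[1]
    payload = json.loads(base64.urlsafe_b64decode(payload_b64 + "=" * (-len(payload_b64) % 4)))
    return int(payload["exp"])


def remaining_seconds(token: str, now: int) -> int:
    return token_exp(token) - now


def needs_refresh(token: str, now: int, threshold: int = REFRESH_THRESHOLD_SECONDS) -> bool:
    """The 'first expiration time' check: refresh once remaining validity is below the threshold."""
    return remaining_seconds(token, now) < threshold


class TerminalTokenStore:
    """Holds the current token (stand-in for Local/Session Storage) and rotates it."""

    def __init__(self, token: str):
        self.token = token
        self.refresh_count = 0

    def prepare_request(self, now: int, refresh) -> dict:
        """Return the headers for the next service request, refreshing first if needed.
        `refresh(old_token) -> new_token` stands for the call to the authentication center's
        token refresh interface, which carries the old token (assumed signature)."""
        if needs_refresh(self.token, now):
            new_token = refresh(self.token)
            # Sanity check before replacing: a refresh that does not extend validity is a bug upstream.
            if token_exp(new_token) <= token_exp(self.token):
                raise RuntimeError("refresh did not extend validity")
            self.token = new_token  # replace the stored old token
            self.refresh_count += 1
        return {"Authorization": "Bearer " + self.token}

    def next_check_in(self, now: int) -> int:
        """Seconds until remaining validity reaches the threshold (0 if already there)."""
        return max(0, remaining_seconds(self.token, now) - REFRESH_THRESHOLD_SECONDS)


if __name__ == "__main__":
    t0 = 1_700_000_000
    store = TerminalTokenStore(demo_token(t0 + 3600))
    print(store.prepare_request(t0, lambda old: demo_token(t0 + 7200)))
    print(store.prepare_request(t0 + 3400, lambda old: demo_token(t0 + 7200)))
```

next_check_in lets the terminal schedule the state check rather than polling on every request; on the server side, the refresh interface is the place where the old token's signature is verified, so the client-side decode stays a scheduling aid and never an authorization decision.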
2. The method for rapid authentication between coal mine multiple services of claim 1, wherein step S101 comprises:
S1011, the user accesses the registration interface of the authentication center on the user terminal and submits registration information, wherein the registration information comprises a user name, a password, an e-mail address and a mobile phone number;
S1012, a user management module of the authentication center receives the registration information and performs a uniqueness check on the submitted user name to ensure it has not already been registered by someone else; if the user name exists, a prompt is sent to the user terminal asking the user to choose another user name;
S1013, the user management module performs an integrity check on the submitted information to ensure that all required fields are filled in and that the input format conforms to a preset standard;
S1014, if the information is complete and the format is valid, the authentication center further performs validity verification, including verification of the mobile phone number, confirmed by sending a verification code to the mobile phone provided by the user;
S1015, after verification passes, the user management module stores the user information in the user database and generates a unique user identifier.
3. The method for rapid authentication between coal mine multiple services of claim 1, wherein step S102 comprises:
based on the login information, sending a login request to the coal mine multi-service system through an encryption protocol;
after receiving the login request, the coal mine multi-service system forwards it to the authentication center for user identity verification;
the authentication center verifies the login information, and an authentication token is generated after verification passes;
the coal mine multi-service system receives the authentication token generated by the authentication center and returns it to the user terminal through the access system;
the user terminal carries the authentication token in subsequent requests;
the coal mine multi-service system verifies the authentication token through the verification interface of the authentication center, including verifying the signature and the validity of the authentication token;
if the authentication token passes verification, the coal mine multi-service system extracts the user identity information and authority information from the authentication token and performs access control, ensuring that the user can only access information within their authority.
4. The method for rapid authentication between coal mine multiple services of claim 3, wherein generating the authentication token after verification passes comprises:
determining the user information contained in the login request based on the user authentication requirement;
acquiring the user database corresponding to the user information;
performing matching verification of the user information against the data in the user database, and generating an authentication token if the match succeeds;
wherein performing matching verification of the user information against the data in a preset verification database and generating an authentication token if the match succeeds comprises:
searching the verification database for the user name in the information to be verified, and outputting a login failure result if no match is found;
matching the password entered by the user against the password information in the database, and if the match succeeds, generating an authentication token in JWT format;
after generation, the authentication token contains the user identity information and a signature, the signature being produced with the private key of the authentication center;
returning the generated authentication token to the client as the credential for subsequent access to system resources;
if the matching of the user name and password fails, outputting a login failure result and rejecting the login request.
5. The method for rapid authentication between coal mine multiple services of claim 4, wherein determining user information contained in the login request based on user authentication requirements comprises:
Analyzing the login request to obtain a user name and a password input by a user;
preprocessing the user name and the password to obtain cleaned user information;
and taking the user name and the password as information to be verified.
6. The method for rapid authentication between coal mine multiple services of claim 1, wherein acquiring user authority information from the user identity data comprises:
analysing the user identity data to obtain the set of authority information associated with the identity data, wherein the set of authority information comprises the user's roles, authority levels and list of accessible information;
and wherein generating an access authorization result based on the data to be verified comprises:
matching the user authority information against each of the service types and determining the user's authorization level for that service type;
if the user authority information satisfies the preset access condition, generating an access authorization result of authorization granted;
if the user authority information does not satisfy the access condition, generating an access authorization result of authorization rejected.
7. A system for rapid authentication between multiple services in a coal mine, comprising:
a registration unit, through which a new user accesses a registration interface of an authentication center via a user terminal, fills in and submits registration information, and the authentication center verifies the registration information to complete user registration;
a login unit, through which a user enters login information on a login interface of the authentication center, the login request is transmitted to a service provider through an encryption protocol, the service provider forwards the login request to the authentication center for verification, an authentication token is generated after the verification passes, and the authentication token is returned to the user terminal through the service provider;
a token storage unit, which stores the authentication token locally after the user terminal receives it;
a service access unit, through which, when the user accesses the coal mine multi-service system, the user terminal initiates an access request carrying the authentication token, the service provider verifies the validity of the token, and after verification the user is allowed to access the corresponding service;
a token refresh unit, which, when the authentication token is close to expiration, automatically calls a token refresh interface of the authentication center to acquire a new authentication token, ensuring the continuous login state and authentication authority of the user;
wherein allowing the user to access the corresponding service after verification comprises the following steps:
acquiring access request data of the coal mine multi-service system and extracting user identity information from the authentication token carried by the user terminal, wherein the access request data comprises user identity data and an access service type;
performing layered processing on the access request data according to the user identity data and the access service type to obtain verification data, which specifically comprises:
acquiring user authority information from the user identity data;
acquiring the type of each service associated with the user authority information as data to be verified;
generating an access authorization result according to the verification data, inputting the access authorization result into the coal mine multi-service system, and allowing the user to access the corresponding service data and function modules;
wherein acquiring a new authentication token comprises:
receiving an authentication token state detection request sent by the user terminal, and acquiring first expiration time information carried in the authentication token, wherein the authentication token is generated by the authentication center for user identity verification and sent to the user terminal, and the user terminal is the terminal device that carries authentication information when accessing a target resource in the authentication path corresponding to the authentication token;
when the remaining valid time represented by the first expiration time information is smaller than a preset threshold, automatically triggering the user terminal to call the token refresh interface of the authentication center and send a refresh request carrying the old token to acquire a new authentication token, wherein the preset threshold indicates the point in time at which the authentication token is close to expiration;
after the new authentication token is successfully acquired, replacing the old token stored on the user terminal, ensuring the continuous login state and authentication authority of the user at the authentication center and on the target resource access path;
sending an access request carrying the new authentication token to the server corresponding to the target resource, and using the new authentication token in the subsequent authentication process when the access response of the target resource is acquired, so as to maintain the continuous access authority of the user terminal.
8. The system for rapid authentication between coal mine multiple services of claim 7, wherein the login unit comprises:
based on the login information, sending a login request to the coal mine multi-service system through an encryption protocol;
after receiving the login request, the coal mine multi-service system forwards it to the authentication center for user identity verification;
the authentication center verifies the login information, and an authentication token is generated after verification passes;
the coal mine multi-service system receives the authentication token generated by the authentication center and returns it to the user terminal through the access system;
the user terminal carries the authentication token in subsequent requests;
the coal mine multi-service system verifies the authentication token through the verification interface of the authentication center, including verifying the signature and the validity of the authentication token;
if the authentication token passes verification, the coal mine multi-service system extracts the user identity information and authority information from the authentication token and performs access control, ensuring that the user can only access information within their authority.
CN202411666877.4A 2024-11-21 2024-11-21 Method and system for rapidly authenticating multiple services in coal mine Active CN119155129B (en)

Publications (2)

Publication Number Publication Date
CN119155129A CN119155129A (en) 2024-12-17
CN119155129B true CN119155129B (en) 2025-03-04

Legal Events

Code Title
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant