CN113746811A - Login method, device, equipment and readable storage medium - Google Patents
- Publication number: CN113746811A
- Authority: CN (China)
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Abstract
The present application discloses a login method, apparatus, device and readable storage medium. After the VPN authentication end determines that the user is a legitimate user of the VPN service, it sends a trust request carrying the user's identity identifier to a service server deployed in the intranet. The service server verifies the legitimacy of the user according to the identity identifier and sends a trust response carrying the legitimacy verification result to the VPN authentication end. According to the trust response, the VPN authentication end sends a login response to the user's terminal device, the login response indicating whether the user has successfully logged in to the service server and the VPN service through the browser. With this solution, a trust mechanism is established through mutual communication between the VPN authentication end and the service server, so that the user logs in to the service server at the same time as logging in to the VPN service end, which simplifies the login process, reduces the error rate and improves the user experience.
Description
Technical field
The present application relates to the technical field of network security, and in particular to a login method, apparatus, device and readable storage medium.
Background
With the rapid development of Internet technology, enterprises have built internal networks and deployed a variety of business systems on them to improve office efficiency. Common business systems include mail systems, office automation (OA) systems and the like.
Usually, when a user works at the company and wants to access a business system, the user enters the account and password of that business system for verification, and business access is only possible after the verification passes. However, users sometimes need to work while on business trips or at home. To make it convenient for public-network users to access the various systems in the enterprise intranet while keeping access secure, the Virtual Private Network (VPN) came into being. Considering factors such as operating cost and service professionalism, most enterprises choose to purchase the VPN service of a network service provider to give public-network users access to intranet services.
In this application scenario, the network service provider verifies the user's identity in order to determine whether the user is legitimate, and the business system in the intranet itself also needs to verify the legitimacy of the user's identity. As a result, an enterprise user accessing business systems in the intranet through the public network has to enter login information at least twice before access succeeds; the process is cumbersome and error-prone, and the user experience is poor.
Summary of the invention
The present application provides a login method, apparatus, device and readable storage medium, in which a trust mechanism is established through mutual communication between the VPN authentication end and the service server, so that the user logs in to the service server at the same time as logging in to the VPN service end, simplifying the login process and reducing the error rate.
In a first aspect, an embodiment of the present application provides a login method applied to a virtual private network (VPN) authentication end deployed in the public network, the method including:
determining that the user is a legitimate user of the VPN service;
sending a trust request to a service server deployed in the intranet, the trust request carrying the identity identifier of the user;
receiving a trust response from the service server, the trust response being generated by the service server according to the result of legitimacy verification of the identity identifier;
according to the trust response, sending a login response to the user's terminal device, the login response indicating whether the user has successfully logged in to the service server and the VPN service through a browser.
In a second aspect, an embodiment of the present application provides a login method applied to a VPN service end deployed in the public network, the method including:
receiving an authentication request sent by the user through the VPN client application on the terminal device;
verifying the authentication request to obtain a feedback result, and sending the feedback result to the VPN client application of the terminal device;
if the feedback result indicates that the VPN client application has successfully logged in to the service server and the VPN service, establishing a VPN tunnel with the VPN client application, so as to receive through the VPN tunnel the service request sent by the user through the VPN client, and forwarding the service request to the service server.
In a third aspect, an embodiment of the present application provides a login method applied to a service server deployed in the intranet, including:
receiving a trust request from a VPN authentication end deployed in the public network, the trust request carrying the identity identifier of a user, the user being a legitimate user of the VPN service;
performing legitimacy verification on the user to obtain a legitimacy verification result, the legitimacy verification result indicating whether the user is a legitimate user of the service server;
sending a trust response carrying the legitimacy verification result to the VPN authentication end.
In a fourth aspect, an embodiment of the present application provides a login method applied to a terminal device, including:
obtaining, through a browser, a data stream for displaying a login page, the login page being used to log in to the VPN service and to a service server in the intranet;
displaying the login page according to the data stream;
sending, through the login page, a login request carrying the user's login information to the VPN authentication end;
receiving a login response from the VPN authentication end, the login response indicating whether the user has successfully logged in to the service server and the VPN service through the browser.
In a fifth aspect, an embodiment of the present application provides a login apparatus integrated in a VPN authentication end deployed in the public network, the apparatus including:
a processing module, configured to determine that the user is a legitimate user of the VPN service;
a sending module, configured to send a trust request to a service server deployed in the intranet, the trust request carrying the identity identifier of the user;
a receiving module, configured to receive a trust response from the service server, the trust response being generated by the service server according to the result of legitimacy verification of the identity identifier;
the sending module being further configured to send, according to the trust response, a login response to the user's terminal device, the login response indicating whether the user has successfully logged in to the service server and the VPN service through a browser.
In a sixth aspect, an embodiment of the present application provides a login apparatus integrated in a VPN service end deployed in the public network, the apparatus including:
a receiving module, configured to receive an authentication request sent by the user through the VPN client application on the terminal device;
a processing module, configured to verify the authentication request to obtain a feedback result and to send the feedback result to the VPN client application of the terminal device, and,
if the feedback result indicates that the VPN client application has successfully logged in to the service server and the VPN service, to establish a VPN tunnel with the VPN client application so as to receive through the VPN tunnel the service request sent by the user through the VPN client;
a sending module, configured to forward the service request to the service server.
In a seventh aspect, an embodiment of the present application provides a login apparatus integrated in a service server deployed in the intranet, the apparatus including:
a receiving module, configured to receive a trust request from a VPN authentication end deployed in the public network, the trust request carrying the identity identifier of a user, the user being a legitimate user of the VPN service;
a processing module, configured to perform legitimacy verification on the user to obtain a legitimacy verification result, the legitimacy verification result indicating whether the user is a legitimate user of the service server;
a sending module, configured to send a trust response carrying the legitimacy verification result to the VPN authentication end.
In an eighth aspect, an embodiment of the present application provides a login apparatus integrated in a terminal device, the apparatus including:
a processing module, configured to obtain, through a browser, a data stream for displaying a login page, the login page being used to log in to the VPN service and to a service server in the intranet;
a display module, configured to display the login page according to the data stream;
a sending module, configured to send, through the login page, a login request carrying the user's login information to the VPN authentication end;
a receiving module, configured to receive a login response from the VPN authentication end, the login response indicating whether the user has successfully logged in to the service server and the VPN service through the browser.
In a ninth aspect, an embodiment of the present application provides an electronic device including a processor, a memory and a computer program stored in the memory and executable on the processor, where executing the computer program causes the electronic device to implement the method of the first aspect or any of its possible implementations; or the method of the second aspect or any of its possible implementations; or the method of the third aspect or any of its possible implementations; or the method of the fourth aspect or any of its possible implementations.
In a tenth aspect, an embodiment of the present application provides a computer-readable storage medium storing computer instructions which, when executed by a processor, implement the method of the first aspect or any of its possible implementations; or the method of the second aspect or any of its possible implementations; or the method of the third aspect or any of its possible implementations; or the method of the fourth aspect or any of its possible implementations.
In an eleventh aspect, an embodiment of the present application provides a computer program product including a computer program which, when executed by a processor, implements the method of the first aspect or any of its possible implementations; or the method of the second aspect or any of its possible implementations; or the method of the third aspect or any of its possible implementations; or the method of the fourth aspect or any of its possible implementations.
In the login method, apparatus, device and readable storage medium provided by the embodiments of the present application, after the VPN authentication end determines that the user is a legitimate user of the VPN service, it sends a trust request carrying the user's identity identifier to a service server deployed in the intranet. The service server verifies the legitimacy of the user according to the identity identifier and sends a trust response carrying the legitimacy verification result to the VPN authentication end. According to the trust response, the VPN authentication end sends a login response to the user's terminal device, the login response indicating whether the user has successfully logged in to the service server and the VPN service through the browser. With this solution, a trust mechanism is established through mutual communication between the VPN authentication end and the service server, so that the user logs in to the service server at the same time as logging in to the VPN service end, which simplifies the login process, reduces the error rate and improves the user experience. Moreover, authentication information is entered only once during login, and that information is the user's VPN service login information, such as the login account and password; the authentication information of the service server does not need to be entered, so the service server stays hidden in the back end, which reduces the risk of the service server being attacked while also reducing the number of times the user has to enter login information.
Brief description of the drawings
In order to explain the technical solutions in the embodiments of the present application more clearly, the drawings used in the description of the embodiments are briefly introduced below. Obviously, the drawings described below are only some embodiments of the present application; those of ordinary skill in the art can obtain other drawings from them without creative effort.
FIG. 1A is a schematic diagram of an implementation environment of the login method provided by an embodiment of the present application;
FIG. 1B is a schematic diagram of another implementation environment of the login method provided by an embodiment of the present application;
FIG. 2 is a flowchart of the login method provided by an embodiment of the present application;
FIG. 3 is a schematic diagram of the sequence of interface changes on the terminal device in the login method provided by an embodiment of the present application;
FIG. 4 is a schematic diagram of the token authentication process in the login method provided by an embodiment of the present application;
FIG. 5 is a schematic process diagram of the login method provided by an embodiment of the present application;
FIG. 6 is a schematic diagram of a login apparatus provided by an embodiment of the present application;
FIG. 7 is a schematic diagram of a login apparatus provided by an embodiment of the present application;
FIG. 8 is a schematic structural diagram of an electronic device provided by an embodiment of the present application.
Detailed description of embodiments
In order to make the objectives, technical solutions and advantages of the present application clearer, the embodiments of the present application are described in further detail below with reference to the accompanying drawings.
Currently, before a user logs in to a VPN service through a VPN client, the VPN system authenticates the user with its own built-in user identity authentication module; only after authentication passes can the user use the VPN service. VPN client applications include Android client applications, iOS client applications, Windows PC client applications and the like.
After a user on the public network has logged in to the VPN system and accesses a business system in the intranet, the business system likewise needs to verify the legitimacy of the user's identity.
In the above process of logging in to the business system, the login information entered the first time is used for identity verification by the VPN system, and the login information entered the second time is used for identity verification by the business system. In other words, the VPN system and the business system each manage their own account system independently. Taking a user on the public network accessing a business system in the company intranet as an example: during access, the user first enters authentication information such as the VPN service account and password to log in to the VPN service end. After successfully logging in to the VPN service, the user reaches a home page listing some of the company's business systems and selects the business system to access in order to log in. For example, when accessing the OA system, a login page pops up again asking the user to enter the authentication information of the OA system.
Obviously, the above login process is cumbersome and error-prone, gives a poor user experience and makes it inconvenient for users to manage their login information. Moreover, if the business system is exposed on the public network, it may be at risk of attack.
On this basis, the embodiments of the present application provide a login method, apparatus, device and readable storage medium in which a trust mechanism is established through mutual communication between the VPN authentication end and the service server, so that the user logs in to the service server at the same time as logging in to the VPN service end, simplifying the login process, reducing the error rate and improving the user experience.
FIG. 1A is a schematic diagram of an implementation environment of the login method provided by an embodiment of the present application. Referring to FIG. 1, this implementation environment includes: a virtual private network (VPN) authentication end 11 deployed in the public network, a VPN service end 12 deployed in the public network, a service server 13 deployed in the intranet, and a terminal device 14 in the public network. There is at least one VPN service end 12; each VPN service end 12 is connected to the VPN authentication end 11 via a network, the VPN authentication end 11 and the service server 13 are connected via a network, and the terminal device 14 can establish network connections with the VPN authentication end 11 and the VPN service end. In a preferred embodiment, communication between the VPN service end 12 and the VPN authentication end 11, between the VPN authentication end 11 and the service server 13, and between the VPN service end 12 and the service server 13 takes place over a VPN network, to protect data in transit. In one specific implementation, the VPN network may be built on SD-WAN (Software Defined Wide Area Network) technology, with the VPN authentication end and the VPN service end deployed on POP (point-of-presence) node servers of the SD-WAN network.
Referring to FIG. 1A, one VPN authentication end 11 can communicate with multiple VPN service ends 12. The VPN authentication end 11 is a service application deployed in the public network by the network provider specifically for single-login verification of the VPN and the service server; it can be deployed on the same device as one of the VPN service ends 12 or deployed separately. In practical application scenarios the number of VPN service ends 12 can be large.
The VPN service end 12 provides the VPN service to the user, where the VPN service may include forwarding the user's requests to the intranet through a VPN tunnel. When a user uses the VPN service, a different VPN service end 12 may provide the service each time.
In one application scenario, the service server 13 is, for example, the server of a single sign-on (SSO) system, that is, the VPN customer has already implemented single sign-on for its business services on the basis of an SSO service. When the service server 13 is the server of an SSO system, once the user has entered the password once and successfully logged in to both the VPN service and the SSO server, the user can rely on the SSO system's logged-in state to directly access the business systems connected to the SSO system, such as the office automation (OA) system, mail system, attendance system, performance system and so on.
In another application scenario, the service server 13 may be one of the servers of an OA system, a mail system and the like. Taking the OA system as an example, after entering the password once and logging in to the VPN service and the OA server at the same time, the user can access the other OA systems.
In addition, if a VPN customer has purchased VPN services for multiple business systems in the intranet and has not yet introduced an SSO system, then when establishing the mutual trust mechanism, the VPN authentication end needs to establish a mutual trust mechanism with each of the multiple service servers separately.
The terminal device 14 is, for example, an electronic device such as a mobile phone, tablet or personal computer running the Android, Microsoft, Symbian, Linux or Apple iOS operating system. A browser and a VPN client application, such as an Android client application, an iOS client application or a Windows PC client application, are installed on the terminal device 14.
FIG. 1B is a schematic diagram of another implementation environment of the login method provided by an embodiment of the present application. Referring to FIG. 1, this implementation environment includes: a virtual private network (VPN) server 110 deployed in the public network, a service server 13 deployed in the intranet, and a terminal device 14 in the public network. The VPN server 110 integrates the functions of both the VPN authentication end 11 and the VPN service end 12 of FIG. 1A, that is, the VPN authentication end 11 and the VPN service end 12 are both deployed on the VPN server 110; the VPN server 110 and the service server 13 are connected via a VPN network, and the terminal device 14 can access the VPN server via the Internet. For details, refer to FIG. 1A; they are not repeated here.
Unless otherwise specified, the description below is based on the implementation environment shown in FIG. 1A.
FIG. 2 is a flowchart of the login method provided by an embodiment of the present application. This embodiment is described from the perspective of the interaction among the VPN authentication end, the service server and the terminal device. This embodiment includes:
201. The VPN authentication end determines that the user is a legitimate user of the VPN service.
It is worth noting that the login method provided by the embodiments of the present application is applicable to the scenario in which the user logs in through the VPN client application, as shown in FIG. 3, and also to the scenario in which the user logs in directly from a browser, that is, the user can access the login page directly through the browser.
FIG. 3 is a schematic diagram of the sequence of interface changes on the terminal device in the login method provided by an embodiment of the present application. Referring to FIG. 3, the user taps the VPN client application on the desktop of the electronic device, which opens the VPN client application. The user interface of the VPN client application shows two buttons, joint login and ordinary login; ordinary login is a login mode in which login information is entered at least twice, and joint login is the login mode provided by the embodiments of the present application.
The user taps the joint login button, thereby selecting the login mode provided by the embodiments of the present application. The VPN client application then automatically brings up the browser. The terminal device requests the login page from the VPN authentication end through the browser and displays it; it will be understood that, in the scenario where the user logs in directly from the browser, the access address of the login page can simply be entered in the browser. The user then enters the login information on the login page by voice, touch or other means, and it is sent to the VPN authentication end. The login information includes a login account, a password and the like, and may also include a verification code, an enterprise identifier and the like. The login account and password are maintained independently by the VPN authentication end, that is, they were obtained by the user registering in advance with the VPN authentication end and have no relation to the login information of the service server.
During user registration, the VPN authentication end may collect and store the legitimate user's login information (except the verification code) together with related information such as the identity identifier. The identity identifier is the information the enterprise uses to identify the user, for example the user's mobile phone number, ID card number or employee number. It will be understood that an enterprise customer purchasing the VPN service synchronizes the identity identifiers of legitimate users (for example, enterprise employees or other personnel permitted to use the VPN service) to the VPN authentication end in advance, so that the VPN authentication end can determine whether a user is legitimate when it receives the user's registration request. After receiving the login information, the VPN authentication end compares the stored information with the login account, password and enterprise identifier submitted at login; if they match, the user is determined to be a legitimate user of the VPN service. Preferably, the verification code submitted by the user is also verified, to further ensure the legitimacy of the operator.
If the user is a legitimate user of the VPN service, step 202 is performed; if the user is not a legitimate user of the VPN service, a prompt is displayed indicating that the user cannot log in through the login mode provided by the embodiments of the present application.
It should be noted that although in FIG. 3 above the user interface of the VPN client application shows both the joint login and ordinary login buttons, the embodiments of the present application are not limited to this. In other feasible implementations, the user interface of the VPN client application shows only the joint login button, that is, the VPN client application provides only the login method described in the embodiments of the present application. In that case, after the user taps the VPN client application on the desktop of the electronic device and requests to log in, the VPN client application brings up the browser to request the login page from the VPN authentication end and displays it, without the user needing to select the joint login mode.
202. The VPN authentication end sends a trust request to the service server.
The trust request carries the identity identifier of the user.
Exemplarily, after the VPN authentication end determines that the user is a legitimate user of the VPN service, it may determine the user's identity identifier from the login information submitted by the user and send a trust request carrying the user's identity identifier to the service server in the intranet, so as to request the establishment of a mutual trust relationship with the service server.
It is worth noting that, to ensure the security of data transmission, the trust request sent by the VPN authentication end needs to be transmitted over the VPN network, which is deployed between the VPN authentication end and the intranet where the service server is located. Furthermore, the VPN authentication end may encrypt the user identity identifier carried in the trust request using an encryption method negotiated in advance with the service server, to further prevent leakage of user information; correspondingly, when the service server receives the encrypted user identity identifier, it must first decrypt it.
203. The service server performs legitimacy verification on the user to obtain a legitimacy verification result.
The legitimacy verification result is used to indicate whether the user is a legitimate user of the service server.
In one implementation, since the service server is owned by the enterprise customer, the service server has access to the enterprise customer's user information, including identity identifiers and access rights, and the form of user identity identifier available to the service server is consistent with that of the VPN authentication end. Therefore, after receiving the trust request, the service server judges, according to the user identity identifier carried in the trust request, whether the user has the right to access it; if so, the user is determined to be a legitimate user of the service server, thereby obtaining the legitimacy verification result.
In another implementation, the VPN authentication end may, while verifying that the user is a legitimate user, confirm the user's access rights so as to determine whether the user has the right to access the service server; if so, it sends the user identity identifier to the service server. After the service server determines that the received user identity identifier comes from a legitimate VPN authentication end, it may directly trust the verification result of the VPN authentication end, determine the user to be a legitimate user, and obtain the legitimacy verification result. In this implementation, the enterprise customer needs to synchronize user access rights to the VPN authentication end, but does not need to cooperate on the service server to implement the verification of the above embodiment, so the implementation is simpler.
204. The service server sends a trust response carrying the legitimacy verification result to the VPN authentication end.
205. The VPN authentication end sends a login response to the user's terminal device according to the trust response.
Exemplarily, if the legitimacy verification result indicates that the user is a legitimate user of the service server, the login response is a data stream used to generate a login success page, and the login response indicates that the user has successfully logged in to the service server and the VPN service through the browser. If the legitimacy verification result indicates that the user is not a legitimate user of the service server, the login response is a data stream used to generate a login failure page, and the login response indicates that the user has failed to log in to the service server and the VPN service through the browser.
If login succeeds, the user is able to access the service server through the VPN service.
In the login method provided by the embodiment of the present application, after the VPN authentication end determines that the user is a legitimate user of the VPN service, it sends a trust request carrying the user's identity identifier to the service server deployed in the intranet. The service server verifies the legitimacy of the user according to the identity identifier and sends a trust response carrying the legitimacy verification result to the VPN authentication end. According to the trust response, the VPN authentication end sends a login response to the user's terminal device, the login response indicating whether the user has successfully logged in to the service server and the VPN service through the browser.
With this solution, a trust mechanism is established through mutual communication between the VPN authentication end and the service server, and login information is entered only once during the login process, so that the user logs in to the service server at the same time as logging in to the VPN service end; this simplifies the login process, reduces the error rate and improves the user experience. The login information is managed independently by the network service provider's VPN authentication end, and the enterprise customer does not need to synchronize the user login information it manages to the VPN authentication end, which protects the security of the customer's internal data. Since the user does not need to access the service server directly during the login process, the service server does not need to provide a public network entry point, so the service server can be hidden completely within the intranet, reducing the risk of the service server being attacked.
Optionally, in the above embodiment, the login response indicates whether the user has successfully logged in to the service server and the VPN service through the browser. Since the browser and the VPN client application are two different programs, in the scenario where the user logs in through the VPN client application the login verification on the VPN client application side must be completed as a further step. For this purpose the VPN authentication end generates a token, which is used for authentication in the verification process shown in FIG. 4.
Exemplarily, referring to FIG. 4, FIG. 4 is a schematic diagram of the token authentication process in the login method provided by an embodiment of the present application. This embodiment includes:
401. The VPN authentication end receives a trust response from the service server.
402. The VPN authentication end generates a token for the user.
Exemplarily, after the VPN authentication end receives the trust response from the service server, if the trust response indicates that the user is a legitimate user of the service server, the VPN authentication end generates a token, which is used to verify the legitimacy of the VPN client application.
403. The VPN authentication end sends a login response carrying the token to the terminal device.
Exemplarily, the VPN authentication end carries the token in the login response and sends it to the browser of the terminal device.
404. The browser of the terminal device displays the login success page.
405. The browser of the terminal device activates the VPN client application by means of the login success page, and sends the token to the VPN client application.
In the embodiment of the present application, the browser activates the VPN client application by running a script in the login success page or the like. For example, the terminal device displays the login success page through the browser and, after it has been displayed for a preset duration, automatically runs the script in the login success page so as to activate the VPN client; the preset duration is, for example, 3 seconds or 4 seconds, and is not limited in the embodiment of the present application.
As another example, the terminal device displays the login success page through the browser, and the user clicks the close button on the login success page, which triggers the script to run and thereby activates the VPN client.
406. The VPN client application sends an authentication request carrying the token to the VPN service end that provides the VPN service.
In one implementation, the address information of the VPN service end that provides the VPN service may be preconfigured in the VPN client application; after the client application is activated by the browser, it automatically sends an authentication request to the VPN service based on the received token.
In another implementation, while generating the token, the VPN authentication end may determine, according to information about the terminal device, the access addresses of one or more preferred VPN service ends from among a plurality of VPN service ends that provide the VPN service, and send them together with the token to the browser of the terminal device, so as to instruct the VPN client application of the terminal device to select one VPN service end from among them to provide the VPN service. Specifically, the VPN authentication end may determine the location of the terminal device according to its IP address and select a nearby VPN service end for it to provide the VPN service. It can be understood that the specific VPN service end selection policy may be set according to the customer's actual needs and is not limited by the present invention.
407. The VPN service end verifies the authentication request to obtain a feedback result.
Exemplarily, the VPN service end itself verifies the token carried in the authentication request, or the VPN service end sends the token carried in the authentication request to the VPN authentication end, which performs the verification.
For example, after the VPN authentication end generates the token, while sending the token to the browser of the terminal device in the login response, it also sends the token to the VPN service end that provides the VPN service (such as the VPN service end preconfigured in the VPN client application, or the one or more selected VPN service ends), and the VPN service end stores the token. Upon receiving the authentication request sent by the VPN client application, the VPN service end verifies the token carried in the authentication request against the stored token to obtain a feedback result. The feedback result indicates whether the user has successfully logged in to the service server and the VPN service through the VPN client application.
As another example, the VPN client application sends an authentication request to the VPN service end. After receiving the authentication request, the VPN service end generates a token verification request based on the token carried in the authentication request and sends it to the VPN authentication end. The VPN authentication end verifies the token carried in the verification request against the token generated in step 402, thereby generating a feedback result; the token carried in the verification request is the one the VPN service end obtained from the authentication request sent by the terminal device through the VPN client application. The VPN authentication end then sends the feedback result to the VPN service end, and correspondingly the VPN service end receives the feedback result returned by the VPN authentication end. The feedback result indicates whether the user has successfully logged in to the service server and the VPN service through the VPN client application.
In addition, the authentication request may well carry no token at all; in that case the VPN service end directly determines that the VPN client application is illegitimate, that is, that the user has failed to log in to the service server and the VPN service through the VPN application.
With this solution, the token carried in the authentication request is verified by the VPN authentication end or the VPN service end, which ensures the legitimacy of the VPN client application and thereby completes the user's login process through the VPN client application.
Optionally, in the above embodiment, after the VPN authentication end generates the token, it may set the state of the token based on a validity period or other information and store the token. For example, if the token has expired, the token is set to the invalid state; if the VPN authentication end receives a notification from the customer that the user has been deactivated, the token is set to the invalid state; as another example, if the VPN service purchased by the user's company has expired, the token is set to the invalid state. The stored token is referred to below as the first token.
Afterwards, the VPN client application sends an authentication request carrying the token to the VPN service end; the VPN service end generates a token verification request according to the token carried in the authentication request and sends the token verification request carrying the token to the VPN authentication end; the token carried in the token verification request is referred to below as the second token. After receiving the token verification request, the VPN authentication end verifies the second token against the first token. For example, if the VPN authentication end finds, among the stored first tokens, a token identical to the second token, it determines that the second token is a token generated by the VPN authentication end, and further judges whether the state of the second token is normal. If the state of the second token is normal, the VPN authentication end generates a feedback result indicating that the second token is legitimate. If the second token was not generated by the VPN authentication end or its state is abnormal, for example invalid, the VPN authentication end generates a feedback result indicating that the second token is illegitimate.
If the token carried in the authentication request is verified by the VPN service end, then after generating the token the VPN authentication end needs to send the token's state and related information to the VPN service end, and synchronize updates to the VPN service end whenever the token state changes. The VPN service end receives and stores the token and its state, and verifies the token carried in the authentication request based on the stored token and its state; the verification method is the same as described above and is not repeated here.
With this solution, by further verifying whether the state of the token is normal, real-time and accurate verification of the legitimacy of the token is achieved.
408. The VPN service end sends the feedback result to the VPN client application of the terminal device.
The VPN service end may determine, based on the feedback result, whether to provide the VPN service to the VPN client application. Specifically, if the feedback result indicates that the user has successfully logged in to the service server and the VPN service through the VPN client application, the VPN service end may respond normally to the VPN tunnel establishment request sent by the VPN client application, so as to establish a VPN tunnel between the VPN client application and the VPN service end; this VPN tunnel is used to receive the service requests for the service server sent by the user through the VPN client application. It can be understood that, in the scenario where the service server is an SSO system server, the service requests sent by the user to the service server include the service requests sent by the user to all services connected to the SSO system server. If the feedback result indicates that the user has not successfully logged in to the service server and the VPN service through the VPN client application, the VPN service end refuses to establish a VPN tunnel with the VPN client application, and thereby refuses to receive the user's intranet access requests.
Exemplarily, if the feedback result indicates that the VPN client application has successfully logged in to the service server and the VPN service, step 409 is performed: a VPN tunnel is established with the VPN client application, so as to receive through the VPN tunnel the service requests sent by the user through the VPN client to the service server or to other service servers connected to the service server, and to forward the service requests to the service server.
If the feedback result indicates that the VPN client application has failed to log in to the service server and the VPN service, the VPN client application of the terminal device pops up a prompt message informing the user that login has failed, and establishment of a VPN tunnel with the VPN client application is refused.
In the above embodiment, after the user has successfully logged in to the service server and the VPN service through the browser, the VPN client application is brought up and its legitimacy is confirmed based on the token, thereby determining whether the user has successfully logged in to the service server and the VPN service through the VPN client application. Throughout the operation, switching between the VPN client application and the browser is performed automatically, without manual switching by the user, so the operation is simple and the user experience is good, and the user only needs to enter the login information once to log in to the VPN service and the service server through the VPN client application.
The complete process of login based on the VPN client application is illustrated below with reference to FIG. 5.
FIG. 5 is a schematic diagram of the process of the login method provided by an embodiment of the present application. Referring to FIG. 5, this embodiment includes:
501. The terminal device recognizes the user's click operation on the VPN client application and determines that the user has selected the joint login mode.
Exemplarily, the user opens the VPN client application on the desktop of the terminal device and clicks on the user interface of the VPN client application to select the joint login mode. For details, refer to the description of FIG. 3, which is not repeated here.
502. The terminal device brings up the browser.
Exemplarily, in response to the user's operation of selecting the joint login mode, the VPN client application automatically brings up the browser and directs it to access the VPN authentication end and request the login page; the VPN authentication service end is deployed in the public network.
503. The browser sends a page request to the VPN authentication end; the page request requests the data stream the browser needs to display the login page.
504. The browser receives the data stream for displaying the login page from the VPN authentication end.
Exemplarily, after receiving the data stream, the browser renders and displays the login page.
505. The browser obtains the login information entered by the user on the login page.
Exemplarily, the user enters login information such as the account, password, enterprise identifier and verification code on the login page.
506. The browser submits the login information to the VPN authentication end.
507. The VPN authentication end verifies the legitimacy of the user according to the login information.
508. For a legitimate user of the VPN service, the VPN authentication end and the service server perform mutual trust authentication.
In the application scenario where the service server is an SSO system server, during the mutual trust authentication process the VPN authentication service end synchronizes authentication information to the SSO system server through the VPN network. For example, the authentication information includes the user's identity identifier: the VPN authentication service end sends a trust request carrying the legitimate user's identity identifier to the service server, and the SSO system server authenticates the user based on the authentication information to determine the user's access rights. It can be understood that the types and number of business services connected to the SSO system depend on the enterprise customer's actual situation, such as OA services, mail services and financial management services, and the enterprise customer may set different access rights for its employees (users). When authenticating a user, once the SSO system confirms that the user has access rights to at least one business service, it can return login success feedback to the VPN authentication end and at the same time generate a login state for the user; this login state applies only to the business services the user has access rights to.
During subsequent service access, after receiving a service access request from the user, the service server may confirm the user's current state with the SSO system server. If the user's current state is the logged-in state, the request is allowed through directly and a service response is sent to the VPN service end; otherwise access is denied and a prompt message is sent to the VPN service end, so that the VPN service end sends a prompt message to the terminal device informing it that the service access has failed.
In a specific implementation, the SSO system server and the connected business services may synchronize user state through a mutual trust communication mechanism, so that the service server does not need to verify the user's legitimacy again during subsequent service access, which reduces the number of times authentication information must be entered and lowers the probability of error.
Optionally, the communication mechanism includes any one of the following: a shared JSON Web Token (JWT), a shared session (SESSION), Security Assertion Markup Language (SAML) or Open Authorization (OAuth).
With this solution, the SSO system server can generate any one of the communication mechanisms, such as a shared JWT, a shared SESSION or SAML, for the user, which offers high flexibility.
509. The VPN authentication end generates a token for the user and sends a trust response carrying the token to the terminal device; the token is used to verify the legitimacy of the VPN client application of the terminal device.
Exemplarily, the VPN authentication end generates a token for the current user login and carries it in the login success response page returned to the browser, so that the browser can obtain the token.
510. The browser activates the VPN client application based on the login success page.
After the browser displays the login success page, it activates the VPN client application by running the script in the page. The script in the login success page invokes the VPN client application through a browser built-in method and passes the token along, thereby handing the token to the VPN client application. An example of such a browser built-in method is as follows: appName://truthLogin?Token=123456.
511. The VPN client application sends an authentication request carrying the token to the VPN service end that provides the VPN service.
Exemplarily, after the VPN client application is activated, it receives the token passed by the browser and automatically carries the token in an authentication request sent to the VPN service end.
After receiving the authentication request, the VPN service end verifies the validity of the token to obtain a feedback result, so as to determine whether the VPN client application is legitimate. For example, the VPN service end performs step 512: it sends a token verification request to the VPN authentication end, so that the VPN authentication end verifies whether the token carried in the token verification request is legitimate to obtain a feedback result. The VPN service end then performs step 513: it receives the feedback result from the VPN authentication end.
As another example, before receiving the authentication request, the VPN service end has also received the token from the VPN authentication end; after receiving the authentication request, the VPN service end verifies the token carried in the authentication request against the token from the VPN authentication end to obtain the feedback result.
VPN服务端得到反馈结果后,向VPN客户端应用发送该反馈结果,以完成登录。若反馈结果指示VPN客户端应用成功登录业务服务器和VPN服务,则VPN客户端应用可显示登录成功信息,并展示业务服务访问界面,供用户操作;若反馈结果指示登录失败,则VPN客户端应用向用户展示登录失败信息,并拒绝用户针对业务访问界面的请求或操作。After the VPN server receives the feedback result, it sends the feedback result to the VPN client application to complete the login. If the feedback result indicates that the VPN client application successfully logs in to the service server and VPN service, the VPN client application can display the login success information and display the business service access interface for user operations; if the feedback result indicates that the login fails, the VPN client application Display the login failure information to the user, and deny the user's request or operation for the business access interface.
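A runnable simulation of steps 509 to 513 (a token issued by the VPN authentication end, handed to the VPN client through the appName://truthLogin?Token=... launch URL, then checked by the VPN server through a verification request to the authentication end), written as an added example and not code from the patent. The class and function names, the single-use and 60-second validity rule, and the token format are assumptions chosen to make "generated by the VPN authentication end and in a normal state" concrete.

```python
import secrets
import time
from urllib.parse import urlparse, parse_qs

TOKEN_TTL_SECONDS = 60  # assumption: a token is short-lived and redeemable once


class VpnAuthEnd:
    """VPN authentication end: issues tokens (step 509) and answers the VPN
    server's token verification requests (step 512)."""

    def __init__(self):
        self._tokens = {}  # token -> {"user", "issued", "used"}

    def issue_token(self, user, now=None):
        # Random, unguessable token bound to this login; recorded so that only
        # tokens generated here can later verify as legitimate.
        token = secrets.token_urlsafe(24)
        self._tokens[token] = {"user": user, "issued": now or time.time(), "used": False}
        return token

    def verify(self, token, now=None):
        """Token is legitimate only if generated here and in a normal state:
        unknown, already redeemed or expired tokens all yield a negative result."""
        now = now or time.time()
        rec = self._tokens.get(token)
        if rec is None or rec["used"] or now - rec["issued"] > TOKEN_TTL_SECONDS:
            return {"ok": False, "user": None}
        rec["used"] = True  # single use: a replayed token is rejected
        return {"ok": True, "user": rec["user"]}


def build_launch_url(token):
    """Browser side (step 510): the built-in method the success-page script calls."""
    return f"appName://truthLogin?Token={token}"


def extract_token_from_launch_url(url):
    """VPN client side (step 510): accept the token only from the expected
    scheme and host, and only when exactly one Token parameter is present."""
    parsed = urlparse(url)  # note: urlparse lower-cases the scheme
    if parsed.scheme != "appname" or parsed.netloc != "truthLogin":
        return None
    values = parse_qs(parsed.query).get("Token", [])
    return values[0] if len(values) == 1 else None


class VpnServer:
    """VPN server: receives the client's authentication request (step 511),
    asks the authentication end to verify the token (512) and relays the
    feedback result (513)."""

    def __init__(self, auth_end):
        self._auth_end = auth_end

    def handle_auth_request(self, token, now=None):
        if not token:
            return {"login": "failed"}
        feedback = self._auth_end.verify(token, now)
        if not feedback["ok"]:
            return {"login": "failed"}
        return {"login": "success", "user": feedback["user"]}
```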
The following are apparatus embodiments of the present application, which can be used to perform the method embodiments of the present application. For details not disclosed in the apparatus embodiments, refer to the method embodiments.
FIG. 6 is a schematic diagram of a login apparatus provided by an embodiment of the present application. The login apparatus 600 includes a processing module 61, a sending module 62 and a receiving module 63.
When the login apparatus 600 is integrated in a virtual private network (VPN) authentication end deployed in the public network, it can perform the actions of the VPN authentication end in the above embodiments, and the processing module 61, the sending module 62 and the receiving module 63 function as follows:
the processing module 61 is configured to determine that a user is a legitimate user of the VPN service;
the sending module 62 is configured to send a trust request to a service server deployed in the intranet, the trust request carrying the identity of the user;
the receiving module 63 is configured to receive a trust response from the service server, the trust response being generated by the service server according to the legitimacy verification result for the identity;
the sending module 62 is further configured to send, according to the trust response, a login response to the user's terminal device, the login response indicating whether the user has successfully logged in to the service server and the VPN service through the browser.
In a feasible implementation, the receiving module 63 is further configured to receive a page request sent by the terminal device through the browser, the page request requesting that a login page be displayed through the browser, the login page being used to log in to the VPN service and the service server;
the sending module 62 is further configured to send the terminal device a data stream for displaying the login page;
the receiving module 63 is further configured to receive login information sent by the terminal device through the login page;
the processing module 61 is specifically configured to verify the legitimacy of the user according to the login information, and to determine that the user is a legitimate user of the VPN service when the login information passes the legitimacy verification.
In a feasible implementation, if the trust response indicates that the user is a legitimate user of the service server, the processing module 61 is further configured to generate a token for the user, the token being used to verify the legitimacy of the VPN client application on the terminal device, and the login response carries the token;
the sending module 62 is further configured to send the token to the VPN server that provides the VPN service, so that the VPN server verifies, based on the token, the authentication request sent by the terminal device through the VPN client application to obtain a feedback result; or, the receiving module 63 is further configured to receive a token verification request sent by the VPN server and verify whether the token carried in the token verification request is legitimate to obtain a feedback result, and the sending module 62 is further configured to send the feedback result to the VPN server, where the token carried in the verification request is obtained by the VPN server from the authentication request sent by the terminal device through the VPN client application;
where the feedback result indicates whether the user has successfully logged in to the service server and the VPN service through the VPN client application.
In a feasible implementation, when the processing module 61 verifies whether the token carried in the verification request is legitimate to obtain the feedback result, it is configured to verify whether the token was generated by the VPN authentication end and whether the state of the token is normal; if the token was generated by the VPN authentication end and its state is normal, it generates a feedback result indicating that the token is legitimate; otherwise, it generates a feedback result indicating that the token is not legitimate.
When the login apparatus 600 is integrated in a VPN server deployed in the public network, it can perform the actions of the VPN server in the above embodiments, and the processing module 61, the sending module 62 and the receiving module 63 function as follows:
the receiving module 63 is configured to receive an authentication request sent by a user through the VPN client application on a terminal device;
the processing module 61 is configured to verify the authentication request to obtain a feedback result and to send the feedback result to the VPN client application on the terminal device;
if the feedback result indicates that the VPN client application has successfully logged in to the service server and the VPN service, a VPN tunnel is established with the VPN client application so as to receive, through the VPN tunnel, service requests sent by the user through the VPN client;
the sending module 62 is configured to send the service requests to the service server.
In a feasible implementation, the receiving module 63 is further configured to receive a token generated for the user and sent by the VPN authentication end, and the processing module 61 is configured to verify the token carried in the authentication request against that token to obtain the feedback result; or,
the processing module 61 is configured to generate a token verification request based on the token carried in the authentication request, the sending module 62 is configured to send the token verification request to the VPN authentication end so that the VPN authentication end verifies the token carried in the verification request to generate the feedback result, and the receiving module 63 is further configured to receive the feedback result returned by the VPN authentication end.
When the login apparatus 600 is integrated in a service server deployed in the intranet, it can perform the actions of the service server in the above embodiments, and the processing module 61, the sending module 62 and the receiving module 63 function as follows:
the receiving module 63 is configured to receive a trust request from a VPN authentication end deployed in the public network, the trust request carrying the identity of a user who is a legitimate user of the VPN service;
the processing module 61 is configured to verify the legitimacy of the user to obtain a legitimacy verification result indicating whether the user is a legitimate user of the service server;
the sending module 62 is configured to send the VPN authentication end a trust response carrying the legitimacy verification result.
FIG. 7 is a schematic diagram of a login apparatus provided by an embodiment of the present application. The login apparatus 700 is integrated in a terminal device deployed in the public network and includes a processing module 71, a display module 72, a sending module 73 and a receiving module 74.
The processing module 71 is configured to obtain, through a browser, a data stream for displaying a login page, the login page being used to log in to a virtual private network (VPN) service and a service server in the intranet;
the display module 72 is configured to display the login page according to the data stream;
the sending module 73 is configured to send, through the login page, a login request carrying the user's login information to the VPN authentication end;
the receiving module 74 is configured to receive a login response from the VPN authentication end, the login response indicating whether the user has successfully logged in to the service server and the VPN service through the browser.
In a feasible implementation, the processing module 71 is configured to pop up the browser in response to a click operation on the VPN client application;
the sending module 73 is configured to send a page request to the VPN authentication end through the browser, the page request requesting the data stream that the browser needs to display the login page;
the receiving module 74 is configured to receive, from the VPN authentication end, the data stream for displaying the login page.
In a feasible implementation, after the receiving module 74 receives the login response from the VPN authentication end, the display module 72 is further configured to display a login-success page according to the login response, the login-success page carrying the token;
the processing module 71 is further configured to activate the VPN client application using the login-success page;
the sending module 73 is further configured to use the VPN client application to send an authentication request carrying the token to the VPN server that provides the VPN service;
the receiving module 74 is further configured to receive a feedback result from the VPN server, the feedback result indicating whether the user has successfully logged in to the service server and the VPN service through the VPN client application.
In a feasible implementation, if the feedback result indicates that the user has successfully logged in to the service server and the VPN service through the VPN client application, the processing module 71 is further configured to request, through the VPN client application, the establishment of a VPN tunnel with the VPN server;
the sending module 73 is further configured to send service requests to the VPN server through the VPN tunnel.
FIG. 8 is a schematic structural diagram of an electronic device provided by an embodiment of the present application. As shown in FIG. 8, the electronic device 800 is, for example, the above-mentioned VPN authentication end, VPN server, service server or terminal device, and the electronic device 800 includes:
a processor 81 and a memory 82;
the memory 82 stores computer instructions;
the processor 81 executes the computer instructions stored in the memory 82, so that the processor 81 performs the login method implemented by the VPN authentication end, VPN server, service server or terminal device described above.
For the specific implementation of the processor 81, refer to the above method embodiments; the implementation principle and technical effect are similar and are not repeated here.
Optionally, the electronic device 800 further includes a communication component 83. The processor 81, the memory 82 and the communication component 83 may be connected through a bus 84.
An embodiment of the present application further provides a computer-readable storage medium storing computer instructions which, when executed by a processor, implement the login method performed by the VPN authentication end, VPN server, service server or terminal device described above.
An embodiment of the present application further provides a computer program product comprising a computer program which, when executed by a processor, implements the login method performed by the VPN authentication end, VPN server, service server or terminal device described above.
Other embodiments of the present application will readily occur to those skilled in the art upon consideration of the specification and practice of the invention disclosed herein. The present application is intended to cover any variations, uses or adaptations that follow its general principles and include common knowledge or customary technical means in the art not disclosed herein. The specification and examples are to be regarded as exemplary only, with the true scope and spirit of the application indicated by the following claims.
It should be understood that the present application is not limited to the precise structures described above and illustrated in the accompanying drawings, and that various modifications and changes may be made without departing from its scope. The scope of the present application is limited only by the appended claims.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202110932540.3A CN113746811A (en) | 2021-08-13 | 2021-08-13 | Login method, device, equipment and readable storage medium |
Publications (1)
Publication Number | Publication Date |
---|---|
CN113746811A true CN113746811A (en) | 2021-12-03 |
Family
ID=78731213
Country Status (1)
Country | Link |
---|---|
CN (1) | CN113746811A (en) |
Cited By (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN114567510A (en) * | 2022-03-21 | 2022-05-31 | 上海商汤智能科技有限公司 | Login authentication method, device, equipment and storage medium |
CN115001840A (en) * | 2022-06-21 | 2022-09-02 | 北京翼辉信息技术有限公司 | Agent-based authentication method, system and computer storage medium |
CN115134144A (en) * | 2022-06-28 | 2022-09-30 | 中国工商银行股份有限公司 | Enterprise-level business system authentication method, device and system |
CN115348168A (en) * | 2022-07-21 | 2022-11-15 | 金蝶软件(中国)有限公司 | Block chain network deployment method and device |
CN118413403A (en) * | 2024-07-02 | 2024-07-30 | 宁波港信息通信有限公司 | Double identity verification device and method |
WO2025087412A1 (en) * | 2023-10-25 | 2025-05-01 | 中移互联网有限公司 | Authentication login method, apparatus, and system, device, storage medium, and product |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN104883353A (en) * | 2015-03-31 | 2015-09-02 | 深圳市深信服电子科技有限公司 | Terminal single sign-on configuration and authentication method and system, and application service system |
CN106330918A (en) * | 2016-08-26 | 2017-01-11 | 杭州迪普科技有限公司 | Multi-system login method and device |
US20170134370A1 (en) * | 2015-11-05 | 2017-05-11 | Red Hat, Inc. | Enabling single sign-on authentication for accessing protected network services |
Prosecution history: 2021-08-13 CN CN202110932540.3A patent/CN113746811A/en active Pending
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| RJ01 | Rejection of invention patent application after publication | Application publication date: 20211203 |