
CN113746811A - Login method, device, equipment and readable storage medium - Google Patents

Publication number
CN113746811A
Authority
CN
China
Prior art keywords
vpn
user
login
service
server
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202110932540.3A
Other languages
Chinese (zh)
Inventor
林俊洪
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Wangsu Science and Technology Co Ltd
Original Assignee
Wangsu Science and Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Wangsu Science and Technology Co Ltd
Priority to CN202110932540.3A
Publication of CN113746811A

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L12/00 Data switching networks
    • H04L12/28 Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    • H04L12/46 Interconnection of networks
    • H04L12/4641 Virtual LANs, VLANs, e.g. virtual private networks [VPN]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L12/00 Data switching networks
    • H04L12/28 Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    • H04L12/46 Interconnection of networks
    • H04L12/4633 Interconnection of networks using encapsulation techniques, e.g. tunneling

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The present application discloses a login method, apparatus, device and readable storage medium. After the VPN authentication end determines that the user is a legitimate user of the VPN service, it sends a trust request carrying the user's identity identifier to a service server deployed in the intranet. The service server verifies the legitimacy of the user according to the identity identifier and sends a trust response carrying the legitimacy verification result to the VPN authentication end. According to the trust response, the VPN authentication end sends a login response to the user's terminal device; the login response indicates whether the user has successfully logged in to the service server and the VPN service through the browser. With this scheme, a trust mechanism is established through communication between the VPN authentication end and the service server, so that the user logs in to the service server at the same time as logging in to the VPN server end, which simplifies the login process, reduces the error rate and improves the user experience.

Description

Login method, apparatus, device and readable storage medium

Technical field

The present application relates to the technical field of network security, and in particular to a login method, apparatus, device and readable storage medium.

Background

With the rapid development of Internet technology, enterprises have built internal networks and deployed a variety of business systems on them to improve office efficiency. Common business systems include mail systems, office automation (OA) systems, and the like.

Usually, when a user working at the company wants to access a business system, the user enters the account and password of that business system for verification, and can access the business only after the verification passes. However, users sometimes need to work while on business trips or at home. Virtual private networks (VPN) emerged to let public-network users access the systems in the enterprise's internal network conveniently while keeping that access secure. Considering factors such as operating cost and service expertise, most enterprises choose to purchase a VPN service from a network service provider to let public-network users access intranet services.

In this application scenario, the network service provider verifies the user's identity in order to establish the user's legitimacy, and the business system in the intranet itself also needs to verify the legitimacy of the user's identity. As a result, an enterprise user who accesses the business systems in the intranet through the public network has to enter login information at least twice before access succeeds. The process is cumbersome and error-prone, and the user experience is poor.

Summary of the invention

The present application provides a login method, apparatus, device and readable storage medium. A trust mechanism is established through communication between the VPN authentication end and the service server, so that a user logs in to the service server at the same time as logging in to the VPN server end, which simplifies the login process and reduces the error rate.

In a first aspect, an embodiment of the present application provides a login method applied to a virtual private network (VPN) authentication end deployed in the public network. The method includes:

determining that the user is a legitimate user of the VPN service;

sending a trust request to a service server deployed in the intranet, where the trust request carries the identity identifier of the user;

receiving a trust response from the service server, where the trust response is generated by the service server according to the result of verifying the legitimacy of the identity identifier;

sending, according to the trust response, a login response to the user's terminal device, where the login response indicates whether the user has successfully logged in to the service server and the VPN service through a browser.

In a second aspect, an embodiment of the present application provides a login method applied to a virtual private network (VPN) server end deployed in the public network. The method includes:

receiving an authentication request sent by a user through a VPN client application on a terminal device;

verifying the authentication request to obtain a feedback result, and sending the feedback result to the VPN client application of the terminal device;

if the feedback result indicates that the VPN client application has successfully logged in to the service server and the VPN service, establishing a VPN tunnel with the VPN client application, so as to receive through the VPN tunnel the service request that the user sends through the VPN client, and sending the service request to the service server.

In a third aspect, an embodiment of the present application provides a login method applied to a service server deployed in the intranet, including:

receiving a trust request from a virtual private network (VPN) authentication end deployed in the public network, where the trust request carries the identity identifier of a user, and the user is a legitimate user of the VPN service;

performing legitimacy verification on the user to obtain a legitimacy verification result, where the legitimacy verification result indicates whether the user is a legitimate user of the service server;

sending a trust response carrying the legitimacy verification result to the VPN authentication end.

In a fourth aspect, an embodiment of the present application provides a login method applied to a terminal device, including:

obtaining, through a browser, a data stream for displaying a login page, where the login page is used to log in to the virtual private network (VPN) service and the service server in the intranet;

displaying the login page according to the data stream;

sending, through the login page, a login request carrying the user's login information to the VPN authentication end;

receiving a login response from the VPN authentication end, where the login response indicates whether the user has successfully logged in to the service server and the VPN service through the browser.

In a fifth aspect, an embodiment of the present application provides a login apparatus integrated in a virtual private network (VPN) authentication end deployed in the public network. The apparatus includes:

a processing module, configured to determine that the user is a legitimate user of the VPN service;

a sending module, configured to send a trust request to a service server deployed in the intranet, where the trust request carries the identity identifier of the user;

a receiving module, configured to receive a trust response from the service server, where the trust response is generated by the service server according to the result of verifying the legitimacy of the identity identifier;

the sending module being further configured to send, according to the trust response, a login response to the user's terminal device, where the login response indicates whether the user has successfully logged in to the service server and the VPN service through a browser.

In a sixth aspect, an embodiment of the present application provides a login apparatus integrated in a virtual private network (VPN) server end deployed in the public network. The apparatus includes:

a receiving module, configured to receive an authentication request sent by a user through a VPN client application on a terminal device;

a processing module, configured to verify the authentication request to obtain a feedback result, and to send the feedback result to the VPN client application of the terminal device;

and, if the feedback result indicates that the VPN client application has successfully logged in to the service server and the VPN service, to establish a VPN tunnel with the VPN client application, so as to receive through the VPN tunnel the service request that the user sends through the VPN client;

a sending module, configured to send the service request to the service server.

In a seventh aspect, an embodiment of the present application provides a login apparatus integrated in a service server deployed in the intranet. The apparatus includes:

a receiving module, configured to receive a trust request from a virtual private network (VPN) authentication end deployed in the public network, where the trust request carries the identity identifier of a user, and the user is a legitimate user of the VPN service;

a processing module, configured to perform legitimacy verification on the user to obtain a legitimacy verification result, where the legitimacy verification result indicates whether the user is a legitimate user of the service server;

a sending module, configured to send a trust response carrying the legitimacy verification result to the VPN authentication end.

In an eighth aspect, an embodiment of the present application provides a login apparatus integrated in a terminal device. The apparatus includes:

a processing module, configured to obtain, through a browser, a data stream for displaying a login page, where the login page is used to log in to the virtual private network (VPN) service and the service server in the intranet;

a display module, configured to display the login page according to the data stream;

a sending module, configured to send, through the login page, a login request carrying the user's login information to the VPN authentication end;

a receiving module, configured to receive a login response from the VPN authentication end, where the login response indicates whether the user has successfully logged in to the service server and the VPN service through the browser.

In a ninth aspect, an embodiment of the present application provides an electronic device, including a processor, a memory, and a computer program stored in the memory and executable on the processor. When the processor executes the computer program, the electronic device implements the method described in the first aspect or the various possible implementations of the first aspect; or the method described in the second aspect or the various possible implementations of the second aspect; or the method described in the third aspect or the various possible implementations of the third aspect; or the method described in the fourth aspect or the various possible implementations of the fourth aspect.

In a tenth aspect, an embodiment of the present application provides a computer-readable storage medium storing computer instructions. When executed by a processor, the computer instructions implement the method described in the first aspect or the various possible implementations of the first aspect; or the method described in the second aspect or the various possible implementations of the second aspect; or the method described in the third aspect or the various possible implementations of the third aspect; or the method described in the fourth aspect or the various possible implementations of the fourth aspect.

In an eleventh aspect, an embodiment of the present application provides a computer program product containing a computer program. When executed by a processor, the computer program implements the method described in the first aspect or the various possible implementations of the first aspect; or the method described in the second aspect or the various possible implementations of the second aspect; or the method described in the third aspect or the various possible implementations of the third aspect; or the method described in the fourth aspect or the various possible implementations of the fourth aspect.

In the login method, apparatus, device and readable storage medium provided by the embodiments of the present application, after the VPN authentication end determines that the user is a legitimate user of the VPN service, it sends a trust request carrying the user's identity identifier to the service server deployed in the intranet. The service server verifies the legitimacy of the user according to the identity identifier and sends a trust response carrying the legitimacy verification result to the VPN authentication end. According to the trust response, the VPN authentication end sends a login response to the user's terminal device; the login response indicates whether the user has successfully logged in to the service server and the VPN service through the browser. With this scheme, a trust mechanism is established through communication between the VPN authentication end and the service server, so that the user logs in to the service server at the same time as logging in to the VPN server end, which simplifies the login process, reduces the error rate and improves the user experience. Moreover, authentication information is entered only once during login. That information is the user's VPN service login information, such as the login account and password, and the service server's authentication information does not need to be entered. The service server is thereby hidden at the back end, which lowers the risk of the service server being attacked while reducing the number of times the user enters login information.
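The exchange summarized above, modelled end to end as an added example (it is not code from the patent or from the applicant). The class and field names, the shared-key HMAC tag and the nonce on the trust request are assumptions of this example, added because a trust request stands in for the user's service-server password and so must be attributable to the VPN authentication end; all accounts are constructed.

```python
import hashlib
import hmac
import json
import secrets


def pw_hash(password, salt):
    # VPN-side password storage; the service server never sees this secret.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


def mac(key, body):
    return hmac.new(key, body.encode(), hashlib.sha256).hexdigest()


class ServiceServer:
    """Intranet service server: answers trust requests, takes no passwords."""

    def __init__(self, trust_key, users):
        self._key = trust_key      # shared with the VPN authentication end (assumption)
        self._users = set(users)   # identities that are legitimate on this server
        self._nonces = set()       # nonces already accepted (assumption)
        self.logged_in = set()

    def handle_trust_request(self, request):
        # Authenticate the sender before looking at the identity it asserts.
        if not hmac.compare_digest(mac(self._key, request["body"]), request["tag"]):
            return {"legitimate": False, "reason": "untrusted sender"}
        fields = json.loads(request["body"])
        if fields["nonce"] in self._nonces:
            return {"legitimate": False, "reason": "replayed request"}
        self._nonces.add(fields["nonce"])
        if fields["identity"] not in self._users:
            return {"legitimate": False, "reason": "unknown identity"}
        self.logged_in.add(fields["identity"])
        return {"legitimate": True, "reason": "ok"}


class VPNAuthEnd:
    """Public-network VPN authentication end with its own account store."""

    def __init__(self, trust_key, service):
        self._key = trust_key
        self._service = service
        self._accounts = {}
        self.trust_requests_sent = 0

    def register(self, account, password):
        salt = secrets.token_bytes(16)
        self._accounts[account] = (salt, pw_hash(password, salt))

    def _is_vpn_user(self, account, password):
        salt, stored = self._accounts.get(account, (b"\0" * 16, b""))
        return hmac.compare_digest(pw_hash(password, salt), stored)

    def build_trust_request(self, identity):
        body = json.dumps({"identity": identity, "nonce": secrets.token_hex(16)})
        return {"body": body, "tag": mac(self._key, body)}

    def login(self, account, password):
        # Step 1: the user must be a legitimate user of the VPN service.
        if not self._is_vpn_user(account, password):
            return {"success": False, "reason": "not a VPN user"}
        # Steps 2-3: trust request carrying the identity, then the trust response.
        self.trust_requests_sent += 1
        response = self._service.handle_trust_request(self.build_trust_request(account))
        # Step 4: the login response reports success only if both sides accepted.
        return {"success": response["legitimate"], "reason": response["reason"]}


def demo():
    key = secrets.token_bytes(32)
    service = ServiceServer(key, users=["alice"])   # constructed directory
    auth = VPNAuthEnd(key, service)
    auth.register("alice", "constructed-pw-1")
    auth.register("bob", "constructed-pw-2")
    results = {
        "both": auth.login("alice", "constructed-pw-1"),
        "vpn_only": auth.login("bob", "constructed-pw-2"),
        "bad_password": auth.login("alice", "wrong"),
    }
    # A trust request tagged with a different key must not log anyone in.
    forged = VPNAuthEnd(secrets.token_bytes(32), service).build_trust_request("alice")
    results["forged"] = service.handle_trust_request(forged)
    # A captured, valid trust request must not be accepted twice.
    replay = auth.build_trust_request("alice")
    service.handle_trust_request(replay)
    results["replayed"] = service.handle_trust_request(replay)
    results["trust_requests_sent"] = auth.trust_requests_sent
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

A failed VPN password never produces a trust request, so the service server only ever evaluates identities the VPN authentication end has already vouched for.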

Brief description of the drawings

To explain the technical solutions in the embodiments of the present application more clearly, the drawings needed for describing the embodiments are briefly introduced below. The drawings described below are only some embodiments of the present application; a person of ordinary skill in the art can obtain other drawings from them without creative effort.

FIG. 1A is a schematic diagram of one implementation environment of the login method provided by an embodiment of the present application;

FIG. 1B is a schematic diagram of another implementation environment of the login method provided by an embodiment of the present application;

FIG. 2 is a flowchart of the login method provided by an embodiment of the present application;

FIG. 3 is a schematic diagram of the interface change process of the terminal device in the login method provided by an embodiment of the present application;

FIG. 4 is a schematic diagram of the token authentication process in the login method provided by an embodiment of the present application;

FIG. 5 is a schematic process diagram of the login method provided by an embodiment of the present application;

FIG. 6 is a schematic diagram of a login apparatus provided by an embodiment of the present application;

FIG. 7 is a schematic diagram of a login apparatus provided by an embodiment of the present application;

FIG. 8 is a schematic structural diagram of an electronic device provided by an embodiment of the present application.

Detailed description

To make the objectives, technical solutions and advantages of the present application clearer, the embodiments of the present application are described in further detail below with reference to the accompanying drawings.

At present, before a user logs in to a VPN service through a VPN client, the VPN system authenticates the user with its own built-in user identity authentication module. The user can use the VPN service only after the identity authentication passes. VPN client applications include Android client applications, iOS client applications, Windows PC client applications, and the like.

After a user in the public network logs in to the VPN system and then accesses a business system in the intranet, the business system likewise needs to verify the legitimacy of the user's identity.

In this process of logging in to the business system, the login information entered the first time is used for identity verification by the VPN system, and the login information entered the second time is used for identity verification by the business system. In other words, the VPN system and the business system each manage their own account system independently. Take a user in the public network accessing a business system in the company intranet as an example. The user first enters authentication information such as the VPN service account and password to log in to the VPN server end. After successfully logging in to the VPN service, the user reaches a home page listing some of the company's business systems and selects the business system to log in to. When the user accesses the OA system, for example, a login page pops up again and asks for the authentication information of the OA system.

Clearly, this login process is cumbersome and error-prone, gives a poor user experience, and makes it inconvenient for users to manage their login information. Moreover, a business system that is exposed to the public network may be at risk of attack.

On this basis, the embodiments of the present application provide a login method, apparatus, device and readable storage medium. A trust mechanism is established through communication between the VPN authentication end and the service server, so that the user logs in to the service server at the same time as logging in to the VPN server end, which simplifies the login process, reduces the error rate and improves the user experience.

图1A是本申请实施例提供的登录方法的一个实施环境示意图。请参照图1,本实施环境包括:部署在公网中的虚拟专用网络(Virtual Private Network,VPN)认证端11、部署在公网中的VPN服务端12、部署在内网中的业务服务器13和公网中的终端设备14。其中,VPN服务端12至少为一个,每个VPN服务端12与VPN认证端11通过网络连接,VPN认证端11和业务服务器13之间通过网络连接,终端设备14与VPN认证端11和VPN服务端之间可建立网络连接。在一较佳实施例中,VPN服务端12与VPN认证端11之间、VPN认证端11与业务服务器13之间,以及VPN服务端12与业务服务器13之间基于VPN网络进行通信,以保证数据传输的安全性,在一具体实施中,VPN网络可以基于SD-WAN(Software Defined Wide Area Network,软件定义广域网)技术构建,其中VPN认证端和VPN服务端可部署在SD-WAN网络中的POP(point-of-presence,网络服务提供点)节点服务器上。FIG. 1A is a schematic diagram of an implementation environment of the login method provided by the embodiment of the present application. Please refer to FIG. 1 , this implementation environment includes: a virtual private network (Virtual Private Network, VPN) authentication terminal 11 deployed in the public network, a VPN server 12 deployed in the public network, and a service server 13 deployed in the intranet and terminal equipment 14 in the public network. There is at least one VPN server 12, each VPN server 12 is connected to the VPN authentication end 11 through a network, the VPN authentication end 11 and the service server 13 are connected through a network, and the terminal device 14 is connected to the VPN authentication end 11 and the VPN service A network connection can be established between the terminals. In a preferred embodiment, communication between the VPN server 12 and the VPN authentication end 11, between the VPN authentication end 11 and the service server 13, and between the VPN server 12 and the service server 13 is based on the VPN network to ensure For the security of data transmission, in a specific implementation, the VPN network can be constructed based on SD-WAN (Software Defined Wide Area Network, software-defined wide area network) technology, wherein the VPN authentication terminal and the VPN server can be deployed in the SD-WAN network. POP (point-of-presence, network service provider point) node server.

请参照图1A,一个VPN认证端11可以和多个VPN服务端12通信,VPN认证端11是网络提供商部署在公网的专门用于实现VPN和业务服务器单次登录验证的服务应用,它可以跟其中一个VPN服务端12部署在同一设备上,也可以分开部署,在实际应用场景中,VPN服务端12的数量可以是很多的。Referring to FIG. 1A, a VPN authentication terminal 11 can communicate with multiple VPN server terminals 12. The VPN authentication terminal 11 is a service application deployed by a network provider on the public network and is specially used to implement single sign-on verification for VPNs and service servers. It can be deployed on the same device with one of the VPN servers 12, or can be deployed separately. In practical application scenarios, the number of VPN servers 12 can be many.

VPN服务端12用于为用户提供VPN服务,其中,VPN服务可包含将用户请求通过VPN隧道转发至内网。用户使用VPN服务时,每次提供VPN服务的可以是不同的VPN服务端12。The VPN server 12 is used to provide a VPN service for the user, wherein the VPN service may include forwarding the user request to the intranet through the VPN tunnel. When the user uses the VPN service, different VPN servers 12 may provide the VPN service each time.

在一应用场景中,业务服务器13例如为单点登录(Single Sign-On,SSO)系统的服务器等,即VPN客户已基于SSO服务对其业务服务实现了单点登录功能。当业务服务器13为SSO系统的服务器时,用户输入一次密码同时成功登录VPN服务和SSO系统的服务器后,就能够基于SSO系统的登录成功状态,直接访问已接入SSO系统的业务系统,如办公自动化(Office Automation,OA)系统、邮件系统、考勤系统、绩效系统等。In an application scenario, the service server 13 is, for example, a server of a single sign-on (Single Sign-On, SSO) system, that is, a VPN client has implemented a single sign-on function for its business service based on the SSO service. When the service server 13 is the server of the SSO system, after the user successfully logs in the VPN service and the server of the SSO system at the same time by entering a password, he or she can directly access the service system that has been connected to the SSO system based on the successful login status of the SSO system, such as office work. Automation (Office Automation, OA) system, mail system, attendance system, performance system, etc.

在另一应用场景中,业务服务器13可以是OA系统、邮件系统等的服务器中的一种。以OA系统为例,用户输入一次密码同时登录VPN服务和OA系统的服务器后,就能够访问其他OA系统。In another application scenario, the service server 13 may be one of the servers of the OA system, the mail system, and the like. Taking the OA system as an example, users can access other OA systems after entering the one-time password to log in to the VPN service and the server of the OA system at the same time.

另外,若一个VPN客户给内网中的多个业务系统购买了VPN服务,且尚未引入SSO系统,则建立互信机制时,VPN认证端需要和分别多个业务服务器中的每个业务服务器建立互信机制。In addition, if a VPN client has purchased VPN services for multiple service systems in the intranet, and the SSO system has not been introduced, when establishing a mutual trust mechanism, the VPN authentication end needs to establish mutual trust with each of the multiple service servers. mechanism.

终端设备14例如为安装有安卓操作系统、微软操作系统、塞班操作系统、Linux操作系统或苹果iOS操作系统的手机、平板电脑、个人电脑等电子设备。终端设备14上安装有浏览器和VPN客户端应用,如安卓(Android)客户端应用、IOS客户端应用或window PC客户端应用等。The terminal device 14 is, for example, an electronic device such as a mobile phone, a tablet computer, and a personal computer installed with an Android operating system, a Microsoft operating system, a Symbian operating system, a Linux operating system, or an Apple iOS operating system. A browser and a VPN client application, such as an Android (Android) client application, an IOS client application, or a window PC client application, are installed on the terminal device 14 .

图1B是本申请实施例提供的登录方法的另一个实施环境示意图。请参照图1,本实施环境包括:部署在公网中的虚拟专用网络(Virtual Private Network,VPN)服务器110、部署在内网中的业务服务器13和公网中的终端设备14。其中,VPN服务器110同时集成了图1A中VPN认证端11和VPN服务端12的功能,即VPN认证端11和VPN服务端12均部署在VPN服务器10上,VPN服务器110和业务服务器13之间通过VPN网络连接,终端设备14可通过互联网访问VPN服务器。具体描述可参见图1A,此处不再赘述。FIG. 1B is a schematic diagram of another implementation environment of the login method provided by the embodiment of the present application. Referring to FIG. 1 , this implementation environment includes: a virtual private network (Virtual Private Network, VPN) server 110 deployed in the public network, a service server 13 deployed in the intranet, and a terminal device 14 in the public network. The VPN server 110 simultaneously integrates the functions of the VPN authentication terminal 11 and the VPN server 12 in FIG. Through the VPN network connection, the terminal device 14 can access the VPN server through the Internet. For a specific description, refer to FIG. 1A , which will not be repeated here.

Unless otherwise specified, the following description is based on the implementation environment shown in FIG. 1A.

FIG. 2 is a flowchart of the login method provided by an embodiment of the present application. This embodiment is described from the perspective of the interaction among the VPN authentication end, the service server and the terminal device. This embodiment includes:

201. The VPN authentication end determines that the user is a legitimate user of the VPN service.

It is worth noting that the login method provided by the embodiment of the present application is applicable to a scenario in which the user logs in through the VPN client application (for details, refer to FIG. 3), and is also applicable to a scenario in which the user logs in directly through a browser, that is, the user can access the login page directly through the browser.

FIG. 3 is a schematic diagram of how the interface of the terminal device changes in the login method provided by an embodiment of the present application. Referring to FIG. 3, the user clicks the VPN client application on the desktop of the electronic device to open it. The user interface of the VPN client application displays two buttons, joint login and ordinary login. Ordinary login is a login mode in which login information is entered at least twice; joint login is the login mode provided by the embodiment of the present application.

The user clicks the joint login button, thereby selecting the login mode provided by the embodiment of the present application. The VPN client application then automatically invokes the browser. The terminal device requests the login page from the VPN authentication end through the browser and displays it. It can be understood that, in the scenario where the user logs in directly through the browser, the user simply enters the access address of the login page in the browser. The user then enters the login information on the login page by voice, touch or other means and sends it to the VPN authentication end. The login information includes a login account, a password and the like, and may also include a verification code, an enterprise identifier and the like. The login account and password are maintained independently by the VPN authentication end; that is, the user obtains them by registering with the VPN authentication end in advance, and they are unrelated to the login information of the service server.

During user registration, the VPN authentication end can collect and store the login information of legitimate users (except the verification code), together with related information such as the identity identifier. The identity identifier is the information an enterprise uses to identify a user, for example the user's mobile phone number, ID card number or employee number. It can be understood that an enterprise customer that purchases the VPN service synchronizes the identity identifiers of its legitimate users (for example, enterprise employees or other persons allowed to use the VPN service) to the VPN authentication end in advance, so that when the VPN authentication end receives a user registration request it can determine whether the user is legitimate. After receiving the login information, the VPN authentication end compares the stored information with the login account, password and enterprise identifier submitted by the user at login; if they match, the user is determined to be a legitimate user of the VPN service. Preferably, the verification code submitted by the user can also be verified, to further ensure the legitimacy of the operator.

If the user is a legitimate user of the VPN service, step 202 is performed; if the user is not a legitimate user of the VPN service, a prompt message pops up to tell the user that login through the login mode provided by the embodiment of the present application is not possible.

It should be noted that in FIG. 3 above the user interface of the VPN client application displays both the joint login button and the ordinary login button. However, the embodiments of the present application are not limited to this. In other feasible implementations, the user interface of the VPN client application displays only the joint login button, that is, the VPN client application provides only the login method described in the embodiment of the present application. In that case, after the user clicks the VPN client application on the desktop of the electronic device and requests login, the VPN client application invokes the browser to request the login page from the VPN authentication end and displays it. The user does not need to select the joint login mode.

202. The VPN authentication end sends a trust request to the service server.

The trust request carries the identity identifier of the user.

Exemplarily, after the VPN authentication end determines that the user is a legitimate user of the VPN service, it can determine the user's identity identifier from the login information submitted by the user and send a trust request carrying that identity identifier to the service server in the intranet, to request the establishment of a mutual trust relationship with the service server.

It is worth noting that, to ensure the security of data transmission, the trust request sent by the VPN authentication end must be transmitted over the VPN network, which is deployed between the VPN authentication end and the intranet where the service server is located. Further, the VPN authentication end can encrypt the user identity identifier carried in the trust request using an encryption method negotiated in advance with the service server, to further prevent leakage of user information. Correspondingly, when the service server receives the encrypted user identity identifier, it must decrypt it first.

203. The service server performs legitimacy verification on the user to obtain a legitimacy verification result.

The legitimacy verification result indicates whether the user is a legitimate user of the service server.

In one implementation, because the service server belongs to the enterprise customer, the service server knows the enterprise customer's user information, including identity identifiers and access permissions, and the form of user identity identifier available to the service server is the same as that used by the VPN authentication end. Therefore, after receiving the trust request, the service server determines from the user's identity identifier carried in the trust request whether the user has permission to access it; if so, it determines that the user is a legitimate user of the service server, thereby obtaining the legitimacy verification result.

In another implementation, the VPN authentication end can confirm the user's access permissions while verifying that the user is a legitimate user, to determine whether the user has permission to access the service server; if so, it sends the user identity identifier to the service server. After determining that the received user identity identifier comes from a legitimate VPN authentication end, the service server can directly trust the verification result of the VPN authentication end, determine that the user is a legitimate user, and obtain the legitimacy verification result. In this implementation, the enterprise customer needs to synchronize user access permissions to the VPN authentication end, but does not need to cooperate on the service server to implement the verification of the preceding implementation, so it is simpler to implement.

204. The service server sends a trust response carrying the legitimacy verification result to the VPN authentication end.

205. The VPN authentication end sends a login response to the user's terminal device according to the trust response.

Exemplarily, if the legitimacy verification result indicates that the user is a legitimate user of the service server, the login response is a data stream used to generate a login success page, and the login response indicates that the user has successfully logged in to the service server and the VPN service through the browser. If the legitimacy verification result indicates that the user is not a legitimate user of the service server, the login response is a data stream used to generate a login failure page, and the login response indicates that the user has failed to log in to the service server and the VPN service through the browser.

A successful login means that the user can access the service server through the VPN service.

In the login method provided by the embodiment of the present application, after the VPN authentication end determines that the user is a legitimate user of the VPN service, it sends a trust request carrying the user's identity identifier to the service server deployed in the intranet. The service server verifies the legitimacy of the user according to the identity identifier and sends the VPN authentication end a trust response carrying the legitimacy verification result. According to the trust response, the VPN authentication end sends a login response to the user's terminal device; the login response indicates whether the user has successfully logged in to the service server and the VPN service through the browser.

With this solution, the VPN authentication end and the service server communicate with each other to establish a trust mechanism, and login information is entered only once during login, so that the user logs in to the service server at the same time as logging in to the VPN server. This simplifies the login process, reduces the error rate and improves the user experience. The login information is managed independently by the VPN authentication end of the network service provider, and the enterprise customer does not need to synchronize the user login information it manages to the VPN authentication end, which protects the security of the customer's internal data. Because the user does not need to access the service server directly during login, the service server does not need to provide a public network entry point, so it can be completely hidden in the intranet, reducing the risk of the service server being attacked.

Optionally, in the above embodiment, the login response indicates whether the user has successfully logged in to the service server and the VPN service through the browser. Because the browser and the VPN client application are two different programs, in the scenario where the user logs in through the VPN client application, login verification on the VPN client application side still has to be completed. For this, the VPN authentication end generates a token, which is used for authentication in the verification flow shown in FIG. 4.

Exemplarily, refer to FIG. 4, which is a schematic diagram of the token verification process in the login method provided by an embodiment of the present application. This embodiment includes:

401. The VPN authentication end receives a trust response from the service server.

402. The VPN authentication end generates a token for the user.

Exemplarily, after the VPN authentication end receives the trust response from the service server, if the trust response indicates that the user is a legitimate user of the service server, the VPN authentication end generates a token, which is used to verify the legitimacy of the VPN client application.

403. The VPN authentication end sends a login response carrying the token to the terminal device.

Exemplarily, the VPN authentication end carries the token in the login response sent to the browser of the terminal device.

404. The browser of the terminal device displays the login success page.

405. The browser of the terminal device uses the login success page to activate the VPN client application and sends the token to the VPN client application.

In the embodiment of the present application, the browser activates the VPN client application by means such as running a script in the login success page. For example, the terminal device displays the login success page through the browser and, after it has been displayed for a preset duration, automatically runs the script in the login success page to activate the VPN client. The preset duration is, for example, 3 seconds or 4 seconds; the embodiment of the present application does not limit it.

As another example, the terminal device displays the login success page through the browser, and the user clicks the close button on the login success page to trigger the script, thereby activating the VPN client.

406. The VPN client application sends an authentication request carrying the token to the VPN server that provides the VPN service.

In one implementation, the address information of the VPN server that provides the VPN service can be preconfigured in the VPN client application. After the client application is activated by the browser, it automatically sends an authentication request to the VPN service based on the received token.

In another implementation, while generating the token, the VPN authentication end can use information about the terminal device to determine, from among multiple VPN servers that provide the VPN service, the access addresses of one or more preferred VPN servers, and send them to the browser of the terminal device together with the token, to instruct the VPN client application of the terminal device to select one of those VPN servers to provide it with the VPN service. Specifically, the VPN authentication end can determine the location of the terminal device from its IP address and select a nearby VPN server to provide the VPN service. It can be understood that the specific VPN server selection policy can be set according to the customer's actual needs, and the present invention does not limit it.

407. The VPN server verifies the authentication request to obtain a feedback result.

Exemplarily, the VPN server verifies the token carried in the authentication request itself, or the VPN server sends the token carried in the authentication request to the VPN authentication end, which performs the verification.

For example, after generating the token, the VPN authentication end sends the token to the browser of the terminal device in the login response and, at the same time, sends the token to the VPN server that provides the VPN service (for example, the VPN server preconfigured in the VPN client application, or the one or more selected VPN servers), and the VPN server stores the token. When the VPN server receives the authentication request sent by the VPN client application, it verifies the token carried in the authentication request against the stored token to obtain a feedback result. The feedback result indicates whether the user has successfully logged in to the service server and the VPN service through the VPN client application.

As another example, the VPN client application sends an authentication request to the VPN server. After receiving the authentication request, the VPN server generates a token verification request based on the token carried in the authentication request and sends it to the VPN authentication end. The VPN authentication end verifies the token carried in the verification request against the token generated in step 402 and generates a feedback result; the token carried in the verification request is the one the VPN server obtained from the authentication request sent by the terminal device through the VPN client application. The VPN authentication end then sends the feedback result to the VPN server; correspondingly, the VPN server receives the feedback result returned by the VPN authentication end. The feedback result indicates whether the user has successfully logged in to the service server and the VPN service through the VPN client application.

In addition, the authentication request may well not carry a token at all. In that case, the VPN server directly determines that the VPN client application is illegitimate, that is, the user has failed to log in to the service server and the VPN service through the VPN application.

With this solution, the token carried in the authentication request is verified by the VPN authentication end or the VPN server, which ensures the legitimacy of the VPN client application and completes the process of the user logging in through the VPN client application.

Optionally, in the above embodiment, after generating the token the VPN authentication end can set the state of the token based on its validity period or other information, and store the token. For example, if the token has expired, the token is set to the invalid state; if the VPN authentication end receives a notification from the customer that the user is no longer valid, the token is set to the invalid state; or, if the VPN service purchased by the user's company has expired, the token is set to the invalid state. The stored token is referred to below as the first token.

After that, the VPN client application sends an authentication request carrying a token to the VPN server. The VPN server generates a token verification request from the token carried in the authentication request and sends the token verification request, carrying the token, to the VPN authentication end; the token carried in this token verification request is referred to below as the second token. After receiving the token verification request, the VPN authentication end verifies the second token against the first token. For example, if the VPN authentication end finds among the multiple stored first tokens one that is identical to the second token, it determines that the second token was generated by the VPN authentication end and goes on to check whether the state of the second token is normal. If the state of the second token is normal, the VPN authentication end generates a feedback result indicating that the second token is legitimate. If the second token was not generated by the VPN authentication end, or its state is abnormal (for example, it has been invalidated), the VPN authentication end generates a feedback result indicating that the second token is not legitimate.

If the token carried in the authentication request is verified by the VPN server, then after generating the token the VPN authentication end needs to send the token, its state and so on to the VPN server, and to synchronize any update of the token state to the VPN server. The VPN server receives and stores the token, its state and so on, and verifies the token carried in the authentication request against the stored token and its state. The verification method is the same as described above and is not repeated here.

With this solution, additionally checking whether the state of the token is normal makes it possible to verify the legitimacy of the token accurately and in real time.
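The first-token and second-token check described above, as an added Python example that is not part of the patent text. The class names, the 60-second validity period, the random URL-safe token format and the sample identifiers are assumptions; the patent does not specify them.

```python
import hmac
import secrets
import time


class TokenRecord:
    """A stored "first token" plus the state kept by the VPN authentication end."""

    def __init__(self, token, user_id, enterprise_id, expires_at):
        self.token = token
        self.user_id = user_id
        self.enterprise_id = enterprise_id
        self.expires_at = expires_at
        self.valid = True  # False once the token is in the invalid state


class VpnAuthEnd:
    """Hypothetical model of the token store on the VPN authentication end."""

    def __init__(self, ttl_seconds=60.0, clock=time.time):
        self._ttl = ttl_seconds   # assumed validity period
        self._clock = clock       # injectable so expiry can be exercised
        self._records = []

    def issue_token(self, user_id, enterprise_id):
        # Step 402: generate an unguessable token and store it as a first token.
        token = secrets.token_urlsafe(32)
        expires_at = self._clock() + self._ttl
        self._records.append(TokenRecord(token, user_id, enterprise_id, expires_at))
        return token

    def invalidate_user(self, user_id):
        # The customer has notified us that this user is no longer valid.
        for rec in self._records:
            if rec.user_id == user_id:
                rec.valid = False

    def invalidate_enterprise(self, enterprise_id):
        # The VPN service purchased by this company has expired.
        for rec in self._records:
            if rec.enterprise_id == enterprise_id:
                rec.valid = False

    def verify(self, second_token):
        """Check a second token against the stored first tokens and their state."""
        candidate = second_token.encode()
        match = None
        for rec in self._records:
            # Constant-time comparison; every record is scanned even after a hit.
            if hmac.compare_digest(rec.token.encode(), candidate):
                match = rec
        if match is None:
            return False, "not generated by the authentication end"
        if self._clock() >= match.expires_at:
            match.valid = False   # expired tokens move to the invalid state
        if not match.valid:
            return False, "token state is invalid"
        return True, "token is legal"


class VpnServer:
    """Hypothetical VPN server that delegates token checks to the authentication end."""

    def __init__(self, auth_end):
        self._auth_end = auth_end

    def handle_auth_request(self, request):
        # Step 407: a request that carries no token is rejected directly.
        token = request.get("token")
        if not isinstance(token, str) or not token:
            return False, "missing token"
        return self._auth_end.verify(token)


if __name__ == "__main__":
    auth = VpnAuthEnd()
    server = VpnServer(auth)
    tok = auth.issue_token("emp-001", "corp-a")   # constructed sample identifiers
    print(server.handle_auth_request({"token": tok}))
    print(server.handle_auth_request({}))
    auth.invalidate_user("emp-001")
    print(server.handle_auth_request({"token": tok}))
```

When the VPN server verifies tokens itself, the same records and every state change have to be synchronized to it, as the preceding paragraph describes.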

408. The VPN server sends the feedback result to the VPN client application of the terminal device.

The VPN server can decide, based on the feedback result, whether to provide the VPN service to the VPN client application. Specifically, if the feedback result indicates that the user has successfully logged in to the service server and the VPN service through the VPN client application, the VPN server can respond normally to the VPN tunnel establishment request sent by the VPN client application, so as to establish a VPN tunnel between the VPN client application and the VPN server. This VPN tunnel is used to receive the service requests for the service server that the user sends through the VPN client application. It can be understood that, in the scenario where the service server is an SSO system server, the service requests sent by the user to the service server include the service requests the user sends to all services connected to the SSO system server. If the feedback result indicates that the user has not successfully logged in to the service server and the VPN service through the VPN client application, the VPN server refuses to establish a VPN tunnel with the VPN client application, and thereby refuses to accept the user's intranet access requests.

Exemplarily, if the feedback result indicates that the VPN client application has successfully logged in to the service server and the VPN service, the method proceeds to step 409: establish a VPN tunnel with the VPN client application, so as to receive through the VPN tunnel the service requests that the user sends through the VPN client to the service server or to other service servers connected to the service server, and send the service requests to the service server.

If the feedback result indicates that the VPN client application has failed to log in to the service server and the VPN service, the VPN client application of the terminal device pops up a prompt message to tell the user that login has failed, and the establishment of a VPN tunnel with the VPN client application is refused.

In the above embodiment, the user first logs in to the service server and the VPN service successfully through the browser; the VPN client application is then invoked, and its legitimacy is confirmed based on the token, which determines whether the user has successfully logged in to the service server and the VPN service through the VPN client application. Throughout the process, switching between the VPN client application and the browser happens automatically, with no manual switching by the user. For the user the operation is simple and the experience is good, and the user only needs to enter the login information once to log in to the VPN service and the service server through the VPN client application.

The complete process of logging in through the VPN client application is illustrated below with reference to FIG. 5.

FIG. 5 is a schematic diagram of the process of the login method provided by an embodiment of the present application. Referring to FIG. 5, this embodiment includes:

501. The terminal device recognizes the user's click operation on the VPN client application and determines that the user has selected the joint login mode.

Exemplarily, the user opens the VPN client application on the desktop of the terminal device and clicks on its user interface to select the joint login mode. For details, refer to the description of FIG. 3, which is not repeated here.

502. The terminal device pops up the browser.

Exemplarily, in response to the user's selection of the joint login mode, the VPN client application automatically invokes the browser and directs it to access the VPN authentication end and request the login page. The VPN authentication server is deployed in the public network.

503. The browser sends a page request to the VPN authentication end; the page request is used to request the data stream the browser needs to display the login page.

504. The browser receives, from the VPN authentication end, the data stream used to display the login page.

Exemplarily, after receiving the data stream, the browser renders and displays the login page.

505. The browser obtains the login information entered by the user on the login page.

Exemplarily, the user enters login information such as the account, password, enterprise identifier and verification code on the login page.

506. The browser submits the login information to the VPN authentication end.

507. The VPN authentication end verifies the legitimacy of the user according to the login information.

508. For a legitimate user of the VPN service, the VPN authentication end and the service server perform mutual trust authentication.

In the application scenario where the service server is an SSO system server, during mutual trust authentication the VPN authentication server synchronizes the authentication information to the SSO system server over the VPN network. For example, the authentication information contains the user's identity identifier: the VPN authentication server sends the service server a trust request carrying the identity identifier of the legitimate user, and the SSO system server authenticates the user based on the authentication information to determine the user's access permissions. It can be understood that the type and number of business services connected to the SSO system depend on the enterprise customer's actual situation, such as an OA service, a mail service or a financial management service, and that the enterprise customer can set different access permissions for its employees (users). When the SSO system authenticates a user and confirms that the user has access permission for at least one business service, it returns login-success feedback to the VPN authentication end and at the same time generates a login state for the user; the login state applies only to the business services for which the user has access permission.

During subsequent service access, after the service server receives a service access request from the user, it can confirm the user's current state with the SSO system server. If the user's current state is the login state, the request is allowed directly and a service response is sent to the VPN server. Otherwise access is denied and a prompt message is sent to the VPN server, so that the VPN server sends the prompt message to the terminal device; the prompt message tells the terminal device that the service access has failed.

在一具体实施中,SSO系统服务器与各接入的业务服务之间可基于互信通信机制同步用户状态,使得后续业务访问过程中业务服务器无需对用户进行合法性验证,减少了认证信息的输入次数,降低出错概率。In a specific implementation, the user status can be synchronized between the SSO system server and each accessed business service based on a mutual trust communication mechanism, so that the business server does not need to perform legality verification on the user in the subsequent business access process, reducing the number of input authentication information. , reducing the probability of error.

可选的,所述通信机制包括下述通信机制中的任意一个:共享Java工具包(Jsonweb token,JWT)、共享会话(SESSION)、安全断言标记语言(Security Assertion MarkupLanguage,SAML)或开放授权(OAUTH)。Optionally, the communication mechanism includes any one of the following communication mechanisms: shared Java toolkit (Jsonweb token, JWT), shared session (SESSION), security assertion markup language (Security Assertion MarkupLanguage, SAML) or open authorization ( OAUTH).

采用该种方案,SSO系统服务器可针对用户生成共享JWT、共享SESSION、SAML等中的任意一种通信机制,灵活性高。With this solution, the SSO system server can generate any communication mechanism among shared JWT, shared SESSION, SAML, etc. for the user, with high flexibility.

509. The VPN authentication end generates a token for the user and sends the terminal device a trust response carrying the token; the token is used to verify the legitimacy of the VPN client application on the terminal device.

For example, the VPN authentication end generates a token for this user login and carries it in the login-success response page returned to the browser, so that the browser can obtain the token.

510. The browser activates the VPN client application based on the login success page.

After displaying the login success page, the browser activates the VPN client application by running the script in the page. The script in the login success page invokes the VPN client application through a browser built-in method and attaches the token, thereby passing the token to the VPN client application. An example of the browser built-in method is: appName://truthLogin?Token=123456.

511. The VPN client application sends an authentication request carrying the token to the VPN server that provides the VPN service.

For example, after being activated, the VPN client application receives the token passed by the browser and automatically carries it in the authentication request sent to the VPN server.

After receiving the authentication request, the VPN server verifies the validity of the token to obtain a feedback result, in order to determine whether the VPN client application is legitimate. For example, the VPN server performs step 512: it sends a token verification request to the VPN authentication end, so that the VPN authentication end verifies whether the token carried in the token verification request is legitimate and obtains a feedback result. The VPN server then performs step 513: it receives the feedback result from the VPN authentication end.

As another example, before receiving the authentication request the VPN server has also received the token from the VPN authentication end; after receiving the authentication request, it verifies the token carried in the authentication request against the token from the VPN authentication end to obtain the feedback result.

After obtaining the feedback result, the VPN server sends it to the VPN client application to complete the login. If the feedback result indicates that the VPN client application has successfully logged in to the service server and the VPN service, the VPN client application can display login-success information and present the business service access interface for the user to operate; if the feedback result indicates that login failed, the VPN client application shows the user login-failure information and rejects the user's requests or operations on the service access interface.

The following are apparatus embodiments of the present application, which can be used to carry out the method embodiments of the present application. For details not disclosed in the apparatus embodiments, refer to the method embodiments of the present application.

FIG. 6 is a schematic diagram of a login apparatus provided by an embodiment of the present application. The login apparatus 600 includes a processing module 61, a sending module 62 and a receiving module 63.

When the login apparatus 600 is integrated in a virtual private network (VPN) authentication end deployed in the public network, it can perform the actions of the VPN authentication end in the above embodiments, and the processing module 61, the sending module 62 and the receiving module 63 function as follows:

The processing module 61 is configured to determine that the user is a legitimate user of the VPN service;

The sending module 62 is configured to send a trust request to a service server deployed in the intranet, the trust request carrying the user's identity;

The receiving module 63 is configured to receive a trust response from the service server, the trust response being generated by the service server according to the result of verifying the legitimacy of the identity;

The sending module 62 is further configured to send, according to the trust response, a login response to the user's terminal device, the login response indicating whether the user has successfully logged in to the service server and the VPN service through a browser.

In a feasible implementation, the receiving module 63 is further configured to receive a page request sent by the terminal device through a browser, the page request requesting that a login page be displayed through the browser, the login page being used to log in to the VPN service and the service server;

The sending module 62 is further configured to send the terminal device a data stream for displaying the login page;

The receiving module 63 is further configured to receive the login information sent by the terminal device through the login page;

The processing module 61 is specifically configured to verify the user's legitimacy according to the login information and, when the login information passes the legitimacy verification, to determine that the user is a legitimate user of the VPN service.

In a feasible implementation, if the trust response indicates that the user is a legitimate user of the service server, the processing module 61 is further configured to generate a token for the user, the token being used to verify the legitimacy of the VPN client application on the terminal device, and the login response carrying the token;

The sending module 62 is further configured to send the token to the VPN server providing the VPN service, so that the VPN server verifies, based on the token, the authentication request sent by the terminal device through the VPN client application to obtain a feedback result; or, the receiving module 63 is further configured to receive a token verification request sent by the VPN server and verify whether the token carried in the token verification request is legitimate to obtain a feedback result, and the sending module 62 is further configured to send the feedback result to the VPN server, where the token carried in the verification request is obtained by the VPN server from the authentication request sent by the terminal device through the VPN client application;

The feedback result indicates whether the user has successfully logged in to the service server and the VPN service through the VPN client application.

In a feasible implementation, when the processing module 61 verifies whether the token carried in the verification request is legitimate to obtain a feedback result, it verifies whether the token was generated by the VPN authentication end and whether the state of the token is normal; if the token was generated by the VPN authentication end and its state is normal, it generates a feedback result indicating that the token is legitimate; otherwise, it generates a feedback result indicating that the token is not legitimate.
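The token path of steps 509 to 513 and the check above (generated by the VPN authentication end, state normal), sketched as an added example that is not code from the patent. All class and function names, the 60-second lifetime, and reading "normal" as unexpired, unrevoked and not yet redeemed are assumptions.

```python
import hashlib
import secrets
import time
from urllib.parse import parse_qs, urlsplit

TOKEN_TTL_SECONDS = 60  # assumption: the page gives no token lifetime


def _digest(token: str) -> str:
    # Only a hash of each token is stored, so a leaked store cannot be replayed.
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


class VpnAuthenticator:
    """VPN authentication end: issues the token (509), answers verification (512)."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._issued = {}  # sha256(token) -> {"user", "expires", "state"}

    def issue_token(self, user_id: str) -> str:
        token = secrets.token_urlsafe(32)  # unguessable, safe inside a URL query
        self._issued[_digest(token)] = {
            "user": user_id,
            "expires": self._clock() + TOKEN_TTL_SECONDS,
            "state": "normal",
        }
        return token

    def revoke(self, token: str) -> None:
        record = self._issued.get(_digest(token))
        if record is not None:
            record["state"] = "revoked"

    def verify_token(self, token: str) -> dict:
        """Return the feedback result for one token verification request."""
        record = self._issued.get(_digest(token))
        if record is None:  # check 1: generated by this authentication end?
            return {"legal": False, "reason": "not issued by this authenticator"}
        if record["state"] == "normal" and self._clock() >= record["expires"]:
            record["state"] = "expired"
        if record["state"] != "normal":  # check 2: is the token state normal?
            return {"legal": False, "reason": f"token state is {record['state']}"}
        record["state"] = "used"  # one redemption only, so a replay fails
        return {"legal": True, "user": record["user"]}


def token_from_activation_url(url: str, scheme="appname", action="truthLogin") -> str:
    """VPN client side of step 510: accept only the expected custom-scheme URL."""
    parts = urlsplit(url)  # urlsplit lower-cases the scheme: appName -> appname
    if parts.scheme != scheme or parts.netloc != action:
        raise ValueError("unexpected activation URL")
    values = parse_qs(parts.query).get("Token", [])
    if len(values) != 1 or not values[0]:
        raise ValueError("activation URL must carry exactly one Token")
    return values[0]


class VpnServer:
    """VPN server: forwards the token for verification before opening a tunnel."""

    def __init__(self, authenticator: VpnAuthenticator):
        self._authenticator = authenticator
        self.tunnels = set()  # users with an established tunnel

    def handle_auth_request(self, token: str) -> dict:
        feedback = self._authenticator.verify_token(token)  # steps 512 and 513
        if feedback["legal"]:
            self.tunnels.add(feedback["user"])
        return feedback


if __name__ == "__main__":
    auth = VpnAuthenticator()
    server = VpnServer(auth)
    # Constructed sample: the URL a login success page would hand to the client.
    url = "appName://truthLogin?Token=" + auth.issue_token("alice")
    token = token_from_activation_url(url)
    print(server.handle_auth_request(token))     # first use is accepted
    print(server.handle_auth_request(token))     # replay is rejected
    print(server.handle_auth_request("123456"))  # never issued, rejected
```

Because the token travels through a custom URL scheme that other software on the terminal may be able to observe, the short lifetime and single redemption assumed here limit what a captured token is worth.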

When the login apparatus 600 is integrated in a virtual private network (VPN) server deployed in the public network, it can perform the actions of the VPN server in the above embodiments, and the processing module 61, the sending module 62 and the receiving module 63 function as follows:

The receiving module 63 is configured to receive an authentication request sent by the user through the VPN client application on the terminal device;

The processing module 61 is configured to verify the authentication request to obtain a feedback result and to send the feedback result to the VPN client application of the terminal device;

If the feedback result indicates that the VPN client application has successfully logged in to the service server and the VPN service, a VPN tunnel is established with the VPN client application, so that the service request sent by the user through the VPN client is received through the VPN tunnel;

The sending module 62 is configured to send the service request to the service server.

In a feasible implementation, the receiving module 63 is further configured to receive the token that the VPN authentication end generated for the user and sent, and the processing module 61 is configured to verify the token carried in the authentication request against that token to obtain the feedback result; or,

The processing module 61 is configured to generate a token verification request based on the token carried in the authentication request and send it to the VPN, the sending module 62 is configured to send the token verification request to the VPN authentication end, so that the VPN authentication end verifies the token carried in the verification request to generate the feedback result, and the receiving module 63 is further configured to receive the feedback result returned by the VPN authentication end.

When the login apparatus 600 is integrated in a service server deployed in the intranet, it can perform the actions of the service server in the above embodiments, and the processing module 61, the sending module 62 and the receiving module 63 function as follows:

The receiving module 63 is configured to receive a trust request from a virtual private network (VPN) authentication end deployed in the public network, the trust request carrying the user's identity, the user being a legitimate user of the VPN service;

The processing module 61 is configured to verify the user's legitimacy to obtain a legitimacy verification result, the legitimacy verification result indicating whether the user is a legitimate user of the service server;

The sending module 62 is configured to send the VPN authentication end a trust response carrying the legitimacy verification result.

FIG. 7 is a schematic diagram of a login apparatus provided by an embodiment of the present application. The login apparatus 700 is integrated in a terminal device deployed in the public network, and includes a processing module 71, a display module 72, a sending module 73 and a receiving module 74.

The processing module 71 is configured to obtain, through a browser, a data stream for displaying a login page, the login page being used to log in to the virtual private network (VPN) service and the service server in the intranet;

The display module 72 is configured to display the login page according to the data stream;

The sending module 73 is configured to send, through the login page, a login request carrying the user's login information to the VPN authentication end;

The receiving module 74 is configured to receive a login response from the VPN authentication end, the login response indicating whether the user has successfully logged in to the service server and the VPN service through a browser.

In a feasible implementation, the processing module 71 is configured to pop up the browser in response to a click operation on the VPN client application;

The sending module 73 is configured to send a page request to the VPN authentication end through the browser, the page request requesting the data stream the browser needs to display the login page;

The receiving module 74 is configured to receive, from the VPN authentication end, the data stream for displaying the login page.

In a feasible implementation, after the receiving module 74 receives the login response from the VPN authentication end, the display module 72 is further configured to display a login success page according to the login response, the login success page carrying the token;

The processing module 71 is further configured to activate the VPN client application by means of the login success page;

The sending module 73 is further configured to use the VPN client application to send an authentication request carrying the token to the VPN server providing the VPN service;

The receiving module 74 is further configured to receive a feedback result from the VPN server, the feedback result indicating whether the user has successfully logged in to the service server and the VPN service through the VPN client application.

In a feasible implementation, if the feedback result indicates that the user has successfully logged in to the service server and the VPN service through the VPN client application, the processing module 71 is further configured to request, through the VPN client application, that a VPN tunnel be established with the VPN server;

The sending module 73 is further configured to send a service request to the VPN server through the VPN tunnel.

FIG. 8 is a schematic structural diagram of an electronic device provided by an embodiment of the present application. As shown in FIG. 8, the electronic device 800 is, for example, the VPN authentication end, VPN server, service server or terminal device described above, and the electronic device 800 includes:

a processor 81 and a memory 82;

The memory 82 stores computer instructions;

The processor 81 executes the computer instructions stored in the memory 82, so that the processor 81 performs the login method implemented by the VPN authentication end, VPN server, service server or terminal device described above.

For the specific implementation process of the processor 81, refer to the method embodiments above; the implementation principles and technical effects are similar and are not repeated here.

Optionally, the electronic device 800 further includes a communication component 83. The processor 81, the memory 82 and the communication component 83 can be connected through a bus 84.

An embodiment of the present application further provides a computer-readable storage medium storing computer instructions which, when executed by a processor, implement the login method carried out by the VPN authentication end, VPN server, service server or terminal device described above.

An embodiment of the present application further provides a computer program product containing a computer program which, when executed by a processor, implements the login method carried out by the VPN authentication end, VPN server, service server or terminal device described above.

Other embodiments of the present application will readily occur to those skilled in the art after considering the specification and practicing the invention disclosed herein. This application is intended to cover any variations, uses or adaptations of the application that follow its general principles and include common knowledge or customary technical means in the art not disclosed in this application. The specification and embodiments are to be regarded as exemplary only, with the true scope and spirit of the application being indicated by the following claims.

It should be understood that the present application is not limited to the precise structures described above and shown in the drawings, and that various modifications and changes may be made without departing from its scope. The scope of the application is limited only by the appended claims.

Claims (17)

1. A login method is applied to a Virtual Private Network (VPN) authentication end deployed in a public network, and comprises the following steps:
determining that the user is a legal user of the VPN service;
sending a trust request to a service server deployed in an intranet, wherein the trust request carries the identity of the user;
receiving a trust response from the service server, wherein the trust response is generated by the service server according to the validity verification result of the identity;
and sending a login response to the terminal equipment of the user according to the trust response, wherein the login response is used for indicating whether the user successfully logs in the service server and the VPN service through a browser.
2. The method of claim 1, wherein determining that the user is a legitimate user of the VPN service comprises:
receiving a page request sent by the terminal device through a browser, wherein the page request is used for requesting to display a login page through the browser, and the login page is used for logging in the VPN service and the business server;
sending a data stream for displaying the login page to the terminal equipment;
receiving login information sent by the terminal equipment through the login page;
carrying out validity verification on the user according to the login information;
and when the login information passes the validity verification, determining that the user is a valid user of the VPN service.
3. The method according to claim 1 or 2, wherein if the trust response indicates that the user is a valid user of the service server, the method further comprises:
generating a token for the user, wherein the token is used for carrying out validity verification on VPN client application of the terminal equipment, and the login response carries the token;
sending the token to a VPN server side providing the VPN service, so that the VPN server side verifies an authentication request sent by the terminal equipment through VPN client application on the basis of the token to obtain a feedback result; or, receiving a token verification request sent by the VPN server, and verifying whether a token carried by the token verification request is legal or not to obtain a feedback result; sending the feedback result to the VPN server, wherein the token carried by the verification request is obtained by the VPN server from an authentication request sent by the terminal equipment through VPN client application;
wherein the feedback result is used for indicating whether the user successfully logs in the business server and the VPN service through the VPN client application.
4. The method of claim 3, wherein the verifying whether the token carried by the verification request is legal to obtain the feedback result comprises:
verifying whether the token is generated by the VPN authentication end and whether the state of the token is normal; if the token is generated by the VPN authentication end and the state is normal, generating a feedback result for indicating that the token is legal;
otherwise, a feedback result indicating that the token is not legitimate is generated.
5. A login method is applied to a Virtual Private Network (VPN) server deployed in a public network, and comprises the following steps:
receiving an authentication request sent by a user through a VPN client application on terminal equipment;
verifying the authentication request to obtain a feedback result, and sending the feedback result to a VPN client application of the terminal equipment;
if the feedback result indicates that the VPN client application successfully logs in a service server and the VPN service, a VPN tunnel is established with the VPN client application, so that a service request sent by the user through the VPN client is received through the VPN tunnel, and the service request is sent to the service server.
6. The method of claim 5, wherein the verifying the authentication request to obtain a feedback result comprises:
receiving a token generated by a VPN authentication end aiming at the user, and verifying the token carried by the authentication request based on the token to obtain a feedback result; or,
and generating a token verification request based on the token carried by the authentication request and sending the token verification request to a VPN authentication end, so that the VPN authentication end verifies the token carried by the verification request to generate the feedback result, and receiving the feedback result returned by the VPN authentication end.
7. A login method is applied to a service server deployed in an intranet, and comprises the following steps:
receiving a trust request from a Virtual Private Network (VPN) authentication end deployed in a public network, wherein the trust request carries an identity of a user, and the user is a legal user of VPN service;
carrying out validity verification on the user to obtain a validity verification result, wherein the validity verification result is used for indicating whether the user is a valid user of the service server or not;
and sending a trust response carrying the validity verification result to the VPN authentication end.
8. A login method is applied to a terminal device and comprises the following steps:
acquiring a data stream for displaying a login page through a browser, wherein the login page is used for logging in a Virtual Private Network (VPN) service and a service server in an intranet;
displaying the login page according to the data stream;
sending a login request carrying login information of a user to a VPN authentication end through the login page;
and receiving a login response from the VPN authentication end, wherein the login response is used for indicating whether the user successfully logs in the service server and the VPN service through a browser.
9. The method of claim 8, wherein the obtaining, by the browser, the data stream for displaying the login page comprises:
responding to click operation on a VPN client application, and popping up the browser;
sending a page request to the VPN authentication terminal through the browser, wherein the page request is used for requesting the browser to display the data stream required by the login page;
and receiving a data stream from the VPN authentication end and used for displaying the login page.
10. The method according to claim 8, wherein after receiving the login response from the VPN authenticator, further comprising:
displaying a login success page according to the login response, wherein the login success page carries a token;
activating the VPN client application with the login success page;
sending an authentication request carrying the token to a VPN server side providing the VPN service by utilizing the VPN client side application;
and receiving a feedback result from the VPN server, wherein the feedback result is used for indicating whether the user successfully logs in the service server and the VPN service through the VPN client application.
11. The method according to any one of claims 8-10, further comprising:
if the feedback result indicates that the user successfully logs in the service server and the VPN service through the VPN client application, requesting, through the VPN client application, to establish a VPN tunnel with the VPN server;
and sending a service request to the VPN server through the VPN tunnel.
12. A login apparatus integrated in a Virtual Private Network (VPN) authentication end deployed in a public network, the apparatus comprising:
the processing module is used for determining that the user is a legal user of the VPN service;
the sending module is used for sending a trust request to a service server deployed in an intranet, wherein the trust request carries the identity of the user;
the receiving module is used for receiving a trust response from the service server, wherein the trust response is generated by the service server according to the validity verification result of the identity;
the sending module is further configured to send a login response to the terminal device of the user according to the trust response, where the login response is used to indicate whether the user successfully logs in the service server and the VPN service through a browser.
13. A login apparatus integrated in a Virtual Private Network (VPN) server deployed in a public network, the apparatus comprising:
the receiving module is used for receiving an authentication request sent by a user through a VPN client application on the terminal equipment;
the processing module is used for verifying the authentication request to obtain a feedback result and sending the feedback result to the VPN client application of the terminal equipment;
if the feedback result indicates that the VPN client application successfully logs in a service server and the VPN service, establishing a VPN tunnel with the VPN client application so as to receive a service request sent by the user through the VPN client through the VPN tunnel;
and the sending module is used for sending the service request to the service server.
14. A login apparatus integrated in a service server deployed in an intranet, the apparatus comprising:
the receiving module is used for receiving a trust request from a Virtual Private Network (VPN) authentication end deployed in a public network, wherein the trust request carries an identity of a user, and the user is a legal user of VPN service;
the processing module is used for carrying out validity verification on the user to obtain a validity verification result, and the validity verification result is used for indicating whether the user is a valid user of the service server or not;
and the sending module is used for sending a trust response carrying the validity verification result to the VPN authentication end.
15. A login apparatus integrated in a terminal device, the apparatus comprising:
the processing module is used for acquiring a data stream for displaying a login page through a browser, wherein the login page is used for logging in a Virtual Private Network (VPN) service and a service server in an intranet;
the display module is used for displaying the login page according to the data stream;
the sending module is used for sending a login request carrying login information of a user to the VPN authentication end through the login page;
and the receiving module is used for receiving a login response from the VPN authentication end, wherein the login response is used for indicating whether the user successfully logs in the service server and the VPN service through a browser.
16. An electronic device comprising a processor, a memory, and a computer program stored on the memory and executable on the processor, wherein execution of the computer program by the processor causes the electronic device to perform the method of any of claims 1-11.
17. A computer-readable storage medium on which a computer program is stored, wherein the computer program, when executed by a processor, carries out the method according to any one of claims 1-11.
CN202110932540.3A 2021-08-13 2021-08-13 Login method, device, equipment and readable storage medium Pending CN113746811A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110932540.3A CN113746811A (en) 2021-08-13 2021-08-13 Login method, device, equipment and readable storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202110932540.3A CN113746811A (en) 2021-08-13 2021-08-13 Login method, device, equipment and readable storage medium

Publications (1)

Publication Number Publication Date
CN113746811A true CN113746811A (en) 2021-12-03

Family

ID=78731213

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110932540.3A Pending CN113746811A (en) 2021-08-13 2021-08-13 Login method, device, equipment and readable storage medium

Country Status (1)

Country Link
CN (1) CN113746811A (en)

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114567510A (en) * 2022-03-21 2022-05-31 上海商汤智能科技有限公司 Login authentication method, device, equipment and storage medium
CN115001840A (en) * 2022-06-21 2022-09-02 北京翼辉信息技术有限公司 Agent-based authentication method, system and computer storage medium
CN115134144A (en) * 2022-06-28 2022-09-30 中国工商银行股份有限公司 Enterprise-level business system authentication method, device and system
CN115348168A (en) * 2022-07-21 2022-11-15 金蝶软件(中国)有限公司 Block chain network deployment method and device
CN118413403A (en) * 2024-07-02 2024-07-30 宁波港信息通信有限公司 Double identity verification device and method
WO2025087412A1 (en) * 2023-10-25 2025-05-01 中移互联网有限公司 Authentication login method, apparatus, and system, device, storage medium, and product

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104883353A (en) * 2015-03-31 2015-09-02 深圳市深信服电子科技有限公司 Terminal single sign-on configuration and authentication method and system, and application service system
CN106330918A (en) * 2016-08-26 2017-01-11 杭州迪普科技有限公司 Multi-system login method and device
US20170134370A1 (en) * 2015-11-05 2017-05-11 Red Hat, Inc. Enabling single sign-on authentication for accessing protected network services

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104883353A (en) * 2015-03-31 2015-09-02 深圳市深信服电子科技有限公司 Terminal single sign-on configuration and authentication method and system, and application service system
US20160294810A1 (en) * 2015-03-31 2016-10-06 Sangfor Technologies Company Limited Terminal single sign-on configuration, authentication method, and system, and application service system thereof
US20170134370A1 (en) * 2015-11-05 2017-05-11 Red Hat, Inc. Enabling single sign-on authentication for accessing protected network services
CN106330918A (en) * 2016-08-26 2017-01-11 杭州迪普科技有限公司 Multi-system login method and device

Cited By (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114567510A (en) * 2022-03-21 2022-05-31 上海商汤智能科技有限公司 Login authentication method, device, equipment and storage medium
CN115001840A (en) * 2022-06-21 2022-09-02 北京翼辉信息技术有限公司 Agent-based authentication method, system and computer storage medium
CN115134144A (en) * 2022-06-28 2022-09-30 中国工商银行股份有限公司 Enterprise-level business system authentication method, device and system
CN115134144B (en) * 2022-06-28 2025-04-15 中国工商银行股份有限公司 Enterprise-level business system authentication method, device and system
CN115348168A (en) * 2022-07-21 2022-11-15 金蝶软件(中国)有限公司 Block chain network deployment method and device
CN115348168B (en) * 2022-07-21 2024-03-19 金蝶软件(中国)有限公司 Deployment method and device of block chain network
WO2025087412A1 (en) * 2023-10-25 2025-05-01 中移互联网有限公司 Authentication login method, apparatus, and system, device, storage medium, and product
CN118413403A (en) * 2024-07-02 2024-07-30 宁波港信息通信有限公司 Double identity verification device and method

Similar Documents

Publication Publication Date Title
US9871791B2 (en) Multi factor user authentication on multiple devices
US10455025B2 (en) Multi-factor authentication
WO2018041078A1 (en) Method, system, proxy server, and computer storage medium for authentication
CN113746811A (en) Login method, device, equipment and readable storage medium
CN113922982B (en) Login method, electronic device and computer readable storage medium
US9038138B2 (en) Device token protocol for authorization and persistent authentication shared across applications
US8510811B2 (en) Network transaction verification and authentication
US6934848B1 (en) Technique for handling subsequent user identification and password requests within a certificate-based host session
US9401909B2 (en) System for and method of providing single sign-on (SSO) capability in an application publishing environment
US8191122B2 (en) Provisioning a network appliance
JP5662507B2 (en) Authentication method, authentication system, and service providing server
US8191123B2 (en) Provisioning a network appliance
US20100197293A1 (en) Remote computer access authentication using a mobile device
US20140289830A1 (en) Method and system of a secure access gateway
US8051465B1 (en) Mitigating forgery of electronic submissions
US20160337338A1 (en) Late binding authentication
KR20170056566A (en) System and method for integrating an authentication service within a network architecture
CN110730174A (en) Network access control method, device, equipment and medium
CN113341798A (en) Method, system, device, equipment and storage medium for remotely accessing application
CN113742676A (en) Login management method, device, server, system and storage medium
CN113614691A (en) Connection leasing system for use with legacy virtual delivery devices and related methods
US11917087B2 (en) Transparent short-range wireless device factor in a multi-factor authentication system
CN114338078B (en) A CS client login method and device
US20060122936A1 (en) System and method for secure publication of online content
CN114374529B (en) Resource access method, device, system, electronic device, medium and program

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20211203
