iframe verification login method and device

Document No.: 1937807 Publication date: 2021-12-07

Reading note: This technology, "iframe verification login method and device", was designed by 汲磊举 on 2021-09-18. Main content: The invention relates to the field of network security and provides an iframe verification login method and device. The method comprises: after logging in to a main system, determining the page of a target system that needs to be accessed through an iframe; generating a corresponding Json Web token according to the page; after transmitting the Json Web token to the target system as a link parameter for accessing the page, receiving the token data sent by the target system; after verifying that the token data sent by the target system matches the Json Web token, obtaining the verified login user information; and sending the verified login user information to the target system, which accesses the page when the verified login user information is consistent with the current login user information. After the token is successfully verified, it is determined whether a re-login is needed; if not, the page is accessed directly, which simplifies the login verification process, improves the flexibility of iframe login verification, and improves the user experience.

1. An iframe authentication login method is characterized by comprising the following steps:

after logging in a main system, determining a page of a target system which needs to be accessed through an iframe;

generating a corresponding Json Web token according to the page; the Json Web token is used for representing authority information of the page;

after the Json Web token is used as a link parameter for accessing the page and is transmitted to the target system, receiving token data sent by the target system;

verifying that the token data sent by the target system is matched with the Json Web token to obtain verification login user information;

and sending the information of the verified login user to a target system, and accessing the page by the target system when the information of the verified login user is consistent with the information of the current login user.

2. The iframe authentication login method of claim 1, wherein generating a corresponding Json Web token from the page comprises:

determining authority information required by the page according to the page;

determining login user information and token expiration time of a target system according to the authority information required by the page;

and generating a corresponding Json Web token according to the login user information of the target system and the token expiration time.

3. The iframe authentication login method of claim 1, wherein transmitting the Json Web token to the target system as a link parameter for accessing the page comprises:

splicing the Json Web token serving as a parameter into a page link of the target system, redirecting the iframe src of the main system to the page link of the target system, and accessing the target system through the iframe.

4. The iframe authentication login method of claim 1, further comprising:

and if the current login user information does not exist, logging in the target system and accessing the page according to the verified login user information.

5. The iframe authentication login method of claim 1, further comprising:

and if the information of the verified login user is inconsistent with the information of the current login user, logging in the target system again according to the information of the verified login user after logging out of the current login, and accessing the page.

6. An iframe authentication login apparatus, comprising:

the target access page determining module is used for determining a page of a target system which needs to be accessed through the iframe after logging in the main system;

the token generation module is used for generating a corresponding Json Web token according to the page; the Json Web token is used for representing authority information of the page;

the token transmission module is used for transmitting the Json Web token serving as a link parameter for accessing the page to the target system and then receiving token data uploaded by the target system;

the first verification module is used for verifying that the token data sent by the target system is matched with the Json Web token to obtain verification login user information;

and the login module is used for sending the information of the verified login user to the target system, and the target system accesses the page when the information of the verified login user is consistent with the information of the current login user.

7. The iframe authentication login apparatus of claim 6, wherein the token generation module is specifically configured to:

determining authority information required by the page according to the page;

determining login user information and token expiration time of a target system according to the authority information required by the page;

and generating a corresponding Json Web token according to the login user information of the target system and the token expiration time.

8. The iframe authentication login apparatus of claim 6, wherein the token transmission module is specifically configured to:

splicing the Json Web token serving as a parameter into a page link of the target system, redirecting the iframe src of the main system to the page link of the target system, and accessing the target system through the iframe.

9. The iframe authentication login apparatus of claim 6, further comprising: a second verification module to:

and if the current login user information does not exist, logging in the target system and accessing the page according to the verified login user information.

10. The iframe authentication login apparatus of claim 6, further comprising: a third verification module to:

and if the information of the verified login user is inconsistent with the information of the current login user, logging in the target system again according to the information of the verified login user after logging out of the current login, and accessing the page.

11. A computer device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, wherein the processor implements the method of any one of claims 1 to 5 when executing the computer program.

12. A computer-readable storage medium, characterized in that the computer-readable storage medium stores a computer program for executing the method of any one of claims 1 to 5.

Technical Field

The invention relates to the technical field of network security, in particular to an iframe verification login method and device.

Background

The current iframe automatic login mode mostly utilizes a single sign-on mechanism, after a main system logs in, when the target system is accessed through the iframe, the target system still needs to log in again after obtaining the current main system user login information, the verification login process is complicated and repeated, the flexibility is not high, and the user experience is poor.

Disclosure of Invention

The embodiment of the invention provides an iframe verification login method, which is used for improving the flexibility of iframe verification login and improving user experience and comprises the following steps:

after logging in a main system, determining a page of a target system which needs to be accessed through an iframe;

generating a corresponding Json Web token according to the page; the Json Web token is used for representing authority information of the page;

after the Json Web token is used as a link parameter for accessing the page and is transmitted to the target system, receiving token data sent by the target system;

verifying that the token data sent by the target system is matched with the Json Web token to obtain verification login user information;

and sending the information of the verified login user to a target system, and accessing the page by the target system when the information of the verified login user is consistent with the information of the current login user.

The embodiment of the invention also provides an iframe login verification device, which is used for improving the flexibility of iframe login verification and improving the user experience, and comprises the following modules:

the target access page determining module is used for determining a page of a target system which needs to be accessed through the iframe after logging in the main system;

the token generation module is used for generating a corresponding Json Web token according to the page; the Json Web token is used for representing authority information of the page;

the token transmission module is used for transmitting the Json Web token serving as a link parameter for accessing the page to the target system and then receiving token data uploaded by the target system;

the first verification module is used for verifying that the token data sent by the target system is matched with the Json Web token to obtain verification login user information;

and the login module is used for accessing the page when the login user information is verified to be consistent with the current login user information.

The embodiment of the invention also provides computer equipment which comprises a memory, a processor and a computer program which is stored on the memory and can run on the processor, wherein the processor realizes the iframe authentication login method when executing the computer program.

An embodiment of the present invention also provides a computer-readable storage medium, where a computer program for executing the iframe authentication login method is stored in the computer-readable storage medium.

In the embodiment of the invention, after logging in to a main system, the page of a target system that needs to be accessed through an iframe is determined; a corresponding Json Web token is generated according to the page, the Json Web token being used for representing authority information of the page; the Json Web token is transmitted to the target system as a link parameter for accessing the page, and the token data sent by the target system is received; after verifying that the token data sent by the target system matches the Json Web token, the verified login user information is obtained; and the verified login user information is sent to the target system, which accesses the page when the verified login user information is consistent with the current login user information. By using the Json Web token, whether a re-login is needed is determined after the token is successfully verified, and if no re-login is needed, the page of the target system is accessed directly, so that the login verification process is simplified, the flexibility of iframe login verification is improved, and the user experience is also improved.

Drawings

In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings needed to be used in the description of the embodiments are briefly introduced below, and it is obvious that the drawings in the following description are only some embodiments of the present invention, and it is obvious for those skilled in the art to obtain other drawings based on these drawings without creative efforts.

Fig. 1 is a schematic diagram of an iframe authentication login method in an embodiment of the present invention.

Fig. 2 is a schematic diagram of a method for implementing step 102 in an embodiment of the present invention.

FIG. 3 is a schematic flow chart of an embodiment of the present invention.

Fig. 4 is a schematic diagram of an iframe authentication login apparatus according to an embodiment of the present invention.

Fig. 5 is a schematic diagram of an iframe authentication login device in an embodiment of the invention.

Fig. 6 is a schematic diagram of an iframe authentication login device in another embodiment of the invention.

Fig. 7 is a schematic structural diagram of a computer device according to an embodiment of the present invention.

Detailed Description

The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.

An embodiment of the present invention provides an iframe authentication login method, which is used to improve flexibility of iframe authentication login and improve user experience, and as shown in fig. 1, the method includes:

step 101: after logging in a main system, determining a page of a target system which needs to be accessed through an iframe;

step 102: generating a corresponding Json Web token according to the page; the Json Web token is used for representing authority information of the page;

step 103: transmitting the Json Web token serving as a link parameter for accessing the page to a target system, and receiving token data sent by the target system;

step 104: verifying that the token data sent by the target system matches the Json Web token, and obtaining the verified login user information;

step 105: and sending the information of the verified login user to a target system, and accessing the page by the target system when the information of the verified login user is consistent with the information of the current login user.

As can be seen from the flow shown in fig. 1, in the embodiment of the present invention, after logging in to a main system, the page of a target system that needs to be accessed through an iframe is determined; a corresponding Json Web token is generated according to the page, the Json Web token being used for representing authority information of the page; the Json Web token is transmitted to the target system as a link parameter for accessing the page, and the token data sent by the target system is received; after verifying that the token data sent by the target system matches the Json Web token, the verified login user information is obtained; and the verified login user information is sent to the target system, which accesses the page when the verified login user information is consistent with the current login user information. By using the Json Web token, whether a re-login is needed is determined after the token is successfully verified, and if no re-login is needed, the page of the target system is accessed directly, so that the login verification process is simplified, the flexibility of iframe login verification is improved, and the user experience is also improved.

In specific implementation, the main system is logged in to first, and after login the page of the target system that needs to be accessed through the iframe is determined. After logging in to the main system, another system, namely the target system, can be accessed through the src link of an embedded iframe window: the front end sets the iframe link address to a backend address of the main system, with the page address of the target system to be accessed as the parameter.

A corresponding Json Web Token (JWT) is generated according to the page; as shown in fig. 2, the specific process includes:

step 201: determining authority information required by the page according to the page;

step 202: determining login user information and token expiration time of a target system according to the authority information required by the page;

step 203: and generating a corresponding JWT according to the login user information and the token expiration time of the target system.

JWT (JSON Web Token) is a JSON-based open standard (RFC 7519) for transferring claims between web application environments. The token is designed to be compact and secure, and is particularly suited to single sign-on (SSO) scenarios for distributed sites. JWT claims are typically used to pass authenticated user identity information between an identity provider and a service provider so that resources can be obtained from the server; additional claims required by other business logic may be added; and the token may be used directly for authentication, or may be encrypted.

In implementation, a token expiration time can be set for the JWT, which prevents loss of control over the authority if the JWT is stolen.

After the corresponding JWT is generated, the JWT is transmitted to the target system as the link parameter for accessing the page, and the token data sent by the target system is then received. The specific process of transmitting the JWT to the target system as the link parameter for accessing the page includes: splicing the JWT as a parameter into the page link of the target system, redirecting the iframe src of the main system to the page link of the target system, and accessing the target system through the iframe.

After the JWT is transmitted to the target system as a link parameter for accessing the page, the target system receives the access request, parses it to extract the JWT, calls back the token verification interface of the main system, and uploads the extracted token data for verification.

After receiving the token data sent by the target system, the main system verifies whether the token data matches the JWT, and obtains the verified login user information after successful verification; the verified login user information is sent to the target system, which accesses the page when the verified login user information is consistent with the current login user information.

Specifically, the embodiment also covers the case where there is no login: if the current login user information does not exist, the target system is logged in to according to the verified login user information and the page is then accessed.

Similarly, there is also the case where the verified login user information is inconsistent with the current login user information, for which the embodiment further includes: if the verified login user information is inconsistent with the current login user information, the current login is logged out, the target system is logged in to again according to the verified login user information, and the page is then accessed.

A specific example is given below to illustrate how embodiments of the present invention implement iframe authenticated login.

Because the current iframe automatic login mode mostly utilizes a single sign-on mechanism, after a main system logs in, when the target system is accessed through the iframe, the target system can only obtain the current user login information of the main system, and the purpose of flexibly switching users by accessing the target system through the iframe cannot be met.

Therefore, this embodiment not only allows another system B to be accessed directly through the embedded iframe window, without logging in again, once the main system A has been logged in to successfully; it also handles the case where the user logged in to the main system A differs from the user logged in to system B accessed through the iframe, and the authority for viewing each page differs, by dynamically switching the login user that accesses system B through the iframe.

As shown in fig. 3, a schematic workflow diagram of the present embodiment specifically includes:

(1) (2) represents: a user accesses the main system A through a browser;

(3) (4) represents: the user wants to access the page of the system B through the iframe in the browser, and first accesses the main system A (the main system A embeds the page of the system B through the iframe window);

(5) represents: the main system A generates different tokens according to different permissions for accessing the pages of the system B;

(6) (7) represents: after the main system A generates the token, the token is used as a page link parameter for accessing the system B and is redirected to the system B;

(8) represents: the system B resolves the URL (Uniform Resource Locator) of the received request to obtain a token;

(9) represents: the system B accesses the token verification interface of the main system A and uploads token data;

(10) represents: the main system A parses the uploaded token data and checks whether it is valid;

(11) represents: the main system A returns the parsing result to the system B; if the verification succeeds, success information and the login user information are returned, and if the verification fails, failure information is returned and the login fails;

(12) represents: the system B obtains the returned result, determines whether it is logged in, and decides how to log in. Specifically, the system B checks the current login state: if it is not logged in, it logs in; if it is logged in but the current login user does not match the returned login user information, it logs out and logs in again; if it is logged in and the login user information is consistent with the returned login user information, no operation is performed;

(13) represents: and returning the login result to the browser.

In this embodiment, the JWT is used as the system login credential and is passed between the main system and the system embedded in the iframe. The token is in ciphertext form, which ensures information security, and setting a token expiration time prevents loss of control over the authority after a token is stolen, so the method is simple, flexible and secure. A new token is generated before each access to the iframe page and is passed to the embedded system; the embedded system can determine the user authority for accessing the current page from the information returned by the token verification interface, which provides a flexible mode of authority control.
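The flow in (5) to (12), together with steps 201 to 203, as an added Python example that is not code from the patent: main system A issues a short-lived signed token bound to the requested page, and system B calls A's verification interface and then chooses between login, re-login and no action. The function names, the page-to-user table, the `page` and `jti` claims, the single-use check and the in-process call standing in for B's HTTPS callback are assumptions; the token here is HS256-signed, not encrypted as in the embodiment.

```python
import base64, hashlib, hmac, json, secrets, time
from urllib.parse import parse_qs, urlencode, urlparse

SECRET = secrets.token_bytes(32)   # held only by main system A
TOKEN_TTL = 60                     # seconds; short because the token rides in a URL
# Constructed policy: target page -> user the target system should run as.
PAGE_POLICY = {"/reports": "auditor", "/admin": "admin"}
USED_JTI = set()                   # single-use tracking (assumption, not in the patent)


def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(signing_input):
    # The algorithm is fixed to HMAC-SHA256; the header's "alg" is never consulted.
    mac = hmac.new(SECRET, signing_input.encode(), hashlib.sha256)
    return _b64(mac.digest())


def issue_token(page, now=None):
    """Steps 201-203: page -> required authority -> target user + expiry -> JWT."""
    now = time.time() if now is None else now
    claims = {"sub": PAGE_POLICY[page], "page": page,
              "exp": int(now) + TOKEN_TTL, "jti": secrets.token_hex(8)}
    head = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64(json.dumps(claims).encode())
    return "%s.%s.%s" % (head, body, _sign(head + "." + body))


def iframe_src(target_base, page, token):
    """(6)(7): splice the token into the target page link used as the iframe src."""
    return "%s%s?%s" % (target_base, page, urlencode({"token": token}))


def verify_token(token, page, now=None):
    """(10)(11): main system A's token verification interface."""
    now = time.time() if now is None else now
    try:
        head, body, sig = token.split(".")
        expected = _sign(head + "." + body)
        if not hmac.compare_digest(sig.encode(), expected.encode()):
            return {"ok": False, "reason": "bad signature"}
        claims = json.loads(_unb64(body))
    except ValueError:
        return {"ok": False, "reason": "malformed"}
    if claims["exp"] <= now:
        return {"ok": False, "reason": "expired"}
    if claims["page"] != page:
        return {"ok": False, "reason": "wrong page"}
    if claims["jti"] in USED_JTI:
        return {"ok": False, "reason": "replayed"}
    USED_JTI.add(claims["jti"])
    return {"ok": True, "user": claims["sub"]}


def target_handle(request_url, current_user, now=None):
    """(8)(9)(12): system B extracts the token, asks A, then picks a login action."""
    parsed = urlparse(request_url)
    token = parse_qs(parsed.query).get("token", [""])[0]
    result = verify_token(token, parsed.path, now)   # stands in for the HTTPS callback
    if not result["ok"]:
        return ("deny", current_user)        # keep the existing session untouched
    if current_user is None:
        return ("login", result["user"])     # not logged in: log in
    if current_user != result["user"]:
        return ("relogin", result["user"])   # different user: log out, log in again
    return ("noop", result["user"])          # same user: nothing to do


if __name__ == "__main__":
    url = iframe_src("https://b.example", "/reports", issue_token("/reports"))
    print(target_handle(url, None))       # first use of the link
    print(target_handle(url, "auditor"))  # same link again is refused
```

Because the token is a URL parameter it can end up in access logs, browser history and Referer headers, which is why the example keeps the lifetime short and refuses a second use of the same token.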

The implementation of the above specific application is only an example, and the rest of the embodiments are not described in detail.

Based on the same inventive concept, embodiments of the present invention further provide an iframe authentication login apparatus, where the principle of the problem solved by the iframe authentication login apparatus is similar to that of the iframe authentication login method, so that the implementation of the iframe authentication login apparatus can refer to the implementation of the iframe authentication login method, repeated parts are not described again, and the specific structure is shown in fig. 4:

the target access page determining module 401 is configured to determine a page of a target system that needs to be accessed through an iframe after logging in a host system;

a token generation module 402, configured to generate a corresponding Json Web token according to a page; the Json Web token is used for representing authority information of the page;

the token transmission module 403 is configured to transmit the Json Web token serving as a link parameter for accessing the page to the target system, and then receive token data sent by the target system;

the first verification module 404 is configured to verify that token data sent by a target system is matched with a Json Web token, and then obtain verification login user information;

and the login module 405 is configured to send the information of the verified login user to the target system, and the target system accesses the page when the information of the verified login user is consistent with the information of the current login user.

In a specific embodiment, the token generating module 402 is specifically configured to:

determining authority information required by the page according to the page;

determining login user information and token expiration time of a target system according to the authority information required by the page;

and generating a corresponding Json Web token according to the login user information of the target system and the token expiration time.

In specific implementation, the token transmission module 403 is specifically configured to:

and splicing the Json Web token serving as a parameter into a page link of the target system, redirecting the iframe src of the main system to the page link of the target system, and accessing the target system through the iframe.

As shown in fig. 5, the iframe authentication login apparatus in the specific embodiment further includes, on the basis of fig. 4: a second verification module 501, configured to:

if the current login user information does not exist, the target system is logged in according to the verification login user information, and the page is accessed.

In another embodiment, as shown in fig. 6, the iframe authentication login apparatus further includes, on the basis of fig. 4: a third verification module 601, configured to:

and if the information of the verification login user is inconsistent with the information of the current login user, logging in the target system again according to the information of the verification login user after logging out of the current login, and accessing the page.

An embodiment of the present invention further provides a computer device, and fig. 7 is a schematic diagram of the computer device in the embodiment of the present invention, where the computer device is capable of implementing all steps in the iframe authentication login method in the embodiment, and the computer device specifically includes the following contents:

a processor (processor)701, a memory (memory)702, a communication Interface (Communications Interface)703, and a communication bus 704;

the processor 701, the memory 702 and the communication interface 703 complete mutual communication through the communication bus 704; the communication interface 703 is used for implementing information transmission between related devices;

the processor 701 is configured to call a computer program in the memory 702, and when the processor executes the computer program, the iframe authentication login method in the above embodiment is implemented.

An embodiment of the present invention further provides a computer-readable storage medium, where a computer program for executing the iframe authentication login method is stored in the computer-readable storage medium.

In summary, the iframe authentication login method and apparatus provided in the embodiments of the present invention have the following advantages:

after logging in to a main system, the page of a target system that needs to be accessed through the iframe is determined; a corresponding Json Web token is generated according to the page, the Json Web token being used for representing authority information of the page; the Json Web token is transmitted to the target system as a link parameter for accessing the page, and the token data sent by the target system is received; after verifying that the token data sent by the target system matches the Json Web token, the verified login user information is obtained; and the verified login user information is sent to the target system, which accesses the page when the verified login user information is consistent with the current login user information. By using the Json Web token, whether a re-login is needed is determined after the token is successfully verified, and if no re-login is needed, the page of the target system is accessed directly, so that the login verification process is simplified, the flexibility of iframe login verification is improved, and the user experience is also improved.

Although the present invention provides method steps as described in the examples or flowcharts, more or fewer steps may be included based on routine or non-inventive labor. The order of steps recited in the embodiments is merely one manner of performing the steps in a multitude of orders and does not represent the only order of execution. When an actual apparatus or client product executes, it may execute sequentially or in parallel (e.g., in the context of parallel processors or multi-threaded processing) according to the embodiments or methods shown in the figures.

As will be appreciated by one skilled in the art, embodiments of the present description may be provided as a method, apparatus (system) or computer program product. Accordingly, embodiments of the present description may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present invention may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.

The present invention is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems) and computer program products according to embodiments of the invention. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.

These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.

These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.

The embodiments in the present specification are described in a progressive manner, and the same and similar parts among the embodiments are referred to each other, and each embodiment focuses on the differences from the other embodiments. In particular, for the system embodiment, since it is substantially similar to the method embodiment, the description is simple, and for the relevant points, reference may be made to the partial description of the method embodiment. In this document, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. The terms "upper", "lower", and the like, indicate orientations or positional relationships based on the orientations or positional relationships shown in the drawings, and are only for convenience in describing the present invention and simplifying the description, but do not indicate or imply that the referred devices or elements must have a specific orientation, be constructed and operated in a specific orientation, and thus, should not be construed as limiting the present invention. Unless expressly stated or limited otherwise, the terms "mounted," "connected," and "connected" are intended to be inclusive and mean, for example, that they may be fixedly connected, detachably connected, or integrally connected; can be mechanically or electrically connected; they may be connected directly or indirectly through intervening media, or they may be interconnected between two elements. 
The specific meanings of the above terms in the present invention can be understood by those skilled in the art according to specific situations. It should be noted that the embodiments and features of the embodiments may be combined with each other without conflict. The present invention is not limited to any single aspect, nor is it limited to any single embodiment, nor is it limited to any combination and/or permutation of these aspects and/or embodiments. Moreover, each aspect and/or embodiment of the present invention may be utilized alone or in combination with one or more other aspects and/or embodiments thereof.

Finally, it should be noted that: the above embodiments are only used to illustrate the technical solution of the present invention, and not to limit the same; while the invention has been described in detail and with reference to the foregoing embodiments, it will be understood by those skilled in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some or all of the technical features may be equivalently replaced; such modifications and substitutions do not depart from the spirit and scope of the present invention, and they should be construed as being included in the following claims and description.
