阅读说明：本技术 访问处理方法、装置、系统、第一认证服务器及存储介质 (Access processing method, device, system, first authentication server and storage medium ) 是由 常润东 黄晓娟 于 2019-10-14 设计创作，主要内容包括：本发明提供了访问处理方法、装置、系统、第一认证服务器及计算机可读存储介质,其中所述访问处理方法包括：通过第一认证服务器接收客户端的访问请求；获取所述客户端的身份信息；当已存储身份信息包括所述客户端的身份信息时,生成凭证信息；存储所述凭证信息,以根据所述凭证信息对所述客户端进行认证；将所述凭证信息同步至第二认证服务器,以使所述第二认证服务器根据所述凭证信息对所述客户端进行认证。本发明提升了访问处理的兼容性和扩展性,适用于接入不同独立的应用系统服务器的公有云平台。(The invention provides an access processing method, an access processing device, an access processing system, a first authentication server and a computer readable storage medium, wherein the access processing method comprises the following steps: receiving an access request of a client through a first authentication server; acquiring identity information of the client; generating credential information when the stored identity information includes identity information of the client; storing the credential information to authenticate the client according to the credential information; and synchronizing the credential information to a second authentication server so that the second authentication server authenticates the client according to the credential information. The invention improves the compatibility and expansibility of access processing, and is suitable for the public cloud platform accessing different independent application system servers.)

1. An access processing method, comprising:

receiving an access request of a client through a first authentication server;

acquiring identity information of the client;

generating credential information when the stored identity information includes identity information of the client;

storing the credential information to authenticate the client according to the credential information;

and synchronizing the credential information to a second authentication server so that the second authentication server authenticates the client according to the credential information.

2. The access processing method of claim 1, wherein the generating credential information comprises:

determining at least one white list address stored by the first authentication server, wherein the white list address corresponds to a second authentication server trusted by the first authentication server;

and generating credential information according to the white list address, wherein the credential information is used for being synchronized to a second authentication server corresponding to the white list address.

3. The access processing method of claim 2, further comprising:

receiving synchronized credential information;

storing the credential information when a white list address in the credential information is the same as an address of the first authentication server;

discarding the credential information when a whitelist address within the credential information is different from an address of the first authentication server.

4. The access processing method of claim 2, wherein the generating credential information from the whitelist address comprises:

encrypting the identity information of the client to generate encrypted identity information;

and generating credential information according to the encrypted identity information and the white list address.

5. The access processing method of claim 4, wherein after encrypting the identity information of the client to generate encrypted identity information, further comprising:

and generating bill information according to the encrypted identity information and all the white list addresses, and sending the bill information to the client so that the client initiates an access request comprising the bill information to perform authentication.

6. The access processing method of claim 5, further comprising:

receiving bill information of the client;

when the bill information is the same as the encrypted identity information in the certificate information and the bill information comprises a white list address in the certificate information, determining that the client authentication is successful;

determining that the client authentication fails when the ticket information is different from encrypted identity information in the credential information and/or the ticket information does not include a white list address in the credential information.

7. The access processing method according to any one of claims 1 to 6, wherein the receiving, by the first authentication server, an access request of the client includes:

and receiving a redirected access request through a first authentication server, wherein the access request is intercepted and redirected by an application system server corresponding to the first authentication server.

8. The access processing method of claim 7, further comprising:

when the stored identity information comprises the identity information of the client, generating bill information and sending the bill information to the client;

adding the ticket information to the access request and redirecting the access request to the application system server.

9. An access processing apparatus, comprising:

the receiving unit is used for receiving an access request of the client through the first authentication server;

the acquiring unit is used for acquiring the identity information of the client;

a generating unit configured to generate credential information when the stored identity information includes identity information of the client;

the storage unit is used for storing the certificate information so as to authenticate the client according to the certificate information;

and the synchronization unit is used for synchronizing the certificate information to a second authentication server so that the second authentication server authenticates the client according to the certificate information.

10. An access processing system comprising a client, a first authentication server and a second authentication server, the first authentication server performing the access processing method according to any one of claims 1 to 8.

11. A first authentication server, characterized in that the first authentication server comprises a memory, a processor and a computer program stored in the memory and executable on the processor, the processor implementing the access processing method according to any one of claims 1 to 8 when executing the computer program.

12. A computer-readable storage medium, in which a computer program is stored which, when being executed by a processor, carries out the access processing method according to any one of claims 1 to 8.

Technical Field

The invention belongs to the technical field of computers, and particularly relates to an access processing method, device and system, a first authentication server and a computer readable storage medium.

Background

With the continuous development of cloud computing technology, services provided by a cloud platform are more and more abundant. Besides the distributed architecture of the public cloud platform, the public cloud platform also needs to access various independent external application system servers, such as a web system server. Because different application system servers are independent of each other, the client is generally required to perform identity authentication before each application system server is used, and the service provided by the application system server can be used only after login is successful, so that a user of the client needs to remember the authentication mode of each application system server, the application is inconvenient to use, and the complexity of the cloud platform for user management is increased.

In view of the situation, a single sign-on method is proposed at present, that is, a uniform authentication server is deployed for each application system server, the authentication server stores the identity information of each application system server, performs identity authentication on a client, and stores credential information after authentication is successful, so that rapid authentication is performed according to the credential information when the client accesses next time. However, the above method requires that the identity information of each application system server, such as a user name and a password, must conform to a unified standard and a unified format, and when the cloud platform accesses an application system server with inconsistent authentication methods, a large amount of modification needs to be performed on the identity authentication service and the corresponding database structure for storing the identity information, so that the compatibility and the expansibility are poor.

Disclosure of Invention

The embodiment of the invention provides an access processing method, an access processing device, an access processing system, a first authentication server and a computer readable storage medium, which can improve the compatibility and expansibility of access processing and are suitable for cloud platforms accessing different application system servers.

The technical scheme of the embodiment of the invention is realized as follows:

the embodiment of the invention provides an access processing method, which comprises the following steps:

receiving an access request of a client through a first authentication server;

acquiring identity information of the client;

generating credential information when the stored identity information includes identity information of the client;

storing the credential information to authenticate the client according to the credential information;

and synchronizing the credential information to a second authentication server so that the second authentication server authenticates the client according to the credential information.

An embodiment of the present invention provides an access processing apparatus, including:

the receiving unit is used for receiving an access request of the client through the first authentication server;

the acquiring unit is used for acquiring the identity information of the client;

a generating unit configured to generate credential information when the stored identity information includes identity information of the client;

the storage unit is used for storing the certificate information so as to authenticate the client according to the certificate information;

and the synchronization unit is used for synchronizing the certificate information to a second authentication server so that the second authentication server authenticates the client according to the certificate information.

An embodiment of the present invention provides a first authentication server, where the first authentication server includes a memory, a processor, and a computer program stored in the memory and executable on the processor, and when the processor executes the computer program, the processor implements:

receiving an access request of a client through a first authentication server;

acquiring identity information of the client;

generating credential information when the stored identity information includes identity information of the client;

storing the credential information to authenticate the client according to the credential information;

and synchronizing the credential information to a second authentication server so that the second authentication server authenticates the client according to the credential information.

The embodiment of the invention provides an access processing system, which comprises a client, a first authentication server and a second authentication server, wherein the first authentication server executes:

receiving an access request of a client through a first authentication server;

acquiring identity information of the client;

generating credential information when the stored identity information includes identity information of the client;

storing the credential information to authenticate the client according to the credential information;

and synchronizing the credential information to a second authentication server so that the second authentication server authenticates the client according to the credential information.

An embodiment of the present invention provides a computer-readable storage medium, in which a computer program is stored, and when executed by a processor, the computer program implements:

receiving an access request of a client through a first authentication server;

acquiring identity information of the client;

generating credential information when the stored identity information includes identity information of the client;

storing the credential information to authenticate the client according to the credential information;

and synchronizing the credential information to a second authentication server so that the second authentication server authenticates the client according to the credential information.

The embodiment of the invention has the beneficial effects that:

in the embodiment of the invention, the client is authenticated through the first authentication server, and the certificate information is generated and stored when the authentication is successful so as to authenticate the client according to the certificate information.

Drawings

FIG. 1 is a flow chart of an implementation of an access processing method provided by an embodiment of the present invention;

fig. 2 is an architecture diagram of an access processing method provided in an embodiment of the present invention;

fig. 3 is another architecture diagram of the access processing method provided by the embodiment of the present invention;

FIG. 4 is a flowchart of an implementation of generating credential information provided by an embodiment of the invention;

FIG. 5 is a flowchart of an implementation of processing received credential information according to an embodiment of the present invention;

FIG. 6 is a diagram illustrating synchronization credential information provided by an embodiment of the present invention;

FIG. 7 is a flowchart of an implementation of generating credential information based on encrypted identity information and a white list address according to an embodiment of the present invention;

FIG. 8 is a schematic diagram of credential information provided by an embodiment of the present invention;

FIG. 9 is a schematic illustration of ticket information provided by an embodiment of the present invention;

FIG. 10 is a flowchart of an implementation of determining an authentication result according to ticket information and credential information according to an embodiment of the present invention;

fig. 11 is a block diagram of an access processing apparatus according to an embodiment of the present invention;

FIG. 12 is a schematic diagram of an access processing system provided by an embodiment of the invention;

fig. 13 is a schematic diagram of a first authentication server according to an embodiment of the present invention.

Detailed Description

In the following description, for purposes of explanation and not limitation, specific details are set forth, such as particular system structures, techniques, etc. in order to provide a thorough understanding of the embodiments of the invention. It will be apparent, however, to one skilled in the art that the present invention may be practiced in other embodiments that depart from these specific details. In other instances, detailed descriptions of well-known systems, devices, circuits, and methods are omitted so as not to obscure the description of the present invention with unnecessary detail.

In order to explain the technical means of the present invention, the following description will be given by way of specific examples.

Fig. 1 shows an implementation flow of the access processing method provided by the embodiment of the present invention, which is detailed as follows:

in S101, an access request of a client is received through a first authentication server.

The public cloud platform is usually accessed to different independent application system servers, in a traditional access processing mechanism, a unified authentication server is usually constructed, identity information authentication is performed on a client through the authentication server, and the client is allowed to use services provided by the application system server corresponding to the authentication server after the authentication is successful, such as a page display service. Because the authentication modes of different application system servers may be different, for example, the application system server a performs authentication by using a password authentication mode, and the application system server B performs authentication by using a short message verification code authentication mode, the authentication modes and the identity information of the application system servers must be standardized, and then authentication can be performed by a uniform authentication server, and the standardization often involves a large amount of data migration and data association operations, resulting in poor compatibility and expansibility of the conventional access processing mechanism.

In view of the above situation, in the embodiment of the present invention, corresponding authentication servers are separately established for different application system servers, and for convenience of understanding, a first authentication server and a second authentication server are used to distinguish, where "first" and "second" are only used to distinguish different established authentication servers, and do not indicate the order. The first authentication server receives an access request of a client, and the embodiment of the present invention does not limit the manner in which the client initiates the access request, for example, on the premise that the first authentication server provides an address of a login page, the client may directly access the address of the login page through a browser, so as to initiate the access request to the first authentication server, where the access request may be a HyperText Transfer Protocol (HTTP) request or a request using another Protocol.

In one implementation, a redirected access request is received by a first authentication server, and the access request is intercepted and redirected by an application system server corresponding to the first authentication server. As shown in fig. 2, in some access mechanisms, a client may directly initiate an access request to an application system server corresponding to a first authentication server, so in the embodiment of the present invention, a Filter (Filter) component is deployed in the application system server, and an access request for accessing the application system server is intercepted by the Filter component, and the access request is redirected to the first authentication server for verification. On the basis, whether the client is authenticated or not can be judged through the filtering component, different operations are executed according to the judgment result, for example, when the access request of the client carries authenticated information such as bill information, the access request is not intercepted, wherein the specific content of the bill information is elaborated in the following text; when the access request of the client does not carry the authenticated information, if the client is determined not to be logged in, the access request is intercepted, and the access request is redirected to the first authentication server. By the method, the applicability of processing the access request is improved.

In S102, identity information of the client is obtained.

The first authentication server interacts with the client to obtain the identity information of the client after receiving the access request. For example, the first authentication server may provide a login page to a browser of the client, and a user of the client inputs identity information on the login page for interaction.

In S103, when the stored identity information includes the identity information of the client, credential information is generated.

The stored identity information refers to identity information of a client with a service using authority, and when the stored identity information of the first authentication server comprises the identity information of the client, the client is proved to have the service using authority, and credential information corresponding to the client is generated; when the stored identity information of the first authentication server does not include the identity information of the client, the client is proved not to have the service using authority, the authentication failure of the client is determined, and a prompt of the authentication failure can be output to the client.

In one implementation, when the stored identity information includes identity information of the client, generating ticket information, and sending the ticket information to the client; the ticket information is added to the access request and the access request is redirected to the application system server. The method for authenticating the client according to the voucher information is not limited, for example, besides the voucher information, the method can also generate the bill information and send the bill information to the client, when the client accesses subsequently, the bill information is added into the access request and sent to the application system server, the application system server sends the bill information in the access request to the first authentication server, and the first authentication server determines that the client is authenticated successfully or unsuccessfully according to the bill information and the voucher information. In addition, in order to specify the authentication, the ticket information is added to the access request, for example, in a case that the access request is an HTTP request, the ticket information is added to a Uniform Resource Locator (URL) of the access request, and the access request is redirected to the application system server, so that the application system server can send the ticket information to the first authentication server for authentication, and the first authentication server determines that the client authentication is successful or the client authentication is failed. The method improves the normalization of access processing.

In S104, the credential information is stored to authenticate the client according to the credential information.

And storing the obtained credential information, specifically storing the credential information in a cache and a database of the first authentication server, so as to authenticate the client according to the credential information when authenticating next time.

In S105, the credential information is synchronized to a second authentication server, so that the second authentication server authenticates the client according to the credential information.

And the first authentication server synchronizes the certificate information to the second authentication server so that the second authentication server authenticates the client according to the certificate information after storing the certificate information. Therefore, even if the first authentication server and the second authentication server originally apply different authentication modes, after the credential information is synchronized, the second authentication server can quickly authenticate the corresponding client according to the credential information.

In order to facilitate understanding of the contents of the embodiment of the present invention, another architecture diagram of the access processing method shown in fig. 3 is provided, in fig. 3, an application system server 1 corresponds to a first authentication server, an application system server 2 corresponds to a second authentication server, and credential information can be intercommunicated between the first authentication server and the second authentication server. When the client sends an access request to the application system server 1, the application system server 1 redirects the access request to the first authentication server for verification, the first authentication server performs identity authentication on the client, and when the identity authentication is successful, that is, the stored identity information of the first authentication server includes the identity information of the client, the first authentication server generates and stores credential information and synchronizes the credential information to the second authentication server. Therefore, after the second authentication server stores the synchronous certificate information, the same client can be quickly authenticated according to the certificate information.

As can be known from the above exemplary implementation of fig. 1 in the embodiment of the present invention, the first authentication server authenticates the client, and when the authentication is successful, the credential information is generated and stored, and is synchronized to the second authentication server, so that the second authentication server authenticates the client according to the credential information.

Fig. 4 is a flowchart illustrating an implementation of generating credential information according to an embodiment of the present invention, and as shown in fig. 4, the method may include the following steps:

in S401, at least one white list address stored by the first authentication server is determined, where the white list address corresponds to a second authentication server trusted by the first authentication server.

In the embodiment of the present invention, a white list mechanism is applied to control a flow direction of credential information, and specifically, at least one white list address stored in a first authentication server is determined, where the white list address is an address of a second authentication server trusted by the first authentication server, and may be set according to an actual application scenario. It should be noted that the first authentication server trusts a second authentication server, which means that the first authentication server and the second authentication server can share the same credential information for authentication.

In S402, generating credential information according to the white list address, where the credential information is used to be synchronized to a second authentication server corresponding to the white list address.

And independently generating credential information according to the determined white list address, wherein the credential information is used for being synchronized to a second authentication server corresponding to the white list address in the credential information, namely the generated credential information only comprises a single white list address. For example, the white list Address stored by the first authentication server includes Address_AAnd Address_BIf so, generating a message including the Address_AFor being synchronized to an Address_AA corresponding second authentication server; generating an include Address_BFor being synchronized to an Address_BA corresponding second authentication server.

As can be known from the above exemplary implementation of fig. 4 in the embodiment of the present invention, at least one white list address stored in the first authentication server is determined, and credential information is generated according to the white list address, where the credential information is used to be synchronized to the second authentication server corresponding to the white list address.

Fig. 5 is a flowchart illustrating an implementation of processing received credential information according to an embodiment of the present invention, and as shown in fig. 5, the method may include the following steps:

in S501, synchronized credential information is received.

When the first authentication server receives the synchronized credential information, a white list address in the credential information is determined.

In S502, when the white list address in the credential information is the same as the address of the first authentication server, the credential information is stored.

After the credential information is generated, the credential information may be unknowingly synchronized, and as shown in fig. 6, the white list address in the authentication server 1 includes the address of the authentication server 2, the address of the authentication server 3, and the address of the authentication server 4, the white list address in the authentication server 2 includes the address of the authentication server 1 and the address of the authentication server 3, and the white list address in the authentication server 3 includes the address of the authentication server 1 and the address of the authentication server 4. On this basis, if the authentication server 2 generates the credential information, the credential information is synchronized to the authentication server 1 and the authentication server 3, and then the authentication server 3 continues to synchronize the credential information to the authentication server 4 according to the white list address stored in itself, but the address of the authentication server 4 is not the white list address of the authentication server 2 generating the credential information, that is: the process of synchronizing the credential information to the authentication server 4 is performed without the knowledge of the authentication server 2. Therefore, in the embodiment of the present invention, when the white list address in the credential information is the same as the address of the first authentication server itself, it is verified that the first authentication server is the authentication server for which the credential information is originally expected to be synchronized, and the credential information is stored.

In S503, when the whitelist address in the credential information is different from the address of the first authentication server, discarding the credential information.

When the white list address in the certificate information is different from the address of the first authentication server, the certificate information is proved to be wrongly synchronized to the first authentication server, and the certificate information is discarded, so that illegal diffusion is prevented. For example, assume that the Address of the first authentication server is Address₁The white list Address in the certificate information received by the first authentication server is Address₂If the address of the white list in the credential information is different from the address of the first authentication server, the first authentication server discards the credential information. It should be noted that S501 to S503 are also applicable to the second authentication server.

As can be seen by the above exemplary implementation of fig. 5 in the inventive embodiments, receiving synchronized credential information, and storing the credential information when a white list address in the credential information is the same as an address of the first authentication server; when the white list address in the certificate information is different from the address of the first authentication server, the certificate information is discarded.

Fig. 7 is a flowchart illustrating an implementation of generating credential information according to encrypted identity information and a white list address according to an embodiment of the present invention, and as shown in fig. 7, the method may include the following steps:

in S701, the identity information of the client is encrypted to generate encrypted identity information.

In order to ensure that the credential information corresponding to different clients is different, in the embodiment of the present invention, the identity information of the client is encrypted to generate the encrypted identity information, and specifically, part or all of the content of the identity information of the client may be encrypted. The encryption algorithm used for encryption is not limited in the embodiments of the present invention, and for example, a message digest algorithm may be used for encryption.

In S702, credential information is generated according to the encrypted identity information and the white list address.

Generating credential information based on the encrypted identity information and the white list address, as shown in fig. 8, the generated credential information includes the encrypted identity information and the white list address.

In one implementation, the ticket information is generated according to the encrypted identity information and all white list addresses, and the ticket information is sent to the client, so that the client initiates an access request including the ticket information for authentication. In addition to generating the credential information, in the embodiment of the present invention, the ticket information may be generated, specifically, the ticket information is generated according to the encrypted identity information and all white list addresses stored by the first authentication server, and is sent to the client, and after the client stores the ticket information, the client may initiate an access request including the ticket information for authentication next time. As shown in fig. 9, assuming that the white list addresses stored by the first authentication server include N, where N is an integer greater than 2, the generated ticket information includes the encrypted identity information and the N white list addresses. The uniqueness of the bill information is ensured through the method.

As can be known from the above exemplary implementation of fig. 7 in the embodiment of the present invention, the identity information of the client is encrypted to generate encrypted identity information, and the credential information is generated according to the encrypted identity information and the white list address.

Fig. 10 is a flowchart illustrating an implementation of determining an authentication result according to ticket information and credential information according to an embodiment of the present invention, and as shown in fig. 10, the method may include the following steps:

in S1001, ticket information of the client is received.

And on the premise that the generated credential information comprises the encrypted identity information and the white list addresses, and the generated bill information comprises the encrypted identity information and all the white list addresses stored by the first authentication server, when the first authentication server receives the bill information of the client, determining an authentication result according to the encrypted identity information and all the white list addresses in the bill information. It should be noted that the ticket information may be directly sent from the client to the first authentication server, or may be sent from the client to the application server, and the application server then sends the ticket information to the first authentication server.

In S1002, when the ticket information is the same as the encrypted identity information in the credential information and the ticket information includes a white list address in the credential information, it is determined that the client authentication is successful.

When the ticket information is the same as the encrypted identity information in the certificate information and the ticket information comprises a white list address in the certificate information, the client authentication is determined to be successful, and the information of successful authentication can be output to an application system server corresponding to the first authentication server, so that the application system server provides service for the client. In addition, there may be another case where the ticket information is the same as the encrypted identity information in the credential information, but the white list address in the credential information is empty, which proves that the credential information is not synchronized from the second authentication server, and then the first authentication server is determined to be the authentication server that generated the credential information, and the first authentication server determines that the client authentication is successful.

In S1003, when the ticket information is different from the encrypted identity information in the credential information, and/or the ticket information does not include a white list address in the credential information, it is determined that the client authentication has failed.

In the process of synchronizing the credential information, the credential information may be illegally stored in the first authentication server by modifying the white list address in the credential information, for example, in a case where the white list address in the received credential information is not the address of the first authentication server, the first authentication server may illegally modify the address in the credential information to the address of the first authentication server, thereby storing the credential information. Therefore, in the embodiment of the invention, when the ticket information is different from the encrypted identity information in the certificate information and/or the ticket information does not include the white list address in the certificate information, the authentication failure of the client is determined, so that the first authentication server illegally storing the certificate information is prevented from determining the authentication success of the client according to the certificate information.

As can be seen from the above exemplary implementation of fig. 10 in the embodiment of the present invention, receiving the ticket information of the client, and determining that the client is successfully authenticated when the ticket information is the same as the encrypted identity information in the credential information and the ticket information includes the white list address in the credential information; and when the ticket information is different from the encrypted identity information in the certificate information and/or the ticket information does not comprise the white list address in the certificate information, determining that the client authentication fails. The embodiment of the invention improves the safety of authenticating the client and avoids the first authentication server illegally storing the certificate information from successfully authenticating the client.

It should be understood that, the sequence numbers of the steps in the foregoing embodiments do not imply an execution sequence, and the execution sequence of each process should be determined by its function and inherent logic, and should not constitute any limitation to the implementation process of the embodiments of the present invention.

Corresponding to the access processing method described in the foregoing embodiment, fig. 11 shows a block diagram of a structure of an access processing apparatus provided in an embodiment of the present invention, and referring to fig. 11, the access processing apparatus includes:

a receiving unit 111, configured to receive an access request of a client through a first authentication server;

an obtaining unit 112, configured to obtain identity information of the client;

a generating unit 113 configured to generate credential information when the stored identity information includes identity information of the client;

a storage unit 114, configured to store the credential information, so as to authenticate the client according to the credential information;

a synchronizing unit 115, configured to synchronize the credential information to a second authentication server, so that the second authentication server authenticates the client according to the credential information.

In one implementation, the generating unit 113 includes:

determining at least one white list address stored by the first authentication server, wherein the white list address corresponds to a second authentication server trusted by the first authentication server;

and generating credential information according to the white list address, wherein the credential information is used for being synchronized to a second authentication server corresponding to the white list address.

In one implementation, the access processing apparatus further includes:

a credential receiving unit for receiving the synchronized credential information;

the certificate storage unit is used for storing the certificate information when the white list address in the certificate information is the same as the address of the first authentication server;

a credential discarding unit that discards the credential information when a white list address within the credential information is different from an address of the first authentication server.

In one implementation, generating credential information from the whitelist address includes:

encrypting the identity information of the client to generate encrypted identity information;

and generating credential information according to the encrypted identity information and the white list address.

In one implementation manner, after encrypting the identity information of the client to generate encrypted identity information, the method further includes:

and generating bill information according to the encrypted identity information and all the white list addresses, and sending the bill information to the client so that the client initiates an access request comprising the bill information to perform authentication.

In one implementation, the access processing apparatus further includes:

the bill receiving unit is used for receiving the bill information of the client;

the first authentication unit is used for determining that the client authentication is successful when the bill information is the same as the encrypted identity information in the certificate information and the bill information comprises a white list address in the certificate information;

and the second authentication unit is used for determining that the client authentication fails when the bill information is different from the encrypted identity information in the certificate information and/or the bill information does not comprise a white list address in the certificate information.

In one implementation, the receiving unit 111 includes:

and receiving a redirected access request through a first authentication server, wherein the access request is intercepted and redirected by an application system server corresponding to the first authentication server.

In one implementation, the access processing apparatus further includes:

the bill generating unit is used for generating bill information and sending the bill information to the client when the stored identity information comprises the identity information of the client;

and the redirecting unit is used for adding the bill information to the access request and redirecting the access request to the application system server.

Therefore, the access processing device provided by the embodiment of the invention authenticates the client through the first authentication server, and synchronizes the generated credential information to the second authentication server after the authentication is successful, so that the compatibility and expansibility of access processing are improved, and the access processing device is suitable for a public cloud platform accessing to different application system servers.

Fig. 12 is a schematic diagram illustrating an access processing system according to an embodiment of the present invention, in fig. 12, the access processing system 12 includes a client 121, a first authentication server 122, and a second authentication server 123, the number of the second authentication servers 123 is not limited in the embodiment of the present invention, and two second authentication servers 123 are taken as an example in fig. 12. Wherein the first authentication server 122 performs:

receiving an access request of the client 121 through the first authentication server 122;

acquiring identity information of the client 121;

generating credential information when the stored identity information includes identity information of the client 121;

storing the credential information to authenticate the client 121 according to the credential information;

synchronizing the credential information to a second authentication server 123, so that the second authentication server 123 authenticates the client 121 according to the credential information.

In one implementation, generating credential information includes:

determining at least one white list address stored by the first authentication server 122, where the white list address corresponds to a second authentication server 123 trusted by the first authentication server 122;

and generating credential information according to the white list address, wherein the credential information is used for being synchronized to the second authentication server 123 corresponding to the white list address.

In one implementation, the first authentication server 122 further performs:

receiving synchronized credential information;

storing the credential information when a white list address within the credential information is the same as an address of the first authentication server 122;

discarding the credential information when a whitelist address within the credential information is different from an address of the first authentication server 122.

In one implementation, generating credential information from the whitelist address includes:

encrypting the identity information of the client 121 to generate encrypted identity information;

and generating credential information according to the encrypted identity information and the white list address.

In one implementation manner, after encrypting the identity information of the client 121 to generate encrypted identity information, the method further includes:

and generating bill information according to the encrypted identity information and all the white list addresses, and sending the bill information to the client 121, so that the client 121 initiates an access request including the bill information to perform authentication.

In one implementation, the first authentication server 122 further performs:

receiving the bill information of the client 121;

when the ticket information is the same as the encrypted identity information in the credential information and the ticket information includes a white list address in the credential information, determining that the authentication of the client 121 is successful;

determining that the authentication of the client 121 fails when the ticket information is different from the encrypted identity information in the credential information and/or the ticket information does not include a white list address in the credential information.

In one implementation, receiving an access request of the client 121 through the first authentication server 122 includes:

receiving a redirected access request through the first authentication server 122, where the access request is intercepted by an application system server corresponding to the first authentication server 122 and redirected.

In one implementation, the first authentication server 122 further performs:

when the stored identity information includes the identity information of the client 121, generating ticket information, and sending the ticket information to the client 121;

adding the ticket information to the access request and redirecting the access request to the application system server.

Therefore, the access processing system 12 provided in the embodiment of the present invention promotes compatibility and extensibility of access processing through the synchronously generated credential information, and is suitable for a public cloud platform accessing different application system servers.

Fig. 13 is a schematic diagram of a first authentication server according to an embodiment of the present invention. As shown in fig. 13, the first authentication server 13 of this embodiment includes: a processor 130, a memory 131 and a computer program 132, e.g. an access handler, stored in said memory 131 and operable on said processor 130. The processor 130, when executing the computer program 132, implements the various access processing method embodiments described above, such as steps S101 to S105 shown in fig. 1. Alternatively, the processor 130 implements the functions of the units in the access processing device embodiments, such as the functions of the units 111 to 115 shown in fig. 11, when executing the computer program 132.

Illustratively, the computer program 132 may be divided into one or more units, which are stored in the memory 131 and executed by the processor 130 to accomplish the present invention. The one or more units may be a series of computer program instruction segments capable of performing specific functions, which are used to describe the execution process of the computer program 132 in the first authentication server 13. For example, the computer program 132 may be divided into a receiving unit, an obtaining unit, a generating unit, a storing unit and a synchronizing unit, and each unit specifically functions as follows:

the receiving unit is used for receiving an access request of the client through the first authentication server;

the acquiring unit is used for acquiring the identity information of the client;

a generating unit configured to generate credential information when the stored identity information includes identity information of the client;

the storage unit is used for storing the certificate information so as to authenticate the client according to the certificate information;

and the synchronization unit is used for synchronizing the certificate information to a second authentication server so that the second authentication server authenticates the client according to the certificate information.

The first authentication server 13 may be a computing device such as a desktop computer, a notebook, a palm computer, and a cloud server. The first authentication server may include, but is not limited to, a processor 130, a memory 131. It will be appreciated by those skilled in the art that fig. 13 is merely an example of the first authentication server 13 and does not constitute a limitation of the first authentication server 13 and may comprise more or less components than those shown, or some components may be combined, or different components, e.g. the first authentication server may further comprise an input output device, a network access device, a bus, etc.

The Processor 130 may be a Central Processing Unit (CPU), other general purpose Processor, a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), an off-the-shelf Programmable Gate Array (FPGA) or other Programmable logic device, discrete Gate or transistor logic, discrete hardware components, etc. A general purpose processor may be a microprocessor or the processor may be any conventional processor or the like.

The storage 131 may be an internal storage unit of the first authentication server 13, such as a hard disk or a memory of the first authentication server 13. The memory 131 may also be an external storage device of the first authentication server 13, such as a plug-in hard disk, a Smart Media Card (SMC), a Secure Digital (SD) Card, a Flash memory Card (Flash Card), or the like, provided on the first authentication server 13. Further, the memory 131 may also include both an internal storage unit and an external storage device of the first authentication server 13. The memory 131 is used to store the computer program and other programs and data required by the first authentication server. The memory 131 may also be used to temporarily store data that has been output or is to be output.

It is obvious to those skilled in the art that, for convenience and simplicity of description, the above-mentioned division of each functional unit is merely used as an example, and in practical applications, the above-mentioned function distribution may be performed by different functional units according to needs, that is, the internal structure of the first authentication server is divided into different functional units to perform all or part of the above-mentioned functions. Each functional unit in the embodiments may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit, and the integrated unit may be implemented in a form of hardware, or in a form of software functional unit. In addition, specific names of the functional units are only used for distinguishing one functional unit from another, and are not used for limiting the protection scope of the application. The specific working process of the units in the system may refer to the corresponding process in the foregoing method embodiment, and is not described herein again.

In the above embodiments, the descriptions of the respective embodiments have respective emphasis, and reference may be made to the related descriptions of other embodiments for parts that are not described or illustrated in a certain embodiment.

Those of ordinary skill in the art will appreciate that the various illustrative elements and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware or combinations of computer software and electronic hardware. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the implementation. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present invention.

In the embodiments provided in the present invention, it should be understood that the disclosed first authentication server and method may be implemented in other ways. For example, the first authentication server embodiment described above is merely illustrative, and for example, the division of the units is only one logical functional division, and there may be other divisions when actually implementing, for example, a plurality of units or components may be combined or may be integrated into another system, or some features may be omitted or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection through some interfaces, devices or units, and may be in an electrical, mechanical or other form.

The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.

In addition, functional units in the embodiments of the present invention may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit. The integrated unit can be realized in a form of hardware, and can also be realized in a form of a software functional unit.

The integrated unit, if implemented in the form of a software functional unit and sold or used as a stand-alone product, may be stored in a computer readable storage medium. Based on such understanding, all or part of the flow of the method according to the embodiments of the present invention may also be implemented by a computer program, which may be stored in a computer-readable storage medium, and when the computer program is executed by a processor, the computer program may implement the embodiments of the method according to the embodiments. Wherein the computer program comprises computer program code, which may be in the form of source code, object code, an executable file or some intermediate form, etc. The computer-readable storage medium may include: any entity or device capable of carrying the computer program code, recording medium, usb disk, removable hard disk, magnetic disk, optical disk, computer Memory, Read-Only Memory (ROM), Random Access Memory (RAM), electrical carrier wave signals, telecommunications signals, software distribution medium, and the like. It should be noted that the computer readable storage medium may contain content that is subject to appropriate increase or decrease as required by legislation and patent practice in jurisdictions, for example, in some jurisdictions, computer readable storage media that does not include electrical carrier signals and telecommunications signals in accordance with legislation and patent practice.

The above-mentioned embodiments are only used for illustrating the technical solutions of the present invention, and not for limiting the same; although the present invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some technical features may be equivalently replaced; such modifications and substitutions do not substantially depart from the spirit and scope of the embodiments of the present invention, and are intended to be included within the scope of the present invention.