WO2010075798A1 - Configuration and authentication method for cross-domain authorization, the equipment and system thereof - Google Patents

Info

Publication number: WO2010075798A1 (WO 2010/075798 A1)
Application number: PCT/CN2009/076318
Authority: WO (WIPO, PCT)
Prior art keywords: page, information, user, resource information, server
Other languages: French (fr), Chinese (zh)
Inventors: 孙谦, 胡立新, 谭东晖
Original assignee: 华为技术有限公司 (Huawei Technologies Co., Ltd.)

Classifications

    • H04L 9/32 (Electricity; electric communication technique; transmission of digital information, e.g. telegraphic communication): cryptographic mechanisms or cryptographic arrangements for secret or secure communications; network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • G06F 21/31 (Physics; computing, calculating or counting; electric digital data processing): security arrangements for protecting computers, components thereof, programs or data against unauthorised activity; authentication, i.e. establishing the identity or authorisation of security principals; user authentication
    • G06F 21/62: security arrangements for protecting computers, components thereof, programs or data against unauthorised activity; protecting data; protecting access to data via a platform, e.g. using keys or access control rules
    • H04L 63/08: network architectures or network communication protocols for network security; for authentication of entities

Definitions

  • The present invention relates to the field of computer applications, and in particular to a cross-domain authorization setting method, a cross-domain authorization authentication method, a related device, and a system. Background
  • An SNS (Social Network Site), commonly referred to in China as a social networking server, is a virtual social platform built on the idea of a social relationship network. From Myspace and Facebook to Kaixin and Xiaonei, domestic and international social networking servers have matured and become part of the daily life of more and more people. At the same time, a large number of applications are offered to users on the social networking platform.
  • An application is generally provided by an application server, and it is these varied social applications that bring real value to users. The application website server is often separate from the social network server, may be operated by a different service provider, and the two are generally located in different domains.
  • The user may have a lot of resource information in the application website server, such as photos, videos, diaries, microblogs, URL collections or location information, while the social network server stores the user's relationship information, such as contacts (also called a friends list) and groups.
  • The embodiments of the present invention provide a cross-domain authorization setting method, an authentication method, a related device, and a system, so that resource information of the user in a first domain can be authorized to relationship information of the user in a second domain, thereby improving the user experience.
  • An embodiment of the invention provides a method for setting cross-domain authorization at the terminal side and an authentication method for cross-domain authorization; both are set out in the detailed description below.
  • An embodiment of the invention further provides a method for setting cross-domain authorization at the server side, which includes:
  • receiving a request sent by the user through a terminal; sending, in response to the request, a first page that includes the resource information to the terminal, so that the terminal sends, according to the first page, an acquisition request for the relationship information to the second server of the second domain, obtains the relationship information sent by the second server and displays it on a second page; receiving, from the terminal, the resource information and the relationship information that the user selected on the second page as corresponding to that resource information; storing the corresponding record of the selected relationship information and the resource information, and using the corresponding record as the authorization information for accessing the resource information.
  • An embodiment of the invention further provides a terminal, which includes:
  • a request receiving module configured to receive a request for a user to access resource information;
  • a display module configured to display, according to the request, a first page that includes resource information of the user located in the first domain, and to display, according to the first page, a second page that includes relationship information of the user located in the second domain;
  • a relationship information receiving module configured to receive the relationship information that the user selects on the second page as corresponding to the resource information;
  • a sending module configured to send the resource information and the relationship information selected in the second page to the first server, so that the first server stores the corresponding record of the selected relationship information and the resource information and uses the corresponding record as the authorization information for accessing the resource information.
  • the embodiment of the invention further provides a server, which includes:
  • a receiving module configured to receive a request of the user through the terminal
  • An obtaining module configured to obtain the authorization information of the user according to the foregoing request, and obtain resource information that the user is authorized to access according to the authorization information;
  • a sending module configured to send the foregoing resource information to the terminal.
  • An embodiment of the present invention further provides a server, including:
  • a receiving module configured to receive a request, sent by a user through the terminal, to access resource information in the first server in the first domain;
  • an obtaining module configured to obtain the authorization information corresponding to the resource information, where the authorization information records the relationship information in the second server in the second domain that corresponds to the resource information;
  • a processing module configured to determine whether the user belongs to the relationship information; if yes, the user is allowed to access the resource information, and if no, the user is denied access to the resource information.
  • An embodiment of the present invention further provides a server, including:
  • a receiving module configured to receive a request sent by a user through the terminal;
  • a sending module configured to send, in response to the request, a first page that includes resource information to the terminal, so that the terminal sends, according to the first page, an acquisition request for the relationship information to the second server of the second domain, obtains the relationship information sent by the second server and displays it on a second page;
  • a storage module configured to receive, from the terminal, the resource information and the relationship information that the user selected on the second page as corresponding to that resource information, to store the corresponding record of the selected relationship information and the resource information, and to use the corresponding record as the authorization information for accessing the resource information.
  • An embodiment of the invention further provides a cross-domain authorization system, which is characterized in that it comprises:
  • a first server located in the first domain, configured to receive a request sent by the user through the terminal and to send, in response to the request, a first page that includes the resource information to the terminal, so that the terminal sends, according to the first page, an acquisition request for the relationship information to the second server of the second domain, obtains the relationship information sent by the second server and displays it on a second page; and further configured to receive, from the terminal, the resource information and the relationship information that the user selected on the second page as corresponding to that resource information, to store the corresponding record of the selected relationship information and the resource information, and to use the corresponding record as the authorization information for accessing the resource information;
  • a second server located in the second domain, configured to send the relationship information of the user to the terminal.
  • With the above embodiments, the resource information of the user in the first domain can be authorized to relationship information of the user, such as contacts and groups, located in another domain, thereby improving the user experience. The user can directly associate the relationship information held in the second server with the resources held in the first server, that is, the user can conveniently share and authorize resources from his own perspective.
  • FIG. 1 is a flowchart of a method for setting cross-domain authorization according to an embodiment of the present invention;
  • FIG. 2 is a flowchart of a method for setting cross-domain authorization according to another embodiment of the present invention;
  • FIG. 4 is a flowchart of a method for setting cross-domain authorization according to another embodiment of the present invention;
  • FIG. 6 is a flowchart of a method for authenticating cross-domain authorization according to an embodiment of the present invention;
  • FIG. 7 is a flowchart of a method for authenticating cross-domain authorization according to another embodiment of the present invention;
  • FIG. 8 is a flowchart of a method for authenticating cross-domain authorization according to another embodiment of the present invention;
  • FIG. 9 is a schematic structural diagram of a terminal according to an embodiment of the present invention;
  • FIG. 10 is a schematic structural diagram of a server according to an embodiment of the present invention;
  • FIG. 11 is a schematic structural diagram of a server according to another embodiment of the present invention;
  • FIG. 12 is a schematic structural diagram of a server according to another embodiment of the present invention;
  • FIG. 13 is a schematic diagram of a server according to an embodiment of the present invention;
  • Schematic diagram of a cross-domain authorization system.
  • An embodiment of the present invention provides a method for setting cross-domain authorization. Referring to FIG. 1, the method includes:
  • 101: receiving a request for a user to access resource information;
  • 102: displaying, according to the request, a first page that includes the user's resource information located in the first domain;
  • 103: displaying, according to the first page, a second page that includes the user's relationship information, where the second page is provided by the second server in the second domain;
  • 104: receiving the relationship information that the user selects on the second page as corresponding to the resource information;
  • 105: sending the resource information and the relationship information selected in the second page to the first server, so that the first server stores the corresponding record of the selected relationship information and the resource information and uses the corresponding record as the authorization information for accessing the resource information.
  • With this method, the user's resource information in the first domain is authorized to relationship information in the second domain, so that the user experience is improved.
  • Referring to FIG. 2, the first server in the first domain stores the user's resource information, such as photos, videos, URL collections and blog logs, and a second server in a second domain, different from the first domain, stores the user's relationship information such as contacts and groups.
  • Step 201 The terminal receives a request for accessing resource information by the user.
  • The user accesses the resource information in the first server through the terminal. The access may use OpenID technology: the first server is an OpenID relying party and the second server is the OpenID provider. When the first server receives the user's request carrying an OpenID identity, it redirects the terminal's browser to a page of the second server to authenticate the user, where the user supplies a password or other authentication information such as a fingerprint. After authentication, the redirect returns the first page that the first server displays on the terminal; the first page includes the user's resource information, such as photos, videos, URL collections and blog logs.
  • The first server may also set a session cookie on the browser side of the terminal to maintain the current user session, so that the user need not authenticate again on subsequent accesses to the first server. If the browser disables cookies, the session information can be carried directly in the HTTP request and response messages to maintain the current user session.
  • Alternatively, a cross-domain identity authentication technology such as SSO (Single Sign-On), OpenSSO or Microsoft Passport can be used. Once the browser has logged in to the first server, during the subsequent authorization of the resource information the browser can directly access the second server to obtain the user's relationship information without authenticating to the second server again.
  • Step 202: The first server displays the first page, that is, the authorization page for the resource information in the first server, through the browser of the user terminal. The resource information is shown on the first page together with a button or hyperlink for confirming the authorization.
  • The hypertext code (including script code) of the first page is generated by the first server and delivered by the first server to the browser of the user terminal.
  • Step 203: Display a second page that includes the relationship information according to the first page.
  • The browser of the terminal also displays a second page that includes the user's relationship information; the hypertext code (including script code) of the second page is generated by the second server. The second page can be displayed in several ways, for example as an iframe (Inline Frame) inside the first page, or as a new browser window opened when a button or link on the first page is clicked. The page displays the user's relationship information such as contacts and groups.
  • The second page in turn contains an iframe pointing to the first server, called the third page, which is generally given a hidden style. When the second page is displayed as an iframe inside the first page, this forms a circular information delivery channel: from the first page of the first server to the second page of the second server, on to the third page of the first server, and back to the first page. Through this channel the relationship information is transferred across domains inside the browser, so that the first server can conveniently obtain the user's relationship information held in the second server.
  • The second page is displayed by setting its source address in the first page, for example by setting the src attribute of the iframe in a JavaScript function of the first page:
  • iframe1.src = "http://snsexample.com/relationship.php";
  • If a button is used instead, the click event of the button corresponds to a script that opens the second page in a new window.
  • When the user has already authenticated to the second server, for example via OpenID or single sign-on in step 201, the second server may have set a session cookie on the browser side of the user terminal whose data includes session information such as a session identifier, and the user does not need to authenticate to the second server again during the current session. That is, the second page first reads the cookie data on the browser side, carries the cookie data in its request to the second server for the user's relationship information, and displays the obtained relationship information on the page.
  • If the second server has no corresponding session information when the second page is to display the user's relationship information, the user is prompted to authenticate to the second server.
  • The first page contains resource information, such as a photo, and a button for confirming the authorization. The second page may be embedded as an inline frame, and the relationship information displayed on it may include a contact list; the contacts may be shown in groups, such as colleagues, classmates and family, with a check box in front of each contact or group name.
  • Public groups that the user has created or joined, and their members, can also be displayed for the user to select. Whether it is a grouping of contacts or a public group, it is represented by a unique group identifier.
  • The second page displays the name or nickname of each contact and the name of each group, but when the information is actually transmitted the user identifier of the contact and the group identifier are generally used.
  • The second server can also detect other users who have recently communicated with the user, for example by sending a message, leaving a comment or making a phone call, and display those users in the second page. As telecommunication networks and the Internet become closely integrated, a second server operated by a telecommunication operator can easily obtain the user's communication records (text messages, calls, etc.), and those who have communicated with the user need not be among the user's contacts.
  • The first page may also request from the first server the existing authorization information for the current resource information, and pass the already-authorized contacts and groups to the second page as parameters of the second page's source address URL (Uniform Resource Locator).
  • The second page can read these parameters from the current page address when the window load event (window.onload) fires and, when displaying the user's relationship information, mark the already-authorized groups, such as group1, as selected. This lets the user see which relationship information, such as contacts or groups, has already been authorized to access the current resource information. In an example with both groups and contacts, the parameters in the address indicate that the current resource has been authorized to the group group1 and the contacts usera and userb, where group1 is a group identifier and usera and userb are user identifiers.
  • Step 204: The user selects relationship information in the second page, and the second page transmits the selected relationship information to the third page.
  • When the user selects or deselects a group or contact through the terminal (for example the onClick event of the check box for the contact or group), the second page passes the currently selected relationship information (groups or contacts) to the third page. It does so by setting the source address attribute of the third page: the page address of the third page is specified, and the relationship information selected by the user is included in the address parameters. The parameters in the address indicate, for example, that the current resource is selected for authorization to the groups group1 and group2 and the contacts usera, userb and userc.
  • Step 205: The third page transmits the relationship information selected by the user, as sent by the second page, to the first page.
  • The third page sets a timer function that runs at a predetermined interval, such as every 500 milliseconds, so that newly arrived relationship information is passed on promptly. The processing script in the third page begins with function transmit() { ... } (the body is cut off in the source).
  • Since the third page is an iframe inside the second page, which is itself an iframe inside the first page, the first page is reached as parent.parent; if the second page was opened as a new window instead of an inline frame, the first page corresponds to the parent.opener object.
  • Step 206: After the user confirms the authorization of the resource information to the selected contacts and/or groups, the first page submits the finally selected relationship information and the resource information to the first server.
  • The first page includes a button or hyperlink for confirming the authorization, which can be labelled "share" or "ok". When the user activates the button, the first page submits the finally selected relationship information, the resource information and the like to the first server.
  • The first server stores the corresponding record of the relationship information and the resource information selected by the user, and uses the corresponding record as the authorization information for accessing the resource information.
  • The authorization information may further include an authorization time, that is, the time at which the first page submitted the finally selected relationship information and the corresponding resource information to the first server.
  • In this embodiment the transmission of the relationship information for the corresponding resource information takes place entirely between the pages in the browser: the already-authorized relationship information is passed from the first page of the first server to the second page of the second server, and the relationship information selected by the user is passed from the second page of the second server back to the first page via the third page. No data needs to be transferred directly between the first server and the second server, so cross-domain resource authorization is completed simply and efficiently while making full use of the computing power of the terminal.
  • A first server that lacks relationship information of its own can thus make full use of the user relationship information held in the second server to enhance the social function of the application and attract more users.
  • Referring to FIG. 4, another embodiment adds a password exchange to the method above (the "password" here is in effect a random token) so that each page can verify that the relationship information arriving through the channel was set by the expected page rather than by an outsider.
  • Step 301: The first page obtains the first password.
  • The first password may be generated by the first page with a random function, or requested from the first server. Because the random function of some browsers does not generate highly unpredictable values, obtaining the password from the server is recommended. The password can be a random string. The session ID between the first server and the user's browser can also be used as the first password, since session IDs are usually unpredictable random strings. Note, however, that a session ID placed in a page address becomes readable by every script running in that page and is kept in the browser history, so a dedicated random token that is not also a session credential is the safer choice.
  • Step 302: The first page passes the first password to the second page.
  • The password is set as a parameter in the source address of the second page in the first page; for example, it can be included in the bookmark parameter, that is, the fragment identifier following "#", which the browser does not send to the second server. The second page caches the received first password for subsequent password verification.
  • Step 303: The second page obtains the second password and sends it to the third page.
  • The second password can likewise be generated by the second page itself, requested from the second server, or taken from the session ID between the second server and the user's browser, and is passed to the third page in the same way.
  • Step 304: The third page passes the second password on to the first page.
  • The first page caches the second password for subsequent password verification. This completes the cross-domain password exchange between the pages of the first domain and the second domain.
  • Step 305: When subsequently transmitting the relationship information selected by the user, the first page and the second page each carry, in the bookmark parameter of the URL they set, the password belonging to the receiving page's domain: the first page carries the first password when it sets the second page's address, and the second page carries the second password when it sets the third page's address. For example, the bookmark parameter of such an address may contain the first password "qw3e45s32328f3nl".
  • Step 306: The second page verifies the password.
  • The password in the bookmark parameter of the window's address, such as "qw3e45s32328f3nl" above, is taken out and compared with the cached first password, and processing continues only after the verification passes, for example taking the already-authorized relationship information out of the remaining parameters.
  • Step 307: When the second page transmits the relationship information selected by the user to the third page, it also carries the second password.
  • Step 308: The third page verifies the password.
  • The password in the bookmark parameter of the window's address is taken out and compared with the cached second password, and processing continues only after the verification passes.
  • In this way, a request that loads the address of the second page or the third page from anywhere other than the current browser instance cannot obtain the password, and therefore does not reveal the user's relationship information or resource authorization information.
  • An authentication method for cross-domain authorization: referring to FIG. 6, this embodiment describes the authentication process when other users access resource information in the first server.
  • The user who owns the resource information in the first server is referred to as the first user, and a user who wants to access the first user's resource information is the second user. Suppose the first user has authorized resource information in the first server, such as album P, to group A, and group A contains the second user.
  • The steps of the embodiment are as follows. Step 401: The first server receives a request from the second user to access resource information of the first user, such as album P, where the resource information is in the first server in the first domain. The second user's identity for this request may be established by OpenID or by other means.
  • Step 402: The first server queries and obtains the first user's authorization information for the resource information, where the authorization information records the relationship information in the second server in the second domain that corresponds to the resource information.
  • Step 403: The first server determines whether the second user belongs to the relationship information.
  • Step 404: If yes, the first server allows the second user to access the resource information; otherwise the second user is denied access to the resource information.
  • In this way the first server can share resource information authorized by one user with another user after verifying that user, thereby improving the user experience.
  • Referring to FIG. 7, in some cases the group membership held in the second server cannot conveniently be delivered in full to the first server. In this embodiment the first server therefore stores only the contact identifiers and group identifiers corresponding to the first user's resource information, and not the specific contacts within each group.
  • Step 501: The first server receives a request from the second user to access resource information of the first user, such as album P. The second user's identity may be established by OpenID or by other means.
  • Step 502: The first server obtains, for the resource information, the first user's authorization information record and determines whether the second user is an authorized contact (including a temporary contact). If yes, the second user is allowed access and the process ends; otherwise, go to step 503.
  • Step 503: The first server sends the group identifiers that the first user authorized in the authorization record of the resource, together with the identifier of the second user, to the second server, and asks the second server to determine whether the second user is a member of any of those groups. When the second user is a member of at least one of the authorized groups, the second server returns a positive result.
  • Step 504: The first server receives the result returned by the second server. If the result is positive, the first server allows the second user to access the resource; otherwise access is denied.
  • In this way the first server can share resource information authorized by one user with another user after verifying that user, thereby improving the user experience.
  • Step 601 The first server receives the access request of the second user, and retrieves, in the stored authorization information, the resource information of the authorized access corresponding to the group to which the second user belongs, and the corresponding user of the second user. Resource information for authorized access.
  • the corresponding authorization time can be used to filter resources, such as only the resources authorized to access for a predetermined period of time (such as the last week), or the latest (most authorized time). Close to the current time) a predetermined number (such as the top 10 most recently authorized) resources, etc.
  • Step 602 Display the resource information in a page after the second user.
  • the method provided by the embodiment of the present invention enables the user to log in to the first server to display resource information shared by other users that the user has permission to access, thereby improving the user experience.
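The access decision of steps 501 to 504 and the recent-share listing of steps 601 to 602, written out as an added example in JavaScript (Node) that is not part of the patent: the record layout, the function names (`checkAccess`, `listSharedResources`, `isMemberOfAny`) and the stand-in for the second server's group-membership answer are assumptions for this example, and every record and group below is constructed. It goes slightly beyond the text in treating the resource owner as always allowed and in failing closed when the membership query errors.

```javascript
// Added example (not the patent's own code): first-server authorization check in the
// style of steps 501-504, plus the "shared with me" listing of steps 601-602.
// Record layout, function names and the second-server stand-in are assumptions.

// One authorization record per resource, as the first server stores it (constructed data):
// the contacts the owner selected, the group identifiers the owner selected, and the
// time the authorization was granted (ms since epoch). Group members are NOT stored here.
const AUTHORIZATION_RECORDS = [
  { resourceId: 'album-P', ownerId: 'alice', contacts: ['bob'], groups: ['g-family'], authorizedAt: Date.UTC(2009, 11, 20) },
  { resourceId: 'video-Q', ownerId: 'alice', contacts: [], groups: ['g-hiking'], authorizedAt: Date.UTC(2009, 11, 28) },
  { resourceId: 'diary-R', ownerId: 'carol', contacts: ['dave'], groups: [], authorizedAt: Date.UTC(2009, 10, 1) },
];

// Constructed stand-in for the second server (the SNS), which alone knows group membership.
// The first server only ever asks "is this user in any of these groups?" (step 503).
const SECOND_SERVER_GROUPS = {
  'g-family': ['bob', 'erin'],
  'g-hiking': ['dave', 'erin'],
};

function isMemberOfAny(userId, groupIds) {
  return groupIds.some((g) => (SECOND_SERVER_GROUPS[g] || []).includes(userId));
}

// Steps 501-504: decide whether `requesterId` may access `resourceId`.
// The local contact check comes first; only if it fails is the second server asked about
// the authorized groups. A missing record or a failing lookup denies access (fail closed).
function checkAccess(records, resourceId, requesterId, membershipQuery) {
  const record = records.find((r) => r.resourceId === resourceId);
  if (!record) return { allowed: false, reason: 'no-authorization-record' };
  if (record.ownerId === requesterId) return { allowed: true, reason: 'owner' }; // addition, not in the text
  if (record.contacts.includes(requesterId)) return { allowed: true, reason: 'contact' }; // step 502
  if (record.groups.length === 0) return { allowed: false, reason: 'not-authorized' };
  let member = false;
  try {
    member = membershipQuery(requesterId, record.groups) === true; // step 503
  } catch (e) {
    return { allowed: false, reason: 'membership-query-failed' };
  }
  return member // step 504
    ? { allowed: true, reason: 'group' }
    : { allowed: false, reason: 'not-authorized' };
}

// Steps 601-602: list resources shared with `requesterId`, filtered by authorization time.
// `userGroups` is what the first server learned about the requester's groups from the second
// server; `options.since` keeps only authorizations not older than that time, and
// `options.limit` keeps the N most recently authorized. Returns resource ids, newest first.
function listSharedResources(records, requesterId, userGroups, options = {}) {
  const shared = records.filter((r) =>
    r.contacts.includes(requesterId) || r.groups.some((g) => userGroups.includes(g)));
  const recent = options.since === undefined
    ? shared
    : shared.filter((r) => r.authorizedAt >= options.since);
  recent.sort((a, b) => b.authorizedAt - a.authorizedAt);
  const limited = options.limit === undefined ? recent : recent.slice(0, options.limit);
  return limited.map((r) => r.resourceId);
}
```

A call such as `checkAccess(AUTHORIZATION_RECORDS, 'album-P', 'erin', isMemberOfAny)` allows access with reason `group` because erin is not a listed contact but the second server confirms her membership in `g-family`; the same call for `dave` is denied.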
  • An embodiment of the present invention provides a terminal 7, as shown in FIG. 9, which includes:
  • a request receiving module 71, configured to receive a request from a user to access resource information;
  • a display module 72, configured to display, according to the request, a first page that includes the resource information of the user located in the first domain, and to display, according to the first page, a second page that includes the relationship information of the user located in the second domain;
  • a relationship information receiving module 73, configured to receive the relationship information, corresponding to the resource information, that the user selects on the second page;
  • a sending module 74, configured to send the resource information and the relationship information selected by the user on the second page to the first server, so that the first server stores the corresponding record of the selected relationship information and the resource information and uses that record as the authorization information for accessing the resource information.
  • The request receiving module 71 is further configured to receive the existing authorization information sent by the first server in response to the request, where the existing authorization information includes the corresponding records of the relationship information and resource information that the user has already selected; the display module 72 is further configured to display, according to the existing authorization information, the relationship information already selected by the user in the second page.
  • The second page is an inline frame page within the first page, or a new page opened by clicking a hyperlink or button in the first page.
  • An embodiment of the present invention provides a server 8, as shown in FIG. 10, which includes:
  • a receiving module 81, configured to receive a request sent by the user through the terminal;
  • an obtaining module 82, configured to obtain the authorization information of the user according to the request, and to obtain, according to the authorization information, the resource information that the user is authorized to access;
  • a sending module 83, configured to send the resource information to the terminal.
  • The obtaining module 82 is specifically configured to obtain, according to the authorization information, the resource information authorized for the user's access within the most recent predetermined period, or a predetermined number of the most recently authorized resource information items; the sending module 83 is specifically configured to send that resource information to the terminal.
  • the embodiment of the present invention further provides a server 9, as shown in FIG. 11, which includes:
  • a receiving module 91, configured to receive a request from a user, sent through the terminal, to access resource information in the first server in the first domain;
  • an obtaining module 92, configured to obtain the authorization information corresponding to the resource information, where the authorization information records the relationship information, at the second server in the second domain, that corresponds to the resource information;
  • a processing module 93, configured to determine whether the user belongs to the relationship information; when the determination is yes, the user is allowed to access the resource information, and when the determination is no, the user is denied access to the resource information.
  • The relationship information includes a contact or a group.
  • The processing module 93 is specifically configured to determine whether the user is one of the contacts in the relationship information and, if so, allow the user to access the resource information and end the process; if not, send the groups in the relationship information and the identifier of the user to the second server, so that the second server determines whether the user belongs to those groups; and receive the determination result sent by the second server, allowing the user to access the resource information if the result is yes and otherwise denying the user access to the resource information.
  • the embodiment of the present invention further provides a server 10, as shown in FIG. 12, which includes:
  • a receiving module 101, configured to receive a request sent by the user through the terminal;
  • a sending module 102, configured to send, according to the request, a first page that includes the resource information to the terminal, so that the terminal sends, according to the first page, an acquisition request for the relationship information to the second server in the second domain, and the terminal obtains the relationship information sent by the second server and displays it on a second page;
  • a storage module 103, configured to receive the resource information sent by the terminal and the relationship information, corresponding to the resource information, that the user selects on the second page, to store the corresponding record of the selected relationship information and the resource information, and to use that record as the authorization information for accessing the resource information.
  • The sending module 102 is further configured to send the stored existing authorization information to the terminal according to the request, where the existing authorization information includes the corresponding records of the relationship information and resource information that the user has already selected.
  • An embodiment of the present invention further provides a cross-domain authorization system 11, as shown in FIG. 13, which includes: a first server 111, located in a first domain, configured to receive a request sent by a user through a terminal; to send, according to the request, a first page that includes resource information to the terminal, so that the terminal sends, according to the first page, an acquisition request for the relationship information to a second server 112 in a second domain, and the terminal obtains the relationship information sent by the second server 112 and displays it on a second page; to receive the resource information sent by the terminal and the relationship information, corresponding to the resource information, that the user selects on the second page; and to store the corresponding record of the selected relationship information and the resource information and use that record as the authorization information for accessing the resource information;
  • a second server 112, located in the second domain, configured to send the relationship information of the user to the terminal.
  • The terminal, servers and system provided by the foregoing embodiments can authorize the resource information of a user in the first domain to the user's relationship information in the second domain, thereby improving the user experience.

Abstract

A configuration method for cross-domain authorization is disclosed in the invention, which includes the following steps: receiving a request for accessing the resource information from the user; displaying the first page including the resource information according to the request, in which the first page is provided by the first server in the first domain; displaying the second page including the user’s relation information according to the first page, in which the second page is provided by the second server in the second domain; receiving the relation information corresponding to the resource information selected by the user from the second page; sending the resource information and the relation information selected from the second page to the first server, so that the first server saves the corresponding record between the selected relation information and the resource information, and views the corresponding record as the authorization information when accessing the resource information. The embodiments of the invention also disclose an authentication method, terminal, relative equipment and system for the cross-domain authorization. With the embodiments of the present invention, the resource information of the user in the first domain can be authorized to the relation information in the second domain, so that the user’s experience can be improved.

Description

Configuration and authentication method for cross-domain authorization, related device and system. This application claims priority to Chinese Patent Application No. 200810242174.3, filed on December 31, 2008 and entitled "Configuration and authentication method for cross-domain authorization, related device and system", the entire contents of which are incorporated herein by reference.

Technical Field

The present invention relates to the field of computer applications, and in particular to a configuration method and an authentication method for cross-domain authorization, and to a related device and system.

Background Art

An SNS (Social Network Site), generally called a social networking site server in Chinese, is a virtual online social networking platform built on the idea of social network relationship systems. From MySpace to Facebook, Kaixin and Xiaonei, social networking site servers at home and abroad have matured and have become part of more and more people's daily lives. At the same time, a large number of applications for users of social networking platforms have appeared; these applications are generally provided by an application server, and it is these rich social applications that truly bring value to users. The application website server is often separate and independent from the social networking site server, may be operated by a different service provider, and the two servers are generally located in different domains. A user may have a great deal of resource information on the application website server, such as photos, videos, diaries, microblogs, bookmarked URLs or location information, while the social networking site server stores the user's relationship information, such as contacts (also called a friend list) and groups.

A user wishes to share the resources on the application website server, in a restricted manner, with certain contacts or designated groups on the social networking site. If the relationship information and the resource information are in the same domain, this can be achieved through ordinary permission settings; but if they are not in the same domain, the application website server cannot freely access the user's relationship information on the social networking site server without permission. Thus, how to authorize the resource information in the application website server to the users in the relationship information of a different domain, that is, cross-domain authorization, is a problem that currently needs to be solved.

Summary of the Invention

The embodiments of the present invention provide a configuration method, an authentication method, a related device and a system for cross-domain authorization, so as to authorize the resource information of a user in a first domain to the user's relationship information in a second domain, thereby improving the user experience.
An embodiment of the present invention provides a configuration method for cross-domain authorization, which includes:
receiving a request from a user to access resource information;
displaying, according to the request, a first page that includes the user's resource information, where the first page is provided by a first server in a first domain;
displaying, according to the first page, a second page that includes the user's relationship information, where the second page is provided by a second server in a second domain;
receiving the relationship information, corresponding to the resource information, that the user selects on the second page;
sending the resource information and the relationship information selected by the user on the second page to the first server, so that the first server stores a corresponding record of the selected relationship information and the resource information and uses that record as the authorization information for accessing the resource information.
An embodiment of the present invention further provides an authentication method for cross-domain authorization, which includes:
receiving a request from a user, through a terminal, to access resource information in a first server in a first domain; obtaining the authorization information corresponding to the resource information, where the authorization information records the relationship information, at a second server in a second domain, that corresponds to the resource information;
determining whether the user belongs to the relationship information;
if so, allowing the user to access the resource information; otherwise, denying the user access to the resource information.
An embodiment of the present invention further provides an authentication method for cross-domain authorization, which includes:
receiving a request from a user through a terminal;
obtaining the user's authorization information according to the request;
obtaining, according to the authorization information, the resource information that the user is authorized to access; and sending the resource information to the terminal.
An embodiment of the present invention further provides a configuration method for cross-domain authorization, which includes:
receiving a request to access resource information sent by a user through a terminal;
sending, according to the request, a first page that includes the resource information to the terminal, so that the terminal sends, according to the first page, an acquisition request for relationship information to a second server in a second domain, and the terminal obtains the relationship information sent by the second server and displays it on a second page; receiving the resource information sent by the terminal and the relationship information, corresponding to the resource information, that the user selects on the second page; storing a corresponding record of the selected relationship information and the resource information, and using that record as the authorization information for accessing the resource information.
An embodiment of the present invention further provides a terminal, which includes:
a request receiving module, configured to receive a request from a user to access resource information;
a display module, configured to display, according to the request, a first page that includes the resource information of the user located in a first domain, and to display, according to the first page, a second page that includes the relationship information of the user located in a second domain;
a relationship information receiving module, configured to receive the relationship information, corresponding to the resource information, that the user selects on the second page;
a sending module, configured to send the resource information and the relationship information selected on the second page to the first server, so that the first server stores a corresponding record of the selected relationship information and the resource information and uses that record as the authorization information for accessing the resource information.
An embodiment of the present invention further provides a server, which includes:
a receiving module, configured to receive a request from a user through a terminal;
an obtaining module, configured to obtain the user's authorization information according to the request, and to obtain, according to the authorization information, the resource information that the user is authorized to access;
a sending module, configured to send the resource information to the terminal.
An embodiment of the present invention further provides a server, which includes:
a receiving module, configured to receive a request from a user, through a terminal, to access resource information in a first server in a first domain;
an obtaining module, configured to obtain the authorization information corresponding to the resource information, where the authorization information records the relationship information, at a second server in a second domain, that corresponds to the resource information;
a processing module, configured to determine whether the user belongs to the relationship information, to allow the user to access the resource information when the determination is yes, and to deny the user access to the resource information when the determination is no.
An embodiment of the present invention further provides a server, which includes:
a receiving module, configured to receive a request sent by a user through a terminal;
a sending module, configured to send, according to the request, a first page that includes resource information to the terminal, so that the terminal sends, according to the first page, an acquisition request for relationship information to a second server in a second domain, and the terminal obtains the relationship information sent by the second server and displays it on a second page;
a storage module, configured to receive the resource information sent by the terminal and the relationship information, corresponding to the resource information, that the user selects on the second page, to store a corresponding record of the selected relationship information and the resource information, and to use that record as the authorization information for accessing the resource information.
An embodiment of the present invention further provides a cross-domain authorization system, which includes:
a first server, located in a first domain, configured to receive a request sent by a user through a terminal; to send, according to the request, a first page that includes resource information to the terminal, so that the terminal sends, according to the first page, an acquisition request for relationship information to a second server in a second domain, and the terminal obtains the relationship information sent by the second server and displays it on a second page; to receive the resource information sent by the terminal and the relationship information, corresponding to the resource information, that the user selects on the second page; and to store a corresponding record of the selected relationship information and the resource information and use that record as the authorization information for accessing the resource information;
a second server, located in the second domain, configured to send the user's relationship information to the terminal.

By using the configuration method, authentication method, terminal, server and system for cross-domain authorization provided by the embodiments of the present invention, the resource information of a user in a first domain can be authorized to the user's relationship information in another domain, such as contacts and groups, thereby improving the user experience. The user can directly use his or her existing relationship information in the second server to grant authorization for the resources in the first server; that is, the user can conveniently share and authorize resources from his or her own perspective.

Brief Description of the Drawings
FIG. 1 is a flowchart of a configuration method for cross-domain authorization according to an embodiment of the present invention;
FIG. 2 is a flowchart of a configuration method for cross-domain authorization according to another embodiment of the present invention;
FIG. 3 is a schematic diagram of a configuration method for cross-domain authorization according to yet another embodiment of the present invention;
FIG. 4 is a flowchart of a configuration method for cross-domain authorization according to another embodiment of the present invention;
FIG. 5 is a schematic diagram of the browser of a terminal in a configuration method for cross-domain authorization according to an embodiment of the present invention;
FIG. 6 is a flowchart of an authentication method for cross-domain authorization according to an embodiment of the present invention;
FIG. 7 is a flowchart of an authentication method for cross-domain authorization according to another embodiment of the present invention;
FIG. 8 is a flowchart of an authentication method for cross-domain authorization according to yet another embodiment of the present invention;
FIG. 9 is a schematic structural diagram of a terminal according to an embodiment of the present invention;
FIG. 10 is a schematic structural diagram of a server according to an embodiment of the present invention;
FIG. 11 is a schematic structural diagram of a server according to another embodiment of the present invention;
FIG. 12 is a schematic structural diagram of a server according to yet another embodiment of the present invention;
FIG. 13 is a schematic structural diagram of a cross-domain authorization system according to an embodiment of the present invention.

Detailed Description of the Embodiments

An embodiment of the present invention provides a configuration method for cross-domain authorization, which, referring to FIG. 1, includes:
101: receiving a request from a user to access resource information;
102: displaying, according to the request, a first page that includes the user's resource information, where the first page is provided by a first server in a first domain;
103: displaying, according to the first page, a second page that includes the user's relationship information, where the second page is provided by a second server in a second domain;
104: receiving the relationship information, corresponding to the resource information, that the user selects on the second page; 105: sending the resource information and the relationship information selected on the second page to the first server, so that the first server stores a corresponding record of the selected relationship information and the resource information and uses that record as the authorization information for accessing the resource information.
With the above embodiment, the resource information of a user in a first domain can be authorized to the relationship information in a second domain, thereby improving the user experience.
In another embodiment provided by the present invention, a first server in a first domain stores a user's resource information, such as photos, videos, bookmarked URLs and blog posts, and a second server in a second domain, different from the first domain, stores the user's relationship information, such as contacts and groups. As shown in FIG. 2, the configuration method for cross-domain authorization provided by this embodiment mainly includes the following steps:
Step 201: The terminal receives the user's request to access resource information.
The user accesses the resource information in the first server through the terminal. The access may use OpenID technology: the first server acts as the OpenID (open identity) relying party and the second server as the OpenID provider. The first server receives the user's OpenID identifier and, following the OpenID protocol, redirects the terminal's browser to a second page of the second server, where the user is authenticated by providing a password or other authentication information such as a fingerprint. After passing the authentication, the browser is redirected back to the first page that the first server displays on the terminal; this first page contains the user's resource information, such as photos, videos, bookmarked URLs and blog posts.
The first server may also set a session cookie in the terminal's browser to maintain the current user session, so that the user need not authenticate again on subsequent accesses to the first server. If the terminal's browser has cookies disabled, the session information may be carried directly in the HTTP request and response messages to maintain the current user session. Both ways of maintaining a session are common techniques in Internet services and are not described further here.
Besides OpenID, other cross-domain identity authentication technologies such as single sign-on (SSO), including OpenSSO and Microsoft Passport, may be used to simplify the authorization of the user's resource information: the user logs in to the first server once through the terminal's browser, and when resource information later needs to be authorized, the browser can directly access the second server to obtain the user's relationship information without authenticating at the second server again.
Of course, if no additional cross-domain identity authentication technology is desired, the user may also access the second server after accessing the first server in order to obtain the relationship information, that is, the user simply accesses the second server separately one more time.
Step 202: The first server displays the first page, that is, the authorization page for the resource information in the first server, through the browser of the user terminal. The first page shows the resource information together with a button or hyperlink for confirming the authorization. The hypertext code (including script code) of the first page is generated entirely by the first server and sent by the first server to the browser of the user terminal for display.
Step 203: A second page containing the relationship information is displayed according to the first page.
The terminal's browser also displays a second page that includes the user's relationship information; the hypertext code (including script code) of the second page is generated by the second server. The second page may be displayed in several ways, for example as an iframe (Inline Frame) within the first page, or, when a button or link in the first page is clicked, as a new browser page that pops up showing the user's relationship information such as contacts and groups.
The second page in turn includes an iframe page pointing to the first server, referred to as the third page, which is generally given a hidden style. Through this iframe page pointing to the first server inside the second page, the browser's restriction that cross-domain communication cannot be performed directly is overcome, so that the first server and the second server can exchange information through the user's browser.
As shown in FIG. 3, the second page is displayed as an iframe within the first page. It can be seen that a ring-shaped information channel is formed: from the first page of the first server to the second page of the second server, then to the third page of the first server, and back to the first page of the first server. This realizes cross-domain transfer of the relationship information within the browser, so that the first server can conveniently obtain the user's relationship information from the second server and thereby authorize the resources in the application.
第二页面可以通过在第一页面中设置第二页面的源地址来进行显示,如 可以在第一页面的 javascript脚本函数中对 iframe形式的第二页面的源地址 属性进行设置, 举例如下: The second page can be displayed by setting the source address of the second page in the first page, such as the source address of the second page in the iframe format in the javascript script function of the first page. The properties are set, for example as follows:
iframel .src= "http://snsexample.com/relationship.php" ;  Iframel .src= "http://snsexample.com/relationship.php" ;
而对于弹出形式的第二页面, 直接使用超链接地址如:  For the second page of the pop-up form, directly use the hyperlink address such as:
<a href="http:〃 snsexample.com/relationship.php" target="_blank">^.-n^^- 组和联系人 </a>  <a href="http:〃 snsexample.com/relationship.php" target="_blank">^.-n^^- Groups and Contacts </a>
或者按钮的点击事件对应脚本打开新页面如:  Or the click event of the button corresponds to the script to open a new page such as:
window. open ('http://snsexample.com/relationship.php') ; 如果用户通过终端第一服务器时是由第二服务器进行身份认证,如采用 OpenID或单点等方式, 即用户在步骤 101通过第二服务器的身份认证时, 第二服务器可以在用户的终端的浏笕器端设置相应的会话 C00kie 项, 该 cookie项的数据可以包括会话标识等会话信息,在当前会话内用户访问第二 服务器就可以不必进行认证了。即第二页面先获取用户的终端的浏笕器端的 cookie数据, 然后携带 cookie数据向第二服务器请求获取该用户的关系信 息, 并将得到的关系信息显示在本页面中。 Window. open ('http://snsexample.com/relationship.php') ; If the user passes the first server of the terminal, the second server performs identity authentication, such as adopting OpenID or single point, that is, the user is in step 101. When the identity of the second server is authenticated, the second server may set a corresponding session C00 kie item on the browser end of the user terminal, and the data of the cookie item may include session information such as a session identifier, and the user accesses the current session. The second server does not have to be authenticated. That is, the second page first obtains the cookie data of the browser end of the user's terminal, and then carries the cookie data to request the second server to obtain the relationship information of the user, and displays the obtained relationship information on the page.
If the first server and the second server cannot use OpenID, single sign-on or the like so that the user authenticates on only one server, then after the user logs in to the first server the second server, which serves the second page, holds no corresponding session information such as cookie data, and the second page must prompt the user to authenticate to the second server before it can display the relationship information.

As shown in FIG. 4, the first page contains the resource information, such as a photo, and a button for confirming the authorization. The second page may be included in the first page as an inline frame. The relationship information shown on the second page can include a contact list, with contacts displayed in groups such as colleagues, classmates and family, and a checkbox in front of each contact or group name. Public groups the user created or joined, and their members, can also be shown for the user to select. Whether a grouping of contacts or a public group, each is represented by a unique group identifier. The second page may display contact names or nicknames and group names, but in the actual information transfer the contact's user identifier and the group identifier are generally used.

In addition to the contacts and groups above, the second server can also detect other users with whom the user has recently communicated, for example by messages or e-mail sent, or by call records held on the second server, and display those users on the second page as well. As telecommunication networks and the Internet converge, a second server operated by a telecommunications operator can easily obtain the user's communication records (such as SMS and calls). People the user has communicated with are not necessarily among the user's contacts and groups, yet the user sometimes wants to share some resources temporarily with them; the information about these people (who may be called temporary contacts) also belongs to the user's relationship data.

Furthermore, since the user may already have authorized the current resource information to some relationship information such as contacts or groups, the first page can also request from the first server the user's existing authorization information for the current resource information and pass the already authorized contacts and groups to the second page as parameters of the second page's source address URL (Uniform Resource Locator). For example:

    iframe1.src = "http://snsexample.com/relationship.php#groups=group1";

Here the parameter in the fragment ("bookmark"), that is, the part after "#" in the address, indicates that the current resource has already been authorized to the group group1.

Instead of fragment parameters, the parameters can also be placed after the query string delimiter "?" in the source address, for example:

    iframe1.src = "http://snsexample.com/relationship.php?groups=group1";

When the same address has to be reused and a large amount of information is to be carried in the iframe's URL, however, the fragment "#" is the best choice, since changing only the fragment does not reload the iframe document and the fragment is never sent to the server.

When the window load event (window.onload) fires, the second page can read these parameters from the current page address and, when displaying the user's relationship information, mark the already authorized groups such as group1 as selected. The user can thus see which relationship information, such as contacts or groups, already has access to the current resource information. An example with both groups and contacts in the parameters:

    iframe1.src = "http://snsexample.com/relationship.php#groups=group1&contacts=usera+userb";

The parameters in this address indicate that the current resource has already been authorized to the group group1 and to the contacts usera and userb; group1 is a group identifier, usera and userb are user identifiers.
Step 204: The user selects relationship information on the second page, and the selected relationship information is passed to the third page. Whenever the user selects or deselects a group or contact through the terminal (for example in the onclick event of the checkbox for a contact or group), the second page passes the currently selected relationship information (groups or contacts) to the third page. It does so by setting the source address attribute of the third page to the third page's address with the user's selection included in the address parameters. An example of the source address set for the third page:

    iframe2.src = "http://appexample.com/auth.php#groups=group1+group2&contacts=usera+userb+userc";

The parameters in this address indicate that the current resource has been selected for authorization to the groups group1 and group2 and to the contacts usera, userb and userc.

Step 205: The third page passes the user-selected relationship information sent by the second page to the first page. The third page sets a timer function that runs at a predetermined interval, for example every 500 milliseconds, reads the user-selected relationship information from the parameters in the current page address, and passes it to the first page whenever it has changed. Because the interval is short (generally under one second), the relationship information read by the third page reflects the user's authorization choices on the second page in real time, and it is handed (for example "groups=group1+group2&contacts=usera+userb+userc") to the corresponding script on the first page for processing. Since the third page and the first page are in the same domain, that is, both on the first server, there is no cross-domain restriction and the relationship information can be passed normally. For a second page in inline-frame form, the processing script in the third page is for example:

    var last;
    function transmit() {
        var hash = window.location.hash;   // the "#..." part of this page's own address
        if (hash === last) return;         // forward only when the selection has changed
        last = hash;
        parent.parent.receive(hash);       // parent is the second page, parent.parent the first page
    }
    setInterval(transmit, 500);

This script runs transmit() every 500 milliseconds and passes the parameters in the page's own source address (the content of window.location.hash) to the corresponding script on the first page (the parent.parent object), namely the receive function on the first page, for processing.

For a pop-up second page, the processing script in the third page is for example:

    var last;
    function transmit() {
        var hash = window.location.hash;
        if (hash === last) return;
        last = hash;
        parent.opener.receive(hash);       // parent is the pop-up second page, parent.opener the first page that opened it
    }
    setInterval(transmit, 500);

Here the first page corresponds to the parent.opener object, unlike the case of an inline-frame second page.
Step 206: After the user confirms the authorization of the resource information to the selected contacts and/or groups, the first page submits the user's final selection of relationship information together with the resource information to the first server.

The first page includes a button or hyperlink for confirming the authorization, which may be labelled "Share", "OK" or the like. When the user activates it, the first page submits the finally selected relationship information and the resource information to the first server. The first server stores a record associating the selected relationship information with the resource information and uses that record as the authorization information for accessing the resource information. The authorization information may additionally contain an authorization time, that is, the time at which the first page submitted the finally selected relationship information and the corresponding resource information to the first server.

As the steps above show, the transfer of relationship information for the resource information between the first server and the second server takes place entirely at the browser side of the terminal: the already authorized relationship information travels from the first page (first server) to the second page (second server), and the user's selected relationship information travels from the second page (second server) through the third page to the first page. Cross-domain resource authorization is completed without transferring any data directly between the first server and the second server, which is simple and efficient and makes full use of the terminal's computing power. A first server that lacks relationship information can thereby make full use of the user relationship information held on the second server to enhance the social features of its own application and attract more users.
In a method for configuring cross-domain authorization provided by another embodiment of the present invention, if cookies are disabled in the user's terminal browser, then to ensure the security of the cross-domain information transfer the first domain and the second domain first exchange passwords before any information is transferred; every subsequent transfer carries the password, and the receiver verifies the password before acting on the transferred information. Referring to FIG. 5, the process is as follows:

Step 301: The first page obtains a first password. The first password can be generated by the first page itself with a random function, or requested from the first server. Because some browsers cannot generate a sufficiently secure password from their own random function, obtaining the password from the server is recommended; the password can be a random string. The session identifier (Session ID) between the first server and the user's browser can serve as the first password, since a session identifier is normally an unpredictable random string.

Step 302: The first page passes the first password to the second page. In the second page's window load event (window.onload), the password parameter that the first page placed in the second page's source address is read; for example the password can be carried in the fragment parameters. The second page caches the received first password for later password verification.

Step 303: The second page obtains a second password and sends it to the third page. The second password can likewise be generated by the second page itself or requested from the second server, and is passed to the third page; the session identifier (Session ID) between the second server and the user's browser can also serve as the second password.

Step 304: The third page passes the second password on to the first page. The first page caches the second password for later password verification. This completes the cross-domain password exchange between the first server and the second server.

Step 305: When user-selected relationship information is subsequently transferred, the first page and the second page each include the password belonging to their own domain in the URL fragment parameters they set. For example, when the first page sets the source address attribute of the second page it carries the password as follows:

    iframe1.src = "http://snsexample.com/relationship.php#groups=group1&password=qw3e45s32328f3nl";

Besides the relationship information, the fragment parameters of this address contain the first password "qw3e45s32328f3nl".

Step 306: The second page verifies the password. In its window load event, the second page takes the password from the fragment parameters of its own window address, here "qw3e45s32328f3nl", compares it with the previously cached first password, and proceeds with further processing, such as reading the already authorized relationship information from the parameters in the following steps, only if they match.

Step 307: When the second page passes the user-selected relationship information to the third page, it also carries the second password.

Step 308: The third page verifies the password. In its window timer function, the third page takes the password from the fragment parameters of its own window address, compares it with the previously cached second password, and proceeds with further processing only if they match.

In this way a request that accesses the address of the second page or the third page from anywhere other than the current browser instance cannot obtain the password, and so leaks neither the user's relationship information nor the resource authorization information.
An authentication method for cross-domain authorization provided by an embodiment of the present invention describes the authentication process when other users access resource information on the first server. For clarity, the user who owns the resource information on the first server is called the first user, and the user who wants to access the first user's resource information is the second user. Assume the first user has authorized the resource information on the first server, such as album P, to group A, and that the members of group A include the second user. Referring to FIG. 6, the steps of this embodiment are as follows:

Step 401: The first server receives a request from the second user to access the first user's resource information, such as album P; the resource information is held on the first server in the first domain. The second user may log in for the request using OpenID or by other means.

Step 402: The first server looks up and obtains the first user's authorization information for the resource information; the authorization information records the relationship information, held on the second server in the second domain, that corresponds to the resource information.

Step 403: The first server determines whether the second user belongs to that relationship information.

Step 404: If so, the first server allows the second user to access the resource information; otherwise it denies the second user access to the resource information.

With the method of this embodiment the first server can, by verifying a user, share with that user the resource information another user has authorized, improving the user experience.

To let the first server obtain as little of the user's relationship information as possible, for example the full set of groups the second user belongs to, which may be numerous and which the second server would not readily transfer in full to the first server, in this embodiment the first server stores only the contact information and the group identifiers that correspond to the first user's resource information, and does not store the individual contacts within the groups. The steps of the cross-domain authentication method of this further embodiment are shown in FIG. 7:

Step 501: The first server receives a request from the second user to access the first user's resource information, such as album P. The second user may log in to the first server using OpenID or by other means.

Step 502: The first server retrieves the first user's authorization information record for the resource information and determines whether the second user is an authorized contact (including temporary contacts). If so, the second user is allowed access and the process ends; otherwise step 503 is performed.

Step 503: The first server sends the group identifiers authorized in the first user's authorization information record for the resource, together with the second user's identifier, to the second server and asks it to determine whether the second user is a member of the authorized groups. When the second user is a member of at least one of the authorized groups, the second server returns a positive result.

Step 504: The first server receives the result returned by the second server. If the result is positive, the first server allows the second user to access; otherwise access is denied.

With the method of this embodiment the first server can, by verifying a user, share with that user the resource information another user has authorized, improving the user experience.
So that, once a user has logged in to the first server, the resources shared by other users that this user is permitted to access can be displayed, letting the user easily learn which resources are available, another embodiment of the present invention provides an authentication method for cross-domain authorization, shown in FIG. 8, which mainly comprises:

Step 601: The first server receives the second user's access request and retrieves from the stored authorization information the resource information authorized to the groups the second user belongs to, as well as the resource information authorized to the second user directly. Because many resources may be retrieved, the corresponding authorization time can be used to filter them, for example retrieving only resources whose authorization time falls within a predetermined period (such as the last week), or only a predetermined number of the most recent ones (those whose authorization time is closest to the present, such as the last ten authorized).

Step 602: The resource information is displayed on the page shown after the second user logs in. This scheme gives the user a personalised post-login home page showing the resources the user can access, in particular those shared most recently.

The method of this embodiment lets a user see, immediately after logging in to the first server, the resource information shared by other users that the user is permitted to access, improving the user experience.
An embodiment of the present invention provides a terminal 7, shown in FIG. 9, which comprises:

a request receiving module 71, configured to receive a user's request to access resource information;

a display module 72, configured to display, according to the request, a first page containing the user's resource information located in a first domain, and to display, according to the first page, a second page containing the user's relationship information located in a second domain;

a relationship information receiving module 73, configured to receive the relationship information, corresponding to the resource information, that the user selects on the second page;

a sending module 74, configured to send the resource information and the relationship information the user selected on the second page to the first server, so that the first server stores a record associating the selected relationship information with the resource information and uses that record as the authorization information for accessing the resource information.

Further, the request receiving module 71 is also configured to receive existing authorization information sent by the first server in response to the request, the existing authorization information comprising records associating relationship information the user has already selected with the resource information; and the display module 72 is also configured to display on the second page, according to the existing authorization information, the relationship information the user has already selected.

Further, the second page is an inline frame page located within the first page, or a new page opened by clicking a hyperlink or button in the first page.
An embodiment of the present invention provides a server 8, shown in FIG. 10, which comprises:

a receiving module 81, configured to receive a request sent by a user through a terminal;

an obtaining module 82, configured to obtain the user's authorization information according to the request and, according to the authorization information, to obtain the resource information the user is authorized to access;

a sending module 83, configured to send the resource information to the terminal.

Further, the obtaining module 82 is specifically configured to obtain, according to the authorization information, the resource information the user was authorized to access within a recent predetermined period, or a predetermined number of the most recently authorized items of resource information; and the sending module is specifically configured to send that resource information, authorized within the recent predetermined period or the predetermined number of most recent items, to the terminal.
An embodiment of the present invention also provides a server 9, shown in FIG. 11, which comprises:

a receiving module 91, configured to receive a user's request, sent through a terminal, to access resource information held on a first server in a first domain;

an obtaining module 92, configured to obtain the authorization information corresponding to the resource information, the authorization information recording the relationship information, held on a second server in a second domain, that corresponds to the resource information;

a processing module 93, configured to determine whether the user belongs to that relationship information, to allow the user to access the resource information if so, and to deny the user access to the resource information if not.

Further, the relationship information comprises contacts or groups, and the processing module 93 is specifically configured to: determine whether the user is one of the contacts in the relationship information and, if so, allow the user to access the resource information and end the process; if not, send the groups in the relationship information together with the user's identifier to the second server so that the second server can determine whether the user belongs to those groups; receive the determination result sent by the second server; and allow the user to access the resource information if the result is positive, otherwise deny the user access to the resource information.
An embodiment of the present invention further provides a server 10, shown in FIG. 12, which includes:
a receiving module 101, configured to receive a request sent by a user through a terminal;
a sending module 102, configured to send, according to the request, a first page containing the resource information to the terminal, so that the terminal sends, according to the first page, an acquisition request for relationship information to a second server in a second domain, obtains the relationship information sent by the second server, and displays the relationship information on a second page;
a storage module 103, configured to receive the resource information sent by the terminal and the relationship information that the user selected on the second page as corresponding to the resource information, to store the correspondence record between the selected relationship information and the resource information, and to use that correspondence record as the authorization information for accessing the resource information.
Further, the sending module 102 is also configured to send stored existing authorization information to the terminal according to the request, where the existing authorization information includes the correspondence records between relationship information and resource information that the user has already selected.
An embodiment of the present invention further provides a cross-domain authorization system 11, shown in FIG. 13, which includes:
a first server 111, located in a first domain, configured to receive a request sent by a user through a terminal; to send, according to the request, a first page containing resource information to the terminal, so that the terminal sends, according to the first page, an acquisition request for relationship information to a second server 112 in a second domain, obtains the relationship information sent by the second server 112, and displays the relationship information on a second page; to receive the resource information sent by the terminal and the relationship information that the user selected on the second page as corresponding to the resource information; to store the correspondence record between the selected relationship information and the resource information; and to use that correspondence record as the authorization information for accessing the resource information;
a second server 112, located in the second domain, configured to send the relationship information of the user to the terminal.
With the terminal, servers and system provided by the above embodiments, a user's resource information held in the first domain can be authorized to relationship information held in the second domain, which improves the user experience.
Those of ordinary skill in the art will understand that all or part of the steps of the methods in the above embodiments may be performed by a program instructing the related hardware; the program may be stored in a computer-readable storage medium and, when run, performs all or part of the steps of the methods in the above embodiments. The storage medium may be a read-only memory, a magnetic disk, an optical disk, or the like.
... the spirit and scope of the invention. Thus, if these modifications and variations of the present invention fall within the scope of the claims of the present invention and their equivalents, the present invention is intended to include them as well.

Claims

1. A method for setting cross-domain authorization, characterized by comprising:
receiving a request from a user to access resource information;
displaying, according to the request, a first page that contains the resource information of the user, the first page being provided by a first server in a first domain;
displaying, according to the first page, a second page that contains relationship information of the user, the second page being provided by a second server in a second domain;
receiving the relationship information that the user selects on the second page as corresponding to the resource information; and
sending the resource information and the relationship information selected by the user on the second page to the first server, so that the first server stores a correspondence record between the selected relationship information and the resource information and uses the correspondence record as authorization information for accessing the resource information.
2. The method according to claim 1, characterized by further comprising:
receiving existing authorization information sent by the first server according to the request, the existing authorization information including correspondence records between relationship information and resource information that the user has already selected;
wherein displaying, according to the first page, the second page containing the relationship information of the user specifically comprises:
the first page receiving the existing authorization information and sending the existing authorization information to the second page; and
the second page displaying the relationship information that the user has already selected, as recorded in the existing authorization information.
3. The method according to claim 2, characterized in that:
the second page is an inline frame (iframe) page located within the first page, and the first page sending the existing authorization information to the second page specifically comprises: the first page specifying the page address of the second page by setting the source address (src) attribute of the second page, and passing the existing authorization information to the second page within an address parameter; or
the second page is a new page opened by clicking a hyperlink or a button in the first page, and the first page sending the existing authorization information to the second page specifically comprises: the first page setting the page address corresponding to the hyperlink or button so that the existing authorization information is passed within an address parameter to the second page of the second server.
4. The method according to claim 3, characterized in that:
the second page displaying the relationship information that the user has already selected, as recorded in the existing authorization information, specifically comprises: the second page, in its window load event, extracting from the address of the second page the parameter that contains the existing authorization information, and displaying, according to the existing authorization information, the relationship information that the user has already selected.
5. The method according to any one of claims 1 to 4, characterized in that the second page contains a third page pointing to the first page, the third page being an inline frame page;
and receiving the relationship information that the user selects on the second page as corresponding to the resource information specifically comprises: the first page receiving the relationship information selected by the user from the second page, where the second page specifies the page address of the third page by setting the source address attribute of the third page and passes the relationship information selected by the user to the first page within an address parameter.
6. The method according to claim 5, characterized in that the third page checks, within a predetermined time, whether the address parameter in the source address attribute of the third page has changed, and sends the changed address parameter to the first page when the address parameter changes.
7. The method according to claim 6, characterized in that the third page sending the relationship information selected by the user to the first page specifically comprises: the third page calling a script function of the first page to process the parameter in the source address attribute, thereby passing the relationship information selected by the user to the first page.
8. The method according to claim 5, characterized by further comprising:
the first page and the second page each generating their own password;
the first page and the second page exchanging and saving each other's password; and
in subsequent information transfers between the first page and the second page, the first page or the second page generating its own new password and sending it to the other party, the first page or the second page verifying the new password sent by the other party against the saved password, and performing the corresponding processing only when the first page or the second page has successfully verified the new password sent by the other party.
9. The method according to claim 5, characterized in that the relationship information selected by the user or the existing authorization information is sent in a query string parameter or a bookmark (fragment) parameter set in the page address.
10. An authentication method for cross-domain authorization, characterized by comprising:
receiving a request from a user, through a terminal, to access resource information held in a first server in a first domain;
obtaining authorization information corresponding to the resource information, the authorization information recording the relationship information, held in a second server in a second domain, that corresponds to the resource information;
determining whether the user belongs to the relationship information; and
if so, allowing the user to access the resource information, otherwise denying the user access to the resource information.
11. The method according to claim 10, characterized in that:
the relationship information includes contacts or groups; and
the step of determining whether the user belongs to the relationship information and, if so, allowing the user to access the resource information, otherwise denying the user access to the resource information, specifically comprises:
determining whether the user is one of the contacts in the relationship information; if so, allowing the user to access the resource information and ending the procedure; if not, performing the following steps:
sending the groups in the relationship information and the identifier of the user to the second server, so that the second server determines whether the user belongs to the groups; and
receiving the determination result sent by the second server; if the determination result is yes, allowing the user to access the resource information, otherwise denying the user access to the resource information.
12. An authentication method for cross-domain authorization, characterized by comprising:
receiving an access request from a user through a terminal;
obtaining, according to the request, authorization information corresponding to the user;
obtaining, according to the authorization information, the resource information that the user is authorized to access; and
sending the resource information to the terminal.
13. The method according to claim 12, characterized in that:
obtaining, according to the authorization information, the resource information that the user is authorized to access specifically comprises: obtaining, according to the authorization information, the resource information that the user was authorized to access within a most recent predetermined time period, or a predetermined number of the most recently authorized resource information items; and
displaying the resource information on the page of the user specifically comprises:
sending the resource information that the user was authorized to access within the most recent predetermined time period, or the predetermined number of most recently authorized resource information items, to the terminal.
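The first server's decision procedure of claims 10 and 11 (the server 9 description above) together with the "recently authorized resources" listing of claims 12 and 13 (server 8), as an added example that is not part of the patent. The records, user identifiers, group names and the `secondServerIsMember` resolver are constructed stand-ins; a real first server would ask the second domain over an authenticated channel, and the example treats any failure of that query as a denial.

```javascript
// Added example (not from the patent): claims 10-13 as a default-deny decision procedure.

// Constructed authorization store: one record per resource in the first domain, holding
// the relationship information (contacts and groups from the second domain) that may
// access it. `grantedAt` is a Unix timestamp (seconds) used for the "recent" listing.
const AUTH_RECORDS = [
  { resource: 'photo-42', contacts: ['alice@second.example'], groups: ['family'],    grantedAt: 1700000000 },
  { resource: 'doc-7',    contacts: [],                        groups: ['coworkers'], grantedAt: 1700003600 },
  { resource: 'note-1',   contacts: ['bob@second.example'],   groups: [],            grantedAt: 1690000000 },
];

// Constructed stand-in for the group membership data held by the second server.
const GROUP_MEMBERS = {
  family:    new Set(['alice@second.example', 'bob@second.example']),
  coworkers: new Set(['carol@second.example']),
};

// Stand-in for the cross-domain query "does `userId` belong to any of `groups`?"
function secondServerIsMember(userId, groups) {
  return groups.some((g) => (GROUP_MEMBERS[g] || new Set()).has(userId));
}

// Decide access to one resource (claims 10-11). `isMember` is injectable so that an
// unreachable second server can be exercised; any error there denies access.
function authorize(userId, resourceId, isMember = secondServerIsMember) {
  const rec = AUTH_RECORDS.find((r) => r.resource === resourceId);
  if (!rec) return { allowed: false, reason: 'no authorization record' }; // default deny
  if (rec.contacts.includes(userId)) return { allowed: true, reason: 'contact' };
  if (rec.groups.length === 0) return { allowed: false, reason: 'not a contact' };
  let member;
  try {
    member = isMember(userId, rec.groups);
  } catch (e) {
    return { allowed: false, reason: `second server unavailable: ${e.message}` }; // fail closed
  }
  return member
    ? { allowed: true, reason: 'group member' }
    : { allowed: false, reason: 'not a contact or group member' };
}

// List the resources the user may access (claims 12-13): those granted within the last
// `withinSeconds` before `now`, or the `limit` most recently granted, or all of them.
function authorizedResources(userId, { now, withinSeconds, limit } = {}) {
  let recs = AUTH_RECORDS.filter((r) => authorize(userId, r.resource).allowed);
  if (withinSeconds !== undefined) recs = recs.filter((r) => now - r.grantedAt <= withinSeconds);
  recs.sort((a, b) => b.grantedAt - a.grantedAt);
  if (limit !== undefined) recs = recs.slice(0, limit);
  return recs.map((r) => r.resource);
}
```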
14. A method for setting cross-domain authorization, characterized by comprising:
receiving a request, sent by a user through a terminal, to access resource information;
sending, according to the request, a first page containing the resource information of the user to the terminal, so that the terminal sends, according to the first page, an acquisition request for the relationship information of the user to a second server in a second domain, obtains the relationship information of the user sent by the second server, and displays the relationship information on a second page; and
receiving the resource information sent by the terminal and the relationship information that the user selected on the second page as corresponding to the resource information, storing a correspondence record between the selected relationship information and the resource information, and using the correspondence record as authorization information for accessing the resource information.
15. The method according to claim 14, characterized by further comprising:
sending stored existing authorization information to the terminal according to the request, the existing authorization information including correspondence records between relationship information and resource information that the user has already selected.
16. A terminal, characterized by comprising:
a request receiving module, configured to receive a request from a user to access resource information;
a display module, configured to display, according to the request, a first page containing the resource information of the user held in a first domain, and to display, according to the first page, a second page containing the relationship information of the user held in a second domain;
a relationship information receiving module, configured to receive the relationship information that the user selects on the second page as corresponding to the resource information; and
a sending module, configured to send the resource information and the relationship information selected by the user on the second page to a first server, so that the first server stores a correspondence record between the selected relationship information and the resource information and uses the correspondence record as authorization information for accessing the resource information.
17. The terminal according to claim 16, characterized in that:
the receiving module is further configured to receive existing authorization information sent by the first server according to the request, the existing authorization information including correspondence records between relationship information and resource information that the user has already selected; and
the display module is further configured to display, in the second page and according to the existing authorization information, the relationship information that the user has already selected.
18. The terminal according to claim 16 or 17, wherein the second page is an inline frame page located within the first page, or a new page opened by clicking a hyperlink or a button in the first page.
19. A server, characterized by comprising:
a receiving module, configured to receive an access request sent by a user through a terminal;
an obtaining module, configured to obtain the authorization information of the user according to the request, and to obtain, according to the authorization information, the resource information that the user is authorized to access; and
a sending module, configured to send the resource information to the terminal.
20. The server according to claim 19, characterized in that the obtaining module is specifically configured to obtain, according to the authorization information, the resource information that the user was authorized to access within a most recent predetermined time period, or a predetermined number of the most recently authorized resource information items; and the sending module is specifically configured to send the resource information that the user was authorized to access within the most recent predetermined time period, or the predetermined number of most recently authorized resource information items, to the terminal.
21. A server, characterized by comprising:
a receiving module, configured to receive a request from a user, through a terminal, to access resource information held in a first server in a first domain;
an obtaining module, configured to obtain the authorization information corresponding to the resource information, the authorization information recording the relationship information, held in a second server in a second domain, that corresponds to the resource information; and
a processing module, configured to determine whether the user belongs to the relationship information, to allow the user to access the resource information when the determination is yes, and to deny the user access to the resource information when the determination is no.
22. The server according to claim 21, characterized in that the relationship information includes contacts or groups; and
the processing module is specifically configured to: determine whether the user is one of the contacts in the relationship information; if so, allow the user to access the resource information and end the procedure; if not, send the groups in the relationship information and the identifier of the user to the second server, so that the second server determines whether the user belongs to the groups; receive the determination result sent by the second server; and, if the determination result is yes, allow the user to access the resource information, otherwise deny the user access to the resource information.
23. A server, characterized by comprising:
a receiving module, configured to receive a request sent by a user through a terminal;
a sending module, configured to send, according to the request, a first page containing resource information to the terminal, so that the terminal sends, according to the first page, an acquisition request for relationship information to a second server in a second domain, obtains the relationship information sent by the second server, and displays the relationship information on a second page; and
a storage module, configured to receive the resource information sent by the terminal and the relationship information that the user selected on the second page as corresponding to the resource information, to store a correspondence record between the selected relationship information and the resource information, and to use the correspondence record as authorization information for accessing the resource information.
24. The server according to claim 23, characterized in that
the sending module is further configured to send stored existing authorization information to the terminal according to the request, the existing authorization information including correspondence records between relationship information and resource information that the user has already selected.
25. A cross-domain authorization system, characterized by comprising:
a first server, located in a first domain, configured to receive a request, sent by a user through a terminal, to access resource information; to send, according to the request, a first page containing the resource information of the user to the terminal, so that the terminal sends, according to the first page, an acquisition request for relationship information to a second server located in a second domain, obtains the relationship information sent by the second server, and displays the relationship information on a second page; to receive the resource information sent by the terminal and the relationship information that the user selected on the second page as corresponding to the resource information; to store a correspondence record between the selected relationship information and the resource information; and to use the correspondence record as authorization information for accessing the resource information; and
a second server, located in the second domain, configured to send the relationship information of the user to the terminal.
PCT/CN2009/076318 2008-12-31 2009-12-31 Configuration and authentication method for cross-domain authorization, the equipment and system thereof WO2010075798A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN 200810242174 CN101771676B (en) 2008-12-31 2008-12-31 Setting and authentication method for cross-domain authorization and relevant device and system
CN200810242174.3 2008-12-31

Publications (1)

Publication Number Publication Date
WO2010075798A1 true WO2010075798A1 (en) 2010-07-08

Family

ID=42309830

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2009/076318 WO2010075798A1 (en) 2008-12-31 2009-12-31 Configuration and authentication method for cross-domain authorization, the equipment and system thereof

Country Status (2)

Country Link
CN (1) CN101771676B (en)
WO (1) WO2010075798A1 (en)

Also Published As

Publication number Publication date
CN101771676A (en) 2010-07-07
CN101771676B (en) 2013-04-24

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 09836085

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 09836085

Country of ref document: EP

Kind code of ref document: A1