CN101299753B - Web service security control mechanism based on proxy server - Google Patents


Info

Publication number: CN101299753B
Authority: CN (China)
Prior art keywords: service, message, proxy server, module, soap
Legal status: Active (Google Patents note: the legal status is an assumption and not a legal conclusion; no legal analysis was performed)
Application number: CN 200810062261
Other languages: Chinese (zh)
Other versions: CN101299753A (en)
Inventors: 吴朝晖, 来谨莹, 邓水光, 李莹, 吴健, 尹建伟
Current assignee: Zhejiang University ZJU (Google Patents note: listed assignees may be inaccurate)
Original assignee: Zhejiang University ZJU
Priority date: 2008-06-17 (Google Patents note: the priority date is an assumption and not a legal conclusion)
Filing date: 2008-06-17
Publication date: 2012-12-05 (CN101299753B); application published 2008-11-05 (CN101299753A)

Application filed by Zhejiang University ZJU
Priority to CN 200810062261
Publication of CN101299753A
Application granted
Publication of CN101299753B
Legal status: Active (current)
Anticipated expiration: not stated on the page

Abstract

The invention relates to a Web service security control mechanism based on a proxy server and belongs to the field of Web service security. It is characterized in that a proxy server is installed on the local machines of both the service requester and the service provider; the proxy server intercepts all HTTP traffic the user sends and receives and processes the SOAP messages it carries. The beneficial effect of the invention is that, because the proxy server on the local machine encrypts and signs every intercepted SOAP message, every SOAP message that crosses the Internet is encrypted and signed, which ensures the confidentiality, integrity and non-repudiation of the message and makes message transmission safer.

Description

Proxy server with Web service security control mechanism
Technical field
The invention belongs to the field of Web service security and relates to a proxy server with a Web service security control mechanism.
Background technology
Web service technology was proposed to solve the problem of integrating network applications: it lets application programs communicate with one another in a way that is independent of platform and programming language. A Web service describes a set of operations that can be accessed over the network by exchanging standardized XML messages, and it uses an XML-based protocol to describe the operations to be performed or the data to be exchanged with another Web service.
SOAP (Simple Object Access Protocol) is an XML-based protocol for encoding the data exchanged between applications. A SOAP package does not invoke methods through a special-purpose binary protocol; it invokes them using the plain-text syntax of XML. All information between the requesting application and the receiving object is sent over HTTP as tagged data in an XML stream. Because the default transport binding of SOAP is HTTP, SOAP documents can pass through almost any firewall and so can exchange messages across different platforms, which is the source of the insecurity of Web services.
A proxy server is a server that sits between the browser and the Web server. Once a proxy server is in use, the browser no longer fetches pages directly from the Web server but sends its requests to the proxy server instead: the request is first delivered to the proxy server, which fetches the information the browser needs and sends it back to the browser.
Summary of the invention
To remedy the insecurity of Web services described above, the present invention proposes a proxy server with a Web service security control mechanism that makes message transmission safer.
A proxy server with a Web service security control mechanism, characterized in that: a proxy server is installed on the local machines of both the service requester and the service provider; the proxy server intercepts all HTTP traffic the user sends and receives and processes the SOAP messages it carries.
The proxy server comprises a local proxy server module, a message processing module, a service authentication module, a service policy module and a local configuration module;
wherein,
the local proxy server module, in the form of a proxy server, listens on a specific port, intercepts all HTTP messages passing through the proxy, extracts the SOAP message from each, hands it to the message processing module for processing, and forwards the processed SOAP message to its real destination;
the message processing module processes SOAP messages: it encrypts all of a SOAP message sent by the service requester, or the sensitive parts of it, to guarantee confidentiality; it signs the message to guarantee integrity and tamper-resistance; and it verifies and decrypts the encrypted and signed SOAP messages received by the service recipient;
the service authentication module authenticates the identity of the service requester at the service provider and decides whether to provide the service to it;
the service policy module judges, according to the user-defined assertion scheme, whether the service requester may call the service offered by the service recipient;
the local configuration module configures the corresponding security parameters and assertion parameters for the service requester and the service provider.
Further, the processing of SOAP messages comprises encrypting and signing all of a SOAP message sent by the service requester, or the sensitive parts of it, and verifying and decrypting the encrypted and signed SOAP messages received by the service recipient.
Further, the proxy server configures the corresponding security parameters for the service requester and the service provider, including the key acquisition method, whether to encrypt and sign, the sections that need encryption and signing, the encryption algorithm and the authentication mode, and it generates the policy file; for the service provider it configures the assertions, and the service requester can obtain the service provider's assertion parameters.
Further, the proxy server is provided with a thread pool to improve the efficiency of SOAP message processing.
Further, the proxy server on the service requester's local machine and the proxy server on the service provider's local machine exchange messages through an ESB container.
The present invention is described further below:
The present invention encrypts and decrypts SOAP messages that travel over the Internet, thereby providing end-to-end message-layer security for Web services.
The main design idea of the present invention is as follows: the control mechanism exists, in the form of a client proxy server, on the local machines of the service requester and the service provider; it intercepts all HTTP traffic the user sends and receives and processes the SOAP messages it carries. To guarantee service efficiency, a thread pool handles each of the user's SOAP messages.
The user can set the corresponding security parameters and assertion parameters through a GUI tool. When the message handler runs at the service requester, it reads the corresponding configuration parameters, encrypts and signs the SOAP message, and sends the (encrypted and signed) SOAP message to the ESB container. An ESB (Enterprise Service Bus) is a product that combines traditional middleware technology with technologies such as XML and Web services; it is a message-based communication module for calling enterprise services. Likewise, when the message handler runs at the service provider, it reads the user-defined configuration parameters and performs assertion verification, signature verification, decryption and authentication on the SOAP message.
The control mechanism comprises a local proxy server module, a message processing module, a service authentication module, a service policy module and a local configuration module.
The local proxy server module, in the form of a proxy server, listens on a specific port, intercepts all HTTP messages passing through the proxy, extracts the SOAP message from each, hands it to the message handler for processing, and forwards the processed SOAP message to its real destination.
The message processing module processes SOAP messages according to the user-defined configuration parameters, which cover encryption and decryption, signing, the authentication mode and the assertion scheme. It encrypts all of a SOAP message sent by the service requester, or the sensitive parts of it, to guarantee confidentiality, and signs the message to guarantee integrity and tamper-resistance. It verifies and decrypts the encrypted and signed SOAP messages received by the service recipient.
The service authentication module authenticates the identity of the service requester at the service provider and decides whether to provide the service to it.
The service policy module judges, according to the user-defined assertion scheme, whether the service requester may call the service offered by the service recipient.
The local configuration module configures the corresponding security parameters and assertion parameters for the service requester and the service provider.
The beneficial effect of the invention is as follows: by installing a proxy server on the local machine and encrypting and signing the intercepted SOAP messages, it can be guaranteed that every SOAP message crossing the Internet is encrypted and signed, which ensures the confidentiality, integrity and non-repudiation of the message and makes message transmission safer.
Description of drawings
Fig. 1 is an overall flow chart.
Fig. 2 is the flow chart for a service requester sending a call request message.
Fig. 3 is the flow chart for a service recipient receiving a call request message.
Embodiment
The present invention is introduced further below with reference to the drawings:
1. Overall flow of the proxy server with a Web service security control mechanism (as shown in Fig. 1):
(1) The service requester on the client side sends a plaintext request message.
(2) The client-side proxy server intercepts and parses the plaintext HTTP request message sent by the service requester and extracts the SOAP message from it. The message handler processes the request message according to the encryption, signature and authentication parameters in the policy file. The proxy server forwards the processed message to the server.
(3) The server-side proxy server intercepts and parses the encrypted and signed HTTP request message and extracts the SOAP message from it. The message handler processes the request message according to the encryption, signature and authentication parameters in the policy file. The proxy server hands the processed plaintext request message to the service provider for handling.
(4) The service provider on the server side generates a plaintext response message and sends it as a plaintext HTTP response message.
(5) The server-side proxy server intercepts and parses the plaintext HTTP response message sent by the service provider and extracts the SOAP message from it. The message handler processes the message according to the encryption and signature parameters in the policy file. The proxy server forwards the processed message to the client.
(6) The client-side proxy server intercepts and parses the encrypted and signed HTTP response message and extracts the SOAP message from it. The message handler processes the response message according to the encryption and signature parameters in the policy file. The proxy server hands the processed plaintext response message to the service requester. At this point one secure Web service request cycle is complete.
2. The service requester sends a call request message:
As shown in Fig. 2, the plaintext request message sent by the client-side service requester passes through the local proxy server, and after processing by the message handler the encrypted and signed request message is sent to the ESB container.
(1) The service requester sends a plaintext HTTP request message.
(2) The local proxy server, listening on a specific port, intercepts the HTTP message.
(3) The local proxy server first parses the plaintext HTTP request and extracts the SOAP message from it.
(4) The local proxy server obtains a message-processing SOAP Handler instance from the thread pool.
(5) The SOAP Handler instance encrypts and signs the SOAP request message (encryption and signing are each optional). If a third-party authentication server is used, a ticket must first be obtained from that server.
(6) The proxy server forwards the encrypted and signed request message to the server.
The message processing carried out by the SOAP Handler instance in step (5) can be divided into the following substeps:
1) Encryption: read from the policy file whether the request message is to be encrypted. If so, encrypt the request message using the encryption algorithm and the content-to-encrypt parameters read from the policy file.
2) Authentication: read the authentication mode from the policy file. If username/password mode is used, the authentication parameters read from the configuration file are added to the request message. If a third-party authentication server is used, a ticket must be obtained from that server.
3) Signature: read from the policy file whether the request message is to be signed. If so, sign the request message using the signature algorithm and the content-to-sign parameters read from the policy file.
3. The service recipient receives a call request message:
As shown in Fig. 3, the server-side local proxy server receives the encrypted and signed request message forwarded by the ESB container; the message handler performs assertion verification, decryption, signature verification and authentication, and the resulting plaintext request message is handed to the service provider.
(1) The local proxy server listens on a specific port and intercepts the encrypted and signed HTTP request message.
(2) The local proxy server parses the message and extracts the SOAP request message from it.
(3) The local proxy server obtains a message-processing SOAP Handler instance from the thread pool.
(4) The SOAP Handler instance performs assertion checking, signature verification, decryption and authentication on the message, to judge whether the service requester may call this service.
(5) The proxy server hands the plaintext request message obtained from message processing to the service provider for handling.
The message processing in step (4) can be divided into the following substeps:
(1) Assertion check: check whether the assertions used by the service requester are compatible with those predefined by the service provider, to judge whether the service requester may call the service.
(2) Authentication: the service provider authenticates the identity of the service requester from the authentication information obtained from the message and decides whether to provide the service to it.
(3) Signature: obtain the signature-related parameters from the policy file and verify the signature on the request message.
(4) Decryption: obtain the encryption-related parameters from the policy file and decrypt the request message so that its content can be read.
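As an added example (not code from the patent or from Zhejiang University), the following Python models both SOAP Handlers described in sections 2 and 3 above: the requester-side substeps (encrypt, authenticate, sign) and the provider-side substeps in the order the patent gives (assertion check, authentication, signature verification, decryption). Everything beyond the patent's description is an assumption: the policy files are modelled as dicts, the security header uses a constructed namespace, the shared keys and credentials are constructed sample values (the patent leaves the key acquisition method to the policy file), the signature is HMAC-SHA256 over the header and the encrypted Body, and encryption uses HMAC-SHA256 in counter mode as a stand-in because AES is not in the Python standard library.

```python
import base64
import hashlib
import hmac
import secrets
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
SEC_NS = "urn:example:proxy-security"  # constructed namespace for the proxy's own security header
ET.register_namespace("soap", SOAP_NS)
ET.register_namespace("sec", SEC_NS)
SOAP, SEC = "{%s}" % SOAP_NS, "{%s}" % SEC_NS  # Clark-notation tag prefixes

# Constructed stand-ins for the policy files the patent's local configuration module
# generates: whether to encrypt and sign, the authentication mode, the assertions used.
REQUESTER_POLICY = {
    "encrypt": True, "sign": True, "authentication_mode": "username",
    "username": "alice", "password": "correct horse battery",
    "assertions": {"encrypt": "true", "sign": "true", "auth": "username"}}
PROVIDER_POLICY = {
    "assertions": {"encrypt": "true", "sign": "true", "auth": "username"},
    "users": {"alice": "correct horse battery"}}  # constructed credential store
KEYS = {"enc": hashlib.sha256(b"demo encryption key").digest(),  # constructed shared keys
        "sig": hashlib.sha256(b"demo signature key").digest()}   # (key acquisition is a policy parameter)


class SecurityError(Exception):
    """Raised when the receiving proxy rejects a message."""


def xor_stream(key, nonce, data):
    # HMAC-SHA256 in counter mode (a PRF-based stream cipher): a stand-in for the
    # algorithm the policy file would name, since AES is not in the standard library.
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(0, len(data), 32))
    return bytes(a ^ b for a, b in zip(data, b"".join(blocks)))


def encrypt_bytes(key, plaintext):
    nonce = secrets.token_bytes(16)  # fresh per message; nonce reuse leaks the XOR of plaintexts
    return nonce + xor_stream(key, nonce, plaintext)


def decrypt_bytes(key, blob):
    return xor_stream(key, blob[:16], blob[16:])


def signed_content(env):
    # Signature input: every header child except the signature itself, plus the
    # already-encrypted Body (encrypt-then-sign, so the MAC also protects the ciphertext).
    header, body = env.find(SOAP + "Header"), env.find(SOAP + "Body")
    return b"".join(ET.tostring(c) for c in header if c.tag != SEC + "Signature") + ET.tostring(body)


def build_request(body_xml):
    """Plaintext SOAP request as the service requester emits it."""
    env = ET.Element(SOAP + "Envelope")
    ET.SubElement(env, SOAP + "Header")
    ET.SubElement(env, SOAP + "Body").append(ET.fromstring(body_xml))
    return ET.tostring(env)


def requester_process(envelope, policy, keys):
    """Requester-side SOAP Handler (patent section 2): encrypt, authenticate, sign."""
    env = ET.fromstring(envelope)
    header, body = env.find(SOAP + "Header"), env.find(SOAP + "Body")
    ET.SubElement(header, SEC + "Assertions", policy["assertions"])  # declared for the provider's check
    if policy["encrypt"]:  # 1) encrypt the Body, the sensitive part named in the policy
        plaintext = b"<w>" + b"".join(ET.tostring(c) for c in body) + b"</w>"
        body.clear()
        blob = encrypt_bytes(keys["enc"], plaintext)
        ET.SubElement(body, SEC + "EncryptedData").text = base64.b64encode(blob).decode()
    if policy["authentication_mode"] == "username":  # 2) username/password token with a nonce
        tok, nonce = ET.SubElement(header, SEC + "UsernameToken"), secrets.token_hex(8)
        ET.SubElement(tok, SEC + "Username").text = policy["username"]
        ET.SubElement(tok, SEC + "Nonce").text = nonce
        digest = hashlib.sha256((nonce + policy["password"]).encode()).hexdigest()
        ET.SubElement(tok, SEC + "PasswordDigest").text = digest
    if policy["sign"]:  # 3) sign the header and the encrypted Body
        mac = hmac.new(keys["sig"], signed_content(env), hashlib.sha256).hexdigest()
        ET.SubElement(header, SEC + "Signature").text = mac
    return ET.tostring(env)


def provider_process(envelope, policy, keys):
    """Provider-side SOAP Handler in the patent's order (section 3); raises SecurityError on rejection."""
    env = ET.fromstring(envelope)
    header, body = env.find(SOAP + "Header"), env.find(SOAP + "Body")
    asserted = header.find(SEC + "Assertions")  # (1) are the requester's assertions compatible?
    if asserted is None or dict(asserted.attrib) != policy["assertions"]:
        raise SecurityError("requester assertions incompatible with provider policy")
    tok = header.find(SEC + "UsernameToken")  # (2) authenticate the requester
    secret = policy["users"].get(tok.findtext(SEC + "Username") or "") if tok is not None else None
    nonce = (tok.findtext(SEC + "Nonce") or "") if tok is not None else ""
    expected = hashlib.sha256((nonce + (secret or "")).encode()).hexdigest()
    if secret is None or not hmac.compare_digest(expected, tok.findtext(SEC + "PasswordDigest") or ""):
        raise SecurityError("authentication failed")
    mac = hmac.new(keys["sig"], signed_content(env), hashlib.sha256).hexdigest()  # (3) verify signature
    if not hmac.compare_digest(mac, header.findtext(SEC + "Signature") or ""):
        raise SecurityError("signature verification failed")
    enc = body.find(SEC + "EncryptedData")  # (4) decrypt the Body, only after the MAC checked out
    if enc is not None:
        body.remove(enc)
        body.extend(ET.fromstring(decrypt_bytes(keys["enc"], base64.b64decode(enc.text))))
    header.clear()  # strip the security header so the provider sees a plain envelope
    return ET.tostring(env)


if __name__ == "__main__":
    wire = requester_process(build_request("<GetBalance><account>42</account></GetBalance>"), REQUESTER_POLICY, KEYS)
    print(wire.decode(), provider_process(wire, PROVIDER_POLICY, KEYS).decode(), sep="\n")
```

Running the module prints the encrypted and signed envelope as it would cross the ESB, then the plaintext envelope the service provider receives. Two design points to check against the patent's description: the signature is computed over the ciphertext (encrypt-then-sign), so a modified Body is rejected at step (3) before any decryption happens, and every digest comparison goes through hmac.compare_digest. The patent's order places authentication before signature verification; with a shared-key MAC the two checks are independent, but a deployment that verifies the signature first rejects forged tokens before the credential store is consulted.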

Claims (3)

1. A proxy server with a Web service security control mechanism, characterized in that: a proxy server is installed on the local machines of both the service requester and the service provider; the proxy server intercepts all HTTP traffic the user sends and receives and processes the SOAP messages it carries; the proxy server comprises a local proxy server module, a message processing module, a service authentication module, a service policy module and a local configuration module; wherein,
the local proxy server module, in the form of a proxy server, listens on a specific port, intercepts all HTTP messages passing through the proxy, extracts the SOAP message from each, hands it to the message processing module for processing, and forwards the processed SOAP message to its real destination;
the message processing module processes SOAP messages: it encrypts all of a SOAP message sent by the service requester, or the sensitive parts of it, to guarantee confidentiality; it signs the message to guarantee integrity and tamper-resistance; and it verifies and decrypts the encrypted and signed SOAP messages received by the service recipient;
the service authentication module authenticates the identity of the service requester at the service provider and decides whether to provide the service to it;
the service policy module judges, according to the user-defined assertion scheme, whether the service requester may call the service offered by the service recipient;
the local configuration module configures the corresponding security parameters and assertion parameters for the service requester and the service provider.
2. The proxy server with a Web service security control mechanism according to claim 1, characterized in that the proxy server is provided with a thread pool to improve the efficiency of SOAP message processing.
3. The proxy server with a Web service security control mechanism according to claim 1, characterized in that the proxy server on the service requester's local machine and the proxy server on the service provider's local machine exchange messages through an ESB container.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN 200810062261 CN101299753B (en) 2008-06-17 2008-06-17 Web service security control mechanism based on proxy server

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN 200810062261 CN101299753B (en) 2008-06-17 2008-06-17 Web service security control mechanism based on proxy server

Publications (2)

Publication Number Publication Date
CN101299753A CN101299753A (en) 2008-11-05
CN101299753B (en) 2012-12-05

Family

ID=40079436

Family Applications (1)

Application Number Title Priority Date Filing Date
CN 200810062261 Active CN101299753B (en) 2008-06-17 2008-06-17 Web service security control mechanism based on proxy server

Country Status (1)

Country Link
CN (1) CN101299753B (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111193595A (en) * 2019-11-28 2020-05-22 腾讯云计算(北京)有限责任公司 Error detection method, device, equipment and storage medium for electronic signature

Families Citing this family (17)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101515932B (en) * 2009-03-23 2013-06-05 中兴通讯股份有限公司 Method and system for accessing Web service safely
CN101621516B (en) * 2009-08-10 2012-12-05 浙江大学 Interactive method for enterprise service bus and external Web service
CN101923465A (en) * 2010-06-25 2010-12-22 深圳创维-Rgb电子有限公司 Embedded application-oriented scalable web service system
WO2012159059A1 (en) * 2011-05-18 2012-11-22 Citrix Systems, Inc. Systems and methods for secure handling of data
CN102427461B (en) * 2011-12-31 2015-05-20 山东中创软件商用中间件股份有限公司 Method and system for realizing Web service application security
CN103281181B (en) * 2013-04-27 2016-09-14 天地融科技股份有限公司 Conversion equipment and display system
CN103533060B (en) * 2013-10-17 2017-04-19 华为技术有限公司 Processing method and device of local proxy
CN103986690B (en) * 2014-04-03 2017-08-04 北京京东尚科信息技术有限公司 A kind of method and apparatus for handling client request
CN105550542A (en) * 2015-12-10 2016-05-04 北京奇虎科技有限公司 Mobile-game-based auditing task submitting method and device as well as game platform system
CN107294913B (en) * 2016-03-31 2021-08-27 阿里巴巴集团控股有限公司 Secure communication method based on HTTP, server and client
CN106375441A (en) * 2016-08-31 2017-02-01 北京深思数盾科技股份有限公司 Function extension method based on WEB browser and terminal device
CN107135249B (en) * 2017-04-06 2023-03-24 腾讯科技(深圳)有限公司 Data downloading method and device
CN108206825B (en) * 2017-11-28 2020-05-22 中国科学院信息工程研究所 Method and system for balancing privacy protection and behavioral accountability in a content delivery-based network
CN109067739B (en) * 2018-07-27 2021-10-08 平安科技(深圳)有限公司 Communication data encryption method and device
CN109005038A (en) * 2018-08-03 2018-12-14 北京达佳互联信息技术有限公司 Endorsement method, device, electronic equipment and storage medium
CN110855656B (en) * 2019-11-06 2022-07-12 云深互联(北京)科技有限公司 Plug-in flow proxy method, device and system capable of realizing application server protection
CN112671733A (en) * 2020-12-16 2021-04-16 平安科技(深圳)有限公司 Data communication method, key management system, device, and storage medium


Also Published As

Publication number Publication date
CN101299753A (en) 2008-11-05

Similar Documents

Publication Publication Date Title
CN101299753B (en) Web service security control mechanism based on proxy server
CN109067803A (en) A kind of SSL/TLS encryption and decryption communication means, device and equipment
CN101873331B (en) Safety authentication method and system
CN103428221B (en) Safe login method, system and device to Mobile solution
CN104702611B (en) A kind of device and method for protecting Secure Socket Layer session key
Paterson et al. Reactive and proactive standardisation of TLS
CN105610848B (en) Possess the centralized data security method and system of source data Security Assurance Mechanism
CN101978650B (en) A system and method of secure network authentication
CN101127604B (en) Information secure transmission method and system
CN101640682B (en) Method for improving safety of Web service
Gruschka et al. Server-side streaming processing of ws-security
US20130103944A1 (en) Hypertext Link Verification In Encrypted E-Mail For Mobile Devices
CN106941491A (en) The safety application data link layer device and communication means of power information acquisition system
CN103179128A (en) Communication security enhancement agent system between Android platform browser and website server
CN109792433A (en) Method and apparatus for equipment application to be tied to network service
CN106998316A (en) A kind of method for authenticating, applications client and gateway device
CN103117851A (en) Encryption control method and device capable of achieving tamper-proofing and repudiation-proofing by means of public key infrastructure (PKI)
CN102333085A (en) Security network authentication system and method
CN106603388B (en) Mail sending, viewing and viewing control method and equipment thereof
CN101296230A (en) Web service security control mechanism based on PKI and PMI
CN110581847A (en) Input foreknowledge system
Setiawan Securing data communication through MQTT protocol with AES-256 encryption algorithm CBC mode on ESP32-based smart homes
CN104618362B (en) A kind of method and device of Resource Server and client interactive sessions message
CN109510710A (en) A kind of response method and system of service request
CN107104888A (en) A kind of safe instant communicating method

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
EE01 Entry into force of recordation of patent licensing contract

Application publication date: 20081105

Assignee: Shenzhen Ipanel Network Co., Ltd.

Assignor: Zhejiang University

Contract record no.: 2013330000103

Denomination of invention: Web service security control mechanism based on proxy server

Granted publication date: 20121205

License type: Common License

Record date: 20130425

LICC Enforcement, change and cancellation of record of contracts on the licence for exploitation of a patent or utility model