A secure Web service access method and system
Technical field
The invention belongs to the technical field of Web Services and specifically relates to a secure Web service access method and system.
Background technology
Web Service is one of today's hot technologies. It defines how applications achieve interoperability on the Web and is the new platform for building interoperable distributed applications. Developers can write Web Services in their preferred language on different platforms, and these services can then be queried and accessed through the Web Service standards. Building applications with Web Services can greatly extend their functionality: software can be provided dynamically to different people using applications in different places, which is a powerful capability.
A Web Service is an object deployed on the Web and therefore has all the advantages that object technology promises; at the same time, because Web Service is founded on XML (Extensible Markup Language) based Web specifications, it is more open than existing object technology.
However, as Web Services come to be used conveniently across a vast range of fields, their security problems also receive more attention day by day.
At present their security implementation is mainly divided into the following aspects: first, transmission security: with the SSL and HTTPS protocols, security during the connection can be obtained; second, message encryption: the data transmitted in XML is encrypted and a digital signature function is added.
The above security measures increase the security of Web Service access, but they cannot resist all intrusions from every direction.
The method proposed here starts from the access service that the Web Service itself provides: business is placed under graded control according to its importance, business access is authorized according to the client's grade, and at the same time the IP address of the visiting client is checked, further increasing the security of the Web Service server.
Summary of the invention
The problem to be solved by the present invention is the security problem that exists in current Web service access, so that users obtain a better security experience when accessing Web services.
To achieve this goal, the invention provides a secure Web service access method and system; the method comprises the following steps:
The client initiates an access request to the service end;
The interface module of the service end obtains the security verification parameters provided by the client and authenticates them; if authentication fails, access is denied; if authentication passes, the security verification parameters and the interface ID are sent to the Rights Management System of the service end;
The Rights Management System of the service end authenticates the security verification parameters and the ID of the accessed interface; if authentication fails, access is denied; if authentication passes, the client can obtain the required business by accessing the transaction processing system of the service end.
In the described method, the security verification parameters that the service end interface module obtains from the client comprise the client's version number, device code, user name and user password.
In the described method, the authentication of the client's version number by the service end interface module is specifically: check whether the client's version number is compatible with the version number of the service end; if incompatible, deny access; if compatible, allow access. The authentication of the client's device code by the service end interface module is specifically: check whether the device code to be accessed is the device code configured for this service end; if not, deny the user access; if so, allow access.
In the described method, the authentication of the user's user name and password by the service end Rights Management System is specifically: the Rights Management System checks whether the client's user name and password are correct; if the user does not exist or the password is wrong, access is denied; if the user name exists and the password is correct, access is allowed. The authentication of the accessed service end interface ID by the service end Rights Management System is specifically: the Rights Management System checks by the interface ID whether this user has the right to access this interface; if not, access is denied; if so, access is allowed.
In the described method, when the service end interface module sends the security verification parameters to the service end Rights Management System, it also sends the client's IP address to the Rights Management System, and the Rights Management System authenticates that IP address.
In the described method, the authentication of the IP address by the service end Rights Management System is specifically: check whether the client has been configured with a bound IP address check; if configured, check whether the IP address is within the bound IP address range configured on the service end; if so, allow access; if the client has no bound IP address check configured, or the IP address is not within the bound IP address range configured on the service end, deny access.
In the described method, the data that the service end Rights Management System needs during authentication is retrieved from the service end database.
The system comprises a client and a service end; the client obtains services by accessing the interface module of the service end. The service end comprises an interface module and a Rights Management System; the interface module is used to provide access services to the client and to obtain the access request parameters provided by the client; the Rights Management System is used to receive the security verification parameters and interface ID from the interface module after the interface module's authentication has passed, and to authenticate these security verification parameters and the interface ID.
The system also comprises a database, used to provide access data to the service end Rights Management System and the transaction processing system.
The system also comprises a transaction processing system, used to provide the corresponding business to the client after the client has passed authentication.
The method and system proposed here perform double authentication through the service end interface module and the service end Rights Management System, which increases the security of the Web Service server.
Description of drawings
Fig. 1 is a module diagram of the present invention;
Fig. 2 is a process flow chart of the present invention.
Embodiment
The present invention is described in detail below with reference to the accompanying drawings.
As can be seen from Figure 1, the system comprises a client, a service end interface access module, a Rights Management System, a transaction processing system and a database system used for rights and service management. The service end interface access module obtains the security verification parameter block from the client's access request, completes the security verification of the client together with the Rights Management System, and passes client access requests that have passed security verification to the transaction processing system for business access; the Rights Management System is responsible for managing the rights of accessing users; the transaction processing system is responsible for the service processing functions for clients authorized to access.
The Rights Management System completes the rights configuration of accessing users. According to the differing function and importance of the service end interfaces, accessing users are controlled by grade, for example grade 0: super administrator level, grade 1: system administrator level, grade 2: authorized user A level, grade 3: authorized user B level, grade 4: authorized user C level, and so on; users of different grades can access different interface functions. At the same time, an IP address or IP subnet address can be bound to an accessing user; if the accessing user's IP address is not within the bound IP address range, access is denied. For access interfaces, each interface is given a unique interface ID in the Rights Management System, and this ID value uniquely identifies one access interface. After the client submits an interface access request to the service end, when the rights verification of the client is performed, the accessed interface passes this ID value into the Rights Management System together with the security verification parameters submitted by the client, so that the rights verification can be carried out.
Figure 2 shows the main steps comprised by the present invention.
Step S100: the client initiates an access request.
The client initiates the access request via a SOAP message, in the interface form described by the WSDL of the service end.
In the present invention, the request parameters are divided into two parameter blocks: the security verification parameter block and the service parameter block. The security verification parameter block contains the parameters required for authorized access to the system and is used to verify the validity and legitimacy of the access request. The service parameter block contains the parameters required to access the authorized business and is used to access the business correctly.
The security verification parameter block comprises the following parameters:
(1) the version number of the accessing user's Web Service client, used to check whether the client version is the version required by the service end;
(2) the device code, meaning the code of the accessed device;
(3) the accessing user name, meaning the access user name authorized by the Web Service service end;
(4) the user's password, meaning the password that the Web Service service end assigns to the authorized access user; it is transmitted in encrypted form in the client's access request. The encryption method of this password is either specified by the service end or carried out by an encryption package provided by the service end.
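The split of the SOAP request into a security verification parameter block and a service parameter block (step S100 and parameters (1) to (4) above), shown as an added example that is not part of the patent text. The element names SecurityParams, ServiceParams, Version, DeviceCode, UserName and Password, the operation name QueryBalance and the namespace urn:example:secure-ws are assumptions, since the patent gives no XML schema; the sample request is constructed. The parser only separates the blocks and rejects structurally invalid requests; the client IP address is deliberately not read from the message, because step S120 takes it from the transport.

```python
"""Parse a SOAP access request into the two parameter blocks of step S100:
the security verification block (version, device code, user name, password)
and the service parameter block.

Added example, not the patent's code. Element names, the operation name and
the service namespace are assumptions; the sample request is constructed.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
SVC_NS = "urn:example:secure-ws"          # assumed service namespace (a WSDL would fix it)

# The four parameters of the security verification block, all mandatory.
REQUIRED_SECURITY_FIELDS = ("Version", "DeviceCode", "UserName", "Password")


@dataclass
class AccessRequest:
    interface_id: str                  # invoked operation; mapped to an interface ID later
    security: dict                     # the four security verification parameters
    service: dict = field(default_factory=dict)   # business parameters, passed through untouched


def _local(tag: str) -> str:
    """Strip the {namespace} prefix ElementTree puts on qualified tags."""
    return tag.rsplit("}", 1)[-1]


def parse_access_request(xml_bytes: bytes) -> AccessRequest:
    """Split a SOAP request into security and service blocks.

    Raises ValueError for structurally invalid requests so the interface
    module can deny access before any verification work is done.
    """
    try:
        root = ET.fromstring(xml_bytes)
    except ET.ParseError as exc:
        raise ValueError(f"malformed XML: {exc}") from exc

    body = root.find(f"{{{SOAP_NS}}}Body")
    if body is None or len(body) != 1:
        raise ValueError("SOAP Body must contain exactly one operation element")
    operation = body[0]

    sec_block = operation.find(f"{{{SVC_NS}}}SecurityParams")
    if sec_block is None:
        raise ValueError("security verification parameter block missing")
    security = {}
    for name in REQUIRED_SECURITY_FIELDS:
        elem = sec_block.find(f"{{{SVC_NS}}}{name}")
        if elem is None or not (elem.text or "").strip():
            raise ValueError(f"security parameter {name} missing or empty")
        security[name] = elem.text.strip()

    # The service block is opaque to the interface module; keep it as a flat dict.
    svc_block = operation.find(f"{{{SVC_NS}}}ServiceParams")
    service = {}
    if svc_block is not None:
        for child in svc_block:
            service[_local(child.tag)] = (child.text or "").strip()

    return AccessRequest(interface_id=_local(operation.tag), security=security, service=service)


def request_error(xml_bytes: bytes):
    """Return the rejection reason for an invalid request, or None if it parses."""
    try:
        parse_access_request(xml_bytes)
    except ValueError as exc:
        return str(exc)
    return None


# Constructed sample request (not from the patent); the password value is an
# opaque placeholder standing for whatever encrypted form the service end specifies.
SAMPLE_REQUEST = b"""<?xml version="1.0"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
               xmlns:s="urn:example:secure-ws">
  <soap:Body>
    <s:QueryBalance>
      <s:SecurityParams>
        <s:Version>2.1</s:Version>
        <s:DeviceCode>DEV-0042</s:DeviceCode>
        <s:UserName>alice</s:UserName>
        <s:Password>ENC:3f9ab2c1</s:Password>
      </s:SecurityParams>
      <s:ServiceParams>
        <s:AccountNo>100200300</s:AccountNo>
      </s:ServiceParams>
    </s:QueryBalance>
  </soap:Body>
</soap:Envelope>
"""

if __name__ == "__main__":
    req = parse_access_request(SAMPLE_REQUEST)
    print(req.interface_id, req.security["UserName"], req.service)
```

A request that lacks any of the four security parameters is refused before the version or device code is even compared, which keeps the interface module's checks (steps S110 and S115) from ever running on partial input. In a deployment the XML would be parsed with an entity-restricting parser in front of this function; the standard library parser shown here does not fetch external entities, but the service parameter block is still handed to business code unvalidated, exactly as the patent describes.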
Step S105: after the service end interface module receives the client's interface access request, it obtains the security verification parameters provided by the client, comprising the accessing user client's version number, the accessed device code, the accessing user name and the user's password.
Step S110: the service end interface module checks whether the client's version number is compatible with the version number of the service end; if incompatible, access is denied.
Step S115: the service end interface module checks whether the device code to be accessed is the device code of this service end. If it is not the device code configured for this service end, the user's access is denied.
Step S120: the service end calls the Rights Management System to perform rights verification.
The service end obtains the IP address of the accessing client. The service end interface module passes the accessing user's user name, password and IP address, together with the ID value of the interface being accessed, into the rights management module for rights verification.
Step S125: the service end Rights Management System reads the user's authorization attributes from the database according to the client's user name and checks whether a bound IP address check has been configured for the accessing user. If this user has a bound IP address check configured, it checks whether the accessing user's IP address is within the bound IP address range configured on the server end; if it is not within this range, the user's access is denied.
Step S130: the service end rights management module checks whether the accessing client's user name and password are correct; if the user does not exist or the password is wrong, the user's access is denied.
Step S135: the service end rights management module looks up the user rights group to which the user belongs according to the client's user name, and reads the rights held by this user rights group; these access rights include which service end interfaces the user's rights group can access.
Step S140: if the access rights of this user rights group do not include the interface ID of the accessed interface, rights verification fails and the user is refused business access.
Step S145: the accessing user has passed rights verification; the service end interface module calls the business module according to the content of the client's service parameter block, performs the business access, and returns the access result to the client module.
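The two-stage check sequence, as described in the Summary steps and worked through in steps S105 to S145 above, shown as an added example that is not the patent's own code. The in-memory user table, rights groups and business modules stand in for the service end database and transaction processing system; the compatible-version allow-list, the salted PBKDF2 password verification (used in place of the unspecified encrypted-password exchange), the interface IDs and all user, network and password values are constructed assumptions. On the bound IP check the embodiment (S125) lets a user with no binding configured through, while the Summary's wording denies such a user; the example follows S125 by default and exposes the stricter reading as the require_ip_binding flag.

```python
"""Check sequence of steps S105-S145: the interface module verifies version
and device code, then the Rights Management System verifies bound IP,
credentials and interface rights before the business module runs.

Added example, not the patent's own code. The in-memory tables stand in for
the service end database (step S125); the compatible-version list, PBKDF2
password hashing and the rights-group layout are assumptions, since the text
leaves the password encryption and the database schema to the service end.
"""
import hashlib
import hmac
import ipaddress
import os
from dataclasses import dataclass

# Constructed service end configuration.
COMPATIBLE_CLIENT_VERSIONS = {"2.0", "2.1"}   # assumed rule: explicit allow-list (S110)
SERVER_DEVICE_CODE = "DEV-0042"               # device code configured for this service end (S115)

# Interface name -> unique interface ID assigned in the Rights Management System.
INTERFACE_IDS = {"QueryBalance": 1001, "Transfer": 1002, "AdminReset": 1003}

# Rights groups by grade (0 = super administrator ... 4 = authorized user C),
# each listing the interface IDs it may access (S135).
RIGHTS_GROUPS = {
    "grade0_super_admin": {1001, 1002, 1003},
    "grade2_user_A": {1001, 1002},
    "grade4_user_C": {1001},
}


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class UserRecord:
    salt: bytes
    pw_hash: bytes
    rights_group: str
    bound_networks: tuple = ()   # empty = no bound IP address check configured


def make_user(password: str, group: str, networks=()) -> UserRecord:
    salt = os.urandom(16)
    nets = tuple(ipaddress.ip_network(n) for n in networks)
    return UserRecord(salt, hash_password(password, salt), group, nets)


# Constructed user table standing in for the service end database.
USERS = {
    "alice": make_user("correct horse", "grade2_user_A", ("10.0.0.0/24",)),
    "root": make_user("super-secret", "grade0_super_admin", ("192.168.1.10/32",)),
    "carol": make_user("carol-pass", "grade4_user_C"),
}
_DUMMY = make_user("placeholder", "none")   # keeps S130 timing equal for unknown users


def interface_module_check(version: str, device_code: str):
    """Steps S110 and S115: the first authentication stage, run by the interface module."""
    if version not in COMPATIBLE_CLIENT_VERSIONS:
        return False, "client version incompatible with service end"
    if not hmac.compare_digest(device_code.encode(), SERVER_DEVICE_CODE.encode()):
        return False, "device code not configured for this service end"
    return True, "interface module checks passed"


def rights_management_check(username, password, client_ip, interface_id, require_ip_binding=False):
    """Steps S125-S140, in the flow chart's order: bound IP, credentials, interface rights.

    A user with no bound IP check configured passes S125 as the embodiment
    describes; require_ip_binding=True applies the stricter reading given in
    the Summary, which denies such a user.
    """
    user = USERS.get(username)
    if user is not None:                                    # S125
        if user.bound_networks:
            addr = ipaddress.ip_address(client_ip)
            if not any(addr in net for net in user.bound_networks):
                return False, "client IP outside bound address range"
        elif require_ip_binding:
            return False, "no bound IP address configured for user"
    record = user if user is not None else _DUMMY            # S130
    pw_ok = hmac.compare_digest(record.pw_hash, hash_password(password, record.salt))
    if user is None or not pw_ok:
        return False, "user does not exist or password wrong"   # one message for both cases
    if interface_id not in RIGHTS_GROUPS.get(user.rights_group, set()):   # S135/S140
        return False, "rights group may not access this interface"
    return True, "rights verification passed"


# Constructed business modules; the transaction processing system sits here (S145).
BUSINESS_MODULES = {
    "QueryBalance": lambda p: {"account": p["AccountNo"], "balance": "0.00"},
    "Transfer": lambda p: {"status": "queued"},
    "AdminReset": lambda p: {"status": "reset"},
}


def handle_access_request(security: dict, client_ip: str, interface_name: str, service_params: dict):
    """Full sequence S105-S145. client_ip comes from the transport, never from the message body."""
    ok, why = interface_module_check(security["Version"], security["DeviceCode"])
    if not ok:
        return False, why
    interface_id = INTERFACE_IDS.get(interface_name)
    if interface_id is None:
        return False, "unknown interface"
    ok, why = rights_management_check(security["UserName"], security["Password"], client_ip, interface_id)
    if not ok:
        return False, why
    return True, BUSINESS_MODULES[interface_name](service_params)


if __name__ == "__main__":
    sec = {"Version": "2.1", "DeviceCode": "DEV-0042", "UserName": "alice", "Password": "correct horse"}
    print(handle_access_request(sec, "10.0.0.7", "QueryBalance", {"AccountNo": "100200300"}))
    print(handle_access_request(sec, "172.16.0.1", "QueryBalance", {"AccountNo": "100200300"}))
```

Two details worth noting for anyone implementing the flow chart. First, the same refusal text is returned for an unknown user and for a wrong password, and the hash is computed even for unknown users, so step S130 does not reveal which user names exist. Second, the interface ID is resolved on the service end from the invoked operation, never taken from the client, so a client cannot name an interface ID that its rights group does not hold.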
The above is only a preferred embodiment of the present invention and should not be regarded as limiting the scope of the invention; the scope of the claims asserted by the present invention is not limited to it. Equivalent changes that any person skilled in this field could easily conceive on the basis of the technical content disclosed by the present invention should all fall within the protection scope of the present invention.