CN106411948A - Json verification code-based security authentication interception method - Google Patents


Info

Publication number
CN106411948A
Authority
CN
China
Prior art keywords
identifying code
user
json
access
service end
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201611063558.XA
Other languages
Chinese (zh)
Inventor
王文英
王柏华
李照川
赵海兴
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Inspur Software Group Co Ltd
Original Assignee
Inspur Software Group Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
2016-11-28
Filing date
2016-11-28
Publication date
2017-02-15
Application filed by Inspur Software Group Co Ltd
Priority to CN201611063558.XA
Publication of CN106411948A
Legal status: Pending

Links

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1441 Countermeasures against malicious traffic
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L 63/0815 Network architectures or network communication protocols for network security for authentication of entities providing single-sign-on or federations

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Storage Device Security (AREA)
  • Computer And Data Communications (AREA)

Abstract

The invention discloses a JSON verification code-based security authentication interception method, implemented as follows: first, every access link in the system is treated as a system resource; only a user who has successfully logged in may access it, and a user who has not logged in may not. After a successful login the user is granted a JSON verification code, and when the user accesses system resources this code is attached to each access request; any access request that carries no JSON verification code, or whose code has expired, is treated as an illegal request and granted no permission. Compared with the prior art, the JSON verification code-based security authentication interception method greatly improves server access efficiency in a distributed environment, avoids downtime caused by a large number of users being online simultaneously, encrypts the code with AES265, gives it a limited lifetime so that interception does not lead to information leakage, and is practical, widely applicable and easy to deploy.

Description

Security authentication interception method based on a JSON verification code
Technical field
The present invention relates to the field of computer software, and specifically to a security authentication interception method based on a JSON verification code.
Background technology
For applications in a distributed environment, the security of resource access is extremely important. If system resources could be accessed directly without logging in, the resources in the system would be at constant risk of leakage, causing immeasurable loss. In addition, in a distributed environment, performing security authentication interception on user behaviour places high demands on performance. While ensuring information security, we must also ensure that security auditing does not create performance pressure, so as to improve the efficiency of security auditing.
Traditional security authentication interception relies on a session to store the user's id and contextual information, which occupies a large amount of server memory; whether the user has logged in is judged by detecting whether a session exists. In a distributed environment with a massive number of users online at the same time, the session data holding the information of all those users can quickly exhaust server memory and easily cause downtime. The session model is therefore unsuitable for a distributed environment with a massive number of simultaneous online users. On this basis, a security authentication interception method based on a JSON verification code is provided: by using a JSON verification code the scheme is stateless, the storage pressure is spread across the clients, users who are not logged in are prevented from accessing system resources directly, no server resources are occupied, and access efficiency is unaffected.
Summary of the invention
The technical task of the present invention is to address the above shortcomings by providing a security authentication interception method based on a JSON verification code.
A security authentication interception method based on a JSON verification code is implemented as follows: first, all access links in the system are treated as system resources; only a user who has successfully logged in may access them, and a user who has not logged in may not. After a successful login the user is granted a JSON verification code; when the user accesses system resources, this code is attached to each access request. Any access request without a JSON verification code, or whose code has expired, is treated as an illegal request and granted no permission.
When the user logs in, the JSON verification code is obtained as follows:
When the user logs in at the client, the client sends the username and password to the back-end server, and the password is encrypted for transmission;
after the username and password have been verified, the server checks whether the user information is present in the cache and, if not, reads it from the database;
the user information is then saved in the trusted server-side cache;
the server passes the user information to the verification code generator, which creates an encrypted JSON verification code for this user.
The JSON verification code obtained by the user is saved in the browser cookie on the client. The cookie holds no user information; the user's information is kept on the server, so the cookie is merely the storage location of the verification code.
Based on the above verification code, the user accesses system resources as follows:
when the user sends an access request, the verification code is taken from the cookie, added to the header of the access request and delivered to the server by POST;
after the server receives the client's access request, it first checks whether the header carries a verification code; if so, it first decrypts the code and checks whether it is correct and whether it has expired. If there is no verification code, or the code has expired, or the code is forged, the resource request is refused; if the code is judged valid, the requested resource is returned to the user.
After the browser is closed the cookie is automatically cleared, and the information stored on the server expires automatically after its lifetime.
Compared with the prior art, the security authentication interception method based on a JSON verification code of the present invention has the following beneficial effects:
The method greatly improves server access efficiency in a distributed environment and avoids downtime caused by a massive number of users being online simultaneously. Every JSON verification code is encrypted with AES265 and has a limited lifetime, which avoids the risk of information leakage after interception. The user's contextual information in the system is not kept on the client but in the trusted server-side cache, which further ensures access security. When a token times out or expires, a renewal mechanism is provided, making the user experience smoother. The method is practical, widely applicable and of great application value.
Brief description of the drawings
Figure 1 is a flowchart of the present invention.
Detailed description
The invention is further described below with reference to the drawings and a specific embodiment.
As shown in Figure 1, the present invention provides a security authentication interception method based on a JSON verification code, the purpose of which is to prevent a user who has not logged in from accessing system resources directly.
It is implemented as follows: first, all access links in the system are treated as system resources; only a user who has successfully logged in may access them, and a user who has not logged in may not. After a successful login the user is granted a JSON verification code; when the user accesses system resources, this code is attached to each access request. Any access request without a JSON verification code, or whose code has expired, is treated as an illegal request and granted no permission.
The detailed process is:
The user logs in and sends the username and password to the back end; the password must be encrypted for transmission.
After the username and password have been verified, if the user information is not in the cache, the server reads it from the database.
The user information is saved in the trusted server-side cache, which avoids frequent database access.
The server passes the user information to the verification code generator, which creates an encrypted JSON verification code for this user. The code is encrypted with AES265 and has a limited lifetime, so that even if it is intercepted or leaked it soon becomes invalid.
The verification code is saved in the client cookie. The cookie holds no user information at all; all user information is on the server, which avoids information leakage. The cookie is used here as a storage mechanism rather than as an authentication mechanism, so there is no danger of XSRF attacks.
When the user clicks a menu item, the verification code is taken from the cookie, added to the header of the access request and delivered to the server by POST.
After the server receives a client's resource request, it first checks whether the header carries a verification code; if so, it first decrypts the code and checks whether it is correct and whether it has expired. If there is no verification code, or the code has expired, or the code is forged, the resource request is refused; if the code is judged valid, the requested resource is returned to the user.
After the browser is closed the cookie is automatically cleared, and the information stored on the server expires automatically after its lifetime.
Once a token has expired, the user only needs to obtain a new one. The server provides an interface to refresh the token: after refreshing, a token with an updated validity period is obtained, and the old token is invalidated at the same time.
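The login, interception and refresh steps above, worked through as an added example in Go. This is not code from the patent or from Inspur. It fixes several things the description leaves open: the cipher is taken as AES-256-GCM (the page names AES256, written AES265 in the abstract and summary, without a mode; an authenticated mode is what makes a forged or tampered code fail at decryption rather than decrypt to garbage); the header the client copies the cookie value into is assumed to be named X-Verification-Code; and "invalidating the old token on refresh" is implemented by keeping one small integer per user, a token version, in the trusted server-side cache, so a code whose version is no longer current fails the "is it correct" check. The username/password check and the caching of the full user profile sit outside the example; Login is called once they have passed. Whether an already expired code may still be refreshed, and for how long, is a policy the page does not fix; here an expired code may be refreshed for one further TTL.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"time"
)

// HeaderName is the request header the client copies the cookie value into (assumed name).
const HeaderName = "X-Verification-Code"

// Claims is the JSON sealed inside the verification code: user id, token version, expiry; never the password.
type Claims struct {
	UserID  string `json:"uid"`
	Version int    `json:"ver"`
	Expires int64  `json:"exp"` // Unix seconds
}

var (
	ErrNoCode     = errors.New("no verification code in request header")
	ErrForged     = errors.New("verification code does not decrypt: forged or corrupted")
	ErrSuperseded = errors.New("verification code superseded by a refresh")
	ErrExpired    = errors.New("verification code expired")
)

// Server holds the AES-256-GCM key and, per user, the current token version; it keeps no session.
type Server struct {
	aead     cipher.AEAD
	versions map[string]int   // userID -> current version (assumption: kept in the trusted cache)
	TTL      time.Duration    // code lifetime; the page's default is 240 minutes
	Now      func() time.Time // clock, overridable in tests
}

func NewServer(key []byte, ttl time.Duration) (*Server, error) {
	if len(key) != 32 {
		return nil, errors.New("AES-256 requires a 32-byte key")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return &Server{aead: aead, versions: map[string]int{}, TTL: ttl, Now: time.Now}, nil
}

// Login runs after the username/password check (outside this example) and issues the code.
func (s *Server) Login(userID string) (string, error) {
	plain, _ := json.Marshal(Claims{UserID: userID, Version: s.versions[userID], Expires: s.Now().Add(s.TTL).Unix()})
	nonce := make([]byte, s.aead.NonceSize()) // fresh random nonce, prefixed to the ciphertext
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(s.aead.Seal(nonce, nonce, plain, nil)), nil
}

// Intercept applies the checks in the page's order: a code is present in the header, it
// decrypts (anything else counts as forged), it is correct, and it has not expired.
func (s *Server) Intercept(header map[string]string) (c Claims, err error) {
	if header[HeaderName] == "" {
		return c, ErrNoCode
	}
	raw, err := base64.RawURLEncoding.DecodeString(header[HeaderName])
	n := s.aead.NonceSize()
	if err != nil || len(raw) < n {
		return c, ErrForged
	}
	plain, err := s.aead.Open(nil, raw[:n], raw[n:], nil)
	if err != nil || json.Unmarshal(plain, &c) != nil {
		return c, ErrForged
	}
	if c.Version != s.versions[c.UserID] { // a refresh has retired this code
		return c, ErrSuperseded
	}
	if s.Now().Unix() >= c.Expires {
		return c, ErrExpired // claims are still returned so Refresh can apply its grace window
	}
	return c, nil
}

// Refresh issues a code with a new expiry and retires the old one by bumping the user's version;
// an expired code may still be refreshed for one further TTL (a policy assumption).
func (s *Server) Refresh(header map[string]string) (string, error) {
	c, err := s.Intercept(header)
	if err == ErrExpired && s.Now().Unix() < c.Expires+int64(s.TTL/time.Second) {
		err = nil
	}
	if err != nil {
		return "", err
	}
	s.versions[c.UserID]++
	return s.Login(c.UserID)
}
```

The `header` map stands for the HTTP request headers; the browser-side script reads the cookie and places its value under HeaderName before sending the request, which is why the cookie itself is never consulted by the server. Note the order of the checks in Intercept: the version comparison comes before the expiry comparison, so after a refresh the old code is reported as superseded rather than merely expired, and cannot be refreshed a second time.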
The security authentication interception method based on a JSON verification code has the same purpose as traditional security authentication interception techniques: to judge whether the user performing an access is a logged-in user, and to intercept any operation that has not been authorized by a login. The traditional approach works through the session: whether the user has logged in is judged by whether a session exists, and the information is unencrypted and insecure. The present invention instead performs the verification on the server by means of the JSON verification code.
The server does not need to store session information recording the user's login status; it need not keep any logged-in user state.
The present invention achieves the following two points:
First, it improves access efficiency under high concurrency in a distributed environment. In a distributed environment a massive number of users log in and the number of simultaneously online users is huge; storing large amounts of session data puts enormous pressure on the server. The present invention encrypts the authorization, so the server need not store large amounts of login information and only the client needs to keep it, which greatly reduces the pressure on the server.
Second, it improves the security of user access. The server intercepts every request sent by the client and verifies whether the user has logged in by checking whether the request carries a legitimate token verification code. This prevents a user who has not logged in from accessing system resources directly, which would cause information leakage and malicious access and compromise the security of the information system. The JSON verification codes generated are all encrypted and have a limited lifetime, which effectively guarantees their trustworthiness.
In the present invention the server need not store the user's login status; it only needs to verify whether the client's JSON verification code is legitimate, which reduces memory pressure on the server. Using server-side caching, user information is cached effectively, further reducing the pressure of database access. The client stores only the user's unique identifier and the JSON verification code, never the password, which avoids password leakage through malicious attacks on the client. The JSON verification code has a limited lifetime and by default expires after 240 minutes, so that even if it is intercepted there is not enough time to brute-force it, avoiding the risk of information leakage after interception. Moreover, the JSON verification code is encrypted with the AES256 encryption algorithm, which effectively guarantees the security of the information.
Through the specific embodiment above, those skilled in the art can readily implement the present invention. It should be understood, however, that the present invention is not limited to the specific embodiment above; on the basis of the disclosed embodiment, those skilled in the art can combine the different technical features in any way to arrive at different technical solutions.
Technical features not described in the specification are known to those skilled in the art.

Claims (5)

1. A security authentication interception method based on a JSON verification code, characterized in that it is implemented as follows: first, all access links in the system are treated as system resources; only a user who has successfully logged in may access them, and a user who has not logged in may not. After a successful login the user is granted a JSON verification code; when the user accesses system resources, this code is attached to each access request. Any access request without a JSON verification code, or whose code has expired, is treated as an illegal request and granted no permission.
2. The security authentication interception method based on a JSON verification code according to claim 1, characterized in that, when the user logs in, the JSON verification code is obtained as follows:
when the user logs in at the client, the client sends the username and password to the back-end server, and the password is encrypted for transmission;
after the username and password have been verified, the server checks whether the user information is present in the cache and, if not, reads it from the database;
the user information is then saved in the trusted server-side cache;
the server passes the user information to the verification code generator, which creates an encrypted JSON verification code for this user.
3. The security authentication interception method based on a JSON verification code according to claim 2, characterized in that the JSON verification code obtained by the user is saved in the browser cookie on the client; the cookie holds no user information, the user's information is kept on the server, and the cookie is merely the storage location of the verification code.
4. The security authentication interception method based on a JSON verification code according to claim 3, characterized in that, based on the above verification code, the user accesses system resources as follows:
when the user sends an access request, the verification code is taken from the cookie, added to the header of the access request and delivered to the server by POST;
after the server receives the client's access request, it first checks whether the header carries a verification code; if so, it first decrypts the code and checks whether it is correct and whether it has expired. If there is no verification code, or the code has expired, or the code is forged, the resource request is refused; if the code is judged valid, the requested resource is returned to the user.
5. The security authentication interception method based on a JSON verification code according to claim 3, characterized in that after the browser is closed the cookie is automatically cleared, and the information stored on the server expires automatically after its lifetime.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201611063558.XA CN106411948A (en) 2016-11-28 2016-11-28 Json verification code-based security authentication interception method

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201611063558.XA CN106411948A (en) 2016-11-28 2016-11-28 Json verification code-based security authentication interception method

Publications (1)

Publication Number Publication Date
CN106411948A true CN106411948A (en) 2017-02-15

Family

ID=58083178

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201611063558.XA Pending CN106411948A (en) 2016-11-28 2016-11-28 Json verification code-based security authentication interception method

Country Status (1)

Country Link
CN (1) CN106411948A (en)

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106878024A (en) * 2017-03-08 2017-06-20 北京科摩仕捷科技有限公司 A kind of checking code check method and system based on caching
CN109302416A (en) * 2018-11-13 2019-02-01 深圳市华师兄弟文化传播有限公司 From brand share system
CN109309683A (en) * 2018-10-30 2019-02-05 泰华智慧产业集团股份有限公司 The method and system of client identity verifying based on token
CN109660546A (en) * 2018-12-27 2019-04-19 泰华智慧产业集团股份有限公司 The method that API gateway based on NetflixZuul realizes authentication
CN111200603A (en) * 2019-12-30 2020-05-26 南京旅享云网络科技有限公司 Data interaction method
CN111478923A (en) * 2020-04-28 2020-07-31 华为技术有限公司 Access request response method and device and electronic equipment

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102682009A (en) * 2011-03-11 2012-09-19 腾讯科技(北京)有限公司 Method and system for logging in webpage
US20150229613A1 (en) * 2014-02-11 2015-08-13 Texas Instruments Incorporated Methods and apparatus to provide extended object notation data

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
M. Jones et al.: "JSON Web Token (JWT)", RFC 7519 *
李凯: "Design of a stateless account system based on JSON Web Token", Modern Computer *

Cited By (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106878024A (en) * 2017-03-08 2017-06-20 北京科摩仕捷科技有限公司 A kind of checking code check method and system based on caching
CN109309683A (en) * 2018-10-30 2019-02-05 泰华智慧产业集团股份有限公司 The method and system of client identity verifying based on token
CN109309683B (en) * 2018-10-30 2021-09-14 泰华智慧产业集团股份有限公司 Token-based client identity authentication method and system
CN109302416A (en) * 2018-11-13 2019-02-01 深圳市华师兄弟文化传播有限公司 From brand share system
CN109660546A (en) * 2018-12-27 2019-04-19 泰华智慧产业集团股份有限公司 The method that API gateway based on NetflixZuul realizes authentication
CN109660546B (en) * 2018-12-27 2021-05-07 泰华智慧产业集团股份有限公司 API gateway authentication realization method based on NetflixZuul
CN111200603A (en) * 2019-12-30 2020-05-26 南京旅享云网络科技有限公司 Data interaction method
CN111478923A (en) * 2020-04-28 2020-07-31 华为技术有限公司 Access request response method and device and electronic equipment

Similar Documents

Publication Publication Date Title
CN108471432B (en) Method for preventing network application program interface from being attacked maliciously
CN106411948A (en) Json verification code-based security authentication interception method
US8245030B2 (en) Method for authenticating online transactions using a browser
US8302170B2 (en) Method for enhancing network application security
WO2016180202A1 (en) Method and device for secure communication
Sun et al. The devil is in the (implementation) details: an empirical analysis of OAuth SSO systems
CN104767731B (en) A kind of Restful move transactions system identity certification means of defence
CN107579991B (en) Method for performing cloud protection authentication on client, server and client
Karapanos et al. On the Effective Prevention of {TLS}{Man-in-the-Middle} Attacks in Web Applications
CN108512784A (en) Authentication method based on gateway routing forwarding
CN106453361B (en) A kind of security protection method and system of the network information
CN105430014B (en) A kind of single-point logging method and its system
CN103117998B (en) A kind of safety encryption based on JavaEE application system
CN101292496A (en) Method and devices for carrying out cryptographic operations in a client-server network
CN104601593A (en) Anti-tracking method in network electronic identity authentication process based on challenge modes
CN105743638A (en) System client authorization authentication method based on B/S framework
AU2011254221A1 (en) System and method for protecting access to authentication systems
CN109525565A (en) A kind of defence method and system for SMS interception attack
CN113918967A (en) Data transmission method, system, computer equipment and medium based on security check
Aljawarneh et al. A web client authentication system using smart card for e-systems: initial testing and evaluation
CN116743470A (en) Service data encryption processing method and device
Khandelwal et al. Frontline techniques to prevent web application vulnerability
CN104506518B (en) The identity identifying method of MIPS platform network system access controls
CN116108416A (en) Application program interface safety protection method and system
KR20140110118A (en) A Defence Mechanism against Cookie Replay Attack in Single Sign-On of Web Application

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication (Application publication date: 20170215)