CN107124431B - Authentication method, device, computer readable storage medium and authentication system - Google Patents

Info

Publication number
CN107124431B
Authority
CN
China
Prior art keywords
client
service
calling
request
server
Legal status
Active
Application number
CN201710482304.XA
Other languages
Chinese (zh)
Other versions
CN107124431A (en
Inventor
李国喜
司先锋
鲁原良
Current Assignee
Zhejiang Number Chain Technology Co Ltd
Original Assignee
Zhejiang Number Chain Technology Co Ltd
Events
Application filed by Zhejiang Number Chain Technology Co Ltd
Priority to CN201710482304.XA
Publication of CN107124431A
Application granted
Publication of CN107124431B

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0823 Network architectures or network communication protocols for network security for authentication of entities using certificates
    • H04L63/12 Applying verification of the received information
    • H04L63/126 Applying verification of the received information: the source of the received data
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/50 Network services
    • H04L67/51 Discovery or management thereof, e.g. service location protocol [SLP] or web services

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Telephonic Communication Services (AREA)
  • Storage Device Security (AREA)

Abstract

The application provides an authentication method, an authentication device, a computer-readable storage medium and an authentication system. The method comprises: receiving a call request sent by a client, the call request being a request to call a service on a server; authenticating the client to determine whether it has the authority to call the service; and, after the client is authenticated successfully, forwarding the call request to the server so that the server responds to the call request and calls the service. Because the client calling the service is authenticated by a security platform, the service can be called only by clients that are authorised to call it, which improves security; and because the authentication is performed by the security platform, client permissions can be managed centrally, which improves management efficiency.

Description

Authentication method, device, computer readable storage medium and authentication system
Technical Field
The present application relates to communications technology, and in particular to an authentication method, an authentication device, a computer-readable storage medium and an authentication system.
Background
System services are programs, routines or processes that perform specified system functions in support of other programs. In today's internet industry, however, neither internal nor external services are wrapped in a security mechanism that protects them, so service resources can be called arbitrarily, which creates serious security risks.
Disclosure of Invention
In view of the above, the present application provides an authentication method, an authentication device, a computer-readable storage medium and an authentication system that give a service a security mechanism, to remove the security risk created by service resources that can be called arbitrarily.
To achieve this, the present application provides the following technical solutions:
According to a first aspect of the present application, an authentication system is proposed, comprising a client, a server and a security platform;
the client sends a call request to the security platform, the call request being a request to call a service on the server;
the security platform authenticates the client to determine whether the client has the authority to call the service and, after the client is authenticated successfully, forwards the call request to the server;
and the server responds to the call request and calls the service.
According to a second aspect of the present application, an authentication method applied to a security platform is provided; the method comprises the following steps:
receiving a call request sent by a client, the call request being a request to call a service on a server;
authenticating the client to determine whether the client has the authority to call the service;
and, after the client is authenticated successfully, forwarding the call request to the server so that the server responds to the call request and calls the service.
According to a third aspect of the present application, an authentication apparatus applied to a security platform is provided; the apparatus comprises:
a receiving unit, which receives a call request sent by a client, the call request being a request to call a service on a server;
an authentication unit, which authenticates the client to determine whether the client has the authority to call the service;
and a forwarding unit, which forwards the call request to the server after the client is authenticated successfully, so that the server responds to the call request and calls the service.
According to a fourth aspect of the present application, a computer-readable storage medium is proposed on which computer instructions are stored; when executed by a processor, the instructions carry out the steps of the method described above.
With this technical scheme the client calling a service is authenticated by the security platform, so a service can be called only by a client with the authority to call it, which improves security; and because the authentication is performed by the security platform, client permissions can be managed centrally, which improves management efficiency.
Drawings
Fig. 1 is a flowchart of service calling in the related art.
Fig. 2 is a schematic diagram of centralised service calling through a gateway in the related art.
Fig. 3 is a flow chart illustrating an authentication method according to an exemplary embodiment of the present application.
Fig. 4 is a schematic diagram of a network architecture shown in an exemplary embodiment of the present application.
Fig. 5 is a flow chart illustrating another authentication method according to an exemplary embodiment of the present application.
Fig. 6 is a schematic diagram of the correspondence between services and clients recorded by the security platform according to an exemplary embodiment of the present application.
Fig. 7 is a flowchart illustrating authentication by using a certificate according to an exemplary embodiment of the present application.
Fig. 8 is a schematic structural diagram of an electronic device according to an exemplary embodiment of the present application.
Fig. 9 is a block diagram of an authentication apparatus according to an exemplary embodiment of the present application.
Detailed Description
Reference will now be made in detail to the exemplary embodiments, examples of which are illustrated in the accompanying drawings. When the following description refers to the accompanying drawings, like numbers in different drawings represent the same or similar elements unless otherwise indicated. The embodiments described in the following exemplary embodiments do not represent all embodiments consistent with the present application. Rather, they are merely examples of apparatus and methods consistent with certain aspects of the present application, as detailed in the appended claims.
The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the application. As used in this application and the appended claims, the singular forms "a", "an", and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise. It should also be understood that the term "and/or" as used herein refers to and encompasses any and all possible combinations of one or more of the associated listed items.
It is to be understood that although the terms first, second, third, etc. may be used herein to describe various information, such information should not be limited to these terms. These terms are only used to distinguish one type of information from another. For example, first information may also be referred to as second information, and similarly, second information may also be referred to as first information, without departing from the scope of the present application. The word "if" as used herein may be interpreted as "at … …" or "when … …" or "in response to a determination", depending on the context.
An application often contains several services (for example, the application Alipay contains services such as payment, transfer and cash withdrawal), and in the related art a service is called on a per-service basis. Referring to fig. 1, a flowchart of service calling in the related art, the calling process may include the following steps:
Step 102: service A derives a security key value from the request parameters with a preset algorithm (a digest computed over the parameters).
Here it is assumed that service A calls service B, i.e. service A is the service caller. The security key value is abbreviated sk below.
Step 104: service A sends a call request to service B.
The call request contains the request parameters and the sk value.
Step 106: after receiving the call request, service B reads the request parameters from it and computes a new sk value from them with the same preset algorithm.
Step 108: service B compares whether the new sk value equals the received sk value.
Step 110: if they are equal, service B treats the call request as legitimate and returns the relevant data to service A.
The related art also routes service calls centrally through a gateway; this mode is described with reference to fig. 2. As shown in fig. 2, with services 1 to 6 as an example, calls between the services pass through the gateway, which forwards every call request.
The related art therefore has the following drawbacks:
1. Service calls cannot be managed.
As long as the preset algorithm is unchanged, any party that knows it can call service B without restriction; the only way to stop service A from calling service B is to change the algorithm, after which every other service loses the ability to call service B as well. Calls to a service cannot be controlled, which is a serious security risk.
2. Single point of failure.
As fig. 2 shows, once the gateway fails none of the services in the system can be called: a single-point failure propagates to the whole system and can bring it down, reducing both stability and security.
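To make drawback 1 concrete, here is an added example (not code from the patent) of the related-art check of steps 102 to 110, written in Go. SHA-256 over a version label and the parameters stands in for the unspecified "preset algorithm", and ServiceB and Call are names chosen here; none of this is from the page. Because the tag is derived from the parameters alone, a service that was never meant to call B produces exactly the same tag as the intended caller, and the only lever B has, changing the algorithm, cuts off every caller at once.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Digest is one "preset algorithm": a SHA-256 digest over a label naming the
// algorithm version and the request parameters. Changing the label is the
// page's "changing the preset algorithm". No secret enters the computation.
func Digest(algorithm, params string) string {
	sum := sha256.Sum256([]byte(algorithm + "|" + params))
	return hex.EncodeToString(sum[:])
}

// ServiceB knows only which preset algorithm is current. It holds no
// per-caller secret, so it has nothing to tell one caller from another by.
type ServiceB struct{ Algorithm string }

// Accepts is steps 106-110: recompute the sk over the received parameters and
// compare it with the received sk.
func (b ServiceB) Accepts(params, sk string) bool {
	return Digest(b.Algorithm, params) == sk
}

// Call is steps 102-104 for any service that knows the algorithm: it returns
// the parameters and the sk it would send with them.
func Call(algorithm, params string) (string, string) {
	return params, Digest(algorithm, params)
}

func main() {
	b := ServiceB{Algorithm: "v1"}
	params := "account=u1001&amount=250" // constructed request parameters

	// Service A is the intended caller; service C was never meant to call B.
	// Both know the algorithm, so B accepts both and cannot tell them apart.
	fmt.Println("A accepted:", b.Accepts(Call("v1", params))) // true
	fmt.Println("C accepted:", b.Accepts(Call("v1", params))) // true

	// To cut A off, B can only change the algorithm, which cuts C off too.
	b.Algorithm = "v2"
	fmt.Println("A after change:", b.Accepts(Call("v1", params))) // false
	fmt.Println("C after change:", b.Accepts(Call("v1", params))) // false
	// And as soon as C is told "v2", A can use it just as well.
	fmt.Println("A with new algorithm:", b.Accepts(Call("v2", params))) // true
}
```

The digest does still catch a modified parameter, which is the one property the related-art check provides; what it cannot provide is caller identity, which is what the per-client secret key of the embodiments below adds.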
The present application therefore addresses these deficiencies of the related art by changing the way services are called. It is explained further through the following embodiments:
Fig. 3 is a flowchart of an authentication method applied to a security platform according to an exemplary embodiment of the present application; the method may include the following steps:
Step 302: receive a call request sent by a client.
In this embodiment services are called between applications, that is, one application calls a service of another application. For example, when Alipay executes its cash withdrawal service it has to call the deposit service of the bank to which the user's account is bound, so Alipay sends the bank a request for the deposit service. The service caller is the client, the service provider is the server, and the call request is a request to call a service on the server.
Step 304: authenticate the client to determine whether it has the authority to call the service.
In this embodiment a user on the client side applies to call a service by logging in to the security platform, and a user on the server side reviews that application by logging in to the security platform. Once the application is approved, the security platform records the correspondence between the requested service and the client's identification information, and stores that correspondence in a zookeeper cluster.
With this review mechanism in place, when the security platform receives a call request (which carries the client's identification information) it looks up the recorded correspondence between each service and the clients allowed to call it, determines from the identification information and that correspondence whether the client has the authority to call the service, and treats the authentication as successful only when it does. Authenticating the caller in this way improves the security of service calls and prevents malicious calls; it also stops service resources being called at will, so the server no longer has its processing resources consumed by unlimited calls and its performance improves.
In this embodiment, when a deactivation operation for the client's right to call the service is detected (performed, for example, by a server-side user logged in to the security platform), the correspondence between the client's identification information and the service is deleted. Because it is deleted, later call requests from that client for that service fail authentication, so the client can no longer call it. Responding to deactivation lets the security platform restrict calls further (a server-side user can edit the correspondence on the security platform to limit an application's access to a service), again avoiding unlimited calls that would tie up the server's processing resources.
Step 306: after the client is authenticated successfully, forward the call request to the server so that the server responds to it and calls the service.
In this embodiment a keyed algorithm may also be applied to the request parameters to produce a signature, so that the legitimacy of the call request can be verified and, for example, another application cannot impersonate the client to call the service illegitimately. Specifically, the call request carries the client's first signature and its request parameters; the first signature is computed with the preset algorithm from the client's security key and the request parameters, the security key having been issued to the client in advance by the security platform, and the request parameters identify the data to be fetched from the server.
Given that configuration, legitimacy is verified as follows: read the request parameters from the call request, compute a second signature with the preset algorithm from the security key recorded locally for this client and the parameters just read, and, if the first and second signatures are equal, forward the call request so that the server returns the corresponding data to the client; otherwise refuse to forward it. Because the signature depends on the client's secret key, only a party holding that key can produce it; an attacker who sees the parameters alone cannot.
With this technical scheme, services are called between applications. Compared with the related-art per-service calling, service calls can be managed and controlled, which improves their security, and since the authentication is performed by the security platform the permissions of service callers can be managed centrally, which improves management efficiency. Compared with the related-art gateway mode, calls between different applications do not affect one another: the scheme is decentralised, there is no single forwarding node whose failure stops every call, and the stability and security of every application system improve.
For ease of understanding, the technical solution is described in detail below with reference to specific scenarios and the drawings. Fig. 4 is a schematic diagram of a network architecture according to an exemplary embodiment of the present application. As shown in fig. 4, the network architecture may include a security platform, a server, a client and a network.
The security platform may comprise a console, a software component and a zookeeper cluster. The console issues identification information and a security key to each client and server, reviews applications to call services, and records the correspondence between a service and a client once the review is passed. The software component, a jar library (hereinafter the sdk), authenticates the client that sends a call request and verifies the legitimacy of that request. The zookeeper cluster stores the correspondences recorded by the console together with the identification information and security key issued to every client and server. In addition, the dubbo framework and the sdk can be embedded in the security platform.
Both the server and the client are applications, and an application may contain several services. The service caller is the client and the service provider is the server.
The network over which the security platform, server and client interact may be of any wired or wireless type, for example a public switched telephone network (PSTN), the internet or a private network; the application places no limit on it.
The technical scheme therefore involves three-party data interaction among the security platform, the server and the client, and it is described below through that interaction. Referring to fig. 5, a flowchart of another authentication method according to an exemplary embodiment of the present application, the method applied to the security platform may include the following steps:
Step 502: the client sends a registration request to the security platform.
Step 504: the server sends a registration request to the security platform.
Step 506: the security platform generates the corresponding identification information and security keys.
In this embodiment the application acting as service caller is the client and the application acting as service provider is the server. For example, when application 1 asks application 2 to call a service, application 1 is the client and application 2 the server; conversely, when application 2 asks application 1 to call a service, application 2 is the client and application 1 the server.
The client and the server register with the security platform during initialisation, and the security platform generates identification information and a security key for the client and likewise for the server. The identification information may be an Access Key (Access Key ID, hereinafter ak) and the security key a Secret Key (Secret Access Key, hereinafter sk).
Step 508: the security platform issues the server's ak and sk to the server.
Step 510: the security platform issues the client's ak and sk to the client.
Step 512: the client applies to the security platform to call a service.
In this embodiment a user on the client side applies to call the service by logging in to the security platform.
Step 514: the security platform reviews the received application to call the service.
In this embodiment a user on the server side (an administrator of the server-side application) reviews the client's application by logging in to the security platform.
Step 516: once the client's application is approved, the security platform records the correspondence between the requested service and the client's identification information.
In this embodiment the security platform stores the issued ak and sk values and the recorded correspondences in the zookeeper cluster, so that every node of the platform sees the same data and the service stays consistent. The recorded correspondence is described with reference to fig. 6, a schematic diagram of the correspondence between services and clients recorded by the security platform according to an exemplary embodiment. As shown in fig. 6, application 1 (identification information ak1) contains service 1, service 2 and service 3. With application 1 as provider, service 1 may be called by application 2 (ak2), application 3 (ak3) and application 4 (ak4); service 2 by applications 2 and 4; and service 3 by application 3, application 4 and application 5 (ak5).
In this embodiment steps 502 to 516 are performed by the console of the security platform.
Step 518: the client sends a call request to the security platform.
Step 520: the security platform determines whether the client has the authority to call the requested service.
Step 522: the security platform verifies the legitimacy of the call request.
In this embodiment the call request contains the client's ak, the first signature and the request parameters (which identify the data to be fetched from the server). The first signature is computed from the client's sk and the request parameters with a preset algorithm; the application names MD5, SHA1 and HMAC as examples and places no limit on the choice. Of these only an HMAC keyed with sk is a proper message authentication code: a bare hash over the concatenation of sk and the parameters is open to length extension once one valid signature has been observed, and MD5 and SHA-1 are no longer recommended for new designs.
After receiving the call request the security platform looks up the correspondence recorded in step 516 and, from the ak in the request and that correspondence, determines whether the client has the authority to call the service; authentication succeeds only when it does. Authenticating the service caller (the client) in this way improves the security of service calls and stops service resources being called at will, so the server's processing resources are not consumed by unlimited calls and its performance improves.
For example, with the correspondence of fig. 6: if application 2 (the client) requests service 3, the security platform finds from fig. 6 that application 2 has no authority to call service 3, so its authentication fails; if application 2 requests service 2 instead, the platform finds that application 2 is authorised and its authentication succeeds.
After the authentication the security platform further verifies the legitimacy of the call request, so that for example another application cannot impersonate the client to call the service. Specifically, the platform reads the ak, first signature and request parameters from the call request, reads from the local zookeeper cluster the sk stored for that ak, and computes the second signature from that sk and the parameters with the preset algorithm. If the first and second signatures are equal it forwards the call request to the server so that the server returns the corresponding data to the client; otherwise it refuses to forward it.
Step 524: the security platform forwards the call request to the server.
Step 526: the server returns the data of the called service to the client.
In this embodiment, when the security platform detects a deactivation operation for the client's right to call the service, it deletes the correspondence between the client's ak and the service. Because it is deleted, later call requests from that client for that service fail authentication, so the client can no longer call it. Responding to deactivation lets the security platform restrict calls further (a server-side user can edit the correspondence on the platform to limit an application's access to a service), again avoiding unlimited calls that would tie up the server's processing resources.
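The three-party flow of steps 502 to 526, including the signature check also described under step 306, as an added Go example; this is not the patent's sdk or console code. It assumes HMAC-SHA256 as the preset algorithm, a sorted key=value encoding of the request parameters, an in-memory map in place of the zookeeper cluster, and names such as Platform, Grant, Revoke and Authorize that are not from the page. The grant table mirrors one row of fig. 6 (application 2 may call service 2 of application 1).

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"sort"
	"strings"
)

// CallRequest is what the client sends in step 518: its ak, the wanted
// service, the request parameters and the first signature over them.
type CallRequest struct {
	AK, Service string
	Params      map[string]string
	Sig         string
}

// Platform stands in for console, sdk and zookeeper cluster: it issues ak/sk
// pairs (steps 506-510) and records which ak may call which service (516).
type Platform struct {
	secrets map[string]string          // ak -> sk (in memory instead of zookeeper)
	grants  map[string]map[string]bool // service -> aks allowed to call it
}

func NewPlatform() *Platform {
	return &Platform{secrets: map[string]string{}, grants: map[string]map[string]bool{}}
}

// Register answers a registration request (steps 502-510) with a fixed ak
// and a random 128-bit sk.
func (p *Platform) Register(name string) (ak, sk string) {
	buf := make([]byte, 16)
	if _, err := rand.Read(buf); err != nil {
		panic(err)
	}
	ak, sk = "ak-"+name, hex.EncodeToString(buf)
	p.secrets[ak] = sk
	return ak, sk
}

// Grant records the reviewed correspondence "ak may call service" (step 516).
func (p *Platform) Grant(service, ak string) {
	if p.grants[service] == nil {
		p.grants[service] = map[string]bool{}
	}
	p.grants[service][ak] = true
}

// Revoke is the deactivation operation: with the correspondence deleted, later
// requests from this ak for this service fail authentication.
func (p *Platform) Revoke(service, ak string) { delete(p.grants[service], ak) }

// canonical serialises the parameters in sorted key order so that client and
// platform sign the same bytes whatever the map iteration order.
func canonical(params map[string]string) string {
	keys := make([]string, 0, len(params))
	for k := range params {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	parts := make([]string, 0, len(keys))
	for _, k := range keys {
		parts = append(parts, k+"="+params[k])
	}
	return strings.Join(parts, "&")
}

// Sign is the client's computation of the first signature, with HMAC-SHA256
// as the preset algorithm; the platform recomputes it as the second signature.
func Sign(sk string, params map[string]string) string {
	mac := hmac.New(sha256.New, []byte(sk))
	mac.Write([]byte(canonical(params)))
	return hex.EncodeToString(mac.Sum(nil))
}

// Authorize is steps 520-522: the grant lookup, then the signature check with
// the sk held for that ak. A nil result means the request is forwarded (524).
func (p *Platform) Authorize(req CallRequest) error {
	if !p.grants[req.Service][req.AK] {
		return errors.New("authentication failed: " + req.AK + " may not call " + req.Service)
	}
	sk, ok := p.secrets[req.AK]
	if !ok || !hmac.Equal([]byte(Sign(sk, req.Params)), []byte(req.Sig)) {
		return errors.New("signature mismatch: forwarding refused")
	}
	return nil
}

func main() {
	platform := NewPlatform()
	ak2, sk2 := platform.Register("app2")
	_, sk3 := platform.Register("app3")
	platform.Grant("app1/service2", ak2) // fig. 6: application 2 may call service 2

	params := map[string]string{"account": "u1001", "amount": "250"} // constructed
	req := CallRequest{AK: ak2, Service: "app1/service2", Params: params, Sig: Sign(sk2, params)}
	fmt.Println("app2 -> service2:", platform.Authorize(req)) // <nil>, forwarded
	forged := CallRequest{AK: ak2, Service: "app1/service2", Params: params, Sig: Sign(sk3, params)}
	fmt.Println("app3 posing as app2:", platform.Authorize(forged)) // wrong sk
	platform.Revoke("app1/service2", ak2)
	fmt.Println("after deactivation:", platform.Authorize(req)) // grant deleted
}
```

Two points the page leaves open matter in practice. The signature covers only the request parameters, so a captured request can be replayed until the grant is revoked unless a timestamp or nonce is included among the signed parameters. And checking the grant before the signature, as steps 520 and 522 do, tells an unauthenticated caller whether a given ak holds a grant; many implementations verify the signature first so that an unauthenticated request learns nothing.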
In summary, in the technical scheme services are called between applications. Compared with the related-art per-service calling, service calls can be managed and controlled, which improves their security, and because the authentication is performed by the security platform the permissions of service callers are managed centrally, which improves management efficiency. Compared with the related-art gateway mode, calls between different applications do not affect one another, so the scheme is decentralised, has no single point of failure, and improves the stability and security of every application system.
In the technical solution of the present application, the security platform can also be used for authentication in certificate mode. The authentication process is described in detail below with reference to fig. 7. As shown in fig. 7, the process may include the following steps:
Step 702, the client applies to the security platform for a certificate.
Step 704, the server applies to the security platform for a certificate.
Step 706, the security platform generates a certificate for the client (including the public key of the server) and a certificate for the server (including the public key of the client).
Step 708, the security platform issues the server's certificate to the server.
Step 710, the security platform issues the client's certificate to the client.
In this embodiment, after receiving its certificate the client locally stores its own private key and the public key of the server; after receiving its certificate the server locally stores its own private key and the public key of the client.
Step 712, the client signs the call request with its own private key and sends the call request to the server.
Step 714, the server verifies the signature of the received call request with the locally stored public key of the client.
Step 716, if the signature verifies successfully, the corresponding data is returned to the client; otherwise the call request is rejected.
In this embodiment, when the server calls a service on the client, the authentication process is the mirror image of the one above and is not repeated here.
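The fig. 7 exchange, written out as an added example in Go. This is not code from the patent: it models the certificates as raw Ed25519 key pairs handed out by an `Enroll` function standing in for the security platform, and the request layout, the canonical serialization, the service names and the sample parameters are all assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
	"sort"
	"strings"
)

// Peer is what each party keeps locally after enrolment (steps 706-710 of fig. 7):
// its own private key and the public key of the other side. The page carries the
// public keys inside certificates issued by the security platform; modelling them
// as raw Ed25519 keys is an assumption made to keep the example self-contained.
type Peer struct {
	Name    string
	priv    ed25519.PrivateKey
	PeerPub ed25519.PublicKey
}

// CallRequest is a hypothetical wire format for the call request of step 712.
type CallRequest struct {
	Caller    string
	Service   string
	Params    map[string]string
	Signature []byte
}

// canonical returns the bytes covered by the signature: every field except the
// signature itself, with parameters in sorted key order so that signer and
// verifier serialize the request identically.
func canonical(r CallRequest) []byte {
	keys := make([]string, 0, len(r.Params))
	for k := range r.Params {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	var b strings.Builder
	b.WriteString(r.Caller + "\n" + r.Service + "\n")
	for _, k := range keys {
		b.WriteString(k + "=" + r.Params[k] + "\n")
	}
	return []byte(b.String())
}

// Enroll plays the security platform of steps 702-710: it generates a key pair
// for each party and hands each side its own private key plus the peer's public key.
func Enroll(nameA, nameB string) (*Peer, *Peer, error) {
	pubA, privA, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	pubB, privB, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Peer{Name: nameA, priv: privA, PeerPub: pubB},
		&Peer{Name: nameB, priv: privB, PeerPub: pubA}, nil
}

// Sign builds a call request and signs it with the caller's private key (step 712).
func (p *Peer) Sign(service string, params map[string]string) CallRequest {
	r := CallRequest{Caller: p.Name, Service: service, Params: params}
	r.Signature = ed25519.Sign(p.priv, canonical(r))
	return r
}

// Verify checks the request against the locally stored public key of the peer
// (step 714). A nil result means the callee should serve the request (step 716).
func (p *Peer) Verify(r CallRequest) error {
	if !ed25519.Verify(p.PeerPub, canonical(r), r.Signature) {
		return errors.New("signature verification failed: call request rejected")
	}
	return nil
}

func main() {
	client, server, err := Enroll("client", "server")
	if err != nil {
		panic(err)
	}
	// Constructed sample request: the client calls a service on the server.
	req := client.Sign("orders.query", map[string]string{"order_id": "42"})
	fmt.Println("genuine request:", server.Verify(req))
	req.Params["order_id"] = "43" // altered in transit after signing
	fmt.Println("tampered request:", server.Verify(req))
	// The reverse direction (server calling the client) is the same code with roles swapped.
	fmt.Println("server -> client:", client.Verify(server.Sign("client.notify", nil)))
}
```

The page says nothing about the freshness of a signed call request; a deployment would normally also bind a timestamp or nonce into the bytes that `canonical` produces, so that a captured request cannot simply be sent again.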
In the technical solution of the present application, the identification-information-plus-security-key authentication of fig. 5 allows life-cycle management of the identification information and the security key, for example updating each application's identification information and security key periodically; the certificate authentication of fig. 7 likewise allows the life cycle of the certificate to be managed, for example applying for, downloading, updating, revoking, suspending and un-suspending the certificate. This life-cycle management mechanism effectively improves the security of the system and prevents services from being called by unauthorized applications.
When a security key needs to be updated (for example because the key may have been leaked, or has expired), the updated first security key and the pre-update second security key may be used simultaneously for a preset duration: within that window both keys are valid, and either may be used to verify validity in step 522. After the preset duration only the first security key remains valid and the second security key becomes invalid. The preset duration can be set according to the actual situation and is not limited by this application. The identification information and the certificate can be updated in the same way, which is not described again here.
Fig. 8 shows a schematic structural diagram of an electronic device according to an exemplary embodiment of the present application. Referring to fig. 8, at the hardware level the electronic device includes a processor 802, an internal bus 804, a network interface 806, a memory 808 and a non-volatile memory 810, and may also include hardware required by other services. The processor 802 reads the corresponding computer program from the non-volatile memory 810 into the memory 808 and runs it, forming the authentication apparatus at the logical level. Besides a software implementation, the present application does not exclude other implementations, such as logic devices or a combination of software and hardware; that is, the execution subject of the following processing flow is not limited to logic units and may also be hardware or logic devices.
Referring to fig. 9, in a software implementation the authentication apparatus may include a receiving unit 901, an authentication unit 902 and a forwarding unit 903, wherein:
the receiving unit 901 is configured to receive a call request sent by a client, the call request being used to call a service on a server;
the authentication unit 902 is configured to authenticate the client to determine whether the client has the authority to call the service;
the forwarding unit 903 is configured to forward the call request to the server after the client is authenticated successfully, so that the server responds to the call request and calls the service.
Optionally, the call request includes identification information of the client, and the authentication unit 902 is specifically configured to:
retrieve a pre-recorded correspondence between the service and the clients permitted to call the service;
determine, from the identification information and the correspondence, whether the client has the authority to call the service, and judge that the client is authenticated successfully when it does.
Optionally, the correspondence is stored in a ZooKeeper cluster.
Optionally, the apparatus further includes:
a deleting unit 904, configured to delete the correspondence between the identification information of the client and the service when a deactivation operation for the client's calling of the service is detected.
Optionally,
the call request includes a first signature and a request parameter of the client, the first signature being obtained by calculating, with a preset algorithm, over the security key of the client and the request parameter; the security key is issued to the client in advance by the security platform, and the request parameter is used to obtain the corresponding data from the server;
the apparatus further includes a reading unit 905, configured to read the request parameter in the call request and calculate, with the preset algorithm, a second signature over the locally recorded security key corresponding to the client and the request parameter read; if the first signature equals the second signature, the forwarding of the call request is carried out so that the server returns the corresponding data to the client, otherwise the forwarding is refused.
The implementation process of the functions and actions of each unit in the above device is specifically described in the implementation process of the corresponding step in the above method, and is not described herein again.
For the device embodiments, since they substantially correspond to the method embodiments, reference may be made to the partial description of the method embodiments for relevant points. The above-described embodiments of the apparatus are merely illustrative, and the units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the modules can be selected according to actual needs to achieve the purpose of the scheme of the application. One of ordinary skill in the art can understand and implement it without inventive effort.
In an exemplary embodiment there is also provided a non-transitory computer readable storage medium, such as a memory, comprising instructions executable by a processor of an authentication apparatus to perform the method, which may include:
receiving a call request sent by a client, the call request being used to call a service on a server;
authenticating the client to determine whether the client has the authority to call the service;
after the client is authenticated successfully, forwarding the call request to the server so that the server responds to the call request and calls the service.
Optionally, the call request includes identification information of the client, and authenticating the client includes:
retrieving a pre-recorded correspondence between the service and the clients permitted to call the service;
determining, from the identification information and the correspondence, whether the client has the authority to call the service, and judging that the client is authenticated successfully when it does.
Optionally, the correspondence is stored in a ZooKeeper cluster.
Optionally, the method further includes:
deleting the correspondence between the identification information of the client and the service when a deactivation operation for the client's calling of the service is detected.
Optionally,
the call request includes a first signature and a request parameter of the client, the first signature being obtained by calculating, with a preset algorithm, over the security key of the client and the request parameter; the security key is issued to the client in advance by the security platform, and the request parameter is used to obtain the corresponding data from the server;
the method further includes: reading the request parameter in the call request and calculating, with the preset algorithm, a second signature over the locally recorded security key corresponding to the client and the request parameter read; if the first signature equals the second signature, carrying out the forwarding of the call request so that the server returns the corresponding data to the client, otherwise refusing the forwarding.
The non-transitory computer readable storage medium may be a ROM, a Random Access Memory (RAM), a CD-ROM, a magnetic tape, a floppy disk, an optical data storage device, etc., which is not limited in this application.
The above description is only exemplary of the present application and should not be taken as limiting the present application, as any modification, equivalent replacement, or improvement made within the spirit and principle of the present application should be included in the scope of protection of the present application.

Claims (10)

1. An authentication system, comprising: the system comprises a client, a server and a security platform;
the client sends a calling request to the security platform, and the calling request is used for calling a service to a server; the calling request comprises a first signature and a request parameter of the client, and the first signature is obtained by calculating a security key of the client and the request parameter according to a preset algorithm; the security key is issued to a client in advance by the security platform, and the request parameter is used for acquiring corresponding data in the server;
the security platform authenticates the client to determine whether the client has the authority to call the service; after the authentication of the client is successful, reading a request parameter in the calling request, and calculating a locally recorded security key corresponding to the client and the read request parameter according to the preset algorithm to obtain a second signature; if the first signature is equal to the second signature, forwarding the calling request to the server side so that the server side returns corresponding data to the client side, and otherwise, refusing to execute forwarding operation;
and the server side responds to the calling request and calls the service.
2. An authentication method is characterized by being applied to a security platform; the method comprises the following steps:
receiving a calling request sent by a client, wherein the calling request is used for calling a service to a server, the calling request comprises a first signature and a request parameter of the client, and the first signature is obtained by calculating a security key of the client and the request parameter according to a preset algorithm; the security key is issued to a client in advance by the security platform, and the request parameter is used for acquiring corresponding data in the server;
authenticating the client to determine whether the client has the authority to call the service;
after the authentication of the client is successful, reading a request parameter in the calling request, and calculating a security key which is locally recorded and corresponds to the client and the read request parameter according to the preset algorithm to obtain a second signature; if the first signature is equal to the second signature, forwarding the calling request to the server, so that the server responds to the calling request and calls the service, and returns corresponding data to the client; otherwise, the forwarding operation is refused to be executed.
3. The method according to claim 2, wherein the invocation request includes identification information of the client; the authenticating the client includes:
calling a pre-recorded corresponding relation between the service and a client capable of calling the service;
determining whether the client has the authority to call the service or not according to the identification information and the corresponding relation; and when the client has the right of calling the service, judging that the authentication of the client is successful.
4. The method of claim 3, wherein the correspondence is stored in a zookeeper cluster server.
5. The method of claim 3, further comprising:
and when the deactivation operation for calling the service for the client is detected, deleting the corresponding relation between the identification information of the client and the service.
6. An authentication device is applied to a security platform; the device comprises:
the system comprises a receiving unit, a service processing unit and a processing unit, wherein the receiving unit is used for receiving a calling request sent by a client, the calling request is used for calling a service to a server, the calling request comprises a first signature and a request parameter of the client, and the first signature is obtained by calculating a security key of the client and the request parameter according to a preset algorithm; the security key is issued to a client in advance by the security platform, and the request parameter is used for acquiring corresponding data in the server;
the authentication unit authenticates the client to determine whether the client has the authority of calling the service;
the forwarding unit reads the request parameter in the calling request after the authentication of the client is successful, and calculates the locally recorded security key corresponding to the client and the read request parameter according to the preset algorithm to obtain a second signature; if the first signature is equal to the second signature, forwarding the calling request to the server, so that the server responds to the calling request and calls the service, and returns corresponding data to the client; otherwise, the forwarding operation is refused to be executed.
7. The apparatus according to claim 6, wherein the invocation request includes identification information of the client; the authentication unit is specifically configured to:
calling a pre-recorded corresponding relation between the service and a client capable of calling the service;
determining whether the client has the authority to call the service or not according to the identification information and the corresponding relation; and when the client has the right of calling the service, judging that the authentication of the client is successful.
8. The apparatus of claim 7, wherein the correspondence is stored in a zookeeper cluster server.
9. The apparatus of claim 7, further comprising:
and the deleting unit is used for deleting the corresponding relation between the identification information of the client and the service when detecting the deactivation operation of calling the service for the client.
10. A computer-readable storage medium having stored thereon computer instructions, which, when executed by a processor, carry out the steps of the method according to any one of claims 2-5.
CN201710482304.XA 2017-06-22 2017-06-22 Authentication method, device, computer readable storage medium and authentication system Active CN107124431B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201710482304.XA CN107124431B (en) 2017-06-22 2017-06-22 Authentication method, device, computer readable storage medium and authentication system

Publications (2)

Publication Number Publication Date
CN107124431A CN107124431A (en) 2017-09-01
CN107124431B true CN107124431B (en) 2020-03-06

Family

ID=59719339

Country Status (1)

Country Link
CN (1) CN107124431B (en)

Families Citing this family (15)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107679831B (en) * 2017-10-09 2021-01-08 金蝶软件(中国)有限公司 Method and related device for calling ERP function
CN108418814A (en) * 2018-02-12 2018-08-17 广州市贝聊信息科技有限公司 Interface authentication method, apparatus and computer readable storage medium based on dubbo frames
CN108199852B (en) * 2018-04-02 2021-02-26 上海企越信息技术有限公司 Authentication method, authentication system and computer readable storage medium
CN109376124A (en) * 2018-08-22 2019-02-22 香港中文大学(深圳) A kind of metadata storing method and computer readable storage medium
CN109274699A (en) * 2018-11-28 2019-01-25 北京锐安科技有限公司 Method for authenticating, device, server and storage medium
CN109828852B (en) * 2019-01-23 2021-09-24 北京奇艺世纪科技有限公司 Authority management method, device, system, equipment and readable storage medium
CN110138741B (en) * 2019-04-15 2022-06-17 平安科技(深圳)有限公司 Micro-service management method and device based on unified management platform and computer equipment
CN112134705A (en) * 2019-06-24 2020-12-25 北京思源政通科技集团有限公司 Data authentication method and device, storage medium and electronic device
CN110545173A (en) * 2019-07-29 2019-12-06 大众问问(北京)信息科技有限公司 method and device for safety verification and request sending
CN110278133B (en) * 2019-07-31 2021-08-13 中国工商银行股份有限公司 Checking method, device, computing equipment and medium executed by server
CN110619206B (en) * 2019-08-15 2024-04-02 中国平安财产保险股份有限公司 Operation and maintenance risk control method, system, equipment and computer readable storage medium
CN110995994B (en) * 2019-12-09 2021-09-14 上海瑾盛通信科技有限公司 Image shooting method and related device
CN111031037A (en) * 2019-12-12 2020-04-17 北京金山云网络技术有限公司 Authentication method and device for object storage service and electronic equipment
CN110995756B (en) * 2019-12-20 2022-07-05 广州酷狗计算机科技有限公司 Method and device for calling service
CN113254047A (en) * 2021-06-16 2021-08-13 前海七剑科技(深圳)有限公司 Vehicle configuration upgrading method, vehicle-mounted terminal, server, vehicle and medium

Family Cites Families (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102955700A (en) * 2011-08-18 2013-03-06 腾讯科技(深圳)有限公司 System and method for upgrading software
CN103188204B (en) * 2011-12-27 2018-07-20 腾讯科技(深圳)有限公司 Service control method in open platform and system
CN104717192B (en) * 2013-12-16 2018-05-18 腾讯科技(深圳)有限公司 Legality identification method and intermediate server
CN104754009A (en) * 2013-12-31 2015-07-01 中国移动通信集团广东有限公司 Service acquisition and invocation method, device, client-side and server
CN106470184B (en) * 2015-08-14 2020-06-26 阿里巴巴集团控股有限公司 Security authentication method, device and system
CN106506494B (en) * 2016-10-27 2019-10-11 上海斐讯数据通信技术有限公司 Application access method of open platform

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant