CN107124431B - Authentication method, device, computer readable storage medium and authentication system - Google Patents
- Authority
- CN
- China
- Prior art keywords
- client
- service
- calling
- request
- server
- Legal status: Active
Classifications
- H—ELECTRICITY
  - H04—ELECTRIC COMMUNICATION TECHNIQUE
    - H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
      - H04L63/00—Network architectures or network communication protocols for network security
        - H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
          - H04L63/0823—Network architectures or network communication protocols for network security for authentication of entities using certificates
        - H04L63/12—Applying verification of the received information
          - H04L63/126—Applying verification of the received information the source of the received data
      - H04L67/00—Network arrangements or protocols for supporting network services or applications
        - H04L67/50—Network services
          - H04L67/51—Discovery or management thereof, e.g. service location protocol [SLP] or web services
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Telephonic Communication Services (AREA)
- Storage Device Security (AREA)
Abstract
The application provides an authentication method, an authentication device, a computer-readable storage medium and an authentication system. The method comprises the following steps: receiving a calling request sent by a client, the calling request being used to call a service on a server; authenticating the client to determine whether the client has the authority to call the service; and, after the client has been authenticated successfully, forwarding the calling request to the server so that the server responds to the calling request and calls the service. Because the security platform authenticates the client that calls the service, the service can be called only by a client that has the authority to call it, which improves security; and because the authentication operation is executed by the security platform, the authority of clients can be managed in a unified manner, which improves management efficiency.
Description
Technical Field
The present application relates to the field of communications technologies, and in particular, to an authentication method, an authentication device, a computer-readable storage medium, and an authentication system.
Background
System services refer to programs, routines, or processes that perform specified system functions in order to support other programs. However, in the internet industry today, neither internal services nor external services provide a security mechanism to encapsulate and protect them, and service resources can be arbitrarily invoked, resulting in serious security risks.
Disclosure of Invention
In view of the above, the present application provides an authentication method, an authentication device, a computer-readable storage medium, and an authentication system, which provide a security mechanism for a service in order to solve the security risk caused by service resources being arbitrarily callable.
In order to achieve the above purpose, the present application provides the following technical solutions:
according to a first aspect of the present application, an authentication system is proposed, comprising a client, a server and a security platform, wherein:
the client sends a calling request to the security platform, the calling request being used to call a service on the server;
the security platform authenticates the client to determine whether the client has the authority to call the service, and after the client has been authenticated successfully, forwards the calling request to the server;
and the server responds to the calling request and calls the service.
According to a second aspect of the present application, an authentication method is provided, which is applied to a security platform; the method comprises the following steps:
receiving a calling request sent by a client, wherein the calling request is used for calling service to a server;
authenticating the client to determine whether the client has the authority to call the service;
and after the authentication of the client is successful, forwarding the calling request to the server, so that the server responds to the calling request and calls the service.
According to a third aspect of the present application, an authentication apparatus is provided, which is applied to a security platform; the device comprises:
a receiving unit, configured to receive a calling request sent by a client, the calling request being used to call a service on a server;
an authentication unit, configured to authenticate the client to determine whether the client has the authority to call the service;
and a forwarding unit, configured to forward the calling request to the server after the client has been authenticated successfully, so that the server responds to the calling request and calls the service.
According to a fourth aspect of the present application, a computer-readable storage medium is proposed, on which computer instructions are stored, which instructions, when executed by a processor, carry out the steps of the method according to any one of the preceding claims.
According to the technical scheme, the client side for calling the service is authenticated through the security platform, so that the service can be called only by the client side with the authority for calling the service, and the security is improved; meanwhile, the authentication operation is executed by the security platform, so that the unified management of the authority of the client is facilitated, and the management efficiency is improved.
Drawings
Fig. 1 is a flowchart of calling a service in the related art.
Fig. 2 is a schematic diagram of unified invoking service in a gateway manner in the related art.
Fig. 3 is a flow chart illustrating an authentication method according to an exemplary embodiment of the present application.
Fig. 4 is a schematic diagram of a network architecture shown in an exemplary embodiment of the present application.
Fig. 5 is a flow chart illustrating another authentication method according to an exemplary embodiment of the present application.
Fig. 6 is a schematic diagram illustrating a correspondence relationship between a service recorded by a secure platform and a client according to an exemplary embodiment of the present application.
Fig. 7 is a flowchart illustrating authentication by using a certificate according to an exemplary embodiment of the present application.
Fig. 8 is a schematic structural diagram of an electronic device according to an exemplary embodiment of the present application.
Fig. 9 is a block diagram of an authentication apparatus according to an exemplary embodiment of the present application.
Detailed Description
Reference will now be made in detail to the exemplary embodiments, examples of which are illustrated in the accompanying drawings. When the following description refers to the accompanying drawings, like numbers in different drawings represent the same or similar elements unless otherwise indicated. The embodiments described in the following exemplary embodiments do not represent all embodiments consistent with the present application. Rather, they are merely examples of apparatus and methods consistent with certain aspects of the present application, as detailed in the appended claims.
The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the application. As used in this application and the appended claims, the singular forms "a", "an", and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise. It should also be understood that the term "and/or" as used herein refers to and encompasses any and all possible combinations of one or more of the associated listed items.
It is to be understood that although the terms first, second, third, etc. may be used herein to describe various information, such information should not be limited to these terms. These terms are only used to distinguish one type of information from another. For example, first information may also be referred to as second information, and similarly, second information may also be referred to as first information, without departing from the scope of the present application. The word "if" as used herein may be interpreted as "at … …" or "when … …" or "in response to a determination", depending on the context.
Often, an application contains a plurality of services (for example, the application "pay treasure" contains services such as payment, transfer and cash withdrawal), and in the related art a service is called directly by another service. Referring to fig. 1, fig. 1 is a flowchart of calling a service in the related art; as shown in fig. 1, the calling process may include the following steps:
In this case, it is assumed that service A invokes service B, i.e., service A is the service invoker. Hereinafter, the securitykey value is simply referred to as the sk value.
The calling request comprises a request parameter and a sk value.
And step 106, after receiving the call request, the service B reads the request parameter in the call request and encrypts the request parameter according to the preset algorithm to generate a new sk value.
And step 110, when the new sk value and the sk value are equal, determining that the call request is legal and returning relevant data to the service A.
Meanwhile, in the related art, a gateway mode is also adopted to invoke services uniformly; this mode is described below with reference to fig. 2. As shown in fig. 2, taking services 1-6 as an example, calls between the services are implemented through the gateway, and every invocation request is forwarded by the gateway in a unified manner.
It can be seen that the following drawbacks exist in the related art:
1. inability to manage invocation of services
As long as the preset algorithm is unchanged, service B can be called without limit, and the only way to restrict service A from calling service B is to change the preset algorithm; but once the algorithm is changed, no other service can call service B either. The calling of a service therefore cannot be controlled, and serious potential safety hazards exist;
2. problem of single point of failure
As can be seen from the schematic diagram of fig. 2, once a gateway fails, all services in the system cannot be called, that is, when a single point fails, the fault may reach the entire system, which may cause the entire system to crash, and reduce the stability and security of the system.
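The related-art check of fig. 1 (sk value recomputed from the request parameters with a shared preset algorithm, steps 106 and 110) written out as an added example in Python; this is not code from the patent, and the JSON canonicalization and SHA-256 as the "preset algorithm" are assumptions. It shows drawback 1: the check binds the request to the algorithm, not to the caller.

```python
import hashlib
import json


def canonical(params):
    # Deterministic encoding of the request parameters so both sides hash the same bytes (assumption).
    return json.dumps(params, sort_keys=True, separators=(",", ":")).encode()


def related_art_sk(params):
    # The "preset algorithm" every service shares: a plain hash of the parameters, no per-caller secret.
    return hashlib.sha256(canonical(params)).hexdigest()


def service_a_call(params):
    # Service A, the invoker, attaches the sk value computed from the request parameters.
    return {"params": params, "sk": related_art_sk(params)}


def service_b_check(request):
    # Step 106 and step 110: service B recomputes the sk value from the received parameters
    # and accepts the request when the new sk value equals the received one.
    new_sk = related_art_sk(request["params"])
    return new_sk == request["sk"]


def demo():
    # Constructed requests: one from service A, one from an arbitrary caller that knows the
    # algorithm, and one whose sk value was altered. Only the altered one is rejected.
    from_service_a = service_a_call({"order": 42})
    from_any_caller = {"params": {"order": 42}, "sk": related_art_sk({"order": 42})}
    altered = {"params": {"order": 42}, "sk": "0" * 64}
    return service_b_check(from_service_a), service_b_check(from_any_caller), service_b_check(altered)
```

Because nothing in the check identifies service A, restricting one caller means changing the algorithm, which breaks every caller at once.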
Therefore, the present application addresses the above-mentioned deficiencies in the related art by improving the manner in which services are invoked. For further explanation of the present application, the following examples are provided:
fig. 3 is a flowchart illustrating an authentication method applied to a security platform according to an exemplary embodiment of the present application, which may include the following steps:
In this embodiment, services are called between applications, namely, one application calls a certain service in another application. For example, when the "pay bank" uses the service "cash up", the service "deposit" of the bank to which it is bound needs to be invoked, and the "deposit" service is requested from the bank by the "pay bank". The service caller is the client, the service provider is the server, and the calling request is used to call a service on the server.
In this embodiment, on one hand, a user at a client side may apply for invoking a service by logging in to a secure platform; on the other hand, a user of the server can check the application of the client by logging in the security platform. And after the client passes the audit, the security platform records the corresponding relation between the service applied and called by the client and the identification information of the client. And the corresponding relation is stored in a zookeeper cluster server.
Based on the auditing mechanism, after receiving a calling request (including identification information of the client) sent by the client, the security platform can call a pre-recorded corresponding relation between the service and the client which can call the service, and determine whether the client has the authority to call the service according to the identification information and the corresponding relation; and when the client has the right of calling the service, judging that the authentication of the client is successful. The service caller (namely the client) is authenticated to judge whether the service caller has the authority to call the service or not, so that on one hand, the safety of calling the service can be improved, and the service is prevented from being maliciously called; on the other hand, the method can prevent the service resources from being randomly called, thereby avoiding the problem that a large amount of processing resources of the server are occupied due to unlimited calling of the service and improving the performance of the server.
In this embodiment, when a deactivation operation of invoking the service for the client (which may be performed by a user on the service end side logging in to a secure platform) is detected, the correspondence between the identification information of the client and the service is deleted. Because the corresponding relation is deleted, when the subsequent client requests the service to call the service, the security platform judges that the authentication of the client fails, namely the client cannot call the service. The security platform can further prevent the service resources from being randomly called (for example, a user at the service end side can modify the corresponding relationship by logging in the security platform to limit the calling of the application to the service) by responding to the deactivation operation, so that the problem that a large amount of processing resources of the service end are occupied due to unlimited calling of the service is avoided, and the performance of the service end is improved.
In this embodiment, an encryption algorithm may be used to encrypt the request parameter to generate a signature, so as to verify the validity of the invocation request, and improve the security of the invocation request (for example, to prevent other applications from impersonating the client to illegally invoke the service). Specifically, the calling request includes a first signature and a request parameter of the client, and the first signature is calculated by a security key of the client and the request parameter according to a preset algorithm; the security key is issued to the client in advance by the security platform, and the request parameter is used for acquiring corresponding data in the server.
Based on the configuration of the data, the validity can be verified in the following way: reading a request parameter in the calling request, and calculating a security key corresponding to the client and the read request parameter which are locally recorded according to the preset algorithm to obtain a second signature; and if the first signature is equal to the second signature, executing the operation of forwarding the call request so as to enable the server to return corresponding data to the client, otherwise refusing to execute the forwarding operation.
According to the technical scheme, the service is called based on the application, on one hand, compared with the related technology based on the calling between the services, the calling of the service can be managed and controlled, the safety of the calling service is improved, meanwhile, the authentication operation is executed by the safety platform, the unified management on the authority of the service calling party is facilitated, and the management efficiency is improved; on the other hand, compared with the method of uniformly calling the service in a gateway mode in the related technology, the operation of calling the service among all the applications is not influenced mutually, so that the decentralization is realized, namely the problem of single-point failure does not exist, and the stability and the safety of all the application systems are improved.
For the convenience of understanding, the technical solution of the present application is described in detail below with reference to specific scenarios and accompanying drawings. Fig. 4 is a schematic diagram of a network architecture shown in an exemplary embodiment of the present application. As shown in fig. 4, the network architecture may include a security platform, a server, a client, and a network.
The security platform can comprise a console, a software component and a zookeeper cluster server. The console can be used to issue identification information and a security key to the client and the server, to audit applications for calling a service, and to record the correspondence between the service and the client after the audit is passed; the jar software component (hereinafter abbreviated as sdk) can be used to authenticate the client sending the invocation request and to verify the validity of the invocation request; the zookeeper cluster server can be used to store the correspondence recorded by the console, as well as the identification information and security key issued to each client and each server. Additionally, a dubbo framework can be embedded in the security platform, and sdk.
Both the server and the client are applications, and the applications can contain a plurality of services. The service caller is a client, and the service provider is a server.
And the network for interaction among the security platform, the server and the client can comprise various types of wired or wireless networks. For example, the network may include a Public Switched Telephone Network (PSTN), the internet, a private network, and the like, which is not limited in this application.
Therefore, in the implementation process of the technical scheme of the application, three-party data interaction among a security platform, a server and a client is involved; the technical scheme of the application is described below by combining the three-party interaction process. Referring to fig. 5, fig. 5 is a flowchart illustrating another authentication method according to an exemplary embodiment of the present application. As shown in fig. 5, the method applied to the security platform may include the following steps:
At step 506, the secure platform generates corresponding identification information and a security key.
In this embodiment, the application serving as the service caller is a client, and the application serving as the service provider is a server. For example, when application 1 requests application 2 to invoke a service, application 1 acts as a client and application 2 acts as a server; on the contrary, when the application 2 requests the application 1 to call a service, the application 2 serves as a client and the application 1 serves as a server.
The client and the server need to register on the secure platform during initialization operation, so that the secure platform generates identification information and a secure key corresponding to the client, and generates identification information and a secure key corresponding to the server. The identification information may be Access Key (or Access Key ID, hereinafter abbreviated as ak), and the security Key may be secure Key (or Secret Access Key, hereinafter abbreviated as sk).
And step 508, the security platform issues ak and sk of the server to the server.
And step 510, the security platform issues ak and sk of the client to the client.
In this embodiment, a user on the client side may apply for invoking a service by logging in to the secure platform.
At step 514, the security platform reviews the received application for invoking the service.
In this embodiment, a user on the server side (i.e., an administrator of the application on the server side) can check the application of the client by logging in the security platform.
In this embodiment, the security platform may store the issued ak and sk together with the recorded correspondence in the zookeeper cluster server, so as to unify the services and ensure consistency. The correspondence recorded by the security platform will be described below with reference to fig. 6. Fig. 6 is a schematic diagram illustrating a correspondence relationship between a service recorded by a secure platform and a client according to an exemplary embodiment of the present application. As shown in fig. 6, application 1 (identification information ak1) includes service 1, service 2, and service 3. When application 1 serves as a service provider, service 1 can be called by application 2 (identification information ak2), application 3 (identification information ak3), and application 4 (identification information ak4); service 2 may be invoked by applications 2 and 4; service 3 may be invoked by application 3, application 4 and application 5 (identification information ak5).
In this embodiment, step 502-516 is performed by a console in the security platform.
At step 518, the client sends a call request to the secure platform.
At step 522, the security platform verifies the validity of the invocation request.
In this embodiment, the invocation request includes ak of the client, the first signature, and the request parameter (for acquiring corresponding data in the server); the first signature is calculated by the sk and request parameters of the client according to a preset algorithm (such as any encryption algorithm, for example, MD5, SHA1, HMAC, etc., which is not limited in this application).
The security platform may, after receiving the call request sent by the client, call the corresponding relationship recorded in step 516, and determine whether the client has the right to call the service according to ak in the call request and the corresponding relationship; and when the client has the right to call the service, judging that the authentication of the client is successful. By authenticating a service caller (namely a client) and judging whether the service caller has the authority to call the service or not, on one hand, the security of calling the service can be improved, and on the other hand, the service resources can be prevented from being called randomly, so that the problem that a large amount of processing resources of the server are occupied due to unlimited calling of the service is avoided, and the performance of the server is improved.
For example, with the correspondence shown in fig. 6, in one case, assuming that the application 2 (which is a client) requests to invoke the service 3, the security platform may determine that the application 2 does not have the authority to invoke the service 3 by looking up the correspondence shown in fig. 6, that is, it is determined that the authentication of the application 2 fails; in another case, assuming that the application 2 requests to invoke the service 2, the security platform may determine that the application 2 has the authority to invoke the service 2 by looking up the corresponding relationship in fig. 6, i.e. determine that the authentication of the application 2 is successful.
The security platform may further verify the validity of the call request after performing the authentication operation, so as to improve the security of the call request (e.g., prevent other applications from impersonating the client to illegally call the service). Specifically, the security platform reads ak, a first signature and request parameters of a client included in a call request, reads sk corresponding to the ak and stored in a local zookeeper cluster server, and calculates the sk and the request parameters according to the preset algorithm to obtain a second signature; and if the first signature is equal to the second signature, executing the operation of forwarding the calling request to the server so that the server returns corresponding data to the client, otherwise refusing to execute the forwarding operation.
In step 526, the server returns the corresponding data of the called service to the client.
In this embodiment, when the security platform detects a deactivation operation for invoking a service for a client, the corresponding relationship between ak of the client and the service is deleted. Because the corresponding relation is deleted, when the client requests the server to call the service subsequently, the security platform judges that the authentication of the client fails, namely, the client cannot call the service. The security platform can further prevent the service resources from being randomly called (for example, a user at the service end side can modify the corresponding relationship by logging in the security platform to limit the calling of the application to the service) by responding to the deactivation operation, so that the problem that a large amount of processing resources of the service end are occupied due to unlimited calling of the service is avoided, and the performance of the service end is improved.
In summary, in the technical solution of the present application, services are invoked between applications. On one hand, compared with the related art in which services are invoked directly between services, the service invocation can be managed and controlled, so that the security of service invocation is improved; meanwhile, the authentication operation is executed by the security platform, which is beneficial to uniformly managing the authority of the service invocation party and improves management efficiency. On the other hand, compared with the related-art method of uniformly calling services in a gateway mode, the calling of services between the applications does not affect one another, so that decentralization is realized, the problem of single-point failure does not exist, and the stability and safety of all the application systems are improved.
In the technical scheme of the application, the security platform can also be applied to authentication in a certificate mode. The authentication process is described in detail below with reference to fig. 7. As shown in fig. 7, the process may include the steps of:
In this embodiment, after receiving the certificate, the client locally stores its own private key and the public key of the server; after receiving the certificate, the server locally stores the private key of the server and the public key of the client.
And step 712, the client signs the call request according to the private key of the client and sends the call request to the server.
And 714, the server checks the received call request according to the locally stored public key of the client.
In this embodiment, when the server requests the client to invoke the service, the authentication process is similar to the above process, and is not described herein again.
In the technical solution of the present application, an authentication manner of the identification information and the security key is adopted for the above fig. 5, and the life cycle management of the identification information and the security key may be performed, for example, the identification information and the security key of each application are updated regularly; for fig. 7, a certificate authentication manner is adopted, and the life cycle of the certificate may also be managed, for example, applying for the certificate, downloading the certificate, updating the certificate, revoking the certificate, suspending the certificate, and releasing the suspended certificate. Through the life cycle management mechanism, the safety of the system can be effectively improved, and services are prevented from being called by illegal applications.
Meanwhile, when the security key needs to be updated (for example, to prevent the security key from being leaked out, or the security key is expired, etc.), the updated first security key and the second security key before updating may be used simultaneously within the preset time duration, that is, the first security key and the second security key are valid simultaneously within the preset time duration, and both the first security key and the second security key may be used to verify the validity in step 522. After a preset time, only the first security key is valid, and the second security key is invalid. The preset duration can be flexibly set according to the actual situation, and the method is not limited by the application. The updating modes of the identification information and the certificate can be updated in the above mode, and are not described herein again.
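The fig. 5 flow (registration, audit, authentication against the recorded correspondence, signature verification at step 522, deactivation) together with the key-update overlap window just described, as one added example in Python that is not code from the patent or any product. The in-memory SecurityPlatform class, HMAC-SHA256 as the "preset algorithm", the JSON canonicalization, the injected clock and the service name carried in the request are all assumptions; the data walks the fig. 6 scenario where application 2 may call service 2 of application 1 but not service 3.

```python
import hashlib
import hmac
import json
import secrets


def canonical(params):
    # Deterministic byte encoding so client and platform sign the same bytes (assumption).
    return json.dumps(params, sort_keys=True, separators=(",", ":")).encode()


def sign(sk, params):
    # The "preset algorithm": HMAC-SHA256 keyed with sk over the request parameters (assumption).
    return hmac.new(sk.encode(), canonical(params), hashlib.sha256).hexdigest()


def build_request(ak, sk, service, params):
    # Step 518: the client sends ak, the request parameters and the first signature.
    # Naming the target service in the request is an assumption.
    return {"ak": ak, "service": service, "params": params, "signature": sign(sk, params)}


class SecurityPlatform:
    """Hypothetical in-memory stand-in for the console, sdk and zookeeper store of fig. 4."""

    def __init__(self, now):
        self.now = now      # injected clock returning seconds, so key expiry can be driven in tests
        self.keys = {}      # ak -> [(sk, valid_until or None), ...]; entry 0 is the current key
        self.grants = {}    # (provider ak, service) -> set of caller ak approved to call it

    # ---- console operations: registration, audit, deactivation ----
    def register(self):
        # Step 506: generate identification information (ak) and a security key (sk).
        ak, sk = "ak-" + secrets.token_hex(4), secrets.token_hex(16)
        self.keys[ak] = [(sk, None)]
        return ak, sk

    def approve(self, provider_ak, service, caller_ak):
        # Steps 514 and 516: the server-side administrator passes the audit; record the correspondence.
        self.grants.setdefault((provider_ak, service), set()).add(caller_ak)

    def deactivate(self, provider_ak, service, caller_ak):
        # Deactivation: delete the correspondence so later calls by this client fail authentication.
        self.grants.get((provider_ak, service), set()).discard(caller_ak)

    def rotate_key(self, ak, overlap_seconds):
        # Key update: the new (first) key is valid at once; the old (second) key stays valid
        # only for the preset duration and is then dropped.
        old_sk = self.keys[ak][0][0]
        new_sk = secrets.token_hex(16)
        self.keys[ak] = [(new_sk, None), (old_sk, self.now() + overlap_seconds)]
        return new_sk

    def _valid_keys(self, ak):
        t = self.now()
        return [sk for sk, until in self.keys.get(ak, []) if until is None or t < until]

    # ---- sdk operations: authentication, then validity verification (step 522) ----
    def authorize(self, request, provider_ak):
        # Returns (forward?, reason). Authentication: is a correspondence recorded for this ak and
        # service? Validity: does a currently valid sk reproduce the first signature?
        ak = request.get("ak")
        if ak not in self.keys:
            return False, "unknown client"
        if ak not in self.grants.get((provider_ak, request.get("service")), set()):
            return False, "authentication failed: client not approved for this service"
        first_signature = request.get("signature", "")
        for sk in self._valid_keys(ak):
            second_signature = sign(sk, request.get("params", {}))
            if hmac.compare_digest(first_signature, second_signature):
                return True, "forward to server"
        return False, "signature mismatch: refuse to forward"


def demo():
    # Constructed walk-through of fig. 6: application 1 provides service 2 (approved for
    # application 2) and service 3 (not approved for application 2).
    clock = [1000]
    platform = SecurityPlatform(lambda: clock[0])
    ak1, _ = platform.register()        # application 1, the provider
    ak2, sk2 = platform.register()      # application 2, the caller
    platform.approve(ak1, "service 2", ak2)
    results = {}
    good = build_request(ak2, sk2, "service 2", {"account": "A", "amount": 10})
    results["approved_service"] = platform.authorize(good, ak1)[0]
    results["unapproved_service"] = platform.authorize(build_request(ak2, sk2, "service 3", {}), ak1)[0]
    tampered = dict(good, params={"account": "A", "amount": 9999})   # params changed, signature kept
    results["tampered_params"] = platform.authorize(tampered, ak1)[0]
    new_sk = platform.rotate_key(ak2, overlap_seconds=60)
    results["old_key_in_window"] = platform.authorize(good, ak1)[0]
    results["new_key"] = platform.authorize(build_request(ak2, new_sk, "service 2", {}), ak1)[0]
    clock[0] += 61                                                  # preset duration elapsed
    results["old_key_after_window"] = platform.authorize(good, ak1)[0]
    platform.deactivate(ak1, "service 2", ak2)
    results["after_deactivate"] = platform.authorize(build_request(ak2, new_sk, "service 2", {}), ak1)[0]
    return results
```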
Fig. 8 shows a schematic structural diagram of an electronic device according to an exemplary embodiment of the present application. Referring to fig. 8, at the hardware level, the electronic device includes a processor 802, an internal bus 804, a network interface 806, a memory 808, and a non-volatile memory 810, but may also include hardware required for other services. The processor 802 reads the corresponding computer program from the non-volatile memory 810 into the memory 808 and runs it, forming an authentication device on a logical level. Of course, besides the software implementation, the present application does not exclude other implementations, such as logic devices or a combination of software and hardware, and the like, that is, the execution subject of the following processing flow is not limited to each logic unit, and may also be hardware or logic devices.
Referring to fig. 9, in a software implementation, the authentication apparatus may include a receiving unit 901, an authentication unit 902, and a forwarding unit 903. Wherein:
a receiving unit 901, configured to receive a call request sent by a client, where the call request is used to call a service to a server;
an authentication unit 902, configured to authenticate the client to determine whether the client has the authority to invoke the service;
a forwarding unit 903, configured to forward the call request to the server after the client is successfully authenticated, so that the server responds to the call request and invokes the service.
Optionally, the invocation request includes identification information of the client; the authentication unit 902 is specifically configured to:
retrieving a pre-recorded correspondence between the service and the clients capable of calling the service;
determining, according to the identification information and the correspondence, whether the client has the authority to call the service; and when the client has the right to call the service, judging that the authentication of the client is successful.
Optionally, the corresponding relationship is stored in the zookeeper cluster server.
Optionally, the method further includes:
a deleting unit 904, configured to delete the correspondence between the identification information of the client and the service when a deactivation operation for invoking the service for the client is detected.
Optionally,
the calling request comprises a first signature and a request parameter of the client, the first signature being obtained by computing, according to a preset algorithm, over the security key of the client and the request parameter; the security key is issued to the client in advance by the security platform, and the request parameter is used for acquiring corresponding data from the server;
the apparatus further comprises: a reading unit 905, configured to read the request parameter in the invocation request and to compute, according to the preset algorithm, a second signature over the locally recorded security key corresponding to the client and the read request parameter; if the first signature equals the second signature, the forwarding operation is executed so that the server returns the corresponding data to the client; otherwise the forwarding operation is refused.
The implementation process of the functions and actions of each unit in the above device is specifically described in the implementation process of the corresponding step in the above method, and is not described herein again.
For the device embodiments, since they substantially correspond to the method embodiments, reference may be made to the partial description of the method embodiments for relevant points. The above-described embodiments of the apparatus are merely illustrative, and the units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the modules can be selected according to actual needs to achieve the purpose of the scheme of the application. One of ordinary skill in the art can understand and implement it without inventive effort.
In an exemplary embodiment, there is also provided a non-transitory computer readable storage medium, such as a memory, comprising instructions executable by a processor of an authentication apparatus to perform the method, which may include:
receiving a calling request sent by a client, wherein the calling request is used for calling service to a server;
authenticating the client to determine whether the client has the authority to call the service;
and after the authentication of the client is successful, forwarding the calling request to the server, so that the server responds to the calling request and calls the service.
Optionally, the invocation request includes identification information of the client; the authenticating the client includes:
retrieving a pre-recorded correspondence between the service and the clients capable of calling the service;
determining, according to the identification information and the correspondence, whether the client has the authority to call the service; and when the client has the right to call the service, judging that the authentication of the client is successful.
Optionally, the corresponding relationship is stored in the zookeeper cluster server.
Optionally, the method further includes:
and when the deactivation operation for calling the service for the client is detected, deleting the corresponding relation between the identification information of the client and the service.
Optionally,
the calling request comprises a first signature and a request parameter of the client, the first signature being obtained by computing, according to a preset algorithm, over the security key of the client and the request parameter; the security key is issued to the client in advance by the security platform, and the request parameter is used for acquiring corresponding data from the server;
the method further comprises: reading the request parameter in the calling request, and computing, according to the preset algorithm, a second signature over the locally recorded security key corresponding to the client and the read request parameter; if the first signature equals the second signature, executing the forwarding of the calling request so that the server returns the corresponding data to the client; otherwise refusing to execute the forwarding operation.
The non-transitory computer readable storage medium may be a ROM, a Random Access Memory (RAM), a CD-ROM, a magnetic tape, a floppy disk, an optical data storage device, etc., which is not limited in this application.
The above description is only exemplary of the present application and should not be taken as limiting the present application, as any modification, equivalent replacement, or improvement made within the spirit and principle of the present application should be included in the scope of protection of the present application.
Claims (10)
1. An authentication system, comprising: the system comprises a client, a server and a security platform;
the client sends a calling request to the security platform, and the calling request is used for calling a service to a server; the calling request comprises a first signature and a request parameter of the client, and the first signature is obtained by calculating a security key of the client and the request parameter according to a preset algorithm; the security key is issued to a client in advance by the security platform, and the request parameter is used for acquiring corresponding data in the server;
the security platform authenticates the client to determine whether the client has the authority to call the service; after the authentication of the client is successful, reading a request parameter in the calling request, and calculating a locally recorded security key corresponding to the client and the read request parameter according to the preset algorithm to obtain a second signature; if the first signature is equal to the second signature, forwarding the calling request to the server side so that the server side returns corresponding data to the client side, and otherwise, refusing to execute forwarding operation;
and the server side responds to the calling request and calls the service.
2. An authentication method is characterized by being applied to a security platform; the method comprises the following steps:
receiving a calling request sent by a client, wherein the calling request is used for calling a service to a server, the calling request comprises a first signature and a request parameter of the client, and the first signature is obtained by calculating a security key of the client and the request parameter according to a preset algorithm; the security key is issued to a client in advance by the security platform, and the request parameter is used for acquiring corresponding data in the server;
authenticating the client to determine whether the client has the authority to call the service;
after the authentication of the client is successful, reading a request parameter in the calling request, and calculating a security key which is locally recorded and corresponds to the client and the read request parameter according to the preset algorithm to obtain a second signature; if the first signature is equal to the second signature, forwarding the calling request to the server, so that the server responds to the calling request and calls the service, and returns corresponding data to the client; otherwise, the forwarding operation is refused to be executed.
3. The method according to claim 2, wherein the invocation request includes identification information of the client; the authenticating the client includes:
retrieving a pre-recorded correspondence between the service and the clients capable of calling the service;
determining, according to the identification information and the correspondence, whether the client has the authority to call the service; and when the client has the right to call the service, judging that the authentication of the client is successful.
4. The method of claim 3, wherein the correspondence is stored in a zookeeper cluster server.
5. The method of claim 3, further comprising:
and when the deactivation operation for calling the service for the client is detected, deleting the corresponding relation between the identification information of the client and the service.
6. An authentication device is applied to a security platform; the device comprises:
the system comprises a receiving unit, a service processing unit and a processing unit, wherein the receiving unit is used for receiving a calling request sent by a client, the calling request is used for calling a service to a server, the calling request comprises a first signature and a request parameter of the client, and the first signature is obtained by calculating a security key of the client and the request parameter according to a preset algorithm; the security key is issued to a client in advance by the security platform, and the request parameter is used for acquiring corresponding data in the server;
the authentication unit authenticates the client to determine whether the client has the authority of calling the service;
the forwarding unit reads the request parameter in the calling request after the authentication of the client is successful, and calculates the locally recorded security key corresponding to the client and the read request parameter according to the preset algorithm to obtain a second signature; if the first signature is equal to the second signature, forwarding the calling request to the server, so that the server responds to the calling request and calls the service, and returns corresponding data to the client; otherwise, the forwarding operation is refused to be executed.
7. The apparatus according to claim 6, wherein the invocation request includes identification information of the client; the authentication unit is specifically configured to:
retrieving a pre-recorded correspondence between the service and the clients capable of calling the service;
determining, according to the identification information and the correspondence, whether the client has the authority to call the service; and when the client has the right to call the service, judging that the authentication of the client is successful.
8. The apparatus of claim 7, wherein the correspondence is stored in a zookeeper cluster server.
9. The apparatus of claim 7, further comprising:
and the deleting unit is used for deleting the corresponding relation between the identification information of the client and the service when detecting the deactivation operation of calling the service for the client.
10. A computer-readable storage medium having stored thereon computer instructions, which, when executed by a processor, carry out the steps of the method according to any one of claims 2-5.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201710482304.XA CN107124431B (en) | 2017-06-22 | 2017-06-22 | Authentication method, device, computer readable storage medium and authentication system |
Publications (2)
Publication Number | Publication Date |
---|---|
CN107124431A CN107124431A (en) | 2017-09-01 |
CN107124431B true CN107124431B (en) | 2020-03-06 |
Family
ID=59719339
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||