CN110839004A - Method and device for access authentication - Google Patents


Info

Publication number
CN110839004A
Authority
CN
China
Prior art keywords
signature
authentication
access request
access
visitor
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201810935614.7A
Other languages
Chinese (zh)
Inventor
王婷
魏斌
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Jingdong Century Trading Co Ltd
Beijing Jingdong Shangke Information Technology Co Ltd
Original Assignee
Beijing Jingdong Century Trading Co Ltd
Beijing Jingdong Shangke Information Technology Co Ltd
Application filed by Beijing Jingdong Century Trading Co Ltd and Beijing Jingdong Shangke Information Technology Co Ltd
Priority to CN201810935614.7A
Publication of CN110839004A

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses an access authentication method and device, relating to the field of computer technology. One embodiment of the method comprises: receiving an access request; determining whether the timestamp, the first signature and the visitor IP in the access request all satisfy a second authentication rule; and if so, passing the authentication. The second authentication rule requires that the timestamp fall within a first preset time range, that the first signature has not been used within a second preset time range, and that the visitor IP appear in the list of IPs allowed to access. By checking signature timeliness, forbidding signature reuse and restricting the permitted access IPs, the embodiment prevents signature replay, streamlines the resource access flow, improves resource access efficiency and relieves the pressure that malicious requests put on the service system.

Description

Method and device for access authentication
Technical Field
The present invention relates to the field of computer technologies, and in particular, to a method and an apparatus for access authentication.
Background
In the prior art, a URL (uniform resource locator) is exposed, through Cartesian gateway encapsulation, for the resource visitor to call. Authentication follows a signature generation rule specified by the resource visitor. The HTTP interface provided by the server (resource provider) requires a token to be transmitted for authentication; in computer identity authentication a token is a temporary credential.
In the process of implementing the invention, the inventor finds that at least the following problems exist in the prior art:
1. The existing signature authentication rules are supplied by the client; if the verification rule and the parameters to be verified leak, malicious attacks follow easily.
2. The token is reused, so when a malicious attack occurs the malicious access requests carry a signature that has already been used, and intercepting them depends on detecting that reuse.
Disclosure of Invention
In view of this, embodiments of the present invention provide an access authentication method and apparatus that address the problems that a signature token is reused and that the interface is easily attacked from the external network once a parameter leaks.
To achieve the above object, according to one aspect of an embodiment of the present invention, an access authentication method is provided, including: receiving an access request; determining whether the timestamp, the first signature and the visitor IP in the access request all satisfy a second authentication rule; and if so, passing the authentication. The second authentication rule requires that the timestamp fall within a first preset time range, that the first signature has not been used within a second preset time range, and that the visitor IP appear in the list of IPs allowed to access.
Optionally, before determining whether the timestamp, the first signature and the visitor IP in the access request all satisfy the second authentication rule, the method further includes determining that the version number and the mandatory parameters of the access request satisfy a first authentication rule. The first authentication rule requires that the version number of the access request match the preset version number and that no mandatory parameter is missing.
Optionally, determining whether the timestamp, the first signature and the visitor IP in the access request all satisfy the second authentication rule and, if so, passing the authentication includes: if they do, generating a second signature from the signature parameters in the access request and verifying whether the second signature matches the first signature; if the second signature matches the first signature, the authentication passes.
Optionally, generating the second signature from the signature parameters in the access request includes: obtaining the signature parameters from the access request, the signature parameters comprising an access token, a timestamp, a universally unique identifier and a partial uniform resource identifier; sorting the signature parameters by key in ascending lexicographic order and concatenating them into a string; appending a secret key to the end of the string and encoding the string together with the key; and computing the digest of the encoded result with a message digest algorithm to obtain the second signature.
To achieve the above object, according to another aspect of an embodiment of the present invention, an apparatus for access authentication is provided, including: a receiving module configured to receive an access request; and an authentication module configured to determine whether the timestamp, the first signature and the visitor IP in the access request all satisfy a second authentication rule and, if so, to pass the authentication. The second authentication rule requires that the timestamp fall within a first preset time range, that the first signature has not been used within a second preset time range, and that the visitor IP appear in the list of IPs allowed to access.
Optionally, the authentication module is further configured to determine that the version number and the mandatory parameters of the access request satisfy a first authentication rule. The first authentication rule requires that the version number of the access request match the preset version number and that no mandatory parameter is missing.
Optionally, the authentication module is further configured to: determine whether the timestamp, the first signature and the visitor IP in the access request all satisfy the second authentication rule; if they do, generate a second signature from the signature parameters in the access request and verify whether the second signature matches the first signature; and if the second signature matches the first signature, pass the authentication.
Optionally, the authentication module is further configured to: obtain the signature parameters from the access request, the signature parameters comprising an access token, a timestamp, a universally unique identifier and a partial uniform resource identifier; sort the signature parameters by key in ascending lexicographic order and concatenate them into a string; append a secret key to the end of the string and encode the string together with the key; and compute the digest of the encoded result with a message digest algorithm to obtain the second signature.
To achieve the above object, according to still another aspect of an embodiment of the present invention, there is provided an electronic apparatus including: one or more processors; a storage device, configured to store one or more programs that, when executed by the one or more processors, cause the one or more processors to implement the method for access authentication provided by the embodiment of the present invention.
To achieve the above object, according to still another aspect of the embodiments of the present invention, there is provided a computer readable medium having stored thereon a computer program which, when executed by a processor, implements the method of access authentication as provided by the embodiments of the present invention.
One embodiment of the above invention has the following advantage: by checking signature timeliness, forbidding signature reuse and restricting the permitted access IPs, signature replay is prevented, the resource access flow is streamlined, resource access efficiency is improved, and the pressure that malicious requests put on the service system is relieved.
Further effects of the optional features above are described below in connection with the embodiments.
Drawings
The drawings are included to provide a better understanding of the invention and are not to be construed as unduly limiting the invention. Wherein:
FIG. 1 is a schematic diagram of a basic flow of a method of access authentication according to an embodiment of the invention;
FIG. 2 is a schematic diagram of a preferred flow of a method of access authentication according to an embodiment of the invention;
FIG. 3 is a schematic diagram of the basic modules of an apparatus for access authentication according to an embodiment of the present invention;
FIG. 4 is an exemplary system architecture diagram in which embodiments of the present invention may be employed;
FIG. 5 is a schematic block diagram of a computer system suitable for implementing a terminal device or server of an embodiment of the invention.
Detailed Description
Exemplary embodiments of the present invention are described below with reference to the accompanying drawings, in which various details of embodiments of the invention are included to assist understanding, and which are to be considered as merely exemplary. Accordingly, those of ordinary skill in the art will recognize that various changes and modifications of the embodiments described herein can be made without departing from the scope and spirit of the invention. Also, descriptions of well-known functions and constructions are omitted in the following description for clarity and conciseness.
Fig. 1 is a schematic diagram of a basic flow of a method of access authentication according to an embodiment of the present invention. As shown in fig. 1, an embodiment of the present invention provides an access authentication method, including:
S101, receiving an access request;
S102, determining whether the timestamp, the first signature and the visitor IP in the access request all satisfy a second authentication rule, and if so, passing the authentication;
S103, the second authentication rule requires that the timestamp fall within a first preset time range, that the first signature has not been used within a second preset time range, and that the visitor IP appear in a preset list of IPs allowed to access.
The embodiment checks signature timeliness, forbids signature reuse and restricts the permitted access IPs, which prevents signature replay, streamlines the resource access flow, improves resource access efficiency and relieves the pressure that malicious requests put on the service system.
In this embodiment, before determining whether the timestamp, the first signature and the visitor IP in the access request all satisfy the second authentication rule, the method further includes determining that the version number and the mandatory parameters in the access request satisfy a first authentication rule. The first authentication rule requires that the version number of the access request match the preset version number and that no mandatory parameter is missing. A mandatory parameter is one that the resource visitor and the resource provider have agreed must be present in every access request. The preset version number is supplied by the resource provider and is used to verify that the version number of the access request meets its requirements. This embodiment likewise prevents signature replay, streamlines the resource access flow, improves resource access efficiency and relieves the pressure that malicious requests put on the service system.
In this embodiment, determining whether the timestamp, the first signature and the visitor IP in the access request all satisfy the second authentication rule and, if so, passing the authentication includes: determining whether the timestamp, the first signature and the visitor IP all satisfy the second authentication rule; if they do, generating a second signature from the signature parameters in the access request and verifying whether the second signature matches the first signature; and if the second signature matches the first signature, passing the authentication. This embodiment likewise prevents signature replay, streamlines the resource access flow, improves resource access efficiency and relieves the pressure that malicious requests put on the service system.
In this embodiment, generating the second signature from the signature parameters in the access request includes: obtaining the signature parameters from the access request, namely the access token (api_key), the timestamp, a universally unique identifier (UUID random number) and a partial uniform resource identifier (partial URI), where the partial URI is the part of the access request's URI that follows the version number; sorting the signature parameters by key in ascending lexicographic order and concatenating them into a string; appending the secret key (secret_key) to the end of the string and encoding the string together with the key; and computing the digest of the encoded result with a message digest algorithm to obtain the second signature (the MD5 value of the encoded result may serve as the second signature). The UUID random number is a random value generated as a UUID; a Universally Unique Identifier (UUID) is a software construction standard denoting a number generated on one machine that is guaranteed to be unique across all machines in the same space and time. The MD5 Message-Digest Algorithm is a widely used (though no longer collision-resistant) cryptographic hash function that produces a 128-bit (16-byte) hash value, used here to check the integrity of the transmitted message. Lexicographic ordering arranges strings by the alphabetical order of their characters. This embodiment likewise prevents signature replay, streamlines the resource access flow, improves resource access efficiency and relieves the pressure that malicious requests put on the service system.
The embodiment authenticates along the following dimensions: a. verifying the version number; b. verifying the timeliness of the timestamp; c. verifying whether the signature has already been used; d. verifying the signature; e. verifying the validity of the remote access IP. Fig. 2 is a schematic diagram of a preferred flow of the access authentication method according to an embodiment of the invention. As shown in the figure, the resource visitor sends the digital signature (first signature), the api_key, a universally unique identifier (UUID random number) generated for this access, and a timestamp to the resource provider. After receiving the access request, the resource provider verifies that the version numbers match, that no mandatory parameter is missing, that the timestamp is still valid, that the first signature has not been used within the validity period, and that the visitor IP is within the allowed range; it then computes MD5 over the part of the resource visitor's URI that follows the version number, the api_key, the generated UUID random number, the timestamp and the secret key (secret_key) to produce a second signature, compares the received first signature with the second signature generated from the parameters in the access request by the signature algorithm, and passes the authentication if they match. The embodiment streamlines the resource access flow, improves resource access efficiency and relieves the pressure that malicious requests put on the service system.
Table 1 shows an authentication management table of a resource provider, and the resource provider performs authentication management of a resource visitor using table 1.
TABLE 1
The enumerated type is a basic data type rather than a constructed data type in programming languages such as C#, C++, Java and VB. When a new partner project and/or company needs authentication, a new record is added to Table 1, and the resource provider then sends the resource visitor the api_key and secret_key required to generate the signature together with the list of IPs allowed to access.
When onboarding a resource visitor, the resource provider can place the api_key, the secret_key, the allowed access IP list (allow_IP) and the version number in a configuration file. The resource provider and the resource visitor exchange JSON, and the parameters in the access request are UTF-8 encoded. The request header (HTTP Header) parameters of the access request are specified in Table 2:
TABLE 2
The authentication API generates the second signature with the signature algorithm as follows:
1. Obtain the access token api_key, the timestamp and the nonce from the HTTP header of the access request.
2. Obtain the URI (Uniform Resource Identifier) of the access request; a URI is a string that identifies and locates any resource. For example, for https://IP:port/xxxx/api/v1/order/list, take the part "order/list" that follows the version number "v1/"; the partial URI is therefore "order/list".
3. Sort all signature parameters (api_key, timestamp and nonce from the HTTP header, plus the partial URI) by key in ascending lexicographic order and concatenate them. For example: api_key=value1&nonce=value2&timestamp=value3&uri=order/list.
4. Append the secret_key value4 to the end of the concatenated string, for example api_key=value1&nonce=value2&timestamp=value3&uri=order/list&value4, and URL-encode it to form the base string base_string; the MD5 value of base_string is the second signature. URL encoding here means a function that percent-encodes a string for use in a URL. That is: second signature = MD5(urlencode("api_key=value1&nonce=value2&timestamp=value3&uri=order/list&value4")).
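The five verification dimensions listed above (version number, timestamp timeliness, signature not yet used, signature recomputation, remote IP allowed) and the four-step signature algorithm, carried through end to end in one place. This is an added example, not the applicant's code: the header field names, the CONFIG dictionary and its values, the two window lengths, the choice of Unix seconds for the timestamp and Python's quote_plus as the URL encoder are all assumptions the page does not pin down, and the replay cache is an in-process dictionary.

```python
import hashlib
import hmac
import ipaddress
import time
import uuid
from urllib.parse import quote_plus

# Constructed provider-side configuration: the page says api_key, secret_key,
# allow_IP and the version number live in a config file but gives no format or
# values, so everything here is assumed for the example.
CONFIG = {
    "version": "v1",
    "timestamp_window_s": 300,  # the "first preset time range"
    "replay_window_s": 600,     # the "second preset time range"
    "visitors": {"demo-api-key": {"secret_key": "demo-secret",
                                  "allow_ip": ["10.0.0.0/8", "203.0.113.7"]}},
}
REQUIRED = ("api_key", "timestamp", "nonce", "signature")  # mandatory header fields


def partial_uri(path, version):
    """Part of the request URI after '/<version>/', e.g. 'order/list'."""
    marker = "/" + version + "/"
    idx = path.find(marker)
    if idx < 0:
        raise ValueError("version %r not present in URI" % version)
    return path[idx + len(marker):]


def make_signature(api_key, timestamp, nonce, uri, secret_key):
    """Signature algorithm from the description: sort parameters by key
    (api_key < nonce < timestamp < uri), join as k=v with '&', append '&' plus
    secret_key, URL-encode (quote_plus assumed) and take the MD5 hex digest."""
    params = {"api_key": api_key, "timestamp": timestamp, "nonce": nonce, "uri": uri}
    joined = "&".join("%s=%s" % (k, params[k]) for k in sorted(params))
    base_string = quote_plus(joined + "&" + secret_key, safe="")
    return hashlib.md5(base_string.encode("utf-8")).hexdigest()


def build_request(api_key, secret_key, path, version, now=time.time):
    """Visitor side: the header fields sent with one access request."""
    ts, nonce = str(int(now())), uuid.uuid4().hex
    sig = make_signature(api_key, ts, nonce, partial_uri(path, version), secret_key)
    return {"api_key": api_key, "timestamp": ts, "nonce": nonce, "signature": sig}


class Authenticator:
    """Provider side: first rule, second rule, then signature recomputation."""
    def __init__(self, config, now=time.time):
        self.cfg, self.now = config, now
        self._seen = {}  # first signature -> expiry time (the "not used" check)

    def authenticate(self, path, headers, remote_ip):
        """Return (passed, reason)."""
        try:                                   # a. version number
            uri = partial_uri(path, self.cfg["version"])
        except ValueError:
            return False, "version mismatch"
        missing = [k for k in REQUIRED if k not in headers]  # mandatory parameters
        if missing:
            return False, "missing parameters: " + ",".join(missing)
        now = self.now()
        try:                                   # b. timestamp timeliness
            fresh = abs(now - int(headers["timestamp"])) <= self.cfg["timestamp_window_s"]
        except ValueError:
            return False, "bad timestamp"
        if not fresh:
            return False, "timestamp outside window"
        self._seen = {s: e for s, e in self._seen.items() if e > now}  # expire old
        sig = headers["signature"]
        if sig in self._seen:                  # c. signature already used
            return False, "signature already used"
        visitor = self.cfg["visitors"].get(headers["api_key"])
        if visitor is None:
            return False, "unknown api_key"
        ip = ipaddress.ip_address(remote_ip)   # e. remote IP in the allow list
        if not any(ip in ipaddress.ip_network(n, strict=False) for n in visitor["allow_ip"]):
            return False, "ip not allowed"
        expected = make_signature(headers["api_key"], headers["timestamp"],
                                  headers["nonce"], uri, visitor["secret_key"])
        if not hmac.compare_digest(expected.encode(), sig.encode()):  # d. signature
            return False, "signature mismatch"
        self._seen[sig] = now + self.cfg["replay_window_s"]  # record only on success
        return True, "ok"


def demo():
    """One legitimate request, then replay, stale timestamp, bad IP, tampering and
    wrong version; returns the reason the verifier gave for each case."""
    clock = [1_700_000_000]                    # fixed clock keeps the run deterministic
    now = lambda: clock[0]
    auth, path = Authenticator(CONFIG, now=now), "/xxxx/api/v1/order/list"
    key, secret = "demo-api-key", "demo-secret"
    good = build_request(key, secret, path, "v1", now=now)
    out = {"first": auth.authenticate(path, good, "10.1.2.3")[1]}
    out["replay"] = auth.authenticate(path, good, "10.1.2.3")[1]
    stale = build_request(key, secret, path, "v1", now=lambda: clock[0] - 301)
    out["stale"] = auth.authenticate(path, stale, "10.1.2.3")[1]
    req2 = build_request(key, secret, path, "v1", now=now)
    out["bad_ip"] = auth.authenticate(path, req2, "198.51.100.9")[1]
    req2["nonce"] = "forged"                   # field changed, signature left as sent
    out["tampered"] = auth.authenticate(path, req2, "10.1.2.3")[1]
    out["wrong_version"] = auth.authenticate("/xxxx/api/v2/order/list", good, "10.1.2.3")[1]
    return out
```

`demo()` returns the reason string for each case; the first request passes and the same headers sent a second time are refused as already used. Two points a deployment should act on: the signature is recorded in the replay cache only after it verifies, so a flood of forged signatures cannot fill the cache, but the "not used" check only holds if every provider instance shares the same store, so behind a load balancer the dictionary must become a shared store with the same expiry. And MD5 over the parameter string with the secret appended is what the page specifies; MD5 is no longer collision resistant and hash(message || key) is not a standard MAC, so HMAC-SHA256 over the same base_string is the drop-in replacement.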
The embodiment of the present invention provides an access authentication apparatus 300, including: a receiving module 301, configured to: receiving an access request; an authentication module 302 to: judging whether the timestamp, the first signature and the visitor IP in the access request all accord with a second authentication rule; if yes, passing the authentication; the second authentication rule includes: the time stamp is in a first preset time range, the first signature is not used in a second preset time range, and the IP of the visitor is in an IP list allowing the visitor to access. The embodiment of the invention adopts the technical means of verifying the timeliness of the signature, preventing the signature from being reused, limiting the access to IP and the like, avoids the situation of reusing the signature, optimizes the resource access process, improves the resource access efficiency and relieves the pressure of malicious requests of a service system.
In this embodiment, the authentication module 302 is further configured to determine that the version number and the mandatory parameters of the access request satisfy a first authentication rule. The first authentication rule requires that the version number of the access request match the preset version number and that no mandatory parameter is missing. This embodiment likewise prevents signature replay, streamlines the resource access flow, improves resource access efficiency and relieves the pressure that malicious requests put on the service system.
In this embodiment, the authentication module 302 is further configured to: determine whether the timestamp, the first signature and the visitor IP in the access request all satisfy the second authentication rule; if they do, generate a second signature from the signature parameters in the access request and verify whether the second signature matches the first signature; and if the second signature matches the first signature, pass the authentication. This embodiment likewise prevents signature replay, streamlines the resource access flow, improves resource access efficiency and relieves the pressure that malicious requests put on the service system.
In this embodiment, the authentication module 302 is further configured to: obtain the signature parameters from the access request, the signature parameters comprising an access token, a timestamp, a universally unique identifier and a partial uniform resource identifier; sort the signature parameters by key in ascending lexicographic order and concatenate them into a string; append a secret key to the end of the string and encode the string together with the key; and compute the digest of the encoded result with a message digest algorithm to obtain the second signature. This embodiment likewise prevents signature replay, streamlines the resource access flow, improves resource access efficiency and relieves the pressure that malicious requests put on the service system.
The key pair (api_key/secret_key): using the secret_key as a parameter together with a suitable signature algorithm yields a digital signature over the original message, which prevents the content from being forged or tampered with in transit. Keys are created and used in pairs, one api_key and one secret_key. The api_key is included in the transmission; the secret_key must never be sent over the network, so that it cannot be stolen.
Fig. 4 shows an exemplary system architecture 400 of an access authentication method or access authentication apparatus to which embodiments of the invention may be applied.
As shown in fig. 4, the system architecture 400 may include terminal devices 401, 402, 403, a network 404, and a server 405. The network 404 serves as a medium for providing communication links between the terminal devices 401, 402, 403 and the server 405. Network 404 may include various types of connections, such as wire, wireless communication links, or fiber optic cables, to name a few.
A user may use terminal devices 401, 402, 403 to interact with a server 405 over a network 404 to receive or send messages or the like. The terminal devices 401, 402, 403 may have various communication client applications installed thereon, such as shopping applications, web browser applications, search applications, instant messaging tools, mailbox clients, social platform software, and the like.
The terminal devices 401, 402, 403 may be various electronic devices having a display screen and supporting web browsing, including but not limited to smart phones, tablet computers, laptop portable computers, desktop computers, and the like.
The server 405 may be a server that provides various services, such as a background management server that supports shopping websites browsed by users using the terminal devices 401, 402, and 403. The background management server can analyze and process the received data such as the product information inquiry request and feed back the processing result to the terminal equipment.
It should be noted that the method for access authentication provided by the embodiment of the present invention is generally executed by the server 405, and accordingly, the apparatus for access authentication is generally disposed in the server 405.
It should be understood that the number of terminal devices, networks, and servers in fig. 4 is merely illustrative. There may be any number of terminal devices, networks, and servers, as desired for implementation.
According to an embodiment of the present invention, an electronic device and a computer-readable medium are also provided.
The electronic device of the embodiment of the invention comprises: one or more processors; a storage device, configured to store one or more programs that, when executed by the one or more processors, cause the one or more processors to implement the method for access authentication provided by the embodiment of the present invention.
The computer readable medium of the embodiment of the present invention stores thereon a computer program, which when executed by a processor implements the method of access authentication as provided by the embodiment of the present invention.
Referring now to FIG. 5, a block diagram of a computer system 500 suitable for implementing a terminal device or server of an embodiment of the present invention is shown. The terminal device shown in FIG. 5 is only an example and should not limit the functions or scope of use of the embodiments of the present invention.
As shown in fig. 5, the computer system 500 includes a Central Processing Unit (CPU)501 that can perform various appropriate actions and processes according to a program stored in a Read Only Memory (ROM)502 or a program loaded from a storage section 508 into a Random Access Memory (RAM) 503. In the RAM503, various programs and data necessary for the operation of the system 500 are also stored. The CPU501, ROM502, and RAM503 are connected to each other via a bus 504. An input/output (I/O) interface 505 is also connected to bus 504.
The following components are connected to the I/O interface 505: an input portion 506 including a keyboard, a mouse, and the like; an output portion 507 including a display such as a Cathode Ray Tube (CRT) or Liquid Crystal Display (LCD), and a speaker; a storage portion 508 including a hard disk and the like; and a communication section 509 including a network interface card such as a LAN card or a modem. The communication section 509 performs communication processing via a network such as the Internet. A drive 510 is also connected to the I/O interface 505 as needed. A removable medium 511 such as a magnetic disk, an optical disk, a magneto-optical disk or a semiconductor memory is mounted on the drive 510 as needed, so that a computer program read from it can be installed into the storage portion 508 as needed.
In particular, according to the embodiments of the present disclosure, the processes described above with reference to the flowcharts may be implemented as computer software programs. For example, embodiments of the present disclosure include a computer program product comprising a computer program embodied on a computer readable medium, the computer program comprising program code for performing the method illustrated in the flow chart. In such an embodiment, the computer program may be downloaded and installed from a network through the communication section 509, and/or installed from the removable medium 511. The computer program performs the above-described functions defined in the system of the present invention when executed by the Central Processing Unit (CPU) 501.
It should be noted that the computer readable medium shown in the present invention can be a computer readable signal medium or a computer readable storage medium or any combination of the two. A computer readable storage medium may be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any combination of the foregoing. More specific examples of the computer readable storage medium may include, but are not limited to: an electrical connection having one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the present invention, a computer readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device. In the present invention, however, a computer readable signal medium may include a propagated data signal with computer readable program code embodied therein, for example, in baseband or as part of a carrier wave. Such a propagated data signal may take many forms, including, but not limited to, electro-magnetic, optical, or any suitable combination thereof. A computer readable signal medium may also be any computer readable medium that is not a computer readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device. Program code embodied on a computer readable medium may be transmitted using any appropriate medium, including but not limited to: wireless, wire, fiber optic cable, RF, etc., or any suitable combination of the foregoing.
The flowchart and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present invention. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams or flowchart illustration, and combinations of blocks in the block diagrams or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
The modules described in the embodiments of the present invention may be implemented by software or hardware. The described modules may also be provided in a processor, which may be described as: a processor comprising a receiving module, an authentication module and a rule module. The names of these modules do not in some cases limit the modules themselves; for example, the receiving module may also be described as a "module for receiving an access request".
As another aspect, the present invention also provides a computer-readable medium, which may be contained in the apparatus described in the above embodiments or may be separate and not incorporated into the apparatus. The computer readable medium carries one or more programs which, when executed by a device, cause the device to perform: S101, receiving an access request; S102, determining whether the timestamp, the first signature and the visitor IP in the access request all conform to a second authentication rule, and passing authentication if they do; the second authentication rule comprising: the timestamp is within a first preset time range, the first signature has not been used within a second preset time range, and the visitor IP is in a preset list of IPs allowed to access.
The access authentication method provided by the embodiments of the invention verifies the timeliness of the signature, prevents reuse of the signature and restricts the IPs permitted to access, so that a captured signature cannot be replayed, the resource access flow is simplified, resource access efficiency is improved, and the load that malicious requests place on the service system is reduced.
The above-described embodiments should not be construed as limiting the scope of the invention. Those skilled in the art will appreciate that various modifications, combinations, sub-combinations, and substitutions can occur, depending on design requirements and other factors. Any modification, equivalent replacement, and improvement made within the spirit and principle of the present invention should be included in the protection scope of the present invention.

Claims (10)

1. A method of access authentication, comprising:
receiving an access request;
determining whether the timestamp, the first signature and the visitor IP in the access request all conform to a second authentication rule, and passing authentication if they do;
the second authentication rule comprising: the timestamp is within a first preset time range, the first signature has not been used within a second preset time range, and the visitor IP is in a preset list of IPs allowed to access.
2. The method of claim 1, further comprising, before determining whether the timestamp, the first signature and the visitor IP in the access request all conform to the second authentication rule:
determining that the version number and the mandatory parameters of the access request conform to a first authentication rule;
the first authentication rule comprising: the version number of the access request matches a preset version number, and no mandatory parameter is missing.
3. The method of claim 1, wherein determining whether the timestamp, the first signature and the visitor IP in the access request all conform to the second authentication rule, and passing authentication if they do, comprises:
determining whether the timestamp, the first signature and the visitor IP in the access request all conform to the second authentication rule; if so, generating a second signature from the signature parameters in the access request and verifying whether the second signature matches the first signature;
and passing authentication if the second signature matches the first signature.
4. The method of claim 3, wherein generating a second signature from the signature parameters in the access request comprises:
obtaining the signature parameters from the access request, the signature parameters comprising an access token, a timestamp, a universally unique identifier (UUID) and a part of the uniform resource identifier (URI);
sorting the signature parameters by their keys in ascending lexicographic order and concatenating them to obtain a string;
appending a secret key to the end of the string, and encoding the string with the appended key;
and computing a digest of the encoded result with a message digest algorithm to obtain the second signature.
5. An apparatus for access authentication, comprising:
a receiving module configured to: receive an access request;
an authentication module configured to: determine whether the timestamp, the first signature and the visitor IP in the access request all conform to a second authentication rule, and pass authentication if they do;
a rules module configured to: configure the second authentication rule, the second authentication rule comprising: the timestamp is within a first preset time range, the first signature has not been used within a second preset time range, and the visitor IP is in a preset list of IPs allowed to access.
6. The apparatus of claim 1, wherein the authentication module is further configured to:
determine that the version number and the mandatory parameters of the access request conform to a first authentication rule;
the first authentication rule comprising: the version number of the access request matches a preset version number, and no mandatory parameter is missing.
7. The apparatus of claim 1, wherein the authentication module is further configured to:
determine whether the timestamp, the first signature and the visitor IP in the access request all conform to the second authentication rule; if so, generate a second signature from the signature parameters in the access request and verify whether the second signature matches the first signature;
and pass authentication if the second signature matches the first signature.
8. The apparatus of claim 3, wherein the authentication module is further configured to:
obtain the signature parameters from the access request, the signature parameters comprising an access token, a timestamp, a universally unique identifier (UUID) and a part of the uniform resource identifier (URI);
sort the signature parameters by their keys in ascending lexicographic order and concatenate them to obtain a string;
append a secret key to the end of the string, and encode the string with the appended key;
and compute a digest of the encoded result with a message digest algorithm to obtain the second signature.
9. An electronic device, comprising:
one or more processors;
a storage device storing one or more programs which,
when executed by the one or more processors, cause the one or more processors to implement the method of any one of claims 1-4.
10. A computer-readable medium, on which a computer program is stored, which, when being executed by a processor, carries out the method according to any one of claims 1-4.
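The signature construction of claim 4 and the two-stage check of claims 1 to 3 (the S101 to S103 flow summarized above), written out as an added Python example; this is not code from the patent or its assignees. The claims leave the concatenation format, the encoding and the digest algorithm unspecified, so the example assumes "k=v" pairs joined by "&", the secret appended as "&key=<secret>", UTF-8 encoding and SHA-256; the parameter names, the secret, the IP addresses and the allow list are all constructed for illustration.

```python
"""Request signing and verification following the claims above.

Added example, not the patent's own code.  Assumptions: signature parameters
are joined as "k=v" pairs with "&", the secret is appended as "&key=<secret>",
the string is UTF-8 encoded, the digest is SHA-256, and the parameter names,
secret and IP addresses are constructed for illustration.
"""
import hashlib
import hmac
import time
import uuid
from typing import Dict, Optional, Tuple

# Claim 4 lists these four signature parameters; the names are hypothetical.
SIGNATURE_KEYS = ("access_token", "timestamp", "nonce", "uri")
# Mandatory parameters checked by the first authentication rule (claim 2).
MANDATORY_PARAMS = ("version", "sign") + SIGNATURE_KEYS


def canonical_string(params: Dict[str, str]) -> str:
    """Sort the signature parameters by key in ascending lexicographic
    order and concatenate them into one string (claim 4)."""
    ordered = sorted((k, str(params[k])) for k in SIGNATURE_KEYS)
    return "&".join(f"{k}={v}" for k, v in ordered)


def compute_signature(params: Dict[str, str], secret: str) -> str:
    """Append the secret key to the canonical string, encode it, and
    digest the result (claim 4).  Layout of the appended key is assumed."""
    with_key = f"{canonical_string(params)}&key={secret}"
    return hashlib.sha256(with_key.encode("utf-8")).hexdigest()


def sign_request(access_token: str, uri: str, secret: str,
                 version: str = "1.0", now: Optional[float] = None) -> Dict[str, str]:
    """Client side: build a request carrying the timestamp, a UUID nonce,
    the partial URI and the first signature over them."""
    params = {
        "version": version,
        "access_token": access_token,
        "timestamp": str(int(time.time() if now is None else now)),
        "nonce": uuid.uuid4().hex,
        "uri": uri,
    }
    params["sign"] = compute_signature(params, secret)
    return params


class AccessAuthenticator:
    """Server side: first rule (version, mandatory parameters), then second
    rule (timestamp window, signature not reused, IP allow list), then the
    recomputed second signature is compared with the first."""

    def __init__(self, secret: str, allowed_ips, version: str = "1.0",
                 time_window: int = 300, replay_window: int = 600):
        if replay_window < time_window:
            # Otherwise a signature can be replayed after it is forgotten
            # while its timestamp is still inside the accepted range.
            raise ValueError("replay window must cover the timestamp window")
        self.secret = secret
        self.allowed_ips = frozenset(allowed_ips)
        self.version = version
        self.time_window = time_window      # first preset time range, seconds
        self.replay_window = replay_window  # second preset time range, seconds
        self._seen: Dict[str, float] = {}   # first signature -> time accepted

    def _prune(self, now: float) -> None:
        for sig in [s for s, t in self._seen.items() if now - t > self.replay_window]:
            del self._seen[sig]

    def authenticate(self, request: Dict[str, str], visitor_ip: str,
                     now: Optional[float] = None) -> Tuple[bool, str]:
        now = time.time() if now is None else now
        # First authentication rule (claim 2).
        if request.get("version") != self.version:
            return False, "version mismatch"
        missing = [k for k in MANDATORY_PARAMS if not request.get(k)]
        if missing:
            return False, f"missing mandatory parameter(s): {', '.join(missing)}"
        # Second authentication rule (claim 1), in the order the claim lists.
        try:
            ts = int(request["timestamp"])
        except ValueError:
            return False, "malformed timestamp"
        if abs(now - ts) > self.time_window:
            return False, "timestamp outside allowed range"
        self._prune(now)
        first_sig = request["sign"]
        if first_sig in self._seen:
            return False, "signature already used"
        if visitor_ip not in self.allowed_ips:
            return False, "visitor IP not allowed"
        # Claim 3: recompute the signature and compare in constant time.
        second_sig = compute_signature(request, self.secret)
        if not hmac.compare_digest(second_sig, first_sig):
            return False, "signature mismatch"
        self._seen[first_sig] = now   # only accepted signatures are remembered
        return True, "ok"


if __name__ == "__main__":
    auth = AccessAuthenticator("s3cr3t", {"10.0.0.5"})
    req = sign_request("tok123", "/api/v1/orders", "s3cr3t")
    print(auth.authenticate(req, "10.0.0.5"))   # accepted once
    print(auth.authenticate(req, "10.0.0.5"))   # rejected as a reuse
```

Three points the claims leave open but a deployment depends on: the second preset time range (how long a used signature is remembered) must be at least as long as the first (the timestamp tolerance), or a captured request becomes replayable again once its signature is evicted while its timestamp is still acceptable; the visitor IP checked must be the source address the server actually saw, not a client-supplied header such as X-Forwarded-For unless that header is set by a trusted proxy; and the store of used signatures must be shared by every instance that verifies requests. Appending the secret to the string before hashing is the construction the claim describes; where the format is free to change, an HMAC over the canonical string is the standard choice.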
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201810935614.7A CN110839004A (en) 2018-08-16 2018-08-16 Method and device for access authentication

Publications (1)

Publication Number Publication Date
CN110839004A true CN110839004A (en) 2020-02-25

Family

ID=69574071

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201810935614.7A Pending CN110839004A (en) 2018-08-16 2018-08-16 Method and device for access authentication

Country Status (1)

Country Link
CN (1) CN110839004A (en)

Cited By (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111510455A (en) * 2020-04-16 2020-08-07 神州数码融信软件有限公司 Request message authentication and data transmission method
CN111510455B (en) * 2020-04-16 2022-06-10 神州数码融信软件有限公司 Request message authentication and data transmission method
CN111756749A (en) * 2020-06-24 2020-10-09 中国建设银行股份有限公司 Secure access method, device, equipment and storage medium
CN111769939A (en) * 2020-06-29 2020-10-13 北京海泰方圆科技股份有限公司 Business system access method and device, storage medium and electronic equipment
CN112202706A (en) * 2020-08-21 2021-01-08 国网浙江省电力有限公司杭州供电公司 Safe access method and device for power system intranet
CN112804269A (en) * 2021-04-14 2021-05-14 中建电子商务有限责任公司 Method for realizing website interface anti-crawler
CN113612678A (en) * 2021-07-15 2021-11-05 中标软件有限公司 Safety protection method for downloading and using mail attachment
CN114520724A (en) * 2022-02-18 2022-05-20 深圳前海环融联易信息科技服务有限公司 Signature verification method of open API (application program interface)
CN114760063A (en) * 2022-03-18 2022-07-15 百安居信息技术(上海)有限公司 Home decoration data processing method, system, storage medium and equipment

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102404392A (en) * 2011-11-10 2012-04-04 山东浪潮齐鲁软件产业股份有限公司 Integration type registering method for web application or website
CN103179134A (en) * 2013-04-19 2013-06-26 中国建设银行股份有限公司 Single sign on method and system based on Cookie and application server thereof
CN103475666A (en) * 2013-09-23 2013-12-25 中国科学院声学研究所 Internet of things resource digital signature authentication method
US9240886B1 (en) * 2012-08-20 2016-01-19 Amazon Technologies, Inc. Authentication adaptation
CN108183907A (en) * 2017-12-29 2018-06-19 浪潮通用软件有限公司 A kind of authentication method, server and Verification System
CN108259437A (en) * 2016-12-29 2018-07-06 北京神州泰岳软件股份有限公司 A kind of http access methods, http-server and system

Similar Documents

Publication Publication Date Title
CN110839004A (en) Method and device for access authentication
CN107888656B (en) Calling method and calling device of server-side interface
CN107249004B (en) Identity authentication method, device and client
CN112039826B (en) Login method and device applied to applet end, electronic equipment and readable medium
CN113271296B (en) Login authority management method and device
CN110958119A (en) Identity verification method and device
CN114049122A (en) Service processing method and system
CN112560003A (en) User authority management method and device
CN111181920A (en) Encryption and decryption method and device
CN113572763B (en) Data processing method and device, electronic equipment and storage medium
CN114584381A (en) Security authentication method and device based on gateway, electronic equipment and storage medium
CN113765968A (en) File transmission method, device and system
CN110650014B (en) Signature authentication method, system, equipment and storage medium based on hessian protocol
CN112966286B (en) Method, system, device and computer readable medium for user login
CN115567271A (en) Authentication method and device, page skip method and device, electronic equipment and medium
CN115567263A (en) Data transmission management method, data processing method and device
CN112565156B (en) Information registration method, device and system
CN113761566A (en) Data processing method and device
CN109657481B (en) Data management method and device
CN113055186A (en) Cross-system service processing method, device and system
CN110659476A (en) Method and apparatus for resetting password
CN114598549B (en) Customer SSL certificate verification method and device
CN113420331B (en) Method and device for managing file downloading permission
CN112926076B (en) Data processing method, device and system
CN116112172B (en) Android client gRPC interface security verification method and device

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20200225