CN111314306A - Interface access method and device, electronic equipment and storage medium - Google Patents

Publication number
CN111314306A
Authority
CN
China
Prior art keywords
signature
access
interface
annotation
access request
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202010057153.5A
Other languages
Chinese (zh)
Inventor
韦明伦
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Netease Hangzhou Network Co Ltd
Original Assignee
Netease Hangzhou Network Co Ltd
Application filed by Netease Hangzhou Network Co Ltd

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/10: Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3247: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer And Data Communications (AREA)

Abstract

The application provides an interface access method and device, electronic equipment and a storage medium. The scheme comprises the following steps: intercepting an access request sent by a client; mapping the access address carried by the access request to the corresponding access interface; judging, according to the signature annotations configured in advance for different interfaces, whether the access interface has a signature annotation; determining whether to execute a signature verification operation according to whether the access interface has a signature annotation; and, if the signature verification operation is executed, returning an access result corresponding to the access request to the client based on the result of the signature verification operation. For the interfaces that need signature verification, the server can therefore execute the same set of signature verification code without adding signature verification code to each interface, which saves development cost and reduces the load on the server.

Description

Interface access method and device, electronic equipment and storage medium
Technical Field
The present application relates to the field of computer technologies, and in particular, to an interface access method and apparatus, an electronic device, and a computer-readable storage medium.
Background
With the emergence of problems such as network information falsification, the validity of network information becomes a focus of attention. An internet interface that is open to the outside may be exposed to masquerading attacks, tampering attacks, replay attacks, and data information leakage.
In internet server-side development, signatures generally need to be verified for some sensitive internet interfaces to ensure the security of those interfaces. However, a server has a large number of interfaces, and developing a separate set of signature verification logic for each interface increases both the development cost and the load on the server.
Disclosure of Invention
The embodiment of the application provides an interface access method, which is used for reducing development cost and lightening the load of a server.
The application provides an interface access method, which comprises the following steps:
intercepting an access request sent by a client;
mapping to obtain an access interface corresponding to the access address according to the access address carried by the access request;
judging whether the access interface has a signature annotation configured correspondingly or not according to the signature annotation configured in advance for different interfaces;
determining whether to execute signature verification operation according to whether the access interface has a signature annotation;
and if the signature verification operation is executed, returning an access result corresponding to the access request to the client based on a signature verification result of the signature verification operation.
In an embodiment, the determining whether to perform a signature verification operation according to whether the access interface has a signature annotation includes:
and if the access interface has the signature annotation, executing the signature verification operation.
In an embodiment, the determining whether to perform a signature verification operation according to whether the access interface has a signature annotation includes:
if the access interface does not have the signature annotation, judging whether the service method indicated by the access request has the signature annotation, and if so, executing the signature verification operation.
In one embodiment, the executing the signature verification operation includes:
analyzing the signature information carried by the access request to obtain a timestamp;
comparing the timestamp with the current time point, and judging whether the access request is overdue according to a comparison result;
and when the access request is not expired, verifying the signature character string contained in the signature information to obtain a signature verification result.
In an embodiment, the verifying the signature character string included in the signature information to obtain a signature verification result includes:
inquiring a key corresponding to the application identifier according to the application identifier obtained by analyzing the signature information;
encrypting the interface parameters by using the secret key according to the interface parameters carried by the access request to obtain an encrypted character string;
and carrying out consistency comparison on the encrypted character string and the signature character string contained in the signature information to obtain a signature checking result.
In an embodiment, the encrypting the interface parameter by using the key according to the interface parameter carried by the access request to obtain an encrypted character string includes:
obtaining an ignore parameter indicated in the signature annotation;
filtering the ignore parameters out of the interface parameters to obtain signature parameters;
and encrypting the signature parameters, the timestamp and the random characters obtained by analyzing the signature information through the secret key to obtain the encrypted character string.
In an embodiment, the returning, to the client, an access result corresponding to the access request based on a signature verification result of the signature verification operation includes:
if the signature verification result is that the encrypted character string is consistent with the signature character string contained in the signature information, calling a corresponding service method by using the interface parameter;
and returning the service data generated by calling the service method to the client.
In an embodiment, the returning, to the client, an access result corresponding to the access request based on a signature verification result of the signature verification operation includes:
and if the signature verification result is that the encrypted character string is inconsistent with the signature character string contained in the signature information, returning prompt information of signature verification failure to the client.
In an embodiment, the determining whether to perform a signature verification operation according to whether the access interface has a signature annotation includes:
if the access interface and the business method indicated by the access request do not have signature annotation, determining not to execute signature verification operation;
and calling a corresponding service method according to the interface parameters carried by the access request, and returning service data generated by calling the service method to the client.
An embodiment of the present application further provides an interface access apparatus, including:
the request intercepting module is used for intercepting an access request sent by a client;
the interface mapping module is used for mapping to obtain an access interface corresponding to the access address according to the access address carried by the access request;
the annotation judging module is used for judging whether the access interface has a correspondingly configured signature annotation;
the signature checking and judging module is used for determining whether to execute the signature verification operation according to whether the access interface has a signature annotation;
and the result returning module is used for returning the access result corresponding to the access request to the client, based on the signature verification result of the signature verification operation, when the signature verification operation is executed.
In addition, the present application also provides an electronic device, which includes:
a processor;
a memory for storing processor-executable instructions;
wherein the processor is configured to perform the above interface access method.
Further, the present application also provides a computer-readable storage medium storing a computer program executable by a processor to perform the above-mentioned interface access method.
According to the technical scheme provided by the embodiment of the application, the server adds the signature annotation to the interfaces that need signature verification. For the interface that the client needs to access, the server determines whether to execute the signature verification operation based on whether the access interface has a signature annotation, and returns the access result to the client based on the signature verification result.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present application, the drawings required to be used in the embodiments of the present application will be briefly described below.
Fig. 1 is a schematic application scenario diagram of an interface access method provided in an embodiment of the present application;
FIG. 2 is a schematic flow chart diagram illustrating a data access method according to an embodiment of the present application;
FIG. 3 is an architectural diagram of a signature tool class according to an embodiment of the present application;
FIG. 4 is a diagram illustrating a call when a signature is correct according to an embodiment of the present application;
FIG. 5 is a diagram illustrating a call in the case of a signature error according to an embodiment of the present application;
FIG. 6 is a schematic flow chart illustrating an exemplary embodiment of a system for performing a signature verification operation;
FIG. 7 is a detailed flowchart of step 630 in a corresponding embodiment of FIG. 6;
FIG. 8 is a schematic diagram illustrating a complete flow chart of an interface access method according to an embodiment of the present application;
FIG. 9 is a block diagram of an interface access device according to an embodiment of the present application.
Detailed Description
The technical solutions in the embodiments of the present application will be described below with reference to the drawings in the embodiments of the present application.
Like reference numbers and letters refer to like items in the following figures, and thus, once an item is defined in one figure, it need not be further defined and explained in subsequent figures.
Fig. 1 is a schematic view of an application scenario of an interface access method provided in an embodiment of the present application, as shown in fig. 1, the application scenario includes a server 110 and a plurality of clients 120. The client 120 and the server 110 are connected through a wired or wireless network. The client 120 may be a Personal Computer (PC), a tablet PC, a smart phone, a Personal Digital Assistant (PDA), and the like. The server 110 may be a server, a server cluster, or a cloud computing center.
Signature annotations can be configured in advance for sensitive internet interfaces. When the server 110 receives an access request, it can use the method provided by the application: it intercepts the access request sent by the client 120, judges whether the access interface has a signature annotation, and thereby determines whether the access interface requires signature verification. For an access interface that requires signature verification, the code segment for verifying the signature is executed before the specific business method; the business method is then executed and the business data is returned to the client 120. Service developers writing interface services therefore do not need to write signature verification logic for each interface. All interfaces are managed uniformly, the interfaces that need signature verification are identified by their signature annotations, and the signature verification operation is executed uniformly before the interface is accessed.
The application also provides an electronic device, which may be the server 110. As shown in fig. 1, the server 110 may include a processor 111; a memory 112 for storing instructions executable by the processor 111; wherein the processor 111 is configured to execute the interface access method provided herein.
The Memory 112 may be implemented by any type of volatile or non-volatile Memory device or combination thereof, such as Static Random Access Memory (SRAM), Electrically Erasable Programmable Read-Only Memory (EEPROM), Erasable Programmable Read-Only Memory (EPROM), Programmable Read-Only Memory (PROM), Read-Only Memory (ROM), magnetic Memory, flash Memory, magnetic disk or optical disk.
A computer-readable storage medium is also provided, which stores a computer program executable by the processor 111 to perform the interface access method provided herein.
Fig. 2 is a schematic flowchart of a data access method provided in an embodiment of the present application. The method may be performed by a server, as shown in fig. 2, and includes the following steps 210-250.
In step 210, the server intercepts an access request sent by the client.
Interception means that the server does not directly access the service interface after receiving an access request sent by the client. The access request can be a payment request, a web browsing request, a login request, etc., and different access requests can interface with one or more service interfaces. The access request may carry an access address and interface parameters (explained below); for an access interface with a higher security requirement, the access request may also carry signature information.
In step 220, according to the access address carried by the access request, an access interface corresponding to the access address is obtained through mapping.
The access address may be a Uniform Resource Identifier (URI). The access interface is the above-mentioned service interface. The server may have a plurality of service interfaces, and different service interfaces execute different service logic. The server stores the access addresses corresponding to the different access interfaces in advance, so it can determine the access interface from the access address contained in the access request.
In step 230, it is determined whether the access interface has a signature annotation configured correspondingly according to the signature annotations configured in advance for different interfaces.
In step 240, it is determined whether to perform a signature verification operation based on whether a signature annotation exists for the access interface.
A signature annotation marks a service interface that has a higher security requirement: an interface with the signature annotation is treated as marked, and the signature must be verified before a specific service method is executed. For such an interface, the access request sent by the client carries a signature, and the signature verification operation means that the server looks up the signature key, generates a signature, and verifies whether the signature sent by the client is correct.
In an embodiment, the server marks the service interfaces that need signature verification in advance with the signature annotation. When the access address is parsed from the access request and mapped to an access interface, the server judges whether the access interface has the signature annotation. If it does, the signature must be verified before a specific service method of the access interface is called, and the service method is called only after the signature verification succeeds. If the access interface does not have a signature annotation, the specific service method can be called directly. Which service method is called is determined by the indication in the access request.
A business method can be regarded as a logic program of a business operation, such as a payment program or a login program. One access interface may have multiple business methods, and some of them may have higher security requirements. The server can add the signature annotation to the methods that need signature verification. Therefore, in another embodiment, if the access interface does not have the signature annotation, the server continues by judging whether the business method indicated by the access request has the signature annotation. If it does, the signature is verified, and the business method is called after the signature verification succeeds. For the same access interface, the business methods that need signature verification can thus be chosen individually, which improves the flexibility of the interface.
In an embodiment, if neither the access interface nor the business method indicated by the access request has a signature annotation, the corresponding business method can be called directly without executing the signature verification operation.
In step 250, if the signature verification operation is executed, an access result corresponding to the access request is returned to the client based on the signature verification result of the signature verification operation.
The signature verification result is either success or failure. The access result may be prompt information indicating that signature verification failed, or service data. The service data is obtained by executing the service method.
If the signature verification fails, prompt information indicating the failure is returned to the client. If the signature verification succeeds, the service method is called and the service data corresponding to the access request is returned to the client.
According to the technical scheme provided by the embodiment of the application, the server adds the signature annotation to the interfaces that need signature verification. For the interface that the client needs to access, the server determines whether to execute the signature verification operation based on whether the access interface has a signature annotation, and returns the access result to the client based on the signature verification result.
In one embodiment, the application uses the AOP (aspect-oriented programming; calling a specified function module before calling an object of a certain type) principle to add an interceptor for signature verification at the Controller interface of Spring MVC (a development framework). The code fragment used to verify the signature is executed before the specific business method is invoked.
In an embodiment, when an HTTP (Hypertext Transfer Protocol) access request arrives, the server calls the doDispatch method (mainly responsible for scheduling and control flow) in DispatcherServlet to obtain a HandlerAdapter (a processing adapter that calls a specific method to process the request sent by the user) and have it handle the request. After Spring MVC calls the handle method of the HandlerAdapter, the HTTP parameters are resolved using HandlerMethodArgumentResolver. Before a specific service method is called, the access request is intercepted through the AOP principle, and the HttpServletRequest (an object that encapsulates the information in the HTTP request header) and the ProceedingJoinPoint (an instance for obtaining the current method and its parameters) of the called method are obtained. The HTTP request header can be taken from the HttpServletRequest, and the signature information uploaded by the client is read from the request header; the parameters, parameter types and parameter annotations of the called method can be taken from the ProceedingJoinPoint. Signature verification is then performed with this data. If verification passes, execution of the service method continues; if it does not pass, the request is intercepted, an error prompt is written into the HTTP response, and the error prompt is returned directly to the client, bypassing the service code. With this scheme, a signature tool class can be instantiated and injected into the Spring MVC container, and adding a signature annotation to an interface that needs signature verification then enables automatic signature verification.
The signature tool class can use a signature scheme based on Base64 (an encoding that represents binary data using 64 printable characters) and the HmacSHA1 algorithm (a keyed hash algorithm constructed from the SHA1 hash function). If another signature algorithm is required, the signature tool class can be inherited and only the signature algorithm in it needs to be overridden, so the signature tool class has good extensibility and usability.
Fig. 3 is a schematic diagram illustrating an architecture of a signature tool class according to an embodiment of the present application. As shown in fig. 3, the architecture includes a Signature Component (the basic signature component class) for generating and verifying signatures. To implement a new signature algorithm, the key and the signature verification parameters are overridden in a subclass. The Http Signature Component is a subclass of the Signature Component; it parses HTTP parameters, parses Spring MVC Controller annotations and assembles parameters, and implements signature verification of HTTP requests. The Controller Interceptor is a custom interceptor: after the HandlerMethodArgumentResolver has resolved the original HTTP parameters and before a specific business method is called, it uses the Http Signature Component to parse the HTTP parameters and check whether the signature is correct.
Fig. 4 is a schematic diagram of the calls between the functional devices shown in fig. 3 when the signature is correct. The Http Signature Component is a subclass of the Signature Component; it can be regarded as an extension and enhancement of the Signature Component and has all of its functions. Thus, as shown in fig. 4: (1) the client initiates an access request; (2) the interceptor intercepts the access request and passes the related parameters to the Http Signature Component; (3) the Http Signature Component verifies the signature, finds it correct, and informs the interceptor that signature verification succeeded; (4) the interceptor calls the service controller to execute the service method; (5) the interceptor receives the service data returned by the service controller; (6) the interceptor returns the service data to the client that initiated the access request.
Fig. 5 is a schematic diagram of the calls between the functional devices shown in fig. 3 when the signature is incorrect. As shown in fig. 5: (1) the client initiates an access request; (2) the interceptor intercepts the access request and passes the related parameters to the Http Signature Component; (3) the Http Signature Component verifies the signature, finds it incorrect, and returns a signature verification failure notice to the interceptor; (4) the interceptor sends the client prompt information stating that the signature is wrong and service is refused.
In an embodiment, performing the signature verification operation, as shown in fig. 6, may include the following steps 610-630.
In step 610, the signature information carried by the access request is parsed to obtain a timestamp.
In one embodiment, the client performs the signing steps as follows: (1) assemble all the input parameters of the called business method into a JSON (JavaScript Object Notation) format character string, with the parameters arranged in alphabetical order by parameter name, and append the current timestamp (in milliseconds) and a random character string (nonce) after the parameters, for example: {"a":1,"b":"numerical value","bb":2,"c":"213","z":"zzz"}1564469443000nonce; (2) Base64-encode the result to obtain a first ciphertext; (3) process the first ciphertext with the provided key using the HmacSHA1 algorithm to obtain a second ciphertext; (4) Base64-encode the second ciphertext to obtain the signature character string.
When the client initiates an HTTP request, the signature information is carried in a request header: [ clientId (application identification) ] [ timestamp ]: sign: nonce. For example, the clientId is km; the timestamp is 1564024954180; the signature character string is cX3b5/O3 oIIVSkhxuXguHYgJW/8; the nonce is cafebaby.
The server parses the signature information to obtain the timestamp; the timestamp in the signature information may be the time at which the access request was initiated.
In step 620, the timestamp is compared with the current time point, and whether the access request is expired is determined according to the comparison result.
The current time point may be the time point at which the timestamp is parsed. If the interval between the timestamp and the current time point is greater than a preset value, the access request corresponding to the timestamp is considered expired. If the access request is expired, signature verification is considered to have failed and error prompt information is returned to the client. This prevents the server from continuing to respond to expired requests and improves security.
In step 630, when the access request is not expired, the signature string included in the signature information is verified, and a signature verification result is obtained.
If the access request has not expired, the server generates a signature from the interface parameters and compares it with the signature character string contained in the signature information to check whether the two are consistent. If they are consistent, signature verification is considered successful, the corresponding service method is called, and service data is returned to the client. If they are not consistent, signature verification is considered to have failed and error prompt information is returned to the client.
In an embodiment, as shown in fig. 7, step 630 specifically includes the following steps 631-633.
In step 631, according to the application identifier obtained by parsing the signature information, a key corresponding to the application identifier is queried.
The application identifier may be a number assigned to each application, for example 001. The server can store the key corresponding to each application identifier in advance. Under normal conditions, the key used when signing for an application is the same as the key that the server stores for that application identifier.
In step 632, according to the interface parameter carried by the access request, the interface parameter is encrypted by using the key, so as to obtain an encrypted character string.
According to the embodiment of the application, the interface parameters can be identified automatically from the access request and do not need to be carried in the signature verification code. The same set of signature verification tools (also called signature verification code) can therefore be used, and there is no need to develop a set for each interface. The server first converts the interface parameters into a JSON format character string with the parameters arranged in alphabetical order by parameter name, then appends the timestamp and the random characters to obtain a parameter combination. It Base64-encodes the parameter combination to obtain a first ciphertext, applies HmacSHA1 to the first ciphertext with the key to obtain a second ciphertext, and Base64-encodes the second ciphertext to obtain the encrypted character string.
In step 633, the encrypted character string is compared for consistency with the signature character string contained in the signature information to obtain the signature verification result.
The server compares the encrypted character string with the signature character string contained in the signature information. If they are the same, signature verification succeeds, the corresponding service method is called with the interface parameters, and service data is returned to the client. If they differ, signature verification is considered to have failed, and prompt information indicating the failure is returned to the client.
Generally, signatures depend on the specific parameters of an interface, and different interfaces have different interface parameters, so in the prior art a set of signature verification logic (i.e., signature verification code) has to be developed for the specific parameters of each interface in the interface service. The signature verification logic provided by the embodiment of the application is a single general set of logic: the interface parameters are identified automatically from the access request and encrypted with the key to obtain an encrypted character string, and the signature verification result is obtained by comparing the encrypted character string with the signature character string contained in the signature information. This logic can perform signature verification for all kinds of interfaces.
If an interface needs to specify that certain special parameters do not participate in computing the signature, an ignore parameter may be specified in the signature annotation. In one embodiment, step 632 may include: obtaining the ignore parameter indicated in the signature annotation; filtering the ignore parameter out of the interface parameters to obtain the signature parameters; and encrypting, with the key, the signature parameters together with the timestamp and the random characters obtained by parsing the signature information, to obtain the encrypted character string.
Here, an ignore parameter is a parameter that does not participate in the signature calculation. Under the rules of SpringMVC, the interface parameters of a Controller are typically RequestParam (request parameter), PathVariable (path variable), ModelAttribute (model attribute), and RequestBody (request body).
The parameter types supported by RequestParam include elementary types such as Integer, String, Long, Boolean, LocalDate, LocalDateTime and YearMonth (year and month), and the MultipartFile type (the type of binary files uploaded by the client, such as pictures and videos). The MultipartFile type needs to be filtered out at parsing time.
A parameter annotated with PathVariable does not participate in the signature computation and can be ignored.
A parameter annotated with ModelAttribute is a POJO (Plain Ordinary Java Object) class or Map into which SpringMVC encapsulates the query parameters; this POJO class or Map is converted directly into JSON.
A parameter annotated with RequestBody is a POJO class, and all fields of the POJO class participate in the signature calculation, so all of its fields can be converted into JSON fields.
Some parameters may carry no annotation at all. SpringMVC still identifies and maps some of these, such as the basic types Integer and String, while others, such as the BindingResult type used to return parameter-check results, are not HTTP input parameters and should be ignored.
Therefore, when the interface parameters are parsed from the access request, they can be filtered by parameter type: the ignore parameters are removed and the remaining parameters are used as the signature parameters, i.e., the parameters involved in the signature calculation. A timestamp, random characters, a signature character string and an application identifier are parsed from the signature information. The signature parameters are converted into JSON format and sorted, then spliced with the timestamp and the random characters to obtain a parameter combination; Base64 encryption is performed on the parameter combination to obtain a first ciphertext, HmacSHA1 encryption is performed on the first ciphertext with the key to obtain a second ciphertext, and Base64 encryption is performed on the second ciphertext to obtain the encrypted character string.
The server can then compare the encrypted character string with the signature character string contained in the signature information. If the two are consistent, the server calls the requested service method and returns the service data generated by that call to the client. If not, prompt information indicating the signature verification failure is returned to the client.
Fig. 8 is a schematic flowchart of a complete interface access method according to an embodiment of the present application. The process may be performed by a server, as shown in fig. 8, and the interface access method may include the following steps.
Step 801: Intercept an access request sent by a client, and parse the access request to determine the access interface and the service method.
Step 802: Determine whether a signature annotation exists for the access interface. If a signature annotation exists, go to step 804; if not, go to step 803.
Step 803: Determine whether the service method has a signature annotation. If so, go to step 804; otherwise, go to step 810.
Step 804: Parse the request header to obtain the signature information, and parse the signature information to obtain a timestamp, an application identifier, a signature character string, random characters and the like.
Step 805: Determine from the timestamp whether the request has expired. If it has expired, go to step 806; if not, go to step 807.
Step 806: Return a signature verification failure prompt.
Step 807: Query the key according to the application identifier.
Step 808: Convert the interface parameters into a JSON-format character string arranged in alphabetical order of parameter name, then splice on the timestamp and the random characters to obtain a parameter combination; perform Base64 encryption on the parameter combination to obtain a first ciphertext, perform HmacSHA1 encryption on the first ciphertext with the key to obtain a second ciphertext, and perform Base64 encryption on the second ciphertext to obtain the encrypted character string.
Step 809: Compare whether the encrypted character string is consistent with the signature character string contained in the signature information. If so, go to step 810; if not, go to step 806.
Step 810: Call the corresponding service method.
Step 811: Return the service data generated by calling the service method to the client.
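Steps 804 to 809, together with the ignore-parameter filtering described earlier, as an added Python example that is not code from the patent or its applicant. The field names (`timestamp`, `appId`, `nonce`, `sign`), the 300-second validity window, second-resolution timestamps, the compact JSON form and the separator-free splicing are assumptions, since the page does not specify them.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed sample data: the key the server stores in advance per application identifier.
APP_KEYS = {"001": b"constructed-demo-key"}
MAX_AGE_SECONDS = 300  # assumption: the page does not state the validity window


def sign(params, timestamp, nonce, key, ignore=()):
    """Compute the 'encrypted character string' of step 808."""
    # Drop the ignore parameters named in the signature annotation.
    signed = {k: v for k, v in params.items() if k not in ignore}
    # JSON string with parameter names in alphabetical order (compact form is an assumption).
    canonical = json.dumps(signed, sort_keys=True, separators=(",", ":"),
                           ensure_ascii=False)
    # Splice on the timestamp and the random characters (no separators: assumption).
    combination = canonical + str(timestamp) + nonce
    # The page calls every stage "encryption"; technically Base64 is an
    # encoding and HmacSHA1 is a keyed hash (HMAC with SHA-1).
    first = base64.b64encode(combination.encode("utf-8"))
    second = hmac.new(key, first, hashlib.sha1).digest()
    return base64.b64encode(second).decode("ascii")


def verify(params, sig_info, ignore=(), now=None):
    """Steps 804-809. Returns (ok, reason)."""
    now = time.time() if now is None else now
    # Step 804: parse the signature information taken from the request header.
    try:
        timestamp = int(sig_info["timestamp"])
        app_id = sig_info["appId"]
        nonce = str(sig_info["nonce"])
        presented = str(sig_info["sign"])
    except (KeyError, TypeError, ValueError):
        return False, "malformed signature information"
    # Step 805: expiry check; a timestamp too far in the future is rejected as well.
    if abs(now - timestamp) > MAX_AGE_SECONDS:
        return False, "expired"
    # Step 807: look up the key by application identifier.
    key = APP_KEYS.get(app_id)
    if key is None:
        return False, "unknown application identifier"
    # Steps 808-809: recompute and compare in constant time, so the
    # comparison does not leak how many leading characters matched.
    expected = sign(params, timestamp, nonce, key, ignore)
    if not hmac.compare_digest(expected.encode("utf-8"), presented.encode("utf-8")):
        return False, "signature mismatch"
    return True, "ok"


if __name__ == "__main__":
    # Constructed request: 'file' stands in for a MultipartFile that is ignored.
    params = {"userId": 42, "amount": "10.00", "file": "<binary>"}
    ts = int(time.time())
    info = {"timestamp": str(ts), "appId": "001", "nonce": "abc123",
            "sign": sign(params, ts, "abc123", APP_KEYS["001"], ignore=("file",))}
    print(verify(params, info, ignore=("file",)))
    print(verify(dict(params, amount="99.00"), info, ignore=("file",)))
```

The client must build the JSON string byte for byte the same way as the server; any difference in key order, whitespace or number formatting yields a different signature and a failed verification.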
The following is an embodiment of the apparatus of the present application, which may be used to execute an embodiment of an interface access method executed by the server of the present application. For details not disclosed in the embodiments of the apparatus of the present application, please refer to the embodiments of the interface access method of the present application.
Fig. 9 is a block diagram of an interface access device according to an embodiment of the present application. As shown in fig. 9, the interface access device may include: a request intercepting module 910, an interface mapping module 920, an annotation judging module 930, a signature verification judgment module 940 and a result returning module 950.
A request intercepting module 910, configured to intercept an access request sent by a client;
an interface mapping module 920, configured to map, according to an access address carried in the access request, an access interface corresponding to the access address;
an annotation judging module 930, configured to judge whether the access interface has a correspondingly configured signature annotation;
a signature verification judgment module 940, configured to determine whether to execute a signature verification operation according to whether the access interface has a signature annotation;
a result returning module 950, configured to, if the signature verification operation is executed, return an access result corresponding to the access request to the client based on a signature verification result of the signature verification operation.
The implementation process of the functions and actions of each module in the above device is specifically described in the implementation process of the corresponding step in the above interface access method, and is not described herein again.
In the embodiments provided in the present application, the disclosed apparatus and method can be implemented in other ways. The apparatus embodiments described above are merely illustrative, and for example, the flowchart and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of apparatus, methods and computer program products according to various embodiments of the present application. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). In some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
In addition, functional modules in the embodiments of the present application may be integrated together to form an independent part, or each module may exist separately, or two or more modules may be integrated to form an independent part.
The functions, if implemented in the form of software functional modules and sold or used as a stand-alone product, may be stored in a computer readable storage medium. Based on such understanding, the technical solution of the present application or portions thereof that substantially contribute to the prior art may be embodied in the form of a software product stored in a storage medium and including instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present application. And the aforementioned storage medium includes: a U-disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk or an optical disk, and other various media capable of storing program codes.

Claims (12)

1. An interface access method, comprising:
intercepting an access request sent by a client;
mapping to obtain an access interface corresponding to the access address according to the access address carried by the access request;
judging whether the access interface has a signature annotation configured correspondingly or not according to the signature annotation configured in advance for different interfaces;
determining whether to execute signature verification operation according to whether the access interface has a signature annotation;
and if the signature checking operation is executed, returning an access result corresponding to the access request to the client based on a signature checking result of the signature checking operation.
2. The method of claim 1, wherein determining whether to perform a signature verification operation based on whether a signature annotation exists for the access interface comprises:
and if the access interface has the signature annotation, executing the signature verification operation.
3. The method of claim 1, wherein determining whether to perform a signature verification operation based on whether a signature annotation exists for the access interface comprises:
if the access interface does not have the signature annotation, judging whether the service method indicated by the access request has the signature annotation, and if so, executing the signature verification operation.
4. The method of claim 2 or 3, wherein said performing said signature verification operation comprises:
analyzing the signature information carried by the access request to obtain a timestamp;
comparing the timestamp with the current time point, and judging whether the access request has expired according to a comparison result;
and when the access request is not expired, verifying the signature character string contained in the signature information to obtain a signature verification result.
5. The method according to claim 4, wherein the verifying the signature string included in the signature information to obtain a signature verification result comprises:
inquiring a key corresponding to the application identifier according to the application identifier obtained by analyzing the signature information;
encrypting the interface parameters by using the secret key according to the interface parameters carried by the access request to obtain an encrypted character string;
and carrying out consistency comparison on the encrypted character string and the signature character string contained in the signature information to obtain a signature checking result.
6. The method according to claim 5, wherein the encrypting the interface parameter by using the key according to the interface parameter carried by the access request to obtain an encrypted string comprises:
obtaining an ignore parameter indicated in the signature annotation;
filtering the ignore parameter from the interface parameters to obtain signature parameters;
and encrypting the signature parameters, the timestamp and the random characters obtained by analyzing the signature information through the secret key to obtain the encrypted character string.
7. The method according to claim 5, wherein the returning an access result corresponding to the access request to the client based on the signature verification result of the signature verification operation comprises:
if the signature verification result is that the encrypted character string is consistent with the signature character string contained in the signature information, calling a corresponding service method by using the interface parameter;
and returning the service data generated by calling the service method to the client.
8. The method according to claim 5, wherein the returning an access result corresponding to the access request to the client based on the signature verification result of the signature verification operation comprises:
and if the signature verification result is that the encrypted character string is inconsistent with the signature character string contained in the signature information, returning prompt information of signature verification failure to the client.
9. The method of claim 3, further comprising:
if the service method indicated by the access request does not have a signature annotation, determining not to execute the signature verification operation;
calling a corresponding service method according to the interface parameters carried by the access request; and returning the service data generated by calling the service method to the client.
10. An interface access apparatus, comprising:
the request intercepting module is used for intercepting an access request sent by a client;
the interface mapping module is used for mapping to obtain an access interface corresponding to the access address according to the access address carried by the access request;
the annotation judging module is used for judging whether the access interface has a correspondingly configured signature annotation;
the signature checking and judging module is used for determining whether to execute signature checking operation according to whether the access interface has signature annotation;
and the result returning module is used for returning the access result corresponding to the access request to the client based on the signature checking result of the signature checking operation when the signature checking operation is executed.
11. An electronic device, characterized in that the electronic device comprises:
a processor;
a memory for storing processor-executable instructions;
wherein the processor is configured to perform the interface access method of any one of claims 1-9.
12. A computer-readable storage medium, characterized in that the storage medium stores a computer program executable by a processor to perform the interface access method of any one of claims 1-9.
CN202010057153.5A 2020-01-17 2020-01-17 Interface access method and device, electronic equipment and storage medium Pending CN111314306A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010057153.5A CN111314306A (en) 2020-01-17 2020-01-17 Interface access method and device, electronic equipment and storage medium

Publications (1)

Publication Number Publication Date
CN111314306A true CN111314306A (en) 2020-06-19

Family

ID=71148280

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20200619

RJ01 Rejection of invention patent application after publication