CN113076555B - Security authentication method and system based on open interface communication - Google Patents

Security authentication method and system based on open interface communication

Info

Publication number
CN113076555B
CN113076555B
Authority
CN
China
Prior art keywords
authorization
authentication
interface
sign
service
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202110332256.2A
Other languages
Chinese (zh)
Other versions
CN113076555A (en)
Inventor
刘杨
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Shanghai Minglue Artificial Intelligence Group Co Ltd
Original Assignee
Shanghai Minglue Artificial Intelligence Group Co Ltd
Application filed by Shanghai Minglue Artificial Intelligence Group Co Ltd
Priority to CN202110332256.2A
Publication of CN113076555A
Application granted
Publication of CN113076555B
Legal status: Active (current)
Anticipated expiration

Classifications

    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules, to a system of files or objects, e.g. local or distributed file system or database (G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING > G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity > G06F21/60 Protecting data > G06F21/62 Protecting access to data via a platform)
    • G06F16/24552 Database cache management (G06F16/00 Information retrieval; Database structures therefor; File system structures therefor > G06F16/20 Information retrieval of structured data, e.g. relational data > G06F16/24 Querying > G06F16/245 Query processing > G06F16/2455 Query execution)
    • G06F16/25 Integrating or interfacing systems involving database management systems (G06F16/00 Information retrieval > G06F16/20 Information retrieval of structured data, e.g. relational data)
    • G06F2221/2141 Access rights, e.g. capability lists, access control lists, access tables, access matrices (G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity > G06F2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements)

Abstract

The invention discloses a security authentication method and system based on open interface communication. The method comprises the following steps: setting up an authorization service and a MYSQL service, and initializing a related authorization table in the MYSQL service; caching the updated authorization data in the authorization table into the memory data of the authorization service; designating the interfaces that require security authentication; the authorized service initiating a request to one of the interfaces protected by security authentication and carrying the related authentication parameters; obtaining a comparison sign from the authentication parameters, the authorization table and the memory data, and comparing the comparison sign with the sign in the authentication parameters; and, after the comparison passes, the interface performing authorization authentication through the authorization authentication module, the authorization process being completed if the authorization authentication succeeds.

Description

Security authentication method and system based on open interface communication
Technical Field
The present invention relates to the field of computer technologies, and in particular, to a security authentication method and system based on open interface communication.
Background
With the spread of internet microservices and distributed technology, communication between services is unavoidable. A common scenario is an open service interface that authorizes access by the authorized services we designate. If the open service interface does not perform a security check when an authorized service accesses it, then once the authorized services are exposed to the public network or to other, non-target services on the intranet, the open service interface can be accessed by other, non-designated services and even used maliciously; the interface can be broken by replay attacks; and if every high-frequency interface access is authenticated against the database, the database is hit by every request. A data access authorization scheme for directed service authorization therefore needs to be designed so that the services can only be accessed by the authenticated services we designate, for the ultimate purpose of data security. Existing data access authorization schemes place certain demands on machine memory, so the memory cost is high, and they can suffer security problems caused by key leakage or by keys being recovered from captured and unpacked http request data.
Disclosure of Invention
The invention provides a security authentication method and a security authentication system based on open interface communication aiming at the technical problem that an open service interface can be maliciously utilized.
In a first aspect, an embodiment of the present application provides a security authentication method based on open interface communication, including:
the service construction step: setting up an authorization service and a MYSQL service, and initializing a related authorization table in the MYSQL service;
and a data caching step: caching the updated authorization data in the authorization table into the memory data of the authorization service;
interface assignment step: the authorized service designates an interface requiring security authentication;
an interface request step: the authorized service initiates a request to an interface passing through security authentication in the interfaces and carries related authentication parameters;
a comparison step: obtaining a comparison sign from the authentication parameters, the authorization table and the memory data, and comparing the comparison sign with the sign in the authentication parameters;
an authorization authentication step: after the comparison is passed, the interface performs authorization authentication through an authorization authentication module, and the authorization process is completed if the authorization authentication is successful.
The above secure authentication method based on open interface communication, wherein the information specified by the field of the authorization table includes, but is not limited to: app source name, appId, appSecret, status validity, creation date.
The above secure authentication method based on open interface communication, wherein the data caching step further includes:
a data refreshing step: and setting a refresh frequency, and refreshing the updated authorization data according to the refresh frequency in the authorization table.
The above secure authentication method based on open interface communication, wherein the interface designating step further includes:
a security authentication step: and carrying out security authentication on the interface through a security authentication module.
The above secure authentication method based on open interface communication, wherein the interface request step further includes: the authorized service initiates a request and carries the relevant authentication parameters in the http request header, wherein the authentication parameters comprise ts, nonce, sign and appId, and the sign is generated by the rule hash(ts+nonce+AppId+AppSecret).
The above secure authentication method based on open interface communication, wherein the comparing step further includes: the open interface service caches the nonce according to the set caching time.
The secure authentication method based on open interface communication, wherein the comparing step includes:
AppSecret query step: inquiring corresponding AppSecret through the authorization table or the memory data according to the AppId;
a comparison sign obtaining step: computing the comparison sign from the AppSecret and the ts, nonce and appId in the authentication parameters according to the sign generation rule;
sign comparison: and comparing the comparison sign with the sign in the authentication parameter.
According to the security authentication method based on the open interface communication, after the authorization process in the authorization authentication step is completed, the open interface service enters an interface logic layer for processing, and returns related data of the interface with successful authorization authentication.
In a second aspect, an embodiment of the present application provides a security authentication system based on open interface communication, including:
service building unit: setting up an authorization service and a MYSQL service, and initializing a related authorization table in the MYSQL service;
a data caching unit: caching the updated authorization data in the authorization table into the memory data of the authorization service;
interface specifying unit: the authorized service designates an interface requiring security authentication;
an interface request unit: the authorized service initiates a request to an interface passing through security authentication in the interfaces and carries related authentication parameters;
and a comparison unit: obtaining a comparison sign according to the authentication parameters, an authorization table and memory data, and comparing the comparison sign with the sign in the authentication parameters;
an authorization authentication unit: after the comparison is passed, the interface performs authorization authentication through an authorization authentication module, and the authorization process is completed if the authorization authentication is successful.
The above secure authentication system based on open interface communication, wherein the comparison unit includes:
AppSecret query module: inquiring corresponding AppSecret through the authorization table or the memory data according to the AppId;
comparison sign obtaining module: computing the comparison sign from the AppSecret and the ts, nonce and appId in the authentication parameters according to the sign generation rule;
sign comparison module: and comparing the comparison sign with the sign in the authentication parameter.
Compared with the prior art, the invention has the advantages and positive effects that:
1. The latest authorization data of the authorization table in the MYSQL service is refreshed and cached at a set refresh frequency, so the number of database accesses for the authorization access list is reduced and the database is not hit by every high-frequency interface access authentication.
2. The open interface service caches each nonce for the caching time, so replay attacks on the interface are prevented, the possibility of the interface being broken is reduced, and the risk is lowered.
3. The method solves the security authentication problem in the design of a service open interface and protects the interface to the greatest extent; by pre-authorizing each service with its own appSecret it ties the key to the http request, and it also addresses the security problem of keys being leaked or recovered from captured and unpacked http request data, thereby improving data security.
Drawings
FIG. 1 is a schematic diagram of steps of a security authentication method based on open interface communication according to the present invention;
FIG. 2 is a flowchart based on step S5 in FIG. 1 according to the present invention;
FIG. 3 is a block diagram of a security authentication system based on open interface communication according to the present invention;
fig. 4 is a frame diagram of a computer device according to an embodiment of the present application.
Wherein, the reference numerals are as follows:
11. a service construction unit; 12. a data caching unit; 13. an interface specifying unit; 14. an interface request unit; 15. a comparison unit; 151. an AppSecret query module; 152. a comparison sign obtaining module; 153. a sign comparison module; 16. an authorization authentication unit; 81. a processor; 82. a memory; 83. a communication interface; 80. a bus.
Detailed Description
In order to make the objects, technical solutions and advantages of the present application more apparent, the present application is described and illustrated below with reference to the accompanying drawings and examples. It should be understood that the specific embodiments described herein are for purposes of illustration only and are not intended to limit the present application. All other embodiments, which can be made by one of ordinary skill in the art without undue burden on the person of ordinary skill in the art based on the embodiments provided herein, are intended to be within the scope of the present application.
It is apparent that the drawings in the following description are only some examples or embodiments of the present application, and those of ordinary skill in the art can apply the present application to other similar situations according to these drawings without inventive effort. Moreover, it should be appreciated that while such a development effort might be complex and lengthy, it would nevertheless be a routine undertaking of design, fabrication, or manufacture for those of ordinary skill having the benefit of this disclosure.
Reference in the specification to "an embodiment" means that a particular feature, structure, or characteristic described in connection with the embodiment may be included in at least one embodiment of the application. The appearances of such phrases in various places in the specification are not necessarily all referring to the same embodiment, nor are separate or alternative embodiments mutually exclusive of other embodiments. It is to be expressly and implicitly understood by those of ordinary skill in the art that the embodiments described herein can be combined with other embodiments without conflict.
Unless defined otherwise, technical or scientific terms used herein should be given the ordinary meaning as understood by one of ordinary skill in the art to which this application belongs. Reference to "a," "an," "the," and similar terms herein do not denote a limitation of quantity, but rather denote the singular or plural. The terms "comprising," "including," "having," and any variations thereof, are intended to cover a non-exclusive inclusion; for example, a process, method, system, article, or apparatus that comprises a list of steps or modules (elements) is not limited to only those steps or elements but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus. The terms "connected," "coupled," and the like in this application are not limited to physical or mechanical connections, but may include electrical connections, whether direct or indirect. The term "plurality" as used herein refers to two or more. "and/or" describes an association relationship of an association object, meaning that there may be three relationships, e.g., "a and/or B" may mean: a exists alone, A and B exist together, and B exists alone. The character "/" generally indicates that the context-dependent object is an "or" relationship. The terms "first," "second," "third," and the like, as used herein, are merely distinguishing between similar objects and not representing a particular ordering of objects.
The present invention will be described in detail below with reference to the embodiments shown in the drawings, but it should be understood that the embodiments are not limited to the present invention, and functional, method, or structural equivalents and alternatives according to the embodiments are within the scope of protection of the present invention by those skilled in the art.
Before explaining the various embodiments of the invention in detail, the core inventive concepts of the invention are summarized and described in detail by the following examples.
According to the invention, the latest authorization data is refreshed from the MYSQL service on schedule and the updated data in the OpenAuth (authorization) table is cached; the relevant interfaces needing authentication are designated; when the authorized service initiates a request, the http request header carries the relevant authentication parameters; the appSecret corresponding to the application is then looked up in the OpenAuth data table or the cache according to the appId, a comparison sign is obtained according to the sign generation rule and compared with the sign transmitted by the authorized service; and after the comparison passes, the interface passes through the authorization authentication module, completing the authorization process.
Embodiment one:
fig. 1 is a schematic step diagram of a security authentication method based on open interface communication according to the present invention. As shown in fig. 1, this embodiment discloses a specific implementation of a security authentication method (hereinafter referred to as "method") based on open interface communication.
Specifically, the method disclosed in this embodiment mainly includes the following steps:
step S1: setting up an authorization service and a MYSQL service, and initializing a related authorization table in the MYSQL service;
specifically, build MYSQL service and initialize related authorization table (OpenAuth) in MYSQL service, and the information specified by the authorization table field includes, but is not limited to: app source name, appId, appSecret, status validity, creation date.
Step S2: caching the updated authorization data in the authorization table into the memory data of the authorization service;
Specifically, when the memory data is used as a cache, a refresh frequency is set, and the latest authorization data is refreshed from the MYSQL service at that frequency to cache the OpenAuth data, so that the number of database accesses for the authorization access list is reduced and the database is not hit by every high-frequency interface access authentication.
When authorized App names, AppIds and AppSecrets are added to the OpenAuth table, they should as far as possible be generated from multidimensional string combinations to increase security. The AppId and AppSecret are handed to the relevant application user for storage, and their transmission security must be ensured to prevent the data security risks caused by leakage.
Step S3: the authorized service designates an interface requiring security authentication;
Specifically, the open service designates the relevant interfaces that need authentication, and requests to those interfaces must pass the security authentication module.
Step S4: the authorized service initiates a request to an interface passing through security authentication in the interfaces and carries related authentication parameters;
Specifically, the authorized service initiates a request and, when requesting the interface, carries the relevant authentication parameters in the http request header: ts (timestamp), nonce (random string), sign (signature for verification) and appId (application id); the sign generation rule is hash(ts+nonce+appId+appSecret).
Step S5: obtaining a comparison sign according to the authentication parameters, an authorization table and memory data, and comparing the comparison sign with the sign in the authentication parameters;
specifically, firstly, the open interface service caches the nonce according to the set caching time to prevent the interface replay attack, and then referring to fig. 2, step S5 specifically includes the following steps:
step S51: inquiring corresponding AppSecret through the authorization table or the memory data according to the AppId;
step S52: computing the comparison sign from the AppSecret and the ts, nonce and appId in the authentication parameters according to the sign generation rule;
step S53: and comparing the comparison sign with the sign in the authentication parameter.
Step S6: after the comparison is passed, the interface performs authorization authentication through an authorization authentication module, and the authorization process is completed if the authorization authentication is successful.
Specifically, after the authorization process in step S6 is completed, the open interface service enters an interface logic layer for processing, and returns the related data of the interface with successful authorization authentication.
The application flow of the method is specifically described as follows:
1. An authorization service and a MYSQL service are built and the related authorization table OpenAuth is initialized; the table fields specify the App source name, appId, appSecret, status validity, creation date, and so on.
2. The memory data cache refreshes the latest authorization data from MYSQL every 60 seconds to cache the OpenAuth data, reducing the number of database accesses for the authorization access list so that the database is not hit by every high-frequency interface access authentication.
3. When authorized App names, AppIds and AppSecrets are added to the OpenAuth table, they are as far as possible generated from multidimensional string combinations to increase security; the AppId and AppSecret are handed to the relevant application user for storage, and their transmission security must be ensured to prevent the data security risks caused by leakage.
4. The open service specifies the relevant interfaces that need authentication, so that the protected interfaces must pass through the security authentication module.
5. The authorized service initiates a request and, when requesting a protected interface, carries the related authentication parameters in the http request header: ts (timestamp), nonce (random string), sign (signature for verification) and appId (application id); the sign generation rule is hash(ts+nonce+appId+appSecret).
6. The open interface service caches each nonce for 60 seconds to prevent interface replay attacks. It then looks up the appSecret corresponding to the appId in the OpenAuth data table or the cache, computes hash(ts+nonce+appId+appSecret) by the same rule and compares it with the sign transmitted by the authorized service; authentication passes when the two match.
7. If the interface then passes the authorization authentication module, the authorization process is completed, the interface logic layer is entered for processing, and the relevant interface data is returned.
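The whole flow (steps S1 to S6 of the first embodiment and the seven numbered application steps above) as one added worked example in Python. This is not code from the patent or from the assignee. Assumptions: an in-memory sqlite3 database stands in for the MYSQL service and the OpenAuth column names are chosen here; the page gives the rule hash(ts+nonce+appId+appSecret) without fixing the hash function, so SHA-256 is used, and a "|" delimiter is inserted between the fields so that adjacent fields cannot run together; the timestamp window, the constant-time comparison and keying the nonce cache by (appId, nonce) go beyond the page and are additions a practitioner would want. The two OpenAuth rows are constructed test data, not real credentials.

```python
"""Open-interface authentication: table cache, request signing, nonce cache.
Added example; sqlite3 stands in for MYSQL, SHA-256 and the '|' delimiter
are assumptions, and the OpenAuth column names are chosen here."""
import hashlib
import hmac
import secrets
import sqlite3
import time

# Constructed OpenAuth rows: (app source name, appId, appSecret, status, creation date).
CONSTRUCTED_ROWS = [
    ("report-service", "app-1001", "c0ffee5f1c9e4b7a8d2e6f3a1b5c7d9e", 1, "2021-03-01"),
    ("legacy-service", "app-1002", "deadbeef0123456789abcdef01234567", 0, "2020-01-01"),
]


def init_open_auth_db() -> sqlite3.Connection:
    """Step S1: build the authorization table (sqlite3 standing in for MySQL)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE OpenAuth (app_name TEXT, app_id TEXT PRIMARY KEY,"
               " app_secret TEXT, status INTEGER, created_at TEXT)")
    db.executemany("INSERT INTO OpenAuth VALUES (?, ?, ?, ?, ?)", CONSTRUCTED_ROWS)
    return db


def compute_sign(ts: str, nonce: str, app_id: str, app_secret: str) -> str:
    """Sign rule from the page: hash(ts + nonce + appId + appSecret); SHA-256 assumed."""
    msg = "|".join((ts, nonce, app_id, app_secret)).encode()
    return hashlib.sha256(msg).hexdigest()


def build_auth_headers(app_id: str, app_secret: str, now=time.time) -> dict:
    """Authorized service side (step S4): the four headers carried on the request."""
    ts, nonce = str(int(now())), secrets.token_hex(16)
    return {"ts": ts, "nonce": nonce, "appId": app_id,
            "sign": compute_sign(ts, nonce, app_id, app_secret)}


class OpenInterfaceService:
    """Open interface side: cached OpenAuth (S2), nonce cache and sign check (S5)."""

    def __init__(self, db, refresh_seconds=60, nonce_ttl=60, ts_window=60, now=time.time):
        self.db, self.now = db, now
        self.refresh_seconds, self.nonce_ttl = refresh_seconds, nonce_ttl
        self.ts_window = ts_window
        self._cache = {}                      # appId -> (appSecret, status)
        self._cache_loaded_at = float("-inf")
        self._nonces = {}                     # (appId, nonce) -> expiry time
        self.db_reads = 0                     # how often the table was really read

    def _refresh_cache(self) -> None:
        """Step S2: reload OpenAuth into memory at most once per refresh_seconds."""
        if self.now() - self._cache_loaded_at < self.refresh_seconds:
            return
        rows = self.db.execute("SELECT app_id, app_secret, status FROM OpenAuth").fetchall()
        self._cache = {app_id: (secret, status) for app_id, secret, status in rows}
        self._cache_loaded_at = self.now()
        self.db_reads += 1

    def verify(self, headers: dict) -> tuple:
        """Steps S5/S6: returns (True, 'ok') or (False, reason); cheapest checks first."""
        try:
            ts, nonce, app_id, sign = (headers[k] for k in ("ts", "nonce", "appId", "sign"))
        except KeyError as exc:
            return False, f"missing header {exc.args[0]}"
        now = self.now()
        # Timestamp window (an addition): the nonce cache alone only catches a
        # replay that arrives within nonce_ttl of the original request.
        if not ts.isdigit() or abs(now - int(ts)) > self.ts_window:
            return False, "ts outside window"
        self._nonces = {k: exp for k, exp in self._nonces.items() if exp > now}
        if (app_id, nonce) in self._nonces:
            return False, "nonce replayed"
        self._refresh_cache()  # S51: appSecret comes from the cache, not a per-request DB hit
        entry = self._cache.get(app_id)
        if entry is None or entry[1] != 1:
            return False, "unknown or disabled appId"
        expected = compute_sign(ts, nonce, app_id, entry[0])                 # S52
        if not hmac.compare_digest(expected.encode(), sign.encode()):        # S53
            return False, "sign mismatch"
        self._nonces[(app_id, nonce)] = now + self.nonce_ttl  # step 6: cache the nonce
        return True, "ok"


if __name__ == "__main__":
    svc = OpenInterfaceService(init_open_auth_db())
    hdrs = build_auth_headers("app-1001", CONSTRUCTED_ROWS[0][2])
    print(svc.verify(hdrs))   # (True, 'ok')
    print(svc.verify(hdrs))   # (False, 'nonce replayed')
```

Run as a script it accepts one signed request and rejects its replay. The clock is injectable so the 60 s refresh of the authorization cache and the 60 s nonce lifetime can be exercised without waiting; the `db_reads` counter shows that repeated verifications within the refresh interval never touch the table. The page's rule hashes the secret as the last field of a plain digest; keying an HMAC with appSecret over ts, nonce and appId would be the standard construction and is a one-line change in `compute_sign`.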
The invention solves the security authentication problem in the design of a service open interface and protects the interface to the greatest extent; by pre-authorizing each service with its own appSecret it ties the key to the http request and reduces the security problem of keys being leaked or recovered from captured and unpacked http request data. At the same time, replay attacks on the interface are prevented, which reduces the possibility of the interface being broken and lowers the risk. Authorization efficiency is also taken into account: an authorization data caching module is added so that the impact of the authorization module on application efficiency is reduced to the greatest extent.
Embodiment two:
in connection with the first embodiment, a security authentication method based on open interface communication is disclosed, and this embodiment discloses a specific implementation example of a security authentication system (hereinafter referred to as "system") based on open interface communication.
Referring to fig. 3, the system includes:
service creation unit 11: setting up an authorization service and a MYSQL service, and initializing a related authorization table in the MYSQL service;
data caching unit 12: caching the updated authorization data in the authorization table into the memory data of the authorization service;
interface specification unit 13: the authorized service designates an interface requiring security authentication;
interface request unit 14: the authorized service initiates a request to an interface passing through security authentication in the interfaces and carries related authentication parameters;
comparison unit 15: obtaining a comparison sign according to the authentication parameters, the authorization table and the memory data, and comparing the comparison sign with the sign in the authentication parameters;
authorization authentication unit 16: after the comparison is passed, the interface performs authorization authentication through an authorization authentication module, and the authorization process is completed if the authorization authentication is successful.
Specifically, the comparison unit 15 includes:
the AppSecret query module 151: inquiring corresponding AppSecret through the authorization table or the memory data according to the AppId;
comparison sign obtaining module 152: comparing the AppSecret with ts, nonce, appId in the authentication parameters according to the sign generation rule;
sign comparison module 153: and comparing the comparison sign with the sign in the authentication parameter.
The technical solutions of the same parts of the secure authentication system based on open interface communication disclosed in this embodiment and the secure authentication method based on open interface communication disclosed in the first embodiment are described in the first embodiment, and are not repeated here.
Embodiment III:
referring to FIG. 4, this embodiment discloses a specific implementation of a computer device. The computer device may include a processor 81 and a memory 82 storing computer program instructions.
In particular, the processor 81 may include a Central Processing Unit (CPU), or an application specific integrated circuit (Application Specific Integrated Circuit, abbreviated as ASIC), or may be configured to implement one or more integrated circuits of embodiments of the present application.
Memory 82 may include, among other things, mass storage for data or instructions. By way of example, and not limitation, memory 82 may comprise a hard disk drive (HDD), floppy disk drive, solid state drive (SSD), flash memory, optical disk, magneto-optical disk, tape, or universal serial bus (USB) drive, or a combination of two or more of the foregoing. The memory 82 may include removable or non-removable (or fixed) media, where appropriate. The memory 82 may be internal or external to the data processing apparatus, where appropriate. In a particular embodiment, the memory 82 is a non-volatile memory. In a particular embodiment, the memory 82 includes read-only memory (ROM) and random access memory (RAM). Where appropriate, the ROM may be a mask-programmed ROM, a programmable ROM (PROM), an erasable PROM (EPROM), an electrically erasable PROM (EEPROM), an electrically alterable ROM (EAROM), or a flash memory, or a combination of two or more of these. The RAM may be static random-access memory (SRAM) or dynamic random-access memory (DRAM), where the DRAM may be fast page mode DRAM (FPM DRAM), extended data out DRAM (EDO DRAM), synchronous DRAM (SDRAM), or the like, as appropriate.
Memory 82 may be used to store or cache various data files that need to be processed and/or communicated, as well as possible computer program instructions for execution by processor 81.
The processor 81 implements the method of security authentication of any of the above embodiments by reading and executing computer program instructions stored in the memory 82.
In some of these embodiments, the computer device may also include a communication interface 83 and a bus 80. As shown in fig. 4, the processor 81, the memory 82, and the communication interface 83 are connected to each other through the bus 80 and perform communication with each other.
The communication interface 83 is used to implement communication between the various modules, devices, units and/or sub-units in the embodiments of the present application. The communication interface 83 may also enable data communication with other components, such as external equipment, image/data acquisition equipment, databases, external storage, image/data processing workstations and the like.
Bus 80 includes hardware, software, or both, coupling the components of the computer device to each other. Bus 80 includes, but is not limited to, at least one of: a data bus, an address bus, a control bus, an expansion bus, a local bus. By way of example, and not limitation, bus 80 may include an Accelerated Graphics Port (AGP) or other graphics bus, an Extended Industry Standard Architecture (EISA) bus, a Front Side Bus (FSB), a HyperTransport (HT) interconnect, an Industry Standard Architecture (ISA) bus, an InfiniBand interconnect, a Low Pin Count (LPC) bus, a memory bus, a Micro Channel Architecture (MCA) bus, a Peripheral Component Interconnect (PCI) bus, a PCI-Express (PCIe) bus, a Serial Advanced Technology Attachment (SATA) bus, a Video Electronics Standards Association Local Bus (VLB), or other suitable bus, or a combination of two or more of the foregoing. Bus 80 may include one or more buses, where appropriate. Although embodiments of the present application describe and illustrate a particular bus, the present application contemplates any suitable bus or interconnect.
In addition, in combination with the security authentication method in the above embodiment, the embodiment of the application may be implemented by providing a computer readable storage medium. The computer readable storage medium has stored thereon computer program instructions; the computer program instructions, when executed by a processor, implement any of the security authentication methods of the embodiments described above.
The technical features of the above-described embodiments may be combined arbitrarily. For brevity, not all possible combinations of the technical features of the above-described embodiments are described; however, as long as a combination of technical features contains no contradiction, it should be considered within the scope of this description.
In summary, the method has the following advantages. The latest authorization data of the authorization table in the MYSQL service is refreshed and cached at a set refresh frequency, which reduces the number of database reads for the authorization access list and prevents the database penetration that high-frequency interface access authentication would otherwise cause. The open interface service caches the nonce for the set caching time, which prevents replay attacks on the interface, reduces the chance of the interface being cracked, and so reduces risk. The method thus solves the security authentication problem in the design of an open service interface and protects the interface to the greatest extent: it addresses the problem of each service's pre-authorized appSecret being carried with the http request, and the resulting security problem of key leakage or cracking through capture (unpacking) of the http request data.
The above examples merely represent a few embodiments of the present application, which are described in more detail and are not to be construed as limiting the scope of the invention. It should be noted that it would be apparent to those skilled in the art that various modifications and improvements could be made without departing from the spirit of the present application, which would be within the scope of the present application. Accordingly, the scope of protection of the present application is to be determined by the claims appended hereto.

Claims (8)

1. A security authentication method based on open interface communication, comprising:
a service construction step: setting up an authorization service and a MYSQL service, and initializing a related authorization table in the MYSQL service;
a data caching step: caching the updated authorization data of the authorization table into the memory data of the authorization service;
an interface specifying step: the authorized service designates an interface requiring security authentication;
an interface request step: the authorized service initiates a request to an interface among the interfaces that passes through security authentication, carrying related authentication parameters, wherein the authentication parameters comprise: ts, nonce, sign and appId, and the sign generation rule is hash(ts+nonce+AppId+AppSecret);
a comparison step: obtaining a comparison sign according to the authentication parameters, the authorization table and the memory data, and comparing the comparison sign with the sign in the authentication parameters;
an authorization authentication step: after the comparison passes, the interface performs authorization authentication through an authorization authentication module, and the authorization process is completed if the authorization authentication succeeds;
wherein the comparison step comprises:
an AppSecret query step: querying the corresponding AppSecret from the authorization table or the memory data according to the AppId;
a comparison sign obtaining step: obtaining the comparison sign from the AppSecret and the ts, nonce and AppId in the authentication parameters according to the sign generation rule;
a sign comparison step: comparing the comparison sign with the sign in the authentication parameters.
2. The security authentication method based on open interface communication according to claim 1, wherein the information specified by the fields of the authorization table includes, but is not limited to: app source name, appId, appSecret, status validity, creation date.
3. The security authentication method based on open interface communication according to claim 1, wherein the data caching step further comprises:
a data refreshing step: setting a refresh frequency, and refreshing the updated authorization data in the authorization table according to the refresh frequency.
4. The security authentication method based on open interface communication according to claim 1, wherein the interface specifying step further comprises:
a security authentication step: performing security authentication on the interface through a security authentication module.
5. The security authentication method based on open interface communication according to claim 1, wherein the interface request step further comprises: the authorized service carries the relevant authentication parameters in the http request header when initiating the request.
6. The security authentication method based on open interface communication according to claim 5, wherein the comparison step further comprises: the open interface service caches the nonce according to the set caching time.
7. The security authentication method based on open interface communication according to claim 1, wherein after the authorization process in the authorization authentication step is completed, the open interface service enters the interface logic layer for processing and returns the related data of the interface for which authorization succeeded.
8. A security authentication system based on open interface communication, comprising:
a service construction unit: setting up an authorization service and a MYSQL service, and initializing a related authorization table in the MYSQL service;
a data caching unit: caching the updated authorization data of the authorization table into the memory data of the authorization service;
an interface specifying unit: the authorized service designates an interface requiring security authentication;
an interface request unit: the authorized service initiates a request to an interface among the interfaces that passes through security authentication, carrying related authentication parameters, wherein the authentication parameters comprise: ts, nonce, sign and appId, and the sign generation rule is hash(ts+nonce+AppId+AppSecret);
a comparison unit: obtaining a comparison sign according to the authentication parameters, the authorization table and the memory data, and comparing the comparison sign with the sign in the authentication parameters;
an authorization authentication unit: after the comparison passes, the interface performs authorization authentication through an authorization authentication module, and the authorization process is completed if the authorization authentication succeeds;
wherein the comparison unit comprises:
an AppSecret query module: querying the corresponding AppSecret from the authorization table or the memory data according to the AppId;
a comparison sign obtaining module: obtaining the comparison sign from the AppSecret and the ts, nonce and AppId in the authentication parameters according to the sign generation rule;
a sign comparison module: comparing the comparison sign with the sign in the authentication parameters.
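The server-side check that the claims and the summary describe, as an added Python example that is not code from the patent or its assignee: a client builds the ts/nonce/sign/appId headers of claims 1 and 5, and the open interface service recomputes the comparison sign from an in-memory copy of the authorization table that is reloaded at a refresh frequency (claim 3), then records the nonce for the caching time so a repeated request is rejected as a replay (claim 6). The hash function (SHA-256 over the plain concatenation), the timestamp window, the constructed authorization rows and secrets, and every class and function name are assumptions; the claims name none of them.

```python
import hashlib
import hmac
import time

# Constructed stand-in for the authorization table of claim 2 (the patent keeps
# it in the MYSQL service); rows and secrets are made up for this example.
AUTHORIZATION_TABLE = [
    {"app_source_name": "report-service", "appId": "app-001",
     "appSecret": "s3cr3t-001", "status": 1, "created": "2021-03-29"},
    {"app_source_name": "legacy-batch", "appId": "app-002",
     "appSecret": "s3cr3t-002", "status": 0, "created": "2021-03-29"},
]


def compute_sign(ts, nonce, app_id, app_secret):
    # Sign rule of claim 1: hash(ts+nonce+appId+appSecret). SHA-256 over the
    # plain concatenation is an assumption; the claim names no hash function.
    return hashlib.sha256(f"{ts}{nonce}{app_id}{app_secret}".encode()).hexdigest()


class AuthorizationCache:
    # Memory copy of the authorization table, reloaded at a fixed refresh
    # frequency (claim 3) so per-request lookups do not reach the database.
    def __init__(self, load_rows, refresh_seconds, clock=time.time):
        self._load_rows, self._refresh, self._clock = load_rows, refresh_seconds, clock
        self._rows, self._loaded_at = {}, None
        self.db_reads = 0  # trips to the "database", for observing the cache

    def lookup(self, app_id):
        now = self._clock()
        if self._loaded_at is None or now - self._loaded_at >= self._refresh:
            self._rows = {r["appId"]: r for r in self._load_rows()}
            self._loaded_at, self.db_reads = now, self.db_reads + 1
        return self._rows.get(app_id)


class NonceCache:
    # Nonces accepted within the caching time (claim 6); a repeat is a replay.
    def __init__(self, ttl_seconds, clock=time.time):
        self._ttl, self._clock, self._seen = ttl_seconds, clock, {}

    def check_and_record(self, nonce):
        # True if the nonce is new (it is then recorded), False if replayed.
        now = self._clock()
        self._seen = {n: t for n, t in self._seen.items() if now - t < self._ttl}
        if nonce in self._seen:
            return False
        self._seen[nonce] = now
        return True


class OpenInterfaceVerifier:
    # Comparison step of claim 1 applied to the http request headers of claim 5.
    def __init__(self, auth_cache, nonce_cache, ts_window_seconds, clock=time.time):
        self._auth, self._nonces, self._clock = auth_cache, nonce_cache, clock
        self._window = ts_window_seconds  # assumed clock-skew bound, not in the claims

    def verify(self, headers):
        # Returns (accepted, reason) for a dict of ts/nonce/sign/appId headers.
        for name in ("ts", "nonce", "sign", "appId"):
            if name not in headers:
                return False, f"missing header {name}"
        try:
            ts = int(headers["ts"])
        except (ValueError, TypeError):
            return False, "ts is not an integer"
        # Bounding ts means the nonce cache only has to remember one window.
        if abs(self._clock() - ts) > self._window:
            return False, "ts outside accepted window"
        row = self._auth.lookup(headers["appId"])  # AppSecret query step
        if row is None or row["status"] != 1:
            return False, "unknown or disabled appId"
        expected = compute_sign(headers["ts"], headers["nonce"],
                                headers["appId"], row["appSecret"])
        # Constant-time comparison so response timing does not leak sign bytes.
        if not hmac.compare_digest(expected.encode(), str(headers["sign"]).encode()):
            return False, "sign mismatch"  # sign comparison step failed
        # Record the nonce only after the sign verified, so unauthenticated
        # traffic cannot pre-fill the cache with nonces a real client will use.
        if not self._nonces.check_and_record(headers["nonce"]):
            return False, "nonce already used (replay)"
        return True, "ok"


def build_request(ts, nonce, app_id, app_secret):
    # Client side of the interface request step: the headers the authorized
    # service sends. The appSecret itself never leaves the client.
    return {"ts": str(ts), "nonce": nonce, "appId": app_id,
            "sign": compute_sign(ts, nonce, app_id, app_secret)}
```

With `refresh_seconds=60`, every request for the same appId within a minute is answered from memory, which is the database-penetration point of the summary; the nonce cache TTL should be at least the ts window, otherwise a captured request could be replayed once its nonce is evicted while its ts is still inside the window.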
CN202110332256.2A 2021-03-29 2021-03-29 Security authentication method and system based on open interface communication Active CN113076555B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110332256.2A CN113076555B (en) 2021-03-29 2021-03-29 Security authentication method and system based on open interface communication

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202110332256.2A CN113076555B (en) 2021-03-29 2021-03-29 Security authentication method and system based on open interface communication

Publications (2)

Publication Number Publication Date
CN113076555A CN113076555A (en) 2021-07-06
CN113076555B true CN113076555B (en) 2024-02-06

Family

ID=76610887

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110332256.2A Active CN113076555B (en) 2021-03-29 2021-03-29 Security authentication method and system based on open interface communication

Country Status (1)

Country Link
CN (1) CN113076555B (en)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104350501A (en) * 2012-05-25 2015-02-11 佳能株式会社 Authorization server and client apparatus, server cooperative system, and token management method
CN110945850A (en) * 2017-08-11 2020-03-31 万事达卡国际公司 System and method for automating security control between computer networks
CN112016106A (en) * 2020-08-19 2020-12-01 杭州指令集智能科技有限公司 Authentication calling method, device, equipment and readable storage medium of open interface

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CA3035020C (en) * 2017-11-17 2023-03-07 Huawei Technologies Co., Ltd. System and method for channel measurement and interference measurement in wireless network

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104350501A (en) * 2012-05-25 2015-02-11 佳能株式会社 Authorization server and client apparatus, server cooperative system, and token management method
CN110945850A (en) * 2017-08-11 2020-03-31 万事达卡国际公司 System and method for automating security control between computer networks
CN112016106A (en) * 2020-08-19 2020-12-01 杭州指令集智能科技有限公司 Authentication calling method, device, equipment and readable storage medium of open interface

Also Published As

Publication number Publication date
CN113076555A (en) 2021-07-06

Similar Documents

Publication Publication Date Title
EP3694175B1 (en) System and method for delegating authority through coupled devices
KR101729960B1 (en) Method and Apparatus for authenticating and managing an application using trusted platform module
CN108880821B (en) Authentication method and equipment of digital certificate
CN112131021B (en) Access request processing method and device
CN113726774B (en) Client login authentication method, system and computer equipment
US11296881B2 (en) Using IP heuristics to protect access tokens from theft and replay
CN103108327A (en) Method, device and system of verification of safety association between terminal equipment and user card
CN103679000A (en) Apparatus and method for remotely deleting critical information
US10122728B2 (en) Delegated resource authorization for replicated applications
CN104935435A (en) Login methods, terminal and application server
CN111988262B (en) Authentication method, authentication device, server and storage medium
CN114040411B (en) Equipment binding method and device, electronic equipment and storage medium
CN113076555B (en) Security authentication method and system based on open interface communication
CN108055299A (en) Portal page push method, network access server and portal certification system
US10693857B2 (en) Single key authentication method
CN114866247B (en) Communication method, device, system, terminal and server
CN113784354B (en) Request conversion method and device based on gateway
US10599828B2 (en) Single key authentication method
CN102647273B (en) Generation methods and devices of user root key and user key for trusted computing platform
CN113395249A (en) Client login authentication method, system and computer equipment
US20240160739A1 (en) NFT-based Firmware Management
CN114401110B (en) Request authentication method, system, computer device and readable storage medium
CN113794716B (en) Network access authentication method, device and equipment for terminal equipment and readable storage medium
CN116155625B (en) Key exchange method, device, electronic equipment, storage medium and program product
TWI817162B (en) Component-free signature system for mobile device and method thereof

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant