CN113141365B - Distributed micro-service data transmission method, device, system and electronic equipment - Google Patents

Distributed micro-service data transmission method, device, system and electronic equipment

Info

Publication number: CN113141365B
Application number: CN202110439097.6A
Authority: CN (China)
Prior art keywords: request, data request, token, authentication information, data
Legal status: Active
Other languages: Chinese (zh)
Other versions: CN113141365A
Inventors: 梁静, 汤仲喆, 段小燕, 孙孟雷
Current assignee: Industrial and Commercial Bank of China Ltd (ICBC)
Original assignee: Industrial and Commercial Bank of China Ltd (ICBC)
Events: application filed by Industrial and Commercial Bank of China Ltd (ICBC) with priority to CN202110439097.6A; published as CN113141365A; application granted and published as CN113141365B; current legal status Active.

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/604 Tools and structures for managing or administering access control systems
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/64 Protecting data integrity, e.g. using checksums, certificates or signatures
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0442 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply asymmetric encryption, i.e. different keys for encryption and decryption
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0807 Network architectures or network communication protocols for network security for authentication of entities using tickets, e.g. Kerberos
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/10 Protocols in which an application is distributed across nodes in the network
    • H04L67/1001 Protocols in which an application is distributed across nodes in the network for accessing one among a plurality of replicated servers
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2141 Access rights, e.g. capability lists, access control lists, access tables, access matrices

Abstract

The present disclosure provides a method, an apparatus, a system and an electronic device for distributed micro-service data transmission, which can be used in the big data field or the financial field. The method includes: receiving a data request from a client, wherein the data request comprises identity authentication information and request object information; in response to the data request, adding a source token and a session identifier to the request header of the data request to obtain an encapsulated data request; and sending the encapsulated data request to a master control server, so that the master control server, in response to the source token, passes the session identifier to a secondary server, and the secondary server verifies at least part of the authentication information that it obtains from a specified storage space based on the session identifier and, after successful verification, returns a request result corresponding to the data request, wherein the specified storage space holds at least part of the authentication information and the session identifier, stored in association with each other by the master control server.

Description

Distributed micro-service data transmission method, device, system and electronic equipment
Technical Field
The present disclosure relates to the field of big data technologies, and in particular, to a method, an apparatus, a system, and an electronic device for distributed micro-service data transmission.
Background
A distributed system built on a microservice framework is composed of many discrete services, divided according to business logic, that share data and exchange information. Such a system has low coupling, is easy to develop, deploy, scale out and scale in, has natural advantages when handling high-concurrency demands, and is at present the most important technical route and system framework for serving large-scale business.
In implementing the disclosed concept, the inventors found that at least the following problem exists in the related art: secure cross-domain data access in a distributed system is currently one of the urgent requirements and open research topics in secure data transmission.
Disclosure of Invention
In view of the above, the present disclosure provides a method, an apparatus, a system and an electronic device for distributed microservice data transmission for improving security of data cross-domain access.
One aspect of the present disclosure provides a method of distributed microservice data transmission performed by a gateway, comprising: receiving a data request from a client, wherein the data request comprises authentication information and request object information; in response to the data request, adding a source token and a session identifier to the request header of the data request to obtain an encapsulated data request; and sending the encapsulated data request to the master control server, so that the master control server, in response to the source token, passes the session identifier to the secondary server, and the secondary server verifies at least part of the authentication information obtained from the specified storage space based on the session identifier received from the master control server and, after successful verification, returns a request result corresponding to the data request, wherein the specified storage space holds at least part of the authentication information and the session identifier, stored in association by the master control server.
One aspect of the present disclosure provides a method for distributed microservice data transmission performed by a master control server, including: receiving an encapsulated data request from a gateway, wherein the encapsulated data request comprises identity authentication information; in response to the encapsulated data request, if the request header of the encapsulated data request comprises a source token indicating that the request comes from a specified gateway, verifying the authentication information and storing the session identifier in association with at least part of the authentication information in a specified storage space; and if the verification succeeds, setting a session token in the request header of the encapsulated data request to obtain a distributed data request, and sending the distributed data request to the secondary server, wherein the session token comprises the session identifier, so that the secondary server verifies at least part of the authentication information obtained from the specified storage space based on the session identifier and, after successful verification, returns a request result corresponding to the data request.
One aspect of the present disclosure provides a method for distributed microservice data transmission performed by a secondary server, comprising: receiving a distributed data request from a master control server; in response to the distributed data request, if the request header of the distributed data request comprises a source token and a session token, and the session token comprises a session identifier, obtaining at least part of the identity authentication information from a specified storage space based on the session identifier and verifying it, wherein the specified storage space holds at least part of the authentication information and the session identifier, stored in association by the master control server; and after successful verification, returning a request result corresponding to the distributed data request, wherein the request result comprises a token string and encrypted target data, so that the master control server performs tamper detection on the encrypted target data based on the token string, the token string being generated at least from the source token and the session identifier.
One aspect of the present disclosure provides a method for distributed microservice data transmission performed by a distributed system, the distributed system including a client, a gateway, a master control server and a secondary server, the method comprising: the gateway receives a data request from the client, wherein the data request comprises authentication information and request object information; the gateway, in response to the data request, adds a source token and a session identifier to the request header of the data request to obtain an encapsulated data request; the gateway sends the encapsulated data request to the master control server; the master control server, in response to the encapsulated data request, if the request header of the encapsulated data request comprises a source token indicating that the request comes from the gateway, verifies the authentication information and stores the session identifier in association with at least part of the authentication information in the designated storage space; if the master control server's verification succeeds, it sets a session token in the request header of the encapsulated data request to obtain a distributed data request and sends the distributed data request to the secondary server; the secondary server, in response to the distributed data request, if the request header of the distributed data request comprises a source token and a session token, and the session token comprises a session identifier, verifies at least part of the identity authentication information obtained from the specified storage space based on the session identifier; and after successful verification, the secondary server returns a request result corresponding to the distributed data request, wherein the request result comprises a token string and encrypted target data, so that the master control server performs tamper detection on the encrypted target data based on the token string, the token string being generated at least from the source token and the session identifier.
One aspect of the present disclosure provides an apparatus for distributed micro-service data transmission, disposed in a gateway, where the apparatus includes: a data request receiving module for receiving a data request from a client, wherein the data request comprises identity authentication information and request object information; a data request response module for, in response to the data request, adding a source token and a session identifier to the request header of the data request to obtain an encapsulated data request; and an encapsulated data request sending module for sending the encapsulated data request to the master control server, so that the master control server, in response to the source token, passes the session identifier to the secondary server, and the secondary server verifies at least part of the authentication information obtained from the specified storage space based on the session identifier received from the master control server and, after successful verification, returns a request result corresponding to the data request, wherein the specified storage space holds at least part of the authentication information and the session identifier, stored in association by the master control server.
One aspect of the present disclosure provides an apparatus for distributed micro-service data transmission, disposed in a master control server, where the apparatus includes: an encapsulated data request receiving module for receiving an encapsulated data request from the gateway, wherein the encapsulated data request comprises identity authentication information; an encapsulated data request response module for, in response to the encapsulated data request, verifying the authentication information if the request header of the encapsulated data request comprises a source token indicating that the request comes from the specified gateway, and storing the session identifier in association with at least part of the authentication information in a specified storage space; and a distributed data request generating module for, if the verification succeeds, setting a session token in the request header of the encapsulated data request to obtain a distributed data request and sending the distributed data request to the secondary server, wherein the session token comprises the session identifier, so that the secondary server verifies at least part of the authentication information obtained from the specified storage space based on the session identifier and, after successful verification, returns a request result corresponding to the data request.
One aspect of the present disclosure provides an apparatus for distributed micro-service data transmission, disposed in a secondary server, where the apparatus includes: a distributed data request receiving module for receiving a distributed data request from a master control server; a distributed data request response module for, in response to the distributed data request, if the request header of the distributed data request comprises a source token and a session token, and the session token comprises a session identifier, obtaining at least part of the identity authentication information from a specified storage space based on the session identifier and verifying it, wherein the specified storage space holds at least part of the authentication information and the session identifier, stored in association by the master control server; and a request result returning module for, after successful verification, returning a request result corresponding to the distributed data request, wherein the request result comprises a token string and encrypted target data, so that the master control server performs tamper detection on the encrypted target data based on the token string, the token string being generated at least from the source token and the session identifier.
One aspect of the present disclosure provides a system for distributed micro-service data transmission, including a client, a gateway, a master control server and a secondary server, wherein: the gateway is configured to receive a data request from the client, wherein the data request comprises identity authentication information and request object information; in response to the data request, add a source token and a session identifier to the request header of the data request to obtain an encapsulated data request; and send the encapsulated data request to the master control server; the master control server is configured to, in response to the encapsulated data request, verify the authentication information if the request header of the encapsulated data request comprises a source token indicating that the request comes from the gateway, and store the session identifier in association with at least part of the authentication information in a specified storage space; and, if the verification succeeds, set a session token in the request header of the encapsulated data request to obtain a distributed data request and send the distributed data request to the secondary server; the secondary server is configured to, in response to the distributed data request, if the request header of the distributed data request comprises a source token and a session token, and the session token comprises a session identifier, verify at least part of the identity authentication information obtained from the specified storage space based on the session identifier; and, after successful verification, return a request result corresponding to the distributed data request, wherein the request result comprises a token string and encrypted target data, so that the master control server performs tamper detection on the encrypted target data based on the token string, the token string being generated at least from the source token and the session identifier.
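The abstract and the aspects above describe one three-party flow: the gateway stamps the request with a source token and a session identifier, the master control server checks the source token, authenticates, stores part of the authentication information under the session identifier and forwards a session token, and the secondary server re-checks the stored information and returns encrypted data with a token string that the master uses for tamper detection. The following is an added example modelling that flow, written for this page rather than taken from the patent or from any ICBC code. Everything concrete in it is an assumption: the header names, the HMAC construction of the source token and token string, the in-memory dictionary standing in for the "specified storage space", the credential table and target data, and a SHA-256 counter keystream standing in for the patent's own (undisclosed) encryption algorithm.

```python
"""Added example, not the patent's own code: a minimal model of the gateway /
master server / secondary server flow described above.  Header names, keys,
the shared session store and the keystream cipher are all assumptions."""
import hashlib
import hmac
import json
import secrets

GATEWAY_ID = "gateway-01"                     # the "specified gateway"
SOURCE_KEY = b"constructed-source-token-key"  # known to gateway, master and secondary
DATA_KEY = b"constructed-data-key"            # stand-in for the key shared by master and secondary
SESSION_STORE = {}                            # the "specified storage space" (e.g. a shared cache)
USERS = {"alice": {"password": "s3cret", "roles": ["reader"]}}   # constructed credential table
TARGET_DATA = {"orders": b'{"order": 42, "amount": "10.00"}'}    # constructed target data


def source_token(gateway_id):
    """Source token: HMAC binding a request (or result) to the specified gateway."""
    return hmac.new(SOURCE_KEY, gateway_id.encode(), hashlib.sha256).hexdigest()


def gateway_encapsulate(data_request):
    """Gateway: add the source token and a fresh session identifier to the request header."""
    headers = {"X-Source-Token": source_token(GATEWAY_ID),
               "X-Session-Id": secrets.token_hex(16)}
    return {**data_request, "headers": headers}


def keystream_xor(key, nonce, data):
    """Stand-in cipher (SHA-256 counter keystream); the patent's algorithm is not on the page."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def token_string(src_token, session_id, ciphertext):
    """Token string generated from the source token and session id, covering the ciphertext."""
    msg = src_token.encode() + session_id.encode() + ciphertext
    return hmac.new(DATA_KEY, msg, hashlib.sha256).hexdigest()


def master_authorize(enc_request):
    """Master: require the source token, verify auth info, store the session, build the request."""
    h = enc_request.get("headers", {})
    src = h.get("X-Source-Token", "")
    if not hmac.compare_digest(src, source_token(GATEWAY_ID)):
        return {"status": 403, "error": "request is not from the specified gateway"}
    auth = enc_request["auth"]
    user = USERS.get(auth.get("user"))
    if user is None or not hmac.compare_digest(user["password"], auth.get("password", "")):
        return {"status": 401, "error": "authentication failed"}
    session_id = h["X-Session-Id"]
    # Store only the part of the auth info the secondary needs, never the password.
    SESSION_STORE[session_id] = {"user": auth["user"], "roles": user["roles"]}
    dist_headers = {**h, "X-Session-Token": {"session_id": session_id}}
    return {"status": 200, "request": {"object": enc_request["object"], "headers": dist_headers}}


def secondary_handle(dist_request):
    """Secondary: require both tokens, verify the stored auth info, return token string + data."""
    h = dist_request.get("headers", {})
    src, sess = h.get("X-Source-Token", ""), h.get("X-Session-Token")
    if sess is None or not hmac.compare_digest(src, source_token(GATEWAY_ID)):
        return {"status": 403, "error": "missing or invalid source/session token"}
    session_id = sess["session_id"]
    stored = SESSION_STORE.get(session_id)
    if stored is None or "reader" not in stored["roles"]:
        return {"status": 403, "error": "no stored session or insufficient rights"}
    nonce = secrets.token_bytes(8)
    ct = nonce + keystream_xor(DATA_KEY, nonce, TARGET_DATA[dist_request["object"]])
    return {"status": 200, "token_string": token_string(src, session_id, ct), "ciphertext": ct}


def master_check_result(dist_request, result):
    """Master: tamper detection by recomputing the token string over the received ciphertext."""
    if result["status"] != 200:
        return result
    h = dist_request["headers"]
    ct = result["ciphertext"]
    expected = token_string(h["X-Source-Token"], h["X-Session-Token"]["session_id"], ct)
    if not hmac.compare_digest(result["token_string"], expected):
        return {"status": 502, "error": "tamper detected in secondary result"}
    return {"status": 200, "data": json.loads(keystream_xor(DATA_KEY, ct[:8], ct[8:]))}


def end_to_end(data_request, tamper=False):
    """Client -> gateway -> master -> secondary -> master; `tamper` flips a ciphertext byte."""
    step = master_authorize(gateway_encapsulate(data_request))
    if step["status"] != 200:
        return step
    result = secondary_handle(step["request"])
    if tamper and result["status"] == 200:
        ct = bytearray(result["ciphertext"])
        ct[-1] ^= 0x01
        result["ciphertext"] = bytes(ct)
    return master_check_result(step["request"], result)


if __name__ == "__main__":
    req = {"auth": {"user": "alice", "password": "s3cret"}, "object": "orders"}
    print(end_to_end(req))               # status 200 with the decrypted target data
    print(end_to_end(req, tamper=True))  # status 502, tamper detected
```

Two design points match the text rather than decorate it: the master stores only the subset of authentication information the secondary needs under the session identifier, so the password never leaves the master, and the token string is an HMAC over the source token, the session identifier and the ciphertext together, which is what lets the master tell a result that was modified in transit from a genuine one. Comparisons use `hmac.compare_digest` so token checks do not leak timing.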
Another aspect of the present disclosure provides an electronic device comprising one or more processors and a storage device, wherein the storage device is configured to store executable instructions, which when executed by the processors, implement the method as above.
Another aspect of the present disclosure provides a computer-readable storage medium storing computer-executable instructions for implementing the above method when executed.
Another aspect of the disclosure provides a computer program comprising computer executable instructions for implementing the method as above when executed.
According to the distributed microservice data transmission method, apparatus, system and electronic device described above, the request header of the data request comprises a source token and a session identifier. The source token is used to authenticate the source validity of the data request or of the request result, and the session identifier enables the secondary server to verify at least part of the identity verification information obtained from the designated storage space based on that identifier. This effectively solves the problem of inconsistent distributed sessions and improves the security of cross-domain data access.
The distributed micro-service data transmission method, apparatus, system and electronic device provided by the embodiments of the disclosure extend an existing encryption algorithm and incorporate the idea of an asymmetric encryption and decryption algorithm, so that the encryption scheme ensures not only the secure transmission of the encrypted data but also the secure transmission of the secret key, greatly improving security in data transmission.
Drawings
The above and other objects, features and advantages of the present disclosure will become more apparent from the following description of embodiments of the present disclosure with reference to the accompanying drawings, in which:
FIG. 1 schematically illustrates an exemplary system architecture to which the methods and apparatuses of distributed microservice data transfer may be applied, according to an embodiment of the present disclosure;
FIG. 2 schematically illustrates a flow chart of a method of distributed microservice data transfer according to an embodiment of the present disclosure;
FIG. 3 schematically illustrates a data flow diagram for a gateway according to an embodiment of the present disclosure;
FIG. 4 schematically illustrates a flow diagram of a method of distributed microservice data transfer according to another embodiment of the present disclosure;
FIG. 5 schematically shows a data flow diagram at the master server side according to an embodiment of the present disclosure;
FIG. 6 schematically illustrates a flow diagram of a method of distributed microservice data transfer according to another embodiment of the present disclosure;
FIG. 7 schematically illustrates a security authentication flow diagram according to an embodiment of the disclosure;
FIG. 8 schematically shows an actual key generation process diagram according to an embodiment of the disclosure;
FIG. 9 schematically illustrates the header of encrypted target data according to an embodiment of the present disclosure;
FIG. 10 schematically illustrates the tail portion of encrypted target data according to an embodiment of the present disclosure;
FIG. 11 schematically illustrates a flow diagram of a method of distributed microservice data transfer according to another embodiment of the present disclosure;
FIG. 12 schematically illustrates a block diagram of an apparatus for distributed microservice data transfer according to an embodiment of the present disclosure;
FIG. 13 schematically illustrates a block diagram of an apparatus for distributed microservice data transfer according to another embodiment of the present disclosure;
FIG. 14 schematically illustrates a block diagram of an apparatus for distributed microservice data transfer according to another embodiment of the present disclosure;
FIG. 15 schematically illustrates a block diagram of a distributed microservice data transmission system according to an embodiment of the present disclosure;
FIG. 16 schematically illustrates a logic diagram executed by a distributed microservice data transmission system according to an embodiment of the present disclosure; and
FIG. 17 schematically shows a block diagram of an electronic device according to an embodiment of the disclosure.
Detailed Description
Hereinafter, embodiments of the present disclosure will be described with reference to the accompanying drawings. It should be understood that the description is illustrative only and is not intended to limit the scope of the present disclosure. In the following detailed description, for purposes of explanation, numerous specific details are set forth in order to provide a thorough understanding of the embodiments of the disclosure. It may be evident, however, that one or more embodiments may be practiced without these specific details. Moreover, in the following description, descriptions of well-known structures and techniques are omitted so as to not unnecessarily obscure the concepts of the present disclosure.
The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the disclosure. The terms "comprises," "comprising," and the like, as used herein, specify the presence of stated features, steps, operations, and/or components, but do not preclude the presence or addition of one or more other features, steps, operations, or components.
All terms (including technical and scientific terms) used herein have the same meaning as commonly understood by one of ordinary skill in the art unless otherwise defined. It is noted that the terms used herein should be interpreted as having a meaning that is consistent with the context of this specification and should not be interpreted in an idealized or overly formal sense.
Where a convention analogous to "at least one of A, B or C, etc." is used, in general such a construction is intended in the sense one having skill in the art would understand the convention (e.g., "a system having at least one of A, B or C" would include but not be limited to systems that have A alone, B alone, C alone, A and B together, A and C together, B and C together, and/or A, B and C together, etc.). The terms "first" and "second" are used for descriptive purposes only and are not to be construed as indicating or implying relative importance or implicitly indicating the number of technical features indicated. Thus, a feature defined as "first" or "second" may explicitly or implicitly include one or more such features.
A distributed system built on a microservice framework is composed of many discrete services, divided according to business logic, that share data and exchange information. Such a system has low coupling, is easy to develop, deploy, scale out and scale in, has natural advantages when handling high-concurrency demands, and is at present the most important technical route and system framework for serving large-scale business. In view of this, secure cross-domain data access in a distributed system is currently one of the urgent requirements and open research topics in secure data transmission.
Currently, distributed frameworks fall mainly into two styles: Remote Procedure Call (RPC) and RESTful (a design style and development mode for network applications). With the development of internet technology in recent years, RESTful-style frameworks built on the lightweight Hypertext Transfer Protocol (HTTP), represented by Spring Cloud (an ordered collection of frameworks), have come to occupy an important position. The Spring Cloud framework is popular and simplifies packaging, providing an efficient and concise way to build a distributed system. In addition, as Java continues to evolve, reactive programming represented by WebFlux (a new reactive web technology stack that is fully non-blocking, supports Reactive Streams backpressure, and is not limited to Servlet containers, running for example on Netty) is increasingly favoured in today's high-concurrency environments because of its asynchronous, non-blocking character. The Spring project itself is also moving steadily toward reactive programming: it will no longer maintain the earlier non-reactive components and will continue to release and upgrade their reactive replacements. For these reasons, the distributed system framework here is built by combining the Spring Cloud framework with WebFlux technology.
As for distributed security frameworks, Spring Security OAuth2 is the one commonly used, but it is open source and heavyweight. The present method therefore designs a new, simpler and more efficient customised distributed security authentication framework by combining the idea of the JWT protocol with the characteristics of an organisation (such as a financial institution). In addition, the framework incorporates an independently developed extended encryption algorithm to ensure secure transmission of data between distributed systems.
The purpose of the present disclosure is to provide a secure data transmission scheme between distributed microservices. On the basis of the existing distributed framework, it solves the problem of distributed session storage. In addition, it integrates the independently developed extended encryption algorithm with the ideas of the existing security framework to ensure secure transmission, authentication and identification of the data.
The embodiments of the disclosure provide a method, an apparatus, a system and an electronic device for distributed micro-service data transmission. The distributed microservice data transmission method executed by the gateway comprises a data request encapsulation process and a data request transmission process. In the data request encapsulation process, a data request from a client is first received, wherein the data request comprises identity authentication information and request object information; then, in response to the data request, a source token and a session identifier are added to the request header of the data request to obtain the encapsulated data request. Once the encapsulation process is finished, the transmission process begins: the encapsulated data request is sent to the master control server, so that the master control server, in response to the source token, passes the session identifier to the secondary server, and the secondary server verifies at least part of the authentication information obtained from the specified storage space based on the session identifier and, after successful verification, returns a request result corresponding to the data request, wherein the specified storage space holds at least part of the authentication information and the session identifier, stored in association by the master control server.
It should be noted that the method, apparatus, system and electronic device for distributed micro-service data transmission provided in the embodiments of the present disclosure may be applied to microservice data transmission in big data and distributed technology, and may also be used in various fields other than big data and distributed technology, such as the financial field. The application fields of the distributed microservice data transmission method, device, system and electronic equipment provided by the embodiment of the disclosure are not limited.
Fig. 1 schematically illustrates an application scenario of a distributed microservice data transmission method, apparatus, system and electronic device according to an embodiment of the present disclosure. It should be noted that fig. 1 is only an example of a system architecture to which the embodiments of the present disclosure may be applied to help those skilled in the art understand the technical content of the present disclosure, and does not mean that the embodiments of the present disclosure may not be applied to other devices, systems, environments or scenarios.
As shown in fig. 1, the system architecture 100 according to this embodiment may include terminal devices 101, 102, 103, a network 104, and servers 105, 106, 107. The network 104 may include a plurality of routers, network cables, etc. to provide a medium for communication links between the terminal devices 101, 102, 103 and the servers 105, 106, 107. Network 104 may include various connection types, such as wired or wireless communication links, or fiber optic cables, to name a few.
The user can use the terminal devices 101, 102, 103 to interact with other terminal devices and servers 105, 106, 107 via the network 104 to receive or transmit information and the like, such as data request transmission, service request transmission, processing result reception and the like. The terminal devices 101, 102, 103 may be installed with various communication client applications, such as bank-type applications, web browser applications, office-type applications, search-type applications, instant messaging tools, mailbox clients, social platform software, etc. (for example only).
The terminal devices 101, 102, 103 include, but are not limited to, smart phones, virtual reality devices, augmented reality devices, tablets, laptop computers, and the like.
The servers 105, 106, 107 may receive the request and process the request. For example, the servers 105, 106, 107 may be back office management servers, gateways, server clusters, and the like. The background management server may analyze and process the received data request, and feed back a processing result (such as target data) to the terminal device.
It should be noted that the parameter verification method provided by the embodiments of the present disclosure may generally be executed by the servers 105, 106, 107. It should be understood that the numbers of terminal devices, networks, and servers are merely illustrative. There may be any number of terminal devices, networks, and servers, as desired for implementation.
Fig. 2 schematically illustrates a flow chart of a method of distributed microservice data transfer in accordance with an embodiment of the present disclosure.
As shown in fig. 2, the method for distributed microservice data transmission performed by a gateway may include operations S201 to S203.
In operation S201, a data request originating from a client is received, the data request including authentication information and request object information.
In this embodiment, a data request originating from a client may first pass through a static resource server (Nginx) and then be sent by Nginx to a gateway. The gateway can be an independent gateway or integrated into the master control server.
For example, the user accesses a login page to perform a login operation and sends a data request (which may be a data request for a certain service), and the data request is routed to the Gateway of the framework through Nginx.
In one embodiment, the method may further include processing, by a circuit breaker, the request header parameters or the response header parameters to perform circuit-breaking (fusing) or degradation on service forwarding and/or invocation. For example, a circuit breaker (e.g., Resilience4J) provides circuit-breaking and degradation guarantees for service forwarding calls.
In operation S202, in response to the data request, a source token and a session identifier are added to a request header of the data request, so as to obtain an encapsulated data request.
A session identifier (Session ID) is transmitted through a request header parameter, so that the consistency of distributed sessions is ensured.
Fig. 3 schematically illustrates a data flow diagram of a gateway according to an embodiment of the present disclosure.
As shown in fig. 3, all data requests are routed to the Gateway of the framework via Nginx, and all requests must be forwarded through the Gateway. After a request reaches the Gateway, a source token parameter (tkn1) is set in the request header through a Gateway global filter; the downstream service uses the source token to check whether requests all come from the Gateway, that is, to judge whether they were invoked through a legitimate operation. The global filter may include a front circuit breaker (Circuit-Breaker) and a rear circuit breaker. The gateway may also include a router that sets the source token (tkn1) in the header of the data request. The request results fed back by the downstream server may include the source token (tkn1) and a session token (tkn2), and the session token may include the session identifier.
In operation S203, the encapsulated data request is sent to the main control server, so that the main control server transmits a session identifier to the secondary server in response to the source token, so that the secondary server can verify at least part of authentication information in authentication information obtained from a specified storage space based on the session identifier, and return a request result corresponding to the data request after the verification is successful, where the specified storage space includes at least part of the authentication information and the session identifier that are associated and stored by the main control server.
In one embodiment, sending the encapsulated data request to the master server may include the following operations.
First, a target main control server side and a secondary server side corresponding to request object information are determined based on a service discovery framework.
And then, sending the encapsulated data request to the target main control server side and the secondary server side.
Sending the encapsulated data request to the target master server and the secondary server may include the following operations.
First, the service discovery framework determines a target secondary server from a plurality of secondary servers corresponding to the target master server based on a load balancing policy. The load balancing policy distributes data requests from the client based on the operating states of the plurality of secondary servers (such as Central Processing Unit (CPU) utilization, memory utilization, the number of maintained connections and the like), for example, distributing data requests to secondary servers in an idle state as far as possible.
Then, the target main control server is invoked so that the data request is transmitted to it, and the target main control server in turn invokes the target secondary server to transmit the data request to the target secondary server.
For example, Gateway packages the request, searches for the downstream service in Eureka through the service order, and calls the downstream user-service through the load balancing policy.
In an embodiment, after sending the encapsulated data request to the master server, the method may further include the following operation.
Firstly, a request result from a master control server side is received, wherein the request result comprises decrypted target data.
Then, if the request result includes the source token, the decrypted target data is transmitted to the client.
Through the operation, the source validity verification can be conveniently carried out on the main control server side and the secondary server side based on the source token. In addition, the main control server side can bind and store the session identifier and the authentication information in the designated storage space, so that the secondary server side can acquire the authentication information from the designated storage space based on the session identifier to perform authentication, and the information transmission safety is improved.
Another aspect of the present disclosure provides a method of distributed microservice data transfer performed by a master server side.
Fig. 4 schematically illustrates a flow chart of a method of distributed microservice data transfer, according to another embodiment of the present disclosure.
As shown in fig. 4, the method may include operations S401 to S403.
In operation S401, an encapsulated data request is received from a gateway, where the encapsulated data request includes authentication information.
In operation S402, in response to the encapsulated data request, if the request header of the encapsulated data request includes a source token indicating that the request originates from the specified gateway, the authentication information is verified, and the session identifier and at least part of the authentication information are stored in association in a specified storage space.
For example, after the encapsulated data request arrives at the master server side (user-service), as shown in fig. 4, the master server side checks whether the request header of the data request contains the source token tkn1. If so, the database is queried to determine whether the login information (authentication information) is successfully authenticated, and a Session value is set and placed in Redis. The Session value may include at least part of the authentication information. When the Session value includes only part of the authentication information, the security of the authentication information is improved and the privacy protection capability is improved.
In operation S403, if the verification is successful, a session token is set in a request header of the encapsulated data request, a distributed data request is obtained, and the distributed data request is sent to the secondary server.
The session token comprises a session identifier, so that the secondary server side verifies at least part of authentication information in the authentication information acquired from the specified storage space based on the session identifier, and returns a request result corresponding to the data request after verification is successful.
Fig. 5 schematically shows a data flow diagram at the master server side according to an embodiment of the present disclosure.
As shown in fig. 5, after logging in to the master server successfully through the authentication information included in the data request, the master server invokes each secondary server. The master server calls each local secondary server through Reactive WebClient and sets the parameter tkn2 (carrying the Session ID information) in the request header. For example, user-service may detect whether the source token is included in the request header, and if the source token is not included, the request may be determined to be illegal. If the source token is included, it is judged whether the client initiating the data request is logging in to the server for the first time, and if so, the session identifier and the session value (which may include at least part of the authentication information) are stored in association in the designated storage space. This allows the secondary server to determine the authentication information from the specified storage space based on the session identifier.
For example, the secondary server first determines whether the request header includes tkn1 and tkn2, thereby checking the source validity of the request. It then reads the Session information (sn) from Redis through the Session ID for identity verification. The data is then read from the database and encrypted using tkn1 and tkn2 according to a predetermined encryption/decryption algorithm, such as the independently developed expanded encryption algorithm. Finally, tkn1 and sn1 are each encrypted with Base64, the two encrypted values are hashed with SHA256 using tkn2 as the salt to obtain the encryption string sec1, the Base64-encrypted tkn1 and tkn2 and sec1 are combined into a JWT string, and the JWT string and the encrypted data are combined and transmitted back to the main control system. It should be noted that the Base64 algorithm and the SHA256 algorithm are shown only by way of example; various other algorithms may be used for encryption, and this should not be construed as limiting the present disclosure.
In one embodiment, the request result includes a token string. Accordingly, the above method may further include the following operations. Tamper detection is performed on the request result based on a token string, the token string being generated based on at least the source token and the session identification.
For example, the request result also includes a check bit. Accordingly, tamper detection of the request result based on the token string may include the following operations.
First, a token string is obtained from the request result.
The source token and session token are then obtained from the token string.
Then, at least part of the authentication information is obtained from the designated storage space based on the session token.
Then, at least part of the authentication information in the source token and the authentication information is subjected to first encryption to obtain a first encryption result.
And then, carrying out second encryption on the first encryption result by taking the session token as salt to obtain comparison bit.
Then, if the check bit and the comparison bit are consistent, the tamper detection passes.
For example, the main control server receives the response information and then parses the data: it acquires a token string (such as a JSON Web Token string, abbreviated as a JWT string) from the response header, decodes the token string with Base64 to obtain tkn1 and tkn2, acquires the Session information (sn2) from Redis based on tkn2, encrypts sn2 and tkn1 with Base64 respectively, hashes the result with SHA256 using tkn2 as the salt to obtain sec2, and compares sec1 with sec2; if they are consistent, the data has not been tampered with. In addition, the target data can then be returned to the client through the Gateway; when the target data passes through the Gateway, the response header parameters are packaged and sorted by an interceptor, and the data is decrypted and displayed before the client page is rendered.
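As an added example (not code from the patent), the following Python implements the token-string generation on the secondary server side and the tamper check on the master control server side as described above; a dictionary stands in for Redis, and the field layout Base64(tkn1).Base64(tkn2).sec1 with tkn2 used directly as the Session ID is an assumption.

```python
import base64
import hashlib
import hmac

# Constructed sample values standing in for the real deployment: tkn1 is the
# gateway's source token, tkn2 carries the Session ID, and SESSION_STORE plays
# the role of Redis, where the master control server bound Session ID -> value.
TKN1 = "gateway-source-token"
TKN2 = "session-0001"
SESSION_STORE = {"session-0001": "user=alice;role=teller"}


def b64(text: str) -> str:
    return base64.b64encode(text.encode("utf-8")).decode("ascii")


def unb64(text: str) -> str:
    return base64.b64decode(text.encode("ascii"), validate=True).decode("utf-8")


def salted_sha256(tkn1_b64: str, sn_b64: str, salt: str) -> str:
    # Salted SHA256 over the two Base64 strings; tkn2 is used as the salt.
    return hashlib.sha256((salt + tkn1_b64 + sn_b64).encode("utf-8")).hexdigest()


def build_token_string(tkn1: str, tkn2: str, store: dict) -> str:
    """Secondary server side: read sn1 from the store via the Session ID and
    assemble Base64(tkn1).Base64(tkn2).sec1 (the JWT-like string)."""
    sn1 = store[tkn2]
    sec1 = salted_sha256(b64(tkn1), b64(sn1), tkn2)
    return ".".join((b64(tkn1), b64(tkn2), sec1))


def tamper_check(token_string: str, store: dict, expected_tkn1: str) -> bool:
    """Master control server side: recompute sec2 from the stored session
    information and compare it with the received sec1."""
    parts = token_string.split(".")
    if len(parts) != 3:
        return False
    tkn1_b64, tkn2_b64, sec1 = parts
    try:
        tkn1 = unb64(tkn1_b64)
        tkn2 = unb64(tkn2_b64)
    except (ValueError, UnicodeDecodeError):
        return False
    # Source validity: the string must carry the gateway's own source token.
    if not hmac.compare_digest(tkn1.encode("utf-8"), expected_tkn1.encode("utf-8")):
        return False
    sn2 = store.get(tkn2)  # Session information looked up via tkn2
    if sn2 is None:
        return False
    sec2 = salted_sha256(b64(tkn1), b64(sn2), tkn2)
    # Constant-time comparison of sec1 and sec2.
    return hmac.compare_digest(sec1.encode("ascii"), sec2.encode("ascii"))


def demo() -> tuple:
    """Returns (genuine passes, swapped Session ID fails, flipped sec1 fails)."""
    good = build_token_string(TKN1, TKN2, SESSION_STORE)
    # Tampering 1: a substituted Session ID that still decodes cleanly.
    forged_tkn2 = good.replace(b64(TKN2), b64("session-0002"))
    # Tampering 2: a single changed character in the check string.
    head, _, sec = good.rpartition(".")
    flipped = head + "." + ("0" if sec[0] != "0" else "1") + sec[1:]
    return (
        tamper_check(good, SESSION_STORE, TKN1),
        tamper_check(forged_tkn2, SESSION_STORE, TKN1),
        tamper_check(flipped, SESSION_STORE, TKN1),
    )


if __name__ == "__main__":
    print(demo())  # (True, False, False)
```

Note that sec1 as described is computed from tkn1 and the session value only, so this check verifies the token string rather than the encrypted payload that travels with it; binding the payload would require including it (or its digest) in the salted SHA256 input.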
In an embodiment, the main control server may analyze, decrypt, and the like the received request result to obtain decrypted target data, so as to send the decrypted target data to the client, thereby reducing the computation amount of the client.
For example, the decryption process for the request result may be implemented based on the inverse of the encryption process for the target data by the secondary server side. The encryption process of the target data by the secondary server side will be described in detail in the following section. For example, the master server parses ind1 and ind2 (detailed in the encryption and decryption algorithm section), generates an original key according to Session information obtained from tkn2, and regenerates an actual key dKey. And decrypting according to the encryption inverse operation to obtain data.
For example, after receiving the request result from the secondary server, the method may further include the following operations.
First, a request result from the secondary server side is received.
Then, a first sequence string is analyzed from the request result, the value of the first sequence string is used as a target subscript, and a first array with a first specified length is intercepted from the head of the target data after encryption in the request result.
And then, performing a first reversible bit operation on the first array and the actual key to obtain decrypted first sub-target data, wherein the actual key is generated based on at least part of authentication information in the authentication information.
And then, replacing the first array of the head part of the encrypted target data by the decrypted first sub-target data to obtain the decrypted target data.
For example, after receiving the request result from the secondary server, the method may further include the following operations.
And intercepting a second array of a second specified length from the tail of the encrypted target data in the request result, wherein the first array and the second array are different.
And performing second reversible bit operation on the second array and the actual secret key to obtain decrypted second sub-target data.
Then, the second array at the tail of the encrypted target data is replaced with the decrypted second sub-target data to obtain the decrypted target data.
Another aspect of the present disclosure provides a method of distributed microservice data transfer performed by a secondary server side.
Fig. 6 schematically illustrates a flow chart of a method of distributed microservice data transfer, according to another embodiment of the present disclosure.
As shown in fig. 6, the method may include operations S601 to S603.
In operation S601, a distributed data request from a master server is received.
In operation S602, in response to the distributed data request, if the request header of the distributed data request includes the source token and the session token, and the session token includes the session identifier, at least part of the authentication information in the authentication information is obtained from the specified storage space based on the session identifier for authentication, and the specified storage space includes at least part of the authentication information and the session identifier that are stored in association by the master server.
In operation S603, a request result corresponding to the distributed data request is returned after the verification is successful.
The request result comprises a token string and encrypted target data, so that the master server carries out tamper detection on the encrypted target data based on the token string, and the token string is generated at least based on the source token and the session identifier.
Fig. 7 schematically illustrates a security authentication flow diagram according to an embodiment of the present disclosure.
As shown in fig. 7, after the data request is sent to the Gateway, the Gateway may set tkn1 and a Session identifier (Session ID) in the request header, and the master control system stores the Session value and the Session ID in Redis in association with each other. The master control system needs to verify the source of the data request, namely whether it comes from the designated gateway. The master control system sends the distributed data request, which includes the session token and the session identifier, to the secondary system; the secondary system acquires identity authentication information from Redis based on the Session ID, acquires the target data corresponding to the distributed data request from the database after the authentication passes, encrypts the target data, and generates a JWT string so that the master control system can perform tamper detection based on the JWT string. The master control system, upon receiving the request result from the secondary system, may determine whether it has been tampered with based on the JWT string.
At present, most encryption algorithms are open-source or foreign encryption algorithms; on this basis, a set of expanded encryption algorithms is designed according to the framework's own characteristics.
The following is an exemplary description of the target data encryption process.
In one embodiment, only the header of the target data may be encrypted, for example, the method for generating the request result may include the following operations.
First, a first sequence string is randomly generated, with the value of the first sequence string as a target index.
Then, a third array of the first specified length is truncated from the header of the target data. The first specified length may be a preset length that does not exceed the length of the target data.
And then, performing a first reversible bit operation on the third array and the actual key to obtain the encrypted first sub-target data, wherein the actual key is generated based on at least part of the authentication information in the authentication information.
And then, replacing the third array of the head of the target data by the encrypted first sub-target data to obtain the encrypted target data.
In one embodiment, only the tail of the target data may be encrypted, and the generation method of the request result may further include the following operations.
First, a fourth array of a second specified length is truncated from the end of the target data, where the third array and the fourth array are different.
And then, performing second reversible bit operation on the fourth array and the actual secret key to obtain encrypted second sub-target data.
And then, replacing the fourth array at the tail part of the target data by the encrypted second sub-target data to obtain the encrypted target data.
The header and the trailer of the target data may be encrypted at the same time, which is not limited herein.
In one embodiment, the actual key may be generated as follows.
First, a second sequence string is randomly generated.
And then, encrypting at least part of the authentication information in the identity authentication information by adopting an irreversible encryption and decryption algorithm to obtain an original secret key.
Then, a first segment of the same length as the source token is obtained from the original key.
Then, the value of the first sequence string is used as a target subscript, and the values corresponding to the target subscript in the first segment and the source token are replaced to obtain an actual key.
Fig. 8 schematically shows an actual key generation process diagram according to an embodiment of the present disclosure.
As shown in fig. 8, the encryption process takes place at each local secondary server. First, two random sequences ind1 and ind2 are generated. Then, irreversible encryption (such as MD5) is performed on the Session information to generate an original key key1, a segment s1 with the same length as tkn1 is cut from key1, and the values of s1 and tkn1 at the positions given by the ind1 values (as shown in the right array in fig. 8) are replaced. The actual encryption key key2 is obtained after the replacement.
Fig. 9 schematically shows a schematic diagram of a header of encrypted target data according to an embodiment of the present disclosure.
As shown in fig. 9, an array data1 of a specified length (e.g., L = length(ind2)/2, although other lengths are of course possible) is cut from the head of the data to be encrypted. A first reversible bit operation (e.g., an exclusive-or bit operation or a shift operation) is performed on data1 and key2, using the ind2 values (as shown in the right array in fig. 9) as subscripts, to obtain data11, and data11 is then written back into the original data.
Fig. 10 schematically shows a schematic diagram of a tail portion of encrypted target data according to an embodiment of the present disclosure.
As shown in fig. 10, an array data2 of the same specified length (e.g., L = length(ind2)/2) is cut from the tail of the data. A second reversible bit operation (such as an exclusive-or bit operation or a shift operation) is performed on data2 and key2, using the values of the second half of ind2 as subscripts, to obtain data22, and data22 is then written back into the original data.
ind1, ind2 and the encrypted data are then spliced together as the return value sent back to the master control system.
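As an added example (not the patent's own code), the following Python carries the expanded encryption algorithm of the preceding paragraphs through end to end, together with its inverse on the master control server side as described for the request result. Reading ind1 and ind2 as lists of subscripts, the splice layout ind1 || ind2 || encrypted data with one-byte length prefixes, XOR as the reversible bit operation, and all sample values are assumptions.

```python
import hashlib
import secrets

# Constructed sample values (the page gives none): tkn1 is the gateway source
# token and SESSION_INFO is the Session value the master control server bound
# to tkn2 in Redis; a plain string stands in for that lookup here.
TKN1 = b"gw-tok01"
SESSION_INFO = "user=alice;role=teller"


def derive_actual_key(session_info: str, tkn1: bytes, ind1: list) -> bytes:
    """key1 = MD5(Session information); s1 = the first len(tkn1) bytes of key1;
    each position listed in ind1 is replaced by the byte of tkn1 at that
    position (assumed reading of 'replace using the ind1 value as subscript')."""
    key1 = hashlib.md5(session_info.encode("utf-8")).digest()
    if len(tkn1) > len(key1):
        raise ValueError("source token is longer than the original key")
    key2 = bytearray(key1[:len(tkn1)])
    for idx in ind1:
        key2[idx] = tkn1[idx]
    return bytes(key2)


def xor_segment(segment: bytes, key2: bytes, subscripts: list) -> bytes:
    """Reversible bit operation: XOR each byte of the segment with the key2 byte
    selected by the matching subscript. XOR is its own inverse."""
    return bytes(b ^ key2[s] for b, s in zip(segment, subscripts))


def transform(data: bytes, key2: bytes, ind2: list) -> bytes:
    """Encrypt, or equally decrypt, the head and tail arrays of data.
    L = len(ind2) // 2; the first half of ind2 drives the head array and the
    second half drives the tail array; the middle bytes are left untouched."""
    length = len(ind2) // 2
    if len(data) < 2 * length:
        raise ValueError("data too short for disjoint head and tail arrays")
    head = xor_segment(data[:length], key2, ind2[:length])
    tail = xor_segment(data[len(data) - length:], key2, ind2[length:2 * length])
    return head + data[length:len(data) - length] + tail


def random_subscripts(count: int, upper: int) -> list:
    return [secrets.randbelow(upper) for _ in range(count)]


def encrypt_result(data: bytes, session_info: str, tkn1: bytes,
                   length: int = 4, ind1: list = None, ind2: list = None) -> bytes:
    """Secondary server side: generate ind1 and ind2 (fixed values may be passed
    in for reproducibility), derive key2, encrypt, and splice
    ind1 || ind2 || encrypted data, each sequence prefixed by its one-byte
    length (an assumed wire layout; the page only says they are spliced)."""
    if ind1 is None:
        ind1 = random_subscripts(len(tkn1) // 2, len(tkn1))
    if ind2 is None:
        ind2 = random_subscripts(2 * length, len(tkn1))
    key2 = derive_actual_key(session_info, tkn1, ind1)
    body = transform(data, key2, ind2)
    return bytes([len(ind1)]) + bytes(ind1) + bytes([len(ind2)]) + bytes(ind2) + body


def decrypt_result(blob: bytes, session_info: str, tkn1: bytes) -> bytes:
    """Master control server side: parse ind1 and ind2 from the request result,
    regenerate key2 from the Session information read via tkn2, and apply the
    inverse operation to the head and tail arrays."""
    n1 = blob[0]
    ind1 = list(blob[1:1 + n1])
    n2 = blob[1 + n1]
    ind2 = list(blob[2 + n1:2 + n1 + n2])
    key2 = derive_actual_key(session_info, tkn1, ind1)
    return transform(blob[2 + n1 + n2:], key2, ind2)


def roundtrip(data: bytes) -> bool:
    """Encrypt with fresh random sequences and check decryption restores data."""
    blob = encrypt_result(data, SESSION_INFO, TKN1)
    return decrypt_result(blob, SESSION_INFO, TKN1) == data


if __name__ == "__main__":
    print(roundtrip(b'{"account": "constructed", "balance": "100.00"}'))  # True
```

Because XOR with a subscript-selected key byte is an involution, decryption is the same transform with the same key2 and ind2; the transform carries no integrity check of its own, so a wrong Session value yields garbled bytes rather than an error.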
In the embodiment of the disclosure, a Spring Cloud distributed architecture based on the Spring Boot framework and the lightweight HTTP protocol is combined with WebFlux technology to realize full-flow asynchronous, non-blocking reactive programming, which has great advantages in coping with high-concurrency environments; at the same time, functional programming with lambda expressions makes the framework more concise and efficient to implement, and the framework is compatible with the latest reactive components such as Resilience4J and WebClient. Secondly, the framework at least partially solves the problem of inconsistent distributed sessions and, combined with the ideas of current open-source security frameworks, customizes a distributed authentication and tamper-proofing system better suited to the framework. It is particularly pointed out that the Base64 encryption algorithm used in the security authentication part is also independently re-implemented following the existing Base64 idea. Finally, given that most encryption algorithms currently derive from open-source encryption algorithms, the encryption algorithm involved in the disclosure is expanded on the basis of existing encryption algorithms and integrates the idea of asymmetric encryption; this encryption method ensures not only the secure transmission of the encrypted data but also the secure transmission of the key, greatly improving security in data transmission.
Another aspect of the present disclosure provides a method of distributed microservice data transmission performed by a distributed system.
Fig. 11 schematically illustrates a flow chart of a method of distributed microservice data transfer, according to another embodiment of the present disclosure. The distributed system comprises a client, a gateway, a master control server and a secondary server.
As shown in fig. 11, the method may include operations S1101 to S1107.
In operation S1101, the gateway receives a data request originating from a client, the data request including authentication information and request object information.
In operation S1102, the gateway adds a source token and a session identifier to a request header of the data request in response to the data request, so as to obtain an encapsulated data request.
In operation S1103, the gateway sends the encapsulated data request to the master server.
In operation S1104, the master server side, in response to the encapsulated data request, verifies the authentication information if a request header of the encapsulated data request includes a source token from the gateway, and associatively stores the session identifier and at least a part of the authentication information in a designated storage space.
In operation S1105, if the verification is successful, the main control server sets a session token in the request header of the encapsulated data request, obtains a distributed data request, and sends the distributed data request to the secondary server.
In operation S1106, the secondary server side, in response to the distributed data request, verifies at least part of the authentication information in the authentication information obtained from the specified storage space based on the session identifier if the request header of the distributed data request includes the source token and the session token, and the session token includes the session identifier.
In operation S1107, the secondary server returns a request result corresponding to the distributed data request after the verification is successful.
The request result comprises a token string and encrypted target data, so that the master control server carries out tamper detection on the encrypted target data on the basis of the token string, and the token string is generated at least on the basis of the source token and the session identifier.
Another aspect of the present disclosure provides an apparatus for distributed micro-service data transmission, which is disposed in a gateway.
Fig. 12 schematically illustrates a block diagram of an apparatus for distributed microservice data transfer, in accordance with an embodiment of the present disclosure.
As shown in fig. 12, the apparatus 1200 may include a data request receiving module 1210, a data request responding module 1220, and an encapsulated data request sending module 1230.
The data request receiving module 1210 is configured to receive a data request from a client, where the data request includes authentication information and request object information.
The data request response module 1220 is configured to, in response to the data request, add a source token and a session identifier to a request header of the data request, so as to obtain an encapsulated data request.
The encapsulated data request sending module 1230 is configured to send an encapsulated data request to the main control server, so that the main control server transmits a session identifier to the secondary server in response to the source token, so that the secondary server can perform authentication on at least part of authentication information in authentication information acquired from a specified storage space based on the session identifier from the main control server, and return a request result corresponding to the data request after the authentication is successful, where the specified storage space includes at least part of the authentication information and the session identifier that are stored in association by the main control server.
Another aspect of the present disclosure provides an apparatus for distributed micro-service data transmission, which is disposed in a master server.
Fig. 13 schematically illustrates a block diagram of an apparatus for distributed microservice data transfer, according to another embodiment of the present disclosure.
As shown in fig. 13, the apparatus 1300 includes: an encapsulated data request receiving module 1310, an encapsulated data request responding module 1320, and a distributed data request generating module 1330.
The encapsulated data request receiving module 1310 is configured to receive an encapsulated data request from a gateway, where the encapsulated data request includes authentication information.
The encapsulated data request response module 1320 is configured to respond to the encapsulated data request, verify the authentication information if a request header of the encapsulated data request includes a source token characterizing a source from a specified gateway, and store at least a part of the session identifier and the authentication information in a specified storage space in an associated manner.
The distributed data request generating module 1330 is configured to, if the verification is successful, set a session token in a request header of the encapsulated data request, obtain a distributed data request, and send the distributed data request to the secondary server, where the session token includes a session identifier, so that the secondary server performs verification on at least part of authentication information in the authentication information obtained from the specified storage space based on the session identifier, and returns a request result corresponding to the data request after the verification is successful.
Another aspect of the present disclosure provides an apparatus for distributed micro-service data transmission, which is disposed in a secondary server.
Fig. 14 schematically illustrates a block diagram of an apparatus for distributed microservice data transfer, according to another embodiment of the present disclosure.
As shown in fig. 14, the apparatus 1400 may include a distributed data request receiving module 1410, a distributed data request responding module 1420, and a request result returning module 1430.
The distributed data request receiving module 1410 is configured to receive a distributed data request from the master server.
The distributed data request response module 1420 is configured to respond to the distributed data request: if the request header of the distributed data request includes a source token and a session token, and the session token includes a session identifier, it retrieves at least part of the authentication information from the specified storage space based on the session identifier and verifies it. The specified storage space holds at least part of the authentication information and the session identifier, stored in association by the master control server.
The request result returning module 1430 is configured to return a request result corresponding to the distributed data request after the verification is successful, where the request result includes a token string and encrypted target data, so that the master server performs tamper detection on the encrypted target data based on the token string, where the token string is generated based on at least the source token and the session identifier.
Another aspect of the present disclosure provides a system for distributed microservice data transmission.
Fig. 15 schematically illustrates a block diagram of a distributed microservice data transfer system in accordance with an embodiment of the present disclosure.
As shown in fig. 15, the system may include a client, a gateway, a master control server and a secondary server.
Specifically, the system may include an Nginx static resource server, a Gateway routing and interception system, a user login and authentication system, a master control system, and secondary data storage systems in the various regions.
The gateway is configured to receive a data request from the client, where the data request includes authentication information and request object information; to respond to the data request by adding a source token and a session identifier to the request header of the data request, obtaining an encapsulated data request; and to send the encapsulated data request to the master control server.
The master control server is configured to respond to the encapsulated data request: if the request header of the encapsulated data request includes a source token indicating that the request came from the gateway, it verifies the authentication information and stores the session identifier in association with at least part of the authentication information in a specified storage space; if the verification succeeds, it sets a session token in the request header of the encapsulated data request to obtain a distributed data request and sends the distributed data request to the secondary server.
The secondary server is configured to respond to the distributed data request: if the request header of the distributed data request includes a source token and a session token, and the session token includes a session identifier, it verifies at least part of the authentication information retrieved from the specified storage space based on the session identifier, and after the verification succeeds returns a request result corresponding to the distributed data request. The request result includes a token string and encrypted target data, so that the master control server can perform tamper detection on the encrypted target data based on the token string; the token string is generated based on at least the source token and the session identifier.
Figure 16 schematically illustrates a logic diagram executed by a distributed microservice data transfer system in accordance with an embodiment of the present disclosure.
As shown in fig. 16, the security authentication of the framework combines distributed Session consistency with the idea of the JWT protocol, together with a custom encryption design. As shown in fig. 5, after a request reaches the Gateway, a wrapped tkn1 parameter (the source token) is added to the forwarded request header. When the request reaches user-service, the validity of the request source is verified and a request header tkn2 carrying the Session ID is added; the request is then forwarded on to the master control system. The master control system judges the validity of the request from tkn1 and tkn2, reads the Session information to perform the data read operation matching the user's authority, and forwards the request to the secondary server ends in the various regions. After each secondary server checks the request source, it reads the Session information sn1 from redis using tkn2, Base64-encodes tkn1 and sn1 separately, and computes a SHA256 hash over the encoded values with tkn2 as salt, producing an irreversible digest sec1 (the text calls this a digital signature). The data is then encrypted. Finally, the Base64-encoded tkn1 and tkn2 together with sec1 form a JWT-style string, which is returned to the master control system together with the encrypted data.
After receiving the response, the master control system parses the JWT-style string, Base64-decodes it to recover tkn1 and tkn2, fetches the Session information sn2 from redis using tkn2, Base64-encodes tkn1 and sn2 and hashes them with tkn2 as salt to produce sec2, and compares sec1 with sec2. If the two match, the response is taken to have arrived over the link unmodified.
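The exchange described for fig. 16, written out as an added example in Python; this is not code from the patent or from its assignee. The names tkn1, tkn2, sn1, sec1 and sec2 follow the text. Everything else is an assumption: an in-memory dict stands in for the redis session store, the salt tkn2 is prefixed to the hashed material (the text does not say where the salt goes), and the three segments are joined with "." in the JWT layout. Both sides of the check are shown, plus the two ways the master control system's check can fail: a modified segment and a session that is no longer in the store.

```python
import base64
import binascii
import hashlib
import hmac

# Stand-in for the redis session store (assumption): Session ID -> Session information.
SESSION_STORE: dict = {}


def b64(text: str) -> str:
    return base64.b64encode(text.encode()).decode()


def unb64(text: str) -> str:
    return base64.b64decode(text.encode(), validate=True).decode()


def make_sec(tkn1: str, sn: str, tkn2: str) -> str:
    """SHA-256 over Base64(tkn1) || Base64(sn), with tkn2 as salt.
    Prefixing the salt is an assumption; the page only says tkn2 is the salt."""
    material = tkn2 + b64(tkn1) + b64(sn)
    return hashlib.sha256(material.encode()).hexdigest()


def secondary_build_token_string(tkn1: str, tkn2: str) -> str:
    """Secondary server end: read sn1 by tkn2, derive sec1 and return the
    three-segment string Base64(tkn1).Base64(tkn2).sec1 that travels back with
    the encrypted data ("." separator mirrors JWT layout; an assumption)."""
    sn1 = SESSION_STORE[tkn2]
    sec1 = make_sec(tkn1, sn1, tkn2)
    return ".".join((b64(tkn1), b64(tkn2), sec1))


def master_verify_token_string(token_string: str) -> bool:
    """Master control system: split the string, recover tkn1 and tkn2, fetch sn2
    by tkn2, recompute sec2 and compare it with sec1 in constant time."""
    try:
        tkn1_b64, tkn2_b64, sec1 = token_string.split(".")
        tkn1, tkn2 = unb64(tkn1_b64), unb64(tkn2_b64)
    except (ValueError, binascii.Error, UnicodeDecodeError):
        return False                      # malformed string: reject
    sn2 = SESSION_STORE.get(tkn2)
    if sn2 is None:
        return False                      # unknown or expired Session ID: reject
    sec2 = make_sec(tkn1, sn2, tkn2)
    return hmac.compare_digest(sec1, sec2)


def demo() -> dict:
    """Constructed walk-through: a good response, a response whose tkn1 segment
    was swapped in transit, and a response arriving after the session was evicted."""
    tkn1, tkn2 = "gw-source-token-01", "session-7f3a"       # constructed values
    SESSION_STORE[tkn2] = "uid=1001;role=reader"             # constructed sn1
    good = secondary_build_token_string(tkn1, tkn2)
    swapped = ".".join((b64("other-gateway"), *good.split(".")[1:]))
    out = {
        "valid": master_verify_token_string(good),
        "swapped_source_token": master_verify_token_string(swapped),
    }
    del SESSION_STORE[tkn2]
    out["session_evicted"] = master_verify_token_string(good)
    return out
```

Two points a practitioner would check before relying on this: Base64 is an encoding, not encryption, so tkn1 and tkn2 are readable by anyone who sees the string; and sec1 is a salted hash over values that are either in the string itself or in the shared session store, so it detects modification of the returned string by a party without access to the Session information, but it is not a signature in the cryptographic sense, since no key is involved. An HMAC keyed with a secret held only by the master and secondary servers gives the same comparison with a key.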
It should be noted that the implementation, the technical problems solved, the functions realized and the technical effects achieved by each module or unit in the apparatus and system embodiments are the same as or similar to those of the corresponding steps in the method embodiments, and are not repeated here.
Any of the modules or units according to embodiments of the present disclosure, or at least part of the functionality of any of them, may be implemented in one module. Any one or more of the modules and units may be split into a plurality of modules. Any one or more of the modules and units may be implemented at least partly as a hardware circuit, e.g. a Field Programmable Gate Array (FPGA), a Programmable Logic Array (PLA), a system on a chip, a system on a substrate, a system on a package, an Application Specific Integrated Circuit (ASIC), or by any other reasonable way of integrating or packaging a circuit in hardware or firmware, or by any one of software, hardware and firmware, or by a suitable combination of any of them. Alternatively, one or more of the modules and units may be implemented at least partly as computer program modules which, when executed, perform the respective functions.
For example, any of the data request receiving module 1210, the data request responding module 1220 and the encapsulated data request sending module 1230 may be combined and implemented in one module, or any one of them may be split into multiple modules. Alternatively, at least part of the functionality of one or more of these modules may be combined with at least part of the functionality of the other modules and implemented in one module. According to an embodiment of the present disclosure, at least one of the data request receiving module 1210, the data request responding module 1220 and the encapsulated data request sending module 1230 may be implemented at least partially as a hardware circuit, such as a Field Programmable Gate Array (FPGA), a Programmable Logic Array (PLA), a system on a chip, a system on a substrate, a system on a package, an Application Specific Integrated Circuit (ASIC), or by hardware or firmware in any other reasonable manner of integrating or packaging a circuit, or by any one of software, hardware and firmware, or by a suitable combination of any of them. Alternatively, at least one of these modules may be at least partially implemented as a computer program module which, when executed, performs the corresponding function.
Fig. 17 schematically shows a block diagram of an electronic device according to an embodiment of the disclosure. The electronic device shown in fig. 17 is only an example, and should not bring any limitation to the functions and the scope of use of the embodiments of the present disclosure.
As shown in fig. 17, an electronic apparatus 1700 according to an embodiment of the present disclosure includes a processor 1701 which can perform various appropriate actions and processes according to a program stored in a Read Only Memory (ROM) 1702 or a program loaded from a storage portion 1708 into a Random Access Memory (RAM) 1703. The processor 1701 may include, for example, a general purpose microprocessor (e.g., a CPU), an instruction set processor and/or associated chipset, and/or a special purpose microprocessor (e.g., an Application Specific Integrated Circuit (ASIC)), among others. The processor 1701 may also include on-board memory for caching purposes. The processor 1701 may include a single processing unit or multiple processing units for performing the different actions of the method flow according to embodiments of the present disclosure.
In the RAM 1703, various programs and data necessary for the operation of the electronic apparatus 1700 are stored. The processor 1701, the ROM 1702, and the RAM 1703 are communicatively coupled to each other via a bus 1704. The processor 1701 performs various operations of the method flow according to the embodiments of the present disclosure by executing programs in the ROM 1702 and/or the RAM 1703. Note that the programs may also be stored in one or more memories other than ROM 1702 and RAM 1703. The processor 1701 may also execute various operations of the method flows according to the embodiments of the present disclosure by executing programs stored in one or more memories.
According to embodiments of the present disclosure, the electronic device 1700 may also include an input/output (I/O) interface 1705, the input/output (I/O) interface 1705 also being connected to the bus 1704. Electronic device 1700 may also include one or more of the following components connected to I/O interface 1705: an input section 1706 including a keyboard, a mouse, and the like; an output portion 1707 including a display device such as a Cathode Ray Tube (CRT), a Liquid Crystal Display (LCD), and a speaker; a storage portion 1708 including a hard disk and the like; and a communication section 1709 including a network interface card such as a LAN card, a modem, or the like. The communication section 1709 performs communication processing via a network such as the internet. A driver 1710 is also connected to the I/O interface 1705 as necessary. A removable medium 1711 such as a magnetic disk, an optical disk, a magneto-optical disk, a semiconductor memory, or the like is mounted on the drive 1710 as necessary, so that a computer program read out therefrom is mounted into the storage portion 1708 as necessary.
According to embodiments of the present disclosure, method flows according to embodiments of the present disclosure may be implemented as computer software programs. For example, embodiments of the present disclosure include a computer program product comprising a computer program embodied on a computer readable storage medium, the computer program containing program code for performing the method illustrated by the flow chart. In such embodiments, the computer program may be downloaded and installed from a network via the communication portion 1709, and/or installed from the removable media 1711. The computer program, when executed by the processor 1701, performs the above-described functions defined in the system of the embodiment of the present disclosure. The systems, devices, apparatuses, modules, units, etc. described above may be implemented by computer program modules according to embodiments of the present disclosure.
The present disclosure also provides a computer-readable storage medium, which may be contained in the apparatus/device/system described in the above embodiments; or may exist separately and not be assembled into the device/apparatus/system. The computer-readable storage medium carries one or more programs which, when executed, implement the method according to an embodiment of the disclosure.
According to embodiments of the present disclosure, the computer-readable storage medium may be a non-volatile computer-readable storage medium, which may include, for example but is not limited to: a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the present disclosure, a computer readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device. For example, according to embodiments of the present disclosure, a computer-readable storage medium may include the ROM 1702 and/or RAM 1703 described above and/or one or more memories other than the ROM 1702 and RAM 1703.
The present disclosure also provides a computer program comprising one or more programs. The above-described method may be implemented as a computer software program. For example, embodiments of the present disclosure include a computer program product comprising a computer program embodied on a computer readable storage medium, the computer program containing program code for performing the method illustrated by the flow chart. In such embodiments, the computer program may be downloaded and installed from a network via the communication portion 1709, and/or installed from the removable media 1711. The computer program, when executed by the processor 1701, performs the above-described functions defined in the system of the embodiment of the present disclosure. The systems, devices, apparatuses, modules, units, etc. described above may be implemented by computer program modules according to embodiments of the present disclosure.
It will be appreciated by those skilled in the art that various combinations and/or sub-combinations of the features recited in the various embodiments and/or claims of the disclosure may be made even if such combinations are not explicitly recited in the disclosure. These examples are for illustrative purposes only and are not intended to limit the scope of the present disclosure. Although the embodiments are described separately above, this does not mean that the measures in the embodiments cannot be used in advantageous combination. The scope of the disclosure is defined by the appended claims and their equivalents. Various alternatives and modifications can be devised by those skilled in the art without departing from the scope of the present disclosure, and such alternatives and modifications are intended to be within the scope of the present disclosure.

Claims (20)

1. A method of distributed microservice data transfer performed by a gateway, comprising:
receiving a data request from a client, wherein the data request comprises authentication information and request object information;
responding to the data request, adding a source token and a session identifier to a request head of the data request to obtain a packaged data request; and
sending the encapsulated data request to a master control server, so that the master control server transmits the session identifier to a secondary server in response to the source token, the secondary server verifies at least part of the authentication information acquired from a specified storage space based on the session identifier and returns a request result corresponding to the data request after the verification succeeds, wherein the specified storage space comprises at least part of the authentication information and the session identifier stored in association by the master control server.
2. The method of claim 1, further comprising: after sending the encapsulated data request to the master server,
receiving a request result from the master control server, wherein the request result comprises decrypted target data; and
if the request result comprises the source token, transmitting the decrypted target data to the client.
3. The method of claim 1, wherein the sending the encapsulated data request to the master server comprises:
determining a target main control server side and a secondary server side corresponding to the request object information based on a service discovery framework; and
sending the encapsulated data request to the target master control server and the secondary server.
4. The method of claim 3, wherein the sending the encapsulated data request to the target master server and the secondary server comprises:
the service discovery framework determines a target secondary server side from a plurality of secondary server sides corresponding to the target main control server side based on a load balancing strategy; and
transmitting the data request to the target master control server by calling the target master control server, so that the target master control server transmits the data request to the target secondary server by calling the target secondary server.
5. The method of claim 1, further comprising:
processing the request header parameters or the response header parameters with a circuit breaker, so as to apply circuit-breaking or degradation to service forwarding and/or invocation.
6. A method for distributed microservice data transmission performed by a master server, comprising:
receiving an encapsulated data request from a gateway, wherein the encapsulated data request comprises identity authentication information;
responding to the encapsulated data request, if a request header of the encapsulated data request comprises a source token which is used for representing a source from a specified gateway, verifying the authentication information, and associatively storing a session identification and at least part of the authentication information in a specified storage space; and
if the verification is successful, setting a session token in a request header of the encapsulated data request to obtain a distributed data request, and sending the distributed data request to a secondary server side,
the session token comprises a session identifier, so that the secondary server side verifies at least part of authentication information in the identity authentication information acquired from the specified storage space based on the session identifier, and returns a request result corresponding to the data request after verification is successful.
7. The method of claim 6, further comprising:
receiving a request result from the secondary server side;
parsing a first sequence string from the request result, the value of the first sequence string being used as a target subscript, and extracting a first array of a first specified length from the head of the encrypted target data in the request result;
performing a first reversible bit operation on the first array and an actual secret key to obtain decrypted first sub-target data, wherein the actual secret key is generated based on at least part of authentication information in identity authentication information; and
replacing the first array at the head of the encrypted target data with the decrypted first sub-target data to obtain the decrypted target data.
8. The method of claim 7, further comprising: after said receiving the request result from the secondary server side,
extracting a second array of a second specified length from the tail of the encrypted target data in the request result, wherein the first array is different from the second array;
performing a second reversible bit operation on the second array and the actual secret key to obtain decrypted second sub-target data; and
replacing the second array at the tail of the encrypted target data with the decrypted second sub-target data to obtain the decrypted target data.
9. The method of claim 6, wherein the request result comprises a token string;
the method further comprises the following steps:
tamper detection of the request result is performed based on the token string, which is generated based on at least the source token and the session identification.
10. The method of claim 9, wherein the request result further comprises a check bit;
the tamper detection of the request result based on the token string comprises:
obtaining a token string from the request result;
obtaining a source token and a session token from the token string;
acquiring at least part of authentication information in the identity authentication information from the specified storage space based on the session token;
performing first encryption on at least part of the source token and the authentication information to obtain a first encryption result;
performing second encryption on the first encryption result with the session token as salt to obtain a comparison bit; and
if the check bit is consistent with the comparison bit, the tamper detection passes.
11. A method of distributed microservice data transfer performed by a secondary server, comprising:
receiving a distributed data request from a master control server;
responding to the distributed data request, and if a request header of the distributed data request comprises a source token and a session token, and the session token comprises a session identifier, acquiring at least part of the authentication information from a specified storage space based on the session identifier for verification, wherein the specified storage space comprises at least part of the authentication information and the session identifier stored in association by the master control server; and
returning a request result corresponding to the distributed data request after the verification is successful,
the request result comprises a token string and encrypted target data, so that the master control server side carries out tampering detection on the encrypted target data based on the token string, and the token string is generated at least based on the source token and the session identifier.
12. The method of claim 11, wherein the method of generating the request result comprises:
randomly generating a first sequence string, wherein the value of the first sequence string is used as a target subscript;
extracting a third array of a first specified length from the head of the target data;
performing a first reversible bit operation on the third array and an actual secret key to obtain encrypted first sub-target data, wherein the actual secret key is generated based on at least part of authentication information in identity authentication information; and
replacing the third array at the head of the target data with the encrypted first sub-target data to obtain the encrypted target data.
13. The method of claim 12, wherein the method for generating the request result further comprises:
extracting a fourth array of a second specified length from the tail of the target data, wherein the third array and the fourth array are different;
performing a second reversible bit operation on the fourth array and the actual secret key to obtain encrypted second sub-target data; and
replacing the fourth array at the tail of the target data with the encrypted second sub-target data to obtain the encrypted target data.
14. The method of claim 12, wherein the actual key is generated by:
randomly generating a second sequence string;
encrypting at least part of the authentication information with an irreversible encryption algorithm to obtain an original secret key;
obtaining a first segment with the same length as the source token from the original secret key; and
taking the value of the first sequence string as a target subscript, and replacing the first segment with the value corresponding to the target subscript in the source token, to obtain the actual key.
15. A method for distributed microservice data transmission performed by a distributed system, the distributed system comprising a client, a gateway, a master server, and a secondary server, the method comprising:
the gateway receives a data request from a client, wherein the data request comprises authentication information and request object information;
responding to the data request by the gateway, and adding a source token and a session identifier to a request header of the data request to obtain a packaged data request;
the gateway sends the encapsulated data request to a master control server;
the master control server responds to the encapsulated data request, and if a request header of the encapsulated data request comprises a source token indicating that the request came from the gateway, verifies the authentication information and stores a session identifier in association with at least part of the authentication information in a specified storage space;
if the master server side successfully verifies, setting a session token in a request header of the encapsulated data request to obtain a distributed data request, and sending the distributed data request to a secondary server side;
the secondary server responds to the distributed data request, and if a request header of the distributed data request comprises a source token and a session token, and the session token comprises a session identifier, verifies at least part of the authentication information acquired from the specified storage space based on the session identifier; and
the secondary server side returns a request result corresponding to the distributed data request after the verification is successful,
the request result comprises a token string and encrypted target data, so that the master control server side carries out tampering detection on the encrypted target data based on the token string, and the token string is generated at least based on the source token and the session identifier.
16. An apparatus for distributed micro-service data transmission, disposed in a gateway, the apparatus comprising:
the data request receiving module is used for receiving a data request from a client, wherein the data request comprises authentication information and request object information;
a data request response module, configured to respond to the data request, add a source token and a session identifier to a request header of the data request, and obtain a packaged data request; and
an encapsulated data request sending module, configured to send the encapsulated data request to the master control server, so that the master control server responds to the source token by transmitting the session identifier to the secondary server, the secondary server verifies at least part of the authentication information acquired from a specified storage space based on the session identifier from the master control server and returns a request result corresponding to the data request after the verification succeeds, wherein the specified storage space comprises at least part of the authentication information and the session identifier stored in association by the master control server.
17. A distributed micro-service data transmission device is arranged in a master control server, and comprises:
the encapsulated data request receiving module is used for receiving an encapsulated data request from a gateway, wherein the encapsulated data request comprises identity authentication information;
an encapsulated data request response module, configured to respond to the encapsulated data request, verify the authentication information if the request header of the encapsulated data request comprises a source token from a designated gateway, and store the session identifier in association with at least part of the authentication information in a designated storage space; and
a distributed data request generating module, configured to, if the verification succeeds, set a session token in a request header of the encapsulated data request to obtain a distributed data request and send the distributed data request to the secondary server, wherein the session token comprises a session identifier, so that the secondary server verifies at least part of the authentication information acquired from the specified storage space based on the session identifier and returns a request result corresponding to the data request after the verification succeeds.
18. A distributed micro-service data transmission device is arranged in a secondary server side, and the device comprises:
the distributed data request receiving module is used for receiving a distributed data request from a master control server end;
a distributed data request response module, configured to respond to the distributed data request, and if a request header of the distributed data request includes a source token and a session token, and the session token includes a session identifier, acquire at least part of the authentication information from a specified storage space based on the session identifier for verification, wherein the specified storage space includes at least part of the authentication information and the session identifier stored in association by the master control server; and
a request result returning module, configured to return a request result corresponding to the distributed data request after the verification succeeds, wherein the request result comprises a token string and encrypted target data, so that the master control server performs tamper detection on the encrypted target data based on the token string, and the token string is generated based on at least the source token and the session identifier.
19. A system for distributed microservice data transmission, comprising a client, a gateway, a master control server and a secondary server, wherein:
the gateway is configured to receive a data request from the client, where the data request includes authentication information and request object information; in response to the data request, add a source token and a session identifier to the request header of the data request to obtain an encapsulated data request; and send the encapsulated data request to the master control server;
the master control server is configured to, in response to the encapsulated data request, verify the authentication information if the request header of the encapsulated data request includes a source token indicating that the request originates from the gateway, and store the session identifier in association with at least part of the authentication information in a specified storage space; and, if the verification succeeds, set a session token in the request header of the encapsulated data request to obtain a distributed data request and send the distributed data request to the secondary server; and
the secondary server is configured to respond to the distributed data request and, if the request header of the distributed data request includes a source token and a session token, and the session token includes a session identifier, perform authentication with at least part of the authentication information obtained from the specified storage space based on the session identifier; and, after the verification succeeds, return a request result corresponding to the distributed data request, where the request result includes a token string and encrypted target data, so that the master control server can perform tamper detection on the encrypted target data based on the token string, and the token string is generated at least from the source token and the session identifier.
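As an added example that is not part of the patent or of the applicant's code, the following Python simulates the four roles of claim 19 end to end: the gateway stamps the request, the master verifies credentials and records the session, the secondary authenticates from the shared store and returns ciphertext with a token string, and the master uses that token string for tamper detection. The header names, the HMAC-based source token, the "sess." session token format, the toy cipher and the in-memory session store are all assumptions.

```python
import hashlib
import hmac
import secrets
# Constructed stand-ins, not the patent's values: a gateway/server shared key, an in-memory dict playing
# the "specified storage space" shared by master and secondary servers, and a tiny credential table.
SOURCE_KEY = b"gateway-source-key"
SESSION_STORE = {}
CREDENTIALS = {"alice": "s3cret"}

def _mac(key, msg):
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

def gateway_encapsulate(data_request):  # gateway: add source token + session identifier to the header
    sid = secrets.token_hex(8)
    headers = {"X-Source-Token": _mac(SOURCE_KEY, sid.encode()), "X-Session-Id": sid}
    return {"headers": headers, "body": data_request}

def _from_gateway(headers):  # the source token must be a valid MAC over the session identifier
    expected = _mac(SOURCE_KEY, headers.get("X-Session-Id", "").encode())
    return hmac.compare_digest(expected, headers.get("X-Source-Token", ""))

def master_dispatch(encapsulated):
    """Master: verify authentication info only for gateway-originated requests, then set a session token."""
    h, auth = encapsulated["headers"], encapsulated["body"]["auth"]
    if not _from_gateway(h) or CREDENTIALS.get(auth["user"]) != auth["password"]:
        return None
    SESSION_STORE[h["X-Session-Id"]] = {"user": auth["user"]}  # only part of the auth info is stored
    headers = {**h, "X-Session-Token": "sess." + h["X-Session-Id"]}  # session token carries the id
    return {"headers": headers, "body": {"object": encapsulated["body"]["object"]}}

def _encrypt(plaintext):  # toy XOR stream cipher standing in for the real encryption of target data
    stream = hashlib.sha256(b"target-data-key").digest() * (len(plaintext) // 32 + 1)
    return bytes(a ^ b for a, b in zip(plaintext, stream))
def _token_string(source_token, sid, ciphertext):  # generated from the source token and session id
    return _mac((source_token + sid).encode(), ciphertext)

def secondary_respond(distributed):
    """Secondary: require both tokens, authenticate from stored session data, return MAC'd ciphertext."""
    h = distributed["headers"]
    sid = h.get("X-Session-Token", "").partition(".")[2]
    record = SESSION_STORE.get(sid)
    if record is None or not _from_gateway(h):
        return None
    data = _encrypt(f"{distributed['body']['object']}:{record['user']}".encode())
    return {"token_string": _token_string(h["X-Source-Token"], sid, data), "data": data}

def master_verify_result(distributed, result):  # master-side tamper detection of the returned data
    h = distributed["headers"]
    expected = _token_string(h["X-Source-Token"], h["X-Session-Token"].partition(".")[2], result["data"])
    return hmac.compare_digest(expected, result["token_string"])
```

A request that skips the gateway (no valid source token), carries wrong credentials, or reaches the secondary without a session token is refused, and any modification of the returned ciphertext fails the master's token-string check.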
20. An electronic device, comprising:
one or more processors;
storage means for storing executable instructions which, when executed by the one or more processors, implement a method according to any one of claims 1 to 5, or implement a method according to any one of claims 6 to 10, or implement a method according to any one of claims 11 to 14.
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110439097.6A CN113141365B (en) 2021-04-23 2021-04-23 Distributed micro-service data transmission method, device, system and electronic equipment

Publications (2)

Publication Number Publication Date
CN113141365A (en) 2021-07-20
CN113141365B (en) 2022-06-24

Family

ID=76813401

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110439097.6A Active CN113141365B (en) 2021-04-23 2021-04-23 Distributed micro-service data transmission method, device, system and electronic equipment

Country Status (1)

Country Link
CN (1) CN113141365B (en)

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2023015412A1 (en) * 2021-08-09 2023-02-16 中国科学院深圳先进技术研究院 Cross-domain access control method and system, storage medium, and device
CN113691510A (en) * 2021-08-09 2021-11-23 中国科学院深圳先进技术研究院 Cross-domain access control method, system, storage medium and equipment
CN115134396A (en) * 2022-06-24 2022-09-30 京东方科技集团股份有限公司 Service calling method and device, electronic equipment and storage medium
CN115134152A (en) * 2022-06-29 2022-09-30 北京天融信网络安全技术有限公司 Data transmission method, data transmission device, storage medium, and electronic apparatus

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110086822A (en) * 2019-05-07 2019-08-02 北京智芯微电子科技有限公司 The realization method and system of unified identity authentication strategy towards micro services framework
CN111030818A (en) * 2020-01-09 2020-04-17 上海金仕达软件科技有限公司 Uniform session management method and system based on micro-service gateway

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US11252140B2 (en) * 2018-11-30 2022-02-15 Jpmorgan Chase Bank, N.A. Systems and methods for securely calling APIs on an API gateway from applications needing first party authentication
US11356458B2 (en) * 2019-03-15 2022-06-07 Mastercard International Incorporated Systems, methods, and computer program products for dual layer federated identity based access control

Also Published As

Publication number Publication date
CN113141365A (en) 2021-07-20

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant