CN113271310A - Method for checking and managing request authority - Google Patents

Method for checking and managing request authority

Info

Publication number: CN113271310A (application CN202110572555.3A)
Authority: CN (China)
Prior art keywords: service; request; web layer; layer service; configuration file
Legal status: Granted; currently Active (anticipated expiration not listed)
Other languages: Chinese (zh)
Other versions: CN113271310B (en)
Inventors: 邓文科, 郑小丰, 宋舰, 曾辉, 鲜青林
Current assignee: Sichuan Hongmagic Cube Network Technology Co ltd
Original assignee: Sichuan Hongmagic Cube Network Technology Co ltd
Application filed by: Sichuan Hongmagic Cube Network Technology Co ltd
Priority date: 2021-05-25 (priority to CN202110572555.3A)
Filing date: 2021-05-25
Publication dates: 2021-08-17 (CN113271310A); 2022-10-11 (CN113271310B, grant)

Classifications

CPC section H (Electricity), class H04 (Electric communication technique), subclass H04L (Transmission of digital information, e.g. telegraphic communication):

    • H04L63/10: Network architectures or network communication protocols for network security, for controlling access to devices or network resources (under H04L63/00)
    • H04L67/025: Protocols based on web technology, e.g. hypertext transfer protocol [HTTP], for remote control or remote monitoring of applications (under H04L67/00 Network arrangements or protocols for supporting network services or applications, H04L67/01 Protocols, H04L67/02)
    • H04L67/06: Protocols specially adapted for file transfer, e.g. file transfer protocol [FTP] (under H04L67/00, H04L67/01)
    • H04L67/30: Profiles (under H04L67/00, H04L67/2866 Architectures; Arrangements)
    • H04L67/60: Scheduling or organising the servicing of application requests, e.g. requests for application data transmissions using the analysis and optimisation of the required network resources (under H04L67/00, H04L67/50 Network services)

Abstract

The invention discloses a method for verifying and managing request permissions, comprising the following steps: after the Auth service starts, it loads a permission rule configuration file; after a web-layer service starts, it loads a local rule configuration file according to its business needs; a request from a smart terminal reaches the web-layer service, which checks it and passes it on to the next stage; after the backend service completes the business operation, the result is returned to the web-layer service, which attaches its local rule configuration file and forwards the request to the Auth service; the Auth service generates an authorization identity credential, caches it, and returns it along the original path; the web-layer service combines it with the backend processing result and returns both to the smart terminal along the original path; if the request is an ordinary request, the web-layer service queries the cache for matching authorization information and, if it exists, passes the request to the backend service to complete it. The invention ensures that an enterprise cloud service request is not verified repeatedly within a specified time, that the verification result is shared across associated services, and that processing time is reduced.

Description

Method for checking and managing request authority
Technical Field
The invention relates to the field of communication technology, and in particular to a method for verifying and managing request permissions.
Background
Network requests normally pass through a permission verification mechanism. The more associated services an enterprise cloud has, the more complex that mechanism becomes and the longer it takes. In the usual design, each service checks whether the identity behind a request is legitimate in its first layer, as soon as the request arrives, and only a legitimate request is passed on to the next layer. This check logic runs once for every request, so the cloud executes a large amount of duplicated verification logic.
Disclosure of Invention
The invention aims to provide a method for verifying and managing request permissions, namely an authorization management method under which an enterprise cloud service request is not verified repeatedly within a specified time, the verification result is shared across associated services, and processing time is reduced.
To achieve this, the invention adopts the following technical scheme. A method for verifying and managing request permissions comprises the following steps:
after the Auth service starts, loading a permission rule configuration file, which contains a permission rule tree;
after a web-layer service starts, loading a local rule configuration file according to its business needs, which contains basic information together with coordinate information locating the service's rules in the permission rule tree;
after the web-layer service has loaded the local rule configuration file, subscribing to message topics according to that file;
when a request from a smart terminal reaches the web-layer service, the web-layer service performing a simple check according to the local rule configuration file and then passing the request on to the next stage;
if the request is the designated authorization-acquiring request (the only request type allowed to obtain an authorization), passing it to the backend service to complete the business operation; after the backend service finishes, returning the result to the web-layer service, which attaches its local rule configuration file and forwards the request to the Auth service;
the Auth service generating an authorization identity credential from the forwarded request and the permission rules, caching it, and returning it along the original path;
on receiving the authorization result from the Auth service, the web-layer service combining it with the earlier backend processing result and returning both to the smart terminal along the original path;
if the request is an ordinary request, the web-layer service directly querying the cache, according to the local rule configuration file, for matching authorization information; if it exists, passing the request to the backend service to complete the business operation, otherwise refusing the request.
As a further improvement of the invention, the method also comprises the following step:
if the request is an authorization revocation, the web-layer service sending it to the Auth service; on receiving it, the Auth service broadcasting a revocation message, and every other web-layer service subscribed to that message topic applying its own revocation business logic on receipt.
As a further improvement of the invention, the smart terminal is a smartphone or a PC.
The beneficial effects of the invention are:
by providing network request permission management as a service, the network request permission rules of a complex cloud system are managed in one place, the authorization rules of each service can be adjusted dynamically, and identity verification logic is not run repeatedly while a network request is processed. Request handling is faster, server load is lower, and permission management is simpler.
Drawings
FIG. 1 is a block diagram of an embodiment of the invention.
Detailed Description
Embodiments of the present invention will be described in detail below with reference to the accompanying drawings.
Embodiment
As shown in FIG. 1, a method for verifying and managing request permissions comprises:
1. after the Auth service starts, loading a permission rule configuration file, which contains the permission rule tree for the whole system;
2. after a web-layer service starts, loading a local rule configuration file according to its business needs, e.g. web-layer service A loads file a and web-layer service B loads file b in FIG. 1; besides basic information, local rule configuration files a and b contain coordinate information locating their rules in the permission rule tree;
3. after loading the local rule configuration file, subscribing to message topics according to that file;
4. when a request from a smartphone or PC reaches the web-layer service, performing a simple check according to local rule configuration file a/b and then passing the request on to the next stage;
5. if the request is the designated authorization-acquiring request (the only request type allowed to obtain an authorization), passing it to the backend service to complete the business operation; after the backend service finishes, returning the result to the web-layer service, which attaches local rule configuration file a/b and forwards the request to the Auth service;
6. the Auth service generating an authorization identity credential from the forwarded request and the permission rules, caching it, and returning it along the original path;
7. on receiving the authorization result from the Auth service, the web-layer service combining it with the earlier backend processing result and returning both to the smartphone or PC along the original path;
8. if the request is an ordinary request, the web-layer service directly querying the cache, according to local rule configuration file a/b, for matching authorization information; if it exists, passing the request to the backend service to complete the business operation, otherwise refusing the request;
9. if the request is an authorization revocation, after the request itself has completed as in step 7, the web-layer service sending a request to the Auth service; on receiving it, the Auth service broadcasting a revocation message to the whole system, and every other web-layer service subscribed to that message topic applying its own revocation business logic on receipt.
This embodiment is further explained as follows:
1. Authorization stage. Once a request has completed its specific business logic, an authorization identity is generated and cached for several minutes: the service layer sends the request result to the Auth service, the Auth service generates the request identity information according to the rules preset in its configuration file and returns it along the original path, and at the same time caches the identity credential for several minutes.
2. Verification stage. The request is relayed to the Auth service through the web-layer service and the Auth service returns the verification result. In detail: after starting, the web-layer service loads preset rule a from its local rule configuration file; when a request arrives, the web-layer service performs the basic operations prescribed by rule a on the identity information carried in the request and checks the result against the cache; if there is a match, the request is passed to the backend service, otherwise it is refused.
3. Authorization revocation. After receiving a message from the Auth service that revokes a given authorization identity, a web-layer service runs its corresponding business logic. Each web-layer service subscribes to the Auth service's messages according to the preset rules loaded from its configuration file at start-up. If web-layer services A and B are associated in business, then when A receives a request to revoke an authorization identity, A sends a request to the Auth service; the Auth service broadcasts the revocation message across the whole network according to the rules in the request and clears its cache; and service B, which subscribed to the message, runs its corresponding logic (for example, a liquidation business process) on receipt.
4. Rule loading. The rules loaded by the Auth service and the rules loaded by the web-layer services stand in a many-to-one relationship: the Auth service loads rule set M and each web-layer service loads a rule N. Rule M holds the detailed identity creation rules, verification rules and so on. Rule N holds the information needed to locate it within M, such as the rule version, the rule validity period and the range of services the rule applies to. With this locating information the rule can be found precisely in M, and the rules together form a rule tree.
The above embodiment only describes specific embodiments of the invention; its description is specific and detailed, but it is not to be construed as limiting the scope of the invention. A person skilled in the art can make a number of variations and modifications without departing from the inventive concept, and these fall within the scope of the invention.
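The nine steps of the embodiment and the four-point explanation above can be exercised together in one small model. The Python below is an added example written for this page, not code from the patent or its assignee. The rule tree layout, the field names of the local rule files (rule_version, coordinates, actions, grant_action, subscribe), the 300-second cache lifetime, the in-process publish/subscribe and the client-supplied subject field used to bind a credential are all assumptions. It shows the Auth service loading the full rule tree (rule M), two web-layer services A and B loading local rules (rule N) whose coordinates point into that tree, the authorization-acquiring request that runs the backend first and then obtains a cached credential, an ordinary request served from the cache, a credential refused outside the service range it was issued for, revocation broadcast to the subscribed service B, and expiry once the cache lifetime has passed.

```python
import secrets
import time
from collections import namedtuple

# Assumed full rule tree loaded by the Auth service at start-up (rule "M" in the text).
# Each leaf is addressed by a path; a local rule stores that path as its coordinates.
RULE_TREE = {"version": 3, "services": {"order": {"ttl_s": 300}, "settle": {"ttl_s": 300}}}

# Assumed local rule files (rule "N") of web-layer services A and B: "actions" is the basic
# information for the local check, "grant_action" the one request type that may obtain an
# authorization, "subscribe" the revocation topics this service listens on.
LOCAL_RULE_A = {"rule_version": 3, "coordinates": ["services", "order"], "grant_action": "login",
                "actions": {"login", "create", "query", "cancel"}, "subscribe": []}
LOCAL_RULE_B = {"rule_version": 3, "coordinates": ["services", "settle"], "grant_action": None,
                "actions": {"query", "liquidate"}, "subscribe": ["revoke/order"]}

# scope is the leaf the credential was issued for (its applicable service range)
Credential = namedtuple("Credential", "token subject scope rule_version expires_at")


class AuthService:
    """Holds the full rule tree, issues and caches credentials, broadcasts revocations."""
    def __init__(self, rule_tree, clock=time.monotonic):
        self.rules, self.clock = rule_tree, clock
        self.cache = {}          # token -> Credential; the cache the web layer queries
        self.subscribers = {}    # topic -> [callback]

    def locate(self, local_rule):
        """Follow a local rule's coordinates into the tree; refuse a stale rule version."""
        if local_rule["rule_version"] != self.rules["version"]:
            raise PermissionError("local rule version does not match the rule tree")
        node = self.rules
        for step in local_rule["coordinates"]:
            node = node[step]
        return local_rule["coordinates"][-1], node

    def issue(self, subject, local_rule):
        scope, node = self.locate(local_rule)
        cred = Credential(secrets.token_urlsafe(32), subject, scope,
                          self.rules["version"], self.clock() + node["ttl_s"])
        self.cache[cred.token] = cred
        return cred

    def lookup(self, token, local_rule):
        scope, _ = self.locate(local_rule)
        cred = self.cache.get(token)
        if cred is None or cred.scope != scope or cred.rule_version != self.rules["version"]:
            return None
        if cred.expires_at <= self.clock():
            del self.cache[token]        # expired: evict and report a miss
            return None
        return cred

    def revoke(self, token):
        cred = self.cache.pop(token, None)
        for cb in (self.subscribers.get(f"revoke/{cred.scope}", []) if cred else []):
            cb(cred)                     # every subscribed web-layer service gets the message
        return cred is not None


class WebLayerService:
    """One web-layer service: loads its local rule, subscribes, gates requests."""
    def __init__(self, local_rule, auth, backend):
        self.rule, self.auth, self.backend = local_rule, auth, backend
        self.revocations = []            # what this service's revocation logic acted on
        for topic in local_rule["subscribe"]:  # revocation business logic, run per message
            auth.subscribers.setdefault(topic, []).append(
                lambda cred: self.revocations.append((cred.subject, cred.scope)))

    def handle(self, req):
        if req["action"] not in self.rule["actions"]:          # the "simple" local check
            return {"ok": False, "reason": "action not permitted by local rule"}
        if req["action"] == self.rule["grant_action"]:
            result = self.backend(req)                          # backend completes first,
            cred = self.auth.issue(req["subject"], self.rule)   # then Auth issues and caches
            return {"ok": True, "result": result, "token": cred.token}
        cred = self.auth.lookup(req.get("token"), self.rule)
        # binding by a client-supplied subject is an assumption; bind to the session in practice
        if cred is None or cred.subject != req["subject"]:
            return {"ok": False, "reason": "no matching authorization in cache"}
        result = self.backend(req)
        if req.get("revoke"):
            self.auth.revoke(cred.token)                        # revoke once the request is done
        return {"ok": True, "result": result}


def demo():
    """Run the whole flow against a controllable clock; return what each step produced."""
    now = [1000.0]
    auth = AuthService(RULE_TREE, clock=lambda: now[0])
    backend = lambda req: f"{req['action']}:done"               # stand-in for the backend service
    a, b = WebLayerService(LOCAL_RULE_A, auth, backend), WebLayerService(LOCAL_RULE_B, auth, backend)
    out = {"grant": a.handle({"subject": "u1", "action": "login"})}
    tok = out["grant"]["token"]
    out["cached_ok"] = a.handle({"subject": "u1", "action": "create", "token": tok})
    out["other_scope"] = b.handle({"subject": "u1", "action": "query", "token": tok})
    out["revoke"] = a.handle({"subject": "u1", "action": "cancel", "token": tok, "revoke": True})
    out["after_revoke"] = a.handle({"subject": "u1", "action": "query", "token": tok})
    out["b_saw"] = list(b.revocations)
    tok2 = a.handle({"subject": "u2", "action": "login"})["token"]
    now[0] += RULE_TREE["services"]["order"]["ttl_s"] + 1
    out["expired"] = a.handle({"subject": "u2", "action": "query", "token": tok2})
    return out
```

Two checks in this model go slightly beyond what the text spells out and are worth keeping in any implementation: the credential records the rule version and the scope it was issued for, so a credential issued under an older rule set or for one service cannot be replayed against another, and a local rule N whose version no longer matches M is refused outright rather than resolved to the wrong leaf. In a deployment the Auth cache would be a shared store rather than a dict, the broadcast a real message bus, and the credential bound to the authenticated session rather than to a subject field the client supplies.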

Claims (3)

1. A method for verifying and managing request permissions, comprising:
after the Auth service starts, loading a permission rule configuration file, the permission rule configuration file containing a permission rule tree;
after a web-layer service starts, loading a local rule configuration file according to its business needs, the local rule configuration file containing basic information and coordinate information locating the service's rules in the permission rule tree;
after the web-layer service has loaded the local rule configuration file, subscribing to message topics according to the local rule configuration file;
after a request from a smart terminal reaches the web-layer service, the web-layer service performing a simple check according to the local rule configuration file and then passing the request on to the next stage;
if the request is the designated authorization-acquiring request (the only request type allowed to obtain an authorization), passing the request to the backend service to complete the business operation, returning the result to the web-layer service after the backend service completes it, and the web-layer service attaching the local rule configuration file and forwarding the request to the Auth service;
the Auth service generating an authorization identity credential according to the forwarded request and the permission rules, then caching the authorization identity credential and returning it along the original path;
after receiving the authorization result returned by the Auth service, the web-layer service combining it with the earlier backend processing result and returning both to the smart terminal along the original path; and
if the request is an ordinary request, the web-layer service directly querying the cache, according to the local rule configuration file, for matching authorization information, and if it exists passing the request to the backend service to complete the business operation, otherwise refusing the request.
2. The method for verifying and managing request permissions according to claim 1, further comprising:
if the request is an authorization revocation, the web-layer service sending the request to the Auth service, the Auth service broadcasting a revocation message after receiving it, and other web-layer services subscribed to that message topic applying their corresponding revocation business logic after receiving the revocation message.
3. The method for verifying and managing request permissions according to claim 1 or 2, wherein the smart terminal is a smartphone or a PC.

Priority Applications (1)

Application Number | Priority Date | Filing Date | Title
CN202110572555.3A | 2021-05-25 | 2021-05-25 | Method for checking and managing request authority (granted as CN113271310B, Active)

Publications (2)

Publication Number | Publication Date
CN113271310A | 2021-08-17
CN113271310B | 2022-10-11

Family

ID: 77232705

Country Status (1)

Country | Link
CN | CN113271310B (en)

Patent Citations (8)

* Cited by examiner, † Cited by third party
Publication number | Priority date | Publication date | Assignee | Title
CN101952830A * | 2007-10-05 | 2011-01-19 | 通用电气智能平台有限公司 | Methods and systems for user authorization
US20100077469A1 * | 2008-09-19 | 2010-03-25 | Michael Furman | Single Sign On Infrastructure
US20170366395A1 * | 2015-06-02 | 2017-12-21 | ALTR Solutions, Inc. | Automated sensing of network conditions for dynamically provisioning efficient VPN tunnels
CN106713271A * | 2016-11-25 | 2017-05-24 | 国云科技股份有限公司 | Web system login constraint method based on single sign-on
CN109672675A * | 2018-12-20 | 2019-04-23 | 成都三零瑞通移动通信有限公司 | A web authentication method for cryptographic service middleware based on OAuth 2.0
CN111814186A * | 2020-07-13 | 2020-10-23 | 四川虹魔方网络科技有限公司 (Sichuan Hongmagic Cube Network Technology Co ltd) | Menu authority access control method for an intelligent device operation platform
CN111935169A * | 2020-08-20 | 2020-11-13 | 腾讯科技(深圳)有限公司 (Tencent Technology (Shenzhen) Co., Ltd.) | Business data access method, device, equipment and storage medium
CN112597472A * | 2021-03-03 | 2021-04-02 | 北京视界云天科技有限公司 | Single sign-on method, device and storage medium

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
Haiyang Qian, Chandra Sekhar Surapaneni, Stephen Dispensa: "Service management architecture and system capacity design for PhoneFactor: a two-factor authentication service", 2009 IFIP/IEEE International Symposium on Integrated Network Management *
沈海波, 洪帆: "Research on attribute-based access control for Web services" (面向Web服务的基于属性的访问控制研究), 《计算机科学》 (Computer Science) *



Legal Events

Code | Title
PB01 | Publication
SE01 | Entry into force of request for substantive examination
GR01 | Patent grant