CN113626795A - Verification method and device of distributed system architecture, electronic equipment and storage medium - Google Patents


Info

Publication number: CN113626795A
Application number: CN202110917420.6A
Authority: CN (China)
Legal status: Pending
Other languages: Chinese (zh)
Inventors: 许勇, 王建辉, 安心怡, 房和佳
Current and original assignee: Industrial and Commercial Bank of China Ltd (ICBC); ICBC Technology Co Ltd
Prior art keywords: verification, user, service, authentication, verification result

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/44 Program or device authentication
    • G06F21/45 Structures or tools for the administration of authentication

Abstract

The disclosure provides a verification method and device for a distributed system architecture, electronic equipment and a storage medium, which can be applied in the internet technology field, the financial field or other fields. The distributed system architecture comprises a certification authority (CA) and a plurality of service systems, and the verification method comprises the following steps: configuring configuration information of the plurality of service systems in the certification authority, wherein the configuration information comprises system name information, service routing information and interface information; the certification authority acquires a verification request of a user from a service system and generates a response message according to the verification request; the certification authority generates a verification result according to the configuration information and the response message, and stores the verification result in the plurality of service systems; and the plurality of service systems acquire an operation instruction from the user and respond to the operation instruction according to the stored verification result.

Description

Verification method and device of distributed system architecture, electronic equipment and storage medium
Technical Field
The present disclosure relates to the field of internet technologies, and in particular, to a verification method and apparatus for a distributed system architecture, an electronic device, a readable storage medium, and a computer program product.
Background
In a distributed service system architecture, a unified certification authority (CA) node authenticates the identity, login status and data authority of an operating user across the other service systems. In the related art, an interceptor has to be added to each of the service systems for authentication: whenever a user of a service system performs a function operation, the unified CA is called directly or through a proxy, and authentication is performed according to the authentication result returned by the CA service. As service systems and functions keep expanding, and the number of service systems and users grows, every operation or page click by a user triggers a verification, so the load on the unified CA increases greatly; to keep the service running normally, servers, memory and the like must be added continuously, which results in high hardware cost.
Disclosure of Invention
In view of the foregoing, the present disclosure provides a verification method and apparatus for a distributed system architecture, an electronic device, and a readable storage medium, which can effectively alleviate the service pressure of a unified certification authority.
According to a first aspect of the present disclosure, there is provided a verification method for a distributed system architecture, the distributed system architecture comprising a certification authority and a plurality of service systems, wherein the verification method comprises: configuring configuration information of the plurality of service systems in the certification authority, wherein the configuration information comprises system name information, service routing information and interface information; the certification authority acquires a verification request from a user of a service system and generates a response message according to the verification request; the certification authority generates a verification result according to the configuration information and the response message, and stores the verification result in the plurality of service systems; and the plurality of service systems acquire an operation instruction from the user and respond to the operation instruction according to the verification result.
According to an embodiment of the present disclosure, the generating, by the certification authority, of a verification result according to the configuration information and the response message includes: acquiring the configuration information of the plurality of service systems stored in the certification authority; acquiring associated information corresponding to the plurality of service systems according to the configuration information; and integrating the associated information with the response message to generate the verification result.
According to an embodiment of the present disclosure, the acquiring, according to the configuration information, of associated information corresponding to the plurality of service systems includes: traversing the plurality of service systems; and acquiring, for each service system, the associated information of that service system according to its type, wherein the associated information comprises a verification result service routing interface.
According to an embodiment of the present disclosure, the storing of the verification result in the plurality of service systems includes: storing the verification result in the plurality of service systems in the form of a cache and/or persistent storage to generate verification data.
According to an embodiment of the present disclosure, the verification method further includes, after the verification result is stored in the plurality of service systems, determining the expiration time of the verification data.
According to an embodiment of the present disclosure, the verification method further includes, after the response message is generated according to the verification request, generating a user session expiration time according to the verification request.
According to an embodiment of the present disclosure, the determining of the expiration time of the verification data includes: the service system determines the expiration time of the verification data according to the user session expiration time.
According to an embodiment of the present disclosure, the determining of the expiration time of the verification data includes: the service system determines the expiration time of the verification data according to the user's logout state.
According to the embodiment of the present disclosure, the verification method further includes updating the configuration information in the certification authority in real time according to the updated states of the plurality of business systems.
According to the embodiment of the present disclosure, the verification result includes verification pass and verification fail, and the responding to the operation instruction of the user according to the verification result includes: if the verification result is that the verification is passed, the plurality of service systems execute the operation instruction of the user; and if the verification result is verification failure, the plurality of service systems do not execute the operation instruction of the user or prompt the user to perform verification operation.
A second aspect of the present disclosure provides a verification apparatus for a distributed system architecture including a certification authority and a plurality of business systems, wherein the verification apparatus includes: a configuration module configured to configure configuration information of the plurality of business systems in the certification authority, the configuration information including system name information, service routing information and interface information; a first generation module configured to acquire, through the certification authority, a verification request from a user of a service system and to generate a response message according to the verification request; a second generation module configured to generate, through the certification authority, a verification result according to the configuration information and the response message, and to store the verification result in the plurality of service systems; and a response module configured to acquire, through the plurality of service systems, an operation instruction from the user and to respond to the operation instruction according to the verification result.
According to an embodiment of the present disclosure, the second generating module includes a second generating submodule configured to acquire configuration information of the plurality of business systems stored in the certification authority; acquiring associated information corresponding to the plurality of service systems according to the configuration information; and integrating the associated information and the response message to generate a verification result.
According to an embodiment of the present disclosure, the second generation submodule includes an acquiring submodule configured to traverse the plurality of business systems and to acquire, for each service system, the associated information of that service system according to its type, wherein the associated information comprises a verification result service routing interface.
According to an embodiment of the present disclosure, the second generating module further includes a saving sub-module, and the saving sub-module is configured to save the verification result to the plurality of business systems in a form of cache and/or persistent storage, so as to generate verification data.
According to an embodiment of the present disclosure, the verification apparatus further includes a determining module configured to generate a user session expiration time according to the verification request after the response message is generated according to the verification request, and to enable the service system to determine the expiration time of the verification data according to the user session expiration time; or the determining module is configured to enable the service system to determine the expiration time of the verification data according to the user's logout state.
According to the embodiment of the present disclosure, the response module includes a response submodule, and the response submodule is configured to enable the plurality of service systems to execute the operation instruction of the user if the verification result is that the verification is passed; and if the verification result is verification failure, the plurality of service systems are enabled not to execute the operation instruction of the user, or the user is prompted to carry out verification operation.
A third aspect of the present disclosure provides an electronic device, comprising: one or more processors; a storage device for storing executable instructions that, when executed by the processor, implement the authentication method according to the above.
A fourth aspect of the disclosure provides a computer readable storage medium having stored thereon executable instructions which, when executed by a processor, implement the authentication method according to the above.
A fifth aspect of the disclosure provides a computer program product, wherein the product stores a computer program, which when executed is capable of implementing the authentication method according to the above.
According to the embodiments of the disclosure, the verification result is generated from the response message, which is itself generated from the user's verification request, together with the configuration information of the plurality of service systems; the verification result is stored in the plurality of service systems, and when a user of a service system performs an operation, the operation instruction is responded to according to the verification result stored in that service system. Because the verification result is stored in the service system once the user has been verified, the user does not need to be verified by the certification authority again for each operation; the processing pressure on the certification authority is thus effectively reduced when many service systems are accessed or there are many users, hardware can be saved at least in part, and cost is reduced.
Drawings
The foregoing and other objects, features and advantages of the disclosure will be apparent from the following description of embodiments of the disclosure, which proceeds with reference to the accompanying drawings, in which:
FIG. 1 schematically shows a schematic diagram of a system architecture to which the authentication method of the embodiments of the present disclosure may be applied;
FIG. 2A schematically illustrates a flow chart of a verification method according to an embodiment of the present disclosure;
FIG. 2B schematically shows a schematic diagram of an implementation of a verification method according to an embodiment of the present disclosure;
FIG. 3 schematically shows a flow chart of generating a verification result of a verification method according to an embodiment of the present disclosure;
FIG. 4 schematically illustrates a flow chart for obtaining association information for a verification method according to an embodiment of the present disclosure;
FIG. 5 schematically shows a flow chart of the execution of the validation method in the business system and certification authority according to an embodiment of the present disclosure;
FIG. 6 schematically shows a block diagram of an authentication apparatus according to an embodiment of the present disclosure;
FIG. 7 schematically shows a block diagram of an electronic device adapted to implement the authentication method of the present disclosure, according to an embodiment of the present disclosure.
Detailed Description
Hereinafter, embodiments of the present disclosure will be described with reference to the accompanying drawings. It should be understood that the description is illustrative only and is not intended to limit the scope of the present disclosure. In the following detailed description, for purposes of explanation, numerous specific details are set forth in order to provide a thorough understanding of the embodiments of the disclosure. It may be evident, however, that one or more embodiments may be practiced without these specific details. Moreover, in the following description, descriptions of well-known structures and techniques are omitted so as to not unnecessarily obscure the concepts of the present disclosure.
The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the disclosure. The terms "comprises," "comprising," and the like, as used herein, specify the presence of stated features, steps, operations, and/or components, but do not preclude the presence or addition of one or more other features, steps, operations, or components.
All terms (including technical and scientific terms) used herein have the same meaning as commonly understood by one of ordinary skill in the art unless otherwise defined. It is noted that the terms used herein should be interpreted as having a meaning that is consistent with the context of this specification and should not be interpreted in an idealized or overly formal sense.
Where a convention analogous to "at least one of A, B and C, etc." is used, in general such a construction is intended in the sense one having skill in the art would understand the convention (e.g., "a system having at least one of A, B and C" would include but not be limited to systems that have A alone, B alone, C alone, A and B together, A and C together, B and C together, and/or A, B and C together, etc.).
The embodiments of the disclosure provide a verification method and device for a distributed system architecture, wherein the distributed system architecture comprises a certification authority and a plurality of service systems, and the verification method comprises the following steps: configuring configuration information of the plurality of service systems in the certification authority, wherein the configuration information comprises system name information, service routing information and interface information; the certification authority acquires a verification request of a user from a service system and generates a response message according to the verification request; the certification authority generates a verification result according to the configuration information and the response message, and stores the verification result in the plurality of service systems; and the plurality of service systems acquire an operation instruction from the user and respond to the operation instruction according to the verification result.
Fig. 1 schematically shows a schematic diagram of a system architecture to which the authentication method of the embodiment of the present disclosure can be applied. It should be noted that fig. 1 is only an example of a system architecture to which the embodiments of the present disclosure may be applied to help those skilled in the art understand the technical content of the present disclosure, and does not mean that the embodiments of the present disclosure may not be applied to other devices, systems, environments or scenarios. It should be noted that the verification method and apparatus provided by the embodiment of the present disclosure may be used in related aspects in the internet technology field and the financial field, and may also be used in any field other than the financial field.
As shown in FIG. 1, an exemplary system architecture 100 to which the verification method may be applied may include a plurality of business systems 101, 102, 103, 104, a network 105, and a certification authority 106. The network 105 serves as a medium providing communication links between the plurality of business systems 101, 102, 103, 104 and the certification authority 106. The network 105 may include various connection types, such as wired or wireless communication links, or fiber optic cables, to name a few.
A user may interact with the certification authority 106 via the network 105 using the plurality of business systems 101, 102, 103, 104, for example to have the identity information of a user of a business system verified by the certification authority. Various data processing clients or communication client applications can be installed on the plurality of business systems 101, 102, 103, 104; the business systems are provided with information input devices, through which various items of user information can be entered. For example, the business system application may be a banking application, a data analysis application, a shopping application, a web browser application, a search application, an instant messaging tool, a mailbox client, social platform software, etc. (by way of example only), and the corresponding user identity information may be input through these client applications.
The business systems 101, 102, 103, 104 may be various electronic devices with information input, information collection, and data processing functions, including but not limited to smart phones, smart televisions, tablets, laptop portable computers, desktop computers, and the like.
The certification authority 106 may be a system including a security server that provides security services such as certificate application, browsing, certificate revocation lists and certificate download, a CA server, a registration center (RA), an LDAP server, and a database server. The CA server is the core of the whole certification authority and is responsible for issuing certificates. The registration center RA is oriented to the registration center operator. The LDAP server provides a directory browsing service, through which users can obtain the digital certificates of other users. The database server stores and manages the certification authority's data (such as keys and user information), logs and statistics. The certification authority 106 mainly verifies information such as the identity of a user coming from a business system.
It should be noted that the verification method provided by the embodiments of the present disclosure is implemented through the interaction between the plurality of business systems and the certification authority. Specifically, a user of a business system 101, 102, 103, 104 enters a verification request, which the business system sends to the certification authority 106. After receiving the verification request, the certification authority identifies the user, generates a verification result, and finally sends the verification result to all the service systems 101, 102, 103 and 104, which store the user's verification result. As long as the user has not closed the current session, related business operations performed by the user on a business system do not need to be authenticated by the certification authority 106 again. This makes it possible to reduce the processing load on the certification authority 106 when many service systems 101, 102, 103 and 104 are accessed or there are many users, and to achieve hardware saving and cost reduction at least in part.
It should be understood that the number of business systems, networks, and certification authorities in fig. 1 is merely illustrative. There may be any number of business systems, networks, and certification authorities, as desired for an implementation.
The authentication method of the disclosed embodiment will be described in detail below with reference to fig. 2A to 5.
Fig. 2A schematically illustrates a flow chart of a verification method according to an embodiment of the present disclosure. Fig. 2B schematically shows a schematic diagram of an implementation of an authentication method according to an embodiment of the present disclosure.
As shown in fig. 2A, a flow 200 of a verification method of a distributed system architecture according to an embodiment of the present disclosure includes operations S201 to S204. The distributed system architecture includes a Certification Authority (CA) and a plurality of service systems.
In operation S201, configuration information of a plurality of business systems is configured in a certification authority, the configuration information including system name information, service routing information, and interface information.
In the embodiments of the present disclosure, the configuration information of the plurality of business systems is configured in the certification authority; for example, the configuration information may be business system name information (the name corresponding to each business system), service routing information, and interface information such as the URL of the interface for persisting the CA verification result. After the certification authority is configured, the configuration information is stored in the certification authority so that it can be invoked later.
The configuration information supports real-time online synchronous updates. For example, when the name of a service system is changed, the configuration information corresponding to the service system is updated according to the changed state of the service system. When the service system is increased or decreased, the configuration information of the corresponding service system is increased or deleted in real time according to the increase or decrease of the service system, so that the accuracy of the configuration information and the synchronous change of the configuration information and the service system are ensured.
In operation S202, the certification authority obtains a verification request from a user of a service system, and generates a response message according to the verification request.
In an embodiment of the present disclosure, the distributed system architecture includes a plurality of business systems, each business system having a plurality of users. When a user wants to operate a service in a service system, the user needs to complete operations such as login and the like by inputting authentication information (for example, identity information) to acquire a corresponding right, and further perform corresponding operations on the service in the service system.
For example, a user performs a login/logout operation in one of the service systems, and according to the user login/logout operation, the service system generates a verification request of the user and sends the verification request to the certification authority. After obtaining the verification request, the certification authority verifies the information related to the user in the verification request and generates a response message. The response message includes information of passing or failing verification.
In operation S203, the certification authority generates a verification result according to the configuration information and the response message, and stores the verification result in the plurality of service systems.
In the embodiments of the present disclosure, the response message generated for a verification request is the same for every service system, whereas the configuration information differs from one service system to another. It is therefore necessary to combine the response message with the configuration information to generate a verification result for each service system, so that the verification results can be effectively transmitted to and stored in the multiple service systems and invoked by them.
For example, as shown in FIG. 2B, the distributed system architecture 210 of the present embodiment includes a plurality of service systems, such as a service system A 211, a service system B 212, a service system C 213 and a service system N 214, and a certification authority 216. The business systems may communicate with the certification authority 216. Each business system has a different business, and the configuration information configured in the certification authority 216 for the different business systems is also different. Based on the configuration information configured in it, the certification authority 216 is able to communicate with the different business systems.
In one embodiment, for example, a user of business system N 214 who needs to operate the business of that system sends a user verification request 215 associated with the user to the certification authority 216 through business system N 214; after receiving the user verification request, the certification authority 216 generates a verification result 217, which is associated with the user. The certification authority 216 sends the generated verification result 217 to all business systems of the distributed system architecture 210. All the business systems receive and store the verification result 217. Then, as long as the state of the verification result 217 has not changed, when the same user (with the same user identity information as in business system N 214) performs a related business operation in another business system (for example, business system A 211 or business system C 213), that business system executes the instruction according to the verification result of the user stored in it.
In an alternative embodiment, the certification authority may also accept verification requests for the same user from multiple business systems simultaneously. When the verification result is a pass and its state has not changed, the certification authority 216 does not accept further verification requests from the same user. When the verification result is a failure, or its state has changed, the certification authority 216 may accept a verification request from the user again. A change in the state of the verification result may mean, for example, that the verification result has expired, or that the user associated with it has logged out through the certification authority.
In an alternative embodiment, after generating the verification result, the certification authority may be configured to send the verification result only to the service systems associated with the logged-in user, and not to service systems that are not associated with that user.
In operation S204, the plurality of business systems acquire an operation instruction from the user and respond to it according to the verification result.
After the verification result has been stored in the plurality of business systems, a business system that receives an operation instruction from a user responds to it according to the stored verification result. For example, where the verification result is stored in all business systems, any business system that receives an operation instruction first judges whether the user is associated with a stored verification result. If so, it further judges whether that result is a pass or a fail and responds differently according to the outcome. If not, the business system may display a login interface or a verification interface prompting the user to send a verification request to the authentication authority.
According to this embodiment of the disclosure, the authentication authority generates the verification result from the user's verification request and stores it in the plurality of business systems of the distributed system architecture. When the user is logged in to any of these business systems, the business system responds to the user's operations directly according to the stored verification result, without going back to the authentication authority, which effectively reduces the processing load on the authentication authority.
Fig. 3 schematically shows a flowchart of generating a verification result in a verification method according to an embodiment of the present disclosure.
In an embodiment of the present disclosure, the flow 300 in which the authentication authority generates the verification result according to the configuration information and the response message includes operations S301 to S303.
In operation S301, the configuration information of the plurality of business systems stored in the authentication authority is acquired.
The configuration information stored in the authentication authority covers all business systems of the distributed system architecture. It includes, for example, the name information, service routing information and interface information of every business system, and connections to the different business systems can be established from this information.
In operation S302, association information corresponding to the plurality of business systems is acquired according to the configuration information.
Based on the configuration information, a connection can be established between the authentication authority and each business system, so that data and other information can be conveniently transmitted to the business system.
Fig. 4 schematically shows a flowchart of acquiring association information in a verification method according to an embodiment of the present disclosure.
In an embodiment of the present disclosure, the flow 400 of acquiring association information corresponding to the plurality of business systems according to the configuration information includes operations S401 to S402.
In operation S401, the plurality of business systems are traversed. Traversing every business system in the distributed system architecture ensures that the final verification result can be transmitted to each of them and effectively prevents any system from being missed.
In operation S402, the association information of each business system is acquired according to the type of the business system, the association information including a verification result service routing interface.
For example, business systems of different types have different verification result service routing interfaces. The type of a business system may be determined from several items of association information. In one embodiment, the association information is the verification result service routing interface itself; once this interface has been obtained, the business system to be accessed is determined.
In alternative embodiments, the association information may also be other information from which the type of the business system can be determined, such as the users of the business system.
After operation S302 is completed, operation S303 is performed. In operation S303, the association information and the response message are integrated to generate the verification result.
In this embodiment of the disclosure, the specific business system among the plurality of business systems in the distributed system architecture can be determined from the association information, and the response message carries the information of whether verification passed or failed. The verification result generated by integrating the association information with the response message therefore corresponds to a particular business system, so the authentication authority can send each generated verification result to its corresponding business system, where it can conveniently be called. In this embodiment, the association information may be associated with all business systems, and the verification result generated from it may be sent to all business systems.
In an alternative embodiment, the verification result may be generated by integrating the response message with, for example, at least one of the type, number and name of the user of the business system. When the verification result is saved to the plurality of business systems, it can be saved according to the type, number, name and so on of the user in each business system. For example, a verification result generated by integrating a particular user's name (e.g., user A) with the response message may be sent to the business systems that have that user (e.g., user A), and not to the other business systems that do not. Optionally, the verification result may also be sent to all business systems of the distributed system architecture, to facilitate uniform data transmission and data management.
In an embodiment of the present disclosure, saving the verification result to the plurality of business systems includes storing the verification result in the plurality of business systems as a cache and/or in persistent storage, thereby generating verification data.
For example, the verification result is stored in Redis (Remote Dictionary Server), a high-performance NoSQL cache database, and verification data is generated. The verification data can be consulted when a user of the business system performs an operation, to determine whether the user has the operating rights. Using Redis as the cache lets the data be shared conveniently among the business processes of the business systems. However, Redis keeps the verification data in memory, so if persistence is not configured, all of the data is lost when Redis restarts. To improve the safety of the verification data in Redis and prevent its loss, the Redis persistence function is enabled: the verification data is written to disk, and after Redis restarts the data can be recovered from disk.
In embodiments of the present disclosure, the persistence policy may use RDB (Redis Database) persistence or AOF (Append Only File) persistence. RDB persistence writes a snapshot of the in-memory data set to disk at specified intervals; in practice Redis forks a child process, which writes the data set to a temporary file and, once the write succeeds, replaces the previous file, using binary compressed storage. AOF persistence records every write and delete operation processed by the server in a log; query operations are not recorded. The log is kept as text, so the file can be opened to see the detailed operations. In practice, the persistence policy is chosen according to the user's requirements. For example, AOF persistence may be selected to achieve higher cache consistency, while RDB persistence may be selected when write operations are frequent and backup is traded for higher performance.
In an embodiment of the present disclosure, after the verification result is saved to the plurality of business systems, the expiration time of the verification data is determined. To protect the user's information, the expiration time of the verification data must be set. For example, a user may log in and then perform no operation for a period of time, or, because of network or other problems, a user's logout may not be reflected in a different business system in time. By setting the expiration time of the verification data, the verification data is invalidated after the user has performed no operation in the business system, or after the network connection has been lost, for a period of time. When the user then performs a related operation in the business system, the authentication authority has to be called again for verification, which ensures the security of the user's data.
In this embodiment of the present disclosure, after the response message is generated according to the verification request, a user session expiration time is also generated according to the verification request. After a user has been authenticated in a business system, the user may perform no related operation and also not log out. Alternatively, because of the network connections between business systems, other business systems may not update the relevant information in time after the user closes the session window or logs out, so that they continue to show the user as verified although the user has logged out or closed the session. By setting the session expiration time, the verification data described below can be controlled by the other business systems even when the user's login state or session operation is not updated in time, which improves data security.
In an embodiment of the present disclosure, determining the expiration time of the verification data includes the business system determining the expiration time of the verification data according to the user session expiration time.
After the user session expiration time is determined, it is integrated with the association information and response message described above and sent to the corresponding business systems. On receiving this information, a business system determines the expiration time of its verification data from the user session expiration time. For example, if the user session expiration time is 30 minutes and the user performs no operation in the business system, the verification data expires after 30 minutes. If the user of the business system wants to operate after those 30 minutes, the authentication authority must be called to verify the user's identity information again, and, as described above, the new verification result is sent to some or all of the business systems for storage.
In an embodiment of the present disclosure, determining the expiration time of the verification data includes the business system determining the expiration time of the verification data according to the user's logout status. For example, when a user logout operation is received by a business system, the expiration of the verification data in all business systems is determined according to the logout operation associated with that verification data. That is, when a user of one business system logs out, the verification data related to that user in the other business systems is invalidated. If the user then needs to perform an operation requiring the related rights, the authentication authority must be called to verify the user's identity information again.
In this embodiment of the present disclosure, the verification result is either a pass or a fail, and responding to the user's operation instruction according to the verification result includes: if the verification result is a pass, the plurality of business systems execute the user's operation instruction; if the verification result is a fail, the plurality of business systems do not execute the user's operation instruction, or prompt the user to perform a verification operation.
For example, after the authentication authority completes verification, the generated response message contains the information of whether verification passed or failed, and the verification result generated from the response message therefore contains the same information. After receiving the verification result, each business system can respond to the user's operation instruction according to the information it contains. For example, if the user of the business system is the user of the verification result and the verification result indicates a pass, the business system determines that the user has the corresponding rights and responds to the operation instruction within those rights. If the user of the business system is not the user of the verification result, or the verification result indicates a fail, the business system determines that the user does not have the corresponding rights and does not execute the operation instruction; further, the user may be prompted to perform a verification operation.
Fig. 5 schematically shows a flowchart of the execution of the verification method in the business system and the authentication authority according to an embodiment of the present disclosure.
As shown in Fig. 5, the flow of the verification method of the present disclosure executed at the business system 510 and the authentication authority 520 includes operations S501 to S511. The flow comprises three stages: an information configuration stage X, a user state saving stage Y and a unified authentication stage Z.
Specifically, the information configuration stage X includes operations S501 to S502.
In operation S501, a plurality of business systems are connected to the authentication authority; the set of business systems may be increased or decreased as needed.
In operation S502, the configuration information of the connected business systems is configured in the authentication authority. The configuration information includes system name information, service routing information, and interface information.
The user state saving stage Y includes operations S503 to S509.
In operation S503, one or more users of a business system start authentication.
In operation S504, a verification request is generated in the business system according to the user's operation and transmitted to the authentication authority.
In operation S505, the authentication authority completes the user verification according to the verification request and generates a response message, which contains the information of whether verification passed or failed.
After the response message is generated, the user session expiration time for the business system is generated according to the verification request.
In operation S506, the authentication authority acquires all the configuration information of the configured business systems.
In operation S507, the plurality of business systems are traversed.
In operation S508, the association information of each business system is acquired according to the type of the business system, the association information including a verification result service routing interface. The association information and the response message are then integrated to generate the verification result.
In operation S509, the verification result is saved to a plurality of business systems, for example to all business systems or to the business systems related to the user of the verification result. After the verification result has been stored in a business system, the expiration time of the verification data generated from it is determined.
The unified authentication stage Z includes operations S510 to S511.
In operation S510, the business system receives an operation instruction from a user.
In operation S511, the business system queries the stored verification result to determine whether the user performing the operation has been verified, and responds to the user's operation instruction according to the query result.
In this embodiment of the disclosure, when the same user needs to operate in a plurality of business systems, the user needs to connect to the authentication authority through only one of those business systems and have the user's identity verified by the authentication authority once, which completes the login. After the login verification is completed, the user state (the verification result) is stored in all business systems, or in the business systems related to the user, and when the same user performs an operation requiring the corresponding rights, the business system responds to the operation according to the stored verification result without the authentication authority having to verify again. When the authentication authority has many connected business systems or many users, its processing load is thus effectively reduced, hardware can be at least partially saved, and cost is reduced.
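The flow of operations S501 to S511, together with the local response logic of operation S204 and the expiry and logout handling described above, as an added Python simulation that is not part of the patent: an in-memory dict stands in for each business system's Redis cache, and the class names, the toy credential store and the 1800-second session expiry are assumptions made for the example.

```python
"""Added example (not the patent's code) of the single-verification scheme: the
authority verifies once, pushes the result to every configured business system,
and each system then answers operation instructions from its own stored data."""
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, Iterable, Optional

PASS, FAIL = "pass", "fail"  # the two states carried by the response message


@dataclass
class VerificationResult:
    user: str
    status: str              # PASS or FAIL, copied from the response message
    routing_interface: str   # association information: the system's result interface
    expires_at: float        # deadline derived from the user session expiration time


@dataclass
class BusinessSystem:
    name: str
    routing_interface: str
    clock: Callable[[], float] = time.time
    # Stands in for the Redis cache; with Redis the deadline would be a key TTL.
    verification_data: Dict[str, VerificationResult] = field(default_factory=dict)

    def current(self, user: str) -> Optional[VerificationResult]:
        """Stored result for the user, or None if absent or expired (fail closed)."""
        res = self.verification_data.get(user)
        if res is None:
            return None
        if self.clock() >= res.expires_at:
            del self.verification_data[user]   # verification data has expired
            return None
        return res

    def handle_operation(self, user: str, op: str) -> str:
        """S510/S511: answer the operation instruction from local data only."""
        res = self.current(user)
        if res is None:
            return "prompt_login"        # no data for this user: show login interface
        if res.status == PASS:
            return "executed:" + op      # verified: execute within the user's rights
        return "prompt_verify"           # failed result: do not execute


class AuthAuthority:
    def __init__(self, credentials: Dict[str, str], session_ttl: float,
                 systems: Iterable[BusinessSystem],
                 clock: Callable[[], float] = time.time):
        self.credentials = credentials                # constructed toy store
        self.session_ttl = session_ttl
        self.config = {s.name: s for s in systems}    # S501/S502: configured systems
        self.clock = clock

    def has_valid_pass(self, user: str) -> bool:
        """True while an unexpired pass result for the user exists in any system."""
        for system in self.config.values():
            res = system.current(user)
            if res is not None and res.status == PASS:
                return True
        return False

    def verify(self, user: str, secret: str) -> Optional[str]:
        """S504 to S509: verify once and push the result to every configured system.
        Returns None when a valid pass already exists and its state has not changed."""
        if self.has_valid_pass(user):
            return None
        status = PASS if self.credentials.get(user) == secret else FAIL  # S505
        expires_at = self.clock() + self.session_ttl                      # session expiry
        for system in self.config.values():                               # S507: traverse
            system.verification_data[user] = VerificationResult(
                user, status, system.routing_interface, expires_at)       # S508/S509
        return status

    def logout(self, user: str) -> int:
        """A logout invalidates the user's verification data in every system."""
        removed = 0
        for system in self.config.values():
            if system.verification_data.pop(user, None) is not None:
                removed += 1
        return removed


def scenario() -> Dict[str, object]:
    """Constructed walk-through with a controllable clock instead of wall time."""
    now = [1000.0]
    clock = lambda: now[0]
    a, c, n = [BusinessSystem(x, f"/{x}/verify-result", clock) for x in "ACN"]
    authority = AuthAuthority({"alice": "s3cret"}, 1800, (a, c, n), clock)
    out: Dict[str, object] = {}
    out["first"] = authority.verify("alice", "s3cret")            # pass pushed to A, C, N
    out["other_system"] = c.handle_operation("alice", "transfer")  # served from C's cache
    out["repeat"] = authority.verify("alice", "s3cret")           # None: pass still valid
    out["unknown"] = a.handle_operation("bob", "read")            # never verified
    now[0] += 1801                                                # session expiry elapses
    out["expired"] = n.handle_operation("alice", "transfer")
    out["bad_secret"] = authority.verify("alice", "wrong")        # fail result pushed
    out["after_fail"] = a.handle_operation("alice", "read")
    out["second_pass"] = authority.verify("alice", "s3cret")
    out["logout_count"] = authority.logout("alice")               # cleared in all three
    out["after_logout"] = c.handle_operation("alice", "read")
    return out
```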
Fig. 6 schematically shows a block diagram of a verification apparatus according to an embodiment of the present disclosure.
As shown in Fig. 6, the verification apparatus 600 of the embodiment of the present disclosure includes a configuration module 610, a first generation module 620, a second generation module 630, and a response module 640.
The configuration module 610 is configured to configure the configuration information of a plurality of business systems in the authentication authority, where the configuration information includes system name information, service routing information, and interface information. The configuration module 610 may be used to perform operation S201 of the embodiment of the present disclosure, which is not described again here.
The first generation module 620 is configured to acquire, through the authentication authority, a verification request from a user of a business system and to generate a response message according to the verification request. The first generation module 620 may be used to perform operation S202 of the embodiment of the present disclosure, which is not described again here.
The second generation module 630 is configured to generate, through the authentication authority, a verification result according to the configuration information and the response message, and to store the verification result in the plurality of business systems. The second generation module 630 may be used to perform operation S203 of the embodiment of the present disclosure, which is not described again here.
The response module 640 is configured to acquire, through the plurality of business systems, an operation instruction from the user and to respond to the user's operation instruction according to the verification result. The response module 640 may be used to perform operation S204 of the embodiment of the present disclosure, which is not described again here.
In the embodiment of the present disclosure, the second generation module 630 includes a second generation sub-module 631 configured to acquire the configuration information of the plurality of business systems stored in the authentication authority, acquire the association information corresponding to the plurality of business systems according to the configuration information, and integrate the association information with the response message to generate the verification result.
In the embodiment of the present disclosure, the second generation sub-module 631 includes an acquisition sub-module configured to traverse the plurality of business systems and acquire the association information of each business system according to the type of the business system, the association information including a verification result service routing interface.
In the embodiment of the present disclosure, the second generation module 630 further includes a saving sub-module 632 configured to save the verification result to the plurality of business systems as a cache and/or in persistent storage, and to generate the verification data.
In the embodiment of the present disclosure, the verification apparatus further includes a determination module 650 configured to generate the user session expiration time according to the verification request after the response message has been generated according to the verification request, and to have the business system determine the expiration time of the verification data according to the user session expiration time. Alternatively, the determination module 650 is configured to have the business system determine the expiration time of the verification data according to the user's logout status.
In the embodiment of the present disclosure, the response module 640 includes a response sub-module configured to have the plurality of business systems execute the user's operation instruction if the verification result is a pass, and, if the verification result is a fail, to have the plurality of business systems not execute the user's operation instruction or prompt the user to perform a verification operation.
According to the embodiment of the present disclosure, any multiple modules of the configuration module 610, the first generation module 620, the second generation module 630, the response module 640, the determination module 650, the second generation sub-module 631, the saving sub-module 632, the obtaining sub-module, and the response sub-module may be combined and implemented in one module, or any one of the modules may be split into multiple modules. Alternatively, at least part of the functionality of one or more of these modules may be combined with at least part of the functionality of the other modules and implemented in one module. According to the embodiment of the present disclosure, at least one of the configuration module 610, the first generation module 620, the second generation module 630, the response module 640, the determination module 650, the second generation submodule 631, the saving submodule 632, the obtaining submodule, and the response submodule may be at least partially implemented as a hardware circuit, such as a Field Programmable Gate Array (FPGA), a Programmable Logic Array (PLA), a system on a chip, a system on a substrate, a system on a package, an Application Specific Integrated Circuit (ASIC), or may be implemented by hardware or firmware in any other reasonable manner of integrating or packaging a circuit, or implemented by any one of three implementations of software, hardware, and firmware, or by a suitable combination of any of the three implementations. Alternatively, at least one of the configuration module 610, the first generation module 620, the second generation module 630, the response module 640, the determination module 650, the second generation submodule 631, the saving submodule 632, the obtaining submodule, and the response submodule may be at least partially implemented as a computer program module, which may perform corresponding functions when executed.
Fig. 7 schematically shows a block diagram of an electronic device adapted to implement the authentication method of the present disclosure, according to an embodiment of the present disclosure. The electronic device shown in fig. 7 is only an example, and should not bring any limitation to the functions and the scope of use of the embodiments of the present disclosure.
As shown in fig. 7, an electronic device 700 according to an embodiment of the present disclosure includes a processor 701, which can perform various appropriate actions and processes according to a program stored in a Read Only Memory (ROM)702 or a program loaded from a storage section 708 into a Random Access Memory (RAM) 703. The processor 701 may include, for example, a general purpose microprocessor (e.g., a CPU), an instruction set processor and/or associated chipset, and/or a special purpose microprocessor (e.g., an Application Specific Integrated Circuit (ASIC)), among others. The processor 701 may also include on-board memory for caching purposes. The processor 701 may comprise a single processing unit or a plurality of processing units for performing the different actions of the method flows according to embodiments of the present disclosure.
In the RAM 703, various programs and data necessary for the operation of the electronic apparatus 700 are stored. The processor 701, the ROM 702, and the RAM 703 are connected to each other by a bus 704. The processor 701 performs various operations of the method flows according to the embodiments of the present disclosure by executing programs in the ROM 702 and/or the RAM 703. It is noted that the programs may also be stored in one or more memories other than the ROM 702 and RAM 703. The processor 701 may also perform various operations of method flows according to embodiments of the present disclosure by executing programs stored in the one or more memories.
Electronic device 700 may also include input/output (I/O) interface 705, which input/output (I/O) interface 705 is also connected to bus 704, according to an embodiment of the present disclosure. The electronic device 700 may also include one or more of the following components connected to the I/O interface 705: an input portion 706 including a keyboard, a mouse, and the like; an output section 707 including a display such as a Cathode Ray Tube (CRT), a Liquid Crystal Display (LCD), and the like, and a speaker; a storage section 708 including a hard disk and the like; and a communication section 709 including a network interface card such as a LAN card, a modem, or the like. The communication section 709 performs communication processing via a network such as the internet. A drive 710 is also connected to the I/O interface 705 as needed. A removable medium 711 such as a magnetic disk, an optical disk, a magneto-optical disk, a semiconductor memory, or the like is mounted on the drive 710 as necessary, so that a computer program read out therefrom is mounted into the storage section 708 as necessary.
The present disclosure also provides a computer-readable storage medium, which may be contained in the apparatus/device/system described in the above embodiments; or may exist separately and not be assembled into the device/apparatus/system. The above-described computer-readable storage medium carries one or more programs which, when executed, implement an authentication method according to an embodiment of the present disclosure.
According to embodiments of the present disclosure, the computer-readable storage medium may be a non-volatile computer-readable storage medium, which may include, for example but is not limited to: a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the present disclosure, a computer readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device. For example, according to embodiments of the present disclosure, a computer-readable storage medium may include the ROM 702 and/or the RAM 703 and/or one or more memories other than the ROM 702 and the RAM 703 described above.
Embodiments of the present disclosure also include a computer program product comprising a computer program containing program code for performing the method illustrated in the flow chart. When the computer program product runs in a computer system, the program code is used for causing the computer system to realize the authentication method provided by the embodiment of the disclosure.
The computer program performs the above-described functions defined in the system/apparatus of the embodiments of the present disclosure when executed by the processor 701. The systems, apparatuses, modules, units, etc. described above may be implemented by computer program modules according to embodiments of the present disclosure.
In one embodiment, the computer program may be hosted on a tangible storage medium such as an optical storage device, a magnetic storage device, or the like. In another embodiment, the computer program may also be transmitted in the form of a signal on a network medium, distributed, downloaded and installed via the communication section 709, and/or installed from the removable medium 711. The computer program containing program code may be transmitted using any suitable network medium, including but not limited to: wireless, wired, etc., or any suitable combination of the foregoing.
In such an embodiment, the computer program can be downloaded and installed from a network through the communication section 709, and/or installed from the removable medium 711. The computer program, when executed by the processor 701, performs the above-described functions defined in the system of the embodiment of the present disclosure. The systems, devices, apparatuses, modules, units, etc. described above may be implemented by computer program modules according to embodiments of the present disclosure.
In accordance with embodiments of the present disclosure, the program code for the computer programs provided by embodiments of the present disclosure may be written in any combination of one or more programming languages; in particular, these computer programs may be implemented using high-level procedural and/or object-oriented programming languages and/or assembly/machine languages. The programming languages include, but are not limited to, Java, C++, Python, the C language, and the like. The program code may execute entirely on the user's computing device, partly on the user's device, partly on a remote computing device, or entirely on the remote computing device or server. In the case of a remote computing device, the remote computing device may be connected to the user's computing device through any kind of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or may be connected to an external computing device (e.g., through the internet using an internet service provider).
The flowchart and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present disclosure. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams or flowchart illustration, and combinations of blocks in the block diagrams or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
Those skilled in the art will appreciate that various combinations and/or combinations of features recited in the various embodiments and/or claims of the present disclosure can be made, even if such combinations or combinations are not expressly recited in the present disclosure. In particular, various combinations and/or combinations of the features recited in the various embodiments and/or claims of the present disclosure may be made without departing from the spirit or teaching of the present disclosure. All such combinations and/or associations are within the scope of the present disclosure.
The embodiments of the present disclosure have been described above. However, these examples are for illustrative purposes only and are not intended to limit the scope of the present disclosure. Although the embodiments are described separately above, this does not mean that the measures in the embodiments cannot be used in advantageous combination. The scope of the disclosure is defined by the appended claims and equivalents thereof. Various alternatives and modifications can be devised by those skilled in the art without departing from the scope of the present disclosure, and such alternatives and modifications are intended to be within the scope of the present disclosure.

Claims (14)

1. A verification method for a distributed system architecture, the distributed system architecture comprising a certification authority and a plurality of business systems, wherein the verification method comprises:
configuring configuration information of the plurality of business systems in the certification authority, wherein the configuration information comprises system name information, service routing information and interface information;
the certification authority acquiring a verification request from a user of a business system and generating a response message according to the verification request;
the certification authority generating a verification result according to the configuration information and the response message, and storing the verification result to the plurality of business systems;
and the plurality of business systems acquiring an operation instruction from the user and responding to the operation instruction of the user according to the verification result.
2. The verification method according to claim 1, wherein the certification authority generating a verification result according to the configuration information and the response message comprises:
acquiring the configuration information of the plurality of business systems stored in the certification authority;
acquiring associated information corresponding to the plurality of business systems according to the configuration information;
and integrating the associated information and the response message to generate the verification result.
3. The verification method according to claim 2, wherein acquiring the associated information corresponding to the plurality of business systems according to the configuration information comprises:
traversing the plurality of business systems;
and acquiring the associated information associated with each business system according to the type of the business system, wherein the associated information comprises a verification-result service routing interface.
4. The verification method according to claim 1, wherein storing the verification result to the plurality of business systems comprises:
storing the verification result to the plurality of business systems by caching and/or persistent storage, so as to generate verification data.
5. The verification method according to claim 4, further comprising determining an expiration time of the verification data after storing the verification result to the plurality of business systems.
6. The verification method according to claim 5, further comprising generating a user session expiration time according to the verification request after generating the response message according to the verification request.
7. The verification method according to claim 6, wherein determining the expiration time of the verification data comprises:
the business system determining the expiration time of the verification data according to the user session expiration time.
8. The verification method according to claim 5, wherein determining the expiration time of the verification data comprises:
the business system determining the expiration time of the verification data according to the log-out state of the user.
9. The verification method according to any one of claims 1 to 8, further comprising updating the configuration information in the certification authority in real time according to the update status of the plurality of business systems.
10. The verification method according to any one of claims 1 to 8, wherein the verification result includes verification passed and verification failed,
and responding to the operation instruction of the user according to the verification result comprises:
if the verification result is verification passed, the plurality of business systems executing the operation instruction of the user;
and if the verification result is verification failed, the plurality of business systems not executing the operation instruction of the user, or prompting the user to perform a verification operation.
11. A verification apparatus for a distributed system architecture, the distributed system architecture comprising a certification authority and a plurality of business systems, wherein the verification apparatus comprises:
a configuration module configured to configure configuration information of the plurality of business systems in the certification authority, the configuration information comprising system name information, service routing information and interface information;
a first generation module configured to acquire, through the certification authority, a verification request from a user of a business system and to generate a response message according to the verification request;
a second generation module configured to generate, through the certification authority, a verification result according to the configuration information and the response message, and to store the verification result to the plurality of business systems;
and a response module configured to acquire, through the plurality of business systems, an operation instruction from the user and to respond to the operation instruction of the user according to the verification result.
12. An electronic device, comprising:
one or more processors;
storage means for storing executable instructions which, when executed by the one or more processors, implement the verification method according to any one of claims 1 to 10.
13. A computer readable storage medium having stored thereon executable instructions which, when executed by a processor, implement the verification method according to any one of claims 1 to 10.
14. A computer program product, wherein the product stores a computer program which, when executed, is capable of implementing the verification method according to any one of claims 1 to 10.
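The procedure of claims 1 to 10, as an added Python simulation that is not the patent's own code (the patent discloses no implementation): a certification authority holds the configuration of two hypothetical business systems ("orders" and "payments"), verifies a user's request, pushes the verification result to each system's configured verification-result interface, and each business system answers operation instructions from its local copy while honouring the session-derived expiration time (claims 6 and 7) and the user's log-out (claim 8). The credential store, the system names, routes, interfaces and all function names are constructed for this example.

```python
"""Simulated certification authority (CA) and business systems for claims 1-10.
Added illustration; every name and value here is hypothetical."""
import hmac
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class SystemConfig:
    """Configuration the CA holds for one business system (claim 1)."""
    name: str              # system name information
    route: str             # service routing information
    result_interface: str  # interface that receives verification results (claim 3)


@dataclass
class VerificationData:
    """A business system's local copy of a verification result (claim 4)."""
    passed: bool
    expires_at: float      # claim 7: taken from the user session expiration time


class BusinessSystem:
    def __init__(self, cfg: SystemConfig) -> None:
        self.cfg = cfg
        self.cache: Dict[str, VerificationData] = {}   # cache-mode storage (claim 4)

    def receive_result(self, payload: dict) -> bool:
        """Store a pushed result; refuse payloads not routed to this system's interface."""
        if payload["interface"] != self.cfg.result_interface:
            return False
        self.cache[payload["user"]] = VerificationData(
            passed=payload["passed"], expires_at=payload["session_expires_at"])
        return True

    def handle(self, user: str, instruction: str, now: float) -> str:
        """Respond to an operation instruction from the local result (claim 10)."""
        data = self.cache.get(user)
        if data is None or now >= data.expires_at:
            return "prompt_verify"           # missing or expired verification data
        if not data.passed:
            return "rejected"                # verification failed: do not execute
        return f"executed:{instruction}"     # verification passed: execute

    def on_logout(self, user: str) -> None:
        """Claim 8: the log-out state invalidates the verification data at once."""
        self.cache.pop(user, None)


class CertificationAuthority:
    def __init__(self, session_ttl: float) -> None:
        self.registry: Dict[str, SystemConfig] = {}
        self.session_ttl = session_ttl
        # Constructed credential store for the simulation only; a real CA would
        # check credentials against its own identity backend.
        self._secrets = {"alice": b"correct horse", "bob": b"battery staple"}

    def register(self, cfg: SystemConfig) -> None:
        """Claim 1 configuration; re-registering a name updates it in place (claim 9)."""
        self.registry[cfg.name] = cfg

    def handle_request(self, request: dict, systems: Dict[str, BusinessSystem],
                       now: float) -> Tuple[dict, List[str]]:
        """Verify the user, build the response message and push the result to
        every configured business system (claims 1, 2, 3 and 6)."""
        expected = self._secrets.get(request["user"], b"")
        passed = hmac.compare_digest(expected, request["secret"])  # constant-time compare
        response = {
            "user": request["user"],
            "passed": passed,
            "session_expires_at": now + self.session_ttl,   # claim 6
        }
        delivered: List[str] = []
        for cfg in self.registry.values():                   # claim 3: traverse systems
            payload = {"interface": cfg.result_interface, "system": cfg.name, **response}
            if cfg.name in systems and systems[cfg.name].receive_result(payload):
                delivered.append(cfg.name)
        return response, delivered


def build_demo(session_ttl: float = 600.0) -> Tuple[CertificationAuthority, Dict[str, BusinessSystem]]:
    """Wire one CA to two hypothetical business systems with constructed routes."""
    ca = CertificationAuthority(session_ttl)
    systems: Dict[str, BusinessSystem] = {}
    for name in ("orders", "payments"):
        cfg = SystemConfig(name, f"/svc/{name}", f"/svc/{name}/verify-result")
        ca.register(cfg)
        systems[name] = BusinessSystem(cfg)
    return ca, systems
```

The business systems never see the user's credential: they act only on the pushed result, and `handle()` treats a missing or expired entry the same way, so a system that missed the push (or was registered after it) falls back to prompting for verification rather than executing.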

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110917420.6A CN113626795A (en) 2021-08-11 2021-08-11 Verification method and device of distributed system architecture, electronic equipment and storage medium

Publications (1)

Publication Number Publication Date
CN113626795A true CN113626795A (en) 2021-11-09

Family

ID=78384277

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110917420.6A Pending CN113626795A (en) 2021-08-11 2021-08-11 Verification method and device of distributed system architecture, electronic equipment and storage medium

Country Status (1)

Country Link
CN (1) CN113626795A (en)

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115237816A (en) * 2022-09-22 2022-10-25 深圳市明源云科技有限公司 System function verification method and device, electronic equipment and readable storage medium
CN115237816B (en) * 2022-09-22 2022-12-27 深圳市明源云科技有限公司 System function verification method and device, electronic equipment and readable storage medium
CN115329391A (en) * 2022-10-18 2022-11-11 成都卫士通信息产业股份有限公司 Protection method, device, equipment and medium for text database
CN115329391B (en) * 2022-10-18 2023-01-24 成都卫士通信息产业股份有限公司 Text database protection method, device, equipment and medium

Similar Documents

Publication Publication Date Title
US10621329B2 (en) Mobile application, resource management advice
US11736469B2 (en) Single sign-on enabled OAuth token
US10484385B2 (en) Accessing an application through application clients and web browsers
CN111801923B (en) Replication of resource types and schema metadata for multi-tenant identity cloud services
CN112166588B (en) Tenant replication bootstrapping for multi-tenant identity cloud services
JP6707127B2 (en) Access server authenticity check initiated by end user
US10909064B2 (en) Application architecture supporting multiple services and caching
JP6496404B2 (en) Proxy server in the computer subnetwork
US8955037B2 (en) Access management architecture
US9417897B1 (en) Approaches for managing virtual instance data
CN112035215B (en) Node autonomous method, system and device of node cluster and electronic equipment
US8745088B2 (en) System and method of performing risk analysis using a portal
US9092607B2 (en) Dynamic flow control for access managers
US20240012641A1 (en) Model construction method and apparatus, and medium and electronic device
US11159634B1 (en) Subscription fan out
US10803190B2 (en) Authentication based on client access limitation
CN113626795A (en) Verification method and device of distributed system architecture, electronic equipment and storage medium
CN110717171A (en) Access token management for state saving and reuse
US20220385596A1 (en) Protecting integration between resources of different services using service-generated dependency tags
EP3513316B1 (en) Personalized search environment
US20230376628A1 (en) Privacy Manager for Connected TV and Over-the-Top Applications
US20180139198A1 (en) Key based authorization for programmatic clients
US20230396448A1 (en) Client secure connections for database host
US11632251B1 (en) Commit signing service
CN114745316A (en) Routing method, apparatus, device, medium and program product

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination