CN114528571A - Resource access and data processing method, device, electronic equipment and medium - Google Patents


Info

Publication number
CN114528571A
Authority
CN
China
Prior art keywords
information
access
resource
user account
user
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202210128823.7A
Other languages
Chinese (zh)
Inventor
张立
刘启荣
张成远
高新刚
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Jingdong Technology Information Technology Co Ltd
Original Assignee
Jingdong Technology Information Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Jingdong Technology Information Technology Co Ltd
Priority to CN202210128823.7A
Publication of CN114528571A
Legal status: Pending

Classifications

    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00: Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60: Protecting data
    • G06F21/602: Providing cryptographic facilities or services
    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00: Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60: Protecting data
    • G06F21/604: Tools and structures for managing or administering access control systems
    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06Q: INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00: Payment architectures, schemes or protocols
    • G06Q20/38: Payment protocols; Details thereof
    • G06Q20/382: Payment protocols; Details thereof insuring higher security of transaction
    • G06Q20/3829: Payment protocols; Details thereof insuring higher security of transaction involving key management
    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06Q: INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00: Payment architectures, schemes or protocols
    • G06Q20/38: Payment protocols; Details thereof
    • G06Q20/40: Authorisation, e.g. identification of payer or payee, verification of customer or shop credentials; Review and approval of payers, e.g. check credit lines or negative lists
    • G06Q20/401: Transaction verification
    • G06Q20/4014: Identity check for transactions
    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00: Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21: Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2141: Access rights, e.g. capability lists, access control lists, access tables, access matrices

Landscapes

  • Engineering & Computer Science (AREA)
  • Business, Economics & Management (AREA)
  • Theoretical Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Computer Security & Cryptography (AREA)
  • Accounting & Taxation (AREA)
  • Physics & Mathematics (AREA)
  • Finance (AREA)
  • General Business, Economics & Management (AREA)
  • Strategic Management (AREA)
  • Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • General Health & Medical Sciences (AREA)
  • Computer Hardware Design (AREA)
  • Software Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Automation & Control Theory (AREA)
  • Storage Device Security (AREA)

Abstract

The disclosure relates to a method, a device, an electronic device and a medium for resource access and data processing. The resource access method comprises the following steps: receiving an operation instruction of a user in the process of developing or using an application; determining address information and calling information of a target service resource that needs to be called to execute the operation instruction, wherein the calling information comprises a call timing and a target instruction to be executed by the target service resource; generating, at the call timing, token information related to the call timing according to resource access information and an encryption algorithm acquired in advance from a server, wherein the resource access information is associated with the access rights of the user's user account to service resources; sending an access request carrying the user account, the token information, the address information and the target instruction to the server; and receiving an access response result from the server, wherein the access response result is obtained by the server after decrypting the token information and verifying the authority.

Description

Resource access and data processing method, device, electronic equipment and medium
Technical Field
The present disclosure relates to the field of internet and cloud service technologies, and in particular, to a method and an apparatus for resource access and data processing, an electronic device, and a medium.
Background
With the development of internet technology, various complex application systems need to be developed and updated, and open platform architectures have been developed to improve software development efficiency and reduce the workload of software developers. The server encapsulates services corresponding to computation, storage or a certain function into a series of Application Programming Interfaces (APIs) that a computer can recognize. These APIs are generally called open APIs and are exposed on an open platform, so that a developer can access and use the related service resources through them without accessing source code in the server or knowing the details of its internal working mechanisms.
To ensure access security, the server mostly uses a token with a validity period for access verification. This approach has the following problems: (1) the token is time-limited: the shorter the validity period, the stronger the security, but the greater the pressure that frequent token updates place on the server, and the open platform at the front end has to develop logic for replacing the token, which increases the development effort; (2) at present, system frameworks for building API access generally support the GET request form of the Hypertext Transfer Protocol (HTTP), in which the transmitted parameters are exposed and easy to obtain illegally; once a token has been obtained illegally, an illegal user can simulate the request, putting the server's resources and operation at risk.
Disclosure of Invention
To solve the technical problem or at least partially solve the technical problem, embodiments of the present disclosure provide a method, an apparatus, an electronic device, and a medium for resource access and data processing.
In a first aspect, an embodiment of the present disclosure provides a method for resource access. The method comprises the following steps: receiving an operation instruction of a user in the process of developing or using an application; determining address information and calling information of a target service resource that needs to be called to execute the operation instruction, wherein the calling information comprises a call timing and a target instruction to be executed by the target service resource; generating, at the call timing, token information related to the call timing according to resource access information and an encryption algorithm acquired in advance from a server, wherein the resource access information is associated with the access authority of the user's user account to service resources; sending an access request carrying the user account, the token information, the address information and the target instruction to the server; and receiving an access response result from the server, wherein the access response result is obtained by the server after decrypting the token information and verifying the authority.
According to an embodiment of the present disclosure, the resource access information includes a user login password associated with the user account and an access key for accessing the service resource. Generating, at the call timing, the token information related to the call timing according to the resource access information and the encryption algorithm acquired in advance from the server includes: merging the timestamp information corresponding to the call timing with the user login password to obtain a character string; and, according to the encryption algorithm, encrypting the character string with the access key as the encryption key to obtain the token information.
According to an embodiment of the present disclosure, the method for accessing resources further includes: resource access information and an encryption algorithm are obtained. The acquiring of the resource access information and the encryption algorithm includes: under the condition of meeting the authorization condition of accessing a specific service resource, initiating an acquisition request for acquiring resource access information and an encryption algorithm corresponding to the specific service resource to a server; and receiving a data packet sent by a server, wherein the data packet carries the resource access information and the encryption algorithm.
According to an embodiment of the present disclosure, the data packet is a ciphertext encrypted with a predetermined key, and the predetermined key is external secret content agreed in advance between the sending and receiving parties. Acquiring the resource access information and the encryption algorithm further includes: decrypting the received ciphertext data packet with the agreed key to obtain the resource access information and the encryption algorithm in plaintext.
According to an embodiment of the present disclosure, the access request uses the POST request method (a data transmission method) of the Hypertext Transfer Protocol (HTTP), and the user account and the token information are both carried in a cookie (a data set related to the user identity that is tracked and stored in the browser).
In a second aspect, embodiments of the present disclosure provide a method of data processing. The data processing method comprises the following steps: receiving an access request sent by a demand side, wherein the information carried by the access request comprises a user account, token information related to a call timing, address information of a target service resource requested to be called, and a target instruction to be executed by the target service resource; decrypting the token information and verifying the authority to obtain an access response result; and sending the access response result to the demand side. The token information is generated, when the demand side calls the target service resource, according to resource access information and an encryption algorithm acquired in advance from the server; the resource access information is associated with the access authority of the user account to service resources.
According to an embodiment of the present disclosure, decrypting the token information and verifying the authority to obtain the access response result includes: decrypting the token information to obtain decrypted resource access information; verifying, according to the decrypted resource access information, the identity of the user corresponding to the user account; if the identity verification passes, determining whether the user account has calling authority for the target service resource according to a preset association between the user account and the access authority of service resources; and, if the user account is determined to have calling authority for the target service resource, sending the target instruction to the target service resource according to the address information for data processing, and taking the data processing result as the access response result.
According to an embodiment of the present disclosure, the decrypting and the authority verifying the token information to obtain an access response result further includes: and obtaining an access response result of access failure under the condition that the identity verification of the user account is not passed or the condition that the user account does not have the calling authority on the target service resource is determined.
According to an embodiment of the present disclosure, decrypting the token information to obtain the decrypted resource access information includes: querying preset target resource access information from a database according to the user account, wherein the target resource access information comprises a target access key used by the user account to access authorized service resources; decrypting the token information, according to a decryption algorithm matching the encryption algorithm and with the queried target access key as the decryption key, to obtain character string information; and splitting the character string information to obtain the decrypted timestamp information and the decrypted user login password.
According to an embodiment of the present disclosure, the target resource access information further includes a target user login password associated with the user account. Verifying the identity of the user corresponding to the user account according to the decrypted resource access information includes: verifying whether the decrypted timestamp information is consistent with the timestamp information corresponding to the access request; verifying whether the decrypted user login password is consistent with the target user login password; determining that the identity verification of the user corresponding to the user account passes if the decrypted timestamp information is consistent with the timestamp information corresponding to the access request and the decrypted user login password is consistent with the target user login password; and determining that the identity verification of the user corresponding to the user account fails if the decrypted timestamp information is inconsistent with the timestamp information corresponding to the access request and/or the decrypted user login password is inconsistent with the target user login password.
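The token generation and server-side verification described in the embodiments above (merge timestamp and login password, encrypt under the access key; look up the key by account, decrypt, split, verify, then check per-resource authority), as an added Python example that is not part of the patent text. The page does not name the encryption algorithm, so the cipher here is a standard-library stand-in (HMAC-SHA256 keystream with encrypt-then-MAC); the separator, the 30-second freshness window, the account record and all function names are assumptions.

```python
import base64
import hashlib
import hmac
import os

# Assumptions, not from the page: separator, freshness window, cipher stand-in.
SEP = "\x1f"            # separator used when merging timestamp and password
MAX_SKEW_SECONDS = 30   # tolerance for "timestamp consistent with the request"

# Constructed server-side record: target access key, target login password,
# and the service resources this account may call.
ACCOUNTS = {
    "user-p": {
        "access_key": bytes.fromhex("00112233445566778899aabbccddeeff" * 2),
        "password": "constructed-password",
        "resources": {"/api/resource-a"},
    },
}


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode; a stdlib-only stand-in for a real cipher."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(4, "big")
        out += hmac.new(key, b"enc" + block, hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC; output layout is nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    stream = _keystream(key, nonce, len(plaintext))
    ct = bytes(p ^ s for p, s in zip(plaintext, stream))
    tag = hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes):
    """Return the plaintext, or None if the blob was not produced under key."""
    if len(blob) < 48:
        return None
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    stream = _keystream(key, nonce, len(ct))
    return bytes(c ^ s for c, s in zip(ct, stream))


def make_token(access_key: bytes, password: str, call_time: int) -> str:
    """Demand side: merge timestamp and password, encrypt under the access key."""
    merged = f"{call_time}{SEP}{password}".encode()
    return base64.urlsafe_b64encode(encrypt(access_key, merged)).decode()


def handle_request(account, token, address, instruction, received_at):
    """Server side: decrypt, verify identity, then check per-resource authority."""
    failed = (False, "identity verification failed")
    record = ACCOUNTS.get(account)
    if record is None:
        return failed
    try:
        blob = base64.urlsafe_b64decode(token.encode("ascii"))
    except ValueError:  # covers bad base64 and non-ASCII input
        return failed
    plaintext = decrypt(record["access_key"], blob)
    if plaintext is None:
        return failed
    # Split the recovered string back into timestamp and login password.
    ts_text, _, password = plaintext.decode("utf-8", "replace").partition(SEP)
    if not ts_text.isdigit():
        return failed
    fresh = abs(received_at - int(ts_text)) <= MAX_SKEW_SECONDS
    same_password = hmac.compare_digest(
        password.encode(), record["password"].encode()
    )
    if not (fresh and same_password):
        return failed
    # Fine-grained authority: the account is checked against this one resource.
    if address not in record["resources"]:
        return (False, "no calling authority for target resource")
    return (True, f"{instruction} executed on {address}")


if __name__ == "__main__":
    t0 = 1_700_000_000  # constructed call time
    key = ACCOUNTS["user-p"]["access_key"]
    tok = make_token(key, "constructed-password", t0)
    print(handle_request("user-p", tok, "/api/resource-a", "query", t0 + 2))
    print(handle_request("user-p", tok, "/api/resource-b", "query", t0 + 2))
    print(handle_request("user-p", tok, "/api/resource-a", "query", t0 + 120))
```

The same token is accepted for resource A, refused for resource B, and refused again once it falls outside the freshness window; within that window a captured token would still verify, so the window size is the parameter that bounds reuse.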
In a third aspect, an embodiment of the present disclosure provides an apparatus for resource access. The apparatus comprises an instruction receiving module, a resource calling determining module, a token generating module, a data sending module and a data receiving module. The instruction receiving module is used for receiving an operation instruction of a user in the process of developing or using an application. The resource calling determining module is configured to determine address information and calling information of a target service resource that needs to be called to execute the operation instruction, where the calling information includes a call timing and a target instruction to be executed by the target service resource. The token generating module is used for generating, at the call timing, token information related to the call timing according to resource access information and an encryption algorithm acquired in advance from the server. The resource access information is associated with the access authority of the user's user account to service resources. The data sending module is used for sending the access request carrying the user account, the token information, the address information and the target instruction to the server. The data receiving module is used for receiving an access response result from the server; the access response result is obtained by the server after decrypting the token information and verifying the authority.
In a fourth aspect, an embodiment of the present disclosure provides an apparatus for data processing. The apparatus comprises a request receiving module, a data processing module and a result sending module. The request receiving module is configured to receive an access request sent by a demand side, where the information carried by the access request includes a user account, token information related to a call timing, address information of a target service resource requested to be called, and a target instruction to be executed by the target service resource. The token information is generated, when the demand side calls the target service resource, according to resource access information and an encryption algorithm acquired in advance from the server; the resource access information is associated with the access authority of the user account to service resources. The data processing module is used for decrypting the token information and verifying the authority to obtain an access response result. The result sending module is used for sending the access response result to the demand side.
In a fifth aspect, embodiments of the present disclosure provide an electronic device. The electronic equipment comprises a processor, a communication interface, a memory and a communication bus, wherein the processor, the communication interface and the memory are communicated with each other through the communication bus; a memory for storing a computer program; the processor is configured to implement the method for accessing resources or the method for processing data as described above when executing the program stored in the memory.
In a sixth aspect, embodiments of the present disclosure provide a computer-readable storage medium. The computer-readable storage medium has stored thereon a computer program which, when executed by a processor, implements the method of resource access or the method of data processing as described above.
The technical scheme provided by the embodiment of the disclosure at least has part or all of the following advantages:
the overall logic of resource access is that, at the call timing, token information is generated by real-time encryption calculation from resource access information and an encryption algorithm acquired in advance from the server, and the token information is related to the call timing and to the access authority of the user account to service resources, so that requests at different times and requests from different users yield different token information, which effectively implements authority verification; on the one hand, the token information is recalculated for each access request, so its timeliness does not need to be considered: the demand side does not have to develop logic for periodically updating or replacing the token, and the server does not face the pressure of frequent token updates; on the other hand, because the generated token information is encrypted and related to the call timing, it is in use only for the very short period covering one access request and one access response; even if the access request is intercepted by an unauthorized party, the token information it carries is difficult to crack in a short time, and even if it can be cracked this takes a long time, by which point the access-response cycle of that request has ended and the token information is invalid, which effectively ensures the security of the server; in addition, the granularity of authority control is effectively refined, enabling fine-grained authority control over the service resources of the same system.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with the present disclosure and together with the description, serve to explain the principles of the disclosure.
In order to illustrate the embodiments of the present disclosure or the technical solutions in the prior art more clearly, the drawings needed in the description of the embodiments or the related art are briefly described below; those skilled in the art can obviously obtain other drawings from them without inventive effort.
FIG. 1 schematically illustrates a system architecture of a method and apparatus for resource access, a method and apparatus for data processing, and a computer program product suitable for use in embodiments of the present disclosure;
FIG. 2 schematically illustrates a flow diagram of a method of resource access according to an embodiment of the present disclosure;
FIG. 3 schematically shows a detailed implementation flowchart of operation S203 according to an embodiment of the present disclosure;
FIG. 4 schematically shows a flow diagram of a method of resource access according to another embodiment of the present disclosure;
FIG. 5A schematically illustrates a detailed implementation flowchart of operation S401 according to an embodiment of the present disclosure;
FIG. 5B schematically illustrates another detailed implementation flowchart of operation S401 according to an embodiment of the present disclosure;
FIG. 6 schematically shows a flow diagram of a method of data processing according to an embodiment of the present disclosure;
FIG. 7 schematically shows a detailed implementation flowchart of operation S602 according to an embodiment of the present disclosure;
FIG. 8 schematically illustrates a block diagram of an apparatus for resource access according to an embodiment of the present disclosure;
FIG. 9 schematically shows a block diagram of a data processing apparatus according to an embodiment of the present disclosure; and
FIG. 10 schematically shows a block diagram of an electronic device provided in an embodiment of the present disclosure.
Detailed Description
Analysis shows that, in the current method for verifying API authority, a token with a validity period is used for access verification. Specifically, when a third-party application requests access to a protected resource (a service resource corresponding to an API), the server, after approving the user authorization of the third-party application, issues an access token (accesstoken) to the third-party application; the access token contains key attributes of the third-party application, such as the authorized access range and the authorized validity period. The third-party application must hold the token throughout subsequent resource access until the user actively ends the authorization or the token expires automatically. An expired token must be replaced with a new token that is within its validity period before use can continue. Frequent token updates therefore put great pressure on the server, and the open platform at the front end has to develop logic for replacing tokens, which increases the development effort.
In addition, the architecture in general use today only limits access at the level of the user and does not achieve fine-grained access limits on the next layer, the resources. Some requirements need limits on a specific resource, for example: a certain user P can access resource A but cannot access resource B, where resources A and B belong to the same system. For such a requirement, the current system framework can only limit P as a whole, so P can either access both A and B or access neither, and finer access control over resources in the same system cannot be achieved.
In addition, a system framework for building API access usually supports only the GET request form of the Hypertext Transfer Protocol (HTTP), in which the transmitted parameters are exposed and easy to obtain illegally; once a token has been obtained illegally, an illegal user can simulate the request, putting the server's resources and operation at risk.
In view of this, embodiments of the present disclosure provide a method, an apparatus, an electronic device, and a medium for resource access and data processing. Token information is generated by real-time encryption calculation from resource access information and an encryption algorithm obtained in advance, and is related to the call timing and to the access rights of the user account to the service resource, so that requests at different times and requests from different users yield different token information, which effectively implements authority verification. The method has high security and high authentication efficiency and controls the timeliness of the token in real time. The granularity of authority control can reach a specific access right on a specific service resource (a service resource corresponding to an API). After an authority change on the server takes effect, it applies immediately to the token information of the demand side, without delay or waiting, which achieves more efficient authority management and control and improves the operating efficiency of the open platform.
The method for resource access comprises the following steps: receiving an operation instruction of a user in the process of developing or using an application; determining address information and calling information of a target service resource that needs to be called to execute the operation instruction, wherein the calling information comprises a call timing and a target instruction to be executed by the target service resource; generating, at the call timing, token information related to the call timing according to resource access information and an encryption algorithm acquired in advance from a server, wherein the resource access information is associated with the access authority of the user's user account to service resources; sending an access request carrying the user account, the token information, the address information and the target instruction to the server; and receiving an access response result from the server, wherein the access response result is obtained by the server after decrypting the token information and verifying the authority.
The data processing method comprises the following steps: receiving an access request sent by a demand side, wherein the information carried by the access request comprises a user account, token information related to a call timing, address information of a target service resource requested to be called, and a target instruction to be executed by the target service resource; decrypting the token information and verifying the authority to obtain an access response result; and sending the access response result to the demand side. The token information is generated, when the demand side calls the target service resource, according to resource access information and an encryption algorithm acquired in advance from the server; the resource access information is associated with the access authority of the user account to service resources.
To make the objects, technical solutions and advantages of the embodiments of the present disclosure more clear, the technical solutions of the embodiments of the present disclosure will be described clearly and completely with reference to the drawings in the embodiments of the present disclosure, and it is obvious that the described embodiments are some embodiments of the present disclosure, but not all embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments disclosed herein without making any creative effort, shall fall within the protection scope of the present disclosure.
Fig. 1 schematically shows a system architecture of a method and an apparatus for resource access, a method and an apparatus for data processing, which are applicable to the embodiments of the present disclosure.
Referring to FIG. 1, a system architecture 100 of a method and an apparatus for resource access and a method and an apparatus for data processing suitable for the embodiments of the present disclosure includes a demand side and a server 130, which exchange data through a network. FIG. 1 takes two types of demand side as examples: the demand side may be a first demand side 110 represented by a terminal device, or a second demand side 120 represented by an application server.
A network is a medium that provides a communication link between the demand side and the service side 130 and may include various connection types such as wired, wireless communication links, or fiber optic cables, among others.
The first demand side 110 may be a terminal device 111, 112, 113 installed with an application or browser and having a demand to call a service resource from the service side 130. The terminal devices 111, 112, 113 are, for example, a notebook computer, a smart phone, a tablet computer, a smart watch, a smart bracelet, a smart robot, and the like. Such applications include, but are not limited to: software development-like applications, financial-like applications, shopping-like applications, image recognition applications, web browser applications, search-like applications, short video-like applications, instant messaging tools, mailbox clients, social platform software, and the like.
The second demand side 120 may be an application server that provides application service support for the terminal devices 111, 112, 113 and needs to call service resources from the server 130. The application server may be a service cluster consisting of a plurality of servers or a single server; FIG. 1 shows application servers 121 and 122 as examples. In some scenarios, the application servers 121, 122 need to call service resources from the server 130 when providing service support for the terminal devices 111, 112, 113.
The server 130 may be a unified management layer for API service resource access and permission verification. In some embodiments, the server 130 itself hosts the API service resources; in other embodiments, the server 130 is spatially independent of the service cluster where the service resources are located and exchanges data with that cluster through a network, thereby implementing the calls to the API service resources.
The server 130 itself may have a database; or the server 130 may communicate with an external database and have an operation right on data in the external database.
Illustratively, the server 130 may be a cloud server or a conventional server, or alternatively, the server may be a networked electronic device (similar in function to a server) having computing capability and API service resource management authority.
The first user 101 may use a terminal device (corresponding to the first requirement terminal 110) to develop an application, or the second user 102 may use the terminal device to download and use a published application.
In an exemplary scenario, while the first user 101 develops an application using a terminal device, the first demand side 110 corresponding to the terminal device executes the resource access method provided by the embodiments of the present disclosure, and correspondingly the server 130 executes the data processing method provided by the embodiments of the present disclosure.
For example, in a system architecture formed by the first demand side 110 and the service side 130, as shown by a single-dot chain line in fig. 1, when an application (for example, a software development app through which the first user 101 develops a web shopping application) or a browser (for example, a web version software development system through which the first user 101 develops a web shopping application) on the terminal devices 111, 112, and 113 runs, an access request for calling a target service resource is initiated to the service side 130 by executing the resource access method provided by the embodiment of the present disclosure, and an access response result from the service side 130 is received. The server 130 analyzes and processes the received access request by executing the data processing method provided by the embodiment of the present disclosure, and feeds back an access response result (for example, data obtained according to the access request, a query result, a result obtained by invoking a service resource and performing calculation, and the like) to the terminal devices 111, 112, and 113.
In another exemplary scenario, while the second user 102 uses a published application on a terminal device, the application server provides service support for the application; during this period the application server acts as the second demand side 120 and needs to call service resources from the server 130. In this scenario, the second demand side 120 corresponding to the application server executes the resource access method provided by the embodiments of the present disclosure, and correspondingly the server 130 executes the data processing method provided by the embodiments of the present disclosure.
For example, in a system architecture formed by the second demand side 120 and the server 130, as shown by the two-dot chain line in fig. 1, when an application (for example, an online shopping app) or a browser (for example, a web page version online shopping platform) runs on the terminal device and the application server 121 provides service support for it, the application server 121 initiates an access request for calling a target service resource (a service resource corresponding to an API interface) to the server 130 by executing the resource access method provided by the present disclosure, and receives an access response result from the server 130. The server 130 analyzes and processes the received access request by executing the data processing method provided by the embodiment of the present disclosure, and feeds back an access response result (e.g., data obtained according to the access request, a query result, a result obtained by invoking a service resource and performing calculation, etc.) to the application server 121.
It should be understood that the number of terminal devices and application servers in fig. 1 is merely illustrative. There may be any number of terminal devices and application servers, as desired for implementation.
Embodiments of the present disclosure are described in detail below with reference to the accompanying drawings.
A first exemplary embodiment of the present disclosure provides a method of resource access. The method of resource access of the present embodiment may be performed by the first demand side 110 or the second demand side 120 illustrated in fig. 1.
FIG. 2 schematically shows a flow diagram of a method of resource access according to an embodiment of the present disclosure.
Referring to fig. 2, a method for resource access provided by an embodiment of the present disclosure includes the following operations: S201, S202, S203, S204 and S205. Operations S201 to S205 may be performed by a demand side, which, as shown in fig. 1, may be the first demand side 110 represented by the terminal device or the second demand side 120 represented by the application server.
In operation S201, an operation instruction of a user in developing or using an application is received.
Applications herein may include, but are not limited to: an application program (app) installed on the terminal device, various applets, a web application (an operation of related data is performed based on a browser), or the like.
Such applications include, but are not limited to: software development-like applications, financial-like applications, shopping-like applications, image recognition applications, web browser applications, search-like applications, short video-like applications, instant messaging tools, mailbox clients, social platform software, and the like.
In an implementation scenario, referring to the single-dot chain line in fig. 1, the first user 101 is, for example, a software developer who develops an application using a software development application or a web page version software development system installed on the terminal devices 111, 112, and 113. During this process, the software developer performs one or more operations on the interactive interface of the software development application or web page version software development system, so that an operation instruction of the first user 101 in the application development process is received on the terminal device.
For example, in an embodiment, the web page version software development system includes an open platform and a plurality of application service resources. The open platform provides API interfaces, and a user can purchase and use a specific API interface in the open platform (in some open platforms, the user can also use the software development kit (SDK package) corresponding to the API interface) to call the corresponding API service resources, thereby developing and building the application. In another embodiment, the software development application obtains the right to use the service resource corresponding to a specific API interface by purchasing it in advance, and can call the service resource corresponding to the authorized API. Purchase is only one example of an authorization condition for accessing a specific service resource; in other embodiments, some API service resources may be used without purchase, that is, the authorization condition may take various forms, including purchase and non-purchase (for example, the user's points satisfying a preset condition, or the user's reputation value satisfying a preset condition).
In another implementation scenario, referring to the two-dot chain line in fig. 1, the second user 102 is, for example, a user of an application or a browser, which may be an organization user or an individual user. The user can implement various operations on an operation interface of the application or a display interface of the browser; thus, an operation instruction of the user during the application process is received at the terminal device, and the terminal device sends a data processing request carrying the operation instruction to the application server 121, so that the operation instruction is received at the application server 121 (corresponding to operation S201).
For example, the operation instructions of the user in the process of developing the application may include, but are not limited to: an instruction to obtain software development requirement investigation results, an instruction to set up the system framework, an instruction to set up the database framework, writing and verifying program code, designing test cases, calling test cases to perform software tests, and the like.
Taking the application as an online shopping app and the browser as a web page version online shopping platform as an example, the operation instructions of the user in the process of using the application include but are not limited to: registering an account, logging in to the account, querying a specific commodity, pre-sale consultation, adding a specific commodity to the shopping cart, paying for a specific commodity, checking the logistics information of a paid commodity, initiating an after-sale return, and the like.
In operation S202, address information and call information of a target service resource that needs to be called to execute the operation instruction are determined, where the call information includes: a call time and a target instruction to be executed by the target service resource.
After the demand side 110 (terminal device) or the demand side 120 (application server) receives an operation instruction of a user in the process of developing or using an application, it analyzes the operation instruction to determine at what point in executing the operation instruction (the call time) which service resources (target service resources) of the third-party server 130 (not the application server) need to be called to execute which instruction (the target instruction). The call time refers to the point in time at which the target service resource needs to be called.
For example, the target instruction may include, but is not limited to: data viewing instructions, data query instructions, data screening instructions, calculation instructions, data modification instructions, data addition instructions, data deletion instructions and the like. The enumerated instructions can also be subjected to function combination or function division, for example, a data viewing instruction, a data query instruction and a data screening instruction can be subjected to function combination; the calculation instruction can be functionally split to obtain a plurality of sub-calculation instructions and the like.
The specific implementation of operations S201 and S202 is described below, taking a data viewing instruction as the target instruction. When the operation instruction of a user of the shopping application is to purchase 1 product of a specific color and a specific size, the demand side 120 (application server), after receiving the operation instruction, analyzes it and determines that at the current time (the call time) the inventory service resource (the target service resource, whose address information is the access address corresponding to the inventory API interface) of the inventory system (an example of the server) needs to be called to check the inventory; that is, the target instruction is an inventory viewing instruction (viewing a certain parameter and a certain parameter value) for the product of the specific color and size.
The data viewing instruction may also be, for example, an instruction to view advertisement placement statistics or to view traffic audit data. In an implementation scenario corresponding to the data query instruction, data may be queried by keywords; for example, a merchant system is invoked to query commodities that are not self-operated by the online shopping platform and that contain the three keywords "three years old", "boy" and "clothes". In an implementation scenario corresponding to the data screening instruction, for example, a database service containing test cases is called, and the existing test cases that conform to the current system framework are screened to obtain the target test cases to be returned. In an implementation scenario corresponding to the calculation instruction, a settlement system may be called to perform the balance calculation of bill balance and bill detail on the balance transfer list. The scenarios for the data modification, data addition and data deletion instructions can be understood by analogy and are not illustrated one by one.
In operation S203, at the call time, token information related to the call time is generated according to the resource access information and the encryption algorithm acquired in advance from the server; the resource access information is associated with the access authority of the user account of the user to the service resources.
The resource access information acquired by the demand side from the server in advance is associated with the access authority of the user account to the service resources. For example, for API service resources 1 and 2 in the same system, user account C_A of user A has access right to API service resource 1 and no access right to API service resource 2, while user account C_B of user B has access right to both API service resource 1 and API service resource 2. In this case, the server allocates a set of resource access information I_1 to user account C_A and, in the database corresponding to the server, associates the resource access information I_1 with the access rights of user account C_A to the API service resources. The resulting association may be recorded, for example, as: resource access information I_1 → C_A has access right to API service resource 1 (a service resource that is not listed is one without access right); or as: resource access information I_1 → C_A has access right to API service resource 1, C_A has no access right to API service resource 2 (the API service resources without access right are listed explicitly). Generally, for simplicity, the recording manner of the first example may be adopted. Similarly, the server allocates a set of resource access information I_2 to user account C_B and associates I_2 with the access rights of user account C_B to the API service resources, recorded as: resource access information I_2 → C_B has access right to API service resource 1, C_B has access right to API service resource 2.
After the resource access information has been allocated and associated with the access rights, the server sends the encryption algorithm and the allocated resource access information to the user; for example, through a mailbox or other communication medium, the resource access information I_1 and the encryption algorithm are transmitted to user A, and the resource access information I_2 and the encryption algorithm are transmitted to user B.
The encryption algorithm may be a function package for performing encryption calculation. The encryption algorithm transmitted to all users may be uniform; alternatively, according to the security level of each user's historical access, a function package of high complexity may be transmitted to users with a relatively poor security level, and a function package of medium or low complexity to users with a relatively good security level. The function packages of different complexity levels are developed by the server in advance. In tests simulating illegal interception, decrypting even the low-complexity function package with a high-performance decryption tool takes a long time (half an hour in some cases, several days or even longer in others), whereas the access token becomes invalid once the period corresponding to the current request-response has ended, so security can be ensured.
For the user, it is not necessary to know the specific logic of the encryption algorithm; it is only necessary to input the resource access information into the terminal device in an agreed manner, and the demand side corresponding to the terminal device or to the application server executes the preset encryption calculation logic (corresponding to operation S203) to output the encrypted token information related to the call time. This encryption calculation logic may be any encryption logic that the server can decrypt.
For example, in an implementation scenario, for an operation instruction of user A in the process of developing or using an application, the target service resource to be called for executing the operation instruction is determined to be API service resource 2. At the call time, according to the resource access information I_1 and the encryption algorithm acquired in advance from the server, token information related to the call time is generated as Token1; Token1 is associated with the service resource that user account C_A of user A is authorized for (API service resource 1) and with the call time.
In operation S204, an access request carrying the user account, the token information, the address information, and the target instruction is sent to a server.
For example, in an implementation scenario, after the token information Token1 is generated, an access request carrying the user account C_A, the token information Token1, the address information of the target service resource to be called (API service resource 2), and the target instruction that API service resource 2 is to execute is sent to the server.
In operation S205, an access response result is received from the server; the access response result is obtained by the server after decrypting the token information and verifying the authority.
In the above operations S204 to S205, the demand side may obtain a corresponding permission verification result from the server side according to the user account and the token information.
From the server side, since the association relationship between the user account and the access right of the service resource is pre-configured and stored in the server, after receiving the access request, the server determines whether the user account of the current user has the call/access right to the target service resource by decrypting and verifying the authority of the token information.
For example, in the implementation scenario of operation S205, after the server decrypts the token information Token1 and verifies the authority, the decrypted resource access information obtained is I_1, and according to the pre-configured and stored association between user accounts and access rights to service resources, the resource access authority corresponding to I_1 is determined to be: C_A has access right to API service resource 1, and C_A has no access right to API service resource 2. Therefore, the authority verification yields the result that user A does not have access right to the target service resource (API service resource 2), and an access response result of access failure may be fed back to the demand side. Correspondingly, on the demand side, the access response result received from the server is: access failed.
When the authority verification passes, the server sends the target instruction to the corresponding target service resource according to the address information of the target service resource, obtains the corresponding data processing result, and feeds the data processing result back to the demand side as the access response result. When the authority verification does not pass, the server directly feeds back an access response result of access failure to the demand side, and the call information is not forwarded to the target service resource for which the user has no access authority, which effectively ensures access security.
Based on the above operations S201 to S205, in the resource access method provided by the embodiments of the present disclosure, the overall logic is that, at the call time, token information is calculated by encryption in real time from the resource access information and the encryption algorithm acquired in advance from the server. The token information is related both to the call time and to the access authority of the user account to the service resources, so the token information generated for requests at different times and for requests of different users differs, and authority verification is effectively achieved. This logic improves both the security and the fine granularity of access control, and also avoids the various problems that come with regularly changing tokens.
Specifically, on the one hand, the token information corresponding to each access request is calculated by the demand side in real time at the call time (recalculated for every request), and the timeliness of the token information does not need to be considered, so the demand side does not need to spend great effort on developing regular token updates or replacement, and the server does not face the pressure of frequently updating tokens. On the other hand, because the generated token information is encrypted and related to the call time, it is in use only within the very short period corresponding to one access request and one access response. Even if the access request is intercepted by a malicious party, the token information it carries is difficult to crack in a short time; even if it can be cracked, this takes a long time (exceeding the token validity period), by which point the access-response period corresponding to the access request has ended and the token information is invalid, so the security of the server is effectively ensured. In addition, the granularity of authority control is effectively refined, enabling fine-grained authority control over the service resources of the same system.
Many framework technologies for implementing APIs are currently available on the market, for example frameworks based on the Python development language, or the widely used Django REST framework (a powerful and flexible toolkit for building Web APIs). With products based on these mainstream technology frameworks, when a user logs in for authentication and obtains a token, the request is issued in GET mode. A GET request carries its parameters explicitly in the web address (URL), so the information sent with the request, including the user name, password and other important and sensitive information, is plainly visible, and information security cannot be ensured. The resource calling logic of the embodiments of the present disclosure supports the POST request mode.
According to the embodiment of the present disclosure, the access request uses the POST request method of the hypertext transfer protocol, and the user account and the token information are both located in a cookie (data that a website stores to track and identify the user). Transmitting the token information in a POST request is safer than in a GET request: the sensitive information does not appear in the web address, and the token information is not exposed externally.
In an implementation scenario, when the demand side is a terminal device, the terminal device initiates an access request (query is ready) in a POST request manner, and after the server side receives the access request (if ready), the server side may obtain a corresponding user account and token information from a cookie of the terminal device.
In another implementation scenario, when the demand side is an application server, the application server obtains a corresponding user account and token information from a cookie of the terminal device, and sends an access request carrying the user account and token information to the server side.
In the conventional technology, the server issues a token with a validity period to a successfully authenticated user, and the token is valid for that period. If the server wants to restrict the user's access to some APIs, the restriction cannot take effect in real time; it takes effect only after the current token has passed its validity period, which hinders the server's control over the user and has no immediate effect. Compared with the conventional technology, the authority control granularity provided by the embodiments of the present disclosure can reach the specific access authority for an individual API, and after an administrator sets or updates the access authority, the corresponding authority control takes effect immediately, with no delay or waiting, which is more efficient and more advantageous.
Fig. 3 schematically shows a detailed implementation flowchart of operation S203 according to an embodiment of the present disclosure.
According to the embodiment of the disclosure, the resource access information acquired in advance from the server includes: a user login password associated with the user account and an access key for accessing the service resource.
Illustratively, the user login password associated with user account C_A of user A is "d! $ x0u824 ^644i @ F" (length 16), and the access key associated with user account C_A for accessing the service resource (an authorized API service resource, e.g. API service resource 1) is "rVkR 76M 9" (length 8). It is to be understood that the lengths of the user login password and the access key are given as examples, and the embodiments of the present disclosure do not limit the lengths of the password and the key.
Referring to fig. 3, in operation S203, generating token information related to the call time according to the resource access information and the encryption algorithm acquired in advance from the server includes the following operations: S301 and S302.
In operation S301, the timestamp information corresponding to the call timing is merged with the user login password to obtain a character string.
For example, the timestamp information corresponding to the call timing is "1632721553"; merging the timestamp information "1632721553" with the user login password "d! $ x0u824_ ^644i @ F" yields a character string, for example "1632721553 d! $ x0u824 ^644i @ F". It is to be understood that placing the timestamp information first and the user login password after it is only an example; in other embodiments, the user login password may be placed first and the timestamp information after it. In either case, when the server decrypts and splits the character string, the order in which it identifies the decrypted timestamp information and user login password corresponds to the order used when merging.
In operation S302, the access key is used as an encryption key according to the encryption algorithm, and the character string is encrypted to obtain token information.
The encryption algorithm obtained in advance from the server may be various functional packages for performing encryption calculation, including but not limited to: DES encryption algorithm, AES encryption algorithm, RSA encryption algorithm, etc.
Taking the DES encryption algorithm as an example, the access key is input as the encryption key into the function package corresponding to the DES encryption algorithm, and the character string "1632721553 d! $ x0u824_ ^644i @ F" is input into the function package as the information to be encrypted (the function package supports character strings and keys of various lengths and outputs unique token information after encryption). Encryption calculation is performed based on the DES encryption algorithm in the function package, and unique token information is output, for example in the following form:
"N53bTW6tr2X/k/oVgX0PZT1hJ".
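The following Go program is an added example, not part of the patent text: it carries out operations S301 and S302 on the demand side and the decryption and authority check on the server side described for operation S205. AES-GCM from the Go standard library stands in for the unspecified function package; the SHA-256 key stretching, the 60-second freshness window, all function and error names, and the sample password, key and resource names are assumptions constructed for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"errors"
	"fmt"
	"strconv"
)

// account is the server-side record: resource access information plus authorized APIs.
type account struct {
	password, accessKey string
	allowed             map[string]bool
}

const (
	tsLen     = 10 // width of a Unix-seconds timestamp such as "1632721553"
	maxAgeSec = 60 // assumption: freshness window; the page gives no figure
)

// Distinct errors for server-side logging; the demand side only sees "access failed".
var (
	ErrToken      = errors.New("token cannot be decrypted")
	ErrExpired    = errors.New("token outside its call-time window")
	ErrCredential = errors.New("login password mismatch")
	ErrPermission = errors.New("account not authorized for this resource")
)

// newAEAD derives an AES-256-GCM cipher from the access key (SHA-256 stretch is an assumption).
func newAEAD(accessKey string) (cipher.AEAD, error) {
	key := sha256.Sum256([]byte(accessKey))
	block, err := aes.NewCipher(key[:])
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// GenerateToken runs on the demand side at the call time (S301 + S302).
func GenerateToken(accessKey, password string, callTime int64) (string, error) {
	aead, err := newAEAD(accessKey)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	merged := fmt.Sprintf("%010d%s", callTime, password)   // S301: timestamp first, password after
	sealed := aead.Seal(nonce, nonce, []byte(merged), nil) // S302: nonce || ciphertext || tag
	return base64.StdEncoding.EncodeToString(sealed), nil
}

// Verify runs on the server for every access request.
func Verify(db map[string]*account, user, token, resource string, now int64) error {
	acct, ok := db[user]
	raw, err := base64.StdEncoding.DecodeString(token)
	if !ok || err != nil {
		return ErrToken
	}
	aead, err := newAEAD(acct.accessKey)
	if err != nil || len(raw) < aead.NonceSize() {
		return ErrToken
	}
	plain, err := aead.Open(nil, raw[:aead.NonceSize()], raw[aead.NonceSize():], nil)
	if err != nil || len(plain) < tsLen {
		return ErrToken // wrong access key or modified token
	}
	ts, err := strconv.ParseInt(string(plain[:tsLen]), 10, 64) // split in the merge order
	if err != nil || now-ts > maxAgeSec || ts-now > maxAgeSec {
		return ErrExpired
	}
	if subtle.ConstantTimeCompare(plain[tsLen:], []byte(acct.password)) != 1 {
		return ErrCredential
	}
	if !acct.allowed[resource] {
		return ErrPermission // looked up per request, so a permission change applies at once
	}
	return nil
}

// sampleDB returns constructed data: account C_A may call API service resource 1 only.
func sampleDB() map[string]*account {
	return map[string]*account{"C_A": {"Sample-Passw0rd!", "k3yDEMO8", map[string]bool{"api1": true}}}
}

func main() {
	db := sampleDB()
	const callTime = 1632721553 // timestamp taken from the page's example
	tok, _ := GenerateToken("k3yDEMO8", "Sample-Passw0rd!", callTime)
	fmt.Println("api1:", Verify(db, "C_A", tok, "api1", callTime+1))
	fmt.Println("api2:", Verify(db, "C_A", tok, "api2", callTime+1))
}
```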
FIG. 4 schematically shows a flow diagram of a method of resource access according to another embodiment of the present disclosure.
According to an embodiment of the present disclosure, the method for accessing a resource includes the following operation in addition to operations S201 to S205: S401, acquiring resource access information and an encryption algorithm. For simplicity of illustration, only operation S401 and operation S203 are shown in fig. 4. Operation S401 is performed before operation S203.
According to an embodiment of the present disclosure, acquiring resource access information and an encryption algorithm includes: under the condition of meeting the authorization condition of accessing a specific service resource, initiating an acquisition request for acquiring resource access information and an encryption algorithm corresponding to the specific service resource to a server; and receiving a data packet sent by a server, wherein the data packet carries the resource access information and the encryption algorithm.
In the following, a user purchasing a specific service resource is taken as an example of the user satisfying an authorization condition for accessing that resource. In other embodiments, some API service resources may be used without purchase, that is, the authorization condition may take various forms, including purchase and non-purchase (for example, the user's points satisfying a preset condition, or the user's reputation value satisfying a preset condition).
Fig. 5A schematically shows a detailed implementation flowchart of operation S401 according to an embodiment of the present disclosure.
Referring to fig. 5A, in operation S401, acquiring the resource access information and the encryption algorithm includes the following operations: S501, S502, and S503.
In operation S501, confirmation information on successful payment of a specific service resource to be enjoyed by the user when developing or using an application is received.
For example, an operator of an application (an example of a user) may purchase a specific service resource corresponding to an API interface for a certain application under development or a published application through an open platform on a terminal device, and then have access rights to the specific service resource during development or use of the application (here, an example of satisfying an access authorization condition). When a user pays for a service resource corresponding to a specific API (application programming interface) and a payment system feeds back confirmation information of successful payment to the terminal equipment or the corresponding application server, the confirmation information of successful payment is received at the terminal equipment or the application server (demand side), and the confirmation information triggers the operation of obtaining resource access information and an encryption algorithm. Here, the payment may include a broad meaning such as payment by real or virtual money, deduction payment of points (which can be enjoyed if the minimum threshold value of points is satisfied), deduction payment of reputation values (which can be enjoyed if the minimum threshold value of reputation values is satisfied), and the like.
According to an embodiment of the present disclosure, the confirmation information includes: a user account (used for indicating the user identity and also described as a user identification, such as a login name, user name, or mobile phone number on the open platform), payment information, the purchased specific service resource (for example, a purchased service resource for image recognition), and the purchase validity period of the specific service resource (for example, a purchase validity period of one year, so that the image recognition service resource can be used for one year from the purchase date).
In operation S502, according to the confirmation information, an acquisition request for acquiring the resource access information and the encryption algorithm corresponding to the specific service resource is initiated to the server.
In an implementation scenario, the server is a server side (which may be a cloud server or a conventional server, or other electronic devices capable of providing service resource services) of an API service resource corresponding to an API interface in the open platform.
In operation S503, a data packet sent by a server is received, where the data packet carries the resource access information and the encryption algorithm.
At the server, according to the confirmation information (the user account, the payment information, the purchased specific service resource, and the purchase validity period of the specific service resource), access rights to the corresponding service resource are allocated to the user identifier corresponding to the demand side, resource access information associated with the access rights is configured, and the association relationship between the resource access information and the access rights to the service resource is stored. The resource access information and the pre-developed encryption algorithm are then sent to the demand side.
According to the embodiment of the disclosure, the two parties sending and receiving the information, namely the demand side (110 or 120 in the example of FIG. 1) and the server (130 in the example of FIG. 1), may transmit the resource access information and the encryption algorithm through a predetermined medium. For example, the transmission is performed by mail, or the demand side obtains the data packet by accessing a specific access address given by the server (the access password is shared by the sending and receiving parties).
Fig. 5B schematically shows another detailed implementation flowchart of operation S401 according to an embodiment of the present disclosure.
In order to further improve security during information transmission and prevent the information from being stolen or leaked in transit, the data packet is in the form of ciphertext encrypted with an agreed key, and the agreed key is content agreed between the information sending and receiving parties and kept secret from outside parties. For example, the data packet sent by the server is an encrypted compressed packet, and the key used for encryption and decryption is a key agreed by both the demand side and the server and kept secret from outside parties.
In the above embodiment in which the data packet is encrypted with the agreed key, referring to FIG. 5B, operation S401 includes, in addition to operations S501 to S503, the following operation S504: based on the agreed key, decrypting the received data packet in ciphertext form to obtain the resource access information and the encryption algorithm in plaintext form.
A second exemplary embodiment of the present disclosure provides a method of data processing. The method of data processing of the present embodiment may be performed by the server 130 illustrated in fig. 1. In order to understand the whole data flow of the interaction between the demand side and the service side, the related descriptions of the first embodiment and the second embodiment can be combined.
FIG. 6 schematically shows a flow diagram of a method of data processing according to an embodiment of the present disclosure.
Referring to FIG. 6, a method for data processing provided by an embodiment of the present disclosure includes the following operations: S601, S602, and S603. Operations S601 to S603 are performed by the server, and the server performs authority management on the API service resource corresponding to the API interface accessed by the demand side.
In operation S601, an access request sent by the demand side is received, where information carried in the access request includes: a user account, token information related to a calling opportunity, address information of a target service resource requested to be called, and a target instruction to be executed by the target service resource.
The token information is generated according to resource access information and an encryption algorithm which are acquired in advance from a server when the demand side calls the target service resource; the resource access information is associated with the access authority of the user account to the service resource.
In operation S602, the token information is decrypted and authority verification is performed to obtain an access response result.
In operation S603, the access response result is transmitted to the demand side.
In an embodiment, after operations S201 to S203 are performed on the demand side, operation S204 is performed to send an access request carrying the user account, the token information, the address information, and the target instruction to the server. Accordingly, the access request transmitted by the demand side is received at the server (corresponding to operation S601). Next, the server performs operation S602 to obtain an access response result, and performs operation S603 to send the access response result to the demand side. Accordingly, the access response result transmitted by the server is received at the demand side (corresponding to operation S205).
On the one hand, the token information corresponding to each access request is calculated by the demand side in real time at the calling opportunity (it is recalculated for each request), so the timeliness of the token information does not need to be considered: the demand side does not need to take the trouble of developing periodic token updating or replacement, and the server does not need to face the pressure generated by frequent token updates. On the other hand, the token information is in encrypted form and is related to the calling opportunity, and it is used only within the very short period corresponding to one access request and one access response. Even if the access request is intercepted by an unauthorized party, the token information it carries is difficult to crack in a short time; even if it can be cracked, this takes a long time (exceeding the validity period of the token), by which point the access-response period corresponding to the access request has ended and the token information is invalid, so the security of the server is effectively ensured. In addition, the granularity of authority control can be effectively refined, realizing fine-grained authority control over the service resources of the same system.
Fig. 7 schematically shows a detailed implementation flowchart of operation S602 according to an embodiment of the present disclosure.
According to an embodiment of the present disclosure, referring to FIG. 7, in operation S602, decrypting the token information and performing authority verification to obtain an access response result includes the following operations: S701, S702, S703a, and S704a.
Referring to fig. 7, the operation S602 may further include operations S703b and S704b based on the embodiment including the operations S701, S702, S703a, and S704 a.
In operation S701, the token information is decrypted to obtain decrypted resource access information.
The algorithm used for decryption is a decryption algorithm which is preset by the server and aims at the encryption algorithm, and the corresponding decryption process can be the reverse process of the encryption process.
According to the embodiment of the present disclosure, decrypting the token information to obtain decrypted resource access information includes the following sub-operations: s7011, S7012, S7013.
In sub-operation S7011, according to the user account, pre-configured target resource access information is queried from a database, where the target resource access information includes: a target access key with which the user account accesses an authorized service resource.
For example, the queried target access key with which user account C_A accesses the authorized API service resource 1 is: "rVkR 76M 9".
In sub-operation S7012, according to a decryption algorithm that matches the encryption algorithm, the queried target access key is used as a decryption key, and the token information is decrypted to obtain string information.
The decryption calculation is performed, and the character string information obtained is: "1632721553 d! $ x0u824_ ^644i @ F".
In sub-operation S7013, the string information is split to obtain decrypted timestamp information and a user login password.
The character string information is split in the same order in which it was merged during encryption. For example, with the timestamp information first and the user login password after it, the decrypted timestamp information obtained is "1632721553", and the decrypted user login password is "d! $ x0u824 ^644i @ F".
In operation S702, an identity of the user corresponding to the user account is verified according to the decrypted resource access information.
The pre-configured target resource access information includes, in addition to the target access key, a target user login password associated with the user account.
In operation S702, performing identity verification on the user corresponding to the user account according to the decrypted resource access information includes: verifying whether the decrypted timestamp information is consistent with the timestamp information corresponding to the access request; verifying whether the decrypted user login password is consistent with the target user login password; determining that the identity verification of the user corresponding to the user account passes when the verification finds that the decrypted timestamp information is consistent with the timestamp information corresponding to the access request and the decrypted user login password is consistent with the target user login password; and determining that the identity verification of the user corresponding to the user account fails when the verification finds that the decrypted timestamp information is inconsistent with the timestamp information corresponding to the access request and/or the decrypted user login password is inconsistent with the target user login password.
Based on the above, when the identity of the user is verified, the server verifies both whether the user login password obtained by decrypting the token information in the current access request matches the user account and whether the timestamp information carried in the current access request is the timestamp at which the access request was initiated. If the timestamp information is inconsistent, the verification fails, so that forged requests initiated with illegally intercepted token information are blocked from accessing service resources, and the security of the server is effectively ensured.
In operation S703a, when the identity of the user account passes the identity verification, it is determined whether the user account has a calling right for the target service resource according to a pre-configured association relationship between the user account and an access right of the service resource.
In operation S704a, if it is determined that the user account has the call authority for the target service resource, the target instruction is sent to the target service resource according to the address information to perform data processing, so as to obtain a data processing result, and the data processing result is used as an access response result.
In operation S703b, in a case where the identity check of the user account is not passed, an access response result indicating that the access is failed is obtained.
In operation S704b, in a case that it is determined that the user account does not have the call authority for the target service resource, an access response result of access failure is obtained.
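The token generation described for the DES example and the server-side checks of operations S701 to S704b, as an added Go example (not code from the patent or its applicant). The DES-CBC mode with a random IV, the PKCS#7 padding, the fixed 10-digit timestamp prefix, the 30-second tolerance, and all names and sample values are assumptions; the page specifies none of them.

```go
package main

import (
	"bytes"
	"crypto/cipher"
	"crypto/des"
	"crypto/rand"
	"crypto/subtle"
	"encoding/base64"
	"errors"
	"fmt"
	"strconv"
)

// Account is the record the server looks up by user account (S7011).
type Account struct {
	AccessKey []byte          // 8-byte DES key issued as the access key
	Password  string          // target user login password
	Resources map[string]bool // service resources the account may call
}

var ErrIdentity = errors.New("access failed: identity verification")
var ErrPermission = errors.New("access failed: no calling authority")

// Assumptions: timestamp is a fixed 10-digit Unix-seconds prefix; 30 s skew allowed.
const tsLen, maxSkew = 10, 30

// SampleDB returns constructed demo data, not values from the page.
func SampleDB() map[string]Account {
	return map[string]Account{"demo-account": {
		AccessKey: []byte("k3yDemo!"),
		Password:  "constructed-pw",
		Resources: map[string]bool{"image-recognition": true},
	}}
}

// MakeToken is the demand side: merge timestamp and password, then encrypt the
// string under the access key (DES-CBC, random IV, PKCS#7 are assumptions).
func MakeToken(key []byte, password string, unix int64) (string, error) {
	block, err := des.NewCipher(key)
	if err != nil {
		return "", err
	}
	plain := []byte(fmt.Sprintf("%010d%s", unix, password))
	pad := des.BlockSize - len(plain)%des.BlockSize
	plain = append(plain, bytes.Repeat([]byte{byte(pad)}, pad)...)
	out := make([]byte, des.BlockSize+len(plain))
	if _, err := rand.Read(out[:des.BlockSize]); err != nil {
		return "", err
	}
	cipher.NewCBCEncrypter(block, out[:des.BlockSize]).CryptBlocks(out[des.BlockSize:], plain)
	return base64.StdEncoding.EncodeToString(out), nil
}

// openToken decrypts and splits the string (S7012, S7013). Every failure maps
// to ErrIdentity so a caller cannot tell bad padding from a bad password.
func openToken(key []byte, token string) (int64, string, error) {
	raw, err := base64.StdEncoding.DecodeString(token)
	block, kerr := des.NewCipher(key)
	if err != nil || kerr != nil || len(raw) < 2*des.BlockSize || len(raw)%des.BlockSize != 0 {
		return 0, "", ErrIdentity
	}
	plain := make([]byte, len(raw)-des.BlockSize)
	cipher.NewCBCDecrypter(block, raw[:des.BlockSize]).CryptBlocks(plain, raw[des.BlockSize:])
	pad := int(plain[len(plain)-1])
	if pad < 1 || pad > des.BlockSize || len(plain)-pad < tsLen ||
		!bytes.HasSuffix(plain, bytes.Repeat([]byte{byte(pad)}, pad)) {
		return 0, "", ErrIdentity
	}
	plain = plain[:len(plain)-pad]
	ts, err := strconv.ParseInt(string(plain[:tsLen]), 10, 64)
	if err != nil {
		return 0, "", ErrIdentity
	}
	return ts, string(plain[tsLen:]), nil
}

// Verify is the server side: S701/S702 identity check, then S703a authority.
func Verify(db map[string]Account, account, token, resource string, now int64) error {
	acct, ok := db[account] // unknown account: nil key, so openToken fails too
	ts, pw, err := openToken(acct.AccessKey, token)
	if !ok || err != nil || now-ts > maxSkew || ts-now > maxSkew {
		return ErrIdentity // S703b: unknown user, bad token, stale or future-dated
	}
	if subtle.ConstantTimeCompare([]byte(pw), []byte(acct.Password)) != 1 {
		return ErrIdentity
	}
	if !acct.Resources[resource] {
		return ErrPermission // S704b
	}
	return nil // S704a: forward the target instruction to the resource
}

func main() {
	db := SampleDB()
	tok, _ := MakeToken(db["demo-account"].AccessKey, db["demo-account"].Password, 1632721553)
	fmt.Println("fresh:", Verify(db, "demo-account", tok, "image-recognition", 1632721555))
	fmt.Println("stale:", Verify(db, "demo-account", tok, "image-recognition", 1632725153))
}
```

A token replayed inside the tolerance window still verifies here, because the scheme as described keeps no record of tokens already seen. DES and unauthenticated CBC appear only because the page names DES; an AEAD such as AES-GCM fits the same two functions.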
A third exemplary embodiment of the present disclosure provides an apparatus for resource access.
Fig. 8 schematically shows a block diagram of an apparatus for resource access according to an embodiment of the present disclosure.
Referring to fig. 8, an apparatus 800 for resource access provided by an embodiment of the present disclosure includes: an instruction receiving module 801, a resource call determining module 802, a token generating module 803, a data transmitting module 804, and a data receiving module 805.
The instruction receiving module 801 is configured to receive an operation instruction of a user in developing or using an application.
The resource call determining module 802 is configured to determine address information and call information of a target service resource that needs to be called to execute the operation instruction, where the call information includes: the calling opportunity and the target instruction which needs to be executed by the target service resource.
The token generating module 803 is configured to generate token information related to the invocation time according to the resource access information and the encryption algorithm that are acquired from the server in advance at the invocation time. The resource access information is associated with the access authority of the user account of the user to the service resource.
The data sending module 804 is configured to send an access request carrying the user account, the token information, the address information, and the target instruction to a server.
The data receiving module 805 is configured to receive an access response result from the server; and the access response result is obtained by the server after decrypting and verifying the authority of the token information.
According to an embodiment of the present disclosure, the apparatus 800 for accessing a resource may include, in addition to the instruction receiving module 801, the resource call determining module 802, the token generating module 803, the data sending module 804, and the data receiving module 805, an access information and encryption algorithm acquisition module, which is used for acquiring the resource access information and the encryption algorithm.
The access information and encryption algorithm obtaining module may include a functional module or a sub-module for implementing the operations S501 to S503, or the operations S501 to S504.
A fourth exemplary embodiment of the present disclosure provides an apparatus for data processing.
Fig. 9 schematically shows a block diagram of a data processing apparatus according to an embodiment of the present disclosure.
Referring to FIG. 9, an apparatus 900 for data processing provided by an embodiment of the present disclosure includes: a request receiving module 901, a data processing module 902 and a result sending module 903.
The request receiving module 901 is configured to receive an access request sent by a demand side, where information carried in the access request includes: a user account, token information related to a calling opportunity, address information of a target service resource requested to be called, and a target instruction to be executed by the target service resource. The token information is generated according to resource access information and an encryption algorithm which are acquired in advance from a server when the demand side calls the target service resource; the resource access information is associated with the access authority of the user account to the service resource.
The data processing module 902 is configured to decrypt the token information and perform authority verification to obtain an access response result.
The result sending module 903 is configured to send the access response result to the demand side.
In the third embodiment, any multiple of the instruction receiving module 801, the resource call determining module 802, the token generating module 803, the data sending module 804 and the data receiving module 805 may be combined and implemented in one module, or any one of the modules may be split into multiple modules. Alternatively, at least part of the functionality of one or more of these modules may be combined with at least part of the functionality of the other modules and implemented in one module. At least one of the instruction receiving module 801, the resource call determining module 802, the token generating module 803, the data sending module 804 and the data receiving module 805 may be implemented at least partially as a hardware circuit, such as a Field Programmable Gate Array (FPGA), a Programmable Logic Array (PLA), a system on a chip, a system on a substrate, a system on a package, an Application Specific Integrated Circuit (ASIC), or may be implemented in hardware or firmware in any other reasonable manner of integrating or packaging a circuit, or in any one of three implementations of software, hardware and firmware, or in any suitable combination of any of them. Alternatively, at least one of the instruction receiving module 801, the resource call determining module 802, the token generating module 803, the data transmitting module 804 and the data receiving module 805 may be implemented at least in part as a computer program module that, when executed, may perform a corresponding function.
In the fourth embodiment, any multiple of the request receiving module 901, the data processing module 902, and the result sending module 903 may be combined and implemented in one module, or any one of the modules may be split into multiple modules. Alternatively, at least part of the functionality of one or more of these modules may be combined with at least part of the functionality of the other modules and implemented in one module. At least one of the request receiving module 901, the data processing module 902 and the result sending module 903 may be implemented at least partially as a hardware circuit, such as a Field Programmable Gate Array (FPGA), a Programmable Logic Array (PLA), a system on a chip, a system on a substrate, a system on a package, an Application Specific Integrated Circuit (ASIC), or may be implemented by any other reasonable manner of integrating or packaging a circuit, etc., or implemented by any one of three implementations of software, hardware and firmware, or any suitable combination of any of them. Alternatively, at least one of the request receiving module 901, the data processing module 902 and the result sending module 903 may be at least partly implemented as a computer program module, which, when executed, may perform a corresponding function.
A fifth exemplary embodiment of the present disclosure provides an electronic apparatus.
Fig. 10 schematically shows a block diagram of an electronic device provided in an embodiment of the present disclosure.
Referring to fig. 10, an electronic device 1000 provided in the embodiment of the present disclosure includes a processor 1001, a communication interface 1002, a memory 1003 and a communication bus 1004, where the processor 1001, the communication interface 1002 and the memory 1003 complete communication with each other through the communication bus 1004; a memory 1003 for storing a computer program; the processor 1001 is configured to implement the resource access method or the data processing method described above when executing the program stored in the memory.
A sixth exemplary embodiment of the present disclosure also provides a computer-readable storage medium. The computer-readable storage medium has stored thereon a computer program which, when executed by a processor, implements the method of resource access or the method of data processing as described above.
The computer-readable storage medium may be contained in the apparatus/device described in the above embodiments; or may be present alone without being assembled into the device/apparatus. The computer-readable storage medium carries one or more programs which, when executed, implement the method according to an embodiment of the disclosure.
According to embodiments of the present disclosure, the computer-readable storage medium may be a non-volatile computer-readable storage medium, which may include, for example but is not limited to: a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the present disclosure, a computer readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device.
It is noted that, in this document, relational terms such as "first" and "second," and the like, may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other identical elements in the process, method, article, or apparatus that comprises the element.
The foregoing are merely exemplary embodiments of the present disclosure, which enable those skilled in the art to understand or practice the present disclosure. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other embodiments without departing from the spirit or scope of the disclosure. Thus, the present disclosure is not intended to be limited to the embodiments shown herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.

Claims (14)

1. A method of resource access, comprising:
receiving an operation instruction of a user in the process of developing or using the application;
determining address information and calling information of a target service resource required to be called for executing the operation instruction, wherein the calling information comprises: calling opportunity and a target instruction which needs to be executed by the target service resource;
generating token information related to the calling opportunity according to resource access information and an encryption algorithm which are acquired from a server side in advance at the calling opportunity; wherein the resource access information is associated with access rights of a user account of the user to a service resource;
sending an access request carrying the user account, the token information, the address information and the target instruction to a server; and
receiving an access response result from the server; wherein the access response result is obtained by the server decrypting the token information and performing authority verification.
2. The method of claim 1, wherein the resource access information comprises: a user login password and an access key for accessing a service resource associated with the user account;
wherein the generating, at the calling opportunity, of token information related to the calling opportunity according to resource access information and an encryption algorithm acquired from a server in advance comprises:
merging the timestamp information corresponding to the calling opportunity with the user login password to obtain a character string; and
according to the encryption algorithm, taking the access key as an encryption key, and carrying out encryption calculation on the character string to obtain token information.
3. The method of claim 1 or 2, further comprising: acquiring resource access information and an encryption algorithm;
the acquiring of the resource access information and the encryption algorithm includes:
under the condition that the authorization condition for accessing the specific service resource is met, initiating an acquisition request for acquiring resource access information and an encryption algorithm corresponding to the specific service resource to a server; and
receiving a data packet sent by a server, wherein the data packet carries the resource access information and the encryption algorithm.
4. The method according to claim 3, wherein the data packet is in the form of ciphertext encrypted with an agreed key, and the agreed key is content agreed between the information transmitting and receiving parties and kept secret from outside parties;
wherein the acquiring of the resource access information and the encryption algorithm further comprises:
based on the agreed key, decrypting the received data packet in ciphertext form to obtain the resource access information and the encryption algorithm in plaintext form.
5. The method of claim 1, wherein the access request comprises a POST request in hypertext transfer protocol, and wherein the user account and the token information are both located in a cookie.
6. A method of data processing, comprising:
receiving an access request sent by a demand side, wherein information carried by the access request comprises: a user account, token information related to a calling opportunity, address information of a target service resource requested to be called, and a target instruction which needs to be executed by the target service resource; the token information is generated according to resource access information and an encryption algorithm which are acquired from a server side in advance when the demand side calls the target service resource; wherein the resource access information is associated with access rights of the user account to a service resource;
decrypting the token information and performing authority verification to obtain an access response result; and
sending the access response result to the demand side.
7. The method of claim 6, wherein the decrypting and the authorization verifying the token information to obtain the access response result comprises:
decrypting the token information to obtain decrypted resource access information;
according to the decrypted resource access information, identity verification is carried out on the user corresponding to the user account;
under the condition that the identity verification of the user account passes, determining whether the user account has a calling authority for the target service resource according to a pre-configured incidence relation between the user account and the access authority of the service resource;
and under the condition that the user account is determined to have the calling authority for the target service resource, sending the target instruction to the target service resource for data processing according to the address information to obtain a data processing result, wherein the data processing result is used as an access response result.
8. The method of claim 7, wherein decrypting and verifying the authority of the token information to obtain an access response result further comprises:
obtaining an access response result of access failure under the condition that the identity verification of the user account is not passed, or under the condition that it is determined that the user account does not have the calling authority for the target service resource.
9. The method of claim 7, wherein decrypting the token information to obtain decrypted resource access information comprises:
according to the user account, querying pre-configured target resource access information from a database, wherein the target resource access information comprises: a target access key with which the user account accesses an authorized service resource;
according to a decryption algorithm matched with the encryption algorithm, using the queried target access key as a decryption key, and decrypting the token information to obtain character string information; and
splitting the character string information to obtain the decrypted timestamp information and the user login password.
10. The method of claim 9, wherein the target resource access information further comprises: a target user login password associated with the user account;
wherein, the performing identity verification on the user corresponding to the user account according to the decrypted resource access information includes:
verifying whether the decrypted timestamp information is consistent with the timestamp information corresponding to the access request;
verifying whether the decrypted user login password is consistent with the target user login password or not;
determining that the identity verification of the user corresponding to the user account passes under the condition that the verification finds that the decrypted timestamp information is consistent with the timestamp information corresponding to the access request and the decrypted user login password is consistent with the target user login password;
and determining that the identity verification of the user corresponding to the user account fails under the condition that the verification finds that the decrypted timestamp information is inconsistent with the timestamp information corresponding to the access request and/or the decrypted user login password is inconsistent with the target user login password.
11. An apparatus for resource access, comprising:
the instruction receiving module is used for receiving an operation instruction of a user in the process of developing or using the application;
a resource calling determining module, configured to determine address information and calling information of a target service resource that needs to be called to execute the operation instruction, where the calling information includes: calling opportunity and a target instruction which needs to be executed by the target service resource;
the token generation module is used for generating token information related to the calling opportunity according to resource access information and an encryption algorithm which are acquired from a server side in advance at the calling opportunity; wherein the resource access information is associated with access rights of a user account of the user to a service resource;
the data sending module is used for sending an access request carrying the user account, the token information, the address information and the target instruction to a server; and
the data receiving module is used for receiving an access response result from the server, wherein the access response result is obtained by the server decrypting the token information and verifying its authority.
12. An apparatus for data processing, comprising:
a request receiving module, configured to receive an access request sent by a demand side, where information carried in the access request includes: a user account, token information related to a calling opportunity, address information of a target service resource requested to be called, and a target instruction which needs to be executed by the target service resource; the token information is generated according to resource access information and an encryption algorithm which are acquired from a server side in advance when the demand side calls the target service resource; wherein the resource access information is associated with access rights of the user account to a service resource;
the data processing module is used for decrypting and verifying the authority of the token information to obtain an access response result; and
the result sending module is used for sending the access response result to the demand end.
13. An electronic device, comprising a processor, a communication interface, a memory and a communication bus, wherein the processor, the communication interface and the memory communicate with each other through the communication bus;
the memory being configured to store a computer program;
the processor being configured to implement the method of any one of claims 1 to 10 when executing the program stored in the memory.
14. A computer-readable storage medium, on which a computer program is stored, which, when executed by a processor, carries out the method of any one of claims 1-10.
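The server-side steps of claims 9 and 10 (look up the account's access key, decrypt the token, split the string, compare timestamp and password), as an added Python example that is not part of the patent text. The `|` delimiter, the in-memory `DB`, the function names and the cipher are assumptions: the claims name no algorithm, so a standard-library stand-in (HMAC-SHA256 keystream plus an HMAC tag) is used here.

```python
import hashlib
import hmac
import os

SEP = "|"  # assumed delimiter; the claims do not say how the string is joined
# Constructed stand-in for the database of pre-configured resource access information.
DB = {"alice": {"access_key": bytes(range(32)), "password": "p@ss|word"}}

def _subkeys(key):
    # Separate keys for encryption and integrity, both derived from the access key.
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())

def _xor_stream(enc_key, nonce, data):
    # Stand-in stream cipher (HMAC-SHA256 in counter mode) so the example needs
    # only the standard library; a deployment would use a vetted AEAD instead.
    stream = b""
    for ctr in range(len(data) // 32 + 1):
        stream += hmac.new(enc_key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(data, stream))

def make_token(key, timestamp, password):
    """Demand side: encrypt 'timestamp|password' under the access key."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(16)
    ct = _xor_stream(enc_key, nonce, f"{timestamp}{SEP}{password}".encode())
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()

def verify_request(account, token, request_ts):
    """Server side, claims 9-10: look up key, decrypt, split, compare both fields."""
    rec = DB.get(account)
    if rec is None or len(token) < 48:
        return False
    enc_key, mac_key = _subkeys(rec["access_key"])
    nonce, ct, tag = token[:16], token[16:-32], token[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        return False  # wrong key or modified token
    text = _xor_stream(enc_key, nonce, ct).decode("utf-8", errors="replace")
    ts, sep, password = text.partition(SEP)  # split on the first delimiter only
    if not sep:
        return False
    ts_ok = hmac.compare_digest(ts.encode(), str(request_ts).encode())
    pw_ok = hmac.compare_digest(password.encode(), rec["password"].encode())
    return ts_ok and pw_ok  # claim 10: both must match, otherwise access fails
```

Splitting on the first delimiter only keeps a password that itself contains `|` intact, and both comparisons use `hmac.compare_digest` so the check does not leak how many leading characters matched.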
CN202210128823.7A 2022-02-11 2022-02-11 Resource access and data processing method, device, electronic equipment and medium Pending CN114528571A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210128823.7A CN114528571A (en) 2022-02-11 2022-02-11 Resource access and data processing method, device, electronic equipment and medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202210128823.7A CN114528571A (en) 2022-02-11 2022-02-11 Resource access and data processing method, device, electronic equipment and medium

Publications (1)

Publication Number Publication Date
CN114528571A true CN114528571A (en) 2022-05-24

Family

ID=81623825

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210128823.7A Pending CN114528571A (en) 2022-02-11 2022-02-11 Resource access and data processing method, device, electronic equipment and medium

Country Status (1)

Country Link
CN (1) CN114528571A (en)

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115001714A (en) * 2022-07-15 2022-09-02 中国电信股份有限公司 Resource access method and device, electronic equipment and storage medium
CN115001714B (en) * 2022-07-15 2024-03-19 中国电信股份有限公司 Resource access method and device, electronic equipment and storage medium
CN115426179A (en) * 2022-09-01 2022-12-02 中国联合网络通信集团有限公司 Information retrieving method and device and electronic equipment
CN115426182A (en) * 2022-09-01 2022-12-02 中国联合网络通信集团有限公司 Information retrieving method and device and electronic equipment
CN115426182B (en) * 2022-09-01 2024-04-30 中国联合网络通信集团有限公司 Information retrieving method and device and electronic equipment
CN115426179B (en) * 2022-09-01 2024-05-03 中国联合网络通信集团有限公司 Information retrieving method and device and electronic equipment

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination