CN115277195A - Method for forwarding distributed resource unified gateway - Google Patents

Info

Publication number: CN115277195A
Application number: CN202210891686.2A
Authority: CN (China)
Legal status: Pending (as listed by Google Patents; not a legal conclusion)
Original language: Chinese (zh)
Inventors: 苏鑫, 张乙, 李明
Original and current assignee: Chengdu Fengshun Technology Co ltd
Prior art keywords: resource, gateway, service, information, authentication
Classifications

    • H04L 67/10: Network arrangements or protocols for supporting network services or applications; protocols in which an application is distributed across nodes in the network
    • H04L 12/66: Data switching networks; arrangements for connecting between networks having differing types of switching systems, e.g. gateways
    • H04L 63/0807: Network security; authentication of entities using tickets, e.g. Kerberos
    • H04L 63/0815: Network security; authentication of entities providing single-sign-on or federations
    • H04L 63/083: Network security; authentication of entities using passwords
    • H04L 63/10: Network security; controlling access to devices or network resources

Landscapes

  • Engineering & Computer Science
  • Computer Networks & Wireless Communication
  • Signal Processing
  • Computer Hardware Design
  • Computer Security & Cryptography
  • Computing Systems
  • General Engineering & Computer Science
  • Data Exchanges In Wide-Area Networks

Abstract

The invention discloses a forwarding method for a distributed resource unified gateway. A resource provider registers with the registry, carrying its service information and routing information; the registry passes this information to the resource management center, which constructs the gateway route. A resource consumer accesses resources through the gateway route, requesting either an api or html through the resource gateway. The resource provider verifies that the request was forwarded through the gateway. The invention provides a uniform resource access address, makes that address the only way to reach resources, and performs uniform resource authentication in the gateway.

Description

Method for forwarding distributed resource unified gateway
Technical Field
The invention belongs to the technical field of data processing, and particularly relates to a distributed resource unified gateway forwarding method.
Background
Information resource management is an applied discipline that first developed in the United States between the early 1970s and the late 1980s and then spread worldwide; it is a new information management theory driven by modern information technology, in particular technology built on computers and modern communications. It has a narrow and a broad sense. In the narrow sense it is the management of information itself, i.e. of information content. In the broad sense it is the management of information content together with the resources related to it, such as equipment, facilities, technology, investment and information staff.
An enterprise information resource is the collection of information activity elements (information technology, equipment, information producers, etc.) that an enterprise accumulates through its information activities, with information as the core. The task of enterprise information resource management is to collect, acquire and process information inside and outside the enterprise effectively, to raise the quality, availability and value of the enterprise's information resources as far as possible, and to let every part of the enterprise share them.
The explosive growth of information technology and the intense demand for informatisation from governments, enterprises and society have turned information resources from a technical application into a ubiquitous economic resource. Information resources drive economic growth, system reform and social transition; information resource management technology is moving from single tools towards comprehensive, large-scale platforms that integrate many software components. Platforms for distributed information resource management are becoming the key to current and future informatisation.
An API gateway is, as the name implies, an API-oriented, serial, centralised, strongly controlled service that sits at the boundary of an enterprise IT system; it can be thought of as an enterprise-level application firewall whose main job is to isolate external access from the internal systems. API gateways predate the popularity of microservices: the front-end processor systems long used in banking, securities and similar fields are one example, and they already solved access authentication, message conversion, access statistics and similar problems.
The popularity of API gateways comes from the rise of interconnection between mobile applications and enterprises in recent years. That interconnection expands the clients of a backend service from a single web application to many usage scenarios, each with different requirements of the backend, which increases both the response load and the complexity of the backend service. With the introduction of the microservice architecture, the API gateway has become a standard component of it.
At present the common gateway forwarding methods are built on Zuul, Spring Cloud Gateway or Nginx. Zuul and Spring Cloud Gateway cannot provide a uniform resource address rule: their address rule only reaches the gateway prefix and the service gateway route, so static resources such as js and css from several resource providers cannot be handled when they sit under the same path. Nginx likewise cannot provide a uniform resource address rule, needs a large amount of configuration, and needs a restart to apply configuration changes; it has the same problem with same-path static resources from several providers, and it cannot perform uniform resource authentication.
Disclosure of Invention
To solve the above problems, the present invention provides a forwarding method for a distributed resource unified gateway that provides a uniform resource access address, allows resources to be reached only through that address, and performs uniform resource authentication in the gateway.
To this end the invention adopts the following technical scheme. A forwarding method for a distributed resource unified gateway comprises the following steps:
S10, a resource provider registers with the registry, carrying its service information and routing information; the registry passes this information to the resource management center, which constructs the gateway route;
S20, a resource consumer accesses resources through the gateway route, requesting either an api through the resource gateway or html through the resource gateway;
S30, the resource provider verifies that the request was forwarded through the gateway.
Further, step S10, in which the resource provider registers with the registry and the registry passes the information to the resource management center to construct the gateway route, comprises the steps of:
S11, the resource provider configures its service metadata, marking the current service as a resource provider;
S12, the resource provider starts, discovers the registry, and sends its own service information to the registry;
S13, the registry receives the service online message and forwards the service information to the resource management center;
S14, on receiving the service change notification, the resource management center updates its online service information set and notifies the refreshable route locator inside the resource management center service to update the gateway routes;
S15, on receiving the online service change event, the refreshable route locator fetches and caches the information of all resource providers known to the registry;
S16, the refreshable route locator generates a new resource provider routing rule set from the cache object providers and makes it available to the gateway;
S17, the registry listens for service offline messages and forwards them to the resource management center, which then repeats steps S14-S16 to refresh the cache object providers and the gateway routes.
Further, the resource consumer accessing an api through the resource gateway comprises the steps of:
S211, the resource consumer obtains a resource authentication;
S212, the resource consumer requests the resource management center gateway using the uniform resource access address, carrying the resource authentication;
S213, the resource management center gateway receives the request and extracts the resource authentication and the request path;
S214, the gateway checks whether the request path is compliant, i.e. whether it follows the uniform resource access address rule the gateway provides; if not, the gateway ends the request and returns an error;
S215, the gateway splits the request path according to the uniform resource access address rule and obtains the resource provider service gateway route, the resource category code and the service ID;
S216, from the resource provider service gateway route the gateway obtains the resource provider service name and whether temporary resource authentication is used;
S217, the gateway checks whether the resource authentication is valid; if not, it ends the request and returns an error;
S218, the gateway queries the resource permission using the resource authentication, the resource provider service name, the resource category code and the service ID; if no permission exists, it ends the request and returns an error; if the permission exists, it obtains the resource information using the resource provider service name, the resource category code and the service ID;
S219, the gateway checks whether the resource information exists; if not, it ends the request and returns an error; if it exists, it checks whether the resource information contains an interface address; if not, it ends the request and returns an error;
S2110, if the resource information contains an interface address, the gateway sets it as the reverse proxy target address;
S2111, the gateway encrypts the resource provider service name, the resource category code and the service ID to generate the resource identification information;
S2112, the gateway adds the resource identification information to the reverse proxy request header;
S2113, the gateway forwards the request to the resource provider by reverse proxy, receives the resource provider's response, and returns it to the resource consumer.
Further, obtaining the resource authentication in step S211 takes one of two forms:
the resource consumer calls the client credentials interface of the resource management center and obtains a resource authentication whose information comprises the resource consumer service name and the resource consumer service Chinese name but no user information; the resource permission can then only be controlled at the level of the resource consumer service, not per user;
the resource consumer calls the password interface of the resource management center and obtains a resource authentication whose information comprises the resource consumer service name, the resource consumer service Chinese name and the user information; the resource permission is then controlled per user, but the resource consumer must first single sign-on to the resource management center.
Further, the resource consumer accessing html through the resource gateway comprises the steps of:
S221, the resource consumer obtains a resource authentication;
S222, the resource consumer requests the resource management center gateway using the uniform resource access address, carrying the resource authentication;
S223, the resource management center gateway receives the request and extracts the resource authentication and the request path;
S224, the gateway checks whether the request path is compliant, i.e. whether it follows the uniform resource access address rule the gateway provides; if not, it ends the request and returns an error;
S225, the gateway splits the request path according to the uniform resource access address rule and obtains the resource provider service gateway route, the resource category code and the service ID;
S226, from the resource provider service gateway route the gateway obtains the resource provider service name and whether temporary resource authentication is used;
S227, the gateway checks whether the resource authentication is valid; if not, it ends the request and returns an error;
S228, the gateway queries the resource permission using the resource authentication, the resource provider service name, the resource category code and the service ID; if no permission exists, it ends the request and returns an error; if the permission exists, it obtains the resource information using the resource provider service name, the resource category code and the service ID;
S229, the gateway checks whether the resource information exists; if not, it ends the request and returns an error; if it exists, it checks whether the resource information contains an html address; if not, it ends the request and returns an error; if the html address exists, the gateway obtains the resource provider service address from the resource provider service name and builds a redirect address from it and the html address;
S2210, the gateway checks whether temporary resource authentication is used. If not, it encrypts the resource provider service name, the resource category code and the service ID to generate the resource identification information, and appends the resource authentication and the resource identification information to the redirect address as parameters. If temporary resource authentication is used, it generates a temporary resource authentication from the resource authentication, the resource provider service name, the resource category code, the service ID and a temporary-authentication flag, and appends the temporary resource authentication to the redirect address as a parameter in place of the original resource authentication;
S2211, the gateway terminates the reverse proxy logic and returns the redirect address to the browser, which follows the redirect to the resource address.
Further, obtaining the resource provider service address from the resource provider service name and building the redirect address together with the html address comprises the steps of:
querying the resource management center database by resource provider service name for a configured resource provider service address; if one is configured, continuing with the next step; otherwise obtaining the resource provider's ip and port from the microservice registry and generating the resource provider service address from them;
constructing the redirect address as: resource provider service address + html address from the resource information.
Further, step S30, in which the resource provider verifies that the request was forwarded through the gateway, comprises the steps of:
S31, the resource provider receives the main resource request and extracts the resource authentication from it;
S32, the resource provider checks whether the resource authentication is valid; if not, it ends the request and returns an error;
S33, the resource provider extracts the authentication information contained in the resource authentication;
S34, the resource provider obtains the resource information for the request;
S35, the resource provider checks whether the authentication information is a temporary resource authentication. If it is, it checks the request against the authentication information and the resource information, ends the request and returns an error if the check fails, and continues to the resource if it passes. If it is not a temporary resource authentication, it extracts the resource identification information from the request;
S36, the resource provider checks the request against the resource identification information and the resource information, ends the request and returns an error if the check fails, and continues to the resource if it passes.
The beneficial effects of this technical scheme are as follows:
A resource provider registers with the registry, carrying its service information and routing information; the registry passes this information to the resource management center, which constructs the gateway route. A resource consumer accesses resources through the gateway route, requesting either an api or html through the resource gateway, and the resource provider verifies that the request was forwarded through the gateway. The invention exposes the resources of several resource providers through uniform resource access addresses and prevents the resource consumer from accessing a resource provider directly. The gateway discovers the gateway route of each resource provider automatically, so no route mapping has to be configured. The method covers resources expressed as an api (one resource is a single request) as well as resources expressed as html (one resource needs several requests), and resource provider services whose front end and back end are separated (caching the resource authentication in a js variable and sessionStorage) as well as services where they are not separated (caching the resource authentication in a cookie and localStorage).
Drawings
Fig. 1 is a schematic flow chart of a forwarding method of a uniform gateway for distributed resources according to the present invention;
FIG. 2 is a schematic flow chart of a resource user accessing an api through a resource gateway in an embodiment of the present invention;
FIG. 3 is a schematic flow chart of a resource user accessing html through a resource gateway in an embodiment of the present invention;
fig. 4 is a flowchart illustrating an authentication process of a resource provider according to an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, the present invention is further described with reference to the accompanying drawings.
In this embodiment, referring to fig. 1, the present invention provides a forwarding method for a distributed resource unified gateway comprising the steps of:
S10, a resource provider registers with the registry, carrying its service information and routing information; the registry passes this information to the resource management center, which constructs the gateway route;
S20, a resource consumer accesses resources through the gateway route, requesting either an api through the resource gateway or html through the resource gateway;
S30, the resource provider verifies that the request was forwarded through the gateway.
As a refinement of the above embodiment, step S10, in which the resource provider registers with the registry and the registry passes the information to the resource management center to construct the gateway route, comprises the steps of:
S11, the resource provider configures its service metadata, marking the current service as a resource provider;
the service metadata comprises the service name (usually English), the service Chinese name, the service type (the value resource-provider marks the current service as a resource provider), the service gateway route (if empty, the service name is used), and whether temporary resource authentication is used.
Temporary resource authentication suits html resource providers whose front end and back end are separated; the temporary resource authentication cache (a js variable plus sessionStorage, which additionally holds the resource information) is valid only for the current browser window. A temporary resource authentication is valid only for the current resource; using it to access any other resource fails.
Not using temporary resource authentication suits html resource providers whose front end and back end are not separated, and api resources; the resource authentication cache (cookie plus localStorage, which does not hold resource information) applies to all resource requests. In this case each request needs the additional parameter Resource, the resource identification information.
The gateway must carry the resource information whenever it forwards a request, and the resource provider must verify not only the resource authentication but also that the resource actually requested matches the carried resource information. This stops a resource consumer from accessing the resource provider directly, since the consumer cannot attach the resource information to a request. Because the restriction depends on the consumer being unable to produce a valid resource identification, the identification must be generated so that it cannot be forged (the gateway encrypts it in step S2111) and the provider must check its content against the requested resource rather than merely check that it is present.
S12, the resource provider starts, discovers the registry, and sends its service information (the resource provider's IP, port, service metadata and so on) to the registry;
S13, the registry receives the service online message and forwards the service information to the resource management center;
S14, on receiving the service change notification, the resource management center updates its online service information set (the resource provider's IP, port, service metadata and so on) and notifies the refreshable route locator inside the resource management center service to update the gateway routes;
S15, on receiving the online service change event, the refreshable route locator fetches and caches the information of all resource providers known to the registry:
it obtains the online service information set;
it traverses the set looking for services whose service type is resource-provider, and generates resource provider information (service name, service Chinese name, service gateway route, whether temporary resource authentication is used) for each service that qualifies;
it stores the resource provider information in the cache object providers (a key-value map whose key is the service gateway route and whose value is the resource provider information).
S16, the refreshable route locator generates a new resource provider routing rule set from the cache object providers and makes it available to the gateway:
it traverses all values of the cache object providers to obtain each resource provider's information;
it generates a routing object from the resource provider information according to Table 1;
Table 1: mapping from resource provider information to routing object

Routing object field | Taken from resource provider information
Route ID             | Service name
Service ID           | Service name
Path rule            | Service gateway route, followed by a wildcard matching the rest of the path

it adds the routing object to the resource provider routing rule set.
S17, the registry listens for service offline messages and forwards them to the resource management center, which then repeats steps S14-S16 to refresh the cache object providers and the gateway routes.
The gateway provides a uniform resource access address of the form: resource management center address/gateway prefix/resource provider service gateway route/resource category code/service id/resource representation.
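The registry-driven route construction of steps S11 to S17 and the address rule just stated, as an added example in Python that is neither the patent's code nor Spring Cloud Gateway's: a refreshable route locator that rebuilds the cache object providers and the routing rule set on every online or offline event, and splits a uniform resource access address into its components. The metadata keys (service-type, gateway-route, temp-auth, cn), the gateway prefix gw, the service names and the addresses are assumptions; the registry is replaced by direct calls to on_service_up and on_service_down, and the path rule is written in the /prefix/** form that Spring Cloud Gateway's Path predicate uses.

```python
# Added example, not the patent's code. Metadata keys, the gateway prefix "gw",
# service names and addresses are hypothetical; registry events are method calls.


class RouteLocator:
    """Model of the refreshable route locator inside the resource management center."""

    def __init__(self, gateway_prefix="gw"):
        self.gateway_prefix = gateway_prefix
        self.online = {}     # service name -> registration (online service information set, S14)
        self.providers = {}  # service gateway route -> resource provider info (cache object providers, S15)
        self.routes = []     # resource provider routing rule set (S16)

    def on_service_up(self, registration):
        """S13/S14: the registry reports a service online; refresh providers and routes."""
        self.online[registration["name"]] = registration
        self.refresh()

    def on_service_down(self, name):
        """S17: the registry reports a service offline; refresh in the same way."""
        self.online.pop(name, None)
        self.refresh()

    def refresh(self):
        """S15/S16: only services whose metadata says resource-provider get a route;
        the route is keyed by the service gateway route, which defaults to the service name."""
        providers = {}
        for reg in self.online.values():
            md = reg.get("metadata", {})
            if md.get("service-type") != "resource-provider":
                continue
            route = md.get("gateway-route") or reg["name"]
            providers[route] = {
                "name": reg["name"],
                "cn": md.get("cn", ""),
                "route": route,
                "temp_auth": bool(md.get("temp-auth", False)),
                "addr": f"http://{reg['ip']}:{reg['port']}",
            }
        self.providers = providers
        # Table 1: route ID and service ID are the service name; the path rule is the
        # service gateway route under the gateway prefix plus a wildcard for the rest.
        self.routes = [
            {"id": p["name"], "service_id": p["name"],
             "path": f"/{self.gateway_prefix}/{route}/**"}
            for route, p in providers.items()
        ]

    def resolve(self, path):
        """Split a uniform resource access address of the form
        /<gateway prefix>/<service gateway route>/<resource category code>/<service id>/<resource representation>
        into its components and look up the provider; None means the path is not compliant (S214/S215)."""
        parts = path.strip("/").split("/", 4)
        if len(parts) != 5 or parts[0] != self.gateway_prefix:
            return None
        provider = self.providers.get(parts[1])
        if provider is None:
            return None
        return {"provider": provider, "category": parts[2],
                "service_id": parts[3], "representation": parts[4]}


if __name__ == "__main__":
    loc = RouteLocator()
    loc.on_service_up({"name": "report-svc", "ip": "10.0.0.5", "port": 8080,
                       "metadata": {"service-type": "resource-provider", "cn": "Report Service",
                                    "gateway-route": "bi", "temp-auth": False}})
    print(loc.routes)
    print(loc.resolve("/gw/bi/R01/42/static/app.js"))
```

Because the service gateway route is part of every address, two providers that both serve static/app.js resolve to different providers, which is the same-path static resource problem the background section raises; and because a consumer that registers without the resource-provider type never gets a route, nothing can be reached through the gateway that did not declare itself a provider.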
As an optimization scheme of the foregoing embodiment, as shown in fig. 2, the resource using party accesses the api through the resource gateway, including the steps of:
s211, the resource user acquires resource authentication ResourceToken;
in the first mode, the resource user accesses the credential interface of the OAuth 2.0 client of the resource management center to obtain resource authentication ResourceToken, and the resource authentication information includes the service name of the resource user (OAuth 2.0 client ID) and the service Chinese name of the resource user (OAuth 2.0 client name), but does not include user information. The resource authentication authority can only be controlled to the service level of a resource user and cannot be controlled to a user.
And in the second mode, the resource user accesses the OAuth 2.0 password type interface of the resource management center. And obtaining resource authentication ResourceToken, wherein the resource authentication information comprises a resource user service name (OAuth 2.0 client ID), a resource user service Chinese name (OAuth 2.0 client name) and user information. The resource authentication authority can control the user, but the resource user needs to access the resource management center for single sign-on.
S212, the resource user accesses the resource management center gateway by using the uniform resource access address and carries resource authentication ResourceToken;
s213, the resource management center gateway receives the request, and acquires the resource authentication ResourceToken and the request path uri;
s214, the resource management center gateway verifies whether the request path uri is in compliance or not, whether the path rule meets the requirement of providing a uniform resource access address rule by the gateway or not is judged, and if the path rule does not meet the requirement, the request is ended and error information is returned;
s215, the resource management center gateway obtains the routing, the resource category coding and the service ID of the service gateway of the resource provider according to the request path uri, and the uniform resource access address rule is provided by the gateway for resolution and splitting;
s216, the resource management center gateway obtains the service name of the resource provider and whether the temporary resource authentication is used or not according to the route of the service gateway of the resource provider.
And acquiring resource provider information from the caching objects providers by using the source provider service gateway route as a key, and then acquiring a resource provider service name and whether to use temporary resource authentication from the resource provider information.
S217, the resource management center gateway checks whether the resource authentication ResourceToken is valid; if it is invalid, the gateway ends the request and returns error information;
Resource token validity covers whether the resource token exists, whether it can be decrypted correctly, and whether its validity period has expired.
S218, the resource authority is queried according to the resource authentication ResourceToken, the resource provider's service name, the resource category code and the service ID; if no authority exists, the request is ended and error information is returned;
The check depends on which of the two ways the resource user obtained the resource authentication:
In the first mode, the resource token contains the resource user's service name and Chinese service name, and the query is whether the resource user's service name has authority over the resource.
In the second mode, the resource token contains the resource user's service name and the user information (including the user ID), and the query is whether that user has authority over the resource.
If the authority exists, the resource information is obtained according to the resource provider's service name, the resource category code and the service ID, as follows:
(1) The gateway obtains an interface calling tool (here Feign under Spring Cloud) according to the resource provider's service name, and uses it to call the query-single-resource-information interface exposed by the resource provider, passing the resource category code, the service ID and the Authorization (resource management center authentication).
(2) The resource provider receives the call to the query-single-resource-information interface and verifies whether the Authorization is valid; if it is valid, the provider continues and returns the single resource information; if no resource information is found, it returns empty.
(3) Single resource information structure (JSON example)
[The JSON example of the single resource information structure is shown as an image in the original and is not reproduced here.]
S219, it is judged whether the resource information exists (whether it is empty); if not, the request is ended and error information is returned. If it exists, it is judged whether the resource information contains an interface address (whether resourceApi in the resource information is null or an empty string); if not, the request is ended and error information is returned;
S2110, if an interface address exists in the resource information, the gateway sets it as the reverse proxy interface address;
S2111, the resource management center gateway encrypts the resource provider's service name, the resource category code and the service ID to generate the Resource identification information Resource;
The resource management center gateway attaches this resource information to the reverse proxy request. The resource user knows neither the encryption scheme nor the key.
S2112, the resource management center gateway adds the Resource identification information Resource to the reverse proxy request header (as a header parameter);
S2113, the resource management center gateway requests the resource provider through the reverse proxy, receives the resource provider's response and returns it to the resource user.
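The gateway-side admission logic of steps S213 to S219 (path rule check, provider cache lookup, ResourceToken validity, authority query and resource information check), as an added example that is not part of the patent or of the applicant's implementation. It is written in Python rather than the Spring Cloud stack the description names. The access address layout `/res/<route>/<category code>/<service ID>`, the HS256 JWT shape of the ResourceToken, the key `TOKEN_KEY`, and the `PROVIDERS`, `GRANTS` and `RESOURCES` tables are constructed assumptions, since the patent does not print them; the Resource identifier that S2111 adds for the reverse proxy is outside this block.

```python
import base64, hashlib, hmac, json, re, time

# Constructed key shared by the resource management center (token issuer) and its gateway (assumption).
TOKEN_KEY = b"example-resource-token-key"

# Constructed uniform resource access address rule; the patent does not print the exact rule.
# Assumed layout: /res/<provider gateway route>/<resource category code>/<service ID>
PATH_RULE = re.compile(r"^/res/([A-Za-z0-9-]+)/([A-Za-z0-9]+)/([A-Za-z0-9-]+)$")

# Constructed cache object 'providers', keyed by gateway route (S216).
PROVIDERS = {
    "order-svc": {"service_name": "order-service", "temp_auth": False},
    "report-svc": {"service_name": "report-service", "temp_auth": True},
}
# Constructed authority table (S218): who may reach which (provider, category code, service ID).
GRANTS = {
    ("service", "portal-app", "order-service", "ORD", "order-list"),
    ("user", "u-1001", "report-service", "RPT", "sales-report"),
}
# Constructed stand-in for the provider's query-single-resource-information interface (S218 (1)-(3)).
RESOURCES = {
    ("order-service", "ORD", "order-list"): {"resourceApi": "/svc/ORD/order-list", "resourceAddress": ""},
    ("report-service", "RPT", "sales-report"): {"resourceApi": "", "resourceAddress": "/reports/sales?v=2"},
}

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def jwt_encode(claims: dict, key: bytes) -> str:
    """Mint an HS256 JWT, the shape assumed here for an OAuth 2.0 'jwt mode' ResourceToken."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def jwt_decode(token, key: bytes, now=None):
    """S217: the token must exist, verify under the key and be unexpired; otherwise return None."""
    if not token or token.count(".") != 2:
        return None
    header, payload, sig = token.split(".")
    expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_b64url(expected).encode(), sig.encode()):
        return None
    try:
        claims = json.loads(_b64url_decode(payload))
    except ValueError:          # bad base64 or bad JSON: cannot be "decrypted correctly"
        return None
    now = time.time() if now is None else now
    if not isinstance(claims, dict) or claims.get("exp", 0) <= now:
        return None
    return claims

def has_authority(claims: dict, provider: str, category: str, service_id: str) -> bool:
    """S218: a mode-1 token is checked by client service name, a mode-2 token by user ID."""
    user = claims.get("user")
    if user:
        return ("user", user.get("id"), provider, category, service_id) in GRANTS
    return ("service", claims.get("client_id"), provider, category, service_id) in GRANTS

def gateway_handle_api(uri: str, resource_token, now=None):
    """Gateway steps S213-S219 for the reverse-proxy (api) path. Returns (outcome, detail)."""
    parsed = PATH_RULE.match(uri)                          # S214: path must follow the access address rule
    if parsed is None:
        return "error", "request path violates the uniform resource access address rule"
    route, category, service_id = parsed.groups()          # S215: route / category code / service ID
    provider = PROVIDERS.get(route)                        # S216: look the route up in the providers cache
    if provider is None:
        return "error", "no resource provider registered for route"
    claims = jwt_decode(resource_token, TOKEN_KEY, now)    # S217: token exists, verifies, not expired
    if claims is None:
        return "error", "resource token missing, invalid or expired"
    name = provider["service_name"]
    if not has_authority(claims, name, category, service_id):      # S218: authority query
        return "error", "no authority for the requested resource"
    info = RESOURCES.get((name, category, service_id))             # S218 (1)-(3): single resource info
    if info is None:
        return "error", "resource information is empty"            # S219
    if not info.get("resourceApi"):
        return "error", "resource information has no interface address"   # S219
    return "proxy", {"provider": name, "target": info["resourceApi"], "category": category,
                     "service_id": service_id, "temp_auth": provider["temp_auth"]}
```

The order of checks follows the description: the path and route are resolved before the token is verified, and the authority query keys on the provider's service name rather than on the route the caller typed, so a caller cannot widen its grant by choosing a different route spelling.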
As an optimization of the above embodiment, as shown in fig. 3, the resource user accessing html through the resource gateway includes the steps of:
S221, the resource user obtains the resource authentication ResourceToken;
In the first mode, the resource user calls the OAuth 2.0 client credentials interface of the resource management center to obtain the resource authentication ResourceToken. The resource authentication information then includes the resource user's service name (OAuth 2.0 client ID) and the resource user's Chinese service name (OAuth 2.0 client name), but no user information, so resource authority can only be controlled at the service level of the resource user, not per user.
In the second mode, the resource user calls the OAuth 2.0 password-grant interface of the resource management center to obtain the resource authentication ResourceToken. The resource authentication information then includes the resource user's service name (OAuth 2.0 client ID), the resource user's Chinese service name (OAuth 2.0 client name) and user information, so resource authority can be controlled per user, but the resource user must first access the resource management center for single sign-on.
S222, the resource user accesses the resource management center gateway through the uniform resource access address, carrying the resource authentication ResourceToken;
S223, the resource management center gateway receives the request and obtains the resource authentication ResourceToken and the request path uri;
S224, the resource management center gateway verifies whether the request path uri complies, that is, whether the path follows the uniform resource access address rule provided by the gateway; if it does not, the request is ended and error information is returned;
S225, the resource management center gateway parses and splits the request path uri according to the uniform resource access address rule provided by the gateway, obtaining the resource provider's service gateway route, the resource category code and the service ID;
S226, the resource management center gateway obtains the resource provider's service name and whether temporary resource authentication is used, according to the resource provider's service gateway route.
The resource provider information is read from the cache object providers, using the resource provider's service gateway route as the key, and the resource provider service name and the temporary resource authentication flag are taken from that information.
S227, the resource management center gateway checks whether the resource authentication ResourceToken is valid; if it is invalid, the gateway ends the request and returns error information;
Resource token validity covers whether the resource token exists, whether it can be decrypted correctly, and whether its validity period has expired.
S228, the resource authority is queried according to the resource authentication ResourceToken, the resource provider's service name, the resource category code and the service ID; if no authority exists, the request is ended and error information is returned;
The check depends on which of the two ways the resource user obtained the resource authentication:
In the first mode, the resource token contains the resource user's service name and Chinese service name, and the query is whether the resource user's service name has authority over the resource.
In the second mode, the resource token contains the resource user's service name and the user information (including the user ID), and the query is whether that user has authority over the resource.
If the authority exists, the resource information is obtained according to the resource provider's service name, the resource category code and the service ID, as follows:
(1) The gateway obtains an interface calling tool (here Feign under Spring Cloud) according to the resource provider's service name, and uses it to call the query-single-resource-information interface exposed by the resource provider, passing the resource category code, the service ID and the Authorization (resource management center authentication).
(2) The resource provider receives the call to the query-single-resource-information interface and verifies whether the Authorization is valid; if it is valid, the provider continues and returns the single resource information; if no resource information is found, it returns empty.
(3) Single resource information structure (JSON example)
[The JSON example of the single resource information structure is shown as an image in the original and is not reproduced here.]
S229, it is judged whether the resource information exists; if not, the request is ended and error information is returned. If it exists, it is judged whether the resource information contains an html address; if not, the request is ended and error information is returned;
That is, whether resourceAddress in the resource information is null or an empty string. The html address contains only the url path and parameters, not the service ip and port.
If the html address exists in the resource information, the resource provider's service address is obtained according to the resource provider's service name and a redirection address is constructed together with the html address, as follows:
According to the resource provider's service name, the resource management center database is queried for whether a service address has been configured for the resource provider; if so, the redirection address is constructed from it; if not, the ip and port of the resource provider are obtained from the microservice registration center and the service address is generated as http://ip:port.
The redirection address is constructed as: resource provider service address + html address from the resource information.
S2210, the gateway judges whether temporary resource authentication is used. If not, it encrypts the resource provider's service name, the resource category code and the service ID to generate the Resource identification information Resource, and appends the resource authentication and the Resource identification information as parameters to the redirection address;
If temporary resource authentication is used, a temporary resource authentication is generated from the resource authentication, the resource provider's service name, the resource category code, the service ID and the temporary authentication mark, and is appended to the redirection address as a parameter in place of the original resource authentication;
The temporary resource authentication contains all the information of the original resource token, plus the resource provider's service name, resource category code and service ID as the resource identifier, and the temporary authentication mark. It is generated by encryption in OAuth 2.0 jwt mode.
S2211, the gateway terminates the reverse proxy logic and returns the redirection address to the browser; the browser then redirects to the resource address.
As an optimization of the above embodiment, in step S30, as shown in fig. 4, the resource provider identifying whether the request was forwarded through the gateway includes the steps of:
S31, the resource provider receives the main resource request and obtains the resource authentication ResourceToken from the request;
For the reverse proxy api, the request address corresponds to step S2110.
For redirected html, the request address corresponds to the main resource request the browser initiates after step S2211.
S32, the resource provider verifies whether the resource authentication ResourceToken is valid; if it is invalid, the request is ended and error information is returned.
Resource token validity covers whether the resource token exists, whether it can be decrypted correctly, and whether its validity period has expired.
S33, the authentication information jwtInfo (the decrypted, identifiable authentication information) contained in the resource authentication ResourceToken is obtained;
Depending on which of the two ways the resource user obtained the resource authentication:
In the first mode, jwtInfo contains the resource user's service name and Chinese service name.
In the second mode, jwtInfo contains the resource user's service name, the resource user's Chinese service name and the user information (including the user ID).
If step S2210 was performed with temporary resource authentication, jwtInfo additionally contains the resource provider's service name, the resource category code, the service ID and the temporary authentication mark.
S34, the resource provider obtains the resource information (including the resource category code and the service ID) from the request;
The resource provider identifies the resource from the uri path of the main resource request; different resource types of a provider are identified differently, and the provider processes the uri path itself.
Since the main resource request address is defined by the resource provider, the provider can fully resolve it.
S35, it is judged whether the authentication information jwtInfo is a temporary resource authentication (whether it contains the temporary authentication mark). If so, the request is checked for legality using jwtInfo and the resource information, and if it is illegal the request is ended and error information is returned;
The resource provider's service name in jwtInfo is compared with the current resource provider's service name;
the resource category code and service ID in jwtInfo are compared with the resource category code and service ID in the resource information; the request is judged legal only if all of them match.
If jwtInfo is a temporary resource authentication and the check passes, access to the resource continues; if jwtInfo is not a temporary resource authentication, the Resource identification information Resource is obtained from the request;
S36, the request is checked for legality using the Resource identification information Resource and the resource information; if it is illegal, the request is ended and error information is returned. Resource is decrypted to obtain the resource provider's service name, the resource category code and the service ID (the encryption corresponds to step S2111 or S2210).
The current resource provider's service name is compared with the resource provider's service name in Resource;
the resource category code and service ID in Resource are compared with those in the resource information;
the request is judged legal only if all of them match.
If the request is legal, access to the resource continues.
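Resource identifier generation at the gateway (S2111), the temporary authentication contents of S2210, and the provider-side identification of steps S34 to S36, as an added Python example that is not part of the patent or of the applicant's implementation. Assumptions, none of which the patent states: the gateway and the provider share `RESOURCE_KEY`; the Resource identifier is protected with an HMAC-SHA256 tag (integrity only) as a stand-in for the encryption the patent describes, so a deployment would replace `seal_resource`/`open_resource` with an authenticated cipher to also keep the fields confidential; the ResourceToken or temporary token has already been validated and decoded by S32 into the `jwt_info` dictionary passed in, with the temporary authentication mark modelled as a `temp` claim; and the provider's own main-resource path layout `/svc/<category code>/<service ID>` is invented, since S34 leaves that mapping to each provider.

```python
import base64, hashlib, hmac, json, re

# Constructed key shared by the gateway and its resource providers (assumption; the patent only
# says the resource user does not know the encryption scheme or key).
RESOURCE_KEY = b"example-gateway-provider-key"
TAG_LEN = hashlib.sha256().digest_size

def seal_resource(provider: str, category: str, service_id: str) -> str:
    """S2111: pack (provider service name, category code, service ID) into the Resource identifier.
    Stand-in: body || HMAC-SHA256(body); the patent encrypts the fields instead."""
    body = json.dumps([provider, category, service_id], separators=(",", ":")).encode()
    tag = hmac.new(RESOURCE_KEY, body, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(body + tag).decode()

def open_resource(resource):
    """S36: recover the three fields, or None if the identifier is absent, malformed or tampered."""
    try:
        raw = base64.urlsafe_b64decode(resource or "")
    except (ValueError, TypeError):
        return None
    body, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    if len(tag) != TAG_LEN or not hmac.compare_digest(hmac.new(RESOURCE_KEY, body, hashlib.sha256).digest(), tag):
        return None
    try:
        fields = json.loads(body)
    except ValueError:
        return None
    if not (isinstance(fields, list) and len(fields) == 3):
        return None
    return tuple(fields)

def temp_auth_claims(token_claims: dict, provider: str, category: str, service_id: str) -> dict:
    """S2210: temporary resource authentication = original token claims + resource identifier fields
    + temporary authentication mark (signing as an OAuth 2.0 JWT is done by the token issuer, not here)."""
    return {**token_claims, "provider": provider, "category": category, "service_id": service_id, "temp": True}

# Constructed: how this provider maps its own main-resource request path to (category code, service ID).
# S34 leaves this to each provider; here the provider publishes /svc/<category code>/<service ID>[/...].
OWN_PATH = re.compile(r"^/svc/([A-Za-z0-9]+)/([A-Za-z0-9-]+)(?:/|$)")

def provider_identify(own_name: str, path: str, jwt_info: dict, resource_header=None):
    """S34-S36 at the resource provider, after S32/S33 have produced jwt_info.
    Returns (True, reason) if the request is recognised as gateway-forwarded, else (False, reason)."""
    m = OWN_PATH.match(path)                                   # S34: resource info from the provider's own path
    if m is None:
        return False, "cannot resolve resource information from path"
    category, service_id = m.groups()
    if jwt_info.get("temp"):                                    # S35: temporary resource authentication
        ok = (jwt_info.get("provider") == own_name and jwt_info.get("category") == category
              and jwt_info.get("service_id") == service_id)
        return ok, "temporary authentication matches resource" if ok else "temporary authentication does not match resource"
    fields = open_resource(resource_header)                     # S36: Resource identification information
    if fields is None:
        return False, "resource identifier missing or tampered"
    ok = fields == (own_name, category, service_id)
    return ok, "resource identifier matches resource" if ok else "resource identifier does not match resource"
```

Both branches compare the provider's own name and the (category code, service ID) pair it derived from the request path against what the gateway bound into the identifier, so an identifier minted for one resource cannot be replayed against another resource or another provider.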
The foregoing shows and describes the general principles and broad features of the present invention and advantages thereof. It will be understood by those skilled in the art that the present invention is not limited to the embodiments described above, which are described in the specification and illustrated only to illustrate the principle of the present invention, but that various changes and modifications may be made therein without departing from the spirit and scope of the present invention, which fall within the scope of the invention as claimed. The scope of the invention is defined by the appended claims and equivalents thereof.

Claims (7)

1. A forwarding method for a distributed resource unified gateway, characterized by comprising the following steps:
S10, a resource provider notifies a registration center, carrying its service information and routing information, and the registration center notifies the resource management center of that information so as to construct a gateway route;
S20, the resource user accesses the resource through the gateway route, either accessing an api through the resource gateway or accessing html through the resource gateway;
S30, the resource provider identifies whether the request was forwarded through the gateway.
2. The forwarding method of a distributed resource unified gateway according to claim 1, wherein in step S10 the resource provider notifying the registration center with its service information and routing information, and the registration center notifying the resource management center of that information to construct the gateway route, comprises the steps of:
S11, the resource provider configures service metadata indicating that the current service is a resource provider;
S12, the resource provider starts, discovers the registration center and sends its own service information to the registration center;
S13, the registration center receives the service online message and notifies the resource management center of that service information;
S14, after receiving the service change notification, the resource management center updates its set of online service information and notifies the refreshable route locator within the resource management center service to update the gateway route;
S15, after receiving the online service change event, the refreshable route locator obtains and caches the information of all resource providers in the registration center;
S16, the refreshable route locator generates a new resource provider route rule set from the cache object providers and makes it available to the gateway;
S17, the registration center listens for the service offline message and notifies the resource management center; the resource management center then performs steps S14-S16 to refresh the cache object providers and the gateway routes.
3. The forwarding method of a distributed resource unified gateway according to claim 1, wherein the resource user accessing an api through the resource gateway comprises the steps of:
S211, the resource user obtains the resource authentication;
S212, the resource user accesses the resource management center gateway through the uniform resource access address, carrying the resource authentication;
S213, the resource management center gateway receives the request and obtains the resource authentication and the request path;
S214, the resource management center gateway verifies whether the request path complies, that is, whether the path follows the uniform resource access address rule provided by the gateway; if it does not, the resource management center gateway ends the request and returns error information;
S215, the resource management center gateway parses and splits the request path according to the uniform resource access address rule provided by the gateway, obtaining the resource provider's service gateway route, the resource category code and the service ID;
S216, the resource management center gateway obtains the resource provider's service name and whether temporary resource authentication is used, according to the resource provider's service gateway route;
S217, the resource management center gateway checks whether the resource authentication is valid; if it is invalid, the resource management center gateway ends the request and returns error information;
S218, the resource authority is queried according to the resource authentication, the resource provider's service name, the resource category code and the service ID; if no authority exists, the request is ended and error information is returned; if the authority exists, the resource information is obtained according to the resource provider's service name, the resource category code and the service ID;
S219, it is judged whether the resource information exists; if not, the request is ended and error information is returned; if it exists, it is judged whether the resource information contains an interface address, and if not, the request is ended and error information is returned;
S2110, if an interface address exists in the resource information, the gateway sets it as the reverse proxy interface address;
S2111, the resource management center gateway encrypts the resource provider's service name, the resource category code and the service ID to generate the resource identification information;
S2112, the resource management center gateway adds the resource identification information to the reverse proxy request header;
S2113, the resource management center gateway requests the resource provider through the reverse proxy, receives the resource provider's response and returns it to the resource user.
4. The forwarding method according to claim 3, wherein in step S211 the resource user obtaining the resource authentication comprises:
the resource user accesses the client credentials interface of the resource management center to obtain the resource authentication, the resource authentication information comprising the resource user's service name and the resource user's Chinese service name but no user information; the resource authority can then only be controlled at the service level of the resource user, not per user;
or the resource user accesses the password interface of the resource management center to obtain the resource authentication, the resource authentication information comprising the resource user's service name, the resource user's Chinese service name and user information; the resource authority is then controlled per user, but the resource user must first access the resource management center for single sign-on.
5. The forwarding method of a distributed resource unified gateway according to claim 1, wherein the resource user accessing html through the resource gateway comprises the steps of:
S221, the resource user obtains the resource authentication;
S222, the resource user accesses the resource management center gateway through the uniform resource access address, carrying the resource authentication;
S223, the resource management center gateway receives the request and obtains the resource authentication and the request path;
S224, the resource management center gateway verifies whether the request path complies, that is, whether the path follows the uniform resource access address rule provided by the gateway; if it does not, the request is ended and error information is returned;
S225, the resource management center gateway parses and splits the request path according to the uniform resource access address rule provided by the gateway, obtaining the resource provider's service gateway route, the resource category code and the service ID;
S226, the resource management center gateway obtains the resource provider's service name and whether temporary resource authentication is used, according to the resource provider's service gateway route;
S227, the resource management center gateway checks whether the resource authentication is valid; if it is invalid, the resource management center gateway ends the request and returns error information;
S228, the resource authority is queried according to the resource authentication, the resource provider's service name, the resource category code and the service ID; if no authority exists, the request is ended and error information is returned; if the authority exists, the resource information is obtained according to the resource provider's service name, the resource category code and the service ID;
S229, it is judged whether the resource information exists; if not, the request is ended and error information is returned; if it exists, it is judged whether the resource information contains an html address, and if not, the request is ended and error information is returned; if the html address exists in the resource information, the resource provider's service address is obtained according to the resource provider's service name and a redirection address is constructed together with the html address;
S2210, the resource management center gateway judges whether temporary resource authentication is used; if not, it encrypts the resource provider's service name, the resource category code and the service ID to generate the resource identification information, and appends the resource authentication and the resource identification information as parameters to the redirection address; if temporary resource authentication is used, a temporary resource authentication is generated from the resource authentication, the resource provider's service name, the resource category code, the service ID and the temporary authentication mark, and is appended to the redirection address as a parameter in place of the original resource authentication;
S2211, the resource management center gateway terminates the reverse proxy logic and returns the redirection address to the browser; the browser then redirects to the resource address.
6. The forwarding method of a distributed resource unified gateway according to claim 5, wherein, when an html address exists in the resource information, obtaining the resource provider's service address according to the resource provider's service name and constructing the redirection address together with the html address comprises the steps of:
according to the resource provider's service name, querying the resource management center database for whether a service address has been configured for the resource provider; if so, proceeding to the next step; if not, obtaining the ip and port of the resource provider from the microservice registration center and generating the resource provider's service address;
constructing the redirection address as: resource provider service address + html address from the resource information.
7. The forwarding method of a distributed resource unified gateway according to claim 1, wherein in step S30 the resource provider identifying whether the request was forwarded through the gateway comprises the steps of:
S31, the resource provider receives the main resource request and obtains the resource authentication from the request;
S32, the resource provider verifies whether the resource authentication is valid; if it is invalid, the request is ended and error information is returned;
S33, the authentication information contained in the resource authentication is obtained;
S34, the resource provider obtains the resource information from the request;
S35, it is judged whether the authentication information is a temporary resource authentication; if so, the request is checked for legality using the authentication information and the resource information, and if it is illegal the request is ended and error information is returned; if the authentication information is a temporary resource authentication and the check passes, access to the resource continues; if the authentication information is not a temporary resource authentication, the resource identification information is obtained from the request;
S36, the request is checked for legality using the resource identification information and the resource information; if it is illegal, the request is ended and error information is returned; if it is legal, access to the resource continues.
CN202210891686.2A 2022-07-27 2022-07-27 Method for forwarding distributed resource unified gateway Pending CN115277195A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210891686.2A CN115277195A (en) 2022-07-27 2022-07-27 Method for forwarding distributed resource unified gateway


Publications (1)

Publication Number Publication Date
CN115277195A true CN115277195A (en) 2022-11-01

Family

ID=83770800


Country Status (1)

Country Link
CN (1) CN115277195A (en)


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
CB03 Change of inventor or designer information

Inventor after: Li Hao; Su Xin; Zhang Yi; Li Ming
Inventor before: Su Xin; Zhang Yi; Li Ming