CN115987645A - Gateway-based security Gateway - Google Patents


Info

Publication number: CN115987645A
Authority: CN (China)
Legal status: Pending (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Application number: CN202211675801.9A
Other languages: Chinese (zh)
Inventors: 郑辉, 卓上斐, 袁俊, 管志强, 张凯旭, 张美玲, 张立德, 顾荣华
Current assignee: Guangdong Eshore Technology Co Ltd (the listed assignees may be inaccurate; Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list)
Original assignee: Guangdong Eshore Technology Co Ltd
Prior art keywords: gateway, interface, request, function, based security


Abstract

The invention provides a Gateway-based security Gateway, comprising: step one, writing a custom processor so that the Gateway can be used in a microservice architecture while performing global security processing, which reduces redundancy in back-end service code, provides a uniform return data type for back-end services and lets the front end integrate more quickly; step two, when the Gateway starts the signature verification function, verifying the interface data of the request; step three, when the Gateway starts the interface encryption and decryption function, decrypting the requested parameters and encrypting the returned content; and step four, when the Gateway starts the interface authentication function, authenticating the request. The Gateway-based security Gateway provided by the invention adds signature verification, interface request decryption and return-content encryption on top of Spring Cloud Gateway, with the advantage that the security function is implemented at the Gateway and need not be implemented in the service system.

Description

Gateway-based security Gateway
Technical Field
The invention belongs to the technical field of Gateway security gateways, and particularly relates to a Gateway-based security Gateway.
Background
In the early stage of a project, traffic is relatively small and a single application can provide the required functions while keeping development, deployment, operation and maintenance simple. As the business expands and the number of users grows, a monolithic architecture can no longer support the project well, and the microservice architecture emerged. The core idea of microservices is to split the traditional monolithic application into separate services by business function so that they are fully decoupled: each service provides one specific function and does only one thing, much like a process. Each service can be deployed independently and may even have its own database; one such small service is a microservice. The two popular microservice architecture solutions at present are Spring Cloud Netflix and Spring Cloud Alibaba, and whichever solution is chosen, the gateway is an essential core component. Spring Cloud Gateway (based on Netty and WebFlux) is the second-generation gateway framework released by the Spring Cloud team; its performance is about 1.5 times that of the first-generation gateway Zuul. To reduce redundancy in back-end code, the back-end services commonly need a uniform security check.
In the related art, a data processing method and device for a security gateway, and the security gateway itself, have been disclosed. The method comprises: an Internet Key Exchange (IKE) protocol service processing module sends a control instruction to an underlying hardware module; it then receives the network data message forwarded by the underlying hardware module according to the control instruction and processes the message to obtain a processing result. The underlying hardware module comprises a central processing unit (CPU), an interface field-programmable gate array (FPGA) module communicatively connected to the CPU, and an algorithm FPGA module communicatively connected to the interface FPGA module; according to the control instruction, the interface FPGA module either sends the received network data message to the algorithm FPGA module for security processing or sends it to the CPU for processing. This frees CPU computing capacity, reduces the difficulty and duration of software development, and improves security and responsiveness.
In the related art, a VPN security gateway has also been disclosed, comprising an intranet communication unit, an extranet communication unit, an encryption and decryption unit and a management unit, wherein: the intranet communication unit transmits intranet data to the encryption and decryption unit and passes the decrypted data received from the encryption and decryption unit into the intranet; the extranet communication unit transmits extranet data to the encryption and decryption unit and passes the encrypted data received from the encryption and decryption unit into the extranet; the encryption and decryption unit processes the data received from the intranet and extranet communication units accordingly; and the management unit uniformly manages the intranet communication unit, the extranet communication unit and the encryption and decryption unit and monitors their working states. That invention improves the isolation performance of the VPN security gateway.
However, Spring Cloud Gateway does not currently support security functions. Therefore, to build a microservice solution on the better-performing Spring Cloud Gateway, the problem that Spring Cloud Gateway does not support the security function must be solved.
Therefore, there is a need for a new Gateway-based security Gateway that solves the above technical problems.
Disclosure of Invention
The technical problem to be solved by the invention is to provide a Gateway-based security Gateway that adds signature verification, interface request decryption and return-content encryption on top of Spring Cloud Gateway, so that the security function is implemented at the Gateway and need not be implemented in each service system.
To solve the above technical problem, the Gateway-based security Gateway provided by the invention comprises: step one, writing a custom processor so that the Gateway can be used in a microservice architecture while performing global security processing, which reduces redundancy in back-end service code, provides a uniform return data type for back-end services and lets the front end integrate more quickly;
step two, when the Gateway starts the signature verification function, verifying the interface data of the request;
step three, when the Gateway starts the interface encryption and decryption function, decrypting the requested parameters and encrypting the returned content;
and step four, when the Gateway starts the interface authentication function, the request is authenticated.
In a further aspect of the invention, the custom processor comprises a signature processor, an interface encryption and decryption processor and an authentication processor.
In a further aspect of the invention, the second step is specifically as follows:
(1) looking up the AppSecret issued for the AppKey parameter of the requested interface, and adding the AppSecret to the parameter pairs;
(2) caching the signature carried in the parameters, deleting it from the parameter pairs, and then ordering the remaining parameter pairs in the request parameter order;
(3) computing the MD5 digest of the ordered parameters and comparing it with the cached signature; if they match, the request is considered valid, otherwise it is treated as an illegal request and rejected.
In a further aspect of the invention, the third step is specifically as follows:
(1) decrypting the Key parameter of the requested interface with the RSA private key;
(2) using the decrypted AES key to decrypt the Data, then continuing with the request;
(3) after receiving the content returned by the downstream service, generating a random AES key, encrypting the data with it, encrypting the AES key with the RSA public key, and returning the encrypted key and data to the interface caller.
In a further aspect of the invention, the fourth step is specifically as follows:
(1) reading the Token carrying the authorization information from the Header of the requested interface;
(2) obtaining the login information for that Token, resolving the logged-in user's permissions, comparing the address of the currently requested interface against those permissions, and rejecting the request if the current user is not permitted to access the interface.
Compared with the related art, the Gateway-based security Gateway provided by the invention has the following beneficial effects:
1. it adds signature verification, interface request decryption and return-content encryption on top of Spring Cloud Gateway, implementing the security function at the Gateway without implementing it in the service system;
2. it achieves global security processing through custom processors, can be used in microservice projects, and requires only Spring Cloud Gateway in those projects, which greatly reduces the amount of code written for each back-end service, reduces code development and maintenance work, eases the integration of interfaces between front end and back end, and reduces the difficulty of joint debugging.
Drawings
In order to facilitate understanding for those skilled in the art, the present invention will be further described with reference to the accompanying drawings.
Fig. 1 is a data flow diagram for encrypting and decrypting an interface back end based on a Gateway according to an embodiment of the present invention.
Detailed Description
Please refer to fig. 1, which is a data flow diagram of interface back-end encryption and decryption based on a Gateway according to an embodiment of the invention. The Gateway-based security Gateway comprises: step one, writing a custom processor so that the Gateway can be used in a microservice architecture while performing global security processing, which reduces redundancy in back-end service code, provides a uniform return data type for back-end services and lets the front end integrate more quickly;
step two, when the Gateway starts the signature verification function, verifying the interface data of the request;
step three, when the Gateway starts the interface encryption and decryption function, decrypting the requested parameters and encrypting the returned content;
and step four, when the Gateway starts the interface authentication function, the request is authenticated.
The custom processor comprises a signature processor, an interface encryption and decryption processor and an authentication processor.
The second step is as follows:
(1) looking up the AppSecret issued for the AppKey parameter of the requested interface, and adding the AppSecret to the parameter pairs;
(2) caching the signature carried in the parameters, deleting it from the parameter pairs, and then ordering the remaining parameter pairs in the request parameter order;
(3) computing the MD5 digest of the ordered parameters and comparing it with the cached signature; if they match, the request is considered valid, otherwise it is treated as an illegal request and rejected.
The third step is as follows:
(1) decrypting the Key parameter of the requested interface with the RSA private key;
(2) using the decrypted AES key to decrypt the Data, then continuing with the request;
(3) after receiving the content returned by the downstream service, generating a random AES key, encrypting the data with it, encrypting the AES key with the RSA public key, and returning the encrypted key and data to the interface caller.
The fourth step is as follows:
(1) reading the Token carrying the authorization information from the Header of the requested interface;
(2) obtaining the login information for that Token, resolving the logged-in user's permissions, comparing the address of the currently requested interface against those permissions, and rejecting the request if the current user is not permitted to access the interface.
The invention achieves global security processing through custom processors, can be used in microservice projects, and requires only Spring Cloud Gateway in those projects, which greatly reduces the amount of code written for each back-end service, reduces code development and maintenance work, eases the integration of interfaces between front end and back end, and reduces the difficulty of joint debugging.
Example 1
A Gateway-based security Gateway (as shown in fig. 1) is built by the following steps:
S1. Create a Spring Boot project for the Gateway, specifically:
(1) first build the Spring Boot project and manage it with the Maven or Gradle tool;
(2) add the gateway dependency to the Spring Boot project: spring-cloud-starter-gateway;
(3) remove the web dependency after adding the gateway dependency, so as to avoid unnecessary exceptions;
(4) after adding the dependency, add the configuration file of the Spring Boot project and set the project port number and project name in it.
S2. Create a filter folder in the Spring Boot project, an encrypt folder under the filter folder, and a RequestDecryptFilter class under the encrypt folder that implements GlobalFilter and Ordered. Its filter method, implementing GlobalFilter, is as follows:
(1) first check in the filter method whether the encryption and decryption function is enabled; if not, pass the exchange straight on to the filter chain.
(2) Take the exchange parameter, obtain the ServerHttpRequest of the current request, and check whether its HttpMethod is POST or PUT; if not, pass the exchange straight on to the filter chain.
(3) Take the request path of the current request and check whether it is configured as not requiring decryption; if so, pass the exchange straight on to the filter chain.
(4) Call ServerRequest.bodyToMono(String.class) to read the body Data of the request and convert it into a RequestDTO object whose fields are the RSA-encrypted AES key (Key) and the encrypted Data; first decrypt Key with the RSA private key to obtain the AES key, then decrypt Data with that AES key to obtain the plaintext request parameters, and reassemble them into the buffer with BodyInserters.
S3. Create a ResponseEncryptFilter class under the encrypt folder of the Spring Boot project, implementing GlobalFilter and Ordered. Its filter method, implementing GlobalFilter, is as follows:
(1) first check in the filter method whether the encryption and decryption function is enabled; if not, pass the exchange straight on to the filter chain.
(2) Take the exchange parameter and obtain the ServerHttpRequest of the current request; then take the request path and check whether it is configured as not requiring encryption; if so, pass the exchange straight on to the filter chain.
(3) Take the ServerHttpResponse from the ServerWebExchange, read the Data from its buffer and convert it to a String, which is the plaintext return content.
(4) Generate a random 32-character string with the RandomUtil random-string helper as the AES key, encrypt the Data with that key, encrypt the key with the RSA public key, reassemble the encrypted Key and Data into the buffer, and return Key and Data to the interface caller.
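The third step of the disclosure and steps S2 and S3 above describe one envelope: an AES key wrapped with RSA in Key, and the payload encrypted under that key in Data. The following Java example is added here and is not the patent's or Spring Cloud Gateway's code; it works that envelope through in both directions with the JDK's own javax.crypto and needs no Spring classes. The page fixes neither the AES mode, the RSA padding, the encoding of Key and Data, nor whose key pair is used, so the example assumes AES-GCM, RSA-OAEP, Base64, and two key pairs: the gateway's, whose private key opens requests, and the caller's, whose public key seals responses so that only the caller can read them.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.SecureRandom;
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;

/** Request/response envelope of RequestDecryptFilter and ResponseEncryptFilter (added illustration). */
public class EnvelopeCrypto {
    /** The RequestDTO shape: Key = RSA-wrapped AES key, Data = AES ciphertext. Base64 text is assumed. */
    public record Envelope(String key, String data) {}

    private static final String RSA = "RSA/ECB/OAEPWithSHA-256AndMGF1Padding"; // padding assumed; page says only RSA
    private static final String AES = "AES/GCM/NoPadding";                     // mode assumed; page says only AES
    private static final int IV_LEN = 12, TAG_BITS = 128;
    private static final String ALNUM = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";
    private static final SecureRandom RNG = new SecureRandom();

    /** 32-character random string used as the AES-256 key (about 190 bits of entropy over this alphabet). */
    static byte[] randomAesKey() {
        StringBuilder sb = new StringBuilder(32);
        for (int i = 0; i < 32; i++) sb.append(ALNUM.charAt(RNG.nextInt(ALNUM.length())));
        return sb.toString().getBytes(StandardCharsets.US_ASCII);
    }

    /** Encrypt the payload under a fresh AES key and wrap that key for the recipient's RSA public key. */
    public static Envelope seal(byte[] plaintext, PublicKey recipient) throws GeneralSecurityException {
        byte[] aesKey = randomAesKey();
        byte[] iv = new byte[IV_LEN];
        RNG.nextBytes(iv);                                  // fresh IV per message; never reused with a key
        Cipher aes = Cipher.getInstance(AES);
        aes.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(aesKey, "AES"), new GCMParameterSpec(TAG_BITS, iv));
        byte[] ct = aes.doFinal(plaintext);
        byte[] ivCt = new byte[IV_LEN + ct.length];         // Data = IV || ciphertext || GCM tag
        System.arraycopy(iv, 0, ivCt, 0, IV_LEN);
        System.arraycopy(ct, 0, ivCt, IV_LEN, ct.length);
        Cipher rsa = Cipher.getInstance(RSA);
        rsa.init(Cipher.ENCRYPT_MODE, recipient);
        Base64.Encoder b64 = Base64.getEncoder();
        return new Envelope(b64.encodeToString(rsa.doFinal(aesKey)), b64.encodeToString(ivCt));
    }

    /** Unwrap the AES key with one's own RSA private key, then decrypt Data; tampering fails the tag check. */
    public static byte[] open(Envelope env, PrivateKey own) throws GeneralSecurityException {
        Cipher rsa = Cipher.getInstance(RSA);
        rsa.init(Cipher.DECRYPT_MODE, own);
        byte[] aesKey = rsa.doFinal(Base64.getDecoder().decode(env.key()));
        byte[] ivCt = Base64.getDecoder().decode(env.data());
        Cipher aes = Cipher.getInstance(AES);
        aes.init(Cipher.DECRYPT_MODE, new SecretKeySpec(aesKey, "AES"),
                 new GCMParameterSpec(TAG_BITS, ivCt, 0, IV_LEN));
        return aes.doFinal(ivCt, IV_LEN, ivCt.length - IV_LEN); // throws AEADBadTagException if altered
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair gateway = gen.generateKeyPair();   // private key stays in the gateway (request direction)
        KeyPair caller = gen.generateKeyPair();    // private key stays with the caller (response direction)

        // Caller -> gateway: a RequestDTO with Key and Data (constructed sample body).
        Envelope request = seal("{\"orderId\":1001}".getBytes(StandardCharsets.UTF_8), gateway.getPublic());
        String plainBody = new String(open(request, gateway.getPrivate()), StandardCharsets.UTF_8);
        System.out.println("gateway forwards downstream: " + plainBody);

        // Gateway -> caller: the downstream plaintext response re-sealed for the caller.
        Envelope response = seal("{\"status\":\"ok\"}".getBytes(StandardCharsets.UTF_8), caller.getPublic());
        System.out.println("caller reads: " + new String(open(response, caller.getPrivate()), StandardCharsets.UTF_8));
    }
}
```

If a single key pair were used for both directions, the caller would need the gateway's private key to read responses, so the response key must be one whose private half only the caller holds.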
S4. Create a signature folder under the filter folder in the Spring Boot project, and a PresignatureFilter class under the signature folder that implements GlobalFilter and Ordered. Its filter method, implementing GlobalFilter, is as follows:
(1) first check in the filter method whether the signature verification function is enabled; if not, pass the exchange straight on to the filter chain.
(2) If the current request is a POST or PUT method, take the parameter pairs from the Body; otherwise take the request parameter pairs from the URI.
(3) Take the sign parameter from the parameter pairs; if there is no sign, return a signature verification failure.
(4) Take the appkey parameter from the parameter pairs, look up the appSecret configured in the system for that appkey, insert the appSecret into the parameter pairs, sort them by parameter name, assemble them into a string and take its MD5; compare that MD5 with the sign obtained earlier: if they match, the signature is consistent, otherwise return a signature verification failure.
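Step two of the disclosure and step S4 above describe the same check. The Java example below is added here and is not the patent's or the project's code; it implements the check as plain Java outside the filter, computing the caller's sign and the gateway's verification of it. It assumes the canonical string is name=value pairs joined with & in parameter-name order, a constructed appkey/appSecret table, and lower-case hex MD5, since the page specifies MD5 but none of those details.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.HexFormat;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.TreeMap;

/** Signature check of the PresignatureFilter as plain Java (added illustration, not the patent's code). */
public class SignatureCheck {
    // Constructed AppKey -> AppSecret table; in the gateway this comes from system configuration.
    private static final Map<String, String> APP_SECRETS = Map.of("demo-app", "demo-secret-assumed");

    /** Canonical string "name=value&name=value" in parameter-name order (assumed; the page fixes only the ordering). */
    static String canonical(TreeMap<String, String> sorted) {
        StringBuilder sb = new StringBuilder();
        sorted.forEach((k, v) -> sb.append(sb.length() == 0 ? "" : "&").append(k).append('=').append(v));
        return sb.toString();
    }

    static String md5Hex(String s) throws NoSuchAlgorithmException {
        byte[] d = MessageDigest.getInstance("MD5").digest(s.getBytes(StandardCharsets.UTF_8));
        return HexFormat.of().formatHex(d);
    }

    /** Caller side: sign over all parameters plus the appSecret, with sign itself excluded. */
    public static String sign(Map<String, String> params, String appSecret) throws NoSuchAlgorithmException {
        TreeMap<String, String> sorted = new TreeMap<>(params);   // TreeMap gives parameter-name order
        sorted.remove("sign");
        sorted.put("appSecret", appSecret);
        return md5Hex(canonical(sorted));
    }

    /** Gateway side (step S4): true = signature consistent, false = illegal request, reject. */
    public static boolean verify(Map<String, String> params) throws NoSuchAlgorithmException {
        String sign = params.get("sign");
        if (sign == null) return false;                           // (3) no sign parameter -> verification fails
        String appKey = params.get("appkey");
        String secret = appKey == null ? null : APP_SECRETS.get(appKey);
        if (secret == null) return false;                         // (4) unknown appkey -> nothing to check against
        String expected = sign(params, secret);                   // (4) insert appSecret, sort, assemble, MD5
        // Constant-time comparison so the check does not leak how many leading characters matched.
        return MessageDigest.isEqual(expected.getBytes(StandardCharsets.US_ASCII),
                                     sign.toLowerCase().getBytes(StandardCharsets.US_ASCII));
    }

    public static void main(String[] args) throws Exception {
        Map<String, String> req = new LinkedHashMap<>();        // constructed request parameters
        req.put("appkey", "demo-app");
        req.put("orderId", "1001");
        req.put("amount", "25.00");
        req.put("sign", sign(req, "demo-secret-assumed"));      // what a legitimate caller sends
        System.out.println("valid request   -> " + verify(req)); // true
        req.put("amount", "0.01");                               // parameter changed after signing
        System.out.println("altered request -> " + verify(req)); // false
        req.remove("sign");
        System.out.println("missing sign    -> " + verify(req)); // false
    }
}
```

The scheme as described carries no timestamp or nonce, so a correctly signed request verifies again whenever it is resent unchanged; deployments normally add one and reject stale values.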
S5. Create an authentication folder under the filter folder in the Spring Boot project, and an AccessManager class under the authentication folder that implements ReactiveAuthorizationManager and Ordered. Its verify method, implementing ReactiveAuthorizationManager, is as follows:
(1) check in the verify method whether the authentication function is enabled; if not, return a Mono directly.
(2) Take the permission list from the Authentication parameter and look up whether the address of the currently requested interface is in that list; if it is not, the current user is not permitted to access the interface and the request is rejected.
The above description covers only the preferred embodiment of the invention, and the scope of the invention is not limited to it; any modification or substitution that a person skilled in the art can readily conceive within the technical scope disclosed here, based on the technical solutions and inventive concept of the invention, falls within the scope of protection of the invention.

Claims (5)

1. A Gateway-based security Gateway, comprising:
step one, writing a custom processor so that the Gateway can be used in a microservice architecture while performing global security processing, which reduces redundancy in back-end service code, provides a uniform return data type for back-end services and lets the front end integrate more quickly;
step two, when the Gateway starts the signature verification function, verifying the interface data of the request;
step three, when the Gateway starts the interface encryption and decryption function, decrypting the requested parameters and encrypting the returned content;
and step four, when the Gateway starts the interface authentication function, authenticating the request.
2. The Gateway-based security Gateway of claim 1, wherein the custom processor comprises a signature processor, an interface encryption and decryption processor and an authentication processor.
3. The Gateway-based security Gateway of claim 1, wherein the second step is as follows:
(1) looking up the AppSecret issued for the AppKey parameter of the requested interface, and adding the AppSecret to the parameter pairs;
(2) caching the signature carried in the parameters, deleting it from the parameter pairs, and then ordering the remaining parameter pairs in the request parameter order;
(3) computing the MD5 digest of the ordered parameters and comparing it with the cached signature; if they match, the request is considered valid, otherwise it is treated as an illegal request and rejected.
4. The Gateway-based security Gateway of claim 1, wherein the third step is as follows:
(1) decrypting the Key parameter of the requested interface with the RSA private key;
(2) using the decrypted AES key to decrypt the Data, then continuing with the request;
(3) after receiving the content returned by the downstream service, generating a random AES key, encrypting the data with it, encrypting the AES key with the RSA public key, and returning the encrypted key and data to the interface caller.
5. The Gateway-based security Gateway of claim 1, wherein the fourth step is as follows:
(1) reading the Token carrying the authorization information from the Header of the requested interface;
(2) obtaining the login information for that Token, resolving the logged-in user's permissions, comparing the address of the currently requested interface against those permissions, and rejecting the request if the current user is not permitted to access the interface.

Bibliographic data

Application number: CN202211675801.9A
Priority date: 2022-12-26
Filing date: 2022-12-26
Publication: CN115987645A (en), published 2023-04-18, status Pending
Family ID: 85971826
Country status: CN, CN115987645A (en)

Legal Events

Code Title
PB01 Publication
SE01 Entry into force of request for substantive examination