WO2018121249A1 - Ssl protocol-based access control method and device - Google Patents


Info

Publication number
WO2018121249A1
Authority
WO
WIPO (PCT)
Prior art keywords
terminal
access request
authentication
certificate
server
Prior art date
Application number
PCT/CN2017/115713
Other languages
French (fr)
Chinese (zh)
Inventor
王琪
Original Assignee
中国银联股份有限公司
Priority date
Filing date
Publication date
Application filed by 中国银联股份有限公司
Publication of WO2018121249A1

Classifications

    • H: Electricity
        • H04: Electric communication technique
            • H04L: Transmission of digital information, e.g. telegraphic communication
                • H04L63/00: Network architectures or network communication protocols for network security
                    • H04L63/08: ... for authentication of entities
                        • H04L63/0823: ... for authentication of entities using certificates
                        • H04L63/0869: ... for authentication of entities for achieving mutual authentication
                    • H04L63/10: ... for controlling access to devices or network resources
                    • H04L63/16: Implementing security features at a particular protocol layer
                        • H04L63/166: ... at the transport layer

Definitions

  • the embodiments of the present invention relate to the field of communications technologies, and in particular, to an access control method and apparatus based on an SSL protocol.
  • SSL Secure Sockets Layer
  • TCP Transmission Control Protocol
  • SSL Handshake Protocol: runs on top of the SSL record protocol and authenticates the peers, negotiates the encryption algorithms, and exchanges keys before application data is transmitted.
  • The SSL protocol supports two authentication modes: one-way authentication and two-way authentication.
  • In one-way authentication the server presents a digital certificate to the client and the client verifies the server.
  • In two-way authentication the client and the server each present a digital certificate to the other and each verifies the other's certificate.
  • In existing systems a server (one IP address and port) that provides SSL services externally mostly uses a single authentication method, either one-way authentication or two-way authentication.
  • An authentication system therefore has to be set up separately for each authentication method, and resources are used inefficiently.
  • The embodiments of the invention provide an SSL protocol-based access control method and device that address this problem of the prior art: a separate authentication system is needed for each authentication mode, and resource utilization is low.
  • The SSL protocol-based access control method includes: an ingress server receives an access request sent by a terminal; the ingress server determines the Secure Sockets Layer (SSL) authentication mode corresponding to the access request; if the mode is two-way authentication, then after two-way authentication with the terminal has passed, the ingress server adds the terminal's identification information to the access request and sends it to the background server, and the background server determines the terminal's access rights according to whether the access request carries the terminal's identification information.
  • Two-way authentication between the ingress server and the terminal includes: the ingress server sends its own certificate to the terminal and receives the terminal's authentication result for the ingress server; the ingress server sends a certificate request to the terminal; the ingress server receives the terminal certificate sent by the terminal, which carries the terminal's identification information; the ingress server completes authentication of the terminal according to the terminal certificate.
  • The terminal certificate is obtained as follows: the terminal generates a certificate signing request (CSR) file from the terminal's identification information; the terminal sends the CSR to a certificate authority, which generates the terminal certificate from the CSR; the terminal receives the terminal certificate from the certificate authority.
  • Determining the SSL authentication mode corresponding to the access request includes: the ingress server receives the access request sent by the terminal, the access request carrying a port number; the ingress server determines from the port number whether the SSL authentication mode corresponding to the access request is two-way authentication or one-way authentication.
  • Receiving the access request includes the ingress server receiving an HTTPS request sent by the terminal. Adding the terminal's identification information and forwarding the request includes: the ingress server converts the HTTPS request into an HTTP request and inserts the terminal's identification information into the header of the HTTP request; the ingress server sends the HTTP request carrying the identification information to the background server.
  • An embodiment of the invention further provides an SSL authentication-based access control method on the background server side: the background server receives an access request sent by the ingress server; the background server determines the SSL authentication mode corresponding to the access request according to whether the access request carries the terminal's identification information; the background server verifies the terminal according to that SSL authentication mode; after the terminal passes verification, the background server processes the access request and sends the processing result to the ingress server.
  • Verifying the terminal according to the SSL authentication mode includes: if the mode is one-way authentication, the access request carries the terminal's login account and password, and the background server verifies whether the login account and password match; if the mode is two-way authentication, the header of the access request carries the terminal's identification information, and the background server verifies whether that identification information is already registered.
  • An embodiment of the invention provides an SSL protocol-based access control device including: an ingress transceiver module configured to receive an access request sent by a terminal; an ingress authentication module configured to determine the SSL authentication mode corresponding to the access request; and an ingress processing module configured, when the mode is two-way authentication, to add the terminal's identification information to the access request after two-way authentication has passed. The ingress transceiver module is further configured to send the access request to the background server, which determines the terminal's access rights according to whether the access request carries the terminal's identification information.
  • The ingress transceiver module is specifically configured to: send the ingress server's certificate to the terminal and receive the terminal's authentication result for the ingress server; send a certificate request to the terminal; and receive the terminal certificate sent by the terminal, which carries the terminal's identification information. The ingress processing module is specifically configured to complete authentication of the terminal according to the terminal certificate.
  • the terminal certificate is obtained by: the terminal generating a certificate request CSR file according to the identifier information of the terminal; the terminal sending the CSR to a certificate authority, The certificate issuing authority generates the terminal certificate according to the CSR; the terminal receives the terminal certificate sent by the certificate issuing authority.
  • The access request carries a port number, and the ingress authentication module is configured to determine from the port number whether the SSL authentication mode corresponding to the access request is two-way authentication or one-way authentication.
  • The ingress transceiver module is configured to receive an HTTPS request sent by the terminal; the ingress processing module is specifically configured to convert the HTTPS request into an HTTP request and insert the terminal's identification information into the header of the HTTP request; the ingress transceiver module is configured to send the HTTP request carrying the identification information to the background server.
  • an embodiment of the present invention provides an access control apparatus based on SSL authentication, including:
  • a background transceiver module configured to receive an access request sent by the portal server
  • a background authentication module configured to determine an SSL authentication mode corresponding to the access request according to whether the access request includes the identifier information of the terminal;
  • a background processing module configured to perform verification on the terminal according to an SSL authentication manner corresponding to the access request
  • the background processing module is further configured to process the access request after the terminal passes verification;
  • the background transceiver module is further configured to send a processing result to the portal server.
  • The background processing module is specifically configured to: if the SSL authentication mode corresponding to the access request is one-way authentication, in which case the access request carries the terminal's login account and password, verify whether the login account and password match; if the mode is two-way authentication, in which case the header of the access request carries the terminal's identification information, verify whether that identification information is already registered.
  • An embodiment of the application provides an electronic device including a transceiver, a processor, a memory and a communication interface, which are connected through a bus;
  • the transceiver is configured to receive an access request sent by the terminal and to send the access request to a background server, which determines the terminal's access rights according to whether the access request carries the terminal's identification information;
  • the processor is configured to read a program in the memory and perform the following methods:
  • the memory is configured to store one or more executable programs, and may store data used by the processor when performing operations.
  • Another embodiment of the application provides an electronic device including a transceiver, a processor, a memory and a communication interface, which are connected through a bus;
  • the transceiver is configured to receive an access request sent by an ingress server, and send a processing result to the ingress server;
  • the processor is configured to read a program in the memory, and execute the following method:
  • the memory is configured to store one or more executable programs, and may store data used by the processor when performing operations.
  • An embodiment of the application provides a non-transitory computer-readable storage medium storing computer instructions that cause a computer to perform the method of the first aspect or any possible implementation of the first aspect, or the method of the second aspect or any possible implementation of the second aspect.
  • An embodiment of the application provides a computer program product including a computer program stored on a non-transitory computer-readable storage medium; the computer program includes program instructions which, when executed by a computer, cause the computer to perform the method of the first aspect or any possible implementation of the first aspect, or the method of the second aspect or any possible implementation of the second aspect.
  • In summary, the ingress server receives the access request sent by the terminal and determines from the access request whether the corresponding SSL authentication mode is two-way authentication or one-way authentication. If it is two-way authentication, the ingress server and the terminal authenticate each other; after two-way authentication passes, the ingress server adds the terminal's identification information to the access request and sends the access request carrying that information to the background server. Two-way authentication gives stronger assurance of the terminal's identity than one-way authentication, so access requests under the two modes are granted different permissions.
  • The background server can determine the SSL authentication mode used between the terminal and the ingress server from whether the access request carries the terminal's identification information, and from that determine the terminal's access rights.
  • The SSL two-way authentication system and the SSL one-way authentication system can thus be deployed on the same background server (one IP address and port), which makes the background server's handling of access requests more flexible, saves server resources, and removes the need for separate authentication systems.
  • FIG. 1 is a schematic diagram of a system architecture to which an embodiment of the present invention is applied;
  • FIG. 2 is a flowchart of an access control method based on an SSL protocol according to an embodiment of the present invention
  • FIG. 3 is a flowchart of an SSL-based access control method in which an SSL authentication mode is one-way authentication according to Embodiment 1 of the present invention
  • FIG. 4 is a flowchart of an SSL-based access control method in which the SSL authentication mode is two-way authentication according to Embodiment 2 of the present invention
  • FIG. 5 is a schematic structural diagram of an access control apparatus based on an SSL protocol according to an embodiment of the present invention.
  • FIG. 6 is a schematic structural diagram of another access control apparatus based on an SSL protocol according to an embodiment of the present invention.
  • FIG. 7 is a schematic structural diagram of an electronic device according to an embodiment of the present disclosure.
  • FIG. 8 is a schematic structural diagram of an electronic device according to an embodiment of the present application.
  • a system architecture applicable to an embodiment of the present invention includes a terminal 101, an ingress server 102, and a background server 103.
  • the terminal 101 may be an electronic device with a wireless communication function, such as a mobile phone, a tablet computer, or a dedicated handheld device, or may be a device connected to the Internet by a wired access method such as a personal computer (PC), a notebook computer, or a server.
  • The ingress server 102 can be a network device such as a computer.
  • In one embodiment the ingress server 102 is an F5 server that provides the Internet access entry points and load-balances across them.
  • The different SSL authentication modes may be handled by different ingress servers 102, i.e. one ingress server 102 handles one-way authentication and another ingress server 102 handles two-way authentication; or by different ports of the same ingress server 102, i.e. one port of the ingress server 102 handles one-way authentication and another port of the same ingress server 102 handles two-way authentication.
  • The background server 103 can be a stand-alone device or a cluster of several servers that processes the access requests sent by terminals. If the background server 103 consists of several servers, the application system deployed on each of them is identical, i.e. each background server can process both the access requests corresponding to two-way authentication and those corresponding to one-way authentication.
  • the portal server 102 and the background server 103 can employ cloud computing technology for information processing.
  • The terminal 101 can communicate with the ingress server 102 over the Internet, or over a mobile communication system such as a Global System for Mobile Communications (GSM) or Long Term Evolution (LTE) system.
  • GSM Global System for Mobile Communications
  • LTE Long Term Evolution
  • FIG. 2 is a schematic flowchart diagram of an access control method based on the SSL protocol provided by an embodiment of the present invention.
  • The SSL protocol-based access control method provided by an embodiment of the invention includes the following steps:
  • Step 201 The ingress server receives an access request sent by the terminal.
  • Step 202 The ingress server determines a secure socket layer SSL authentication mode corresponding to the access request.
  • Step 203: if the mode is two-way authentication, then after two-way authentication with the terminal has passed, the ingress server adds the terminal's identification information to the access request and sends it to the background server, which determines the terminal's access rights according to whether the access request carries the terminal's identification information.
  • When a user browses or manages network resources, the browser on the terminal sends an access request to the server, and the server replies to the terminal with the information requested in the access request.
  • The information exchanged between the terminal's browser and the server may be carried over HTTP (Hypertext Transfer Protocol).
  • HTTP Hypertext Transfer Protocol
  • Adding the SSL protocol to HTTP turns HTTP into HTTPS (Hypertext Transfer Protocol over Secure Sockets Layer).
  • the portal server receives the access request sent by the terminal, including:
  • the portal server receives an https request sent by the terminal.
  • HTTP is a standard for requesting and responding between a client and a server.
  • the client is installed on the terminal, and the server can be a website.
  • the client initiates an HTTP request to the specified port on the server.
  • Resources are stored on the server, such as HTML (HyperText Markup Language) files and images.
  • a request is initiated by the client to establish a TCP connection to the server's designated port.
  • the HTTP server listens on the port for requests sent by the client. After processing the received request, the server replies with a response message to the client, and the content of the response message may be a file requested by the client, an error message, or some other information.
  • HTTP sends messages in clear text and provides no data encryption, so its security is very low: an attacker who intercepts a message between the browser and the server can read it directly.
  • HTTPS Hypertext Transfer Protocol over Secure Sockets Layer
  • SSL relies on digital certificates to verify the identity of the server or client and encrypt the communication between the client and the server.
  • After the ingress server receives the access request sent by the terminal, since the access request is based on HTTPS, the ingress server must determine from the access request how the digital certificates are to be authenticated.
  • Digital certificate authentication has two modes, two-way authentication and one-way authentication, and the ingress server needs a digital certificate configured for each mode.
  • The digital certificate for two-way authentication and the digital certificate for one-way authentication can be configured on different ingress servers, so that one ingress server only handles access requests corresponding to two-way authentication and the other only handles access requests corresponding to one-way authentication.
  • Access requests of the different authentication modes are then routed to the corresponding ingress server by IP address or by domain name: an access request corresponding to two-way authentication is sent to the IP address of the ingress server that handles two-way authentication;
  • an access request corresponding to one-way authentication is sent to the IP address of the ingress server that handles one-way authentication.
  • Alternatively, the digital certificates for both two-way and one-way authentication are configured on a single ingress server, and the authentication mode of an access request is distinguished by port.
  • the ingress server determines the SSL authentication mode corresponding to the access request, including:
  • the ingress server receives the access request sent by the terminal, the access request carrying a port number;
  • the ingress server determines, according to the port number, that the SSL authentication mode corresponding to the access request is two-way authentication or one-way authentication.
  • The server or port for two-way authentication differs from the server or port for one-way authentication. That is, if the client's authentication mode is two-way authentication, the access request initiated by the client is sent directly to the server or port for two-way authentication; if the client's authentication mode is one-way authentication, the access request is sent to the server or port for one-way authentication. Therefore, when a single ingress server receives an access request from the terminal, it can determine the SSL authentication mode corresponding to the access request from the port number carried in the request.
  • After determining whether the SSL authentication mode is two-way or one-way authentication, the ingress server performs SSL authentication with the client.
  • The ingress server performing two-way authentication with the terminal includes:
  • the ingress server sends its own certificate to the terminal and receives the terminal's authentication result for the ingress server;
  • the ingress server sends a certificate request to the terminal;
  • the ingress server completes authentication of the terminal according to the terminal certificate.
  • When the ingress server determines that the authentication mode corresponding to the terminal's access request is two-way authentication, it sends its own certificate to the terminal; the terminal verifies the ingress server's certificate and continues only if verification succeeds. Because the mode is two-way authentication, the ingress server then sends the terminal a request for the terminal's certificate. After receiving the terminal certificate, the ingress server verifies it, which completes SSL two-way authentication between the ingress server and the terminal.
  • In one-way authentication the ingress server only needs to send its own digital certificate to the terminal so that the client can verify it; the terminal does not send a certificate to the ingress server.
  • The difference between the two SSL authentication modes is therefore that in two-way authentication the terminal sends its certificate to the server, while in one-way authentication it does not. In the embodiment of the invention, the terminal's identification information is carried in the terminal certificate that is sent to the ingress server during two-way authentication; the ingress server adds the identification information obtained from the certificate to the access request it forwards to the background server, so the background server can read the terminal's identification information from an access request that corresponds to two-way authentication.
  • In one-way authentication the ingress server sends its certificate to the terminal and the terminal does not need to send its certificate to the ingress server, so the ingress server obtains no identification information for the terminal; hence, under one-way authentication, the access request that the ingress server sends to the background server does not carry the terminal's identification information.
  • The background server can therefore determine whether the authentication mode corresponding to an access request is two-way or one-way authentication from whether the request carries the terminal's identification information, and from that determine the permissions of the access request.
  • The terminal generates a CSR file from the terminal's identification information;
  • the terminal receives the terminal certificate sent by the certificate authority.
  • Specifically, the terminal generates a private key file and a CSR (Certificate Signing Request) file using a unique identifier of the terminal, such as its MAC address or serial number, and sends the CSR file to the certificate authority.
  • The certificate authority signs the CSR with the certificate authority's private key, producing the certificate (public-key file) issued to the terminal, and sends this terminal certificate back to the terminal; the terminal certificate can then be used to authenticate the terminal.
  • The terminal certificate carries the terminal's identification information. When the terminal sends its certificate to the ingress server, the ingress server can read the identification information from the certificate and add it to the access request.
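  • The certificate flow of the three preceding paragraphs (terminal builds a CSR carrying its identifier, the CA signs it, the ingress server verifies the resulting certificate and reads the identifier out of it), written as an added Go example using only the standard library. This is not code from the patent or from its assignee; the page names no certificate field for the identifier, so the example assumes the subject Common Name, and the self-signed CA, the sample identifier "TERM-0001" and the validity periods are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// TerminalCSR is the terminal's step: generate a private key and a CSR whose
// subject Common Name carries the terminal identifier (field is an assumption).
func TerminalCSR(terminalID string) (*ecdsa.PrivateKey, []byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.CertificateRequest{Subject: pkix.Name{CommonName: terminalID}}
	csrDER, err := x509.CreateCertificateRequest(rand.Reader, tmpl, key)
	return key, csrDER, err
}

// CA is the certificate authority's certificate and signing key.
type CA struct {
	Cert *x509.Certificate
	Key  *ecdsa.PrivateKey
}

// NewCA builds a throwaway self-signed CA for the example.
func NewCA() (*CA, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Terminal CA"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &CA{Cert: cert, Key: key}, nil
}

// Issue is the CA's step: check the CSR's proof of possession, refuse a CSR
// without an identifier, and sign a certificate restricted to client auth.
func (ca *CA) Issue(csrDER []byte) ([]byte, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil {
		return nil, fmt.Errorf("CSR signature invalid: %w", err)
	}
	if csr.Subject.CommonName == "" {
		return nil, errors.New("CSR carries no terminal identifier")
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      csr.Subject, // identifier is copied from the CSR
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	return x509.CreateCertificate(rand.Reader, tmpl, ca.Cert, csr.PublicKey, ca.Key)
}

// IngressVerify is the ingress server's step: accept the terminal certificate only
// if it is an end-entity certificate that chains to the trusted CA and is valid for
// client authentication, then return the identifier to forward to the background server.
func IngressVerify(certDER []byte, trusted *x509.Certificate) (string, error) {
	cert, err := x509.ParseCertificate(certDER)
	if err != nil {
		return "", err
	}
	if cert.IsCA {
		return "", errors.New("CA certificate presented as a terminal certificate")
	}
	roots := x509.NewCertPool()
	roots.AddCert(trusted)
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil {
		return "", fmt.Errorf("terminal certificate rejected: %w", err)
	}
	return cert.Subject.CommonName, nil
}

func main() {
	ca, err := NewCA()
	if err != nil {
		panic(err)
	}
	_, csr, _ := TerminalCSR("TERM-0001") // constructed sample identifier
	cert, err := ca.Issue(csr)
	if err != nil {
		panic(err)
	}
	fmt.Println(IngressVerify(cert, ca.Cert))
}
```

  • The identifier the ingress server forwards is taken from the verified certificate only; a chain failure, a CSR with an empty identifier, or a CA certificate offered as a terminal certificate all produce an error rather than an identifier.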
  • The ingress server adding the terminal's identification information to the access request and sending it to the background server includes:
  • the ingress server converts the HTTPS request into an HTTP request and inserts the terminal's identification information into the header of the HTTP request;
  • the ingress server sends the HTTP request carrying the identification information to the background server.
  • HTTPS is a more secure communication protocol than HTTP, but it requires the background server to process the peer's certificate, which increases the background server's workload. In this embodiment the connection between the ingress server and the background server is an intranet connection that is regarded as already secure, so that communication is not encrypted; the ingress server therefore converts the HTTPS request into an HTTP request before sending it to the background server. At the same time, if the authentication mode corresponding to the access request is two-way authentication, the ingress server adds the terminal's identification information to the HTTP request, so that the background server can determine from the identification information in the access request that the authentication mode is two-way authentication.
  • after receiving the access request, the background server processes it according to the authentication mode corresponding to the access request; specifically:
  • the background server receives the access request sent by the portal server;
  • the background server verifies the terminal according to the SSL authentication mode corresponding to the access request;
  • after the terminal passes verification, the background server processes the access request and sends the processing result to the portal server.
  • the SSL authentication mode is either two-way authentication or one-way authentication.
  • the background server performs a different verification of the terminal depending on the authentication mode of the access request.
  • if the SSL authentication mode corresponding to the access request is one-way authentication, the access request includes the login account and password of the terminal, and the background server verifies whether the login account and the password match.
  • the background server verifies that the login account and password carried in the access request are correct and match each other, and returns the processing result toward the source address of the request.
  • if the SSL authentication mode corresponding to the access request is two-way authentication, the packet header of the access request includes the identification information of the terminal, and the background server verifies whether that identification information has been registered.
  • the background server registers the identification information of each terminal in advance. When a terminal sends an access request, the background server checks whether the identification information carried in the request is stored in its registry; if so, the access request passes verification, otherwise it fails.
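The background-server side of the scheme above (infer the mode from the presence of the identification header, then check either the account/password pair or the terminal registry), written as an added Python example that is not part of the patent. The header name X-Terminal-Id, the PBKDF2 password storage, the 10.0.0.2 portal-server address and the sample accounts are assumptions for illustration; the patent specifies none of them.

```python
"""Backend-side verification for the two SSL authentication modes.

Added example for illustration; it is not the patent's code. Assumed, not
from the patent: the header name X-Terminal-Id, PBKDF2 password storage,
and 10.0.0.2 as the portal server's intranet address.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

TERMINAL_ID_HEADER = "x-terminal-id"   # assumed header name (compared case-insensitively)
PORTAL_ADDRESSES = {"10.0.0.2"}         # assumed intranet address(es) of the portal server
PBKDF2_ROUNDS = 100_000


def _hash_password(password: str, salt: bytes) -> bytes:
    """Slow salted hash so a leaked account table cannot be reversed cheaply."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def _lower_keys(headers: Dict[str, str]) -> Dict[str, str]:
    return {k.lower(): v for k, v in headers.items()}


@dataclass
class BackgroundServer:
    # login account -> (salt, pbkdf2 hash), filled in when a terminal registers
    accounts: Dict[str, Tuple[bytes, bytes]] = field(default_factory=dict)
    # terminal identifiers registered in advance for two-way authentication
    registered_terminals: Set[str] = field(default_factory=set)

    def register_account(self, account: str, password: str) -> None:
        salt = os.urandom(16)
        self.accounts[account] = (salt, _hash_password(password, salt))

    def register_terminal(self, terminal_id: str) -> None:
        self.registered_terminals.add(terminal_id)

    def authentication_mode(self, headers: Dict[str, str]) -> str:
        """Two-way if the portal server inserted the terminal identifier, else one-way."""
        return "two-way" if TERMINAL_ID_HEADER in _lower_keys(headers) else "one-way"

    def verify(self, source_addr: str, headers: Dict[str, str],
               body: Dict[str, str]) -> Optional[str]:
        """Return the verified principal (terminal id or account) or None."""
        # The identifier header is only trustworthy because the background server
        # is reachable solely from the portal server over the intranet. A request
        # from anywhere else could carry a forged header, so refuse it outright.
        if source_addr not in PORTAL_ADDRESSES:
            return None

        if self.authentication_mode(headers) == "two-way":
            terminal_id = _lower_keys(headers)[TERMINAL_ID_HEADER]
            return terminal_id if terminal_id in self.registered_terminals else None

        # One-way authentication: the request body carries account and password.
        account = body.get("account", "")
        password = body.get("password", "")
        record = self.accounts.get(account)
        if record is None:
            # Run the KDF anyway so an unknown account costs as much as a wrong password.
            _hash_password(password, b"\x00" * 16)
            return None
        salt, expected = record
        if hmac.compare_digest(_hash_password(password, salt), expected):
            return account
        return None
```

The source-address check is the part the patent leaves implicit: because the background server never sees a certificate itself, the header is only as trustworthy as the network path that delivered it.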
  • the SSL authentication mode in the first embodiment is one-way authentication.
  • the specific steps are as shown in FIG. 3, including:
  • Step 301 The terminal sends an https request to the portal server, where the https request includes an account and a password, and the access address carries a port number.
  • the login account, the password and the port number are obtained from the portal server when the terminal is registered.
  • Step 302 The ingress server determines, according to the port number in the https request, that the SSL authentication mode corresponding to the https request is one-way authentication.
  • Step 303 The portal server sends the certificate of the portal server to the terminal.
  • Step 304 After receiving the verification-pass message fed back by the terminal, the portal server converts the https request into an http request.
  • Step 305 The portal server sends the http request to the background server.
  • Step 306 The background server determines, from the absence of terminal identification information in the http request, that the authentication mode corresponding to the http request is one-way authentication.
  • Step 307 The background server processes the http request.
  • Step 308 The background server sends the processing result to the portal server.
  • Step 309 The portal server sends the processing result to the terminal.
  • the SSL authentication mode in the second embodiment is two-way authentication. The specific steps are as shown in Figure 4.
  • Step 401 The terminal sends an https request to the portal server, where the access address of the https request carries a port number.
  • Step 402 The ingress server determines, according to the port number in the https request, that the SSL authentication mode corresponding to the https request is two-way authentication.
  • Step 403 The portal server sends the certificate of the portal server to the terminal.
  • Step 404 The terminal verifies the certificate of the portal server, and feeds back the verification result to the portal server.
  • Step 405 After receiving the verification pass message fed back by the terminal, the ingress server sends a certificate request to the terminal.
  • Step 406 The terminal sends the terminal certificate to the portal server, where the terminal certificate includes the identifier information of the terminal.
  • Step 407 After the portal server verifies the terminal certificate, the https request is converted into an http request, and the identifier information of the terminal is added to the http request.
  • Step 408 The portal server sends the http request to the background server.
  • Step 409 The background server determines, according to the identifier information of the terminal in the http request, that the authentication mode corresponding to the http request is two-way authentication.
  • Step 410 The background server processes the http request.
  • Step 411 The background server sends the processing result to the portal server.
  • Step 412 The portal server sends the processing result to the terminal.
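The portal-server side of the two-way flow above (choose the mode by listening port, demand a client certificate on the two-way listener, take the identifier from the terminal certificate, and rewrite the request for the background server as in Steps 407 and 408), as an added Python example that is not part of the patent. The ports 8443 and 9443, the header name X-Terminal-Id and the use of the certificate's commonName as the terminal identifier are assumptions; the peer certificate is passed in the dict form that the standard-library ssl module returns from getpeercert(), so the forwarding logic runs without a live TLS socket.

```python
"""Portal-server handling of a terminal request after TLS termination.

Added example for illustration; it is not the patent's code. Assumed, not
from the patent: port 8443 for one-way and 9443 for two-way authentication,
the header name X-Terminal-Id, and the terminal identifier being carried in
the commonName of the terminal certificate. The peer certificate is passed in
the dict form that ssl.SSLSocket.getpeercert() returns, so the forwarding
logic can be exercised without a live TLS socket.
"""
import ssl
from typing import Dict, Optional

ONE_WAY_PORT = 8443                   # assumed listener: server certificate only
TWO_WAY_PORT = 9443                   # assumed listener: client certificate also required
TERMINAL_ID_HEADER = "X-Terminal-Id"  # assumed header name


def listener_context(mode: str, ca_file: Optional[str] = None) -> ssl.SSLContext:
    """Server-side TLS context for one listener. The two-way listener demands a
    client certificate during the handshake; the one-way listener never asks."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.verify_mode = ssl.CERT_REQUIRED if mode == "two-way" else ssl.CERT_NONE
    if ca_file:
        ctx.load_verify_locations(ca_file)  # CA that issued the terminal certificates
    return ctx


def authentication_mode(port: int) -> str:
    """The port the terminal connected to fixes the SSL authentication mode."""
    if port == TWO_WAY_PORT:
        return "two-way"
    if port == ONE_WAY_PORT:
        return "one-way"
    raise ValueError(f"no SSL service on port {port}")


def terminal_id_from_cert(peercert: Optional[dict]) -> Optional[str]:
    """Extract the identifier from a getpeercert()-style dict, e.g.
    {'subject': ((('commonName', 'POS-0001'),),), ...}."""
    if not peercert:
        return None
    for rdn in peercert.get("subject", ()):
        for attr_name, value in rdn:
            if attr_name == "commonName":
                return value
    return None


def build_backend_headers(port: int, inbound: Dict[str, str],
                          peercert: Optional[dict]) -> Dict[str, str]:
    """Turn the terminal's HTTPS headers into the plain-HTTP headers sent to the
    background server (Steps 407/408 of the two-way flow).

    Any X-Terminal-Id the terminal itself supplied is dropped first. The background
    server infers the authentication mode from this header's presence, so a terminal
    on the one-way port must never be able to smuggle one through."""
    outbound = {k: v for k, v in inbound.items()
                if k.lower() != TERMINAL_ID_HEADER.lower()}
    if authentication_mode(port) == "two-way":
        terminal_id = terminal_id_from_cert(peercert)
        if terminal_id is None:
            # CERT_REQUIRED already fails the handshake without a client certificate;
            # this guards the forwarding path against a misconfigured listener.
            raise PermissionError("two-way authentication requires a terminal certificate")
        outbound[TERMINAL_ID_HEADER] = terminal_id
    return outbound
```

Stripping the inbound header unconditionally, before the mode is even consulted, is the check that keeps the one-way and two-way services safe to share a single background server.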
  • the embodiment of the present invention further provides an apparatus for access control based on the SSL protocol. As shown in FIG. 5, the apparatus includes:
  • the ingress transceiver module 501 is configured to receive an access request sent by the terminal.
  • the ingress authentication module 502 is configured to determine an SSL authentication mode corresponding to the access request.
  • the ingress processing module 503 is configured to, in the case of two-way authentication, add the identification information of the terminal to the access request after mutual authentication with the terminal has succeeded.
  • the ingress transceiver module 501 is further configured to send the access request to the background server, where the background server is configured to determine the access authority of the terminal according to whether the access request carries the identification information of the terminal.
  • the ingress transceiver module 501 is specifically configured to: send the certificate of the portal server to the terminal and receive the terminal's authentication result for the portal server; send a certificate acquisition request to the terminal; and receive the terminal certificate sent by the terminal, the terminal certificate including the identification information of the terminal.
  • the ingress processing module 503 is specifically configured to complete authentication of the terminal according to the terminal certificate.
  • the terminal certificate is obtained as follows:
  • the terminal generates a certificate signing request (CSR) file according to the identification information of the terminal;
  • the terminal sends the CSR to a certificate authority, so that the certificate authority generates the terminal certificate according to the CSR;
  • the terminal receives the terminal certificate sent by the certificate authority.
  • the access request includes a port number
  • the ingress authentication module 502 is configured to determine, according to the port number, that the SSL authentication mode corresponding to the access request is two-way authentication or one-way authentication.
  • the ingress transceiver module 501 is configured to receive an https request sent by the terminal.
  • the ingress processing module 503 is configured to: convert the https request into an http request, and insert the identifier information of the terminal in a packet header of the http request;
  • the ingress transceiver module 501 is configured to send the http request that adds the identifier information to the background server.
  • Another access control device based on SSL authentication includes:
  • the background transceiver module 601 is configured to receive an access request sent by the portal server;
  • the background authentication module 602 is configured to determine an SSL authentication mode corresponding to the access request according to whether the access request includes the identifier information of the terminal.
  • the background processing module 603 is configured to perform verification on the terminal according to the SSL authentication mode corresponding to the access request.
  • the background processing module 603 is further configured to process the access request after verifying the pass of the terminal;
  • the background transceiver module 601 is further configured to send a processing result to the portal server.
  • the background processing module 603 is further configured to:
  • if the SSL authentication mode corresponding to the access request is one-way authentication, the access request includes the login account and password of the terminal, and verify whether the login account and the password match;
  • if the SSL authentication mode corresponding to the access request is two-way authentication, the packet header of the access request includes the identification information of the terminal, and verify whether the identification information of the terminal has been registered.
  • FIG. 7 is a schematic structural diagram of an electronic device provided by the present application.
  • the electronic device 700 includes a transceiver 701, a processor 702, a memory 703, and a communication interface 704, wherein the transceiver 701, the processor 702, the memory 703, and the communication interface 704 are connected to one another via a bus 705.
  • the memory 703 is used to store programs.
  • the program can include program code, the program code including computer operating instructions.
  • the memory 703 may be a volatile memory, such as a random-access memory (RAM), or a non-volatile memory, such as a flash memory, hard disk drive (HDD) or solid-state drive (SSD); it may also be any combination of one or more of the above volatile and non-volatile memories.
  • the memory 703 stores the following elements, executable modules or data structures, or a subset thereof, or an extended set thereof:
  • Operation instructions include various operation instructions for implementing various operations.
  • Operating system Includes a variety of system programs for implementing various basic services and handling hardware-based tasks.
  • the bus 705 may be a peripheral component interconnect (PCI) bus or an extended industry standard architecture (EISA) bus.
  • the bus can be divided into an address bus, a data bus, a control bus, and the like. For ease of representation, only one thick line is shown in Figure 7, but it does not mean that there is only one bus or one type of bus.
  • the communication interface 704 can be a wired communication access port, a wireless communication interface, or a combination thereof, wherein the wired communication interface can be, for example, an Ethernet interface.
  • the Ethernet interface can be an optical interface, an electrical interface, or a combination thereof.
  • the wireless communication interface can be a WLAN interface.
  • the processor 702 can be a central processing unit (CPU), a network processor (NP) or a combination of a CPU and an NP. It can also be a hardware chip.
  • the hardware chip may be an application-specific integrated circuit (ASIC), a programmable logic device (PLD) or a combination thereof.
  • the PLD may be a complex programmable logic device (CPLD), a field-programmable gate array (FPGA), a generic array logic (GAL) or any combination thereof.
  • the transceiver 701 is configured to receive an access request sent by the terminal, and send the access request to the background server, where the background server is configured to determine the access authority of the terminal according to whether the access request carries the identification information of the terminal;
  • the processor 702 is configured to read a program in the memory 703 and perform the following methods:
  • the memory 703 is configured to store one or more executable programs, and may store data used by the processor 702 when performing operations.
  • the transceiver 701 is specifically configured to: send the certificate of the electronic device to the terminal and receive the terminal's authentication result for the electronic device; send a certificate acquisition request to the terminal; and receive the terminal certificate sent by the terminal, the terminal certificate including the identification information of the terminal. The processor 702 is specifically configured to complete authentication of the terminal according to the terminal certificate.
  • the terminal certificate is obtained as follows: the terminal generates a certificate signing request (CSR) file according to the identification information of the terminal; the terminal sends the CSR to a certificate authority, so that the certificate authority generates the terminal certificate according to the CSR; and the terminal receives the terminal certificate sent by the certificate authority.
  • the access request includes a port number
  • the processor 702 is configured to determine, according to the port number, that the SSL authentication mode corresponding to the access request is two-way authentication or one-way authentication.
  • the transceiver 701 is configured to receive an https request sent by the terminal and to send the http request carrying the identification information to the background server, and the processor 702 is specifically configured to convert the https request into an http request and insert the identification information of the terminal into the header of the http request.
  • the electronic device receives the access request sent by the terminal and determines, according to the access request, whether the corresponding SSL authentication mode is two-way authentication or one-way authentication. If it is two-way authentication, the electronic device and the terminal perform mutual authentication; after it passes, the electronic device adds the identification information of the terminal to the access request and sends the access request carrying the identification information to the background server. Because two-way authentication gives a stronger guarantee for terminal access than one-way authentication, access requests under the two authentication modes are granted different permissions.
  • the background server can determine the SSL authentication mode between the terminal and the electronic device according to whether the access request carries the identification information of the terminal, and from that determine the final access rights of the terminal.
  • the SSL two-way authentication service and the SSL one-way authentication service can be provided by a single background server (one IP address and port), which makes the background server's handling of access requests more flexible, saves server resources, and solves the problem of building separate authentication systems for different authentication modes.
  • FIG. 8 is a schematic structural diagram of an electronic device provided by the present application.
  • the electronic device 800 includes a transceiver 801, a processor 802, a memory 803, and a communication interface 804, wherein the transceiver 801, the processor 802, the memory 803, and the communication interface 804 are connected to one another via a bus 805.
  • the memory 803 is used to store programs.
  • the program can include program code, the program code including computer operating instructions.
  • the memory 803 may be a volatile memory, such as a random-access memory (RAM), or a non-volatile memory, such as a flash memory, hard disk drive (HDD) or solid-state drive (SSD); it may also be any combination of one or more of the above volatile and non-volatile memories.
  • the memory 803 stores the following elements, executable modules or data structures, or a subset thereof, or an extended set thereof:
  • Operation instructions include various operation instructions for implementing various operations.
  • Operating system Includes a variety of system programs for implementing various basic services and handling hardware-based tasks.
  • the bus 805 may be a peripheral component interconnect (PCI) bus or an extended industry standard architecture (EISA) bus.
  • the bus can be divided into an address bus, a data bus, a control bus, and the like. For ease of representation, only one thick line is shown in Figure 8, but it does not mean that there is only one bus or one type of bus.
  • the communication interface 804 can be a wired communication access port, a wireless communication interface, or a combination thereof, wherein the wired communication interface can be, for example, an Ethernet interface.
  • the Ethernet interface can be an optical interface, an electrical interface, or a combination thereof.
  • the wireless communication interface can be a WLAN interface.
  • the processor 802 can be a central processing unit (CPU), a network processor (NP) or a combination of a CPU and an NP. It can also be a hardware chip.
  • the hardware chip may be an application-specific integrated circuit (ASIC), a programmable logic device (PLD) or a combination thereof.
  • the PLD may be a complex programmable logic device (CPLD), a field-programmable gate array (FPGA), a general array logic (GAL) or any combination.
  • the transceiver 801 is configured to receive an access request sent by an ingress server, and send a processing result to the ingress server.
  • the processor 802 is configured to read a program in the memory 803 and perform the following methods:
  • the memory 803 is configured to store one or more executable programs, and may store data used by the processor 802 when performing operations.
  • the processor 802 is further configured to: if the SSL authentication mode corresponding to the access request is one-way authentication, the access request includes the login account and password of the terminal, and verify whether the login account and the password match; if the SSL authentication mode corresponding to the access request is two-way authentication, the packet header of the access request includes the identification information of the terminal, and verify whether the identification information of the terminal has been registered.
  • the portal server receives the access request sent by the terminal and determines, according to the access request, whether the corresponding SSL authentication mode is two-way authentication or one-way authentication. If it is two-way authentication, the portal server and the terminal perform mutual authentication; after it passes, the portal server adds the identification information of the terminal to the access request and sends the access request carrying the identification information to the electronic device. Because two-way authentication gives a stronger guarantee for terminal access than one-way authentication, access requests under the two authentication modes are granted different permissions.
  • the electronic device can determine the SSL authentication mode between the terminal and the portal server according to whether the access request carries the identification information of the terminal, and from that determine the access authority of the terminal.
  • the SSL two-way authentication service and the SSL one-way authentication service can be provided by a single electronic device (one IP address and port), which makes the electronic device's handling of access requests more flexible, saves server resources, and solves the problem of building separate authentication systems for different authentication modes.
  • embodiments of the present application can be provided as a method, system, or computer program product. Therefore, the embodiments of the present application may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware. Moreover, embodiments of the present application can take the form of a computer program product embodied on one or more computer-usable storage media (including but not limited to disk storage, CD-ROM, optical storage, etc.) including computer usable program code.
  • Embodiments of the present application are described with reference to flowchart illustrations and/or block diagrams of methods, devices (systems), and computer program products according to embodiments of the present application. It will be understood that each flow and/or block of the flowchart illustrations and/or FIG.
  • These computer program instructions can be provided to a processor of a general-purpose computer, special-purpose computer, embedded processor, or other programmable data processing device to produce a machine, such that the instructions executed by the processor of the computer or other programmable data processing device produce means for implementing the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.
  • These computer program instructions can also be stored in a computer-readable memory that can direct a computer or other programmable data processing device to operate in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means that implement the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.
  • These computer program instructions can also be loaded onto a computer or other programmable data processing device, such that a series of operational steps are performed on the computer or other programmable device to produce computer-implemented processing, so that the instructions executed on the computer or other programmable device provide steps for implementing the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Information Transfer Between Computers (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention relates to the field of telecommunication, and specifically, to a secure sockets layer (SSL) protocol-based access control method and device. The method comprises: a portal server receives an access request transmitted from a terminal; the portal server determines a SSL authentication method corresponding to the access request; if bi-directional authentication is determined, after the bidirectional authentication is successfully performed between the portal server and the terminal, the portal server adds identifier information of the terminal into the access request and transmits the same to a backend server; and the backend server determines, according to whether the access request contains the identifier information of the terminal, an access permission of the terminal. The invention is utilized to resolve an issue of low resource utilization efficiency owing to establishing separate authentication systems for different authentication methods in the prior art.

Description

Access control method and device based on the SSL protocol
This application claims priority to Chinese patent application No. 201611264199.4, filed with the State Intellectual Property Office of the People's Republic of China on December 30, 2016 and entitled "Access control method and device based on the SSL protocol", the entire contents of which are incorporated herein by reference.
Technical field
The embodiments of the present application relate to the field of communications technology, and in particular to an access control method and device based on the SSL protocol.
Background
With the development of network technology and the spread of intelligent terminals, the security of information exchange has become a focus of attention in Internet payment fields such as e-commerce and online banking. Establishing an encrypted channel between the two communicating parties and transmitting data over it in encrypted form is now widely used.
SSL (Secure Sockets Layer) is a security protocol that provides security and data integrity for network communication. The SSL protocol sits between the TCP (Transmission Control Protocol) layer and the application layer; it is the protocol by which a web browser and a web server exchange information securely, and it provides two basic security services: authentication and confidentiality. The SSL protocol has two layers. The SSL Record Protocol is built on a reliable transport protocol (such as TCP) and provides higher-layer protocols with basic functions such as data encapsulation, compression and encryption. The SSL Handshake Protocol is built on the SSL Record Protocol and is used, before actual data transmission begins, for the two communicating parties to authenticate each other, negotiate encryption algorithms and exchange encryption keys.
Depending on the authentication mode, the SSL protocol is divided into one-way authentication and two-way authentication. In one-way authentication the server provides a digital certificate to the client, and the client authenticates the server. In two-way authentication both the client and the server provide a digital certificate to the other party and verify the other party's digital certificate. In current technical solutions, a server (one IP address and port) that provides SSL service externally mostly uses a single authentication mode, either one-way authentication or two-way authentication; a separate authentication system has to be built for each authentication mode, and resource utilization is low.
Summary of the invention
Embodiments of the present invention provide an access control method and device based on the SSL protocol, to solve the problem in the prior art that separate authentication systems must be built for different authentication modes, resulting in low resource utilization.
In a first aspect, the SSL protocol-based access control method provided by an embodiment of the present invention includes: a portal server receives an access request sent by a terminal; the portal server determines the Secure Sockets Layer (SSL) authentication mode corresponding to the access request; if it is two-way authentication, then after two-way authentication with the terminal has succeeded, the portal server adds the identification information of the terminal to the access request and sends it to a background server, and the background server determines the access authority of the terminal according to whether the access request carries the identification information of the terminal.
Optionally, the two-way authentication between the portal server and the terminal includes: the portal server sends the certificate of the portal server to the terminal and receives the terminal's authentication result for the portal server; the portal server sends a certificate acquisition request to the terminal; the portal server receives the terminal certificate sent by the terminal, the terminal certificate including the identification information of the terminal; and the portal server completes authentication of the terminal according to the terminal certificate.
Optionally, the terminal certificate is obtained as follows: the terminal generates a certificate signing request (CSR) file according to the identification information of the terminal; the terminal sends the CSR to a certificate authority, so that the certificate authority generates the terminal certificate according to the CSR; and the terminal receives the terminal certificate sent by the certificate authority.
Optionally, the portal server determining the SSL authentication mode corresponding to the access request includes: the portal server receives the access request sent by the terminal, the access request including a port number; and the portal server determines, according to the port number, whether the SSL authentication mode corresponding to the access request is two-way authentication or one-way authentication.
Optionally, the portal server receiving the access request sent by the terminal includes: the portal server receives an https request sent by the terminal; and the portal server adding the identification information of the terminal to the access request and sending it to the background server includes: the portal server converts the https request into an http request and inserts the identification information of the terminal into the header of the http request; and the portal server sends the http request carrying the identification information to the background server.
In a second aspect, an embodiment of the present invention provides an access control method based on SSL authentication, including: a background server receives an access request sent by a portal server; the background server determines the SSL authentication mode corresponding to the access request according to whether the access request includes the identification information of a terminal; the background server verifies the terminal according to the SSL authentication mode corresponding to the access request; and after the terminal passes verification, the background server processes the access request and sends the processing result to the portal server.
Optionally, the background server verifying the terminal according to the SSL authentication mode corresponding to the access request includes: if the SSL authentication mode corresponding to the access request is one-way authentication, the access request includes the login account and password of the terminal, and the background server verifies whether the login account and the password match; if the SSL authentication mode corresponding to the access request is two-way authentication, the header of the access request includes the identification information of the terminal, and the background server verifies whether the identification information of the terminal has been registered.
In a third aspect, an embodiment of the present invention provides an access control device based on the SSL protocol, including: an ingress transceiver module, configured to receive an access request sent by a terminal; an ingress authentication module, configured to determine the SSL authentication mode corresponding to the access request; an ingress processing module, configured to, in the case of two-way authentication, add the identification information of the terminal to the access request after two-way authentication with the terminal has succeeded; and the ingress transceiver module is further configured to send the access request to a background server, the background server determining the access authority of the terminal according to whether the access request carries the identification information of the terminal.
Optionally, the ingress transceiver module is specifically configured to: send the certificate of the portal server to the terminal and receive the terminal's authentication result for the portal server; send a certificate acquisition request to the terminal; and receive the terminal certificate sent by the terminal, the terminal certificate including the identification information of the terminal; and the ingress processing module is specifically configured to complete authentication of the terminal according to the terminal certificate.
Optionally, the terminal certificate is obtained as follows: the terminal generates a certificate signing request (CSR) file according to the identification information of the terminal; the terminal sends the CSR to a certificate authority, so that the certificate authority generates the terminal certificate according to the CSR; and the terminal receives the terminal certificate sent by the certificate authority.
Optionally, the access request includes a port number, and the ingress authentication module is specifically configured to determine, according to the port number, whether the SSL authentication mode corresponding to the access request is two-way authentication or one-way authentication.
Optionally, the ingress transceiver module is configured to receive an https request sent by the terminal; the ingress processing module is specifically configured to convert the https request into an http request and insert the identification information of the terminal into the header of the http request; and the ingress transceiver module is configured to send the http request carrying the identification information to the background server.
In a fourth aspect, an embodiment of the present invention provides an access control device based on SSL authentication, including:
a backend transceiver module, configured to receive an access request sent by an ingress server;
a backend authentication module, configured to determine the SSL authentication mode corresponding to the access request according to whether the access request includes identification information of a terminal;
a backend processing module, configured to verify the terminal according to the SSL authentication mode corresponding to the access request;
the backend processing module is further configured to process the access request after the terminal passes verification;
the backend transceiver module is further configured to send the processing result to the ingress server.
Optionally, the backend processing module is further configured to: if the SSL authentication mode corresponding to the access request is one-way authentication, the access request includes a login account and a password of the terminal, and verify whether the login account and the password match; if the SSL authentication mode corresponding to the access request is two-way authentication, the header of the access request includes the identification information of the terminal, and verify whether the identification information of the terminal has been registered.
In a fifth aspect, an embodiment of the present application provides an electronic device, including a transceiver, a processor, a memory and a communication interface, where the transceiver, the processor, the memory and the communication interface are connected by a bus;
the transceiver is configured to receive an access request sent by a terminal and to send the access request to a backend server, where the backend server is configured to determine the access rights of the terminal according to whether the access request carries identification information of the terminal;
the processor is configured to read a program in the memory and perform the following method:
determining the SSL authentication mode corresponding to the access request; and, if the mode is two-way authentication, adding the identification information of the terminal to the access request after two-way authentication with the terminal has passed;
the memory is configured to store one or more executable programs and may store data used by the processor when performing operations.
In a sixth aspect, an embodiment of the present application provides an electronic device, including a transceiver, a processor, a memory and a communication interface, where the transceiver, the processor, the memory and the communication interface are connected by a bus;
the transceiver is configured to receive an access request sent by an ingress server and to send a processing result to the ingress server;
the processor is configured to read a program in the memory and perform the following method:
determining the SSL authentication mode corresponding to the access request according to whether the access request includes identification information of a terminal; verifying the terminal according to the SSL authentication mode corresponding to the access request; and processing the access request after the terminal passes verification;
the memory is configured to store one or more executable programs and may store data used by the processor when performing operations.
In a seventh aspect, an embodiment of the present application provides a non-transitory computer-readable storage medium storing computer instructions, where the computer instructions cause a computer to perform the method of the first aspect or any possible implementation of the first aspect, or cause the computer to perform the method of the second aspect or any possible implementation of the second aspect.
In an eighth aspect, an embodiment of the present application provides a computer program product, including a computer program stored on a non-transitory computer-readable storage medium, where the computer program includes program instructions that, when executed by a computer, cause the computer to perform the method of the first aspect or any possible implementation of the first aspect, or cause the computer to perform the method of the second aspect or any possible implementation of the second aspect.
In the embodiments of the present invention, the ingress server receives an access request sent by a terminal and determines from that request whether the corresponding SSL authentication mode is two-way authentication or one-way authentication. If the SSL authentication mode of the access request is two-way authentication, the ingress server and the terminal perform two-way authentication. After two-way authentication passes, the ingress server adds the identification information of the terminal to the access request and sends the access request carrying the identification information to the backend server. Two-way authentication provides a stronger security guarantee for terminal access; one-way authentication is less secure by comparison. Therefore, access requests under the different authentication modes carry different permissions. The backend server can determine the SSL authentication mode used between the terminal and the ingress server according to whether the access request carries the identification information of the terminal, and thereby determine the access rights of the terminal. In this way, the SSL two-way authentication system and the SSL one-way authentication system can be deployed on the same backend server (a single IP address and port), which makes the backend server more flexible in processing access requests, saves server resources, and solves the problem in the prior art that different authentication modes require separately built authentication systems.
DESCRIPTION OF THE DRAWINGS
In order to explain the technical solutions in the embodiments of the present invention more clearly, the drawings needed in the description of the embodiments are briefly introduced below. Obviously, the drawings described below are only some embodiments of the present invention, and those of ordinary skill in the art can obtain other drawings from them without creative effort.
FIG. 1 is a schematic diagram of a system architecture to which an embodiment of the present invention applies;
FIG. 2 is a flowchart of an SSL-protocol-based access control method according to an embodiment of the present invention;
FIG. 3 is a flowchart of an SSL-protocol-based access control method in which the SSL authentication mode is one-way authentication, according to Embodiment 1 of the present invention;
FIG. 4 is a flowchart of an SSL-protocol-based access control method in which the SSL authentication mode is two-way authentication, according to Embodiment 2 of the present invention;
FIG. 5 is a schematic structural diagram of an SSL-protocol-based access control device according to an embodiment of the present invention;
FIG. 6 is a schematic structural diagram of another SSL-protocol-based access control device according to an embodiment of the present invention;
FIG. 7 is a schematic structural diagram of an electronic device according to an embodiment of the present application;
FIG. 8 is a schematic structural diagram of an electronic device according to an embodiment of the present application.
DETAILED DESCRIPTION
In order to make the objectives, technical solutions and advantages of the present invention clearer, the present invention is described in further detail below with reference to the accompanying drawings. Obviously, the described embodiments are only some of the embodiments of the present invention, not all of them. All other embodiments obtained by those of ordinary skill in the art based on the embodiments of the present invention without creative effort fall within the scope of protection of the present invention.
As shown in FIG. 1, a system architecture to which an embodiment of the present invention applies includes a terminal 101, an ingress server 102 and a backend server 103. The terminal 101 may be an electronic device with wireless communication capability, such as a mobile phone, a tablet computer or a dedicated handheld device, or a device that connects to the Internet by wired access, such as a personal computer (PC), a notebook computer or a server. The ingress server 102 may be a network device such as a computer. Preferably, the ingress server 102 is an F5 server, which provides the Internet access entry point and load balancing across the entry points. The different SSL authentication modes may be handled by different ingress servers 102, that is, one ingress server 102 handles one-way authentication and another ingress server 102 handles two-way authentication; or they may be handled by different ports of the same ingress server 102, that is, one port on the ingress server 102 handles one-way authentication and another port on the same ingress server 102 handles two-way authentication. The backend server 103 may be a stand-alone device or a server cluster formed by multiple servers, and processes the access requests sent by the terminal. If the backend server 103 consists of multiple servers, the application system deployed on each backend server is identical, that is, each backend server can process both the access requests corresponding to two-way authentication and the access requests corresponding to one-way authentication. The ingress server 102 and the backend server 103 may use cloud computing technology for information processing.
The terminal 101 may communicate with the ingress server 102 over the Internet, or over a mobile communication system such as the Global System for Mobile Communications (GSM) or a Long Term Evolution (LTE) system.
FIG. 2 schematically shows the flow of an SSL-protocol-based access control method provided by an embodiment of the present invention.
Based on the foregoing, as shown in FIG. 2, the SSL-protocol-based access control method provided by an embodiment of the present invention includes the following steps:
Step 201: The ingress server receives an access request sent by a terminal.
Step 202: The ingress server determines the Secure Sockets Layer (SSL) authentication mode corresponding to the access request.
Step 203: If the mode is two-way authentication, the ingress server, after two-way authentication with the terminal has passed, adds the identification information of the terminal to the access request and sends it to the backend server, and the backend server determines the access rights of the terminal according to whether the access request carries the identification information of the terminal.
In the embodiments of the present invention, the ingress server receives an access request sent by a terminal and determines from that request whether the corresponding SSL authentication mode is two-way authentication or one-way authentication. If the SSL authentication mode of the access request is two-way authentication, the ingress server and the terminal perform two-way authentication. After two-way authentication passes, the ingress server adds the identification information of the terminal to the access request and sends the access request carrying the identification information to the backend server. Two-way authentication provides a stronger security guarantee for terminal access; one-way authentication is less secure by comparison. Therefore, access requests under the different authentication modes carry different permissions. The backend server can determine the SSL authentication mode used between the terminal and the ingress server according to whether the access request carries the identification information of the terminal, and thereby determine the access rights of the terminal. In this way, the SSL two-way authentication system and the SSL one-way authentication system can be deployed on the same backend server (a single IP address and port), which makes the backend server more flexible in processing access requests, saves server resources, and solves the problem in the prior art that different authentication modes require separately built authentication systems.
When a user browses or manages network resources, the browser on the terminal sends an access request to the server, and the server replies to the terminal with the requested information on the basis of that request. The information transferred between the terminal's browser and the server may be carried over HTTP (Hypertext Transfer Protocol). To secure the transfer of information between the terminal and the server, the SSL protocol is added on top of HTTP, that is, HTTP is replaced by HTTPS (Hypertext Transfer Protocol over Secure Socket Layer).
In an embodiment of the present invention, step 201, in which the ingress server receives the access request sent by the terminal, includes:
the ingress server receiving an https request sent by the terminal.
HTTP is a standard for requests and responses between a client and a server. The client is installed on the terminal, and the server side may be a website. Using a web browser, a web crawler or another tool, the client initiates an HTTP request to a specified port on the server. The server stores resources, such as HTML (HyperText Markup Language) files and images.
Typically, the client initiates a request by establishing a TCP connection to the server's designated port. The HTTP server listens on that port for requests sent by the client. After processing the received request, the server returns a response message to the client; the content of the response may be the file the client requested, an error message, or other information.
Because HTTP sends messages in plaintext and provides no form of data encryption, its security is very low: an attacker who intercepts the traffic between the browser and the server can read the information directly.
To remedy this shortcoming of HTTP, another protocol is needed: HTTPS, Hypertext Transfer Protocol over Secure Sockets Layer. For the security of data transfer, HTTPS adds the SSL protocol on top of HTTP. SSL relies on digital certificates to verify the identity of the server or client and encrypts the communication between the client and the server.
After the ingress server receives the access request sent by the terminal, because the access request is based on HTTPS, the ingress server needs to determine from the access request how the digital certificates are to be authenticated. Digital certificate authentication takes two forms, two-way authentication and one-way authentication, and the ingress server must be configured with digital certificates for both. The two-way authentication certificate and the one-way authentication certificate may be configured on different ingress servers, so that one ingress server processes only the access requests corresponding to two-way authentication and the other processes only those corresponding to one-way authentication. Access requests of the different authentication modes are then sent to the corresponding ingress server according to different IP addresses or different domain names: an access request for two-way authentication is sent to the ingress server handling two-way authentication according to that server's IP address, and an access request for one-way authentication is sent to the ingress server handling one-way authentication according to that server's IP address.
Preferably, in the embodiment of the present invention, the digital certificates for both two-way and one-way authentication are configured on a single ingress server, and the authentication mode corresponding to an access request is distinguished by port. Step 202, in which the ingress server determines the SSL authentication mode corresponding to the access request, then includes:
the ingress server receiving the access request sent by the terminal, where the access request includes a port number;
the ingress server determining, according to the port number, whether the SSL authentication mode corresponding to the access request is two-way authentication or one-way authentication.
Two-way and one-way authentication connections go to different servers or ports: if the client's authentication mode is two-way authentication, the access request it initiates is sent directly to the server or port for two-way authentication, and if the client's authentication mode is one-way authentication, the access request is sent to the server or port for one-way authentication. Therefore, when the same ingress server receives an access request sent by a terminal, it can judge the SSL authentication mode corresponding to that request from the port number the request carries.
Once the SSL authentication mode has been determined to be two-way or one-way authentication, the ingress server performs the SSL authentication with the client.
If the SSL authentication mode is two-way authentication, then in step 203 the ingress server performing two-way authentication with the terminal includes:
the ingress server sending the certificate of the ingress server to the terminal and receiving the terminal's authentication result for the ingress server;
the ingress server sending a certificate acquisition request to the terminal;
the ingress server receiving a terminal certificate sent by the terminal, where the terminal certificate includes the identification information of the terminal;
the ingress server completing authentication of the terminal according to the terminal certificate.
Specifically, after the ingress server determines that the authentication mode corresponding to the access request sent by the terminal is two-way authentication, it sends the ingress server's certificate to the terminal; the terminal authenticates the ingress server's certificate and, once authentication passes, returns a successful authentication result to the ingress server. Because the authentication is two-way, the ingress server then sends the terminal a request for the terminal's certificate; after receiving the terminal's certificate, the ingress server verifies it, which completes the SSL two-way authentication between the ingress server and the terminal.
If the authentication mode corresponding to the access request is one-way authentication, the ingress server only needs to send the server's digital certificate to the terminal so that the client can verify the ingress server's certificate; the terminal does not need to send its own certificate to the ingress server.
In other words, the difference between the two SSL authentication modes is that in two-way authentication the terminal sends its certificate to the server, while in one-way authentication it does not. Therefore, in the embodiments of the present invention, since two-way authentication sends the certificate to the ingress server, the identification information of the terminal can be embedded in the certificate and sent to the ingress server along with it; the ingress server then places the terminal identification information it obtained into the access request sent to the backend server, and the backend server can read the terminal's identification information from an access request that corresponds to two-way authentication. In one-way authentication, on the other hand, the ingress server sends its certificate to the terminal but the terminal does not send its certificate to the ingress server, so the ingress server does not obtain the terminal's identification information; consequently, in the one-way case the access request the ingress server sends to the backend server does not carry the terminal's identification information. In this way, the backend server can judge whether the authentication mode corresponding to an access request is two-way or one-way from whether the request carries the terminal's identification information, and thereby determine the permissions corresponding to the access request.
The terminal certificate described above is obtained as follows:
the terminal generates a certificate signing request (CSR) file according to the identification information of the terminal;
the terminal sends the CSR to a certificate authority so that the certificate authority generates the terminal certificate according to the CSR;
the terminal receives the terminal certificate sent by the certificate authority.
Specifically, the terminal uses a unique identifier such as its MAC (Message Authentication Code) or terminal serial number to generate a private key file and a CSR (Certificate Signing Request) file, and sends the CSR file to the certificate authority. The certificate authority signs the CSR file with its own private key, which produces the certificate public key file, that is, the certificate issued to the user terminal, and sends this terminal certificate back to the terminal; the terminal certificate can then be used to authenticate the terminal. Because the terminal certificate carries the terminal's identification information, when the terminal sends the terminal certificate to the ingress server, the ingress server can obtain the terminal's identification information from the certificate and add it to the access request.
In addition, the ingress server adding the identification information of the terminal to the access request and sending it to the backend server includes:
the ingress server converting the https request into an http request and inserting the identification information of the terminal into the header of the http request;
the ingress server sending the http request carrying the identification information to the backend server.
Although HTTPS is a more secure communication protocol than HTTP, HTTPS would require the backend server to process the certificates sent by the other party, which increases the backend server's workload. Because the connection between the ingress server and the backend server is an intranet connection, its security is already high and the communication does not need to be encrypted; the ingress server therefore converts the https request into an http request and sends it to the backend server. At the same time, if the authentication mode corresponding to the access request is two-way authentication, the ingress server adds the terminal's identification information to the http request, so that the backend server can determine from the identification information carried in the access request that the authentication mode corresponding to that request is two-way authentication.
相应的,本发明实施例中,后台服务器接收到访问请求后,根据该访问请求对应的认证方式,对访问请求进行处理,具体包括:Correspondingly, in the embodiment of the present invention, after receiving the access request, the background server processes the access request according to the authentication mode corresponding to the access request, and specifically includes:
后台服务器接收入口服务器发送的访问请求;The background server receives the access request sent by the portal server;
所述后台服务器根据所述访问请求中是否包括终端的标识信息,确定所述访问请求对应的SSL认证方式;Determining, by the background server, an SSL authentication mode corresponding to the access request according to whether the access request includes the identifier information of the terminal;
所述后台服务器根据所述访问请求对应的SSL认证方式,对所述终端进 行验证;The background server enters the terminal according to the SSL authentication mode corresponding to the access request. Line verification
所述后台服务器在对终端验证通过后,处理所述访问请求,并向所述入口服务器发送处理结果。After the background server passes the verification of the terminal, the background server processes the access request and sends the processing result to the portal server.
由于SSL认证方式为两种,双向认证或单向认证,则针对不同的认证方式,后台服务器根据访问请求,对终端进行不同验证。The two types of SSL authentication methods are two-way authentication or one-way authentication. For different authentication methods, the background server performs different authentication on the terminal according to the access request.
若所述访问请求对应的SSL认证方式为单向认证,则所述访问请求中包括所述终端的登录账号和密码,所述后台服务器验证所述登录账号和所述密码是否匹配。If the SSL authentication mode corresponding to the access request is one-way authentication, the access request includes a login account and a password of the terminal, and the background server verifies whether the login account and the password match.
对于单向认证,由于这种认证方式的安全性较低,则需要用户预先注册账户。后台服务器接收到访问请求后,验证该访问请求中携带的登录账号和密码是否正确且匹配,并将处理结果按源地址返回终端。For one-way authentication, since the security of this authentication method is low, the user needs to register the account in advance. After receiving the access request, the background server verifies whether the login account and password carried in the access request are correct and match, and returns the processing result to the terminal according to the source address.
若所述访问请求对应的SSL认证方式为双向认证,则所述访问请求的报文头中包括所述终端的标识信息,所述后台服务器验证所述终端的标识信息是否已登记。If the SSL authentication mode corresponding to the access request is two-way authentication, the packet header of the access request includes the identifier information of the terminal, and the background server verifies whether the identifier information of the terminal is already registered.
对于双向认证,这种认证方式的安全性较高,无需用户通过账号密码登录,后台服务器中会预先将终端的标识信息进行登记。这样,当终端发来访问请求时,后台服务器验证该访问请求中携带的终端的标识信息是否已存储在后台服务器中,若是,则通过对该访问请求的验证,否则不通过。For two-way authentication, the security of this authentication method is high. You do not need to log in through the account password. The background server will register the terminal identification information in advance. In this way, when the terminal sends an access request, the background server verifies whether the identification information of the terminal carried in the access request is stored in the background server, and if so, passes the verification of the access request, otherwise it does not pass.
For a clearer understanding of the present invention, the above flow is described in detail below with specific embodiments. The SSL authentication mode in embodiment one is one-way authentication, and the specific steps, as shown in FIG. 3, include:
Step 301: the terminal sends an https request to the ingress server, where the https request includes the account and password, and the access address, i.e. the port number. The login account and password, and the port number, are applied for and obtained from the ingress server when the terminal registers.
Step 302: the ingress server determines, according to the port number in the https request, that the SSL authentication mode corresponding to the https request is one-way authentication.
Step 303: the ingress server sends the ingress server's certificate to the terminal.
Step 304: after receiving the verification-passed message fed back by the terminal, the ingress server converts the https request into an http request.
Step 305: the ingress server sends the http request to the backend server.
Step 306: the backend server determines, because the http request does not include the terminal's identification information, that the authentication mode corresponding to the http request is one-way authentication.
Step 307: the backend server processes the http request.
Step 308: the backend server sends the processing result to the ingress server.
Step 309: the ingress server sends the processing result to the terminal.
The SSL authentication mode in embodiment two is two-way authentication, and the specific steps, as shown in FIG. 4, include:
Step 401: the terminal sends an https request to the ingress server, where the https request includes the access address, i.e. the port number.
Step 402: the ingress server determines, according to the port number in the https request, that the SSL authentication mode corresponding to the https request is two-way authentication.
Step 403: the ingress server sends the ingress server's certificate to the terminal.
Step 404: the terminal verifies the ingress server's certificate and feeds the verification result back to the ingress server.
Step 405: after receiving the verification-passed message fed back by the terminal, the ingress server sends a certificate request to the terminal.
Step 406: the terminal sends the terminal certificate to the ingress server, where the terminal certificate includes the terminal's identification information.
Step 407: after the ingress server has verified the terminal certificate, it converts the https request into an http request and adds the terminal's identification information to the http request.
Step 408: the ingress server sends the http request to the backend server.
Step 409: the backend server determines, because the http request includes the terminal's identification information, that the authentication mode corresponding to the http request is two-way authentication.
Step 410: the backend server processes the http request.
Step 411: the backend server sends the processing result to the ingress server.
Step 412: the ingress server sends the processing result to the terminal.
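The ingress-side conversion and backend-side verification described above, and the two embodiments (steps 301-309 and 401-412), as one added example in Python. This is not code from the patent or its applicant: the port-to-mode mapping (8443 one-way, 9443 two-way), the X-Terminal-Id header name, the account table and the registered terminal set are all constructed for the example. It also adds one check the page does not spell out: because the backend keys its whole decision on the presence of the identifier header, the ingress strips any copy of that header the terminal itself sent before forwarding.

```python
"""Ingress / backend split from the page, as an added example (constructed data)."""
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Dict, Optional

# Constructed: which listening port selects which SSL authentication mode.
PORT_AUTH_MODE = {8443: "one-way", 9443: "two-way"}
TERMINAL_ID_HEADER = "X-Terminal-Id"  # constructed header name


@dataclass
class HttpsRequest:
    """What the ingress server sees after TLS termination."""
    port: int
    headers: Dict[str, str] = field(default_factory=dict)
    body: Dict[str, str] = field(default_factory=dict)
    # Subject of the verified client certificate; None unless the TLS layer
    # completed two-way authentication with the terminal.
    client_cert_subject: Optional[Dict[str, str]] = None


def determine_auth_mode(port: int) -> str:
    """Steps 302 / 402: the port number decides the SSL authentication mode."""
    try:
        return PORT_AUTH_MODE[port]
    except KeyError:
        raise ValueError(f"port {port} is not mapped to an authentication mode")


def ingress_to_backend(req: HttpsRequest) -> Dict[str, Dict[str, str]]:
    """Steps 304-305 / 407-408: build the plain http request forwarded over the
    intranet, inserting the terminal identifier only when two-way auth succeeded."""
    mode = determine_auth_mode(req.port)
    # The backend trusts this header unconditionally, so never forward a copy
    # supplied by the terminal itself (added check, not stated in the patent).
    headers = {k: v for k, v in req.headers.items()
               if k.lower() != TERMINAL_ID_HEADER.lower()}
    if mode == "two-way":
        subj = req.client_cert_subject
        if not subj or "serialNumber" not in subj:
            raise PermissionError("two-way authentication did not complete")
        headers[TERMINAL_ID_HEADER] = subj["serialNumber"]
    return {"headers": headers, "body": dict(req.body)}


# ---- backend server (constructed sample data) --------------------------------
_SALT = b"constructed-demo-salt"


def _hash_password(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)


REGISTERED_TERMINALS = {"SN-ABC123", "SN-DEF456"}       # pre-registered identifiers
ACCOUNTS = {"alice": _hash_password("correct horse")}   # pre-registered account


def backend_handle(http_req: Dict[str, Dict[str, str]]) -> Dict[str, object]:
    """Steps 306-307 / 409-410: the presence of the identifier header selects
    which verification runs, so one backend serves both modes."""
    terminal_id = http_req["headers"].get(TERMINAL_ID_HEADER)
    if terminal_id is not None:
        mode = "two-way"
        ok = terminal_id in REGISTERED_TERMINALS
    else:
        mode = "one-way"
        account = http_req["body"].get("account", "")
        password = http_req["body"].get("password", "")
        expected = ACCOUNTS.get(account)
        ok = expected is not None and hmac.compare_digest(expected, _hash_password(password))
    return {"mode": mode, "status": 200 if ok else 403}


def handle_access_request(req: HttpsRequest) -> Dict[str, object]:
    """End to end: ingress classification and conversion, then backend verification."""
    return backend_handle(ingress_to_backend(req))


if __name__ == "__main__":
    one_way = HttpsRequest(port=8443, body={"account": "alice", "password": "correct horse"})
    two_way = HttpsRequest(port=9443, client_cert_subject={"serialNumber": "SN-ABC123"})
    print(handle_access_request(one_way))  # {'mode': 'one-way', 'status': 200}
    print(handle_access_request(two_way))  # {'mode': 'two-way', 'status': 200}
```

In a real deployment the `client_cert_subject` field is filled by the TLS terminator after it has validated the terminal certificate against the issuing CA, which is the step the page calls "two-way authentication passed"; the ingress code never derives it from request content.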
Based on the same technical concept, an embodiment of the present invention further provides an SSL protocol-based access control apparatus, which, as shown in FIG. 5, includes:
an ingress transceiver module 501, configured to receive an access request sent by a terminal;
an ingress authentication module 502, configured to determine the SSL authentication mode corresponding to the access request;
an ingress processing module 503, configured to, if the mode is two-way authentication, add the terminal's identification information to the access request after two-way authentication with the terminal has passed;
the ingress transceiver module 501 being further configured to send the access request to a backend server, where the backend server is configured to determine the terminal's access rights according to whether the access request carries the terminal's identification information.
Optionally, the ingress transceiver module 501 is specifically configured to:
send the ingress server's certificate to the terminal and receive the terminal's authentication result for the ingress server;
send a certificate acquisition request to the terminal;
receive the terminal certificate sent by the terminal, where the terminal certificate includes the terminal's identification information;
the ingress processing module being specifically configured to complete authentication of the terminal according to the terminal certificate.
Optionally, the terminal certificate is obtained as follows:
the terminal generates a certificate request (CSR) file according to the terminal's identification information;
the terminal sends the CSR to a certificate authority, so that the certificate authority generates the terminal certificate according to the CSR;
the terminal receives the terminal certificate sent by the certificate authority.
Optionally, the access request includes a port number;
the ingress authentication module 502 being specifically configured to determine, according to the port number, whether the SSL authentication mode corresponding to the access request is two-way authentication or one-way authentication.
Optionally, the ingress transceiver module 501 is configured to receive an https request sent by the terminal;
the ingress processing module 503 being specifically configured to convert the https request into an http request and insert the terminal's identification information into the header of the http request;
the ingress transceiver module 501 being configured to send the http request carrying the identification information to the backend server.
Another SSL authentication-based access control apparatus, as shown in FIG. 6, includes:
a backend transceiver module 601, configured to receive an access request sent by an ingress server;
a backend authentication module 602, configured to determine the SSL authentication mode corresponding to the access request according to whether the access request includes the terminal's identification information;
a backend processing module 603, configured to verify the terminal according to the SSL authentication mode corresponding to the access request;
the backend processing module 603 being further configured to process the access request after the terminal passes verification;
the backend transceiver module 601 being further configured to send the processing result to the ingress server.
Optionally, the backend processing module 603 is further configured to:
if the SSL authentication mode corresponding to the access request is one-way authentication, where the access request includes the terminal's login account and password, verify whether the login account and the password match;
if the SSL authentication mode corresponding to the access request is two-way authentication, where the header of the access request includes the terminal's identification information, verify whether the terminal's identification information has been registered.
It should be understood that the above division into units is merely a division by logical function; in actual implementation the units may be wholly or partly integrated into one physical entity, or may be physically separate.
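The terminal-certificate issuance described earlier (terminal key and CSR carrying the identifier, CA signature, ingress reading the identifier back out of the certificate) and restated in the three optional steps just above, as an added example. It is not code from the patent or its applicant; it drives the `openssl` command line from Python and assumes an `openssl` binary on PATH. The identifier SN-ABC123, the "Demo CA" name and the file names are constructed, and the identifier is placed in the subject's serialNumber attribute as one possible way of carrying it.

```python
"""Terminal certificate issuance and identifier extraction via openssl (added example)."""
import re
import subprocess
import tempfile
from pathlib import Path


def _openssl(*args: str) -> str:
    """Run one openssl command, raising on failure, and return its stdout."""
    res = subprocess.run(["openssl", *args], check=True, capture_output=True, text=True)
    return res.stdout


def make_terminal_csr(work: Path, terminal_id: str) -> Path:
    """Terminal side: private key plus a CSR whose subject carries the identifier.
    The private key stays in the terminal's directory; only the CSR is sent on."""
    _openssl("req", "-new", "-newkey", "rsa:2048", "-nodes", "-batch",
             "-keyout", str(work / "terminal.key"), "-out", str(work / "terminal.csr"),
             "-subj", f"/CN=terminal/serialNumber={terminal_id}")
    return work / "terminal.csr"


def issue_terminal_cert(work: Path, csr: Path) -> Path:
    """CA side: create the (constructed) Demo CA and sign the CSR with its key."""
    _openssl("req", "-x509", "-newkey", "rsa:2048", "-nodes", "-batch", "-days", "1",
             "-keyout", str(work / "ca.key"), "-out", str(work / "ca.crt"),
             "-subj", "/CN=Demo CA")
    _openssl("x509", "-req", "-days", "1", "-in", str(csr),
             "-CA", str(work / "ca.crt"), "-CAkey", str(work / "ca.key"),
             "-CAcreateserial", "-out", str(work / "terminal.crt"))
    return work / "terminal.crt"


def extract_terminal_id(work: Path, cert: Path) -> str:
    """Ingress side: accept the certificate only if it chains to the CA,
    then read the identifier out of the subject (RFC 2253 rendering)."""
    _openssl("verify", "-CAfile", str(work / "ca.crt"), str(cert))  # raises if untrusted
    subject = _openssl("x509", "-in", str(cert), "-noout", "-subject", "-nameopt", "RFC2253")
    m = re.search(r"serialNumber\s*=\s*([^,\n]+)", subject)
    if not m:
        raise ValueError("certificate subject carries no serialNumber attribute")
    return m.group(1).strip()


def demo(terminal_id: str = "SN-ABC123") -> str:
    """Full round trip in a scratch directory; returns the identifier the
    ingress recovered from the issued certificate."""
    with tempfile.TemporaryDirectory() as d:
        work = Path(d)
        csr = make_terminal_csr(work, terminal_id)
        cert = issue_terminal_cert(work, csr)
        return extract_terminal_id(work, cert)


if __name__ == "__main__":
    print(demo())  # SN-ABC123
```

The `openssl verify` call is what turns "the certificate says SN-ABC123" into "a certificate the CA actually issued says SN-ABC123"; skipping it would let any self-signed certificate with a matching subject pass the identifier check.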
Based on the same concept, the present application provides an electronic device that can be used to carry out the flow of the SSL protocol-based access control method performed by the ingress server described above. FIG. 7 is a schematic structural diagram of an electronic device provided by the present application. The electronic device 700 includes a transceiver 701, a processor 702, a memory 703 and a communication interface 704, where the transceiver 701, the processor 702, the memory 703 and the communication interface 704 are connected to one another via a bus 705.
The memory 703 is used to store programs. Specifically, a program may include program code, and the program code includes computer operating instructions. The memory 703 may be a volatile memory, for example a random-access memory (RAM); or a non-volatile memory, for example a flash memory, a hard disk drive (HDD) or a solid-state drive (SSD); or a combination of any one or more of the above volatile and non-volatile memories.
The memory 703 stores the following elements, executable modules or data structures, or a subset or extended set of them:
operating instructions: including various operating instructions used to carry out various operations;
an operating system: including various system programs used to implement various basic services and to handle hardware-based tasks.
The bus 705 may be a peripheral component interconnect (PCI) bus, an extended industry standard architecture (EISA) bus, or the like. The bus may be divided into an address bus, a data bus, a control bus and so on. For ease of representation only one thick line is drawn in FIG. 7, but this does not mean that there is only one bus or one type of bus.
The communication interface 704 may be a wired communication interface, a wireless communication interface, or a combination of the two, where the wired communication interface may for example be an Ethernet interface. The Ethernet interface may be an optical interface, an electrical interface, or a combination of the two. The wireless communication interface may be a WLAN interface.
The processor 702 may be a central processing unit (CPU), a network processor (NP), or a combination of a CPU and an NP. It may also be a hardware chip. The hardware chip may be an application-specific integrated circuit (ASIC), a programmable logic device (PLD), or a combination of the two. The PLD may be a complex programmable logic device (CPLD), a field-programmable gate array (FPGA), generic array logic (GAL), or any combination of these.
The transceiver 701 is configured to receive an access request sent by a terminal and to send the access request to a backend server, where the backend server is configured to determine the terminal's access rights according to whether the access request carries the terminal's identification information;
the processor 702 is configured to read the program in the memory 703 and perform the following method:
determining the SSL authentication mode corresponding to the access request; if it is two-way authentication, adding the terminal's identification information to the access request after two-way authentication with the terminal has passed;
the memory 703 is configured to store one or more executable programs and may store data used by the processor 702 when performing operations.
Optionally, the transceiver 701 is specifically configured to: send the electronic device's certificate to the terminal and receive the terminal's authentication result for the electronic device; send a certificate acquisition request to the terminal; and receive the terminal certificate sent by the terminal, where the terminal certificate includes the terminal's identification information; and the processor 702 is specifically configured to complete authentication of the terminal according to the terminal certificate.
Optionally, the terminal certificate is obtained as follows: the terminal generates a certificate request (CSR) file according to the terminal's identification information; the terminal sends the CSR to a certificate authority so that the certificate authority generates the terminal certificate according to the CSR; and the terminal receives the terminal certificate sent by the certificate authority.
Optionally, the access request includes a port number, and the processor 702 is specifically configured to determine, according to the port number, whether the SSL authentication mode corresponding to the access request is two-way authentication or one-way authentication.
Optionally, the transceiver 701 is configured to receive the https request sent by the terminal and to send the http request carrying the identification information to the backend server; and the processor 702 is specifically configured to convert the https request into an http request and insert the terminal's identification information into the header of the http request.
In the embodiment of the present invention, the electronic device receives the access request sent by the terminal and determines, according to that access request, whether the corresponding SSL authentication mode is two-way or one-way authentication. If the SSL authentication mode of the access request is two-way authentication, the electronic device performs two-way authentication with the terminal. After two-way authentication passes, the electronic device adds the terminal's identification information to the access request and sends the access request carrying the identification information to the backend server. Because two-way authentication gives a stronger security guarantee for the terminal's access, one-way authentication is less secure by comparison, so the access requests corresponding to the different authentication modes carry different rights. The backend server can determine the SSL authentication mode used between the terminal and the electronic device according to whether the access request carries the terminal's identification information, and thereby further determine the terminal's access rights. In this way, the SSL two-way authentication system and the SSL one-way authentication system can be deployed on the same backend server (a single IP address and port), which increases the flexibility of the backend server in handling access requests, saves server resources, and solves the prior-art problem that different authentication modes required separately built authentication systems.
Based on the same concept, the present application provides an electronic device that can be used to carry out the flow of the SSL protocol-based access control method performed on the backend server side described above. FIG. 8 is a schematic structural diagram of an electronic device provided by the present application. The electronic device 800 includes a transceiver 801, a processor 802, a memory 803 and a communication interface 804, where the transceiver 801, the processor 802, the memory 803 and the communication interface 804 are connected to one another via a bus 805.
The memory 803 is used to store programs. Specifically, a program may include program code, and the program code includes computer operating instructions. The memory 803 may be a volatile memory, for example a random-access memory (RAM); or a non-volatile memory, for example a flash memory, a hard disk drive (HDD) or a solid-state drive (SSD); or a combination of any one or more of the above volatile and non-volatile memories.
The memory 803 stores the following elements, executable modules or data structures, or a subset or extended set of them:
operating instructions: including various operating instructions used to carry out various operations;
an operating system: including various system programs used to implement various basic services and to handle hardware-based tasks.
The bus 805 may be a peripheral component interconnect (PCI) bus, an extended industry standard architecture (EISA) bus, or the like. The bus may be divided into an address bus, a data bus, a control bus and so on. For ease of representation only one thick line is drawn in FIG. 8, but this does not mean that there is only one bus or one type of bus.
The communication interface 804 may be a wired communication interface, a wireless communication interface, or a combination of the two, where the wired communication interface may for example be an Ethernet interface. The Ethernet interface may be an optical interface, an electrical interface, or a combination of the two. The wireless communication interface may be a WLAN interface.
The processor 802 may be a central processing unit (CPU), a network processor (NP), or a combination of a CPU and an NP. It may also be a hardware chip. The hardware chip may be an application-specific integrated circuit (ASIC), a programmable logic device (PLD), or a combination of the two. The PLD may be a complex programmable logic device (CPLD), a field-programmable gate array (FPGA), generic array logic (GAL), or any combination of these.
The transceiver 801 is configured to receive an access request sent by an ingress server and to send the processing result to the ingress server;
the processor 802 is configured to read the program in the memory 803 and perform the following method:
determining the SSL authentication mode corresponding to the access request according to whether the access request includes the terminal's identification information; verifying the terminal according to the SSL authentication mode corresponding to the access request; and, after the terminal passes verification, processing the access request;
the memory 803 is configured to store one or more executable programs and may store data used by the processor 802 when performing operations.
Optionally, the processor 802 is further configured to: if the SSL authentication mode corresponding to the access request is one-way authentication, where the access request includes the terminal's login account and password, verify whether the login account and the password match; and if the SSL authentication mode corresponding to the access request is two-way authentication, where the header of the access request includes the terminal's identification information, verify whether the terminal's identification information has been registered.
In the embodiment of the present invention, the ingress server receives the access request sent by the terminal and determines, according to that access request, whether the corresponding SSL authentication mode is two-way or one-way authentication. If the SSL authentication mode of the access request is two-way authentication, the ingress server performs two-way authentication with the terminal. After two-way authentication passes, the ingress server adds the terminal's identification information to the access request and sends the access request carrying the identification information to the electronic device. Because two-way authentication gives a stronger security guarantee for the terminal's access, one-way authentication is less secure by comparison, so the access requests corresponding to the different authentication modes carry different rights. The electronic device can determine the SSL authentication mode used between the terminal and the ingress server according to whether the access request carries the terminal's identification information, and thereby further determine the terminal's access rights. In this way, the SSL two-way authentication system and the SSL one-way authentication system can be deployed on the same electronic device (a single IP address and port), which increases the flexibility of the electronic device in handling access requests, saves server resources, and solves the prior-art problem that different authentication modes required separately built authentication systems.
Those skilled in the art will appreciate that the embodiments of the present application may be provided as a method, a system, or a computer program product. Accordingly, the embodiments of the present application may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Moreover, the embodiments of the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including but not limited to disk storage, CD-ROM, optical storage and the like) containing computer-usable program code.
The embodiments of the present application are described with reference to flowcharts and/or block diagrams of methods, devices (systems) and computer program products according to the embodiments of the present application. It should be understood that each flow and/or block in the flowcharts and/or block diagrams, and combinations of flows and/or blocks in the flowcharts and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general-purpose computer, a special-purpose computer, an embedded processor or other programmable data processing device to produce a machine, such that the instructions executed by the processor of the computer or other programmable data processing device produce means for implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing device to operate in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means that implement the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be loaded onto a computer or other programmable data processing device, such that a series of operational steps are performed on the computer or other programmable device to produce computer-implemented processing, so that the instructions executed on the computer or other programmable device provide steps for implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
Obviously, those skilled in the art can make various changes and modifications to the embodiments of the present application without departing from the spirit and scope of the present application. Thus, if these changes and modifications of the embodiments of the present application fall within the scope of the claims of the present application and their equivalents, the present application is also intended to encompass them.

Claims (23)

  1. An access control method based on the SSL protocol, characterized in that it comprises:
    an ingress server receiving an access request sent by a terminal;
    the ingress server determining the Secure Sockets Layer (SSL) authentication mode corresponding to the access request;
    if the mode is two-way authentication, the ingress server, after two-way authentication with the terminal has succeeded, adding identification information of the terminal to the access request and sending it to a backend server, the backend server being configured to determine the access rights of the terminal according to whether the access request carries the identification information of the terminal.
  2. The method according to claim 1, characterized in that the ingress server passing two-way authentication with the terminal comprises:
    the ingress server sending the certificate of the ingress server to the terminal and receiving the result of the terminal's authentication of the ingress server;
    the ingress server sending a certificate acquisition request to the terminal;
    the ingress server receiving a terminal certificate sent by the terminal, the terminal certificate including the identification information of the terminal;
    the ingress server completing authentication of the terminal according to the terminal certificate.
  3. The method according to claim 2, characterized in that the terminal certificate is obtained as follows:
    the terminal generating a certificate signing request (CSR) file according to the identification information of the terminal;
    the terminal sending the CSR to a certificate authority, so that the certificate authority generates the terminal certificate according to the CSR;
    the terminal receiving the terminal certificate sent by the certificate authority.
  4. The method according to claim 1, characterized in that the ingress server determining the SSL authentication mode corresponding to the access request comprises:
    the ingress server receiving the access request sent by the terminal, the access request including a port number;
    the ingress server determining, according to the port number, that the SSL authentication mode corresponding to the access request is two-way authentication or one-way authentication.
  5. The method according to claim 2, characterized in that the ingress server receiving the access request sent by the terminal comprises:
    the ingress server receiving an HTTPS request sent by the terminal;
    and the ingress server adding the identification information of the terminal to the access request and sending it to the backend server comprises:
    the ingress server converting the HTTPS request into an HTTP request and inserting the identification information of the terminal into the header of the HTTP request;
    the ingress server sending the HTTP request with the added identification information to the backend server.
  6. An access control method based on SSL authentication, characterized in that it comprises:
    a backend server receiving an access request sent by an ingress server;
    the backend server determining the SSL authentication mode corresponding to the access request according to whether the access request includes identification information of a terminal;
    the backend server verifying the terminal according to the SSL authentication mode corresponding to the access request;
    the backend server, after the terminal has been verified, processing the access request and sending the processing result to the ingress server.
  7. The method according to claim 6, characterized in that the backend server verifying the terminal according to the SSL authentication mode corresponding to the access request comprises:
    if the SSL authentication mode corresponding to the access request is one-way authentication, the access request includes a login account and a password of the terminal, and the backend server verifies whether the login account and the password match;
    if the SSL authentication mode corresponding to the access request is two-way authentication, the header of the access request includes the identification information of the terminal, and the backend server verifies whether the identification information of the terminal has been registered.
  8. An access control device based on the SSL protocol, characterized in that it comprises:
    an ingress transceiver module, configured to receive an access request sent by a terminal;
    an ingress authentication module, configured to determine the SSL authentication mode corresponding to the access request;
    an ingress processing module, configured to, if the mode is two-way authentication, add identification information of the terminal to the access request after two-way authentication with the terminal has succeeded;
    the ingress transceiver module being further configured to send the access request to a backend server, the backend server being configured to determine the access rights of the terminal according to whether the access request carries the identification information of the terminal.
  9. The device according to claim 8, characterized in that the ingress transceiver module is specifically configured to:
    send the certificate of the ingress server to the terminal and receive the result of the terminal's authentication of the ingress server;
    send a certificate acquisition request to the terminal;
    receive a terminal certificate sent by the terminal, the terminal certificate including the identification information of the terminal;
    and the ingress processing module is specifically configured to complete authentication of the terminal according to the terminal certificate.
  10. The device according to claim 9, characterized in that the terminal certificate is obtained as follows:
    the terminal generating a certificate signing request (CSR) file according to the identification information of the terminal;
    the terminal sending the CSR to a certificate authority, so that the certificate authority generates the terminal certificate according to the CSR;
    the terminal receiving the terminal certificate sent by the certificate authority.
  11. The device according to claim 8, characterized in that the access request includes a port number;
    and the ingress authentication module is specifically configured to determine, according to the port number, that the SSL authentication mode corresponding to the access request is two-way authentication or one-way authentication.
  12. The device according to claim 9, characterized in that
    the ingress transceiver module is configured to receive an HTTPS request sent by the terminal;
    the ingress processing module is specifically configured to convert the HTTPS request into an HTTP request and insert the identification information of the terminal into the header of the HTTP request;
    and the ingress transceiver module is configured to send the HTTP request with the added identification information to the backend server.
  13. An access control device based on SSL authentication, characterized in that it comprises:
    a backend transceiver module, configured to receive an access request sent by an ingress server;
    a backend authentication module, configured to determine the SSL authentication mode corresponding to the access request according to whether the access request includes identification information of a terminal;
    a backend processing module, configured to verify the terminal according to the SSL authentication mode corresponding to the access request;
    the backend processing module being further configured to process the access request after the terminal has been verified;
    the backend transceiver module being further configured to send the processing result to the ingress server.
  14. The device according to claim 13, characterized in that the backend processing module is further configured to:
    if the SSL authentication mode corresponding to the access request is one-way authentication, the access request including a login account and a password of the terminal, verify whether the login account and the password match;
    if the SSL authentication mode corresponding to the access request is two-way authentication, the header of the access request including the identification information of the terminal, verify whether the identification information of the terminal has been registered.
  15. An electronic device, characterized in that it comprises a transceiver, a processor, a memory and a communication interface, wherein the transceiver, the processor, the memory and the communication interface are connected by a bus;
    the transceiver is configured to receive an access request sent by a terminal and to send the access request to a backend server, the backend server being configured to determine the access rights of the terminal according to whether the access request carries identification information of the terminal;
    the processor is configured to read a program in the memory and execute the following method:
    determining the SSL authentication mode corresponding to the access request; if the mode is two-way authentication, adding the identification information of the terminal to the access request after two-way authentication with the terminal has succeeded;
    the memory is configured to store one or more executable programs and may store data used by the processor when performing operations.
  16. The electronic device according to claim 15, characterized in that the transceiver is specifically configured to:
    send the certificate of the electronic device to the terminal and receive the result of the terminal's authentication of the electronic device;
    send a certificate acquisition request to the terminal;
    receive a terminal certificate sent by the terminal, the terminal certificate including the identification information of the terminal;
    and the processor is specifically configured to complete authentication of the terminal according to the terminal certificate.
  17. The electronic device according to claim 16, characterized in that the terminal certificate is obtained as follows:
    the terminal generating a certificate signing request (CSR) file according to the identification information of the terminal;
    the terminal sending the CSR to a certificate authority, so that the certificate authority generates the terminal certificate according to the CSR;
    the terminal receiving the terminal certificate sent by the certificate authority.
  18. The electronic device according to claim 15, characterized in that the access request includes a port number;
    and the processor is specifically configured to determine, according to the port number, that the SSL authentication mode corresponding to the access request is two-way authentication or one-way authentication.
  19. The electronic device according to claim 16, characterized in that
    the transceiver is configured to receive an HTTPS request sent by the terminal and to send the HTTP request with the added identification information to the backend server;
    and the processor is specifically configured to convert the HTTPS request into an HTTP request and insert the identification information of the terminal into the header of the HTTP request.
  20. An electronic device, characterized in that it comprises a transceiver, a processor, a memory and a communication interface, wherein the transceiver, the processor, the memory and the communication interface are connected by a bus;
    the transceiver is configured to receive an access request sent by an ingress server and to send a processing result to the ingress server;
    the processor is configured to read a program in the memory and execute the following method:
    determining the SSL authentication mode corresponding to the access request according to whether the access request includes identification information of a terminal; verifying the terminal according to the SSL authentication mode corresponding to the access request; and processing the access request after the terminal has been verified;
    the memory is configured to store one or more executable programs and may store data used by the processor when performing operations.
  21. The electronic device according to claim 20, characterized in that the processor is further configured to:
    if the SSL authentication mode corresponding to the access request is one-way authentication, the access request including a login account and a password of the terminal, verify whether the login account and the password match;
    if the SSL authentication mode corresponding to the access request is two-way authentication, the header of the access request including the identification information of the terminal, verify whether the identification information of the terminal has been registered.
  22. A non-transitory computer-readable storage medium, characterized in that the non-transitory computer-readable storage medium stores computer instructions which cause a computer to perform the method according to any one of claims 1 to 5, or computer instructions which cause the computer to perform the method according to any one of claims 6 to 7.
  23. A computer program product, characterized in that the computer program product comprises a computer program stored on a non-transitory computer-readable storage medium, the computer program comprising program instructions which, when executed by a computer, cause the computer to perform the method according to any one of claims 1 to 5, or cause the computer to perform the method according to any one of claims 6 to 7.
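Claims 1, 4, 5, 6 and 7 together give the two halves of the scheme: the ingress server selects the authentication mode by port, terminates TLS, converts the request to plain HTTP and inserts the terminal's identification information into a header; the backend infers the mode from the presence of that header and verifies either the registered terminal or the account and password. The Go code below is an added example written for this page, not code from the patent or from China UnionPay. It assumes things the claims do not state: listening ports 443 for one-way and 8443 for two-way authentication, the header name X-Terminal-ID, the login account and password arriving as HTTP Basic authentication, and small in-memory tables standing in for the backend's terminal registry and account database. It also makes explicit a check the scheme depends on but the claims do not spell out: since the backend decides the mode from the mere presence of the header, the ingress server must delete any copy of that header the client sent before setting its own, otherwise a terminal on the one-way port could claim a registered identity.

```go
package main

import (
	"crypto/subtle"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"net/http"
)

// Added example, not the patent's code. The header name, the port split and the two
// tables further down are assumptions; the claims do not fix any of them.
const TerminalIDHeader = "X-Terminal-ID"

type AuthMode int

const (
	OneWay AuthMode = iota // server certificate only; the terminal later sends account and password
	TwoWay                 // server and terminal certificates; identification information is in the terminal certificate
)

// AuthModeForPort implements claim 4: the port the request arrived on selects the SSL authentication mode.
func AuthModeForPort(port int) (AuthMode, error) {
	switch port {
	case 443:
		return OneWay, nil
	case 8443:
		return TwoWay, nil
	}
	return 0, fmt.Errorf("port %d is not a configured listener", port)
}

// TLSConfigFor builds the listener configuration for one mode. On the two-way port the handshake
// itself sends the certificate request of claim 2 and rejects a terminal whose certificate is
// missing or does not chain to clientCAs, so the HTTP handler only ever sees verified terminals.
func TLSConfigFor(mode AuthMode, serverCert tls.Certificate, clientCAs *x509.CertPool) *tls.Config {
	cfg := &tls.Config{Certificates: []tls.Certificate{serverCert}, MinVersion: tls.VersionTLS12}
	if mode == TwoWay {
		cfg.ClientAuth = tls.RequireAndVerifyClientCert
		cfg.ClientCAs = clientCAs
	}
	return cfg
}

// IngressForward implements claims 1 and 5 on the ingress server: rebuild the terminated HTTPS
// request as plain HTTP for the backend and set the identification header only from the
// certificate the TLS stack verified. Any copy of the header the client sent is deleted first.
func IngressForward(in *http.Request, backendURL string) (*http.Request, error) {
	out, err := http.NewRequest(in.Method, backendURL+in.URL.RequestURI(), in.Body)
	if err != nil {
		return nil, err
	}
	out.Header = in.Header.Clone()
	if out.Header == nil {
		out.Header = http.Header{}
	}
	out.Header.Del(TerminalIDHeader) // a one-way client must not be able to claim a two-way identity
	if in.TLS != nil && len(in.TLS.VerifiedChains) > 0 && len(in.TLS.VerifiedChains[0]) > 0 {
		leaf := in.TLS.VerifiedChains[0][0] // the terminal certificate, already chained to ClientCAs
		out.Header.Set(TerminalIDHeader, leaf.Subject.CommonName)
	}
	return out, nil
}

// Constructed stand-ins for the backend's terminal registry and account database.
var registeredTerminals = map[string]bool{"POS-0001": true}
var accounts = map[string]string{"clerk": "s3cret"} // plaintext only for the example

// BackendAuthorize implements claims 6 and 7: the presence of the identification header tells the
// backend which mode the ingress server used, and the terminal is verified accordingly.
func BackendAuthorize(req *http.Request) (principal string, ok bool) {
	if id := req.Header.Get(TerminalIDHeader); id != "" {
		return id, registeredTerminals[id] // two-way: is this terminal registered?
	}
	user, pass, hasBasic := req.BasicAuth() // one-way: login account and password in the request
	stored, known := accounts[user]
	if !hasBasic || !known {
		return "", false
	}
	return user, subtle.ConstantTimeCompare([]byte(stored), []byte(pass)) == 1
}

func main() {
	// Two-way path: the TLS layer has already verified POS-0001's certificate.
	in, _ := http.NewRequest("GET", "https://gw.example/api/balance", nil)
	in.TLS = &tls.ConnectionState{VerifiedChains: [][]*x509.Certificate{{{Subject: pkix.Name{CommonName: "POS-0001"}}}}}
	fwd, _ := IngressForward(in, "http://backend.internal")
	who, ok := BackendAuthorize(fwd)
	fmt.Println("two-way:", who, ok)

	// One-way path: no terminal certificate, the terminal supplies account and password instead.
	in2, _ := http.NewRequest("GET", "https://gw.example/api/balance", nil)
	in2.SetBasicAuth("clerk", "s3cret")
	fwd2, _ := IngressForward(in2, "http://backend.internal")
	who, ok = BackendAuthorize(fwd2)
	fmt.Println("one-way:", who, ok)
}
```

go run prints the two-way path accepting POS-0001 on the strength of its verified certificate and the one-way path accepting the clerk account on its password. TLSConfigFor is where the claim 2 handshake is enforced: with RequireAndVerifyClientCert, a terminal that presents no certificate, or one that does not chain to the CA pool, never reaches the HTTP handler, so VerifiedChains is non-empty exactly when two-way authentication succeeded. The same reasoning means the backend must be reachable only through the ingress server; any other path to it lets a caller supply the header itself.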
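Claim 3 (and its restatements in claims 10 and 17) specifies only that the CSR is built from the terminal's identification information and that the CA returns a certificate. The Go program below is an added example written for this page, not code from the patent or from China UnionPay. It carries the whole exchange through: the terminal generates a key pair and a CSR whose subject Common Name is its identification information, the CA checks the CSR's proof of possession and issues a client-authentication certificate, and the ingress server (claim 2) verifies that certificate against the CA before reading the name from it. The CA name, the validity periods and the terminal identifier POS-0001 are made up for the example, and the claim does not say which certificate field carries the identification information, so using the Common Name is an assumption.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Added example, not the patent's code. CA name, validity periods and the terminal identifier
// are made up; putting the identification information in the subject CN is an assumption.
// NewCA creates a self-signed issuing CA standing in for the certificate authority of claim 3.
func NewCA() (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Terminal Issuing CA"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// NewTerminalCSR is the terminal side: a fresh key pair and a CSR whose subject CN carries the
// terminal identification information. The private key never leaves the terminal.
func NewTerminalCSR(terminalID string) (*ecdsa.PrivateKey, []byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.CertificateRequest{Subject: pkix.Name{CommonName: terminalID}}
	csrDER, err := x509.CreateCertificateRequest(rand.Reader, tmpl, key)
	return key, csrDER, err
}

// IssueTerminalCert is the CA side: check the CSR's proof of possession, copy only the terminal ID
// into the leaf and sign it. Serial, validity and key usages are the CA's decision, not the
// requester's, so a terminal cannot obtain CA or server-authentication capability via its CSR.
func IssueTerminalCert(caCert *x509.Certificate, caKey *ecdsa.PrivateKey, csrDER []byte) ([]byte, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil { // requester must hold the matching private key
		return nil, err
	}
	if csr.Subject.CommonName == "" {
		return nil, fmt.Errorf("CSR carries no terminal identification information")
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: csr.Subject.CommonName},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(365 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	return x509.CreateCertificate(rand.Reader, tmpl, caCert, csr.PublicKey, caKey)
}

// TerminalIDFromCert is the ingress server's use of the received terminal certificate (claim 2):
// verify the chain to the CA first, and only then trust the identification information in it.
func TerminalIDFromCert(certDER []byte, caCert *x509.Certificate) (string, error) {
	cert, err := x509.ParseCertificate(certDER)
	if err != nil {
		return "", err
	}
	roots := x509.NewCertPool()
	roots.AddCert(caCert)
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil {
		return "", err
	}
	return cert.Subject.CommonName, nil
}

func main() {
	caCert, caKey, err := NewCA()
	if err != nil {
		panic(err)
	}
	_, csrDER, _ := NewTerminalCSR("POS-0001") // constructed terminal identifier
	certDER, err := IssueTerminalCert(caCert, caKey, csrDER)
	if err != nil {
		panic(err)
	}
	fmt.Println(TerminalIDFromCert(certDER, caCert))
}
```

Run it with go run; it prints the terminal identification information recovered from the verified certificate. Two design points matter for the access-control scheme built on top of it: the CA takes only the subject name from the CSR and sets serial, validity and key usages itself, so a terminal cannot obtain CA or server-authentication capability by writing those attributes into its CSR; and TerminalIDFromCert refuses to return the name until the chain verifies, which is the order the ingress server has to keep, since the identification information it forwards to the backend is only as trustworthy as that verification.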
PCT/CN2017/115713 2016-12-30 2017-12-12 Ssl protocol-based access control method and device WO2018121249A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201611264199.4A CN106790194B (en) 2016-12-30 2016-12-30 Access control method and device based on SSL (secure socket layer) protocol
CN201611264199.4 2016-12-30

Publications (1)

Publication Number Publication Date
WO2018121249A1 (en) 2018-07-05

Family

ID=58951407

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2017/115713 WO2018121249A1 (en) 2016-12-30 2017-12-12 Ssl protocol-based access control method and device

Country Status (2)

Country Link
CN (1) CN106790194B (en)
WO (1) WO2018121249A1 (en)

Cited By (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111222121A (en) * 2019-12-27 2020-06-02 广州芯德通信科技股份有限公司 Authorization management method for embedded equipment
CN112019339A (en) * 2019-05-31 2020-12-01 西安理邦科学仪器有限公司 Automatic digital certificate distribution method and device
CN112511550A (en) * 2020-12-02 2021-03-16 迈普通信技术股份有限公司 Communication method, communication device, electronic device and storage medium
CN112770317A (en) * 2020-12-31 2021-05-07 上海遨有信息技术有限公司 Sensing layer secure access authentication method for ubiquitous power Internet of things
CN113179323A (en) * 2021-04-29 2021-07-27 杭州迪普科技股份有限公司 HTTPS request processing method, device and system for load balancing equipment
CN113364795A (en) * 2021-06-18 2021-09-07 北京天空卫士网络安全技术有限公司 Data transmission method and proxy server
CN114513362A (en) * 2022-02-22 2022-05-17 中国银行股份有限公司 Long connection communication processing method and device based on TLS protocol
CN114531467A (en) * 2020-11-04 2022-05-24 中移(苏州)软件技术有限公司 Information processing method, equipment and system
CN114785611A (en) * 2022-05-10 2022-07-22 山东高速信息集团有限公司 Communication protocol configuration method, equipment and medium for intelligent monitoring terminal
EP4161012A4 (en) * 2020-05-27 2023-11-08 Hangzhou Hikvision Digital Technology Co., Ltd. Authentication method and apparatus, electronic device, server, program, and storage medium

Families Citing this family (15)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106790194B (en) * 2016-12-30 2020-06-19 中国银联股份有限公司 Access control method and device based on SSL (secure socket layer) protocol
CN107241428B (en) * 2017-06-30 2019-11-26 北京百度网讯科技有限公司 A kind of method and apparatus for realizing https in the shared fictitious host computer based on container
CN109587097A (en) * 2017-09-29 2019-04-05 阿里巴巴集团控股有限公司 A kind of system, method and apparatus for realizing secure access internal network
CN107911398B (en) * 2018-01-04 2020-12-15 世纪龙信息网络有限责任公司 Identity information authentication method, device and system
CN108989290A (en) * 2018-06-21 2018-12-11 上海二三四五网络科技有限公司 A kind of control method and control device for realizing server network access limitation in outer net
CN110399713A (en) * 2018-07-27 2019-11-01 腾讯科技(北京)有限公司 A kind of method and relevant apparatus of authentification of message
CN111343126A (en) * 2018-12-18 2020-06-26 武汉信安珞珈科技有限公司 Method and system for processing digital certificate application
CN111491296A (en) * 2019-01-28 2020-08-04 上海擎感智能科技有限公司 Marathon L B-based access authentication method and system, server and vehicle-mounted client
CN111491298A (en) * 2019-01-28 2020-08-04 上海擎感智能科技有限公司 Authentication method and system based on EMQTT server access, server and client
CN110012016B (en) * 2019-04-10 2021-04-27 山东师创云服务有限公司 Method and system for controlling resource access in hybrid cloud environment
CN112118206B (en) * 2019-06-19 2022-04-12 贵州白山云科技股份有限公司 Decryption method, device, system, medium and equipment
CN112312389B (en) * 2019-07-29 2022-05-06 中国移动通信集团广东有限公司 Communication information transmission method, communication information transmission device, storage medium and electronic equipment
CN111818100B (en) * 2020-09-04 2021-02-02 腾讯科技(深圳)有限公司 Method for configuring channel across networks, related equipment and storage medium
CN112512040A (en) * 2020-12-11 2021-03-16 北京中交国通智能交通系统技术有限公司 High-adaptability ETC security authentication equipment authorization method, device and system
CN114531303B (en) * 2022-04-24 2022-07-12 北京天维信通科技有限公司 Server port hiding method and system

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101883106A (en) * 2010-06-30 2010-11-10 赛尔网络有限公司 Network access authentication method and server based on digital certificate
EP2341724A2 (en) * 2010-01-04 2011-07-06 Tata Consultancy Services Limited System and method for secure transaction of data between wireless communication device and server
CN103179565A (en) * 2011-12-23 2013-06-26 中国银联股份有限公司 Safety information interaction system, terminal, server and method based on thin terminal mode
CN103685187A (en) * 2012-09-14 2014-03-26 华耀(中国)科技有限公司 Method for switching SSL (Secure Sockets Layer) authentication mode on demands to achieve resource access control
CN104735058A (en) * 2015-03-04 2015-06-24 深信服网络科技(深圳)有限公司 Encryption method and system based on security protocol SSL
CN106790194A (en) * 2016-12-30 2017-05-31 中国银联股份有限公司 A kind of access control method and device based on ssl protocol

Family Cites Families (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101150406B (en) * 2006-09-18 2011-06-08 华为技术有限公司 Network device authentication method and system and relay forward device based on 802.1x protocol
CN101800639A (en) * 2009-02-09 2010-08-11 华为终端有限公司 Method, system and device for realizing ebanking services
CN103684768A (en) * 2012-09-10 2014-03-26 中国银联股份有限公司 POS system and method for bidirectional authentication in POS system
CN104700261B (en) * 2013-12-10 2018-11-27 中国银联股份有限公司 The safe networking initial method and its system of POS terminal
CN104954123A (en) * 2014-03-28 2015-09-30 中国银联股份有限公司 Intelligent POS terminal main key updating system and updating method
CN104639534B (en) * 2014-12-30 2019-02-12 北京奇虎科技有限公司 The loading method and browser device of web portal security information

Cited By (17)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112019339A (en) * 2019-05-31 2020-12-01 西安理邦科学仪器有限公司 Automatic digital certificate distribution method and device
CN112019339B (en) * 2019-05-31 2024-02-27 西安理邦科学仪器有限公司 Automatic distribution method and device for digital certificates
CN111222121A (en) * 2019-12-27 2020-06-02 广州芯德通信科技股份有限公司 Authorization management method for embedded equipment
EP4161012A4 (en) * 2020-05-27 2023-11-08 Hangzhou Hikvision Digital Technology Co., Ltd. Authentication method and apparatus, electronic device, server, program, and storage medium
CN114531467B (en) * 2020-11-04 2023-04-14 中移(苏州)软件技术有限公司 Information processing method, equipment and system
US11928449B2 (en) 2020-11-04 2024-03-12 China Mobile (Suzhou) Software Technology Co., Ltd. Information processing method, device, apparatus and system, medium, andprogram
CN114531467A (en) * 2020-11-04 2022-05-24 中移(苏州)软件技术有限公司 Information processing method, equipment and system
CN112511550A (en) * 2020-12-02 2021-03-16 迈普通信技术股份有限公司 Communication method, communication device, electronic device and storage medium
CN112511550B (en) * 2020-12-02 2022-02-22 迈普通信技术股份有限公司 Communication method, communication device, electronic device and storage medium
CN112770317A (en) * 2020-12-31 2021-05-07 上海遨有信息技术有限公司 Sensing layer secure access authentication method for ubiquitous power Internet of things
CN113179323A (en) * 2021-04-29 2021-07-27 杭州迪普科技股份有限公司 HTTPS request processing method, device and system for load balancing equipment
CN113179323B (en) * 2021-04-29 2023-07-04 杭州迪普科技股份有限公司 HTTPS request processing method, device and system for load balancing equipment
CN113364795B (en) * 2021-06-18 2023-03-24 北京天空卫士网络安全技术有限公司 Data transmission method and proxy server
CN113364795A (en) * 2021-06-18 2021-09-07 北京天空卫士网络安全技术有限公司 Data transmission method and proxy server
CN114513362A (en) * 2022-02-22 2022-05-17 中国银行股份有限公司 Long connection communication processing method and device based on TLS protocol
CN114785611A (en) * 2022-05-10 2022-07-22 山东高速信息集团有限公司 Communication protocol configuration method, equipment and medium for intelligent monitoring terminal
CN114785611B (en) * 2022-05-10 2024-05-07 山东高速信息集团有限公司 Communication protocol configuration method, equipment and medium for intelligent monitoring terminal

Also Published As

Publication number Publication date
CN106790194A (en) 2017-05-31
CN106790194B (en) 2020-06-19

Legal Events

Date Code Title Description
121 Ep: the EPO has been informed by WIPO that EP was designated in this application (ref document number: 17887585; country of ref document: EP; kind code of ref document: A1)
NENP Non-entry into the national phase (ref country code: DE)
122 Ep: PCT application non-entry in European phase (ref document number: 17887585; country of ref document: EP; kind code of ref document: A1)