CN105119916B - An HTTP-based authentication method and system - Google Patents

An HTTP-based authentication method and system

Info

Publication number
CN105119916B
Authority
CN
China
Prior art keywords
url
http
reverse proxy
module
http request
Application number
CN201510516450.0A
Other languages
Chinese (zh)
Other versions
CN105119916A (en)
Inventor
陈丛亮
刘德建
毛新生
Original Assignee
福建天晴数码有限公司
Priority date
2015-08-21
Filing date
2015-08-21
Publication date
2018-04-10
Application filed by 福建天晴数码有限公司
Priority to CN201510516450.0A
Publication of CN105119916A
Application granted
Publication of CN105119916B

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/10 Network architectures or network communication protocols for network security for controlling access to network resources
    • H04L 63/08 Network architectures or network communication protocols for network security for supporting authentication of entities communicating through a packet data network
    • H04L 67/00 Network-specific arrangements or communication protocols supporting networked applications
    • H04L 67/02 Network-specific arrangements or communication protocols supporting networked applications involving the use of web-based technology, e.g. hyper text transfer protocol [HTTP]

Abstract

The invention discloses an HTTP-based authentication method and system. The method comprises: S1: classify URLs and configure rules for them; S2: the client sends an HTTP request to a reverse proxy module; S3: according to the URL classification and the rules, the reverse proxy module judges whether the HTTP request has access permission; S4: if it does, the reverse proxy module forwards the HTTP request to the business system module. In this way, an interface that has no authentication function and whose source code cannot be modified gains an authentication function, and system security is improved.

Description

An HTTP-based authentication method and system

Technical field

The present invention relates to an HTTP-based authentication method and system.

Background

At present, the HTTP interfaces that service back ends expose to mobile clients are many and varied, and the usual way to add authentication to one of them is to modify its source code and insert a permission check. When the source code is not available, no permission check can be added to the interface.

An existing patent application (application number 201310582960.9) discloses a method for authenticating web page content, and a corresponding browser. In that method, a private key is installed on the web server of each site that requires anti-counterfeiting authentication, and the matching public key is installed on the browser side. When the browser generates an HTTP request, it judges whether the site being accessed is one that requires anti-counterfeiting authentication; if so, it adds an anti-counterfeiting request parameter to the HTTP request before sending it to the corresponding web server. It then receives the HTTP response the web server returns for that parameter, which carries encrypted information generated with the site's private key, decrypts that information with the site's public key, and judges from the decrypted result whether the response really came from the authenticated web server. That application concerns secure access to a web page, but provides no method for checking the user's access permissions once the secure page has been reached.

Summary of the invention

The technical problem solved by the present invention is: behind a secure web page, to verify the user's access permissions, so that an interface that has no authentication function and whose source code cannot be modified gains an authentication function, improving system security.

To solve this technical problem, the present invention provides an HTTP-based authentication method comprising the following steps:

S1: Classify URLs and configure rules for them;

S2: The client sends an HTTP request to the reverse proxy module;

S3: According to the URL classification and the rules, the reverse proxy module judges whether the HTTP request has access permission;

S4: If it does, the reverse proxy module forwards the HTTP request to the business system module.

To solve the same problem, the present invention also provides an HTTP-based authentication system comprising a client, a reverse proxy module, a business system module and a classification and configuration module, wherein:

the classification and configuration module is used to classify URLs and configure rules for them;

the client is used to send an HTTP request to the reverse proxy module;

the reverse proxy module is used to judge, according to the URL classification and the rules, whether the HTTP request has access permission;

the reverse proxy module is further used to forward the HTTP request to the business system module.

The beneficial effect of the present invention is as follows. Unlike the prior art, the present invention classifies URLs and configures rules for them, and on that basis the reverse proxy module forwards an HTTP request to the business system module only after judging that it has access permission, so that the security of the business system module is improved.

Brief description of the drawings

Fig. 1 is a flow diagram of embodiment one of the method of the present invention;

Fig. 2 is a flow diagram of embodiment two of the method of the present invention;

Fig. 3 is a block diagram of embodiment three of the system of the present invention;

Fig. 4 is a block diagram of embodiment four of the system of the present invention.

Detailed description

To describe the technical content, objects and effects of the present invention in detail, the embodiments are explained below with reference to the accompanying figures.

The key idea of the present invention is: configure rules for URLs and set the corresponding permissions, and forward an HTTP request to the business system only after it has passed authentication, thereby improving the security of the system.

Referring to Fig. 1, embodiment one of the present invention provides an HTTP-based authentication method comprising the following steps:

S1: Classify URLs and configure rules for them;

S2: The client sends an HTTP request to the reverse proxy module;

S3: According to the URL classification and the rules, the reverse proxy module judges whether the HTTP request has access permission;

S4: If it does, the reverse proxy module forwards the HTTP request to the business system module.

Unlike the prior art, embodiment one classifies URLs and configures rules for them, and on that basis the reverse proxy module forwards an HTTP request to the business system module only when it has access permission, so that the security of the business system module is improved.

As shown in Fig. 2, embodiment two builds on embodiment one and further includes, before step S1:

S0: Configure an authentication framework.

Step S1 specifically comprises:

S11: Classify URLs using regular expressions;

S12: According to the URL and its parameters, set URL matching rules that map to the corresponding permissions.

Step S3 specifically comprises:

S31: The reverse proxy module obtains the authentication information in the HTTP request through the authentication framework;

S32: According to the URL classification and the rules, judge whether that authentication information has access permission.

After step S3, the method further includes:

If it does not, perform S40: the reverse proxy module refuses the HTTP request access to the business system module.

Specifically, the authentication framework can be the OAuth 2.0 framework. OAuth (Open Authorization) is an open standard that allows a third-party website, with the user's authorization, to access information the user has stored with a service provider, without the user having to give the third-party website their user name and password. OAuth lets the user hand the third-party website a token; each token corresponds to one specific third-party website and can only access specific resources within a specific period of time.

In this embodiment the purpose of the regular expression is to match a whole class of URLs, that is, to classify URLs. For example, the HTTP requests http://abc.com/?id=1 and http://abc.com/?id=2 can be grouped into one class by the regular expression http://abc.com/?id=(\d+), where (\d+) denotes one or more digit characters.

The client initiates an HTTP request to the reverse proxy module. Using the current authentication information, the reverse proxy module matches the URL against the regular expressions to find the corresponding permission entry and checks whether the request is authorized. If it has no permission, the reverse proxy module refuses the HTTP request access to the business system module; if it has permission, the reverse proxy module forwards the request content to the business system module.

Before the judgement, the URL class is matched first, for example whether URLs of the class http://abc.com/?id=(\d+) are allowed to be accessed by the current user. The specific authentication logic depends on the chosen authentication framework. For example, authentication may be performed on the cookie in the HTTP request header: if the cookie contains the current user's authentication credential, authentication passes.

In a specific embodiment, the client initiates the HTTP request http://abc.com/?id=1 together with its authentication information. The reverse proxy module obtains the authentication information in the HTTP request through the authentication framework; any currently known technique may be used to obtain it. The "authentication information" may be an authentication credential carried in the HTTP request header, for example a user name together with a hash of that user name's password.

In this embodiment the reverse proxy module obtains the current authentication information through the OAuth 2.0 framework, that is, it reads the user name from the HTTP request header and verifies whether the hash of that user name's password matches the hash value carried in the request header. If they match, the current user is confirmed as an authenticated user, i.e. a user who holds permissions. Combined with the configured URL matching rule http://abc.com/?id=(\d+), the module then judges whether the current user (user 1) is allowed access under that URL rule. For example, if http://abc.com/?id=(\d+) allows user 1 and user 2 to access it but does not allow user 3, then the requests http://abc.com/?id=1 and http://abc.com/?id=2 are forwarded to the business system module, whereas user 3 is refused: http://abc.com/?id=3 is rejected and not forwarded to the business system module, and optionally an HTTP 401 Unauthorized status is returned.
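The regular-expression classification described above and the user 1 / user 2 / user 3 decision just given, carried through as one added example. This is not code from the patent or its assignee, and it fixes several things the page leaves open as assumptions: the credential travels in two hypothetical headers, X-Auth-User and X-Auth-Hash; the password hash is SHA-256; the user store and the rule table are constructed inline; and a URL that matches no rule is denied. The page's pattern is reproduced with `.` and `?` escaped and applied with fullmatch(), because an unanchored, unescaped pattern would also put http://abc.com/?id=1&role=admin into the id=1 class. The proxy answers 401 when the credential does not verify and 403 when a verified user is not permitted for the URL class; the patent mentions returning 401 for the refused user, but HTTP reserves 401 for missing or invalid credentials.

```python
import hashlib
import hmac
import re
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Tuple


def password_hash(password: str) -> str:
    """Hash used both for the stored credential and for the value the client sends.
    The patent only says 'a hash of the user name's password'; SHA-256 is assumed here."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


# Constructed user store (assumption of this example): user name -> stored password hash.
USER_DB: Dict[str, str] = {
    "user1": password_hash("pw-1"),
    "user2": password_hash("pw-2"),
    "user3": password_hash("pw-3"),
}


@dataclass(frozen=True)
class UrlRule:
    """One URL class (step S11) together with the users permitted to access it (step S12)."""
    pattern: re.Pattern
    allowed_users: FrozenSet[str]


# Rule table from the patent's worked case: URLs of the class http://abc.com/?id=(\d+)
# may be accessed by user 1 and user 2 but not by user 3. Unlike the pattern as printed
# on the page, '.' and '?' are escaped so that they match only themselves.
RULES: Tuple[UrlRule, ...] = (
    UrlRule(re.compile(r"http://abc\.com/\?id=(\d+)"), frozenset({"user1", "user2"})),
)


def classify(url: str) -> Optional[UrlRule]:
    """S11: map a concrete request URL to its class. fullmatch() anchors both ends, so
    'http://abc.com/?id=1&role=admin' does not inherit the permissions of the numeric-id class."""
    for rule in RULES:
        if rule.pattern.fullmatch(url):
            return rule
    return None


def authenticate(headers: Dict[str, str]) -> Optional[str]:
    """S31: read the credential from the request head and verify it against the store.
    The header names X-Auth-User and X-Auth-Hash are an assumption of this example."""
    user = headers.get("X-Auth-User", "")
    presented = headers.get("X-Auth-Hash", "")
    stored = USER_DB.get(user)
    if stored is None:
        return None
    # Constant-time comparison so a timing side channel does not leak the stored hash.
    return user if hmac.compare_digest(stored, presented) else None


def business_system(url: str) -> Tuple[int, str]:
    """Stand-in for the business-system module behind the proxy (S4); a real reverse
    proxy would forward the request upstream and relay the response."""
    return 200, "business system served " + url


def handle(url: str, headers: Dict[str, str]) -> Tuple[int, str]:
    """S2..S4 from the reverse proxy's point of view: authenticate, classify, authorize,
    then forward. A URL matching no rule is denied (default deny is this example's choice)."""
    user = authenticate(headers)
    if user is None:
        return 401, "Unauthorized"   # no usable credential
    rule = classify(url)
    if rule is None or user not in rule.allowed_users:
        return 403, "Forbidden"      # credential verified, but not permitted for this URL class
    return business_system(url)


def request_as(user: str, password: str, url: str) -> Tuple[int, str]:
    """Build the headers a client would send and run them through the proxy."""
    return handle(url, {"X-Auth-User": user, "X-Auth-Hash": password_hash(password)})
```

The credential the patent describes, a static password hash in the request head, replays exactly like the password once it is captured on the wire; the OAuth 2.0 tokens the description names are the scoped, time-limited alternative, and the decision logic above is unchanged if authenticate() validates such a token instead of a hash.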

Unlike the prior art, embodiment two obtains the authentication information through a configured authentication framework, classifies URLs with regular expressions and configures rules for them, and on that basis the reverse proxy module forwards an HTTP request to the business system module only when it has access permission and otherwise refuses it access to the business system module, so that the security of the business system module is improved.

As shown in Fig. 3, embodiment three of the present invention provides an HTTP-based authentication system 100 comprising a client 110, a reverse proxy module 120, a business system module 130 and a classification and configuration module 140, wherein:

the classification and configuration module 140 is used to classify URLs and configure rules for them;

the client 110 is used to send an HTTP request to the reverse proxy module 120;

the reverse proxy module 120 is used to judge, according to the URL classification and the rules, whether the HTTP request has access permission;

the reverse proxy module 120 is further used to forward the HTTP request to the business system module 130.

The system 100 of embodiment four further includes:

a framework module 150 for configuring the authentication framework.

The classification and configuration module 140 further includes:

a classification unit 141 for classifying URLs using regular expressions;

a configuration unit 142 for setting URL matching rules according to the URL and its parameters, so as to match the corresponding permissions.

Specifically, the reverse proxy module 120 obtains the authentication information in the HTTP request through the authentication framework,

and judges, according to the URL classification and the rules, whether that authentication information has access permission.

The reverse proxy module 120 is further used to refuse the HTTP request access to the business system module 130.

The foregoing are only embodiments of the present invention and do not limit its scope of protection. Any equivalent made using the content of the specification and drawings of the present invention, or applied directly or indirectly in a related technical field, likewise falls within the scope of patent protection of the present invention.

Claims (8)

  1. An HTTP-based authentication method, characterised in that it comprises:
    S1: Classify URLs and configure rules for them;
    S2: The client sends an HTTP request to the reverse proxy module;
    S3: According to the URL classification and the rules, the reverse proxy module judges whether the HTTP request has access permission;
    S4: If it does, the reverse proxy module forwards the HTTP request to the business system module;
    wherein step S1 specifically comprises:
    S11: Classify URLs using regular expressions;
    S12: According to the URL and its parameters, set URL matching rules that map to the corresponding permissions.
  2. The HTTP-based authentication method according to claim 1, characterised in that, before step S1, it further comprises:
    S0: Configure an authentication framework.
  3. The HTTP-based authentication method according to claim 2, characterised in that step S3 specifically comprises:
    S31: The reverse proxy module obtains the authentication information in the HTTP request through the authentication framework;
    S32: According to the URL classification and the rules, judge whether that authentication information has access permission.
  4. The HTTP-based authentication method according to claim 1, characterised in that, after step S3, it further comprises:
    If it does not, perform S40: the reverse proxy module refuses the HTTP request access to the business system module.
  5. An HTTP-based authentication system, characterised in that it comprises a client, a reverse proxy module, a business system module and a classification and configuration module, wherein:
    the classification and configuration module is used to classify URLs and configure rules for them;
    the client is used to send an HTTP request to the reverse proxy module;
    the reverse proxy module is used to judge, according to the URL classification and the rules, whether the HTTP request has access permission;
    the reverse proxy module is further used to forward the HTTP request to the business system module;
    and the classification and configuration module further comprises:
    a classification unit for classifying URLs using regular expressions;
    a configuration unit for setting URL matching rules according to the URL and its parameters, so as to match the corresponding permissions.
  6. The HTTP-based authentication system according to claim 5, characterised in that it further comprises:
    a framework module for configuring the authentication framework.
  7. The HTTP-based authentication system according to claim 6, characterised in that the reverse proxy module obtains the authentication information in the HTTP request through the authentication framework,
    and judges, according to the URL classification and the rules, whether that authentication information has access permission.
  8. The HTTP-based authentication system according to claim 5, characterised in that the reverse proxy module is further used to refuse the HTTP request access to the business system module.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201510516450.0A CN105119916B (en) 2015-08-21 2015-08-21 An HTTP-based authentication method and system

Publications (2)

Publication Number Publication Date
CN105119916A CN105119916A (en) 2015-12-02
CN105119916B (en) 2018-04-10

Family

ID=54667804

Country Status (1)

Country Link
CN (1) CN105119916B (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101441688A (en) * 2007-11-20 2009-05-27 阿里巴巴集团控股有限公司 User authority allocation method and user authority control method
CN101977235A (en) * 2010-11-03 2011-02-16 北京北信源软件股份有限公司 URL (Uniform Resource Locator) filtering method aiming at HTTPS (Hypertext Transport Protocol Server) encrypted website access
CN102253991A (en) * 2011-05-25 2011-11-23 北京星网锐捷网络技术有限公司 Uniform resource locator (URL) storage method, web filtering method, device and system
CN102902780A (en) * 2012-09-28 2013-01-30 五八有限公司 Dynamic matching method and dynamic matching device of uniform resource locator (URL)
CN103065074A (en) * 2012-12-14 2013-04-24 北京思特奇信息技术股份有限公司 Uniform Resource Locator (URL) authority control method based on fine granularity

Also Published As

Publication number Publication date
CN105119916A (en) 2015-12-02

Legal Events

Code Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant