CN105357190B - Method and system for access request authentication - Google Patents

Publication number: CN105357190B
Application number: CN201510703837.7A
Authority: CN (China)
Legal status: Active
Other languages: Chinese (zh)
Other versions: CN105357190A (en)
Inventors: 洪珂, 林基宏
Current assignee: Wangsu Science and Technology Co Ltd
Original assignee: Wangsu Science and Technology Co Ltd
Prior art keywords: access request, request, address, server, access

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/08: Network architectures or network communication protocols for network security for authentication of entities

Abstract

The invention discloses a method and system for access request authentication. The method comprises: a CDN server receives an access request from an access terminal, wherein the access request includes at least a first identifier that identifies the access request; if the first identifier is found in the local cache of the CDN server, the CDN server authenticates the access request locally, wherein authentication determines the legitimacy of the access request; if the first identifier is not found in the local cache of the CDN server, the CDN server sends the access request to an authentication server for authentication. The invention solves the technical problem that existing back-to-origin authentication anti-hotlinking methods rely solely on the authentication server to identify hotlinking requests in all cases, which overloads the authentication server.

Description

Method and system for access request authentication
Technical field
The present invention relates to the computer field, and in particular to a method and system for access request authentication.
Background art
With the development of streaming media technology, hotlinking of streaming media has become increasingly rampant and its techniques increasingly sophisticated. Hotlinkers place the video resources of other streaming media vendors on their own websites and misappropriate the video copyrights of legitimate vendors. This behavior not only infringes copyright but also causes problems such as bandwidth exhaustion and server crashes. Video service providers often use back-to-origin authentication, or embed a processing module in the player, to identify hotlinking requests and then deny access to them.
It should be noted that the existing anti-hotlinking schemes above often have the following problems:
(1) Anti-hotlinking methods based on back-to-origin authentication rely solely on the authentication server to identify hotlinking requests in all cases, which overloads the authentication server.
(2) Schemes that embed a processing module in the player to encrypt the video require the player to be redeveloped, which consumes resources, and as the algorithm grows more complex the dependence on hardware also increases.
(3) The anti-hotlinking schemes above all reject a hotlinking request directly once it is recognized. As a consequence, the hotlinker quickly learns that the hotlinking has failed and soon devises a new hotlinking strategy.
(4) Existing access request authentication schemes have low accuracy and easily misjudge legitimate access requests as illegitimate ones.
No effective solution has yet been proposed for the technical problem that existing back-to-origin authentication anti-hotlinking methods rely solely on the authentication server to identify hotlinking requests in all cases, which overloads the authentication server.
Summary of the invention
Embodiments of the present invention provide a method and system for access request authentication, to solve at least the technical problem that existing back-to-origin authentication anti-hotlinking methods rely solely on the authentication server to identify hotlinking requests in all cases, which overloads the authentication server.
According to one aspect of the embodiments of the present invention, a method for access request authentication is provided. The method comprises: a CDN server receives an access request from an access terminal, wherein the access request includes at least a first identifier that identifies the access request; if the first identifier is found in the local cache of the CDN server, the CDN server authenticates the access request locally, wherein authentication determines the legitimacy of the access request; if the first identifier is not found in the local cache of the CDN server, the CDN server sends the access request to an authentication server for authentication.
According to another aspect of the embodiments of the present invention, a system for access request authentication is also provided. The system comprises: a client, for sending the access request of an access terminal, wherein the access request includes at least a first identifier that identifies the access request; a CDN server, for receiving the access request, wherein if the first identifier is found in the local cache of the CDN server, the CDN server authenticates the access request locally, and if the first identifier is not found in the local cache of the CDN server, the CDN server forwards the access request, wherein authentication determines the legitimacy of the access request; and an authentication server, which has a communication relationship with the CDN server and authenticates the access request forwarded by the CDN server.
In the embodiments of the present invention, a CDN server receives an access request from an access terminal, wherein the access request includes at least a first identifier that identifies the access request; if the first identifier is found in the local cache of the CDN server, the CDN server authenticates the access request locally, wherein authentication determines the legitimacy of the access request; if the first identifier is not found in the local cache of the CDN server, the CDN server sends the access request to an authentication server for authentication. This solves the technical problem that existing back-to-origin authentication anti-hotlinking methods rely solely on the authentication server to identify hotlinking requests in all cases, which overloads the authentication server.
Brief description of the drawings
The drawings described here are provided for further understanding of the present invention and constitute part of this application. The illustrative embodiments of the invention and their description are used to explain the invention and do not constitute an improper limitation of it. In the drawings:
Fig. 1 is a flowchart of a method for access request authentication according to Embodiment one of the present invention;
Fig. 2 is a flowchart of an optional method for access request authentication according to Embodiment one of the present invention;
Fig. 3 is a flowchart of an optional method for access request authentication according to Embodiment one of the present invention; and
Fig. 4 is a schematic diagram of a system for access request authentication according to Embodiment two of the present invention.
Detailed description
To enable those skilled in the art to better understand the solution of the present invention, the technical solutions in the embodiments of the invention are described clearly and completely below with reference to the drawings in the embodiments. Obviously, the described embodiments are only some of the embodiments of the invention, not all of them. All other embodiments obtained by a person of ordinary skill in the art based on the embodiments of the invention without creative effort shall fall within the scope of protection of the invention.
It should be noted that the terms "first", "second" and so on in the description, claims and drawings of this specification are used to distinguish similar objects and not to describe a particular order or sequence. It should be understood that data so used are interchangeable where appropriate, so that the embodiments of the invention described here can be implemented in orders other than those illustrated or described here. In addition, the terms "include" and "have" and any variations of them are intended to cover non-exclusive inclusion; for example, a process, method, system, product or device that contains a series of steps or units is not necessarily limited to the steps or units explicitly listed, but may include other steps or units that are not explicitly listed or that are inherent to the process, method, product or device.
Embodiment one
According to an embodiment of the present invention, an embodiment of a method for access request authentication is provided. It should be noted that the steps shown in the flowcharts of the drawings can be executed in a computer system, for example as a set of computer-executable instructions, and that although a logical order is shown in the flowcharts, in some cases the steps shown or described can be executed in a different order.
Fig. 1 is a flowchart of a method for access request authentication according to an embodiment of the present invention. As shown in Fig. 1, the method includes the following steps:
Step S12, the CDN server receives an access request from an access terminal, wherein the access request includes at least a first identifier that identifies the access request.
Specifically, in this scheme the access request may be a URL request, and the first identifier may be an ID included in the URL request that identifies each access request of a user. The ID may be generated as follows: when a user accesses the CDN server through a client, the client encrypts the URI of the user's access request, a timestamp, a random string and a KEY with an irreversible encryption algorithm to generate the ID that identifies the URL request, then appends the ID, the plaintext timestamp and the plaintext random string after the URL/domain name to produce a unique resource request URL, and finally sends the resource request URL containing the ID to the CDN server. It should be noted that the CDN server in this application may be a CDN node server or a CDN edge server.
It should be noted that the method of generating the ID of the URL request is not limited to the above, as long as the generation scheme ensures that the ID is unique.
For example, user A accesses the CDN server through a client (a legitimate client or an illegitimate client), and the URL of user A's access request received by the CDN server includes the ID identifying the access request, a timestamp and a random string. The URL of user A's access request may look like the following example: http://wstest.com.cn/a.flv?k=68b329da9893e34099c7d8ad5cb9c940&t=554afcb4&UID=11111111 (where k is the unique ID, t is the timestamp and UID is the random string). It should be noted here that if user A accesses the CDN server through a legitimate client (such as a portal website), the URL request received by the CDN server was generated by that legitimate client for the user's access request; if user A accesses the CDN server through an illegitimate client (a third-party hotlinking website), the URL request received by the CDN server was stolen or forged by that illegitimate client.
It should be noted that the scheme of this application requires only lightweight development on the system client and no change to the code structure or business logic of the CDN origin server. The player in the client can initiate a request that uses md5sum (timestamp+random string+KEY) as a random directory. In this scheme, therefore, the player only needs lightweight development, which saves developer resources.
Step S14, if the first identifier is found in the local cache of the CDN server, the CDN server authenticates the access request locally, wherein authentication determines the legitimacy of the access request.
Specifically, in this scheme the CDN server may first query its local cache. If the query finds the above ID in the local cache, the CDN server authenticates the user's current access request according to a preset authentication policy, that is, it determines whether the user's access request is a legitimate access request or a hotlinking request.
It should be noted that if any user has previously accessed the CDN server through a normal client (such as a portal website), the CDN server caches the ID of the legitimate user's access request together with the IP address of the access terminal corresponding to that ID. Therefore, in step S14, if the ID of a legitimate user's access request is stored in the local cache of the CDN server, the CDN server can use it to determine the legitimacy of the current access request.
Step S16, if the first identifier is not found in the local cache of the CDN server, the CDN server sends the access request to the authentication server for authentication.
Specifically, in this scheme, if the first identifier is not in the local cache of the CDN server, the CDN server initiates an authentication request to the authentication server, and the authentication server authenticates the access request.
In this embodiment, the CDN server first receives an access request from an access terminal, wherein the access request includes at least a first identifier that identifies the access request; if the first identifier is found in the local cache of the CDN server, the CDN server authenticates the access request locally, wherein authentication determines the legitimacy of the access request; if the first identifier is not found in the local cache of the CDN server, the CDN server sends the access request to the authentication server for authentication. This solves the problem that existing back-to-origin authentication anti-hotlinking methods rely solely on the authentication server to identify hotlinking requests in all cases, which overloads the authentication server.
It should be noted that this scheme combines judgment by the local CDN node server with judgment by the authentication server, which effectively reduces the load on the authentication server.
Optionally, the access request may also include the IP address of the access terminal, and step S14, in which the CDN server authenticates the access request locally if the first identifier is found in its local cache, may include:
Step S141, the CDN server judges whether at least one locally cached IP address includes the IP address of the access terminal, wherein the at least one IP address has a correspondence with the first identifier.
Step S142, if it does, the CDN server determines that the access request is a legitimate request.
Step S143, if it does not, the CDN server determines that the access request is a hotlinking request.
Specifically, in this scheme the at least one IP address in step S141 is one of the IP addresses cached in the CDN server after a legitimate user previously sent a resource request to the CDN server through a legitimate client. It should be noted that the at least one IP address cached in the CDN server has a correspondence with the first identifier (ID). In the cache of the CDN server, the IP addresses and the first identifier (ID) corresponding to them are all legitimate. Therefore, after receiving the current access request of the current user, the CDN server first judges whether the ID of the user's access request is identical to an ID cached in the CDN server. If it is, the CDN server then judges whether the IP address of the current access request is identical to a cached IP address. If it is, authentication passes, which indicates that the current access request is a legitimate request; if the IP address is different, the current access request is an illegitimate hotlinking request and authentication fails. It should be noted that in the cache of the CDN server one legitimate ID can correspond to multiple IP addresses. As long as the IP address of the user's current access request is among those IP addresses, the access request is legitimate, which avoids misjudging access requests because of multiple egress IPs.
It should be noted here that the presence of the current access request's ID in the CDN server's cache does not necessarily mean that the current access request is legitimate, because the ID may have been forged or stolen by the client of the current user. The ID cached in the CDN server, together with its corresponding IP addresses, belongs to legitimate access requests, so the CDN server can further judge whether the actual IP address of the current access request is among those IP addresses.
Optionally, step S16, in which the CDN server sends the access request to the authentication server for authentication if the first identifier is not found in its local cache, may include:
Step S161, if the first identifier is not found in the local cache of the authentication server, the authentication server determines that the access request is a legitimate request and caches the correspondence between the first identifier and the IP address of the access terminal.
Specifically, in this scheme the CDN server can send the current access request to the authentication server, which authenticates it. If the ID of the current access request is not found in the local cache of the authentication server, the access request is a first access, and a first access request is not a hotlinking request. The authentication server therefore determines that this first access is a legitimate request and caches the correspondence between the ID of the first access and the IP address of the access terminal.
Step S162, if the first identifier is found in the local cache of the authentication server, the authentication server judges whether at least one locally cached IP address includes the IP address of the access terminal, wherein the at least one IP address has a correspondence with the first identifier; if it does, the authentication server determines that the access request is a legitimate request; if it does not, the authentication server determines that the access request is a hotlinking request.
Specifically, in this scheme the at least one IP address in step S162 may be a legitimate IP address cached in another CDN server of the CDN distributed network after a legitimate user sent a resource request to that CDN server through a legitimate client; the other CDN server then sends the ID of the legitimate access request and the at least one IP address corresponding to the ID to the cache of the authentication server. It should be noted that the ID cached in the authentication server has a correspondence with at least one IP address. In the cache of the authentication server, the ID and its corresponding IP addresses are all legitimate. Therefore, after receiving the current access request forwarded by the current CDN server, the authentication server first judges whether the ID of the user's current access request is identical to an ID cached in the authentication server. If it is, the authentication server then judges whether the IP address of the current user's access request is identical to a cached IP address. If it is, authentication passes, which indicates that the current access request is a legitimate request; if the IP address is different, the current access request is an illegitimate hotlinking request and authentication fails. It should be noted that in the cache of the authentication server one legitimate ID can correspond to multiple IP addresses. As long as the IP address of the user's current access request is among those IP addresses, the access request is legitimate.
Optionally, after step S16, in which the CDN server sends the access request to the authentication server for authentication if the first identifier is not found in its local cache, the method provided in this embodiment may also include:
Step S17, the authentication server sends the authentication result to the CDN server, wherein the authentication result includes at least: the IP address of the access terminal of a hotlinking request and the IP address of the access terminal of a legitimate request.
Specifically, in this scheme, if authentication of the current access request fails, the authentication server sends the IP address of the access terminal of the hotlinking request to the CDN server; if authentication of the current access request passes, the authentication server likewise sends the IP address of the access terminal of the legitimate request to the CDN server, and the CDN server handles the current access request.
Optionally, after step S17, in which the authentication server sends the authentication result to the CDN server, the method provided in this embodiment may also include:
Step S18, the CDN server rate-limits or denies access to the IP address of the access terminal of the hotlinking request.
Specifically, in this scheme the CDN server can return the resource normally to the IP address of a legitimate request and reject illegitimate hotlinking requests.
In a preferred embodiment, the CDN server does not directly deny access to the IP address of a hotlinking request but rate-limits it. This can mislead the hotlinker into believing that the hotlinking succeeded, and directly degrades the user experience of the hotlinker's website.
This scheme is described below in a practical application scenario with reference to Fig. 2 and Fig. 3 of this application:
This scheme can be applied to a system for preventing illegitimate hotlinking, which may include a client, a CDN server and an authentication server. The client sends an access request to the CDN node server. The CDN server can authenticate the access request itself and respond to the client, or forward the client's access request to the authentication server for authentication. The authentication server authenticates the access request and returns the authentication result to the CDN server, and the CDN server responds to the client according to the authentication result.
Specifically, the client can initiate a URL request that carries a unique ID (generated by encrypting the four items URI + timestamp + random string + KEY with an irreversible encryption algorithm), with the plaintext timestamp and random string as a directory. The CDN server, on top of the CDN distribution function, lets the edge server judge and process the URL locally, initiate authentication, and process the authentication result. The authentication server is mainly responsible for judging the authentication requests initiated by the CDN edge server module and issuing the judgment result.
With reference to Fig. 2, the steps by which the CDN server authenticates an access request are as follows:
Step S30, the CDN server receives the access request of the client.
Step S31, the CDN server judges whether the encryption format of the URL in the access request is correct and whether the timestamp is valid. If the encryption is incorrect or the timestamp is invalid, step S32 is executed; if the encryption format is correct and the timestamp is valid, step S33 is executed.
Specifically, step S31 performs time-expiry anti-hotlinking verification on the URL of the access request, which mainly includes verifying the correctness of the unique-ID encryption string and whether the timestamp has expired.
Step S32, the access of the client is refused. It should be noted that if the encryption format or the timestamp of the URL of the access request is incorrect, the hotlinker's method is unsophisticated, and the CDN server directly rejects the client's access request.
Step S33, the CDN server judges whether the local cache holds the correspondence between the ID and an IP address. If it does, step S34 is executed; if it does not, step S35 is executed.
It should be noted that the above ID is the ID carried in the URL of the user's access request.
Step S34, the CDN server judges whether the locally cached ID and IP address are identical to the ID carried in the URL of the access request and its IP address. If they are identical, step S341 is executed; if they are different, step S342 is executed.
Step S341, authentication passes, and the CDN server responds to the client normally.
Step S342, authentication fails, and the client is rate-limited.
Step S35, the CDN server sends the access request to the authentication server, and the authentication server authenticates the access request.
Specifically, if the correspondence between the ID carried by the URL of the access request and the IP is not in the CDN server's local cache, the CDN server initiates an authentication request to the authentication server and caches the correspondence between the ID carried by the URL and the IP locally at the CDN edge node.
Step S36, the CDN server receives the authentication result returned by the authentication server and responds to the client according to the authentication result.
Specifically, if the authentication result returned by the authentication server is a failure, the CDN edge node rate-limits the content returned to the client. If the authentication result returned by the authentication server is a pass, the CDN server responds to the client with the content normally.
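The ID generation described for step S12 and the check in step S31 can be sketched as follows; this is an added example, not code from the patent. The field order, the newline separator between fields, the hex timestamp, the KEY value and the validity window are assumptions, and MD5 is used only because the text names md5sum.

```python
import hashlib
import hmac
import re
from urllib.parse import urlsplit, parse_qs

KEY = "constructed-demo-key"  # placeholder secret shared by player and CDN (assumption)
MAX_AGE = 300                 # assumed validity window in seconds; the page gives none
MAX_SKEW = 30                 # assumed tolerance for client clocks that run ahead

HEX_ID = re.compile(r"[0-9a-f]{32}")
HEX_TS = re.compile(r"[0-9a-f]{1,8}")
RAND = re.compile(r"[0-9A-Za-z]{1,32}")


def make_id(uri, ts_hex, rand, key=KEY):
    """ID over URI, timestamp, random string and KEY.

    The fields are joined with a newline (an assumption) so that characters
    cannot be moved between t and UID without changing the digest.
    """
    material = "\n".join((uri, ts_hex, rand, key))
    return hashlib.md5(material.encode()).hexdigest()


def sign_url(origin, uri, now, rand, key=KEY):
    """Client side: append k (ID), t (timestamp) and UID (random string) to the URL."""
    ts_hex = format(int(now), "x")
    return f"{origin}{uri}?k={make_id(uri, ts_hex, rand, key)}&t={ts_hex}&UID={rand}"


def check_url(url, now, key=KEY):
    """CDN side, step S31: return (accepted, reason)."""
    parts = urlsplit(url)
    query = parse_qs(parts.query)
    try:
        # Exactly one value per parameter; a repeated parameter is malformed.
        (k,), (t,), (uid,) = query["k"], query["t"], query["UID"]
    except (KeyError, ValueError):
        return False, "malformed"
    if not (HEX_ID.fullmatch(k) and HEX_TS.fullmatch(t) and RAND.fullmatch(uid)):
        return False, "malformed"
    # Recompute the ID from what was received and compare in constant time.
    if not hmac.compare_digest(make_id(parts.path, t, uid, key), k):
        return False, "bad-id"
    age = int(now) - int(t, 16)
    if age > MAX_AGE:
        return False, "expired"
    if age < -MAX_SKEW:
        return False, "future-timestamp"
    return True, "ok"
```

For a new deployment, HMAC-SHA-256 over the same fields is the usual replacement for a bare MD5 of concatenated values.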
As shown in Fig. 3, the steps by which the authentication server authenticates an access request may be as follows:
Step S40, the authentication server receives the authentication request sent by the CDN server.
Step S41, the authentication server judges whether it has locally cached the correspondence between the ID and IP of the access request. If it has, step S42 is executed; if it has not, step S43 is executed.
It should be noted that the above ID is the ID carried in the URL of the user's access request.
Step S42, if the ID and IP address cached in the authentication server are identical to the ID carried by the URL of the access request and its IP address, step S421 is executed; if they are different, step S422 is executed.
Step S421, authentication passes, and the authentication server sends the authentication result to the CDN server.
Step S422, authentication fails, and the authentication server sends the authentication result to the CDN server.
Step S43, authentication passes, and the authentication server caches the correspondence between the ID carried by the URL of the access request and the IP address.
Step S44, the authentication server sends the authentication result to the CDN server.
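Steps S33 to S36 on the CDN server and S40 to S44 on the authentication server fit together as in the following added example, which is not code from the patent. It assumes the URL check of step S31 has already passed, uses constructed documentation-range IP addresses, and makes one choice of its own: the edge node caches a binding only after the authentication server has confirmed it.

```python
LEGIT, HOTLINK = "legitimate", "hotlink"


class AuthServer:
    """Central authentication server (steps S40 to S44)."""

    def __init__(self):
        self.bindings = {}  # ID -> set of IP addresses accepted for that ID
        self.calls = 0      # authentication requests received, to show the load

    def authenticate(self, req_id, ip):
        self.calls += 1
        ips = self.bindings.get(req_id)
        if ips is None:
            # S43: the first sighting of an ID is treated as legitimate and
            # the ID is bound to the requesting IP address.
            self.bindings[req_id] = {ip}
            return LEGIT
        # S42: known ID, compare the requesting IP with the bound addresses.
        return LEGIT if ip in ips else HOTLINK


class EdgeNode:
    """CDN edge server (steps S33 to S36)."""

    def __init__(self, auth, policy="rate-limit"):
        self.auth = auth
        self.policy = policy  # "rate-limit" (preferred embodiment) or "deny"
        self.cache = {}       # local copy of confirmed ID -> IP bindings

    def handle(self, req_id, ip):
        ips = self.cache.get(req_id)
        if ips is not None:
            # S34: decide locally, with no round trip to the authentication server.
            verdict = LEGIT if ip in ips else HOTLINK
        else:
            # S35/S36: cache miss, so ask the authentication server.
            verdict = self.auth.authenticate(req_id, ip)
            if verdict == LEGIT:
                # Choice made in this example: only confirmed bindings are cached,
                # so a rejected IP can never satisfy the local check later.
                self.cache.setdefault(req_id, set()).add(ip)
        return "serve" if verdict == LEGIT else self.policy


def replay_scenario():
    """Constructed traffic: a viewer on edge A, then the same ID reused from another IP."""
    auth = AuthServer()
    edge_a, edge_b = EdgeNode(auth), EdgeNode(auth)
    viewer, hotlinker = "203.0.113.10", "198.51.100.7"  # constructed addresses
    req_id = "68b329da9893e34099c7d8ad5cb9c940"         # ID from the page's example URL
    steps = [
        (edge_a, viewer),     # miss: authentication server binds ID to viewer
        (edge_a, viewer),     # hit: served locally
        (edge_a, hotlinker),  # hit: IP differs, limited locally
        (edge_b, hotlinker),  # miss on another edge: authentication server rejects
        (edge_b, viewer),     # miss: authentication server confirms, edge B caches
        (edge_b, hotlinker),  # hit: limited locally
    ]
    return [(edge.handle(req_id, ip), auth.calls) for edge, ip in steps]
```

Neither cache expires entries in this sketch; because an ID is only accepted within its timestamp window, a deployment could drop entries once that window has passed.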
Embodiment two
The embodiment of the invention also provides a kind of system of access request authentication, which can be used for executing above-mentioned implementation The method of example one, as shown in figure 4, the system may include: client 20, CDN server 22 and authentication server 24.
Client 20, for sending the access request of access terminal, wherein access request is at least used for identification access request First identifier.
CDN server 22, for receiving access request, if inquiring the first mark in the local cache of CDN server Know, CDN server authenticates access request in local, if not inquiring the in the local cache of CDN server Access request is forwarded by one mark, CDN server, wherein authenticates the legitimacy for determining access request.
Specifically, in this solution, the access request may be a URL request, and the first identifier may be an ID included in the URL request. The ID identifies each access request of the user and can be generated as follows: when the user accesses the CDN server through a client, the client encrypts the URI of the user's access request, a timestamp, a random number string and a KEY with an irreversible encryption algorithm to generate the ID that identifies the URL request. It then inserts the ID, together with the plaintext timestamp and random number, after the URL/domain name to generate a unique resource request URL, and sends the resource request URL containing the ID to the CDN server. It should be noted that the CDN server in this application may be a CDN node server or a CDN edge server.
It should be noted that the method of generating the ID of the URL request is not limited to the one above, as long as the generation scheme makes the ID unique.
For example, user A accesses the CDN server through a client (a legitimate client or an illegitimate client), and the URL of user A's access request received by the CDN server contains the ID identifying the access request, a timestamp and a random number string. The URL of user A's access request may look like the following example: http://wstest.com.cn/a.flv?k=68b329da9893e34099c7d8ad5cb9c940&t=554afcb4&UID=11111111 (k is the unique ID, t is the timestamp, and UID is the random string). It should be noted here that if user A accesses the CDN server through a legitimate client (such as a portal website), the URL request received by the CDN server was generated by that legitimate client for the user's access request; if user A accesses the CDN server through an illegitimate client (a third-party hotlinking website), the URL request received by the CDN server was stolen or forged by that illegitimate client.
It should be noted that the solution of this application requires only lightweight development on the client side of the system and no change to the code structure or business logic in the CDN origin server. The player in the client can initiate a request that uses md5sum(timestamp + random number string + KEY) as a random directory, so in this solution the player needs only lightweight development, which saves developer resources.
Optionally, in this solution, the CDN server may first query its local cache. If the ID is found in the local cache, the CDN server authenticates this access request of the user according to a preset authentication policy, that is, it determines whether the user's access request is a legitimate access request or a hotlinking request.
It should be noted that if any user has previously accessed the CDN server through a normal client (such as a portal website), the CDN server can cache the ID of the legitimate user's access request and the IP address of the access terminal corresponding to that ID. Therefore, in step S14 above, if the ID of a legitimate user's access request is stored in the local cache of the CDN server, the CDN server can use it to identify the legitimacy of this access request; if the ID of a legitimate user's access request is not stored in the local cache of the CDN server, the CDN server forwards the access request.
The authentication server 24 establishes a communication relationship with the CDN server and authenticates the access request forwarded by the CDN server.
Specifically, in this solution, if the first identifier is not in the local cache of the CDN server, the CDN server initiates an authentication request to the authentication server, and the authentication server authenticates the access request.
In this embodiment, the CDN server first receives the access request of an access terminal, where the access request includes at least a first identifier for identifying the access request. If the first identifier is found in the local cache of the CDN server, the CDN server authenticates the access request locally, where the authentication determines the legitimacy of the access request. If the first identifier is not found in the local cache of the CDN server, the CDN server sends the access request to the authentication server for authentication. This solves the problem that existing anti-hotlinking methods based on back-to-source authentication rely solely on the authentication server to identify hotlinking requests in every case, which overloads the authentication server.
Optionally, the access request further includes the IP address of the access terminal, and the CDN server 22 may include: a first processor, configured to judge whether at least one IP address in the local cache includes the IP address of the access terminal, where the at least one IP address corresponds to the first identifier. If it does, the CDN server determines that the access request is a legitimate request; if it does not, the CDN server determines that the access request is a hotlinking request.
Optionally, the authentication server may further include: a second processor. If the first identifier is not found in the local cache of the authentication server, the authentication server determines that the access request is a legitimate request and caches the correspondence between the first identifier and the IP address of the access terminal. If the first identifier is found in the local cache of the authentication server, the authentication server judges whether at least one IP address in the local cache includes the IP address of the access terminal, where the at least one IP address corresponds to the first identifier. If it does, the authentication server determines that the access request is a legitimate request; if it does not, the authentication server determines that the access request is a hotlinking request.
Optionally, the authentication server may further include: a communication device, configured to send the authentication result to the CDN server, where the authentication result includes at least: the IP address of the access terminal of the hotlinking request and the IP address of the access terminal of the legitimate request.
Optionally, the first processor may also be configured to rate-limit or deny access to the IP address of the access terminal of the hotlinking request.
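The two-tier check described above, from URL generation through the local cache lookup to the authentication server fallback, as an added sketch that is not code from the patent. The class and function names, the KEY value, the concatenation order fed to MD5, the constructed client IP addresses, and the choice to have the authentication result carry the legitimate IP set back for caching are all assumptions made for illustration.

```python
import hashlib
import secrets
import time
from urllib.parse import parse_qs, urlsplit

KEY = "constructed-shared-key"  # assumption: placeholder secret, not from the patent


def build_request_url(base_url, key=KEY, now=None):
    """Client side: append k (the ID), t (hex timestamp) and UID (random string)."""
    uri = urlsplit(base_url).path
    t = format(int(time.time() if now is None else now), "x")
    uid = secrets.token_hex(4)
    # Assumed concatenation order; md5sum is the one-way function the text names.
    k = hashlib.md5((uri + t + uid + key).encode()).hexdigest()
    return f"{base_url}?k={k}&t={t}&UID={uid}"


def request_id(url):
    """Extract the first identifier (k) from a resource request URL."""
    return parse_qs(urlsplit(url).query)["k"][0]


class AuthServer:
    """Central tier: binds each ID to the IP that presents it first."""

    def __init__(self):
        self.bindings = {}  # ID -> set of legitimate IPs

    def authenticate(self, rid, ip):
        ips = self.bindings.get(rid)
        if ips is None:  # ID never seen: legitimate, cache the binding
            ips = self.bindings[rid] = {ip}
        verdict = "legitimate" if ip in ips else "hotlink"
        return verdict, frozenset(ips)  # result carries the legitimate IPs back


class CdnServer:
    """Edge tier: answers from its own cache, asks AuthServer only on a miss."""

    def __init__(self, auth):
        self.auth = auth
        self.cache = {}       # ID -> set of legitimate IPs
        self.blocked = set()  # IPs denied after a hotlink verdict
        self.auth_calls = 0

    def handle(self, url, ip):
        if ip in self.blocked:
            return "denied"
        rid = request_id(url)
        ips = self.cache.get(rid)
        if ips is not None:  # cache hit: authenticate locally
            verdict = "legitimate" if ip in ips else "hotlink"
        else:                # cache miss: forward to the authentication server
            self.auth_calls += 1
            verdict, legit_ips = self.auth.authenticate(rid, ip)
            self.cache[rid] = set(legit_ips)
        if verdict == "hotlink":
            self.blocked.add(ip)  # the text allows rate limiting or denial
            return "denied"
        return "served"


if __name__ == "__main__":
    auth = AuthServer()
    edge1, edge2 = CdnServer(auth), CdnServer(auth)
    url = build_request_url("http://wstest.com.cn/a.flv")
    # Constructed client IPs from documentation ranges.
    print(edge1.handle(url, "198.51.100.7"))  # first use of the ID, via AuthServer
    print(edge1.handle(url, "203.0.113.9"))   # same ID, other IP, decided locally
    print(edge2.handle(url, "203.0.113.50"))  # other node, decided by AuthServer
    print(edge1.auth_calls, edge2.auth_calls)
```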
The serial numbers of the above embodiments of the invention are for description only and do not represent the merits of the embodiments.
In the above embodiments of the invention, the description of each embodiment has its own emphasis; for parts not described in detail in one embodiment, refer to the related descriptions of the other embodiments.
In the several embodiments provided in this application, it should be understood that the disclosed technical content can be implemented in other ways. The apparatus embodiments described above are merely exemplary. For example, the division of the units may be a division by logical function, and other divisions are possible in an actual implementation: multiple units or components may be combined or integrated into another system, or some features may be ignored or not executed. In addition, the mutual coupling, direct coupling or communication connection shown or discussed may be indirect coupling or communication connection between units or modules through some interfaces, and may be electrical or take other forms.
The units described as separate parts may or may not be physically separate, and the parts shown as units may or may not be physical units; that is, they may be located in one place or distributed over multiple units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, the functional units in the embodiments of the invention may be integrated into one processing unit, each unit may exist physically on its own, or two or more units may be integrated into one unit. The integrated unit may be implemented in the form of hardware or in the form of a software functional unit.
If the integrated unit is implemented in the form of a software functional unit and is sold or used as an independent product, it may be stored in a computer-readable storage medium. Based on this understanding, the technical solution of the invention in essence, or the part of it that contributes to the prior art, or all or part of the technical solution, may be embodied in the form of a software product. The computer software product is stored in a storage medium and includes several instructions that cause a computer device (which may be a personal computer, a server, a network device or the like) to execute all or part of the steps of the methods of the embodiments of the invention. The aforementioned storage medium includes any medium that can store program code, such as a USB flash drive, read-only memory (ROM), random access memory (RAM), a removable hard disk, a magnetic disk or an optical disc.
The above is only a preferred embodiment of the invention. It should be noted that those of ordinary skill in the art may make various improvements and modifications without departing from the principle of the invention, and these improvements and modifications shall also be regarded as falling within the protection scope of the invention.

Claims (10)

1. A method of access request authentication, characterized by comprising:
A CDN server receives the access request of an access terminal, wherein the access request includes at least a first identifier for identifying the access request;
If the first identifier is found in the local cache of the CDN server, the CDN server authenticates the access request locally, wherein the authentication is used to determine the legitimacy of the access request;
If the first identifier is not found in the local cache of the CDN server, the CDN server sends the access request to an authentication server for authentication;
Wherein the CDN server authenticating the access request locally includes: if the IP address of the access request is identical to one of multiple IP addresses pre-stored in the CDN server, the access request is a legitimate request;
The CDN server sending the access request to the authentication server for authentication includes: if the IP address of the access request is identical to one of multiple IP addresses pre-stored in the authentication server, the access request is a legitimate request.
2. The method according to claim 1, characterized in that the access request further includes the IP address of the access terminal, wherein, if the first identifier is found in the local cache of the CDN server, the CDN server authenticating the access request locally includes:
The CDN server judges whether at least one IP address in the local cache includes the IP address of the access terminal, wherein the at least one IP address corresponds to the first identifier;
If it does, the CDN server determines that the access request is a legitimate request;
If it does not, the CDN server determines that the access request is a hotlinking request.
3. The method according to claim 1, characterized in that the CDN server sending the access request to the authentication server for authentication includes:
If the first identifier is not found in the local cache of the authentication server, the authentication server determines that the access request is a legitimate request and caches the correspondence between the first identifier and the IP address of the access terminal;
If the first identifier is found in the local cache of the authentication server, the authentication server judges whether at least one IP address in the local cache includes the IP address of the access terminal, wherein the at least one IP address corresponds to the first identifier;
If it does, the authentication server determines that the access request is a legitimate request;
If it does not, the authentication server determines that the access request is a hotlinking request.
4. The method according to claim 3, characterized in that, after the CDN server sends the access request to the authentication server for authentication, the method further includes:
The authentication server sends the authentication result to the CDN server, wherein the authentication result includes at least: the IP address of the access terminal of the hotlinking request and the IP address of the access terminal of the legitimate request.
5. The method according to claim 4, characterized in that, after the authentication server sends the authentication result to the CDN server, the method further includes:
The CDN server rate-limits or denies access to the IP address of the access terminal of the hotlinking request.
6. A system of access request authentication, characterized in that the system comprises:
A client, configured to send the access request of an access terminal, wherein the access request includes at least a first identifier for identifying the access request;
A CDN server, configured to receive the access request; if the first identifier is found in the local cache of the CDN server, the CDN server authenticates the access request locally; if the first identifier is not found in the local cache of the CDN server, the CDN server forwards the access request, wherein the authentication is used to determine the legitimacy of the access request;
An authentication server, which establishes a communication relationship with the CDN server and authenticates the access request forwarded by the CDN server;
Wherein the CDN server authenticating the access request locally includes: if the IP address of the access request is identical to one of multiple IP addresses pre-stored in the CDN server, the access request is a legitimate request;
The CDN server sending the access request to the authentication server for authentication includes: if the IP address of the access request is identical to one of multiple IP addresses pre-stored in the authentication server, the access request is a legitimate request.
7. The system according to claim 6, characterized in that the access request further includes the IP address of the access terminal, wherein the CDN server includes:
A first processor, configured to judge whether at least one IP address in the local cache includes the IP address of the access terminal, wherein the at least one IP address corresponds to the first identifier;
If it does, the CDN server determines that the access request is a legitimate request;
If it does not, the CDN server determines that the access request is a hotlinking request.
8. The system according to claim 7, characterized in that the authentication server includes:
A second processor; if the first identifier is not found in the local cache of the authentication server, the authentication server determines that the access request is a legitimate request and caches the correspondence between the first identifier and the IP address of the access terminal;
If the first identifier is found in the local cache of the authentication server, the authentication server judges whether at least one IP address in the local cache includes the IP address of the access terminal, wherein the at least one IP address corresponds to the first identifier;
If it does, the authentication server determines that the access request is a legitimate request;
If it does not, the authentication server determines that the access request is a hotlinking request.
9. The system according to claim 8, characterized in that the authentication server further includes:
A communication device, configured to send the authentication result to the CDN server, wherein the authentication result includes at least: the IP address of the access terminal of the hotlinking request and the IP address of the access terminal of the legitimate request.
10. The system according to claim 9, characterized in that the first processor is also configured to rate-limit or deny access to the IP address of the access terminal of the hotlinking request.
CN201510703837.7A 2015-10-26 2015-10-26 The method and system of access request authentication Active CN105357190B (en)

Publications (2)

Publication Number Publication Date
CN105357190A CN105357190A (en) 2016-02-24
CN105357190B true CN105357190B (en) 2018-12-07

Family

ID=55333054

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant