CN105429978B - Data access method, equipment and system - Google Patents

Info

Publication number: CN105429978B
Authority: CN (China)
Prior art keywords: server, application platform, module, authentication information, access
Legal status: Active (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Application number: CN201510781737.6A
Other languages: Chinese (zh)
Other versions: CN105429978A (en)
Inventors: 张舜华, 王伟, 赵金鑫, 何小锋, 包辰明, 李响, 梁可尊, 刘威, 谢潇宇, 王力
Current Assignee: China Construction Bank Corp (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Original Assignee: China Construction Bank Corp
Priority date: 2015-11-13 (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date: 2015-11-13
Publication date: 2018-10-30

Events
2015-11-13: Application filed by China Construction Bank Corp; priority to CN201510781737.6A
2016-03-23: Publication of CN105429978A
2018-10-30: Application granted; publication of CN105429978B
Legal status: Active

Classifications

    • H ELECTRICITY
      • H04 ELECTRIC COMMUNICATION TECHNIQUE
        • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
          • H04L 63/00 Network architectures or network communication protocols for network security
            • H04L 63/08 ... for authentication of entities
              • H04L 63/0892 ... for authentication of entities by using authentication-authorization-accounting [AAA] servers or protocols
            • H04L 63/10 ... for controlling access to devices or network resources

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Business, Economics & Management (AREA)
  • Accounting & Taxation (AREA)
  • Storage Device Security (AREA)

Abstract

The present invention provides a data access method, device and system. The method comprises: an application platform obtains authentication information from a server of a first system; the application platform accesses data on a server of a second system using the obtained authentication information. By using the server of a system other than the open system as the authorization server that generates the authentication information, the invention keeps the roles of authorization server and resource server separate without requiring the open system to set up a dedicated authorization server, which reduces hardware cost.

Description

Data access method, equipment and system
Technical field
The present invention relates to the field of communications, and more particularly to a data access method, device and system.
Background art
With the development of the Internet, Internet systems have grown ever larger and data volumes have increased rapidly. To let third-party applications take part in building the system and enrich its applications, major Internet systems such as WeChat and Sina Weibo all support the OAuth 2.0 (Open Authorization) protocol in order to build their own ecosystems. OAuth 2.0 is an open standard that allows a third-party application to access the various information a user has stored at a service provider, on the premise that the user authorizes it.
However, in the prior art an open Internet system that supports OAuth 2.0 must set up two servers: an authorization server for generating authentication information and a resource server for storing resources. An Internet system that supports OAuth 2.0 therefore incurs higher hardware and software costs in its early development.
Summary of the invention
To solve the above technical problems, the present invention provides a data access method, device and system.
In one aspect, embodiments of the present invention provide a data access method, the method comprising:
an application platform obtains authentication information from a server of a first system;
the application platform accesses data on a server of a second system using the obtained authentication information.
Correspondingly, an embodiment of the present invention provides an application platform, the application platform comprising:
an acquisition module for obtaining authentication information from the server of the first system; and
an access module for accessing data on the server of the second system using the authentication information obtained by the acquisition module.
In another aspect, an embodiment of the present invention provides a data access method, the method comprising:
the server of the first system generates authentication information and verification information;
the server of the first system sends the generated authentication information to the application platform and sends the generated verification information to the server of the second system, so that the application platform can access data on the server of the second system using the authentication information.
In a further aspect, an embodiment of the present invention provides a data access method, the method comprising:
the server of the second system receives the verification information sent by the server of the first system and an access request sent by the application platform;
the server of the second system parses authentication information from the access request;
the server of the second system performs verification processing on the application platform according to the authentication information and the verification information;
if the verification passes, the server of the second system sends the data corresponding to the access request to the application platform.
In yet another aspect, an embodiment of the present invention provides a data access system, the system comprising: the application platform described above, a server located in the first system, and a server located in the second system; wherein
the server of the first system comprises:
a generation module for generating authentication information and verification information, and
a sending module for sending the authentication information generated by the generation module to the application platform and sending the verification information generated by the generation module to the server of the second system, so that the application platform can access data on the server of the second system using the authentication information;
the server of the second system comprises:
a receiving module for receiving the verification information sent by the server of the first system and the access request sent by the application platform,
a parsing module for parsing authentication information from the access request received by the receiving module,
an authentication module for performing verification processing on the application platform according to the authentication information parsed by the parsing module and the verification information received by the receiving module, and
a sending module for sending the data corresponding to the access request to the application platform when the authentication module determines that the verification passes.
By implementing the data access method, device and system provided by the invention, the server of a system other than the open system can serve as the authorization server that generates authentication information. The open system thus keeps the roles of authorization server and resource server separate without having to set up a dedicated authorization server, which reduces hardware cost.
Brief description of the drawings
Fig. 1 is a flow chart of a data access method according to an embodiment of the present invention;
Fig. 2 shows an implementation of step S110 shown in Fig. 1;
Fig. 3 is a flow chart of another data access method according to an embodiment of the present invention;
Fig. 4 shows an implementation of step S210 shown in Fig. 3;
Fig. 5 is a flow chart of another data access method according to an embodiment of the present invention;
Fig. 6 is a flow chart of another data access method according to an embodiment of the present invention;
Fig. 7 is an architecture diagram of a data access system according to an embodiment of the present invention;
Fig. 8 shows a schematic structural diagram of the application platform 100 shown in Fig. 7;
Fig. 9 shows a schematic structural diagram of the acquisition module 110 shown in Fig. 8;
Fig. 10 shows a schematic structural diagram of the server 200 shown in Fig. 7;
Fig. 11 shows a schematic structural diagram of the generation module 210 shown in Fig. 10;
Fig. 12 shows a schematic structural diagram of the server 300 shown in Fig. 7.
Detailed description of the embodiments
To make the purpose, technical solution and advantages of the embodiments of the present invention clearer, the present invention is described in further detail below with reference to the accompanying drawings.
Fig. 1 is a flow chart of a data access method according to an embodiment of the present invention. Referring to Fig. 1, the method comprises:
S110: the application platform obtains authentication information from the server of the first system. Preferably, the second system can be an existing system.
S120: the application platform accesses data on the server of the second system (an open system) using the obtained authentication information.
In embodiments of the present invention, the authentication information can be, for example, an access token or the ciphertext of an access token.
As shown in Fig. 2, in embodiments of the present invention, step S110 can be implemented as follows:
S111: the application platform invokes the login page of the first system, so that the server of the first system receives the user's login information through the login page and judges the authorization status of the application platform according to the login information.
S112: the application platform receives the authentication information that the server of the first system generates and sends after determining that the authorization status of the application platform is "authorized".
Fig. 3 is a flow chart of another data access method according to an embodiment of the present invention. Referring to Fig. 3, the method comprises:
S210: the server of the first system generates authentication information and verification information. Preferably, the second system can be an existing system.
S220: the server of the first system sends the generated authentication information to the application platform and sends the generated verification information to the server of the second system, so that the application platform can access data on the server of the second system using the authentication information.
As shown in Fig. 4, in embodiments of the present invention, step S210 can be implemented as follows:
S211: the server of the first system receives the user's login information.
S212: the server of the first system verifies, according to the received login information, whether the user has authorized the application platform to access at least part of the user's data on the server of the third system; if so, S213 is executed, otherwise the process returns to S211.
S213: the server of the first system generates authentication information and verification information.
In embodiments of the present invention, the server of the first system can generate an access token and use the access token as both the authentication information and the verification information; alternatively, it can encrypt the access token with the key of the application platform, use the ciphertext of the access token as the authentication information, use the plaintext of the access token as the verification information, and send the key to the server of the second system.
Fig. 5 is a flow chart of another data access method according to an embodiment of the present invention. Referring to Fig. 5, the method comprises:
S310: the server of the second system receives the verification information sent by the server of the first system and the access request sent by the application platform. Preferably, the second system can be an existing system.
S320: the server of the second system parses authentication information from the access request.
S330: the server of the second system performs verification processing on the application platform according to the authentication information and the verification information; if the verification passes, S340 is executed, and if the verification fails, S350 is executed.
S340: the server of the second system sends the data corresponding to the access request to the application platform, and the process returns to S310.
S350: the server of the second system identifies the current access as a false access and adjusts the false-access count of the application platform.
S360: the server of the second system judges whether the adjusted false-access count is greater than or equal to a predetermined threshold; if so, S370 is executed, otherwise the process returns to S310.
S370: the server of the second system blocks the application platform, and the process returns to S310.
Of course, the implementation of the present invention is not limited to this: when the verification result of step S330 is a failure, the access of the application platform can also be refused directly and a corresponding message prompted, after which the process returns to S310.
The process flow of the data access method of the present invention is described in detail below, taking as an example that the first system is the application market from which the application platform is purchased. As shown in Fig. 6, the method comprises:
S410: after the user initiates a login operation, the application platform (a third-party application) invokes the login page of the first system (which can be, for example, the application market from which the application platform is purchased).
S420: the server of the first system receives the user's login information (including information such as user name and password) through the login page and judges, according to the user's login information, whether the user has purchased the application platform (in the embodiments of the present invention, as long as the user has purchased a system, the user is deemed by default to have authorized that system to access the data the user has stored at the service provider); if so, S430 is executed, otherwise the process returns to S410.
In embodiments of the present invention, the server of the first system can judge directly from the user's login information whether authorization has been granted, without requiring the user to perform an authorization operation each time before authentication information is generated.
S430: the server of the first system generates an access token, encrypts the access token with the key of the application platform, and uses the ciphertext of the access token as the authentication information and the plaintext of the access token as the verification information.
In embodiments of the present invention, the server of the first system can, for example, use the session identifier of the logged-in user as the access token.
S440: the server of the first system sends the authentication information to the application platform and sends the verification information and the key to the server of the second system (an open system).
S450: the application platform sends an access request carrying the authentication information to the server of the second system.
In embodiments of the present invention, the application platform can, for example, store the authentication information as a cookie (data stored on the user's local terminal) and carry the cookie when accessing the server of the second system. In this regard, the application platform, the first system and the second system must share the same second-level domain name space, to overcome the problem that a cookie cannot be sent across domain names.
S460: the server of the second system parses the authentication information from the access request and performs verification processing on the application platform according to the authentication information and the verification information; if the verification passes, S470 is executed, and if the verification fails, S480 is executed.
The verification processing can be implemented as follows: the server of the second system decrypts the authentication information with the key and matches the decrypted authentication information against the verification information; if they match, the verification passes, and if they do not match, the verification fails.
S470: the server of the second system sends the data corresponding to the access request to the application platform, and the process returns to S410.
S480: the server of the second system identifies the current access as a false access and adjusts the false-access count of the application platform.
S490: the server of the second system judges whether the adjusted false-access count is greater than or equal to a predetermined threshold; if so, S500 is executed, otherwise the process returns to S410.
S500: the server of the second system blocks the application platform, and the process returns to S410.
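The S410 to S500 flow above, simulated end to end as an added example (not code from the patent): server 200 treats a purchase as authorization and splits the token into ciphertext for the application and plaintext for server 300, which decrypts, compares, and blocks the application once its false-access count reaches the threshold. The cipher (a SHA-256 counter-mode XOR stream), the 12-byte nonce, the per-application counter and all names and sample values are assumptions; the patent specifies none of them.

```python
"""Simulation of the CN105429978B flow (S410 to S500) with its three parties.

Added example, not code from the patent. Assumptions, labelled: the cipher is
a stand-in SHA-256 counter-mode XOR stream with a 12-byte nonce (the patent
names no cipher and no nonce); the false-access counter is kept per app."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

NONCE_LEN = 12


def xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in symmetric cipher: XOR data with a SHA-256 counter keystream.
    Symmetric, so the same call encrypts (S430) and decrypts (S460)."""
    out = bytearray()
    for off in range(0, len(data), 32):
        ks = hashlib.sha256(key + nonce + off.to_bytes(4, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[off:off + 32], ks))
    return bytes(out)


@dataclass
class FirstSystem:
    """Server 200: the existing system (e.g. an app market) acting as the
    authorization server. It never stores the user's resource data."""
    app_keys: dict     # app_id -> key shared with the application platform
    purchases: dict    # user -> set of purchased app_ids (S420 authorization rule)

    def login(self, user: str, app_id: str):
        """S420/S430: a purchase counts as authorization; mint a token and split
        it into authentication information (ciphertext) and verification
        information (plaintext). Returns None if the app was not purchased."""
        if app_id not in self.purchases.get(user, set()):
            return None
        token = secrets.token_bytes(16)         # S430: session id used as token
        nonce = secrets.token_bytes(NONCE_LEN)  # assumption: fresh nonce per token
        auth_info = nonce + xor_stream(self.app_keys[app_id], nonce, token)
        return auth_info, token


@dataclass
class SecondSystem:
    """Server 300: the open system acting as the resource server."""
    threshold: int = 3                                # S490 predetermined threshold
    data: dict = field(default_factory=dict)          # resource -> content
    app_keys: dict = field(default_factory=dict)      # received in S440
    verify_info: dict = field(default_factory=dict)   # app_id -> set of plaintext tokens
    false_access: dict = field(default_factory=dict)  # S480 counter per app
    blocked: set = field(default_factory=set)         # S500 blocked apps

    def receive_verification(self, app_id: str, key: bytes, token: bytes) -> None:
        """S440 receiving side: store the key and the plaintext token."""
        self.app_keys[app_id] = key
        self.verify_info.setdefault(app_id, set()).add(token)

    def handle_request(self, app_id: str, auth_info: bytes, resource: str):
        """S460 to S500: decrypt, match in constant time, count false accesses."""
        if app_id in self.blocked:
            return "blocked"
        key = self.app_keys.get(app_id)
        nonce, ciphertext = auth_info[:NONCE_LEN], auth_info[NONCE_LEN:]
        matched = False
        if key is not None:
            token = xor_stream(key, nonce, ciphertext)
            # compare_digest keeps the match from leaking through timing.
            matched = any(hmac.compare_digest(token, t)
                          for t in self.verify_info.get(app_id, ()))
        if matched:
            return self.data.get(resource)                                # S470
        self.false_access[app_id] = self.false_access.get(app_id, 0) + 1  # S480
        if self.false_access[app_id] >= self.threshold:                   # S490
            self.blocked.add(app_id)                                      # S500
        return "denied"


def run_demo() -> dict:
    """Constructed scenario: one purchased app with a valid token, then a
    client presenting garbage authentication information until it is blocked."""
    app_key = secrets.token_bytes(32)
    first = FirstSystem(app_keys={"app-1": app_key},
                        purchases={"alice": {"app-1"}, "bob": set()})
    second = SecondSystem(threshold=3, data={"/profile": "alice's profile"})
    results = {}
    results["unpurchased"] = first.login("bob", "app-1")            # S420 fails
    auth_info, token = first.login("alice", "app-1")                # S430
    second.receive_verification("app-1", app_key, token)            # S440
    results["valid"] = second.handle_request("app-1", auth_info, "/profile")
    bogus = secrets.token_bytes(len(auth_info))
    results["bogus"] = [second.handle_request("app-1", bogus, "/profile")
                        for _ in range(3)]                          # S480-S500
    results["after_block"] = second.handle_request("app-1", auth_info, "/profile")
    results["false_access"] = second.false_access["app-1"]
    return results


if __name__ == "__main__":
    print(run_demo())
```

Because server 300 compares the decrypted token against the stored plaintext, a tampered or forged ciphertext simply fails to match, which is what drives the S480 counter.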
Fig. 7 is an architecture diagram of a data access system according to an embodiment of the present invention. Referring to Fig. 7, the system comprises: an application platform (a third-party application) 100, a server 200 located in the first system, and a server 300 located in the second system, where the second system is an open system that supports an open standard and, preferably, the first system can be an existing system. Specifically:
The application platform 100 is configured to perform the following operations: obtain authentication information from the server 200; access data on the server 300 using the obtained authentication information.
In embodiments of the present invention, the operations to be performed by the application platform 100 are executed, for example, on the client side of the application platform 100.
The server 200 is configured to perform the following operations: generate authentication information and verification information; send the generated authentication information to the application platform 100 and send the generated verification information to the server 300, so that the application platform 100 can access data on the server 300 using the authentication information.
The server 300 is configured to perform the following operations: receive the verification information sent by the server 200 and the access request sent by the application platform 100; parse authentication information from the access request; perform verification processing on the application platform 100 according to the authentication information and the verification information; if the verification passes, send the data corresponding to the access request to the application platform 100.
Fig. 8 shows a schematic structural diagram of the application platform 100 shown in Fig. 7. Referring to Fig. 8, the application platform 100 comprises an acquisition module 110 and an access module 120. Specifically:
The acquisition module 110 is configured to obtain authentication information from the server 200.
The access module 120 is configured to access data on the server 300 using the authentication information obtained by the acquisition module 110.
In embodiments of the present invention, the acquisition module 110 and the access module 120 can both be deployed, for example, on the client side.
As shown in Fig. 9, in embodiments of the present invention, the acquisition module 110 may comprise an invoking unit 111 and a receiving unit 112. Specifically:
The invoking unit 111 is configured to invoke the login page of the first system, so that the server 200 receives the user's login information through the login page and judges the authorization status of the application platform 100 according to the login information;
The receiving unit 112 is configured to receive the authentication information that the server 200 generates and sends after determining that the authorization status of the application platform 100 is "authorized".
Fig. 10 shows a schematic structural diagram of the server 200 shown in Fig. 7. Referring to Fig. 10, the server 200 comprises a generation module 210 and a sending module 220. Specifically:
The generation module 210 is configured to generate authentication information and verification information.
The sending module 220 is configured to send the authentication information generated by the generation module 210 to the application platform 100 and to send the verification information generated by the generation module 210 to the server 300, so that the application platform 100 can access data on the server 300 using the authentication information.
As shown in Fig. 11, in embodiments of the present invention, the generation module 210 may comprise a receiving unit 211, an authentication unit 212 and a generation unit 213. Specifically:
The receiving unit 211 is configured to receive the user's login information.
The authentication unit 212 is configured to verify, according to the login information received by the receiving unit 211, whether the user has authorized the application platform 100 to access at least part of the user's data on the server 300.
The generation unit 213 is configured to generate authentication information and verification information when the authentication unit 212 verifies that authorization has been granted.
In embodiments of the present invention, the server 200 can generate an access token and use the access token as both the authentication information and the verification information; alternatively, it can encrypt the access token with the key of the application platform, use the ciphertext of the access token as the authentication information, use the plaintext of the access token as the verification information, and send the key to the server 300.
Fig. 12 shows a schematic structural diagram of the server 300 shown in Fig. 7. Referring to Fig. 12, the server 300 comprises a receiving module 310, a parsing module 320, an authentication module 330, a sending module 340, an identification and adjustment module 350, a judgment module 360 and a blocking module 370. Specifically:
The receiving module 310 is configured to receive the verification information sent by the server 200 and the access request sent by the application platform 100.
The parsing module 320 is configured to parse authentication information from the access request received by the receiving module 310.
The authentication module 330 is configured to perform verification processing on the application platform 100 according to the authentication information parsed by the parsing module 320 and the verification information received by the receiving module 310.
The sending module 340 is configured to send the data corresponding to the access request to the application platform 100 when the authentication module 330 determines that the verification passes.
The identification and adjustment module 350 is configured to identify the current access as a false access and adjust the false-access count of the application platform 100 when the authentication module 330 determines that the verification has failed.
The judgment module 360 is configured to judge whether the false-access count adjusted by the identification and adjustment module 350 is greater than or equal to a predetermined threshold.
The blocking module 370 is configured to block the application platform 100 when the judgment result of the judgment module 360 is that the adjusted false-access count is greater than or equal to the predetermined threshold.
Of course, the implementation of the present invention is not limited to this. For example, the identification and adjustment module 350, the judgment module 360 and the blocking module 370 can be replaced by a prompting module configured to refuse the access of the application platform 100 and prompt the refusal and a corresponding message when the authentication module 330 determines that the verification has failed.
By implementing the data access method, device and system provided by the invention, the server of a system other than the open system can serve as the authorization server that generates authentication information. The open system thus keeps the roles of authorization server and resource server separate without having to set up a dedicated authorization server, which reduces hardware cost.
From the above description of the embodiments, those skilled in the art can clearly understand that the present invention can be implemented by software in combination with a hardware platform. Based on this understanding, the technical solution of the present invention, or the part of it that contributes over the background art, can be embodied in whole or in part in the form of a software product. The software product can be stored in a storage medium such as a ROM/RAM, a magnetic disk or an optical disc and includes instructions that cause a computer device (which can be a personal computer, a server, a smart phone or a network device, etc.) to execute the method described in the embodiments of the present invention or in certain parts of the embodiments.
The terms and wording used in the description of the present invention are for illustration only and are not intended to be limiting. Those skilled in the art should appreciate that various changes can be made to the details of the above embodiments without departing from the basic principles of the disclosed embodiments. Therefore, the scope of the present invention is determined only by the claims, in which, unless otherwise stated, all terms should be understood in their broadest reasonable meaning.

Claims (2)

1. A data access method, characterized in that the method comprises:
a server of a second system receives verification information sent by a server of a first system and an access request sent by an application platform;
the server of the second system parses authentication information from the access request;
the server of the second system performs verification processing on the application platform according to the authentication information and the verification information;
if the verification passes, the server of the second system sends data corresponding to the access request to the application platform;
if the verification fails, the server of the second system identifies the current access as a false access and adjusts a false-access count of the application platform;
the server of the second system judges whether the adjusted false-access count is greater than or equal to a predetermined threshold;
if the adjusted false-access count is greater than or equal to the predetermined threshold, the server of the second system blocks the application platform; wherein
the server of the first system judges the authorization status of the application platform according to the user's login information and generates the authentication information when the authorization status is "authorized".
2. A data access system, characterized in that the system comprises:
an application platform, a server located in a first system, and a server located in a second system; wherein
the application platform comprises:
an acquisition module for obtaining authentication information from the server located in the first system, and
an access module for accessing data on the server located in the second system using the authentication information obtained by the acquisition module;
the server located in the first system comprises:
a generation module for generating authentication information and verification information, and
a sending module for sending the authentication information generated by the generation module to the application platform and sending the verification information generated by the generation module to the server of the second system, so that the application platform can access data on the server of the second system using the authentication information; wherein
the server of the first system judges the authorization status of the application platform according to the user's login information and generates the authentication information when the authorization status is "authorized";
the server located in the second system comprises:
a receiving module for receiving the verification information sent by the server of the first system and the access request sent by the application platform,
a parsing module for parsing authentication information from the access request received by the receiving module,
an authentication module for performing verification processing on the application platform according to the authentication information parsed by the parsing module and the verification information received by the receiving module,
a sending module for sending data corresponding to the access request to the application platform when the authentication module determines that the verification passes,
an identification and adjustment module for identifying the current access as a false access and adjusting the false-access count of the application platform when the authentication module determines that the verification has failed,
a judgment module for judging whether the false-access count adjusted by the identification and adjustment module is greater than or equal to a predetermined threshold, and
a blocking module for blocking the application platform when the judgment result of the judgment module is that the adjusted false-access count is greater than or equal to the predetermined threshold.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201510781737.6A CN105429978B (en) 2015-11-13 2015-11-13 Data access method, equipment and system

Publications (2)

Publication Number Publication Date
CN105429978A CN105429978A (en) 2016-03-23
CN105429978B true CN105429978B (en) 2018-10-30

Family

ID=55507920

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201510781737.6A Active CN105429978B (en) 2015-11-13 2015-11-13 Data access method, equipment and system

Country Status (1)

Country Link
CN (1) CN105429978B (en)

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10454672B2 (en) * 2017-05-25 2019-10-22 Facebook, Inc. Systems and methods for preventing session fixation over a domain portal
CN110022279B (en) * 2018-01-08 2021-11-26 普天信息技术有限公司 Method and system for authentication in micro-service system
WO2020102974A1 (en) * 2018-11-20 2020-05-28 深圳市欢太科技有限公司 Data access method, data access apparatus, and mobile terminal
CN112104588A (en) * 2019-06-17 2020-12-18 北京车和家信息技术有限公司 Login authentication method and system, terminal and server

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102739708A (en) * 2011-04-07 2012-10-17 腾讯科技(深圳)有限公司 System and method for accessing third party application based on cloud platform
CN103685139A (en) * 2012-08-30 2014-03-26 中兴通讯股份有限公司 Authentication and authorization processing method and device

Also Published As

Publication number Publication date
CN105429978A (en) 2016-03-23

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant