Specific embodiment
As stated in the Background Art, in the prior art the judgement of whether an illegal user has tampered with parameters in order to obtain the private data of other users is usually made by the backend service server, which must query the database according to the ID of the user currently to be verified in order to determine whether the logged-in user is allowed to access the associated data. This not only consumes database and server resources and degrades performance, but also requires developers to write different database verification logic for each parameter according to the business scenario, which makes the arrangement very complicated. For this reason, the present applicant proposes an authority checking method in which a signature is implanted before the user accesses the page, so that the links on the page carry a signature parameter; whether the parameters are legal is subsequently judged according to the signature in the link that is sent, and any request forged by a user is directly refused. No complex logic such as database checking is needed for the judgement, so efficiency is improved while security is guaranteed.
As shown in Figure 1, the flow chart of the authority checking method proposed by the application comprises the following steps:
S101: receiving a page access request sent by a client, the page access request being generated by the client according to an operation of a user on an initial authorization page, wherein the service link in the initial authorization page contains signature information, and the signature information is generated by the server after confirming that the user has logged in successfully.
Since authority checking verifies the subsequent accesses made after the user has first logged in successfully, before this step the server also receives a login request sent by the client, the login request carrying the login information of the user. When it is judged according to the login information that the user has logged in successfully, signature information corresponding to the user is generated and implanted into the service link in the initial authorization page.
In a preferred embodiment of the application, the signature information may be produced by concatenating the signature ingredients and performing signature processing on the concatenated result; the encrypted string generated after the signature processing is then used as the signature information.
It should be noted that the service link includes the URL link and the business form of the business, and that the signature ingredients include at least the following types: the sorted parameters, the personal information of the user, and the server key.
Meanwhile, in order to save network resources, after this step it may first be judged whether the link carried in the request needs verification at all. Specifically, the service link of the initial authorization page carried in the page access request is obtained first; then it is recognized whether the service link needs signature verification; and the request is processed according to the following cases:
(1) when it is recognized that the service link needs signature verification, the signature information carried in the page access request continues to be obtained;
(2) when it is recognized that the service link does not need signature verification, the authority check is confirmed to have passed.
S102: obtaining the signature information of the service link carried in the page access request.
S103: judging whether the signature information corresponding to the user is consistent with the signature information carried in the page access request.
S104: when the signature information corresponding to the user is consistent with the signature information carried in the page access request, confirming that the authority check has passed.
In order to further expound the technical idea of the application, the technical scheme of the application is described with reference to the application scenario shown in Figure 2. After logging in to the website, the user enters an initial authorization page, and signatures are implanted into all subsequent service links in the page content. Specifically, the functions of the modules in Figure 2 are as follows:
Signature module: responsible for generating the signature. The generation procedure sorts the parameters, adds the current user's information, adds the server key, concatenates all of the above information and computes an MD5 signature over it. The resulting encrypted string is sign = md5(sorted parameters + user + key).
Page rendering module: implants the signature of the key page parameters into the initial authorization web page through a template plug-in.
Interception module: responsible for controlling which URL links need signature authentication.
Signature verification module: signs the parameters transmitted by the page and judges whether the computed sign equals the signature transmitted by the page.
Based on the arrangement of the above modules, the flow chart of this specific embodiment is shown in Figure 3, and the specific authority checking flow is as follows:
Step a) When the user initially accesses the page, the server signs the dynamic parameters in the web page template, implants the signature into the page, and outputs the page to the user.
In this step, the user first initiates a page access request to the page rendering module through the client. The page rendering module judges whether the user is currently logged in successfully; if the user has logged in successfully, the interception module notifies the signature module to dynamically generate a signature. After the signature module has finished generating the signature, it returns the generated signature to the interception module; the interception module assembles the result page, implants the signature returned by the signature module into the links in the page, and returns the initial page to the user.
It should be noted that in the above signature generation process, a group of default parameters may be taken as candidate signature inputs, with the parameters selected successively in a specified order (ascending, descending, etc.) when a signature needs to be generated; or an exclusive signature may be generated by combining the information of the current user with the UID; or a private key preset in the server may be used as signature input, with the MD5 code derived from it serving as the signature. All of these fall within the protection scope of the application.
Additionally, in a specific application scenario, the format of the link generated on the page is as follows:
http://abc.com?Id=1&param=abc&sign=DsadfdkfjXXXX
Step b) The user operates on the page; in the page, the service links that involve private data contain the signature.
When the user needs to access a page again, the user submits the URL parameters of the page to be accessed, and the page rendering module instructs the interception module to intercept the user's page access request. In this specific embodiment, the URL parameters carry the signature that needs verification.
Step c) The server side identifies, through interception, whether the current service link needs signature verification.
For the intercepted page access request, the interception module judges, according to the link the user requires to access, whether the service link needs to be verified; if so, the subsequent steps continue, otherwise the page access request is passed through.
Step d) If the user accesses normally, the signature generated a second time by the server is consistent with the one previously implanted in the page; otherwise the access is deemed unauthorized and the interceptor refuses to let the user enter the business page.
Based on the URL parameters carrying the signature information obtained through the above steps, the interception module sends the signature information therein to the authentication module; the authentication module instructs the signature module to generate the signature a second time, and verifies the generated signature against the signature obtained from the interception module. In this specific embodiment, the verification may compare whether the two are identical: if identical, authentication passes; otherwise authentication does not pass.
Regardless of the authentication result, the authentication module returns the result to the interception module. The interception module then returns the corresponding message to the page rendering module according to the result: if verification fails, the page rendering module receives an unauthorized result; if verification passes, it receives an authorized result. The page rendering module displays these results to the user through the client.
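The following is an added example, not code from the application, that models the signature module, the page rendering step, the interception module's decision about which links need verification (the two cases listed after step S101), and the second-generation comparison of step d). The server key, the set of protected paths, the function names and the sample link are assumptions constructed for the example; the signature follows the formula the application gives, sign = md5(sorted parameters + user + key), and the user identity used when re-generating the signature comes from the server's own login state, never from the request.

```python
import hashlib
import hmac
from urllib.parse import urlencode, urlsplit, parse_qsl

# Constructed values for the example; a real server keeps its key secret.
SERVER_KEY = "example-server-key"
# Paths whose links the interception module subjects to signature checking
# (the "needs verification" decision); everything else is passed through.
PROTECTED_PATHS = {"/profile", "/orders"}


def build_signature(params, user, key=SERVER_KEY):
    """Signature module: sign = md5(sorted parameters + user + key).

    The parameters are sorted by name so that client-side reordering of the
    query string does not change the signature; 'sign' itself is excluded.
    """
    sorted_params = "&".join(
        f"{k}={v}" for k, v in sorted(params.items()) if k != "sign"
    )
    material = sorted_params + user + key
    return hashlib.md5(material.encode()).hexdigest()


def implant_signature(base_url, params, user):
    """Page rendering step: append sign=... to a service link before output."""
    signed = dict(params)
    signed["sign"] = build_signature(params, user)
    return f"{base_url}?{urlencode(signed)}"


def needs_verification(url):
    """Interception module: only links to protected paths are verified."""
    return urlsplit(url).path in PROTECTED_PATHS


def verify_link(url, logged_in_user):
    """Step d): regenerate the signature server-side and compare.

    `logged_in_user` is the identity the server established at login, so a
    request that changes the parameters (e.g. another user's id) no longer
    matches the signature that was implanted for this user.
    """
    if not needs_verification(url):
        return True  # case (2): no signature check required, access passes
    params = dict(parse_qsl(urlsplit(url).query, keep_blank_values=True))
    carried = params.pop("sign", None)
    if carried is None:
        return False  # protected link without a signature is refused
    expected = build_signature(params, logged_in_user)
    # Constant-time comparison avoids leaking the expected value via timing.
    return hmac.compare_digest(expected, carried)


if __name__ == "__main__":
    link = implant_signature("http://abc.com/profile",
                             {"id": "1", "param": "abc"}, "alice")
    print(link)
    print("original link verifies:", verify_link(link, "alice"))
    print("tampered id verifies:", verify_link(link.replace("id=1", "id=2"), "alice"))
    print("unprotected link passes:", verify_link("http://abc.com/help?topic=faq", "alice"))
```

The comparison uses hmac.compare_digest rather than ==, and the signature is recomputed from the server's own record of who is logged in, so a link copied from one user's page does not verify for another. The example keeps the MD5 concatenation the application describes; in a new design the same construction is normally done with HMAC-SHA256 keyed by the server key, which gives the same tamper-detection property with a standard MAC.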
By adopting the above technical scheme, since the signature information is implanted in the page links in advance, whether the user currently accessing is legal can subsequently be verified by comparison against the signature information in the link when the user accesses it, thereby preventing an illegal user from obtaining the private data of other users by tampering with parameters and improving network security.
In another aspect, to achieve the above technical purpose, the application also proposes a server, as shown in Figure 3, which includes:
a receiving module 410, for receiving a page access request sent by a client, the page access request being generated by the client according to an operation of a user on an initial authorization page, wherein the service link in the initial authorization page contains signature information, and the signature information is generated by the server after confirming that the user has logged in successfully;
an acquisition module 420, for obtaining the signature information of the service link carried in the page access request;
a judgement module 430, for judging whether the signature information corresponding to the user is consistent with the signature information carried in the page access request, and for confirming that the authority check has passed when the signature information corresponding to the user is consistent with the signature information carried in the page access request.
In a specific application scenario, the server further includes:
a generation module, for receiving a login request sent by the client, the login request carrying the login information of the user, and for generating signature information corresponding to the user when it is judged according to the login information that the user has logged in successfully, and implanting the signature information into the service link in the initial authorization page.
In a specific application scenario, the generation module is specifically for:
concatenating the signature ingredients and performing signature processing on the concatenated result; and
using the encrypted string generated after the signature processing as the signature information.
In a specific application scenario, the server further includes:
an identification module, for obtaining the service link of the initial authorization page carried in the page access request, recognizing whether the service link needs signature verification, continuing to obtain the signature information carried in the page access request when it is recognized that the service link needs signature verification, and confirming that the authority check has passed when it is recognized that the service link does not need signature verification.
In a specific application scenario, the service link includes the URL link and the business form, and the signature ingredients include at least the following types:
the sorted parameters, the personal information of the user, and the server key.
Specifically, the server performs the authority checking method described in the above embodiment according to instructions, which will not be described again here.
With the authority checking method and server provided by the application, since the signature information is implanted in the page links in advance, whether the user currently accessing is legal can subsequently be verified by comparison against the signature information in the link when the user accesses it, so that an illegal user is prevented from obtaining the private data of other users by tampering with parameters, and the security of the network is improved.
Through the above description of the embodiments, those skilled in the art can clearly understand that the application can be implemented by hardware, or by software plus the necessary general hardware platform. Based on this understanding, the technical scheme of the application can be embodied in the form of a software product, which can be stored in a non-volatile storage medium (which can be a CD-ROM, a USB flash disk, a removable hard disk, etc.) and includes a number of instructions for causing a computer device (which can be a personal computer, a server, a network device, etc.) to perform the method described in each implementation scenario of the application.
Those skilled in the art will appreciate that the accompanying drawings are merely schematic diagrams of preferred implementation scenarios, and that the modules or flows in the drawings are not necessarily required to implement the application.
Those skilled in the art will appreciate that the modules in the device of an implementation scenario may be distributed in the device of that implementation scenario according to its description, or may be correspondingly changed and disposed in one or more devices different from this implementation scenario. The modules of the above implementation scenario may be merged into one module, or may be further split into multiple sub-modules.
The sequence numbers in the above application are for description only and do not represent the merits of the implementation scenarios.
The above disclosure is only several specific implementation scenarios of the application, but the application is not limited thereto; any changes that a person skilled in the art can conceive of shall fall within the protection scope of the application.