CN107124431A - Method for authenticating, device, computer-readable recording medium and right discriminating system - Google Patents

Method for authenticating, device, computer-readable recording medium and right discriminating system

Info

Publication number: CN107124431A
Authority: CN (China)
Prior art keywords: client, service, call request, call, calling
Legal status: Granted (active)
Application number: CN201710482304.XA
Other languages: Chinese (zh)
Other versions: CN107124431B (en)
Inventors: 李国喜, 司先锋, 鲁原良
Current assignee: Zhejiang Number Chain Technology Co Ltd
Original assignee: Zhejiang Number Chain Technology Co Ltd
Events: application filed by Zhejiang Number Chain Technology Co Ltd; priority to CN201710482304.XA; publication of CN107124431A; application granted; publication of CN107124431B

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L 63/0823 Network architectures or network communication protocols for network security for authentication of entities using certificates
    • H04L 63/12 Applying verification of the received information
    • H04L 63/126 Applying verification of the received information: the source of the received data
    • H04L 67/00 Network arrangements or protocols for supporting network services or applications
    • H04L 67/50 Network services
    • H04L 67/51 Discovery or management thereof, e.g. service location protocol [SLP] or web services

Abstract

The application provides an authentication method, device, computer-readable storage medium and authentication system. The method can include: receiving a call request sent by a client, the call request being used to call a service on a service end; authenticating the client to determine whether the client has the authority to call the service; and, after the client is authenticated successfully, forwarding the call request to the service end so that the service end responds to the call request and calls the service. Because a security platform authenticates the client that calls the service, only a client that has the authority to call that service can call it, which improves security; at the same time, because the authentication operation is performed by the security platform, the authorities of clients can be managed centrally, which improves management efficiency.

Description

Method for authenticating, device, computer-readable recording medium and right discriminating system
Technical field
The application relates to the field of communication technology, and in particular to an authentication method, device, computer-readable storage medium and authentication system.
Background technology
A system service is a program, routine or process that performs a specified system function in support of other programs. In today's internet industry, however, neither internal nor external services are provided with a security mechanism that encapsulates and protects them: service resources can be called arbitrarily, which creates a serious security risk.
The content of the invention
In view of this, the application provides an authentication method, device, computer-readable storage medium and authentication system that supply services with a security mechanism, so as to resolve the security risk created by service resources being callable arbitrarily.
To achieve this, the application provides the following technical solution:
According to a first aspect of the application, an authentication system is proposed, comprising a client, a service end and a security platform;
the client sends a call request to the security platform, the call request being used to call a service on the service end;
the security platform authenticates the client to determine whether the client has the authority to call the service, and after the client is authenticated successfully forwards the call request to the service end;
the service end responds to the call request and calls the service.
According to a second aspect of the application, an authentication method applied to a security platform is proposed; the method includes:
receiving a call request sent by a client, the call request being used to call a service on a service end;
authenticating the client to determine whether the client has the authority to call the service;
after the client is authenticated successfully, forwarding the call request to the service end so that the service end responds to the call request and calls the service.
According to a third aspect of the application, an authentication device applied to a security platform is proposed; the device includes:
a receiving unit, which receives a call request sent by a client, the call request being used to call a service on a service end;
an authenticating unit, which authenticates the client to determine whether the client has the authority to call the service;
a forwarding unit, which, after the client is authenticated successfully, forwards the call request to the service end so that the service end responds to the call request and calls the service.
According to a fourth aspect of the application, a computer-readable storage medium is proposed on which computer instructions are stored; when the instructions are executed by a processor, the steps of the method of any of the above technical solutions are implemented.
From the above technical solution, the security platform authenticates the client that calls a service, so that only a client with the authority to call that service can call it, which improves security; at the same time, because the authentication operation is performed by the security platform, the authorities of clients can be managed centrally, which improves management efficiency.
Brief description of the drawings
Fig. 1 is a flow chart of calling a service in the related art.
Fig. 2 is a schematic diagram of calling services through a unified gateway in the related art.
Fig. 3 is a flow chart of an authentication method according to an exemplary embodiment of the application.
Fig. 4 is a schematic diagram of a network architecture according to an exemplary embodiment of the application.
Fig. 5 is a flow chart of another authentication method according to an exemplary embodiment of the application.
Fig. 6 is a schematic diagram of the correspondence between services and clients recorded by the security platform according to an exemplary embodiment of the application.
Fig. 7 is a flow chart of authentication in certificate mode according to an exemplary embodiment of the application.
Fig. 8 is a schematic structural diagram of an electronic device according to an exemplary embodiment of the application.
Fig. 9 is a block diagram of an authentication device according to an exemplary embodiment of the application.
Embodiment
Exemplary embodiments will now be described in detail, with examples shown in the accompanying drawings. Where the following description refers to the drawings, the same numerals in different drawings denote the same or similar elements unless otherwise indicated. The implementations described in the following exemplary embodiments do not represent all implementations consistent with the application; they are merely examples of apparatus and methods consistent with some aspects of the application as detailed in the appended claims.
The terms used in the application are for the purpose of describing particular embodiments only and are not intended to limit the application. The singular forms "a", "said" and "the" used in the application and the appended claims are also intended to include the plural forms unless the context clearly indicates otherwise. It should also be understood that the term "and/or" as used herein refers to and encompasses any or all possible combinations of one or more of the associated listed items.
It should be understood that although the terms first, second, third and so on may be used in the application to describe various information, this information should not be limited by these terms. These terms are only used to distinguish information of the same type from each other. For example, without departing from the scope of the application, first information may also be called second information and, similarly, second information may also be called first information. Depending on the context, the word "if" as used herein may be interpreted as "when", "upon" or "in response to determining".
An application usually contains multiple services (for example, the "Alipay" application contains services such as payment, transfer and withdrawal), and in the related art a service is called on a service-to-service basis. Refer to Fig. 1, which is a flow chart of calling a service in the related art. As shown in Fig. 1, the calling procedure may include the following steps:
Step 102: service A computes a securitykey value from the request parameters using a preset algorithm.
Here it is assumed that service A calls service B, i.e. service A is the service caller. Below, the securitykey value is abbreviated as the sk value.
Step 104: service A sends a call request to service B.
The call request carries the request parameters and the sk value.
Step 106: after receiving the call request, service B reads the request parameters from it and computes a new sk value from them using the same preset algorithm.
Step 108: service B compares whether the new sk value equals the received sk value.
Step 110: when the new sk value equals the received sk value, service B determines that the call request is legitimate and returns the relevant data to service A.
Alternatively, services may be called through a unified gateway in the related art; refer to Fig. 2, a schematic diagram of calling services through a unified gateway. As shown in Fig. 2, given services 1 to 6, calls between the services are made through the gateway, which forwards all call requests.
It can be seen that the related art has the following defects:
1. Calls to a service cannot be controlled
As long as the preset algorithm is unchanged, service A can call service B without restriction; to restrict service A's calls to service B, the only option is to change the preset algorithm, but once the algorithm is changed no other service can call service B either. Calls to a service therefore cannot be controlled, which is a serious security risk.
2. A single point of failure exists
As the schematic diagram of Fig. 2 shows, once the gateway fails none of the services in the system can call one another; a failure at a single point propagates to the whole system and paralyses it, reducing the stability and security of the system.
The application therefore improves the way services are called in order to address the above defects of the related art. The following embodiments are provided to describe the application further:
Fig. 3 is a flow chart of an authentication method according to an exemplary embodiment of the application. The method is applied to a security platform and may include the following steps:
Step 302: receive a call request sent by a client.
In this embodiment, services are called on an application-to-application basis, i.e. one application calls a service in another application. For example, when the "Alipay" application uses its "withdrawal" service it must call the "deposit" service of the bank bound to it, so "Alipay" requests the bank to call "deposit". The service caller is the client, the service provider is the service end, and the call request is used to call a service on the service end.
Step 304: authenticate the client to determine whether the client has the authority to call the service.
In this embodiment, a user on the client side can apply to call a service by logging in to the security platform, and a user on the service-end side can review the client's application by logging in to the security platform. After the client passes the review, the security platform records the correspondence between the service the client applied to call and the identification information of the client. The correspondence is stored on a zookeeper cluster server.
Based on this review mechanism, after receiving the call request sent by the client (which may carry the client's identification information), the security platform can retrieve the pre-recorded correspondence between the service and the clients that may call it, and determine from the identification information and the correspondence whether the client has the authority to call the service; when the client has that authority, the client is judged to be authenticated successfully. Authenticating the service caller (i.e. the client) and judging whether it has the authority to call the service on the one hand improves the security of calling services and prevents the service from being called maliciously; on the other hand it prevents service resources from being called arbitrarily, which avoids unrestricted calls consuming large amounts of processing resources on the service end and improves the performance of the service end.
In this embodiment, when a disabling operation for the client's calling of the service is detected (the disabling operation can be performed by a user of the service side who logs in to the security platform), the correspondence between the client's identification information and the service is deleted. Because the correspondence has been deleted, when the client subsequently requests to call the service on the service end, the security platform judges that the client fails authentication, i.e. the client cannot call the service. By responding to the disabling operation in this way, the security platform further prevents service resources from being called arbitrarily (for example, a user of the service side can restrict which applications may call a service by logging in to the security platform and modifying the correspondence), which avoids unrestricted calls consuming large amounts of processing resources on the service end and improves the performance of the service end.
Step 306: after the client is authenticated successfully, forward the call request to the service end, so that the service end responds to the call request and calls the service.
In this embodiment, a signature can be generated over the request parameters using a cryptographic algorithm in order to verify the legitimacy of the call request, which improves the security of the call request (for example, it prevents another application from impersonating the client to call the service illegitimately). Specifically, the call request carries a first signature and the client's request parameters; the first signature is computed from the client's safe key and the request parameters according to a preset algorithm. The safe key is issued to the client in advance by the security platform, and the request parameters are used to obtain the corresponding data on the service end.
Based on the above data, legitimacy can be verified as follows: read the request parameters from the call request, and compute a second signature from the locally recorded safe key of the client and the request parameters that were read, according to the preset algorithm; if the first signature equals the second signature, perform the operation of forwarding the call request so that the service end returns the corresponding data to the client; otherwise refuse to perform the forwarding operation.
From the above technical solution, in the application services are called on an application-to-application basis. On the one hand, compared with service-to-service calls in the related art, calls to a service can be controlled, which improves the security of calling services; at the same time, because authentication is performed by the security platform, the authorities of service callers can be managed centrally, which improves management efficiency. On the other hand, compared with calling services through a unified gateway in the related art, the calling of services by different applications is mutually independent, which achieves "decentralisation", i.e. there is no single point of failure, and improves the stability and security of each application system.
For ease of understanding, the technical solution of the application is described in detail below with reference to a concrete scenario and the drawings. Fig. 4 is a schematic diagram of a network architecture according to an exemplary embodiment of the application. As shown in Fig. 4, the network architecture can include a security platform, a service end, a client and a network.
The security platform can include a console, a software component and a zookeeper cluster server. The console can be used to issue identification information and safe keys to clients and service ends, to review applications to call services and, after a review passes, to record the correspondence between the service and the client. The software component (hereinafter sdk.jar) can be used to authenticate the client that sends a call request and to verify the legitimacy of the call request. The zookeeper cluster server can be used to store the correspondences recorded by the console and the identification information and safe keys issued to each client and service end. In addition, the security platform can be embedded in the dubbo framework, which references sdk.jar to perform the authentication and legitimacy-verification operations.
The service end and the client are applications, each of which can contain multiple services. The service caller is the client and the service provider is the service end.
The network over which the security platform, service end and client interact can include wired or wireless networks of many types, for example the public switched telephone network (PSTN), the internet or a dedicated network; the application does not limit this.
It can be seen that implementing the technical solution of the application involves three-party data interaction between the security platform, the service end and the client. The technical solution is described below with reference to that interaction. Refer to Fig. 5, a flow chart of another authentication method according to an exemplary embodiment of the application. As shown in Fig. 5, the method is applied to a security platform and may include the following steps:
Step 502: the client sends a registration request to the security platform.
Step 504: the service end sends a registration request to the security platform.
Step 506: the security platform generates the corresponding identification information and safe keys.
In this embodiment, the application acting as service caller is the client and the application acting as service provider is the service end. For example, when application 1 requests application 2 to call a service, application 1 is the client and application 2 is the service end; conversely, when application 2 requests application 1 to call a service, application 2 is the client and application 1 is the service end.
The client and the service end need to register with the security platform when they are initialised, so that the security platform generates identification information and a safe key for the client, and identification information and a safe key for the service end. The identification information can be an AccessKey (also called Access Key ID, hereinafter ak) and the safe key can be a SecurityKey (also called Secret Access Key, hereinafter sk).
Step 508: the security platform issues the service end's ak and sk to the service end.
Step 510: the security platform issues the client's ak and sk to the client.
Step 512: the client applies to the security platform to call a service.
In this embodiment, a user on the client side can apply to call a service by logging in to the security platform.
Step 514: the security platform reviews the received application to call the service.
In this embodiment, a user on the service side (the administrator of the service-side application) can review the client's application by logging in to the security platform.
Step 516: after the client passes the review, the security platform records the correspondence between the service the client applied to call and the client's identification information.
In this embodiment, the security platform can store the issued ak and sk values and the recorded correspondences on the zookeeper cluster server, so that they are served uniformly and kept consistent. The correspondence recorded by the security platform is illustrated with reference to Fig. 6, a schematic diagram of the correspondence between services and clients recorded by the security platform according to an exemplary embodiment of the application. As shown in Fig. 6, application 1 (identification information ak1) contains service 1, service 2 and service 3. With application 1 as service provider, service 1 can be called by application 2 (identification information ak2), application 3 (identification information ak3) and application 4 (identification information ak4); service 2 can be called by application 2 and application 4; and service 3 can be called by application 3, application 4 and application 5 (identification information ak5).
In this embodiment, steps 502 to 516 are performed by the console in the security platform.
Step 518: the client sends a call request to the security platform.
Step 520: the security platform judges whether the client has the authority to call the requested service.
Step 522: the security platform verifies the legitimacy of the call request.
In this embodiment, the call request carries the client's ak, a first signature and the request parameters (used to obtain the corresponding data on the service end); the first signature is computed from the client's sk and the request parameters according to a preset algorithm (for example MD5, SHA1, HMAC or any other cryptographic algorithm; the application does not limit this).
After receiving the call request sent by the client, the security platform can retrieve the correspondence recorded in step 516 and determine from the ak in the call request and the correspondence whether the client has the authority to call the service; when the client has that authority, it is judged to be authenticated successfully. Authenticating the service caller (i.e. the client) and judging whether it has the authority to call the service on the one hand improves the security of calling services, and on the other hand prevents service resources from being called arbitrarily, which avoids unrestricted calls consuming large amounts of processing resources on the service end and improves the performance of the service end.
For example, under the correspondence of Fig. 6, suppose application 2 (now acting as client) requests to call service 3: by looking up the correspondence of Fig. 6 the security platform can determine that application 2 does not have the authority to call service 3, and judges that application 2 fails authentication. Suppose instead that application 2 requests to call service 2: by looking up the correspondence of Fig. 6 the security platform can determine that application 2 has the authority to call service 2, and judges that application 2 is authenticated successfully.
After performing the authentication operation, the security platform can further verify the legitimacy of the call request to improve its security (for example, to prevent another application from impersonating the client to call the service illegitimately). Specifically, the security platform reads the client's ak, the first signature and the request parameters from the call request, reads the sk stored against that ak on the local zookeeper cluster server, and computes a second signature from that sk and the request parameters according to the preset algorithm; if the first signature equals the second signature, it forwards the call request to the service end so that the service end returns the corresponding data to the client; otherwise it refuses to perform the forwarding operation.
Step 524: the security platform forwards the call request to the service end.
Step 526: the service end returns the data corresponding to the called service to the client.
In this embodiment, when the security platform detects a disabling operation for the client's calling of the service, it deletes the correspondence between the client's ak and the service. Because the correspondence has been deleted, when the client subsequently requests to call the service on the service end, the security platform judges that the client fails authentication, i.e. the client cannot call the service. By responding to the disabling operation in this way, the security platform further prevents service resources from being called arbitrarily (for example, a user of the service side can restrict which applications may call a service by logging in to the security platform and modifying the correspondence), which avoids unrestricted calls consuming large amounts of processing resources on the service end and improves the performance of the service end.
To sum up, in the technical solution of the application services are called on an application-to-application basis. On the one hand, compared with service-to-service calls in the related art, calls to a service can be controlled, which improves the security of calling services; at the same time, because authentication is performed by the security platform, the authorities of service callers can be managed centrally, which improves management efficiency. On the other hand, compared with calling services through a unified gateway in the related art, the calling of services by different applications is mutually independent, which achieves "decentralisation", i.e. there is no single point of failure, and improves the stability and security of each application system.
In the technical solution of the application, the security platform can also be applied to authentication in certificate mode. The authentication process is described in detail with reference to Fig. 7. As shown in Fig. 7, the process may include the following steps:
Step 702: the client applies to the security platform for a certificate.
Step 704: the service end applies to the security platform for a certificate.
Step 706: the security platform generates the client's certificate (which contains the service end's public key) and the service end's certificate (which contains the client's public key).
Step 708: the security platform issues the service end's certificate to the service end.
Step 710: the security platform issues the client's certificate to the client.
In this embodiment, after receiving its certificate the client stores its own private key and the service end's public key locally; after receiving its certificate the service end stores its own private key and the client's public key locally.
Step 712: the client signs the call request with its own private key and sends the call request to the service end.
Step 714: the service end verifies the signature on the received call request with the locally stored public key of the client.
Step 716: if the signature verifies, the corresponding data is returned to the client; otherwise the call request is refused.
In this embodiment, when the service end requests the client to call a service, the authentication process is similar to the above and is not repeated here.
In the technical solution of the application, for the authentication mode of Fig. 5 that uses identification information and safe keys, life-cycle management can be applied to the identification information and safe keys, for example by periodically updating the identification information and safe key of each application; for the certificate-based mode of Fig. 7, life-cycle management can likewise be applied to certificates, for example certificate application, download, renewal, revocation, suspension and unsuspension. These life-cycle management mechanisms effectively improve the security of the system and prevent services from being called by unauthorised applications.
Meanwhile, when a safe key needs to be updated (for example because it has been leaked or has expired), the first safe key after the update and the second safe key before the update can be used simultaneously for a preset duration, i.e. both keys are valid during the preset duration, and a request signed with either key passes the legitimacy verification of step 522. After the preset duration only the first safe key remains valid and the second safe key is invalidated. The preset duration can be set flexibly according to actual conditions; the application does not limit this. Identification information and certificates can be updated in the same way, which is not repeated here.
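As an added example that is not part of the patent or its sdk.jar, the following Python models the security platform of steps 516 to 524 (the Fig. 6 style correspondence lookup of step 520, the second-signature check of step 522, the disabling operation) together with the key update described in the paragraph above, where the old and new safe keys are both accepted for a preset duration. HMAC-SHA256 as the "preset algorithm", the sorted key=value canonicalisation of the request parameters, and an in-memory dictionary standing in for the zookeeper cluster server are assumptions, since the text leaves those choices open.

```python
"""Security platform of Fig. 5, added example (not the patent's sdk.jar).
Assumed where the text is open: HMAC-SHA256 as the "preset algorithm",
sorted key=value canonicalisation of the request parameters, and an
in-memory dict in place of the zookeeper cluster server.
"""
from __future__ import annotations

import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple


def sign(sk: str, params: Dict[str, str]) -> str:
    """Signature of step 522: HMAC over the request parameters with a safe key.
    Sorting the keys makes client and platform serialise the parameters identically."""
    canonical = "&".join(f"{k}={params[k]}" for k in sorted(params))
    return hmac.new(sk.encode(), canonical.encode(), hashlib.sha256).hexdigest()


@dataclass
class KeyRecord:
    sk: str                          # first safe key (current)
    old_sk: Optional[str] = None     # second safe key, valid only during the overlap
    old_sk_expires: float = 0.0      # end of the preset duration for old_sk


@dataclass
class SecurityPlatform:
    overlap_seconds: float = 3600.0  # preset duration during which both keys are valid
    keys: Dict[str, KeyRecord] = field(default_factory=dict)  # ak -> key record
    # (provider ak, service) -> aks that passed the provider's review (Fig. 6)
    grants: Dict[Tuple[str, str], Set[str]] = field(default_factory=dict)

    # ---- console operations (steps 506-516, disabling, key update) ----
    def register(self) -> Tuple[str, str]:
        """Steps 506-510: issue an AccessKey (ak) and SecurityKey (sk) to an application."""
        ak, sk = "ak_" + secrets.token_hex(4), secrets.token_hex(16)
        self.keys[ak] = KeyRecord(sk)
        return ak, sk

    def approve(self, provider_ak: str, service: str, caller_ak: str) -> None:
        """Step 516: after the provider's review passes, record service -> caller."""
        self.grants.setdefault((provider_ak, service), set()).add(caller_ak)

    def disable(self, provider_ak: str, service: str, caller_ak: str) -> None:
        """Disabling operation: delete the correspondence so later calls fail step 520."""
        self.grants.get((provider_ak, service), set()).discard(caller_ak)

    def rotate_key(self, ak: str, now: Optional[float] = None) -> str:
        """Key update: issue a new sk; the previous sk stays valid for overlap_seconds."""
        now = time.time() if now is None else now
        rec = self.keys[ak]
        rec.old_sk, rec.old_sk_expires = rec.sk, now + self.overlap_seconds
        rec.sk = secrets.token_hex(16)
        return rec.sk

    # ---- sdk.jar operations (steps 518-524) ----
    def authenticate(self, provider_ak: str, service: str, caller_ak: str) -> bool:
        """Step 520: does the caller have the authority to call this service?"""
        return caller_ak in self.grants.get((provider_ak, service), set())

    def verify_signature(self, caller_ak: str, params: Dict[str, str],
                         first_signature: str, now: Optional[float] = None) -> bool:
        """Step 522: recompute the second signature from the stored sk(s) and compare."""
        rec = self.keys.get(caller_ak)
        if rec is None:
            return False
        now = time.time() if now is None else now
        candidates = [rec.sk]
        if rec.old_sk is not None and now < rec.old_sk_expires:
            candidates.append(rec.old_sk)  # old key still accepted inside the preset duration
        return any(hmac.compare_digest(sign(k, params).encode(), first_signature.encode())
                   for k in candidates)

    def handle_call(self, request: Dict, now: Optional[float] = None) -> str:
        """Steps 518-524: authenticate, then verify legitimacy, then forward or refuse."""
        provider, service, caller = request["provider"], request["service"], request["ak"]
        if not self.authenticate(provider, service, caller):
            return "refused: caller not authorised for this service"
        if not self.verify_signature(caller, request["params"], request["signature"], now):
            return "refused: signature mismatch"
        return f"forwarded to {provider}/{service}"


def fig6_scenario() -> Tuple[str, str]:
    """Fig. 6 replayed with constructed keys: application 2 may call service 2, not service 3."""
    platform = SecurityPlatform()
    ak1, _ = platform.register()    # application 1, the provider
    ak2, sk2 = platform.register()  # application 2, the caller
    platform.approve(ak1, "service 2", ak2)
    params = {"account": "constructed-acct", "amount": "10"}  # constructed request parameters
    base = {"provider": ak1, "ak": ak2, "params": params, "signature": sign(sk2, params)}
    allowed = platform.handle_call(dict(base, service="service 2"))
    denied = platform.handle_call(dict(base, service="service 3"))
    return allowed, denied
```

The signature in the text covers only the request parameters; whether a timestamp or nonce is among them, so that a captured request cannot simply be resubmitted, is left to the implementer.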
Fig. 8 shows the structural representation of the electronic equipment of the exemplary embodiment according to the application.It refer to Fig. 8, In hardware view, the electronic equipment includes processor 802, internal bus 804, network interface 806, internal memory 808 and non-volatile Property memory 810, is also possible that the hardware required for other business certainly.Processor 802 is from nonvolatile memory 810 Corresponding computer program is read into internal memory 808 and then is run, authentication device is formed on logic level.Certainly, except soft Outside part implementation, the application is not precluded from other implementations, such as the mode of logical device or software and hardware combining etc. Deng, that is to say, that the executive agent of following handling process is not limited to each logic unit or hardware or logic device Part.
Referring to Fig. 9, in a software implementation the authentication device can include a receiving unit 901, an authenticating unit 902 and a forwarding unit 903, wherein:
the receiving unit 901 receives the call request sent by the client, the call request being used to call a service on the service end;
the authenticating unit 902 authenticates the client to determine whether the client has the authority to call the service;
the forwarding unit 903, after the client is authenticated successfully, forwards the call request to the service end, so that the service end responds to the call request and calls the service.
Optionally, the call request contains the identification information of the client, and the authenticating unit 902 is specifically used to:
retrieve the pre-recorded correspondence relation between the service and the clients that are allowed to call the service;
determine, according to the identification information and the correspondence relation, whether the client has the authority to call the service; when the client has the authority to call the service, the client is judged to be authenticated successfully.
Optionally, the correspondence relation is stored in ZooKeeper cluster servers.
Optionally, the device further includes:
a deleting unit 904, which, upon detecting a disabling operation for the client's calling of the service, deletes the correspondence relation between the identification information of the client and the service.
Optionally,
the call request contains a first signature of the client and request parameters, the first signature being computed by the client from its security key and the request parameters according to a preset algorithm; the security key is issued to the client in advance by the security platform, and the request parameters are used to obtain the corresponding data on the service end;
the device further includes a reading unit 905, which reads the request parameters from the call request, computes a second signature according to the preset algorithm from the locally recorded security key corresponding to the client and the request parameters that were read, and, if the first signature equals the second signature, performs the operation of forwarding the call request so that the service end returns the corresponding data to the client; otherwise it refuses to perform the forwarding operation.
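The security platform's authentication logic described above (the whitelist lookup on the identification information, recomputation of the second signature over the request parameters, and the key-update grace window in which the first and second security keys are both valid), as an added Python example that is not the patent's own code. It assumes the "preset algorithm" is HMAC-SHA256 over the sorted request parameters, that the service-to-client correspondence relation lives in an in-memory dict standing in for the ZooKeeper cluster, and that the preset duration is measured in seconds; every client id, key and request below is constructed.

```python
import hashlib
import hmac
import time
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed "preset duration": after a key update, the previous (second)
# security key stays valid for this many seconds alongside the new (first) one.
GRACE_SECONDS = 3600


def canonical_params(params: Dict[str, str]) -> bytes:
    # Sort the parameters so client and platform serialise them identically.
    return "&".join(f"{k}={params[k]}" for k in sorted(params)).encode()


def compute_signature(key: bytes, params: Dict[str, str]) -> str:
    # Assumed "preset algorithm": HMAC-SHA256 over the canonical parameters.
    return hmac.new(key, canonical_params(params), hashlib.sha256).hexdigest()


@dataclass
class ClientKeys:
    current: bytes                     # first security key (after update)
    previous: Optional[bytes] = None   # second security key (before update)
    rotated_at: float = 0.0            # time at which `current` replaced `previous`

    def valid_keys(self, now: float) -> List[bytes]:
        keys = [self.current]
        if self.previous is not None and now - self.rotated_at < GRACE_SECONDS:
            keys.append(self.previous)
        return keys


class SecurityPlatform:
    def __init__(self) -> None:
        self.keys: Dict[str, ClientKeys] = {}
        # Correspondence relation: service -> client ids allowed to call it.
        self.allowed: Dict[str, Set[str]] = {}

    def register(self, client_id: str, key: bytes, service: str) -> None:
        self.keys[client_id] = ClientKeys(current=key)
        self.allowed.setdefault(service, set()).add(client_id)

    def rotate_key(self, client_id: str, new_key: bytes, now: float) -> None:
        ck = self.keys[client_id]
        ck.previous, ck.current, ck.rotated_at = ck.current, new_key, now

    def disable(self, client_id: str, service: str) -> None:
        # Disabling operation: delete the client/service correspondence.
        self.allowed.get(service, set()).discard(client_id)

    def authenticate(self, request: Dict, now: Optional[float] = None) -> bool:
        now = time.time() if now is None else now
        client_id, service = request["client_id"], request["service"]
        # Step 1: check the identification information against the relation.
        if client_id not in self.allowed.get(service, set()):
            return False
        ck = self.keys.get(client_id)
        if ck is None:
            return False
        # Step 2: recompute the second signature with every currently valid key
        # and compare it in constant time against the client's first signature.
        first_sig = request["signature"]
        return any(
            hmac.compare_digest(first_sig, compute_signature(k, request["params"]))
            for k in ck.valid_keys(now)
        )
```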
For the functions of the units in the device above and the implementation of their effects, refer to the implementation of the corresponding steps in the method above, which is not repeated here.
Since the device embodiment basically corresponds to the method embodiment, for related details refer to the description of the method embodiment. The device embodiment described above is merely illustrative: the units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units, that is, they may be located in one place or distributed over multiple network elements. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of the application. Those of ordinary skill in the art can understand and implement this without creative effort.
In an exemplary embodiment, a non-transitory computer-readable storage medium containing instructions is also provided, for example a memory containing instructions, where the instructions can be executed by the processor of the authentication device to complete the above method. The method may include:
receiving the call request sent by the client, the call request being used to call a service on the service end;
authenticating the client to determine whether the client has the authority to call the service;
after the client is authenticated successfully, forwarding the call request to the service end, so that the service end responds to the call request and calls the service.
Optionally, the call request contains the identification information of the client, and authenticating the client includes:
retrieving the pre-recorded correspondence relation between the service and the clients that are allowed to call the service;
determining, according to the identification information and the correspondence relation, whether the client has the authority to call the service; when the client has the authority to call the service, the client is judged to be authenticated successfully.
Optionally, the correspondence relation is stored in ZooKeeper cluster servers.
Optionally, the method further includes:
upon detecting a disabling operation for the client's calling of the service, deleting the correspondence relation between the identification information of the client and the service.
Optionally,
the call request contains a first signature of the client and request parameters, the first signature being computed by the client from its security key and the request parameters according to a preset algorithm; the security key is issued to the client in advance by the security platform, and the request parameters are used to obtain the corresponding data on the service end;
the method further includes: reading the request parameters from the call request, computing a second signature according to the preset algorithm from the locally recorded security key corresponding to the client and the request parameters that were read, and, if the first signature equals the second signature, performing the operation of forwarding the call request so that the service end returns the corresponding data to the client; otherwise refusing to perform the forwarding operation.
The non-transitory computer-readable storage medium may be a ROM, a random access memory (RAM), a CD-ROM, a magnetic tape, a floppy disk, an optical data storage device or the like; the application does not limit this.
The foregoing are merely preferred embodiments of the application and are not intended to limit it; any modification, equivalent substitution or improvement made within the spirit and principles of the application shall fall within the scope of protection of the application.

Claims (12)

1. An authentication system, characterised in that it includes a client, a service end and a security platform, wherein:
the client sends a call request to the security platform, the call request being used to call a service on the service end;
the security platform authenticates the client to determine whether the client has the authority to call the service, and after the client is authenticated successfully forwards the call request to the service end;
the service end responds to the call request and calls the service.
2. An authentication method, characterised in that it is applied to a security platform and includes:
receiving a call request sent by a client, the call request being used to call a service on a service end;
authenticating the client to determine whether the client has the authority to call the service;
after the client is authenticated successfully, forwarding the call request to the service end, so that the service end responds to the call request and calls the service.
3. The method according to claim 2, characterised in that the call request contains identification information of the client, and authenticating the client includes:
retrieving the pre-recorded correspondence relation between the service and the clients that are allowed to call the service;
determining, according to the identification information and the correspondence relation, whether the client has the authority to call the service; when the client has the authority to call the service, the client is judged to be authenticated successfully.
4. The method according to claim 3, characterised in that the correspondence relation is stored in ZooKeeper cluster servers.
5. The method according to claim 3, characterised in that it further includes:
upon detecting a disabling operation for the client's calling of the service, deleting the correspondence relation between the identification information of the client and the service.
6. The method according to claim 2, characterised in that
the call request contains a first signature of the client and request parameters, the first signature being computed by the client from its security key and the request parameters according to a preset algorithm; the security key is issued to the client in advance by the security platform, and the request parameters are used to obtain the corresponding data on the service end;
the method further includes: reading the request parameters from the call request, computing a second signature according to the preset algorithm from the locally recorded security key corresponding to the client and the request parameters that were read, and, if the first signature equals the second signature, performing the operation of forwarding the call request so that the service end returns the corresponding data to the client; otherwise refusing to perform the forwarding operation.
7. An authentication device, characterised in that it is applied to a security platform and includes:
a receiving unit, which receives a call request sent by a client, the call request being used to call a service on a service end;
an authenticating unit, which authenticates the client to determine whether the client has the authority to call the service;
a forwarding unit, which, after the client is authenticated successfully, forwards the call request to the service end, so that the service end responds to the call request and calls the service.
8. The device according to claim 7, characterised in that the call request contains identification information of the client, and the authenticating unit is specifically used to:
retrieve the pre-recorded correspondence relation between the service and the clients that are allowed to call the service;
determine, according to the identification information and the correspondence relation, whether the client has the authority to call the service; when the client has the authority to call the service, the client is judged to be authenticated successfully.
9. The device according to claim 8, characterised in that the correspondence relation is stored in ZooKeeper cluster servers.
10. The device according to claim 8, characterised in that it further includes:
a deleting unit, which, upon detecting a disabling operation for the client's calling of the service, deletes the correspondence relation between the identification information of the client and the service.
11. The device according to claim 7, characterised in that
the call request contains a first signature of the client and request parameters, the first signature being computed by the client from its security key and the request parameters according to a preset algorithm; the security key is issued to the client in advance by the security platform, and the request parameters are used to obtain the corresponding data on the service end;
the device further includes a reading unit, which reads the request parameters from the call request, computes a second signature according to the preset algorithm from the locally recorded security key corresponding to the client and the request parameters that were read, and, if the first signature equals the second signature, performs the operation of forwarding the call request so that the service end returns the corresponding data to the client; otherwise it refuses to perform the forwarding operation.
12. A computer-readable storage medium on which computer instructions are stored, characterised in that, when executed by a processor, the instructions implement the steps of the method according to any one of claims 1-6.
CN201710482304.XA 2017-06-22 2017-06-22 Authentication method, device, computer readable storage medium and authentication system Active CN107124431B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201710482304.XA CN107124431B (en) 2017-06-22 2017-06-22 Authentication method, device, computer readable storage medium and authentication system

Publications (2)

Publication Number Publication Date
CN107124431A true CN107124431A (en) 2017-09-01
CN107124431B CN107124431B (en) 2020-03-06

Family

ID=59719339

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201710482304.XA Active CN107124431B (en) 2017-06-22 2017-06-22 Authentication method, device, computer readable storage medium and authentication system

Country Status (1)

Country Link
CN (1) CN107124431B (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant