CN108600266B - Statement filtering authentication method and system - Google Patents

Info

Publication number: CN108600266B
Authority: CN (China)
Prior art keywords: authentication, request, service, interface, tag
Legal status: Active (Google notes that the legal status is an assumption and not a legal conclusion)
Application number: CN201810438971.2A
Other languages: Chinese (zh)
Other versions: CN108600266A
Inventors: 柳永诠, 曾明, 高原, 孙强, 倪国永, 张柳, 代红
Current assignee: Julong Co Ltd (Google notes that the listed assignees may be inaccurate)
Original assignee: Julong Co Ltd
Events: application filed by Julong Co Ltd; priority to CN201810438971.2A; published as CN108600266A; application granted; published as CN108600266B; legal status active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0807 Network architectures or network communication protocols for network security for authentication of entities using tickets, e.g. Kerberos
    • H04L63/0876 Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/102 Entity profiles
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/06 Network architectures or network communication protocols for network security for supporting key management in a packet data network

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Power Engineering (AREA)
  • Computer And Data Communications (AREA)
  • Storage Device Security (AREA)

Abstract

The invention discloses a statement filtering authentication method and system comprising the following steps: the client sends an interface request to the receiving server; the receiving server receives the interface request from the client; according to the configured authentication annotation statement, the corresponding pre-filter is triggered to perform filtering authentication on the request parameters of the interface request, where the authentication annotation statement determines, from the annotation authentication tag attached to the requested interface, which filtering authentication algorithm the pre-filter must execute; the annotation authentication tag has several tag attributes, each tag attribute corresponds to one filtering authentication algorithm preset in the pre-filter, and each requested interface carries an annotation authentication tag of one particular attribute; finally it is checked whether the filtering authentication succeeded, and if so the interface is executed and its result returned, otherwise an authentication failure exception is thrown. The filtering authentication device effectively saves memory on the physical server, ensures the security of the request, and processes request authentication more efficiently.

Description

Statement filtering authentication method and system
Technical Field
The invention relates to encryption and decryption methods, and in particular to a statement filtering authentication method and system.
Background
At present, with the deep development of the Internet Plus initiative, software systems have penetrated different scenarios in many industries, and the connections between different systems are becoming ever tighter. With the advent of cloud platforms, composite systems, single sign-on services and the like, communication between systems on the same platform, and between platforms, is becoming more frequent, and the requirements on the security and reliability of that communication are therefore rising. With service-oriented design, the original monolithic software system is split into separate functional components that communicate through contractual dependencies between services to form a complete application; services under a unified platform can communicate with one another and also with untrusted services outside the platform, such as browser clients, Android clients, iOS clients and desktop clients. Whatever the communication mode, the security and reliability of a request must be ensured before the request is executed.
For the requirement of cross-platform unified authentication, the prior art generally uses a single sign-on solution, in which the authentication system needs an independently deployed authentication server, a browser application; the server side is mainly responsible for authenticating the user, interacts with the database, and after authentication redirects to the corresponding requested page. The authentication client is deployed together with the system client and protects resources by filtering. For each request for a protected resource, the client analyses whether the request parameters contain user credentials, and if not, client-side or server-side authentication is performed. In practical scenarios, single sign-on has to be combined with an authorization control framework such as Apache Shiro (a Java security framework). The security framework caches the user's authentication information in the user session, which means the client has to keep a user-state cache. The client-side security framework uses this cached information to authenticate requests and also provides a set of declarative interfaces, so that an interface can be annotated with an authorization description, an interceptor performs the authorization check, and the interface is accessed only after the check passes.
In summary, cross-platform unified authentication requires an independently deployed authentication server, so for a cross-region distributed deployment the deployment mode of the authentication server is fixed, the network constraints are strong, and load-balancing or distributed schemes are complex. An untrusted request is one where the requesting client and the receiving server are not on the same cloud platform, so the validity of the client cannot be looked up in a registry. In many practical scenarios, cross-platform applications such as WeChat clients, mobile clients and browser clients cannot be deployed on a unified cloud platform, so an untrusted request must carry out user authorization checks covering basic user information, user roles, user resource permissions and the like. Combined with an authorization control framework, the client needs to store the user state and cache the user's permission information, and stateless sessions are not supported. Client interfaces communicating with each other have no corresponding security authentication strategy; only user information can be passed between them, with the user authentication strategy applied accordingly. The resulting problem is that existing untrusted authentication systems have a weak encryption algorithm, are easy to replicate, and do not serve untrusted clients and client servers well, so an encryption and decryption method is needed to solve the above problems.
Disclosure of Invention
In view of the disadvantages of the prior art, the present invention provides a statement filtering authentication method and system that effectively solve the technical problems described in the background.
A statement filtering authentication method comprises the following steps:
S1, the client sends an interface request to the receiving server;
S2, the receiving server receives the interface request from the client;
S3, according to the configured authentication annotation statement, the corresponding pre-filter is triggered to perform filtering authentication on the request parameters of the interface request, where the authentication annotation statement determines, from the annotation authentication tag attached to the requested interface, which filtering authentication algorithm the pre-filter must execute; the annotation authentication tag has several tag attributes, each tag attribute corresponds to one filtering authentication algorithm preset in the pre-filter, and each requested interface carries an annotation authentication tag of one particular attribute;
S4, it is checked whether the filtering authentication succeeded; if so, the interface is executed and its result returned, otherwise an authentication failure exception is thrown.
Further, the annotation authentication tag is defined with the following attributes according to the authentication requirements of the interface, including but not limited to: a trusted service authentication tag, a guest authentication tag, a signed-in authentication tag, a role authentication tag and a permission authentication tag.
Further, before step S1, a user state data structure matching the receiving server is constructed. It provides the user state information required by the filtering authentication of S3, is packaged together with the request parameters of the interface request and sent to the receiving server, and the request parameters are written with the authentication key and the service key used for server-side authentication. The user state information comprises at least a user permission credential, basic user information and permission data; the user permission credential provides the unique identifier of the user's login state, that is, the key under which the user state information is found in a stateless session; the permission data comprises role code data and resource permission code data.
Further, the filtering authentication algorithm corresponding to the trusted service authentication tag comprises the following steps:
(11) obtain the authentication key from the request parameters and check whether it is empty; if it is, throw an authentication failure exception, otherwise continue;
(12) obtain the corresponding service code instance from the configured interface parameter dictionary and delete the authentication key attribute from the request parameters;
(13) decrypt the authentication key with the trusted service end's token decryption algorithm to obtain the client's decrypted service code;
(14) check whether the service code is empty; if it is, throw an authentication failure exception, otherwise continue;
(15) check whether the service code exists in the configured local trusted service registry; if it does not, throw an authentication failure exception;
(16) determine the attribute of the annotation authentication tag attached to the requested interface, namely the array of allowed service codes;
(17) if the length of the service code array is 0, any trusted service passes authentication;
(18) otherwise iterate over the service code array of step (16) and check whether a value identical to the client's service code from step (13) exists; if so, authentication passes, otherwise throw an authentication failure exception.
Further, the filtering authentication algorithm corresponding to the guest authentication tag comprises the following steps:
(21) obtain the service key from the request parameters;
(22) obtain the corresponding service code instance from the configured interface parameter dictionary and delete the service key attribute from the request parameters;
(23) check whether the service key is empty; if it is not, run the trusted service end's token decryption algorithm to obtain the client's decrypted service code;
(24) check whether the service code is empty; if it is not, check whether it exists in the configured local trusted service registry, and if so authentication passes and terminates;
(25) if the service code is empty, obtain the authentication key from the request parameters;
(26) decrypt the authentication key with the untrusted service end's token decryption algorithm to obtain the decrypted authentication information;
(27) check whether the authentication information is empty or lacks the dynamic credential attribute; if so, authentication passes and terminates, otherwise throw an authentication failure exception.
Further, the filtering authentication algorithm corresponding to the signed-in authentication tag comprises the following steps:
(31) obtain the service key from the request parameters;
(32) obtain the corresponding service code instance from the configured interface parameter dictionary and delete the authentication key attribute from the request parameters;
(33) check whether the service key is empty; if it is not, run the trusted service end's token decryption algorithm to obtain the client's decrypted service code;
(34) check whether the service code is empty; if it is not, check whether it exists in the configured local trusted service registry, and if so authentication passes and terminates;
(35) if the service code is empty, obtain the authentication key from the request parameters;
(36) decrypt the authentication key with the untrusted service end's token decryption algorithm to obtain the decrypted authentication information;
(37) check whether the authentication information is empty; if it is not empty and contains the dynamic credential attribute, authentication passes and terminates, otherwise throw an authentication failure exception.
Further, the filtering authentication algorithm corresponding to the role authentication tag comprises the following steps:
(401) obtain the service key from the request parameters;
(402) obtain the corresponding service code instance from the configured interface parameter dictionary and delete the authentication key attribute from the request parameters;
(403) check whether the service key is empty; if it is not, run the trusted service end's token decryption algorithm to obtain the client's decrypted service code;
(404) check whether the service code is empty; if it is not, check whether it exists in the configured local trusted service registry, and if so authentication passes and terminates;
(405) if the service code is empty, obtain the authentication key from the request parameters;
(406) decrypt the authentication key with the untrusted service end's token decryption algorithm to obtain the decrypted authentication information;
(407) check whether the authentication information is empty; if it is, throw an authentication failure exception;
(408) obtain the role array attribute of the object corresponding to the authentication information;
(409) determine the attribute of the annotation authentication tag attached to the requested interface, namely the array of allowed role codes;
(410) obtain the logic condition attribute of the annotation authentication tag attached to the requested interface;
(411) if the logic condition attribute value is 'AND', iterate over the tag role array of step (409) against the user role array of step (408); if any tag role is absent from the user role array, throw an authentication failure exception;
(412) if the logic condition attribute value is 'OR', iterate over the tag role array of step (409) against the user role array of step (408); if none of the tag roles matches a value in the user role array, throw an authentication failure exception; otherwise authentication passes.
Further, the filtering authentication algorithm corresponding to the permission authentication tag comprises the following steps:
(501) obtain the service key from the request parameters;
(502) obtain the corresponding service code instance from the configured interface parameter dictionary and delete the authentication key attribute from the request parameters;
(503) check whether the service key is empty; if it is not, run the trusted service end's token decryption algorithm to obtain the client's decrypted service code;
(504) check whether the client's service code is empty; if it is not, check whether it exists in the configured local trusted service registry, and if so authentication passes and terminates;
(505) if the service code is empty, obtain the authentication key from the request parameters;
(506) decrypt the authentication key with the untrusted service end's token decryption algorithm to obtain the decrypted authentication information;
(507) check whether the authentication information is empty; if it is, throw an authentication failure exception;
(508) obtain the permission array attribute of the object corresponding to the authentication information;
(509) determine the attribute of the annotation authentication tag attached to the requested interface, namely the array of allowed permission codes;
(510) obtain the logic condition attribute of the annotation authentication tag attached to the requested interface;
(511) if the logic condition attribute value is 'AND', iterate over the tag permission array of step (509) against the user permission array of step (508); if any tag permission is not matched by the user's permissions, throw an authentication failure exception;
(512) if the logic condition attribute value is 'OR', iterate over the tag permission array of step (509) against the user permission array of step (508); if none of the tag permissions is matched by the user's permissions, throw an authentication failure exception; otherwise authentication passes.
Further, the annotation tag attributes also comprise a custom authentication tag.
A statement filtering authentication system comprises:
a client for sending an interface request to the receiving server;
a receiving server for receiving the interface request from the client and, according to the configured authentication annotation statement, triggering the corresponding pre-filter to perform filtering authentication on the request parameters of the interface request, where the authentication annotation statement determines, from the annotation authentication tag attached to the requested interface, which filtering authentication algorithm the pre-filter must execute; the annotation authentication tag has several tag attributes, each tag attribute corresponds to one filtering authentication algorithm preset in the pre-filter, and each requested interface carries an annotation authentication tag of one particular attribute; the receiving server also checks whether the filtering authentication succeeded, and if so executes the interface and returns its result, otherwise throws an authentication failure exception; the annotation authentication tag is defined with the following attributes according to the authentication requirements of the interface, including but not limited to: a trusted service authentication tag, a guest authentication tag, a signed-in authentication tag, a role authentication tag and a permission authentication tag;
a first processing module, on the client, for sending the interface request to the receiving server; a user state data structure matching the receiving server is constructed in advance, provides the user state information required by the filtering authentication, and is packaged together with the request parameters of the interface request and sent to the receiving server, the request parameters being written with the authentication key and the service key used for server-side authentication; the user state information comprises at least a user permission credential, basic user information and permission data, where the user permission credential provides the unique identifier of the user's login state, that is, the key under which the user state information is found in a stateless session; the permission data comprises role code data and resource permission code data.
Compared with the prior art, the invention has the following beneficial effects:
The user's authentication information uses a role-and-permission data structure, which is highly general, less complex to use, easily extended and supports a wider range of scenarios. With the annotated statement filtering authentication device, the description of authentication parameters is clearer and simpler for server-side interface development, and because the authentication parameters are separated from the main business logic the code is better defined. At the receiving end, the interface interception technique makes the authentication process more transparent to developers, simplifies development and improves efficiency; the authenticated, encrypted transmission mode gives better support for stateless sessions and more reliable load balancing, since the same request at the same moment yields a consistent authentication result on any load-balanced node, so the load balancer can allocate request resources more flexibly without undue restrictions. Support for a stateless session strategy separates the user's authentication information from the server cache and hands more of the processing to the client; taking a browser client as an example, the authentication information is cached on each client, which effectively reduces the server's memory usage and saves system resources.
In conclusion, the filtering authentication device of the invention effectively saves memory on the physical server, ensures the security of the request, and processes request authentication more efficiently.
Drawings
To illustrate the embodiments of the present invention or the prior art more clearly, the drawings needed for their description are briefly introduced below; the drawings described are some embodiments of the present invention, and a person skilled in the art can obtain other drawings from them without creative effort.
Fig. 1 is a flowchart of an authentication method according to an embodiment of the present invention.
Detailed Description
To make the objects, technical solutions and advantages of the embodiments clearer, the technical solutions in the embodiments are described completely below with reference to the drawings; the described embodiments are some, not all, of the embodiments of the present invention. All other embodiments that a person skilled in the art can derive from them without creative effort fall within the scope of protection of the present invention.
In the embodiment shown in Fig. 1, a statement filtering authentication method is provided, comprising the following steps:
S1, the client sends an interface request to the receiving server;
S2, the receiving server receives the interface request from the client;
S3, according to the configured authentication annotation statement, the corresponding pre-filter is triggered to perform filtering authentication on the request parameters of the interface request, where the authentication annotation statement determines, from the annotation authentication tag attached to the requested interface, which filtering authentication algorithm the pre-filter must execute; the annotation authentication tag has several tag attributes, each tag attribute corresponds to one filtering authentication algorithm preset in the pre-filter, and each requested interface carries an annotation authentication tag of one particular attribute;
S4, it is checked whether the filtering authentication succeeded; if so, the interface is executed and its result returned, otherwise an authentication failure exception is thrown.
In an optional implementation, based on an aspect-oriented design pattern, the statement filtering authentication method uses an automatic authentication mechanism: a set of interface method annotation authentication tags is established to describe the authentication parameters of an interface, and pre-filters defined for the different annotation authentication tags authenticate every request fully automatically; the annotation authentication tag is defined with the following attributes according to the authentication requirements of the interface, including but not limited to: a trusted service authentication tag, a guest authentication tag, a signed-in authentication tag, a role authentication tag and a permission authentication tag.
In an alternative embodiment, before step S1 a user state data structure matching the receiving server is also constructed; it may be a JSON (JavaScript Object Notation) object. The user state data structure provides the user state information required by the filtering authentication of S3, is packaged together with the request parameters of the interface request and sent to the receiving server, and the request parameters are written with the authentication key and the service key for server-side authentication. Since the interface request parameters are mainly provided for the service interface, the key parameters, namely the authentication key and the service key, are not part of the service parameters: they are written by the back end of the requesting side for authentication by the serving side, and are deleted from the request parameters after use, so that authentication is automatic and transparent. The user state information comprises at least a user permission credential, basic user information and permission data; the user permission credential provides the unique identifier of the user's login state, that is, the key under which the user state information is found in a stateless session; the permission data comprises role code data and resource permission code data.
After a user logs in to a particular user state, the basic user information cached by the system mainly comprises user information, role and permission information and the like. The permission credential is a unique index generated at random when the user logs in; it is bound to the user's current login (that is, to the user state), and when the user logs out or logs in again, the unique identifier generated by the previous login is invalidated. Example authentication data structure: { token: dynamic credential, user: basic user information, roles: role code array, properties: resource permission code data }. The user permission code uses the 'resource:permission:attribute' structure for its permission description, with the nodes separated by ':'; each node may be omitted, and a node that is omitted or a '.' ...
In an optional implementation, the filtering authentication algorithm corresponding to the trusted service authentication tag comprises the following steps:
(11) obtain the authentication key from the request parameters and check whether it is empty; if it is, throw an authentication failure exception, otherwise continue;
(12) obtain the corresponding service code instance from the configured interface parameter dictionary and delete the authentication key attribute from the request parameters;
(13) decrypt the authentication key with the trusted service end's token decryption algorithm to obtain the client's decrypted service code;
(14) check whether the service code is empty; if it is, throw an authentication failure exception, otherwise continue;
(15) check whether the service code exists in the configured local trusted service registry; if it does not, throw an authentication failure exception;
(16) determine the attribute of the annotation authentication tag attached to the requested interface, namely the array of allowed service codes;
(17) if the length of the service code array is 0, any trusted service passes authentication;
(18) otherwise iterate over the service code array of step (16) and check whether a value identical to the client's service code from step (13) exists; if so, authentication passes, otherwise throw an authentication failure exception.
In an optional implementation manner, the filtering authentication algorithm corresponding to the guest authentication tag includes the following steps:
(21) acquire the service key from the request parameters;
(22) acquire the corresponding instance from the set interface parameter dictionary and delete the service key attribute from it;
(23) judge whether the service key is empty; if not, run the token decryption algorithm of the trusted service end to obtain the decrypted service code of the client;
(24) judge whether the service code is empty; if not, judge whether it exists in the set local trusted service registry, and if so, authentication passes and the algorithm terminates;
(25) if the service code is empty, acquire the authentication key from the request parameters;
(26) decrypt the authentication key with the token decryption algorithm of the non-trusted service end to obtain a JSON object of decrypted authentication information;
(27) if the authentication information is empty or does not contain the dynamic credential attribute, authentication passes and the algorithm terminates; otherwise throw an authentication failure exception.
In an alternative embodiment, the signed-in authentication tag lets only a member signed in to an account pass authentication, and the corresponding filtering authentication algorithm comprises the following steps:
(31) acquire the service key from the request parameters;
(32) acquire the corresponding service code instance from the set interface parameter dictionary and delete the authentication key attribute from it;
(33) judge whether the service key is empty; if not, run the token decryption algorithm of the trusted service end to obtain the decrypted service code of the client;
(34) judge whether the service code is empty; if not, judge whether it exists in the set local trusted service registry, and if so, authentication passes and the algorithm terminates;
(35) if the service code is empty, acquire the authentication key from the request parameters;
(36) decrypt the authentication key with the token decryption algorithm of the non-trusted service end to obtain a JSON object of decrypted authentication information;
(37) judge whether the authentication information is empty; if it is not empty and contains the dynamic credential attribute, authentication passes and the algorithm terminates; otherwise throw an authentication failure exception.
In an alternative embodiment, the role authentication tag authenticates only login accounts holding the roles defined by the tag (i.e. the role codes declared in the tag) and then executes the request; the corresponding filtering authentication algorithm comprises the following steps:
(401) acquire the service key from the request parameters;
(402) acquire the corresponding service code instance from the set interface parameter dictionary and delete the authentication key attribute from it;
(403) judge whether the service key is empty; if not, run the token decryption algorithm of the trusted service end to obtain the decrypted service code of the client;
(404) judge whether the service code is empty; if not, judge whether it exists in the set local trusted service registry, and if so, authentication passes and the algorithm terminates;
(405) if the service code is empty, acquire the authentication key from the request parameters;
(406) decrypt the authentication key with the token decryption algorithm of the non-trusted service end to obtain a JSON object of decrypted authentication information;
(407) judge whether the authentication information is empty; if so, throw an authentication failure exception;
(408) acquire the role array attribute of the object corresponding to the authentication information;
(409) determine the attribute of the annotation authentication tag corresponding to the request interface, namely the array of allowed role codes;
(410) acquire the logic condition attribute of the annotation authentication tag corresponding to the request interface;
(411) if the logic condition attribute value is 'AND', iterate over the tag role array of step (409) against the user role array of step (408); if any tag role does not exist in the user role array, throw an authentication failure exception;
(412) if the logic condition attribute value is 'OR', iterate over the tag role array of step (409) against the user role array of step (408); if none of the tag roles matches a value in the user role array, throw an authentication failure exception; otherwise authentication passes.
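The pre-filter dispatch for the trusted service, guest, signed-in and role tags described above, as an added Python example that is not the patent's own code. The two token decryption algorithms are replaced by in-memory lookup stand-ins (TRUST_TOKENS, USER_TOKENS, LOCAL_TRUST_REGISTRY and the parameter names authKey/serviceKey are all constructed assumptions), so the example exercises only the filtering logic and the deletion of the key parameters from the interface parameter dictionary.

```python
from dataclasses import dataclass
from typing import Optional


class AuthenticationFailure(Exception):
    """Raised when a filtering authentication algorithm rejects the request."""


# Constructed stand-ins for the two token decryption algorithms (assumption: no
# real cryptography here; a key simply looks up what it would decrypt to).
TRUST_TOKENS = {"svc-token-A": "svc-a", "svc-token-bad": ""}
USER_TOKENS = {
    "user-token-1": {"token": "dyn-cred-1", "user": "alice", "roles": ["admin", "auditor"]},
    "user-token-noauth": {"user": "anon"},  # no dynamic credential attribute
}
LOCAL_TRUST_REGISTRY = {"svc-a", "svc-b"}  # the local trusted service registry


def decrypt_trust_token(key: str) -> str:
    """Trusted-service token decryption stand-in: returns the client service code."""
    return TRUST_TOKENS.get(key, "")


def decrypt_user_token(key: str) -> Optional[dict]:
    """Non-trusted token decryption stand-in: returns the authentication info JSON."""
    return USER_TOKENS.get(key)


@dataclass
class AuthTag:
    kind: str            # "trust", "guest", "signed_in" or "role"
    values: tuple = ()   # allowed service codes (trust) or role codes (role)
    logic: str = "AND"   # logic condition attribute of the role tag: "AND" / "OR"


def _take_keys(params: dict):
    """Read the key parameters and delete them from the interface parameter
    dictionary, so the service interface itself never sees them."""
    return params.pop("authKey", None), params.pop("serviceKey", None)


def authenticate(tag: AuthTag, params: dict) -> str:
    """Run the filtering authentication algorithm selected by the tag.
    Returns a short reason on success, raises AuthenticationFailure otherwise."""
    auth_key, service_key = _take_keys(params)

    if tag.kind == "trust":
        # (11)-(15): the authentication key must decrypt to a registered service
        if not auth_key:
            raise AuthenticationFailure("authentication key missing")
        code = decrypt_trust_token(auth_key)
        if not code:
            raise AuthenticationFailure("service code empty")
        if code not in LOCAL_TRUST_REGISTRY:
            raise AuthenticationFailure("service not in local trust registry")
        # (16)-(18): an empty allow-list admits any registered trusted service
        if tag.values and code not in tag.values:
            raise AuthenticationFailure("service not allowed on this interface")
        return f"trusted service {code}"

    # Guest, signed-in and role tags share a prefix (steps x3/x4): a service key
    # that decrypts to a registered service code passes immediately.
    code = decrypt_trust_token(service_key) if service_key else ""
    if code and code in LOCAL_TRUST_REGISTRY:
        return f"trusted service {code}"

    # Steps x5/x6: otherwise fall back to the user's authentication key.
    info = decrypt_user_token(auth_key) if auth_key else None
    has_credential = bool(info) and "token" in info

    if tag.kind == "guest":
        # (27): a guest interface passes only requests WITHOUT a login credential
        if not has_credential:
            return "guest"
        raise AuthenticationFailure("guest interface called with a signed-in credential")

    if tag.kind == "signed_in":
        # (37): a login credential is required
        if has_credential:
            return f"signed-in user {info['token']}"
        raise AuthenticationFailure("not signed in")

    if tag.kind == "role":
        # (407)-(412): compare the tag's role codes with the user's role array
        if not info:
            raise AuthenticationFailure("authentication information empty")
        user_roles = set(info.get("roles", []))
        if tag.logic == "AND":
            missing = [r for r in tag.values if r not in user_roles]
            if missing:
                raise AuthenticationFailure(f"missing roles: {missing}")
        elif not any(r in user_roles for r in tag.values):
            raise AuthenticationFailure("none of the tag roles matches the user")
        return "role check passed"

    raise AuthenticationFailure(f"unknown tag kind {tag.kind!r}")


def fails(tag: AuthTag, params: dict) -> bool:
    """True when the filter rejects the request (convenience for callers)."""
    try:
        authenticate(tag, params)
    except AuthenticationFailure:
        return True
    return False
```

Note that the guest tag, as specified in step (27), rejects a request that carries a valid login credential; a service key from a registered trusted service short-circuits every tag except the trusted service tag itself.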
In an optional implementation manner, the filtering authentication algorithm corresponding to the authority authentication tag includes the following steps:
(501) acquire the service key from the request parameters;
(502) acquire the corresponding service code instance from the set interface parameter dictionary and delete the authentication key attribute from it;
(503) judge whether the service key is empty; if not, run the token decryption algorithm of the trusted service end to obtain the decrypted service code of the client;
(504) judge whether the client service code is empty; if not, judge whether it exists in the set local trusted service registry, and if so, authentication passes and the algorithm terminates;
(505) if the service code is empty, acquire the authentication key from the request parameters;
(506) decrypt the authentication key with the token decryption algorithm of the non-trusted service end to obtain a JSON object of decrypted authentication information;
(507) judge whether the authentication information is empty; if so, throw an authentication failure exception;
(508) acquire the authority array attribute of the object corresponding to the authentication information;
(509) determine the attribute of the annotation authentication tag corresponding to the request interface, namely the array of allowed authority codes;
(510) acquire the logic condition attribute of the annotation authentication tag corresponding to the request interface;
(511) if the logic condition attribute value is 'AND', iterate over the tag authority array of step (509) against the user authority array of step (508); if any tag authority is not matched by the user authorities, throw an authentication failure exception;
(512) if the logic condition attribute value is 'OR', iterate over the tag authority array of step (509) against the user authority array of step (508); if none of the tag authorities is matched by the user authorities, throw an authentication failure exception; otherwise authentication passes.
In an optional implementation manner, the annotation tag attributes further include a custom authentication tag, so that a developer can implement a custom authentication policy: if the built-in tags do not fit the actual scenario of a project, the developer defines an authentication tag (the custom authentication tag) and thereby implements the authentication policy for that specific scenario.
In an optional implementation manner, the token decryption algorithm of the trusted service end includes the following steps:
take the dynamic parameter dictionary preset by the trusted client as the initialization parameter and obtain an ordered parameter dictionary from it; convert the ordered parameter dictionary to a string to obtain a parameter string; asymmetrically encrypt the parameter string to obtain a parameter ciphertext; convert the parameter ciphertext to a byte array to obtain a parameter ciphertext byte array; decode the key token parameter to obtain a key token byte array; decrypt the key token byte array with a symmetric algorithm, using the parameter ciphertext byte array as the key, to obtain a service number byte array; and convert the service number byte array to a string to obtain the service number.
In an optional implementation manner, the token decryption algorithm of the non-trusted service end includes the following steps:
call a set first parameter module to obtain the interface request dynamic parameters, which form a first parameter, and call a set second parameter module to obtain the user authority certificate, which forms a second parameter, where the interface request dynamic parameters are provided by the non-trusted client and set by the service interface as needed, and the user authority certificate is extracted from the user authority information; add a timestamp to the first parameter; sort the attributes of the first parameter and convert it to a string to obtain a parameter string; asymmetrically encrypt the parameter string and truncate the result to obtain a first authentication key; take the user authority certificate from the second parameter and convert it to a string to obtain an authentication information string; symmetrically encrypt the authentication information string, using the first authentication key as the encryption auxiliary parameter, to obtain an authentication parameter; merge the authentication information string with the timestamp and asymmetrically encrypt the result to obtain an encrypted string; asymmetrically encrypt the encrypted string to obtain a second authentication key; confirm the key length of the second authentication key and insert the second authentication key into the authentication parameter to obtain a first ciphertext string, where the insertion position of the second authentication key is the index position given by a random number, the ciphertext of the second authentication key being inserted dynamically at that index position within the authentication parameter; the random number is an arbitrary integer between 1 and 99 generated at random within the set numerical range, and the key length confirmation rule is that when the random number exceeds the key length of the second authentication key, the random number is set to the key length of the second authentication key; and write the random number and the key length of the second authentication key into the first ciphertext string to obtain a second ciphertext string, namely the authentication key token, and write the second ciphertext string into the first parameter.
In an alternative embodiment, the authority matching algorithm includes the following steps:
S1, establish a third parameter holding the user authority code array and a fourth parameter holding the authority code to be matched; S2, obtain the authority node attribute array; S3, loop over the third parameter, splitting each object in it to obtain a user authority attribute array; S4, initialize the related temporary variable; S5, loop over the authority node attribute array of S2; S6, if the length of the user authority attribute array of S3 is less than or equal to the index of the current iteration, or the attribute at the current index in the user authority attribute array of S3 is equal to "+", terminate loop S5; S7, take the index of the current iteration of S5 and compare the user authority attribute with the current node attribute; if they are equal, continue loop S5; S8, otherwise set the temporary variable of S4 to no; S9, end loop S5; S10, if the temporary variable is yes, end the matching algorithm and return a match; S11, end loop S3; S12, end the matching algorithm and return no match.
In an alternative embodiment, initializing the temporary variable of S4 means that verification checks the array in a loop so that each authority attribute is checked and passed, with the result recorded in the temporary variable; here "the result is yes" means "the initial value of the variable is set to true".
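The authority matching algorithm S1-S12 and the AND/OR logic condition of the authority authentication tag (steps (511) and (512)), as an added Python example that is not the patent's own code; the function names are assumed, and the wildcard node, which appears as "+" in the translated text, is assumed to be "*".

```python
WILDCARD = "*"  # assumption: the wildcard node, rendered as "+" in the translated text


def match_permission(user_codes, required):
    """Steps S1-S12: does any code in user_codes grant the required code?

    Each code has the "resource:permission:attribute" shape. A user code matches
    when every node it has equals the corresponding node of the required code;
    a missing trailing node or a wildcard node covers whatever follows it."""
    node_attrs = required.split(":")                       # S2
    for user_code in user_codes:                           # S3
        user_attrs = user_code.split(":")
        matched = True                                     # S4
        for i, node in enumerate(node_attrs):              # S5
            # S6: user code is shorter, or holds a wildcard at this position
            if len(user_attrs) <= i or user_attrs[i] == WILDCARD:
                break
            if user_attrs[i] == node:                      # S7
                continue
            matched = False                                # S8
            break                                          # nothing further can match
        if matched:                                        # S10
            return True
    return False                                           # S12


def check_permission_tag(user_codes, tag_codes, logic="AND"):
    """Steps (511)/(512): evaluate the permission tag's logic condition.

    AND: every code declared on the tag must be matched by the user's codes.
    OR:  at least one declared code must be matched. Returns True on pass."""
    results = [match_permission(user_codes, code) for code in tag_codes]
    if logic == "AND":
        return all(results)
    return any(results)
```

Because S6 ends the node loop as soon as the user code runs out of nodes, a short user code such as "report" grants every "report:..." code; when declaring user authorities, the shorter the code, the broader the grant.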
The embodiment of the present invention further provides a declarative filtering authentication system, which is characterized by including:
a client, used to send an interface request to the server receiving end;
the server receiving end, used to receive the interface request from the client and, according to a set authentication annotation statement, trigger the corresponding pre-filter to perform filtering authentication on the request parameters in the interface request; the authentication annotation statement is used to determine, based on the annotation authentication tag corresponding to the request interface, the filtering authentication algorithm that the pre-filter needs to execute; the annotation authentication tag has multiple tag attributes, each tag attribute corresponds to one filtering authentication algorithm preset in the pre-filter, and each request interface corresponds to an annotation authentication tag of a certain attribute; the system is also used to judge whether the filtering authentication succeeded and, if so, to execute the interface and return the result, otherwise to throw an authentication failure exception; the annotation authentication tag is defined with the following attributes according to the interface authentication requirements, including but not limited to a trusted service authentication tag, a guest authentication tag, a signed-in authentication tag, a role authentication tag and a permission authentication tag;
a first processing module, used to send the interface request from the client to the server receiving end; a user state data structure matching the server receiving end is constructed in advance, where the user state data structure provides the user state information required by the filtering authentication process and is packaged together with the request parameters of the interface request and sent to the server receiving end, and the request parameters carry an authentication key and a service key used for authentication at the server end; the user state information comprises at least a user authority certificate, basic user information and authority data, where the user authority certificate is used to obtain the unique login state identifier of the user, that is, the key of the user state information under stateless session conditions; the authority data comprises role code data and resource authority code data.
Finally, it should be noted that: the above embodiments are only used to illustrate the technical solution of the present invention, and not to limit the same; while the invention has been described in detail and with reference to the foregoing embodiments, it will be understood by those skilled in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some or all of the technical features may be equivalently replaced; and the modifications or the substitutions do not make the essence of the corresponding technical solutions depart from the scope of the technical solutions of the embodiments of the present invention.

Claims (8)

1. A claim filtering authentication method, comprising the steps of:
s1, a client sends an interface request to a server receiving end;
s2, the server receiving end receives the interface request from the client;
s3, according to a set authentication annotation statement, the corresponding pre-filter is triggered to perform filtering authentication on the request parameters in the interface request, wherein the authentication annotation statement is used to determine, based on the annotation authentication tag corresponding to the request interface, the filtering authentication algorithm to be executed by the pre-filter; the annotation authentication tag has multiple tag attributes, each tag attribute corresponds to one filtering authentication algorithm preset in the pre-filter, and each request interface corresponds to an annotation authentication tag of a certain attribute; the annotation authentication tag is defined with the following attributes according to the interface authentication requirements, including but not limited to a trusted service authentication tag, a guest authentication tag, a signed-in authentication tag, a role authentication tag and a permission authentication tag;
s4, judge whether the filtering authentication succeeded; if so, execute the interface and return the result, otherwise throw an authentication failure exception;
before step S1, a user state data structure matching the server receiving end is further constructed, where the user state data structure provides the user state information required by the filtering authentication process in S3 and is packaged together with the request parameters of the interface request and sent to the server receiving end, and the request parameters carry the authentication key and the service key used for authentication by the server; the user state information comprises at least a user authority certificate, basic user information and authority data, where the user authority certificate is used to obtain the unique login state identifier of the user, that is, the key of the user state information under stateless session conditions; the authority data comprises role code data and resource authority code data.
2. The claim filtering authentication method as claimed in claim 1, wherein:
the filtering authentication algorithm corresponding to the trusted service authentication tag comprises the following steps:
(11) acquire the authentication key from the request parameters and judge whether it is empty; if so, throw an authentication failure exception, otherwise proceed to the next step;
(12) acquire the corresponding service code instance from the set interface parameter dictionary and delete the authentication key attribute from it;
(13) decrypt the authentication key with the token decryption algorithm of the trusted service end to obtain the decrypted service code of the client;
(14) judge whether the service code is empty; if so, throw an authentication failure exception, otherwise proceed to the next step;
(15) judge whether the service code exists in the set local trusted service registry; if not, throw an authentication failure exception;
(16) determine the attribute of the annotation authentication tag corresponding to the request interface, namely the array of allowed service codes;
(17) if the length of the service code array is 0, any trusted service passes authentication;
(18) iterate over the service code array of step (16) and judge whether a value identical to the client service code of step (13) exists; if so, confirm that authentication passes, otherwise throw an authentication failure exception.
3. The claim filtering authentication method as claimed in claim 1, wherein:
the filtering authentication algorithm corresponding to the guest authentication tag comprises the following steps:
(21) acquire the service key from the request parameters;
(22) acquire the corresponding service code instance from the set interface parameter dictionary and delete the service key attribute from it;
(23) judge whether the service key is empty; if not, run the token decryption algorithm of the trusted service end to obtain the decrypted service code of the client;
(24) judge whether the service code is empty; if not, judge whether it exists in the set local trusted service registry, and if so, authentication passes and the algorithm terminates;
(25) if the service code is empty, acquire the authentication key from the request parameters;
(26) decrypt the authentication key with the token decryption algorithm of the non-trusted service end to obtain decrypted authentication information;
(27) if the authentication information is empty or does not contain the dynamic credential attribute, authentication passes and the algorithm terminates; otherwise throw an authentication failure exception.
4. The claim filtering authentication method as claimed in claim 1, wherein:
the filtering authentication algorithm corresponding to the signed-in authentication tag comprises the following steps:
(31) acquire the service key from the request parameters;
(32) acquire the corresponding service code instance from the set interface parameter dictionary and delete the authentication key attribute from it;
(33) judge whether the service key is empty; if not, run the token decryption algorithm of the trusted service end to obtain the decrypted service code of the client;
(34) judge whether the service code is empty; if not, judge whether it exists in the set local trusted service registry, and if so, authentication passes and the algorithm terminates;
(35) if the service code is empty, acquire the authentication key from the request parameters;
(36) decrypt the authentication key with the token decryption algorithm of the non-trusted service end to obtain decrypted authentication information;
(37) judge whether the authentication information is empty; if it is not empty and contains the dynamic credential attribute, authentication passes and the algorithm terminates; otherwise throw an authentication failure exception.
5. The claim filtering authentication method as claimed in claim 1, wherein:
the filtering authentication algorithm corresponding to the role authentication tag comprises the following steps:
(401) acquire the service key from the request parameters;
(402) acquire the corresponding service code instance from the set interface parameter dictionary and delete the authentication key attribute from it;
(403) judge whether the service key is empty; if not, run the token decryption algorithm of the trusted service end to obtain the decrypted service code of the client;
(404) judge whether the service code is empty; if not, judge whether it exists in the set local trusted service registry, and if so, authentication passes and the algorithm terminates;
(405) if the service code is empty, acquire the authentication key from the request parameters;
(406) decrypt the authentication key with the token decryption algorithm of the non-trusted service end to obtain decrypted authentication information;
(407) judge whether the authentication information is empty; if so, throw an authentication failure exception;
(408) acquire the role array attribute of the object corresponding to the authentication information;
(409) determine the attribute of the annotation authentication tag corresponding to the request interface, namely the array of allowed role codes;
(410) acquire the logic condition attribute of the annotation authentication tag corresponding to the request interface;
(411) if the logic condition attribute value is 'AND', iterate over the tag role array of step (409) against the user role array of step (408); if any tag role does not exist in the user role array, throw an authentication failure exception;
(412) if the logic condition attribute value is 'OR', iterate over the tag role array of step (409) against the user role array of step (408); if none of the tag roles matches a value in the user role array, throw an authentication failure exception; otherwise authentication passes.
6. The claim filtering authentication method as claimed in claim 1, wherein:
the filtering authentication algorithm corresponding to the authority authentication tag comprises the following steps:
(501) acquire the service key from the request parameters;
(502) acquire the corresponding service code instance from the set interface parameter dictionary and delete the authentication key attribute from it;
(503) judge whether the service key is empty; if not, run the token decryption algorithm of the trusted service end to obtain the decrypted service code of the client;
(504) judge whether the client service code is empty; if not, judge whether it exists in the set local trusted service registry, and if so, authentication passes and the algorithm terminates;
(505) if the service code is empty, acquire the authentication key from the request parameters;
(506) decrypt the authentication key with the token decryption algorithm of the non-trusted service end to obtain decrypted authentication information;
(507) judge whether the authentication information is empty; if so, throw an authentication failure exception;
(508) acquire the authority array attribute of the object corresponding to the authentication information;
(509) determine the attribute of the annotation authentication tag corresponding to the request interface, namely the array of allowed authority codes;
(510) acquire the logic condition attribute of the annotation authentication tag corresponding to the request interface;
(511) if the logic condition attribute value is 'AND', iterate over the tag authority array of step (509) against the user authority array of step (508); if any tag authority is not matched by the user authorities, throw an authentication failure exception;
(512) if the logic condition attribute value is 'OR', iterate over the tag authority array of step (509) against the user authority array of step (508); if none of the tag authorities is matched by the user authorities, throw an authentication failure exception; otherwise authentication passes.
7. The claim filtering authentication method as claimed in claim 1, wherein:
the annotation authentication tag attributes further include a custom authentication tag.
8. A claim filtering authentication system, comprising:
a client, used to send an interface request to a server receiving end;
the server receiving end, used to receive the interface request from the client and, according to a set authentication annotation statement, trigger the corresponding pre-filter to perform filtering authentication on the request parameters in the interface request; the authentication annotation statement is used to determine, based on the annotation authentication tag corresponding to the request interface, the filtering authentication algorithm that the pre-filter needs to execute; the annotation authentication tag has multiple tag attributes, each tag attribute corresponds to one filtering authentication algorithm preset in the pre-filter, and each request interface corresponds to an annotation authentication tag of a certain attribute; the system is also used to judge whether the filtering authentication succeeded and, if so, to execute the interface and return the result, otherwise to throw an authentication failure exception; the annotation authentication tag is defined with the following attributes according to the interface authentication requirements, including but not limited to a trusted service authentication tag, a guest authentication tag, a signed-in authentication tag, a role authentication tag and a permission authentication tag;
a first processing module, used to send the interface request from the client to the server receiving end; a user state data structure matching the server receiving end is constructed in advance, where the user state data structure provides the user state information required by the filtering authentication process and is packaged together with the request parameters of the interface request and sent to the server receiving end, and the request parameters carry an authentication key and a service key used for authentication at the server end; the user state information comprises at least a user authority certificate, basic user information and authority data, where the user authority certificate is used to obtain the unique login state identifier of the user, that is, the key of the user state information under stateless session conditions; the authority data comprises role code data and resource authority code data.
CN201810438971.2A 2018-05-09 2018-05-09 Statement filtering authentication method and system Active CN108600266B (en)

Publications (2)

Publication Number Publication Date
CN108600266A CN108600266A (en) 2018-09-28
CN108600266B true CN108600266B (en) 2020-09-22

Family

ID=63636086

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201810438971.2A Active CN108600266B (en) 2018-05-09 2018-05-09 Statement filtering authentication method and system

Country Status (1)

Country Link
CN (1) CN108600266B (en)

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112149108A (en) * 2020-09-15 2020-12-29 京东数字科技控股股份有限公司 Access control method, device, electronic equipment and storage medium
CN112231686B (en) * 2020-10-20 2024-02-27 城云科技(中国)有限公司 System security authentication method and device based on security authentication identification
CN115442372A (en) * 2022-09-16 2022-12-06 平安付科技服务有限公司 Interface calling method and micro-service application system applying same

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1505309A (en) * 2002-11-20 2004-06-16 Securely processing client credentials used for web-based access to resources
CN104539615A (en) * 2014-12-29 2015-04-22 中国南方电网有限责任公司 Cascading authentication method based on CAS

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8533746B2 (en) * 2006-11-01 2013-09-10 Microsoft Corporation Health integration platform API

Patent Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1505309A (en) * 2002-11-20 2004-06-16 Securely processing client credentials used for web-based access to resources
CN104539615A (en) * 2014-12-29 2015-04-22 中国南方电网有限责任公司 Cascading authentication method based on CAS

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
"A Survey on Internet of Things From Industrial Market Perspective"; C. Perera, C. H. Liu, S. Jayawardena and M. Chen; IEEE Access; 20141231; full text *
"Research and Application of the Java Security Framework Shiro in the Web"; 翁云翔; China Master's Theses Full-text Database, Information Science and Technology; 20160715; Sections 2.3.2 and 2.4.3 of the main text *

Also Published As

Publication number Publication date
CN108600266A (en) 2018-09-28

Similar Documents

Publication Publication Date Title
CN109067728B (en) Access control method and device for application program interface, server and storage medium
US11252140B2 (en) Systems and methods for securely calling APIs on an API gateway from applications needing first party authentication
CN106209749B (en) Single sign-on method and device, and related equipment and application processing method and device
US9621355B1 (en) Securely authorizing client applications on devices to hosted services
CN108600268B (en) Encryption and decryption method applied to non-credit authentication and non-credit authentication system
US10218691B2 (en) Single sign-on framework for browser-based applications and native applications
US10320771B2 (en) Single sign-on framework for browser-based applications and native applications
CN106685973B (en) Remember method and device, log-in control method and the device of log-on message
CN108616540B (en) Platform authentication method and system based on cross-platform encryption algorithm and declarative filtering authentication
CN112671720B (en) Token construction method, device and equipment for cloud platform resource access control
US20180020008A1 (en) Secure asynchronous communications
JP2019185775A (en) Authority authentication method for block chain infrastructure, terminal, and server using the same
US11411731B2 (en) Secure API flow
US11811739B2 (en) Web encryption for web messages and application programming interfaces
CN108600266B (en) Statement filtering authentication method and system
CN111818088A (en) Authorization mode management method and device, computer equipment and readable storage medium
CN107040501B (en) Authentication method and device based on platform as a service
KR20220002455A (en) Improved transmission of data or messages in the vehicle using the SOME/IP communication protocol
CN109962892A (en) A kind of authentication method and client, server logging in application
US11977620B2 (en) Attestation of application identity for inter-app communications
CN116192483A (en) Authentication method, device, equipment and medium
CN108292997B (en) Authentication control system and method, server device, client device, authentication method, and recording medium
KR101637155B1 (en) A system providing trusted identity management service using trust service device and its methods of operation
CN116668056A (en) Extending OIDC authentication to service accounts for dual authorization
CN114070616A (en) Distributed session sharing method and system based on redis cache

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant