CN108901022B - Micro-service unified authentication method and gateway - Google Patents


Info

Publication number: CN108901022B
Authority: CN (China)
Prior art keywords: service, authentication, micro, gateway, client
Legal status: Active
Application number: CN201810689051.8A
Other languages: Chinese (zh)
Other versions: CN108901022A
Inventors: 李永耀, 唐国伟, 朱武
Current assignee: Shenzhen Yunzhijia Network Co ltd
Original assignee: Shenzhen Yunzhijia Network Co ltd
Events: application filed by Shenzhen Yunzhijia Network Co ltd; priority to CN201810689051.8A; publication of CN108901022A; application granted; publication of CN108901022B; legal status active.

Classifications

    • H ELECTRICITY / H04 ELECTRIC COMMUNICATION TECHNIQUE
        • H04W WIRELESS COMMUNICATION NETWORKS
            • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
                • H04W 12/06 Authentication
            • H04W 88/00 Devices specially adapted for wireless communication networks, e.g. terminals, base stations or access point devices
                • H04W 88/16 Gateway arrangements
        • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
            • H04L 63/00 Network architectures or network communication protocols for network security
                • H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities
                    • H04L 63/0807 Network architectures or network communication protocols for network security for authentication of entities using tickets, e.g. Kerberos
                    • H04L 63/0876 Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
            • H04L 67/00 Network arrangements or protocols for supporting network services or applications
                • H04L 67/01 Protocols
                    • H04L 67/02 Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
                    • H04L 67/133 Protocols for remote procedure calls [RPC]


Abstract

The embodiment of the invention discloses a micro-service unified authentication method which is used for realizing micro-service authentication of various service types, is flexibly configurable and non-intrusive to the micro-service modules, and improves the flexibility of micro-service authentication. The method provided by the embodiment of the invention comprises the following steps: the gateway receives a micro-service authentication request sent by a client, and extracts a Uniform Resource Identifier (URI) from the authentication request; the gateway sends the URI to a gateway management micro-service, which stores a mapping table from the URI to a micro-service interface type, a micro-service address, a micro-service authentication type and an authentication credential parameter; the gateway receives the corresponding micro-service interface type, micro-service address, micro-service authentication type and authentication credential parameter sent by the gateway management micro-service, and extracts the corresponding authentication credential parameter from the authentication request; the gateway sends the URI and the corresponding authentication credential parameter to an authentication service for authentication and receives a corresponding authentication result.

Description

Micro-service unified authentication method and gateway
Technical Field
The invention relates to the technical field of micro services, in particular to a micro service unified authentication method.
Background
In the era of the mobile internet, business is becoming more and more complex. Taking the cloud as an example, the business can be divided by domain into instant messaging, enterprise organizational structure, colleague circle, and so on. The volume of data per business module is huge. A single monolithic application cannot meet requirements such as isolation, horizontal scaling, flexible upgrades and collaborative development by multiple teams. Therefore, the cloud adopts the industry-accepted micro-service architecture, and the resulting micro-services number in the hundreds. Each of these hundreds of micro-services may have to support requests from multiple sources, such as PC web sites, PC desktop clients, mobile clients and open platforms. In the early development stage of the cloud, in order to move quickly, micro-services owned by different teams adopted different technology stacks, such as Spring MVC and the Play framework based on the HTTP protocol, and Motan and Dubbo based on TCP. Many micro-services implemented their own authentication logic. Today this places a great burden on the expansion and maintenance of services, so a unified authentication process is urgently needed.
Generally, unified micro-service authentication means extracting the authentication logic scattered across the micro-services into a global gateway. Gateway solutions currently on the market include:
(1) Kong, a high-performance gateway built on Nginx and Lua, which provides authentication implementations such as HTTP Basic, OAuth 2.0, HMAC, JWT and LDAP.
(2) Spring Cloud Zuul, a gateway built on J2EE and Spring, which offers security authentication, filtering, circuit breaking, routing, load balancing and similar functions. By discovering micro-service instances from the service center, Spring Cloud Zuul can achieve dynamic load balancing, and is a good choice as a micro-service gateway.
As gateways for micro-services built on a Java technology stack, the gateways currently on the market have different defects:
(1) Kong is configured through configuration files, which is not flexible enough; it is based on C and Lua, so development is difficult; integrating it with an existing Java micro-service governance system requires high development cost; and its built-in HTTP Basic authentication cannot be connected to the user's own account system.
(2) Spring Cloud Zuul does not provide any authentication function itself and has to be integrated with other authentication components, so the project grows larger and larger and is not flexible enough; Spring Cloud Zuul only supports HTTP micro-services and cannot be connected to RPC micro-services. After Spring Cloud Zuul is integrated with OAuth2, the business micro-service still needs to invoke the authentication service to validate the access token, which is too intrusive to the business micro-service.
Disclosure of Invention
The embodiment of the invention provides a micro-service unified authentication method, which is used for realizing micro-service authentication of multiple service types, is flexibly configurable and non-intrusive to the micro-service modules, and improves the flexibility of micro-service authentication.
The first aspect of the embodiments of the present invention provides a method for authenticating a micro service, which configures a gateway management micro service and an authentication service on a gateway, and includes:
the gateway receives a micro-service authentication request sent by a client, and extracts a Uniform Resource Identifier (URI) from the authentication request;
the gateway sends the URI to the gateway management micro-service, and the gateway management micro-service is used for storing a mapping table of the URI and micro-service interface type, a micro-service address, a micro-service authentication type and authentication voucher parameters;
the gateway receives the corresponding micro service interface type, micro service address, micro service authentication type and authentication voucher parameter sent by the gateway management micro service, and extracts the corresponding authentication voucher parameter from the authentication request;
and the gateway sends the URI and the corresponding authentication certificate parameter to the authentication service for authentication and receives a corresponding authentication result.
Preferably, the method further comprises:
if the authentication result is successful, the gateway receives an authentication success prompt sent by the authentication service and the identity information of the client;
the gateway takes the identity information and the authentication request as parameters, constructs first request information and sends the first request information to a service micro server;
the gateway receives the service response sent by the service micro server and sends the service response to the client;
and if the authentication result is failure, the gateway receives an authentication failure prompt sent by the authentication service and sends the authentication failure prompt to the client.
Preferably, a micro-service client class and a service center are configured on the gateway, the micro-service client class is used for storing a micro-service domain name, and the service center is used for storing a mapping table between the micro-service domain name and a micro-service IP address;
after the gateway receives the authentication success prompt sent by the authentication service and the identity information of the client if the authentication result is successful, the method further includes:
if the service micro service is the RPC service type, the gateway sends a micro service domain name to be called to the micro service client class, so that the micro service client class obtains a corresponding micro service IP address from the service center and sends the micro service IP address to the gateway.
Preferably, after the gateway receives the corresponding micro service interface type, micro service address, micro service authentication type and authentication credential parameter sent by the gateway management micro service, the method further includes:
and the gateway caches the corresponding micro service interface type, micro service address, micro service authentication type and authentication voucher parameter for the validity period so as to accelerate the next authentication process.
Preferably, after the authentication result is successful, the method further includes:
and the gateway caches the validity period of the successful authentication prompt so as to accelerate the next authentication process.
Preferably,
if the service microservice is of the Http service type, the gateway writes the identity information of the client into a Http Header in the first request message, and sends the identity information to the service microserver so that the service microserver can read the identity information to perform secondary confirmation;
if the service micro service is the RPC service type, the gateway writes the identity information of the client into the first request information by using an additional parameter, and sends the identity information to the service micro server, so that the service micro server can read the identity information to perform secondary confirmation.
Preferably, after the gateway receives the authentication success prompt sent by the authentication service and the identity information of the client if the authentication result is successful, the method further includes:
and if the client and the service micro server belong to the same local area network, the gateway directly accesses the service micro server.
Preferably, the gateway and the gateway management micro-service communicate over the HTTP protocol, and the communication format is JSON.
In a second aspect of the embodiments of the present invention, a gateway is provided, where the gateway is configured with a gateway management micro-service and an authentication service, and the gateway includes:
the first receiving unit is used for receiving a micro-service authentication request sent by a client and extracting a Uniform Resource Identifier (URI) from the authentication request;
the sending unit is used for sending the URI to the gateway management micro-service, and the gateway management micro-service is used for storing a mapping table of the URI and a micro-service interface type, a micro-service address, a micro-service authentication type and an authentication certificate parameter;
a second receiving unit, configured to receive the corresponding micro service interface type, micro service address, micro service authentication type, and authentication credential parameter sent by the gateway management micro service, and extract the corresponding authentication credential parameter from the authentication request;
and the authentication unit is used for sending the URI and the corresponding authentication certificate parameter to the authentication service for authentication and receiving a corresponding authentication result.
The embodiment of the present invention further provides a computer apparatus, which includes a processor, and the processor executes a computer program stored in a memory, so as to implement the micro-service unified authentication method provided in the first aspect of the embodiment of the present invention.
An embodiment of the present invention further provides a readable storage medium, on which a computer program is stored, where the computer program, when executed by a processor, is configured to implement the micro-service unified authentication method provided in the first aspect of the embodiment of the present invention.
According to the technical scheme, the embodiment of the invention has the following advantages:
in the embodiment of the invention, a gateway receives a micro-service authentication request sent by a client, and extracts a Uniform Resource Identifier (URI) from the authentication request; it then sends the URI to a gateway management micro-service, which stores a mapping table from the URI to a micro-service interface type, a micro-service address, a micro-service authentication type and an authentication credential parameter; the gateway receives the corresponding micro-service interface type, micro-service address, micro-service authentication type and authentication credential parameter sent by the gateway management micro-service, and extracts the corresponding authentication credential parameter from the authentication request; the gateway sends the URI and the corresponding authentication credential parameter to an authentication service for authentication and receives a corresponding authentication result. In the embodiment of the invention, the authentication logic of the micro-services is extracted to the gateway, and the gateway is configured with the gateway management micro-service and the authentication service, so that the interface mapping and the authentication of the micro-services are each handled by an independent micro-service instead of being limited to a configuration file or a fixed convention; the configuration cost is lower, the authentication service is more flexible, and its extensibility is greater.
Drawings
FIG. 1 is a diagram of an embodiment of a unified authentication method for microservice in an embodiment of the present invention;
FIG. 2 is a diagram of a web page management background according to an embodiment of the present invention;
FIG. 3 is a flow chart of the exchange between the client and the gateway according to the embodiment of the present invention;
FIG. 4 is a diagram of another embodiment of a unified authentication method for microservice in an embodiment of the present invention;
FIG. 5 is a diagram of another embodiment of a unified authentication method for microservice in an embodiment of the present invention;
FIG. 6 is a diagram of an embodiment of a gateway in an embodiment of the invention;
FIG. 7 is a schematic diagram of another embodiment of the gateway in the embodiment of the present invention.
Detailed Description
The embodiment of the invention provides a micro-service unified authentication method, which is used for realizing micro-service authentication of multiple service types, is flexibly configurable and non-intrusive to the micro-service modules, and improves the flexibility of micro-service authentication.
In order to make the technical solutions of the present invention better understood, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
The terms "first," "second," "third," "fourth," and the like in the description and in the claims, as well as in the drawings, are used for distinguishing between similar elements and not necessarily for describing a particular sequential or chronological order. It will be appreciated that the data so used may be interchanged under appropriate circumstances such that the embodiments described herein may be practiced otherwise than as specifically illustrated or described herein. Furthermore, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed, but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
At present, in the era of the mobile internet, taking the cloud as an example, each business module needs to have a PC web end, a PC desktop end and a mobile client at the same time, and may even be offered to ecosystem partners through an open platform interface. The inherent technical characteristics of each end call for different authorization and authentication methods. Since the PC web end depends on a browser, using Session and Cookie is the natural choice. For the mobile client, a generic token is more suitable. The open platform can issue access tokens to partners' clients using OAuth2. For a time-limited file download scenario, such as a cloud network disk, JWT is appropriate. Therefore, for a complex business scenario, no single technical scheme can be optimal, and authentication schemes must necessarily be mixed according to the situation.
As gateways for micro-services built on a Java technology stack, the gateway implementations currently on the market all have different defects:
(1) Kong is configured through configuration files, which is not flexible enough; it is based on C and Lua, so development is difficult; integrating it with an existing Java micro-service governance system requires high development cost; and its built-in HTTP Basic authentication cannot be connected to the user's own account system.
(2) Spring Cloud Zuul does not provide any authentication function itself and has to be integrated with other authentication components, so the project grows larger and larger and is not flexible enough; Spring Cloud Zuul only supports HTTP micro-services and cannot be connected to RPC micro-services. After Spring Cloud Zuul and OAuth2 are integrated, the business micro-service still needs to call the authentication service to validate the access token, which is too intrusive to the business micro-service.
Based on the limitations of existing gateways for micro-service authentication, the invention provides a micro-service unified authentication method, which is flexibly configurable and non-intrusive to the micro-service modules, and improves the flexibility of micro-service authentication.
For convenience of understanding, the micro-service unified authentication method in the present invention is described below, and referring to fig. 1, an embodiment of the micro-service unified authentication method in the embodiment of the present invention includes:
the invention extracts the authentication logic to the gateway, and configures the gateway management micro service and the authentication service on the gateway, wherein the specific authentication method comprises the following steps:
101. the gateway receives a micro-service authentication request sent by a client, and extracts a Uniform Resource Identifier (URI) from the authentication request;
At present, in the era of the mobile internet, taking the cloud as an example, each business module needs to have a PC web end, a PC desktop end and a mobile client at the same time, and the business module may even be offered to ecosystem partners through an open platform interface. The inherent technical characteristics of each end call for different authorization and authentication methods. Since the PC web end depends on a browser, using Session and Cookie is the natural choice. For the mobile client, a generic token is more suitable. The open platform can issue access tokens to partners' clients using OAuth2. For a time-limited file download scenario, such as a cloud network disk, JWT is appropriate.
Specifically, with Session and Cookie, when a user accesses a protected page for the first time no proof of identity is carried, so the server side requires credentials such as an account and a password for the initial authentication. After authentication succeeds, the identity information is recorded as a Session, which is either stored on the server side or returned directly to the client. It is transmitted to the client through the HTTP Cookie header field. The server side can send all of the Session information to the client through the Cookie header field; alternatively, the Session can be stored on the server and only its corresponding ID placed in the Cookie field, which effectively reduces the amount of content sent to the client. Because the browser carries the Cookie with every request, the front-end program needs no additional work to handle authentication-related logic. Session and Cookie are therefore the preferred authentication means for web services.
With the Session and Cookie technique, if the Session information is placed directly in the Cookie and sent to the client, network traffic is large because every request carries the Cookie from the last response. Meanwhile, if the Session or SessionId in the Cookie does not have HttpOnly set to true, the browser exposes the Cookie to the document object, and external JS scripts on the web page can read the Session through JS, steal the credential and impersonate the victim user. The Session and Cookie authentication scheme therefore has an XSS security risk.
Specifically, a generic token is a unique token generated after the server-side authentication passes; the identity information and the token are stored on the server in association with each other, and the token is returned to the visitor. On the next access the token is carried along, and the server side uses the unique token to look up the session information and check whether the token is valid. If it is valid, continued access is allowed while the identity information is provided to the business logic. The token is similar to storing the Session on the server side, but it does not rely on the HTTP Cookie, and the validity of the token and the right to interpret the associated identity information are completely controlled by the server side.
For a generic token used on a web site, additional processing logic is required so that each request carries the token. During a session the server side needs to continuously extend the token's validity period, otherwise authentication may suddenly expire in the middle of continuous access. The server also needs additional technology to store and manage the tokens and the identity information.
JWT (JSON Web Token) is an authentication token based on the JSON standard. A JWT consists of three sections of information, and the JWT string is formed by joining the three sections with the '.' character. The first section, called the header, contains the token type and the algorithm used for the signature. The second section is called the payload and contains the JWT standard fields and user-defined fields, that is, the identity information. The third section is the signature: the base64-encoded header and the base64-encoded payload are joined with '.' into a string, which is then signed with a secret using the algorithm declared in the header, and the result constitutes the third section of the JWT. JWT has the advantage of being cross-language, because both the header and the payload are JSON data. The header and the payload carry metadata and business data such as the algorithm, expiration time and number of uses, so the server side does not need a secondary query to obtain the identity information and expiration time during authentication; authentication is more efficient and no extra storage is needed. The trailing section carries a cryptographic signature, so the token cannot be tampered with, that is, the header and the payload cannot be modified. JWT does not rely on the HTTP Cookie field for transmission and is suitable for non-HTTP interfaces.
For JWT, although its header and payload sections are "encrypted" with base64, base64 is not an encryption algorithm at all but an encoding that converts arbitrary bytes into ASCII strings; the cost of decoding a base64 field is zero. The whole JWT is just a plaintext string that cannot be tampered with. Without fully understanding the "encryption" and signature characteristics of JWT, developers are likely to place confidential business data into the payload, which is a significant security risk. Since the control information governing the validity of the JWT (number of uses, validity duration) is also placed in the payload, once a JWT has been issued it cannot be disabled before its expiration date, which leaves the scheme uncontrollable in an emergency.
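As an added Python illustration of the two paragraphs above (example code, not from the patent or the assignee), the block below builds an HS256 JWT from the standard library only, reads its payload without any key to show that base64url is encoding rather than encryption, rejects a tampered payload or an unexpected algorithm, and enforces `exp`; the optional `revoked` set of `jti` values is this example's own server-side mitigation for the early-disable problem described above.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Dict, Optional, Set, Tuple


def b64url_encode(raw: bytes) -> str:
    # JWT uses base64url with the '=' padding stripped
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    # Restore the padding that was stripped at encoding time
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def compact_json(obj: Dict) -> bytes:
    return json.dumps(obj, separators=(",", ":"), sort_keys=True).encode("utf-8")


def issue_jwt(payload: Dict, secret: bytes) -> str:
    """header.payload.signature, where the signature is HMAC-SHA256 over 'header.payload'."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = b64url_encode(compact_json(header)) + "." + b64url_encode(compact_json(payload))
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def read_payload_without_key(token: str) -> Dict:
    """Anyone holding the token can read the claims: no key is involved in decoding."""
    payload_b64 = token.split(".")[1]
    return json.loads(b64url_decode(payload_b64))


def verify_jwt(token: str, secret: bytes, now: Optional[float] = None,
               revoked: Optional[Set[str]] = None) -> Tuple[bool, str]:
    """Return (accepted, reason): structure, pinned algorithm, signature, exp, then revocation."""
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed"
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
        payload = json.loads(b64url_decode(payload_b64))
        sig = b64url_decode(sig_b64)
    except ValueError:  # covers binascii.Error, JSONDecodeError and bad UTF-8
        return False, "malformed"
    # Pin the algorithm on the verifier side; the token must not choose how it is checked
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return False, "unexpected alg"
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return False, "bad signature"
    now = time.time() if now is None else now
    exp = payload.get("exp") if isinstance(payload, dict) else None
    if not isinstance(exp, (int, float)) or now >= exp:
        return False, "expired"
    # Server-side denylist of token ids (hypothetical here): the way to disable a still-valid JWT early
    if revoked is not None and payload.get("jti") in revoked:
        return False, "revoked"
    return True, "ok"
```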
Based on the fact that different terminals in the prior art are suitable for different optimized authentication modes and are limited by specific micro-service types, in the embodiment, authentication logics of various micro-services are extracted to the gateway, and the gateway adopts independent micro-service configuration, namely, the gateway management micro-service and the authentication service are configured on the gateway, so that the gateway supports different types of micro-service authentication, such as HTTP service types and RPC service types, and the flexibility and the expansibility of the micro-service authentication are improved.
Specifically, the gateway in this embodiment receives an authentication request sent by the client. The authentication request is used to authenticate the identity of the client accessing the micro-service: when the client's identity is legitimate, the gateway allows the client to access the corresponding micro-service, otherwise the gateway denies the client access to the micro-service. Generally, an authentication request, as an interactive operation, carries an authentication credential parameter, a URI (uniform resource identifier) and the like. The URI is a character string identifying the name of an internet resource and allows the user to interact with any resource through a specific protocol; that is, the URI in the authentication request carries the specific protocol that the interacting parties follow.
After receiving the authentication request sent by the client, the gateway extracts a specific URI from the authentication request, and performs step 102.
It is easily understood that the client in this embodiment may be any one of a PC web end, a PC desktop end, a mobile client and an open platform, and is not limited herein.
102. The gateway sends the URI to a gateway management micro-service, and the gateway management micro-service is used for storing a mapping table of the URI and a micro-service interface type, a micro-service address, a micro-service authentication type and an authentication voucher parameter;
After the gateway extracts the URI from the authentication request, it sends the URI to the gateway management micro-service. The gateway management micro-service stores a mapping table from the URI to a micro-service interface type, a micro-service address, a micro-service authentication type and an authentication credential parameter, so that after receiving the URI it reads the corresponding micro-service interface type, micro-service address, micro-service authentication type and authentication credential parameter from the mapping table and sends them to the gateway.
Furthermore, the gateway management micro-service can further provide a webpage management background for mapping configuration and interface authentication configuration of different interfaces besides providing an interface for the gateway to inquire, and the gateway management micro-service can take effect immediately after the configuration is completed without restarting the gateway, thereby realizing dynamic configuration of the service micro-service interface authentication mode and improving the flexibility of the service micro-service authentication mode. Fig. 2 shows a schematic diagram of a web page management background.
103. The gateway receives the corresponding micro-service interface type, micro-service address, micro-service authentication type and authentication credential parameter sent by the gateway management micro-service, and extracts the corresponding authentication credential parameter from the authentication request;
After receiving the micro-service interface type, micro-service address, micro-service authentication type and authentication credential parameter corresponding to the URI, the gateway extracts the authentication credential parameter corresponding to the URI from the authentication request in order to execute step 104.
Specifically, the authentication credential parameter includes a session cookie, an access token and the like, which are not limited here.
Preferably, in order to accelerate the next authentication process for the client, after receiving the micro-service interface type, micro-service address, micro-service authentication type and authentication credential parameter corresponding to the URI, the gateway may cache each of these parameters for a validity period, so that when the authentication process is executed for the client within the validity period, step 102 may be omitted and the authentication process is accelerated.
104. The gateway sends the URI and the corresponding authentication credential parameter to an authentication service for authentication and receives a corresponding authentication result.
The gateway sends the URI and the corresponding authentication credential parameter to an authentication service for authentication, and receives the corresponding authentication result once the authentication service completes the authentication. It is easy to understand that the authentication service stores in advance a correspondence table between the URI, the authentication credential and the client, so that it can authenticate the identity of the client after receiving the URI and the credential parameter.
Specifically, the authentication result is either authentication success or authentication failure, and for each result the gateway executes a corresponding operation to complete the access to the micro-service. The specific operations are described in detail in the following embodiments and are not repeated here.
Furthermore, in order to add further authentication services flexibly, a service center can be configured on the gateway. The service center stores the instance address of each authentication service; the gateway and the authentication service communicate over the HTTP protocol, and the parameters exchanged between them are in JSON format. Thus, when several authentication modes need to be added for a single business micro-service, only one line needs to be added to the configuration file, giving the serviceId of the newly added authentication service, its short name, and the mapping between the source credential field and the authentication parameter field. When the gateway then receives an authentication request from the client, it queries the service center for the instance address of the newly added authentication service and forwards the authentication request to that address for authentication, which increases the flexibility and extensibility of the authentication service configuration.
In the embodiment of the invention, the gateway receives a micro-service authentication request sent by a client and extracts a URI (uniform resource identifier) from the authentication request; it then sends the URI to a gateway management micro-service, which stores a mapping table from the URI to a micro-service interface type, a micro-service address, a micro-service authentication type and an authentication credential parameter; the gateway receives the corresponding micro-service interface type, micro-service address, micro-service authentication type and authentication credential parameter sent by the gateway management micro-service, and extracts the corresponding authentication credential parameter from the authentication request; the gateway sends the URI and the corresponding authentication credential parameter to an authentication service for authentication and receives a corresponding authentication result. In the embodiment of the invention, the authentication logic of the micro-services is lifted into the gateway, and the gateway is configured with the gateway management micro-service and the authentication service, so that the interface mapping and the authentication of the micro-services are each handled by an independent micro-service rather than being fixed by a configuration file or a convention; the configuration cost is lower, and the authentication service is more flexible and more extensible.
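Steps 101 to 104 above, as an added example (not code from the patent or from the applicant): a small Python gateway that normalizes the request URI, looks the route up in a stand-in mapping table and keeps it for a cached validity period, extracts the credential named by the mapping from the cookie or header, and dispatches the URI plus credential to the authentication service registered under the route's serviceId. The mapping table, the one-line-per-service configuration with its source-field to parameter-field renaming, the service center and both authentication services are in-process stand-ins, and every path, serviceId, header name and credential value is an assumption. Two details are the editor's own rather than the patent's: the URI is normalized before the lookup, and a request whose URI has no mapping is denied instead of being passed through.

```python
"""Gateway unified authentication, steps 101-104 above. Added example, not code
from the patent: in-process dicts and callables stand in for the gateway
management micro-service, the service center and the authentication services
(reached over HTTP with JSON in the patent). Paths, serviceIds, header names
and sample credentials are all assumed."""
from dataclasses import dataclass
from http.cookies import SimpleCookie
import posixpath
import time
from typing import Callable, Optional

@dataclass(frozen=True)
class RouteConfig:
    interface_type: str    # micro-service interface type: "http" or "rpc"
    address: str           # micro-service address the gateway forwards to
    auth_type: str         # micro-service authentication type (auth serviceId)
    credential_param: str  # where the credential is carried: "<source>:<name>"

# Stand-in for the mapping table held by the gateway management micro-service.
MAPPING_TABLE = {
    "/im/messages": RouteConfig("http", "http://im.internal:8080", "sessionAuth", "cookie:sid"),
    "/org/tree": RouteConfig("rpc", "motan://org.internal:8002", "tokenAuth", "header:Authorization"),
}
# One configuration line per authentication service: serviceId ->
# (short name, source credential field -> authentication parameter field).
AUTH_SERVICE_CONFIG = {
    "sessionAuth": ("session", {"cookie:sid": "sessionId"}),
    "tokenAuth": ("token", {"header:Authorization": "accessToken"}),
}
# Constructed sample data behind the two stand-in authentication services.
_SESSIONS = {"sid-7f3a": {"userId": "u1001", "name": "alice"}}
_TOKENS = {"tok-91cd": {"userId": "u2002", "name": "bob"}}

def _stand_in_service(store: dict, param: str) -> Callable[[str, dict], dict]:
    def service(uri: str, params: dict) -> dict:
        identity = store.get(params.get(param, ""))
        return {"ok": identity is not None, "identity": identity}
    return service

# Stand-in for the service center: serviceId -> authentication service instance.
SERVICE_CENTER = {
    "sessionAuth": _stand_in_service(_SESSIONS, "sessionId"),
    "tokenAuth": _stand_in_service(_TOKENS, "accessToken"),
}
MAPPING_TTL_SECONDS = 60.0
_mapping_cache: dict = {}  # normalized path -> (expiry, RouteConfig)

def normalize_uri(uri: str) -> Optional[str]:
    """Drop the query string and collapse '.'/'..' before the lookup, so that
    '/im/../org/tree' is matched as '/org/tree', not as an unmapped path."""
    path = posixpath.normpath(uri.split("?", 1)[0])
    return path if path.startswith("/") and not path.startswith("//") else None

def lookup_route(path: str, now: float) -> Optional[RouteConfig]:
    """Steps 102-103: fetch the route configuration and keep it for a validity
    period so the next request on this URI skips step 102; only the mapping
    is cached, never a credential value taken from a request."""
    hit = _mapping_cache.get(path)
    if hit and hit[0] > now:
        return hit[1]
    route = MAPPING_TABLE.get(path)  # an HTTP/JSON query in the real gateway
    if route is not None:
        _mapping_cache[path] = (now + MAPPING_TTL_SECONDS, route)
    return route

def extract_credential(request: dict, source: str) -> Optional[str]:
    """Step 103: pull the credential named by the route out of the request."""
    kind, name = source.split(":", 1)
    headers = request.get("headers", {})
    if kind == "cookie":
        jar = SimpleCookie()
        jar.load(headers.get("Cookie", ""))
        return jar[name].value if name in jar else None
    if kind == "header":
        value = headers.get(name)
        if value and value.lower().startswith("bearer "):
            return value[7:].strip()  # "Authorization: Bearer <token>"
        return value
    raise ValueError(f"unsupported credential source {source!r}")

def authenticate(request: dict, now: Optional[float] = None) -> dict:
    """Steps 101-104 end to end. Fails closed: an unmapped URI, a missing
    credential or an unconfigured authentication service all deny access."""
    now = time.monotonic() if now is None else now
    path = normalize_uri(request["uri"])
    if path is None:
        return {"ok": False, "reason": "bad uri"}
    route = lookup_route(path, now)
    if route is None:
        return {"ok": False, "reason": "no mapping for uri"}
    credential = extract_credential(request, route.credential_param)
    if not credential:
        return {"ok": False, "reason": "missing credential"}
    config, service = AUTH_SERVICE_CONFIG.get(route.auth_type), SERVICE_CENTER.get(route.auth_type)
    if config is None or service is None:
        return {"ok": False, "reason": "auth service unavailable"}
    short_name, field_map = config
    # Rename the source field to the parameter name the service expects (step 104).
    result = service(path, {field_map[route.credential_param]: credential})
    if not result["ok"]:
        return {"ok": False, "reason": f"{short_name} authentication failed"}
    return {"ok": True, "route": route, "identity": result["identity"]}
```

`authenticate` returns the route and the client identity on success, or a reason string on failure; the reason strings are meant for the gateway's own log, not for echoing verbatim to the client, which only needs to learn that authentication failed.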
Fig. 3 is an interaction flowchart between the client, the gateway and a micro-service. Based on the embodiment shown in fig. 1, the operations the gateway performs for the different authentication results, after receiving the authentication result sent by the authentication service, are described in detail below. Referring to fig. 4, another embodiment of the unified authentication method for micro-services in the embodiment of the present invention includes:
401. If the authentication result is success, the gateway receives an authentication success prompt and the identity information of the client sent by the authentication service;
When the authentication service successfully authenticates the client's authentication request, it sends an authentication success prompt to the gateway together with the identity information of the client, so that the gateway can go on to access the business micro-service server with this information. The business micro-service server mainly manages the various micro-services, such as instant messaging, enterprise organization structure, colleagues and the like.
Preferably, when the authentication succeeds, the gateway may further cache the authentication result of the client for a validity period, so that within the validity period the gateway omits the authentication procedure for the client, which accelerates the client's access to the micro-service server.
402. The gateway takes the identity information and the authentication request as parameters, constructs first request information and sends the first request information to the business micro-service server;
After obtaining the identity information of the client, the gateway constructs the first request information with the identity information of the client and the authentication request as parameters, and sends the first request information to the business micro-service server, where the first request information is used to make an access request to the business micro-service server.
Here, the first request information only needs to include the identity information of the client and the authentication request parameters of the client; the specific composition and format of the first request information are not limited.
Further, if the service type of the business micro-service is the HTTP protocol type, the gateway may write the identity information of the client into the HTTP header of the first request information, so that the micro-service server can quickly read the identity information of the client, match it against the client identity information pre-stored in its service parameters, and complete the secondary confirmation of the identity of the accessing client.
If the service type of the business micro-service is RPC, the gateway may write the identity information of the client into the first request information as an additional parameter (for example, called an attachment in Motan), so that the micro-service server can quickly read the identity information of the client, match it against the client identity information pre-stored in its service parameters, and complete the secondary confirmation of the identity of the accessing client.
It should be noted that if the client and the business micro-service server it accesses are in the same local area network, then in order to increase the access speed the gateway may access the corresponding business micro-service server directly once the authentication service has completed the identity authentication of the client, omitting the secondary confirmation.
It is easily understood that in this embodiment, by configuring the gateway, the gateway supports the authentication of micro-services of different service types, which enhances the flexibility and scalability of micro-service authentication.
403. The gateway receives a service response sent by the business micro-service server and sends the service response to the client;
After the gateway sends the first request information to the micro-service server, the micro-service server executes the specific service, sends the service response to the gateway, and the gateway forwards the service response to the corresponding accessing client, so that the normal micro-service application flow is executed.
404. If the authentication result is failure, the gateway receives an authentication failure prompt sent by the authentication service and sends the authentication failure prompt to the client.
When the authentication service fails to authenticate the client's authentication request, it sends an authentication failure prompt to the gateway, and the gateway forwards the authentication failure prompt to the accessing client, denying the client access to the micro-service.
In the embodiment of the invention, when the authentication result of the client is success, the gateway caches the authentication result of the client for a validity period, so that the gateway's authentication process for the client is omitted within the validity period and the client is authenticated faster; secondly, the gateway writes the identity information of the client into the HTTP header of the first request information, or writes it into the first request information as an additional parameter (for example, called an attachment in Motan), so that the micro-service can quickly read the identity information of the client for the secondary confirmation, which further speeds up the authentication of the client.
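Steps 401 to 404, as an added example (not code from the patent): building the first request for the HTTP and RPC interface types, caching a successful result for a validity period, and relaying a failure to the client. The business micro-service is an in-process stand-in that performs the secondary confirmation against a constructed set of pre-stored identities; the authentication service is an injected callable; the `X-User-*` header names, the `attachments` dictionary (only the word is taken from the patent's Motan remark, the shape is not Motan's API), the 300-second validity period and the sample data are assumptions. Two checks are the editor's additions rather than the patent's: identity headers arriving from the client are dropped before the gateway sets its own, because the micro-service trusts those fields for the secondary confirmation, and the result cache is keyed by a hash of the credential bound to the URI so that it stores no reusable token.

```python
"""Gateway handling of the authentication result, steps 401-404 above. Added
example, not code from the patent: a stand-in business micro-service and an
injected authentication callable replace the real services; header names,
attachment keys, the validity period and the sample data are all assumed."""
import hashlib
from typing import Callable

IDENTITY_HEADERS = {"x-user-id", "x-user-name"}  # headers only the gateway may set
RESULT_TTL_SECONDS = 300.0
_result_cache: dict = {}  # cache key -> (expiry, identity)

def _cache_key(uri: str, credential: str) -> str:
    """Key the validity-period cache by a hash bound to the URI, so the cache
    never holds a usable session id or token in the clear."""
    return hashlib.sha256(f"{uri}\x00{credential}".encode()).hexdigest()

def build_first_request(interface_type: str, client_request: dict, identity: dict) -> dict:
    """Step 402: combine the client's request with the identity returned by the
    authentication service. Identity headers the client sent itself are dropped
    first: the micro-service's secondary confirmation trusts these fields, so a
    client must not be able to choose them."""
    headers = {k: v for k, v in client_request.get("headers", {}).items()
               if k.lower() not in IDENTITY_HEADERS}
    if interface_type == "http":
        headers["X-User-Id"] = identity["userId"]
        headers["X-User-Name"] = identity["name"]
        return {"uri": client_request["uri"], "method": client_request.get("method", "GET"),
                "headers": headers, "body": client_request.get("body")}
    if interface_type == "rpc":
        # Motan-style call: the identity travels as an attachment, not as an argument.
        return {"service": client_request["uri"], "args": client_request.get("body"),
                "attachments": {"userId": identity["userId"], "userName": identity["name"]}}
    raise ValueError(f"unsupported interface type {interface_type!r}")

# Stand-in business micro-service with the client identities pre-stored in its parameters.
_KNOWN_USERS = {"u1001", "u2002"}

def business_microservice(first_request: dict) -> dict:
    """Secondary confirmation: the identity attached by the gateway must match a
    pre-stored client identity before the service executes and responds."""
    user_id = (first_request.get("headers", {}).get("X-User-Id")
               or first_request.get("attachments", {}).get("userId"))
    if user_id not in _KNOWN_USERS:
        return {"status": 403, "body": "unknown identity"}
    return {"status": 200, "body": f"hello {user_id}"}

def gateway_access(client_request: dict, interface_type: str, credential: str,
                   authenticate: Callable[[str, str], dict], now: float) -> dict:
    """Steps 401-404. `authenticate(uri, credential)` stands in for step 104 and
    returns {"ok": bool, "identity": {...}}. A successful result is kept for
    RESULT_TTL_SECONDS, so accesses within that period skip step 104 entirely."""
    key = _cache_key(client_request["uri"], credential)
    hit = _result_cache.get(key)
    if hit and hit[0] > now:
        identity = hit[1]
    else:
        result = authenticate(client_request["uri"], credential)
        if not result["ok"]:  # step 404: relay the failure prompt, deny access
            _result_cache.pop(key, None)
            return {"status": 401, "body": "authentication failed"}
        identity = result["identity"]  # step 401: success prompt plus identity
        _result_cache[key] = (now + RESULT_TTL_SECONDS, identity)
    first_request = build_first_request(interface_type, client_request, identity)
    return business_microservice(first_request)  # step 403: relay the response
```

The cache entry is bound to the URI as well as the credential, so a result obtained for one interface does not satisfy a later request on an interface that the mapping table assigns to a different authentication type.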
Based on the embodiment described in fig. 4, when the service type of the micro-service is RPC, a conventional RPC call references the callee's jar package in the caller's project; when the gateway needs to call many micro-services, referencing many jar packages is undesirable. For this problem, the embodiment of the present invention may configure a micro-service client class GenericService and a service center on the gateway, where the micro-service client class stores the domain name of the micro-service and the service center stores a mapping table from micro-service domain name to micro-service IP address, so that when the client calls the micro-service, after the authentication service has successfully authenticated the client, the following steps are performed to complete the call. Referring to fig. 5, another embodiment of the unified authentication method for micro-services in the embodiment of the present invention includes:
501. The gateway sends the domain name of the micro-service to be called to the micro-service client class, so that the micro-service client class obtains the corresponding micro-service IP address from the service center and sends the micro-service IP address to the gateway.
After the authentication service has successfully authenticated the client, the gateway sends the domain name of the micro-service to be called to the micro-service client class, so that the micro-service client class GenericService obtains the IP address corresponding to the micro-service domain name from the service center and sends the IP address to the gateway.
Once the gateway has obtained the IP address of the micro-service, it can complete the RPC call to the micro-service by that IP address, which avoids the jar-package calling mode and makes RPC micro-service calls more convenient.
The method for unified authentication of micro-services in an embodiment of the present invention has been described above; with reference to fig. 6, a gateway in an embodiment of the present invention is described below. The gateway is configured with a gateway management micro-service and an authentication service to complete the unified authentication of micro-services, and an embodiment of the gateway in the embodiment of the present invention includes:
a first receiving unit 601, configured to receive a micro-service authentication request sent by a client, and extract a URI (uniform resource identifier) from the authentication request;
a sending unit 602, configured to send the URI to the gateway management micro-service, where the gateway management micro-service is configured to store a mapping table from the URI to a micro-service interface type, a micro-service address, a micro-service authentication type and an authentication credential parameter;
a second receiving unit 603, configured to receive the corresponding micro-service interface type, micro-service address, micro-service authentication type and authentication credential parameter sent by the gateway management micro-service, and extract the corresponding authentication credential parameter from the authentication request;
an authentication unit 604, configured to send the URI and the corresponding authentication credential parameter to the authentication service for authentication, and receive the corresponding authentication result.
Preferably, when the authentication result is authentication success, the gateway further includes:
a third receiving unit 605, configured to receive the authentication success prompt and the identity information of the client sent by the authentication service;
a constructing and sending unit 606, configured to construct first request information with the identity information and the authentication request as parameters, and send the first request information to the business micro-service server;
a first receiving and sending unit 607, configured to receive a service response sent by the business micro-service server, and send the service response to the client;
Preferably, when the authentication result is authentication failure, the gateway further includes:
a second receiving and sending unit 608, configured to receive the authentication failure prompt sent by the authentication service, and send the authentication failure prompt to the client.
It should be noted that the functions of the above units have been described in detail in the embodiments illustrated in fig. 1 to 4, and are not described again here.
In the embodiment of the present invention, the first receiving unit 601 receives a micro-service authentication request sent by a client and extracts a URI (uniform resource identifier) from the authentication request; the sending unit 602 then sends the URI to a gateway management micro-service, which stores a mapping table from the URI to a micro-service interface type, a micro-service address, a micro-service authentication type and an authentication credential parameter; the second receiving unit 603 receives the corresponding micro-service interface type, micro-service address, micro-service authentication type and authentication credential parameter sent by the gateway management micro-service, and extracts the corresponding authentication credential parameter from the authentication request; the authentication unit 604 sends the URI and the corresponding authentication credential parameter to an authentication service for authentication, and receives the corresponding authentication result. In the embodiment of the invention, the authentication logic of the micro-services is lifted into the gateway, and the gateway is configured with the gateway management micro-service and the authentication service, so that the interface mapping and the authentication of the micro-services are each handled by an independent micro-service rather than being fixed by a configuration file or a convention; the configuration cost is lower, and the authentication service is more flexible and more extensible.
Based on the embodiment described in fig. 6, in order to improve the authentication speed for the client, after the gateway receives the micro-service interface type, micro-service address, micro-service authentication type and authentication credential parameter, a caching validity period may be set for each parameter; further, after the authentication of the client succeeds, a caching validity period may be set for the authentication result, so as to simplify the authentication procedure within the validity period. Referring to fig. 7, the gateway in the embodiment of the present invention may further include:
a first caching unit 701, configured to cache the corresponding micro-service interface type, micro-service address, micro-service authentication type and authentication credential parameter for a validity period, so as to accelerate the next authentication process;
a second caching unit 702, configured to cache the authentication success prompt for a validity period, so as to accelerate the next authentication process.
It should be noted that the functions of the above units are described in detail in the embodiments illustrated in fig. 1 and fig. 4, and are not described again here.
In the embodiment of the invention, after the gateway receives the micro-service interface type, micro-service address, micro-service authentication type and authentication credential parameter, or when the authentication result of the client is success, the first caching unit 701 and the second caching unit 702 on the gateway cache the parameters and the authentication result of the client, respectively, for a validity period, so that the gateway's authentication process for the client is omitted within the validity period and the client is authenticated faster.
The gateway in the embodiment of the present invention is described above from the perspective of the modular functional entity, and the computer apparatus in the embodiment of the present invention is described below from the perspective of hardware processing:
The computer device is used to realize the functions of the gateway, and an embodiment of the computer device in the embodiment of the invention comprises:
a processor and a memory;
the memory is used for storing the computer program, and the processor is used for realizing the following steps when executing the computer program stored in the memory:
receiving a micro-service authentication request sent by a client, and extracting a URI (uniform resource identifier) from the authentication request;
sending the URI to a gateway management micro-service, where the gateway management micro-service stores a mapping table from the URI to a micro-service interface type, a micro-service address, a micro-service authentication type and an authentication credential parameter;
receiving the corresponding micro-service interface type, micro-service address, micro-service authentication type and authentication credential parameter sent by the gateway management micro-service, and extracting the corresponding authentication credential parameter from the authentication request;
and sending the URI and the corresponding authentication credential parameter to an authentication service for authentication, and receiving a corresponding authentication result.
In some embodiments of the present invention, the processor may be further configured to:
if the authentication result is success, receiving an authentication success prompt and the identity information of the client sent by the authentication service;
constructing first request information with the identity information and the authentication request as parameters, and sending the first request information to the business micro-service server;
receiving a service response sent by the business micro-service server, and sending the service response to the client;
and if the authentication result is failure, receiving an authentication failure prompt sent by the authentication service, and sending the authentication failure prompt to the client.
Preferably, a micro-service client class and a service center are configured on the gateway; the micro-service client class stores the micro-service domain name, and the service center stores a mapping table between the micro-service domain name and the micro-service IP address;
In some embodiments of the present invention, after receiving the authentication success prompt and the identity information of the client sent by the authentication service when the authentication result is success, the processor may further be configured to implement the following step:
if the business micro-service is of the RPC service type, sending the domain name of the micro-service to be called to the micro-service client class, so that the micro-service client class obtains the corresponding micro-service IP address from the service center and sends the micro-service IP address to the gateway.
In some embodiments of the present invention, the processor may be further configured to:
caching the corresponding micro-service interface type, micro-service address, micro-service authentication type and authentication credential parameter for a validity period, so as to accelerate the next authentication process.
In some embodiments of the present invention, the processor may be further configured to:
caching the authentication success prompt for a validity period, so as to accelerate the next authentication process.
In some embodiments of the present invention, the processor may be further configured to:
if the business micro-service is of the HTTP service type, the gateway writes the identity information of the client into the HTTP header of the first request information and sends the first request information to the business micro-service server, so that the business micro-service server can read the identity information and perform the secondary confirmation;
if the business micro-service is of the RPC service type, the gateway writes the identity information of the client into the first request information as an additional parameter and sends the first request information to the business micro-service server, so that the business micro-service server can read the identity information and perform the secondary confirmation.
In some embodiments of the present invention, the processor may be further configured to:
if the client and the business micro-service server belong to the same local area network, the gateway accesses the business micro-service server directly.
In some embodiments of the present invention, the processor may be further configured to:
the gateway and the gateway management micro-service communicate over the HTTP protocol, and the communication format is JSON.
It is to be understood that, when the processor in the computer apparatus described above executes the computer program, the functions of each unit in the corresponding apparatus embodiments may also be implemented, and are not described herein again. Illustratively, the computer program may be partitioned into one or more modules/units that are stored in the memory and executed by the processor to implement the invention. The one or more modules/units may be a series of computer program instruction segments capable of performing specific functions, which are used to describe the execution of the computer program at the gateway. For example, the computer program may be divided into units in the above-mentioned gateways, which may implement the specific functions as explained for the respective gateways above.
The computer device can be a desktop computer, a notebook, a palm computer, a cloud server and other computing equipment. The computer device may include, but is not limited to, a processor, a memory. It will be appreciated by those skilled in the art that the processor, memory are merely examples of a computer apparatus and are not meant to be limiting, and that more or fewer components may be included, or certain components may be combined, or different components may be included, for example, the computer apparatus may also include input output devices, network access devices, buses, etc.
The Processor may be a Central Processing Unit (CPU), other general purpose Processor, a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), a Field-Programmable gate array (FPGA) or other Programmable logic device, discrete gate or transistor logic device, discrete hardware component, etc. The general purpose processor may be a microprocessor or the processor may be any conventional processor or the like which is the control center for the computer device and which connects the various parts of the overall computer device using various interfaces and lines.
The memory may be used to store the computer programs and/or modules, and the processor may implement various functions of the computer device by running or executing the computer programs and/or modules stored in the memory and invoking data stored in the memory. The memory may mainly include a storage program area and a storage data area, wherein the storage program area may store an operating system, an application program required for at least one function, and the like; the storage data area may store data created according to the use of the terminal, and the like. In addition, the memory may include high speed random access memory, and may also include non-volatile memory, such as a hard disk, a memory, a plug-in hard disk, a Smart Media Card (SMC), a Secure Digital (SD) Card, a Flash memory Card (Flash Card), at least one magnetic disk storage device, a Flash memory device, or other volatile solid state storage device.
The present invention also provides a computer-readable storage medium for implementing the functionality of a gateway, having a computer program stored thereon, which, when executed by a processor, may be adapted to perform the steps of:
receiving a micro-service authentication request sent by a client, and extracting a URI (uniform resource identifier) from the authentication request;
sending the URI to a gateway management micro-service, where the gateway management micro-service stores a mapping table from the URI to a micro-service interface type, a micro-service address, a micro-service authentication type and an authentication credential parameter;
receiving the corresponding micro-service interface type, micro-service address, micro-service authentication type and authentication credential parameter sent by the gateway management micro-service, and extracting the corresponding authentication credential parameter from the authentication request;
and sending the URI and the corresponding authentication credential parameter to an authentication service for authentication, and receiving a corresponding authentication result.
In some embodiments of the invention, the computer program stored on the computer-readable storage medium, when executed by the processor, may be specifically configured to perform the steps of:
if the authentication result is success, receiving an authentication success prompt and the identity information of the client sent by the authentication service;
constructing first request information with the identity information and the authentication request as parameters, and sending the first request information to the business micro-service server;
receiving a service response sent by the business micro-service server, and sending the service response to the client;
and if the authentication result is failure, receiving an authentication failure prompt sent by the authentication service, and sending the authentication failure prompt to the client.
Preferably, a micro-service client class and a service center are configured on the gateway; the micro-service client class stores the micro-service domain name, and the service center stores a mapping table between the micro-service domain name and the micro-service IP address;
In some embodiments of the invention, the computer program stored on the computer-readable storage medium, when executed by the processor, may be specifically configured to perform the following step:
if the business micro-service is of the RPC service type, sending the domain name of the micro-service to be called to the micro-service client class, so that the micro-service client class obtains the corresponding micro-service IP address from the service center and sends the micro-service IP address to the gateway.
In some embodiments of the invention, the computer program stored on the computer-readable storage medium, when executed by the processor, may be specifically configured to perform the steps of:
caching the corresponding micro-service interface type, micro-service address, micro-service authentication type and authentication credential parameter for a validity period, so as to accelerate the next authentication process.
In some embodiments of the invention, the computer program stored on the computer-readable storage medium, when executed by the processor, may be specifically configured to perform the steps of:
caching the authentication success prompt for a validity period, so as to accelerate the next authentication process.
In some embodiments of the invention, the computer program stored on the computer-readable storage medium, when executed by the processor, may be specifically configured to perform the steps of:
if the business micro-service is of the HTTP service type, the gateway writes the identity information of the client into the HTTP header of the first request information and sends the first request information to the business micro-service server, so that the business micro-service server can read the identity information and perform the secondary confirmation;
if the business micro-service is of the RPC service type, the gateway writes the identity information of the client into the first request information as an additional parameter and sends the first request information to the business micro-service server, so that the business micro-service server can read the identity information and perform the secondary confirmation.
In some embodiments of the invention, the computer program stored on the computer-readable storage medium, when executed by the processor, may be specifically configured to perform the steps of:
if the client and the business micro-service server belong to the same local area network, the gateway accesses the business micro-service server directly.
In some embodiments of the invention, the computer program stored on the computer-readable storage medium, when executed by the processor, may be specifically configured to perform the steps of:
the gateway and the gateway management microservice are communicated by adopting an Http protocol, and the communication format is a Json format.
It will be appreciated that the integrated units, if implemented as software functional units and sold or used as a stand-alone product, may be stored in a corresponding one of the computer readable storage media. Based on such understanding, all or part of the flow of the method according to the above embodiments may be implemented by a computer program, which may be stored in a computer-readable storage medium and used by a processor to implement the steps of the above embodiments of the method. Wherein the computer program comprises computer program code, which may be in the form of source code, object code, an executable file or some intermediate form, etc. The computer-readable medium may include: any entity or device capable of carrying the computer program code, recording medium, usb disk, removable hard disk, magnetic disk, optical disk, computer Memory, Read-only Memory (ROM), Random Access Memory (RAM), electrical carrier wave signals, telecommunications signals, software distribution medium, etc. It should be noted that the computer readable medium may contain content that is subject to appropriate increase or decrease as required by legislation and patent practice in jurisdictions, for example, in some jurisdictions, computer readable media does not include electrical carrier signals and telecommunications signals as is required by legislation and patent practice.
It is clear to those skilled in the art that, for convenience and brevity of description, the specific working processes of the above-described systems, apparatuses and units may refer to the corresponding processes in the foregoing method embodiments, and are not described herein again.
In the several embodiments provided in the present application, it should be understood that the disclosed system, apparatus and method may be implemented in other manners. For example, the above-described apparatus embodiments are merely illustrative, and for example, the division of the units is only one logical division, and other divisions may be realized in practice, for example, a plurality of units or components may be combined or integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection through some interfaces, devices or units, and may be in an electrical, mechanical or other form.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, functional units in the embodiments of the present invention may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit. The integrated unit can be realized in a form of hardware, and can also be realized in a form of a software functional unit.
The above-mentioned embodiments are only used for illustrating the technical solutions of the present invention, and not for limiting the same; although the present invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some technical features may be equivalently replaced; and such modifications or substitutions do not depart from the spirit and scope of the corresponding technical solutions of the embodiments of the present invention.

Claims (11)

1. A micro-service unified authentication method is characterized in that a gateway management micro-service and authentication service are configured on a gateway, and the method comprises the following steps:
the gateway receives a micro-service authentication request sent by a client, and extracts a Uniform Resource Identifier (URI) from the authentication request;
the gateway sends the URI to the gateway management micro-service, which stores a mapping table from the URI to a micro-service interface type, a micro-service address, a micro-service authentication type and an authentication voucher parameter;
the gateway receives the corresponding micro service interface type, micro service address, micro service authentication type and authentication voucher parameter sent by the gateway management micro service, and extracts the corresponding authentication voucher parameter from the authentication request;
the gateway sends the URI and the authentication voucher parameter extracted from the authentication request to the authentication service for authentication and receives the corresponding authentication result.
2. The method of claim 1, further comprising:
if the authentication result is successful, the gateway receives an authentication success prompt sent by the authentication service and the identity information of the client;
the gateway takes the identity information and the authentication request as parameters, constructs first request information and sends the first request information to a service micro server;
the gateway receives the service response sent by the service micro server and sends the service response to the client;
and if the authentication result is failure, the gateway receives an authentication failure prompt sent by the authentication service and sends the authentication failure prompt to the client.
3. The method according to claim 2, wherein a micro-service client class and a service center are configured on the gateway, the micro-service client class is used for storing a micro-service domain name, and the service center is used for storing a mapping table between the micro-service domain name and a micro-service IP address;
after the gateway receives the authentication success prompt sent by the authentication service and the identity information of the client if the authentication result is successful, the method further includes:
if the service micro service is the RPC service type, the gateway sends a micro service domain name to be called to the micro service client class, so that the micro service client class obtains a corresponding micro service IP address from the service center and sends the micro service IP address to the gateway.
4. The method of claim 1, wherein after the gateway receives the corresponding micro service interface type, micro service address, micro service authentication type and authentication credential parameters sent by the gateway management micro service, the method further comprises:
and the gateway caches the corresponding micro service interface type, micro service address, micro service authentication type and authentication voucher parameter for the validity period so as to accelerate the next authentication process.
5. The method of claim 2, wherein after the authenticating is successful, the method further comprises:
and the gateway caches the successful authentication prompt for its validity period, so as to accelerate the next authentication process.
6. The method of claim 2, wherein:
if the service microservice is of the Http service type, the gateway writes the identity information of the client into a Http Header in the first request message, and sends the identity information to the service microserver so that the service microserver can read the identity information to perform secondary confirmation;
if the service micro service is the RPC service type, the gateway writes the identity information of the client into the first request information by using an additional parameter, and sends the identity information to the service micro server, so that the service micro server can read the identity information to perform secondary confirmation.
7. The method as claimed in claim 2, wherein after the gateway receives the authentication success prompt sent by the authentication service and the identity information of the client if the authentication result is successful, the method further comprises:
and if the client and the service micro server belong to the same local area network, the gateway directly accesses the service micro server.
8. The method of claim 1, wherein the gateway and the gateway management microservice communicate using Http protocol, and wherein the communication format is Json format.
9. A gateway having gateway management microservice and authentication services deployed thereon, comprising:
the first receiving unit is used for receiving a micro-service authentication request sent by a client and extracting a Uniform Resource Identifier (URI) from the authentication request;
the sending unit is used for sending the URI to the gateway management micro-service, which stores a mapping table from the URI to a micro-service interface type, a micro-service address, a micro-service authentication type and an authentication voucher parameter;
a second receiving unit, configured to receive the corresponding micro service interface type, micro service address, micro service authentication type, and authentication credential parameter sent by the gateway management micro service, and extract the corresponding authentication credential parameter from the authentication request;
and the authentication unit is used for sending the URI and the authentication certificate parameter extracted from the authentication request to the authentication service for authentication and receiving a corresponding authentication result.
10. A computer arrangement comprising a processor, characterized in that the processor, when executing a computer program stored on a memory, is adapted to carry out the method of microservice unified authentication according to any of the claims 1 to 8.
11. A readable storage medium, on which a computer program is stored, which, when being executed by a processor, is adapted to carry out the method for microservice unified authentication according to any of the claims 1 to 8.
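The stored-program embodiments above and claims 1 to 8 describe the same gateway flow: extract the URI, look the URI up in the gateway management micro-service's mapping table, pull the authentication voucher parameter named by that table out of the request, hand URI and credential to the authentication service, cache the mapping row and the success result for a validity period, and forward the client identity to the service microserver in an Http Header or an extra RPC parameter for "secondary confirmation". The following is an added example of that flow written by the editor; it is not code from the patent or its assignee. The route table, the token store, the header and parameter names, the cache lifetimes and the HMAC signature over the identity are all constructed assumptions: the patent does not say how the service microserver confirms the identity, so the example has the gateway sign it with a key shared with the services and has the gateway drop any identity fields a client supplied itself, which is the check a practitioner would want before trusting a header-carried identity on a service that (per claim 7) may also be reachable directly on the same LAN.

```python
import hashlib
import hmac
import json
import time

# Constructed stand-in for the gateway-management microservice's mapping table:
# URI -> interface type, service address, authentication type, credential parameter.
ROUTE_TABLE = {
    "/api/orders": {"interface_type": "http", "address": "orders.internal:8080",
                    "auth_type": "token", "credential_param": "X-Auth-Token"},
    "/rpc/inventory": {"interface_type": "rpc", "address": "inventory.rpc",
                       "auth_type": "token", "credential_param": "token"},
}
VALID_TOKENS = {"tok-alice-123": {"user_id": "alice", "tenant": "t1"}}  # constructed
# Assumed (not in the patent): a key shared by gateway and service microservers so the
# "secondary confirmation" can check that the identity really came from the gateway.
GATEWAY_SIGNING_KEY = b"constructed-demo-key"
FIELD_NAMES = {"http": ("X-Gateway-Identity", "X-Gateway-Signature"),
               "rpc": ("_identity", "_signature")}  # hypothetical field names
CARRIER = {"http": "headers", "rpc": "params"}      # Http Header vs extra RPC parameter

def authentication_service(uri, credential):
    """Models the authentication service: returns (success, identity)."""
    identity = VALID_TOKENS.get(credential)
    return identity is not None, identity

def encode_identity(identity):
    payload = json.dumps(identity, sort_keys=True, separators=(",", ":"))
    return payload, hmac.new(GATEWAY_SIGNING_KEY, payload.encode(), hashlib.sha256).hexdigest()

def verify_identity(payload, sig):
    expected = hmac.new(GATEWAY_SIGNING_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sig)

class TtlCache:
    """Entries expire after a validity period (claims 4 and 5)."""
    def __init__(self, ttl_seconds, clock=time.monotonic):
        self.ttl, self.clock, self.store = ttl_seconds, clock, {}

    def get(self, key):
        value, expires = self.store.get(key, (None, 0))
        if value is not None and self.clock() < expires:
            return value
        self.store.pop(key, None)  # missing or expired
        return None

    def put(self, key, value):
        self.store[key] = (value, self.clock() + self.ttl)

class Gateway:
    def __init__(self, route_lookup, auth_service, backend, clock=time.monotonic):
        self.route_lookup, self.auth_service, self.backend = route_lookup, auth_service, backend
        self.route_cache = TtlCache(60, clock)  # cached mapping rows (claim 4)
        self.auth_cache = TtlCache(30, clock)   # cached successful authentications (claim 5)
        self.lookups = self.auth_calls = 0      # counters that expose cache hits

    def resolve_route(self, uri):
        route = self.route_cache.get(uri)
        if route is None:
            self.lookups += 1
            route = self.route_lookup(uri)
            if route is not None:
                self.route_cache.put(uri, route)
        return route

    def handle(self, request):
        route = self.resolve_route(request["uri"])
        if route is None:
            return {"status": 404, "body": "unknown uri"}
        # Credential parameter name comes from the mapping row (claim 1): header for Http, call parameter for RPC.
        credential = request[CARRIER[route["interface_type"]]].get(route["credential_param"])
        if not credential:
            return {"status": 401, "body": "missing credential"}
        key = (request["uri"], hashlib.sha256(credential.encode()).hexdigest())
        identity = self.auth_cache.get(key)
        if identity is None:
            self.auth_calls += 1
            ok, identity = self.auth_service(request["uri"], credential)
            if not ok:
                return {"status": 401, "body": "authentication failed"}
            self.auth_cache.put(key, identity)
        return self.backend(route, self.build_first_request(route, request, identity))

    @staticmethod
    def build_first_request(route, request, identity):
        """Claim 6: write the identity into an Http Header or an extra RPC parameter,
        after dropping client-supplied copies so a caller cannot pre-fill an identity."""
        carrier, (id_name, sig_name) = CARRIER[route["interface_type"]], FIELD_NAMES[route["interface_type"]]
        first = {"uri": request["uri"], "headers": dict(request["headers"]), "params": dict(request["params"])}
        first[carrier] = {k: v for k, v in first[carrier].items() if k not in (id_name, sig_name)}
        first[carrier][id_name], first[carrier][sig_name] = encode_identity(identity)
        return first

def service_micro_server(route, first_request):
    """Constructed service microserver: secondary confirmation = verify the gateway's signature."""
    id_name, sig_name = FIELD_NAMES[route["interface_type"]]
    fields = first_request[CARRIER[route["interface_type"]]]
    payload, sig = fields.get(id_name, ""), fields.get(sig_name, "")
    if not payload or not verify_identity(payload, sig):
        return {"status": 403, "body": "identity not confirmed"}
    return {"status": 200, "body": f"hello {json.loads(payload)['user_id']} via {route['address']}"}

def make_gateway(clock=time.monotonic):
    return Gateway(ROUTE_TABLE.get, authentication_service, service_micro_server, clock)
```

`make_gateway()` wires the three roles together; `handle` takes a request as a dict with `uri`, `headers` and `params`. The two counters show the effect of the claim 4 and claim 5 caches: a repeated request within the validity period reaches neither the mapping lookup nor the authentication service, and the `clock` argument lets the expiry be exercised deterministically. The signature is the part the patent leaves open, so treat it as one possible design, not the patented one.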
CN201810689051.8A 2018-06-28 2018-06-28 Micro-service unified authentication method and gateway Active CN108901022B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201810689051.8A CN108901022B (en) 2018-06-28 2018-06-28 Micro-service unified authentication method and gateway

Publications (2)

Publication Number Publication Date
CN108901022A CN108901022A (en) 2018-11-27
CN108901022B true CN108901022B (en) 2021-08-20

Family

ID=64346964

Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101170733A (en) * 2007-11-22 2008-04-30 中兴通讯股份有限公司 An authentication and charging control method, device and system for WAP service
CN101741817A (en) * 2008-11-21 2010-06-16 中国移动通信集团安徽有限公司 System, device and method for multi-network integration
CN106998551A (en) * 2016-01-25 2017-08-01 中兴通讯股份有限公司 Method, system, device and terminal for application access authentication
CN107181675A (en) * 2017-06-20 2017-09-19 北京奇艺世纪科技有限公司 Service calling method and device
CN107295077A (en) * 2017-06-16 2017-10-24 深圳易嘉恩科技有限公司 Distributed cloud platform system based on micro services framework
CN107948284A (en) * 2017-11-24 2018-04-20 泰康保险集团股份有限公司 Service access method, device and system based on a microservice architecture
CN108200146A (en) * 2017-12-29 2018-06-22 华南理工大学 Lightweight microservice architecture implementation method
US10425386B2 (en) * 2016-05-11 2019-09-24 Oracle International Corporation Policy enforcement point for a multi-tenant identity and data security management cloud service

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant