Specific embodiments
In order to make the objectives, technical solutions and advantages of the present invention clearer, the present invention is described in further detail below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein merely illustrate the present invention and are not intended to limit it.
The control method for interface call permission provided by the present application can be applied in the application environment shown in Fig. 1. There, an external system 101 communicates with a product management center 102 over a network, and the external system 101 registers with the product management center 102 to obtain permission to use certain products and the interfaces corresponding to those products. When the external system 101 needs to call the function of an interface of the product management center 102, the product management center authenticates the corresponding product and interface permissions and, when authentication passes, provides the function corresponding to the interface to the external system 101. The external system 101 and the product management center 102 may each be a terminal or a server. The terminal may be, but is not limited to, any of various personal computers, laptops, smartphones, tablet computers and portable wearable devices; the server may be implemented as an independent server or as a server cluster composed of multiple servers.
In one embodiment, the product management center 102 may be a SAAS (Software as a Service) service. The SAAS service may include an API gateway, a business service, a unified authentication service and so on. The business service and the unified authentication service may each be a server.
SAAS provides a complete software solution; a tenant can purchase the products offered by SAAS from a cloud service provider on a pay-per-use basis. Users connect to the application over the Internet (usually with a web browser). All of the infrastructure, middleware, application software and application data of the SAAS service are located in the service provider's data center. The service provider is responsible for managing the hardware and software, and ensures the availability and security of the application and its data according to the appropriate service agreement. A SAAS service lets users build an application and put it into operation quickly at minimal up-front cost.
The SAAS service can use a permission database to store information such as products (including but not limited to software products), product resources, resource permissions, product permissions, tenants, tenant roles and users. Each product defines its own product resources, resource permissions and product permissions, and each interface corresponds to one set of resources and resource permissions. The SAAS service also provides tenant registration and tenant user management services. The SAAS service may include a SAAS service login platform that tenant users can call; the SAAS service registers the tenant users according to the tenant and tenant user information, determines the product permission corresponding to each product, and stores the product permissions in a cache (the permission database). The tenant calls the open interface of the SAAS service to register the corresponding product resources, resource permissions and product permissions. When a user of the tenant needs to call an interface, the SAAS service authenticates that user's permission according to the corresponding resources and resource permissions.
In one embodiment, the entire control method for interface call permission can be implemented in a microservice architecture (MicroService Architecture). Microservices are an architectural style in which a large, complex software application is composed of one or more microservices. Each microservice in the architecture can be deployed independently, and the microservices are loosely coupled to one another. Each microservice focuses on completing one task and completing it well, and each task represents one small business capability. In the embodiments of the present invention, the external system, the API gateway, the business service and the unified authentication service may each be a microservice, and these microservices cooperate to achieve effective control of user permissions. Here, the external system is the system in which the tenant resides.
The embodiments of the present invention provide a control method, an apparatus, a computer device and a storage medium for interface call permission. Each is described in detail below.
In one embodiment, as shown in Fig. 2, a control method for interface call permission is provided. Taking the method as applied to the unified authentication server in the SAAS service as an example, it includes the following steps:
S201, receive the user login information sent by the API gateway (api-gateWay), and determine the product permission of the currently logged-in user according to the user login information.
In this step, the user determines the product to be used when logging in and sends the user login information corresponding to that product to the API gateway. After receiving the user login information, the API gateway sends it to the unified authentication service, which judges from the user login information whether the user has permission to use the corresponding product.
Here, the API gateway is the entry point through which the external system accesses the SAAS service; through the API gateway the external system can interact with the SAAS service and call its interfaces. The unified authentication service authenticates the information it receives. The unified authentication service is implemented by a server, and the embodiments of the present invention place no restriction on its form.
In one embodiment, the user login information may include user information, product information and a token corresponding to the product, where a token is the credential used in computer identity authentication. The unified authentication service can determine the product permission of the logged-in user from the token, that is, determine whether the logged-in user has permission to use the corresponding product.
In one embodiment, when a user needs to call an interface of the SAAS service, a connection with the SAAS service must first be established; the user can log in to the SAAS service through the SAAS service login platform.
In one embodiment, when the user logs in, a message is sent to the API gateway. The message includes a header, the selected product, interface call information and other information. After the user logs in, the API gateway verifies the message for security, integrity and so on.
S202, return the product permission of the currently logged-in user to the API gateway, to trigger the API gateway to forward the product interface call request of the currently logged-in user to the business service.
In this step, after the unified authentication service determines the product permission of the currently logged-in user, it returns that product permission to the API gateway, which triggers the API gateway to forward the user's product interface call request to the business service.
In one embodiment, the product permission may be that the corresponding product can be used, that the corresponding product cannot be used, and so on.
In one embodiment, if the unified authentication service determines that the currently logged-in user has permission to use the corresponding product, it returns product-authentication-passed information to the API gateway, so that the API gateway triggers the subsequent interface authentication. If the unified authentication service determines that the currently logged-in user does not have permission to use the corresponding product, it returns product-authentication-failed information to the API gateway. After receiving the product-authentication-failed information, the API gateway does not trigger the subsequent interface authentication; that is, the interface authentication process is not carried out.
S203, receive the interface authentication request sent by the business service, and authenticate the product interface call permission of the currently logged-in user according to the interface authentication request; the interface authentication request is obtained from the product interface call request forwarded by the API gateway.
In this step, after determining that the user has permission to use the corresponding product, the unified authentication service feeds back to the API gateway the information that product permission authentication has passed. After determining that the user has permission to use the corresponding product, the API gateway determines from the product interface call request made at login which interface the user needs to call, generates a product interface call request and sends it to the business service. The business service generates an interface authentication request from the product interface call request and sends it to the unified authentication service, which authenticates the user's permission to call the corresponding interface.
Here, the business service is the server that handles the concrete application; that is, once the user has logged in and product permission authentication has passed, it completes the specific interface service: it sends the product interface call request of the currently logged-in user to the unified authentication service in the form of an interface authentication request and, after interface permission authentication passes, processes the business of the corresponding interface in response to the user's product interface call request.
S204, if the product interface call permission authentication passes, return an interface response instruction to the business service; the interface response instruction is used to trigger the business service to execute the function of the interface corresponding to the product.
In this step, if the interface permission authentication passes, the unified authentication service returns an interface response instruction to the business service. The business service executes the function of the corresponding interface according to the interface response instruction.
This embodiment controls and manages the permissions of multiple users in a unified way while authenticating each user individually, which effectively improves the efficiency of multi-user permission control.
In one embodiment, before the step of receiving the user login information sent by the API gateway and determining the product permission of the currently logged-in user according to the user login information, the method further includes: receiving a registration request from a tenant, the registration request including the product the tenant requests to register and the user information of multiple users; registering the tenant according to the registration request, determining the product permission of the multiple users under each product, and determining the token corresponding to each product permission.
In one embodiment, when a tenant needs to use a product of the SAAS service, it sends a registration request to the SAAS service. The registration request includes the product to be registered, which interfaces of the product are to be registered, and the users belonging to the tenant. The tenant pays the corresponding fee according to the charging standard of the SAAS service. The unified authentication service in the SAAS service registers the tenant according to the registration request, that is, it determines each tenant user's permission to use the corresponding product and interfaces; the product permission is embodied in the token.
This embodiment registers the tenant and determines the tenant users' rights to use the corresponding product and interfaces, which prepares for the later authentication of a user's permission to call a specific interface, enables the SAAS service to manage tenants centrally, and effectively prevents unregistered users from freely using the products provided by the SAAS service.
In one embodiment, after the step of determining the product permission of the multiple users under each product and determining the token corresponding to each product permission, the method further includes: storing the product permission in a pre-established permission database, and returning the token to the tenant so that the tenant distributes the token to the corresponding user.
In one embodiment, the token may also be stored in the permission database; the unified authentication service looks up the token sent by the user directly in the permission database to see whether a corresponding token exists, which determines whether the user has permission to use the corresponding product.
In this embodiment, the determined product permission is stored in the pre-established permission database and the token is returned to the tenant, which receives it. When the tenant needs to use a product of the SAAS service, it sends a request to the SAAS service and carries the token in the request message to indicate its own attributes, which makes it easy for the unified authentication service to authenticate it. Because the product permissions are stored in the permission database, querying that database whenever the product permission of a logged-in user must be determined yields the result directly and conveniently, which effectively improves the efficiency of interface call permission control.
In one embodiment, the user login information includes a token, and the token has a validity period. Before the step of determining the product permission of the currently logged-in user according to the user login information, the method further includes: judging whether the token is within its validity period.
In this embodiment, the unified authentication service decides from the token's validity period whether to carry out the subsequent permission database query. If the token's validity period has ended, there is no need to query the permission database, and the user is determined to have no permission to use the corresponding product; if the token's validity period has not ended, the subsequent product authentication process is completed.
In one embodiment, the step of determining the product permission of the currently logged-in user according to the user login information includes: if the token is within its validity period, querying the permission database for the product permission corresponding to the token to obtain the product permission of the currently logged-in user.
In one embodiment, the header of the user login information message may include the token, the selected product, interface call information and other information. The API gateway obtains the token from the message header and sends it to the unified authentication service, which determines from the token whether the user has permission to use the corresponding product.
In one embodiment, the step of querying the permission database for the product permission corresponding to the token to obtain the product permission of the currently logged-in user includes: querying the permission database for the corresponding product definition information according to the token; determining the permission definition information corresponding to the product definition information; and judging from the permission definition information whether the user has permission to use the corresponding product.
Here, product definition information is information about a product provided by the SAAS service, such as its name, ID, function description and permission level. It can be stored in the product table of the permission database; the product table is shown in Fig. 3. Permission definition information is information about a user's permission to use a given product. It can be stored in the product permission table of the permission database; the product permission table is shown in Fig. 4 and includes information such as the permission ID, product ID and permission name. The product table and the product permission table are associated with each other. Through the product table, the unified authentication service can look up every product provided by the SAAS service; when it receives user login information sent by the API gateway, it can query the product permission table according to the token in the user login information and determine the user's permission to use the product.
In one embodiment, the permission database may also omit the product table, with the product definition information and the permission definition information placed directly in a single product permission table.
This embodiment combines the validity period with the product permission to determine whether the user has permission to use the corresponding product, which doubly guarantees the accuracy of permission authentication.
In one embodiment, multiple tenant IDs (enterprise ID) and user IDs (user ID) are stored in the permission database. After the step of receiving the user login information sent by the API gateway and determining the product permission of the currently logged-in user according to the user login information, the method further includes: if it is determined that the currently logged-in user has permission to use the corresponding product, assigning a tenant ID and a user ID to the currently logged-in user according to the tenant IDs and user IDs stored in the permission database, and returning the assigned tenant ID and user ID to the API gateway.
In one embodiment, if it is determined that the currently logged-in user has permission to use the corresponding product, a tenant ID and a user ID are assigned to that user after login. A user who can present a tenant ID and user ID is therefore a user who has logged in to the SAAS service and has passed product permission authentication.
This embodiment assigns a tenant ID and a user ID to users who have permission to use the corresponding product, which facilitates the subsequent authentication of interface permission.
In one embodiment, the interface authentication request is obtained from the product interface call request forwarded by the API gateway, the tenant ID and the user ID. The step of authenticating the product interface call permission of the currently logged-in user according to the interface authentication request includes: authenticating the corresponding tenant ID and user ID according to the interface authentication request; if the corresponding tenant ID and user ID pass authentication, the product interface call permission authentication passes and the currently logged-in user has permission to call the corresponding interface.
In one embodiment, the interfaces may include open access interfaces, login access interfaces and authorized access interfaces. An open access interface, also called a login-free access interface, is a service that is completely open and needs no control at all. A login access interface is a service that is open only to logged-in users and has no permission control: once user A has logged in successfully, that is, user A has obtained a tenant ID and a user ID, user A is considered to have permission to call the corresponding interface. An authorized access interface is a service that is open only to users with specific permissions, and the legitimacy of the tenant ID and user ID must be authenticated.
In one embodiment, the process of authenticating the product permission can be realized through the business service. When the business service determines that the interface called by the currently logged-in user is an authorized access interface, it sends an interface authentication request to the unified authentication service, and the unified authentication service authenticates the tenant ID and user ID. If the tenant ID and user ID pass authentication, the currently logged-in user is determined to have permission to call the corresponding interface, authentication-passed information is returned to the business service, and the business service accepts the user's interface call request and executes the function of the corresponding interface. If the tenant ID and user ID do not pass authentication, the currently logged-in user is determined not to have permission to call the corresponding interface, and the subsequent process of executing the function of the corresponding interface is not carried out.
In this embodiment, the unified authentication service authenticates the tenant ID and user ID provided by the user; if the tenant ID and user ID are legitimate, the currently logged-in user is determined to have permission to call the corresponding interface. This form of interface authentication is simple, and it further authenticates the interface on top of a passed product authentication, which ensures the security of the SAAS service.
In one embodiment, the step of authenticating the product interface call permission of the currently logged-in user further includes: if the business service determines that the interface called by the currently logged-in user is an open access interface, determining that the currently logged-in user has permission to call the corresponding interface; if the business service determines that the interface called by the currently logged-in user is a login access interface, judging whether the interface authentication request carries a corresponding tenant ID and user ID, and if so, the user has permission to call the corresponding interface; if the business service determines that the interface called by the currently logged-in user is an authorized access interface, sending an interface authentication request to the unified authentication service, which determines whether the currently logged-in user has permission to call the corresponding interface.
This embodiment applies a different authentication mode to each kind of interface, which effectively improves the efficiency of user permission control.
In one embodiment, as shown in Fig. 5, a control method for interface call permission is provided, which includes the following steps:
S501, receive a registration request from a tenant; the registration request includes the product the tenant requests to register and the user information of multiple users.
S502, register the tenant according to the registration request, determine the product permission of each user under each product, and determine the token corresponding to each product permission.
S503, store the product permission in a pre-established permission database, and return the token to the tenant so that the tenant distributes the token to the corresponding user.
S504, receive the user login information sent by the API gateway, and judge whether the token in the user login information is within its validity period.
S505, if the token is within its validity period, query the permission database for the product permission corresponding to the token to obtain the product permission of the currently logged-in user.
S506, if it is determined that the currently logged-in user has permission to use the corresponding product, assign a tenant ID and a user ID to the currently logged-in user according to the tenant IDs and user IDs stored in the permission database, and return the assigned tenant ID and user ID to the API gateway.
S507, return the product permission of the currently logged-in user to the API gateway, to trigger the API gateway to forward the product interface call request of the currently logged-in user to the business service.
S508, receive the interface authentication request sent by the business service, and authenticate the product interface call permission of the currently logged-in user according to the interface authentication request; the interface authentication request is obtained from the product interface call request forwarded by the API gateway, the tenant ID and the user ID.
S509, authenticate the corresponding tenant ID and user ID according to the interface authentication request; if the corresponding tenant ID and user ID pass authentication, the product interface call permission authentication passes and the currently logged-in user has permission to call the corresponding interface.
S510, if the product interface call permission authentication passes, return an interface response instruction to the business service; the interface response instruction is used to trigger the business service to execute the function of the interface corresponding to the product.
This embodiment controls and manages the permissions of multiple users in a unified way while authenticating each user individually, which effectively improves the efficiency of multi-user permission control.
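The S501-S510 flow above, as an added example that is not part of the original patent text: an in-memory Python sketch of the unified authentication service, the business service with its three interface types, and the API gateway. The class and function names, the "sms" product, the interface names and the per-user interface set are assumptions made for illustration.

```python
import secrets
import time
from enum import Enum


class InterfaceType(Enum):
    OPEN = "open"              # no control at all
    LOGIN = "login"            # caller only needs a tenant ID and a user ID
    AUTHORIZED = "authorized"  # IDs are checked by the unified auth service


class UnifiedAuthService:
    """In-memory stand-in for the unified authentication service."""

    def __init__(self, token_ttl=3600.0, clock=time.time):
        self._ttl = token_ttl
        self._clock = clock
        self._expiry = {}       # token -> end of its validity period
        self._permissions = {}  # permission database: token -> grant record

    def register_tenant(self, tenant_id, product_id, users):
        """S501-S503. `users` maps user ID -> set of registered interfaces."""
        tokens = {}
        for user_id, interfaces in users.items():
            token = secrets.token_urlsafe(32)  # opaque, unguessable token
            self._expiry[token] = self._clock() + self._ttl
            self._permissions[token] = {
                "tenant_id": tenant_id, "user_id": user_id,
                "product_id": product_id, "interfaces": frozenset(interfaces),
            }
            tokens[user_id] = token
        return tokens  # returned to the tenant for distribution to its users

    def _live(self, token):
        expires_at = self._expiry.get(token)
        return expires_at is not None and self._clock() < expires_at

    def authenticate_product(self, token, product_id):
        """S504-S506: (tenant ID, user ID) on success, None on failure."""
        if not self._live(token):
            return None  # expired or unknown: no permission lookup at all
        grant = self._permissions.get(token)
        if grant is None or grant["product_id"] != product_id:
            return None
        return grant["tenant_id"], grant["user_id"]

    def authenticate_interface(self, tenant_id, user_id, product_id, interface):
        """S508-S509: the ID pair must belong to a live grant for the product.
        Matching the registered interface set is an assumption of this sketch."""
        return any(
            self._live(token)
            and (g["tenant_id"], g["user_id"]) == (tenant_id, user_id)
            and g["product_id"] == product_id
            and interface in g["interfaces"]
            for token, g in self._permissions.items()
        )


class BusinessService:
    def __init__(self, auth, product_id, interfaces):
        self._auth = auth
        self._product_id = product_id
        self._interfaces = interfaces  # interface name -> InterfaceType

    def handle(self, interface, tenant_id=None, user_id=None):
        kind = self._interfaces.get(interface)
        if kind is None:
            return "unknown interface"
        if kind is InterfaceType.OPEN:
            allowed = True
        elif kind is InterfaceType.LOGIN:
            allowed = tenant_id is not None and user_id is not None
        else:  # AUTHORIZED: ask the unified authentication service
            allowed = self._auth.authenticate_interface(
                tenant_id, user_id, self._product_id, interface)
        if not allowed:
            return "interface authentication failed"
        return f"executed {interface}"  # S510: interface response instruction


def gateway_call(auth, service, token, product_id, interface):
    """API gateway view of S504-S510."""
    ids = auth.authenticate_product(token, product_id)
    if ids is None:
        return "product authentication failed"  # request is never forwarded
    return service.handle(interface, *ids)


if __name__ == "__main__":
    # Constructed sample data: one tenant, two users, an SMS product.
    auth = UnifiedAuthService(token_ttl=60.0)
    tokens = auth.register_tenant(
        "tenant-1", "sms", {"alice": {"send_sms"}, "bob": set()})
    sms = BusinessService(auth, "sms", {"send_sms": InterfaceType.AUTHORIZED})
    for user in ("alice", "bob"):
        print(user, gateway_call(auth, sms, tokens[user], "sms", "send_sms"))
```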
For a better understanding of the above method, an application example of the control method for interface call permission of the present invention is described in detail below. The sequence diagram of the application example may be as shown in Fig. 6.
Equipment registration (not shown in Fig. 6):
1. The unified authentication service receives a registration request from a tenant; the registration request includes the product the tenant requests to register and the user information of multiple users. The unified authentication service registers the tenant according to the registration request, determines the product permission of each user under each product, and determines the token corresponding to each product permission.
2. The unified authentication service stores the product permission in the pre-established permission database and returns the token to the tenant; after receiving the user login information, the tenant distributes the token to the corresponding user.
Permission control (i.e. interface calling):
3. The currently logged-in user sends a product interface call request to the API gateway in the form of a message; the message includes the token, interface call information (for calling the interface that sends short messages) and so on.
4. The API gateway sends the product interface call request to the unified authentication service, and the unified authentication service judges from the corresponding token whether the user has permission to use the corresponding product; if it determines that the user has permission to use the corresponding product, it returns a tenant ID and a user ID to the API gateway.
5. The API gateway sends the product-authentication-passed information, together with the assigned tenant ID and user ID, to the SMS business service.
6. If the SMS business service determines from the user's interface call information that the called interface is an authorized access interface, it generates an interface authentication request from the tenant ID and user ID and sends the interface authentication request to the unified authentication service.
7. On receiving the interface authentication request sent by the SMS business service, the unified authentication service authenticates the legitimacy of the corresponding tenant ID and user ID.
8. If it is determined from the legitimacy of the tenant ID and user ID that the interface permission authentication passes, the unified authentication service returns an interface response instruction to the SMS business service.
9. The SMS business service performs the corresponding short message sending operation according to the function of the corresponding interface, and returns the corresponding request response message to the user (external system).
This embodiment controls and manages the permissions of multiple users in a unified way while authenticating each user individually, which effectively improves the efficiency of multi-user permission control.
It should be noted that, for simplicity of description, each of the foregoing method embodiments is expressed as a series of combined actions, but those skilled in the art should understand that the present invention is not limited by the described order of actions, because according to the present invention certain steps can be performed in other orders or simultaneously.
Based on the same idea as the control method for interface call permission in the above embodiments, the present invention also provides a control device for interface call permission, which can be used to execute the above control method for interface call permission. For ease of description, the structural schematic diagram of the control device embodiment shows only the parts related to the embodiments of the present invention. Those skilled in the art will understand that the illustrated structure does not limit the device, which may include more or fewer components than illustrated, combine certain components, or use a different arrangement of components.
As shown in Fig. 7, the control device for interface call permission includes a product authentication module 701, a permission return module 702, an interface authentication module 703 and an interface response module 704, described in detail as follows:
The product authentication module 701 is configured to receive the user login information sent by the API gateway and determine the product permission of the currently logged-in user according to the user login information.
The permission return module 702 is configured to return the product permission of the currently logged-in user to the API gateway, to trigger the API gateway to forward the product interface call request of the currently logged-in user to the business service.
The interface authentication module 703 is configured to receive the interface authentication request sent by the business service and authenticate the product interface call permission of the currently logged-in user according to the interface authentication request; the interface authentication request is obtained from the product interface call request forwarded by the API gateway.
The interface response module 704 is configured to return an interface response instruction to the business service if the product interface call permission authentication passes; the interface response instruction is used to trigger the business service to execute the function of the interface corresponding to the product.
This embodiment controls and manages the permissions of multiple users in a unified way while authenticating each user individually, which effectively improves the efficiency of multi-user permission control.
In one embodiment, the interface calls the control device of permission, further includes:Registration request receiving module is used
In the registration request for receiving tenant;It include that the tenant requests the product registered and multiple users in the registration request
User information;Registration module determines that the multiple user exists for being that the tenant registers according to the registration request
Product permission under each product, and determine the corresponding token of each product permission.
In one embodiment, the device further includes: a permission storage module, configured to store the product permission in a pre-established rights database and return the token to the tenant, so that the tenant distributes the token to the corresponding user.
In one embodiment, the user login information includes a token, and the token has a validity period; the device further includes: a time judgment module, configured to judge whether the token is within its validity period.
In one embodiment, the product authentication module is further configured to, if the token is within its validity period, query the rights database for the product permission corresponding to the token, thereby obtaining the product permission of the currently logged-in user.
In one embodiment, multiple tenant IDs and user IDs are stored in the rights database; the interface call permission control device further includes: an ID allocation module, configured to, if it is determined that the currently logged-in user has permission to use the corresponding product, allocate a tenant ID and a user ID to the currently logged-in user according to the tenant IDs and user IDs stored in the rights database, and return the allocated tenant ID and user ID to the API gateway.
In one embodiment, the interface authentication request is derived from the product interface call request, tenant ID and user ID forwarded by the API gateway; the interface authentication module is further configured to verify the corresponding tenant ID and user ID according to the interface authentication request; if verification of the corresponding tenant ID and user ID passes, verification of the product interface call permission passes, and the currently logged-in user has permission to call the corresponding interface.
It should be noted that the interface call permission control device of the present invention corresponds one-to-one with the interface call permission control method of the present invention. The technical features and beneficial effects set out in the embodiments of the control method above apply equally to the embodiments of the control device; for details, refer to the description in the method embodiments of the present invention, which is not repeated here. This is hereby stated.
In addition, in the above example embodiments of the interface call permission control device, the logical division into program modules is merely illustrative. In practical applications, the above functions may be allocated to different program modules as required, for example because of the configuration requirements of the corresponding hardware or for convenience of software implementation; that is, the internal structure of the interface call permission control device may be divided into different program modules to complete all or part of the functions described above.
In one embodiment, a computer device is provided. The computer device may be a server, and its internal structure may be as shown in Fig. 8. The computer device includes a processor, a memory, a network interface and a database connected by a system bus. The processor of the computer device provides computing and control capability. The memory of the computer device includes a non-volatile storage medium and an internal memory. The non-volatile storage medium stores an operating system, a computer program and a database. The internal memory provides an environment for running the operating system and the computer program held in the non-volatile storage medium. The database of the computer device serves as the rights database and stores product definition information, permission definition information, tenant IDs, user IDs and similar information. The network interface of the computer device is used to communicate with an external terminal over a network connection and to verify whether the external terminal has permission to use the corresponding product and interface. When executed by the processor, the computer program implements an interface call permission control method.
Those skilled in the art will understand that the structure shown in Fig. 8 is only a block diagram of the part of the structure relevant to the solution of this application and does not limit the computer device to which the solution is applied; a specific computer device may include more or fewer components than shown in the figure, combine certain components, or have a different arrangement of components.
In one embodiment, a computer device is provided, including a memory, a processor, and a computer program stored in the memory and runnable on the processor. When executing the computer program, the processor implements the following steps: receiving the user login information sent by the API gateway, and determining the product permission of the currently logged-in user according to the user login information; returning the product permission of the currently logged-in user to the API gateway, so as to trigger the API gateway to forward the currently logged-in user's product interface call request to the business service; receiving the interface authentication request sent by the business service, and verifying the product interface call permission of the currently logged-in user according to the interface authentication request, the interface authentication request being derived from the product interface call request forwarded by the API gateway; and, if verification of the product interface call permission passes, returning an interface response instruction to the business service, the interface response instruction being used to trigger the business service to execute the function of the corresponding interface of the product.
In one embodiment, the processor further implements the following steps when executing the computer program: before the step of receiving the user login information sent by the API gateway and determining the product permission of the currently logged-in user according to the user login information, the method further includes: receiving a registration request from a tenant, the registration request including the products the tenant requests to register and the user information of multiple users; and registering the tenant according to the registration request, determining the product permission of the multiple users under each product, and determining the token corresponding to each product permission.
In one embodiment, the processor further implements the following steps when executing the computer program: after the step of determining the product permission of the multiple users under each product and determining the token corresponding to each product permission, the method further includes: storing the product permission in a pre-established rights database, and returning the token to the tenant, so that the tenant distributes the token to the corresponding user.
In one embodiment, the processor further implements the following steps when executing the computer program: the user login information includes a token, and the token has a validity period; before the step of determining the product permission of the currently logged-in user according to the user login information, the method further includes: judging whether the token is within its validity period.
In one embodiment, the processor further implements the following steps when executing the computer program: the step of determining the product permission of the currently logged-in user according to the user login information includes: if the token is within its validity period, querying the rights database for the product permission corresponding to the token, thereby obtaining the product permission of the currently logged-in user.
In one embodiment, the processor further implements the following steps when executing the computer program: multiple tenant IDs and user IDs are stored in the rights database; after the step of receiving the user login information sent by the API gateway and determining the product permission of the currently logged-in user according to the user login information, the method further includes: if it is determined that the currently logged-in user has permission to use the corresponding product, allocating a tenant ID and a user ID to the currently logged-in user according to the tenant IDs and user IDs stored in the rights database, and returning the allocated tenant ID and user ID to the API gateway.
In one embodiment, the processor further implements the following steps when executing the computer program: the interface authentication request is derived from the product interface call request, tenant ID and user ID forwarded by the API gateway; the step of verifying the product interface call permission of the currently logged-in user according to the interface authentication request includes: verifying the corresponding tenant ID and user ID according to the interface authentication request; if verification of the corresponding tenant ID and user ID passes, verification of the product interface call permission passes, and the currently logged-in user has permission to call the corresponding interface.
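The following Python sketch is an added illustration of the flow these steps describe; it is not code from the patent. The class and function names, the per-interface grant sets, the one-token-per-(user, product) layout and the numeric status codes are assumptions made for the example.

```python
import secrets
import time


class UnifiedAuthService:
    """Toy model (assumed names) of the authenticating service and its rights database."""

    def __init__(self, token_ttl=3600, clock=time.time):
        self.token_ttl = token_ttl
        self.clock = clock
        self.tokens = {}  # token -> (tenant_id, user_id, product, expires_at)
        self.grants = {}  # (tenant_id, user_id) -> {product: set of interfaces}

    def register_tenant(self, tenant_id, users):
        """users: {user_id: {product: [interfaces]}}. Returns {(user_id, product): token}."""
        issued = {}
        for user_id, products in users.items():
            for product, interfaces in products.items():
                token = secrets.token_urlsafe(32)  # unguessable, one per product permission
                expires_at = self.clock() + self.token_ttl
                self.tokens[token] = (tenant_id, user_id, product, expires_at)
                self.grants.setdefault((tenant_id, user_id), {})[product] = set(interfaces)
                issued[(user_id, product)] = token
        return issued  # handed back to the tenant, who distributes tokens to users

    def product_auth(self, token, product):
        """Gateway -> auth service: validity-period check, then rights database lookup."""
        record = self.tokens.get(token)
        if record is None:
            return None
        tenant_id, user_id, granted_product, expires_at = record
        if self.clock() >= expires_at or granted_product != product:
            return None
        # The IDs come from the stored record, never from the caller's request.
        return {"tenant_id": tenant_id, "user_id": user_id}

    def interface_auth(self, tenant_id, user_id, product, interface):
        """Business service -> auth service: verify the interface call permission."""
        allowed = self.grants.get((tenant_id, user_id), {}).get(product, set())
        return interface in allowed


def handle_call(auth, token, product, interface):
    """API gateway plus business service path; returns an HTTP-like status (assumed)."""
    ids = auth.product_auth(token, product)
    if ids is None:
        return 401  # unknown token, expired token, or no permission for this product
    if not auth.interface_auth(ids["tenant_id"], ids["user_id"], product, interface):
        return 403  # product permission held, but not for this interface
    return 200      # business service may now execute the interface function
```

Because the tenant ID and user ID are looked up from the token record and attached by the gateway side, a caller cannot widen its own access by supplying different IDs in the request.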
In one embodiment, a computer-readable storage medium is provided, on which a computer program is stored. When executed by a processor, the computer program implements the following steps: receiving the user login information sent by the API gateway, and determining the product permission of the currently logged-in user according to the user login information; returning the product permission of the currently logged-in user to the API gateway, so as to trigger the API gateway to forward the currently logged-in user's product interface call request to the business service; receiving the interface authentication request sent by the business service, and verifying the product interface call permission of the currently logged-in user according to the interface authentication request, the interface authentication request being derived from the product interface call request forwarded by the API gateway; and, if verification of the product interface call permission passes, returning an interface response instruction to the business service, the interface response instruction being used to trigger the business service to execute the function of the corresponding interface of the product.
In one embodiment, the computer program further implements the following steps when executed by the processor: before the step of receiving the user login information sent by the API gateway and determining the product permission of the currently logged-in user according to the user login information, the method further includes: receiving a registration request from a tenant, the registration request including the products the tenant requests to register and the user information of multiple users; and registering the tenant according to the registration request, determining the product permission of the multiple users under each product, and determining the token corresponding to each product permission.
In one embodiment, the computer program further implements the following steps when executed by the processor: after the step of determining the product permission of the multiple users under each product and determining the token corresponding to each product permission, the method further includes: storing the product permission in a pre-established rights database, and returning the token to the tenant, so that the tenant distributes the token to the corresponding user.
In one embodiment, the computer program further implements the following steps when executed by the processor: the user login information includes a token, and the token has a validity period; before the step of determining the product permission of the currently logged-in user according to the user login information, the method further includes: judging whether the token is within its validity period.
In one embodiment, the computer program further implements the following steps when executed by the processor: the step of determining the product permission of the currently logged-in user according to the user login information includes: if the token is within its validity period, querying the rights database for the product permission corresponding to the token, thereby obtaining the product permission of the currently logged-in user.
In one embodiment, the computer program further implements the following steps when executed by the processor: multiple tenant IDs and user IDs are stored in the rights database; after the step of receiving the user login information sent by the API gateway and determining the product permission of the currently logged-in user according to the user login information, the method further includes: if it is determined that the currently logged-in user has permission to use the corresponding product, allocating a tenant ID and a user ID to the currently logged-in user according to the tenant IDs and user IDs stored in the rights database, and returning the allocated tenant ID and user ID to the API gateway.
In one embodiment, the computer program further implements the following steps when executed by the processor: the interface authentication request is derived from the product interface call request, tenant ID and user ID forwarded by the API gateway; the step of verifying the product interface call permission of the currently logged-in user according to the interface authentication request includes: verifying the corresponding tenant ID and user ID according to the interface authentication request; if verification of the corresponding tenant ID and user ID passes, verification of the product interface call permission passes, and the currently logged-in user has permission to call the corresponding interface.
Those of ordinary skill in the art will understand that all or part of the processes in the methods of the above embodiments can be completed by a computer program instructing the relevant hardware; the program can be stored in a computer-readable storage medium and sold or used as an independent product. More specific examples (a non-exhaustive list) of computer-readable media include the following: an electrical connection (electronic device) with one or more wires, a portable computer disk cartridge (magnetic device), random access memory (RAM), read-only memory (ROM), erasable programmable read-only memory (EPROM or flash memory), an optical fiber device, and portable compact disc read-only memory (CDROM). In addition, the computer-readable medium may even be paper or another suitable medium on which the program is printed, because the program can be obtained electronically, for example by optically scanning the paper or other medium and then editing, interpreting or, where necessary, processing it in another suitable way, and then stored in a computer memory.
It should be understood that each part of the present invention can be implemented in hardware, software, firmware or a combination of them. In the above embodiments, multiple steps or methods can be implemented in software or firmware that is stored in memory and executed by a suitable instruction execution system. For example, if implemented in hardware, as in another embodiment, any one of the following techniques well known in the art, or a combination of them, can be used: discrete logic circuits with logic gates for implementing logic functions on data signals, application-specific integrated circuits with suitable combinational logic gates, programmable gate arrays (PGA), field-programmable gate arrays (FPGA), and so on.
The terms "include" and "have" in the embodiments of the present invention, and any variants of them, are intended to cover non-exclusive inclusion. For example, a process, method, system, product or device that contains a series of steps or (module) units is not limited to the steps or units listed, but optionally also includes steps or units that are not listed, or optionally also includes other steps or units inherent to the process, method, product or device.
The technical features of the embodiments described above can be combined arbitrarily. For brevity, not every possible combination of the technical features in the above embodiments has been described; however, as long as a combination of these technical features involves no contradiction, it should be considered within the scope of this specification.
The embodiments described above express only several implementations of the present invention and should not be understood as limiting the scope of the invention patent. It should be pointed out that those of ordinary skill in the art can make various modifications and improvements without departing from the inventive concept, and these all fall within the scope of protection of the present invention. Therefore, the scope of protection of the patent of the present invention shall be determined by the appended claims.