Specific embodiments
To make the objectives, technical solutions and advantages of the present invention clearer, the present invention is further described below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described here only serve to illustrate the present invention and are not intended to limit it.
In the embodiments of the present invention, a mini program is a mobile-terminal application developed in a particular programming language that can be used without being downloaded and installed. A mini program is not installed manually in the mobile terminal's operating system; it usually relies on an application platform as its carrier and runs inside that platform, which may be an instant-messaging application. Typically, after a developer has finished developing a mini program on a mini-program development platform, the finished mini program is published to the server side of the application platform, which integrates it with the application platform.
Referring to Fig. 1, Fig. 1 is a schematic flowchart of the authentication method for a mini program in the first embodiment of the present invention. The executing subject of the authentication method in this embodiment is a server. The authentication method for a mini program shown in the figure may include the following steps:
S101: if a user authorization-authentication request is received from a client, obtain the encrypted string that the client received from the application platform and forwarded, and obtain a key from the application platform. The encrypted string is produced by the application platform encrypting the user information of the user currently logged in to the application platform; the client is the client of the mini program; and the mini program relies on the application platform as its carrier.
To use a mini program on a mobile terminal, the user first enters the application platform that carries the mini program and finds the mini program's client login entry inside the application platform. When the user logs in at the mini program's client, the server corresponding to the mini program must authenticate the user's user information to determine whether the user is a user with permission. Specifically, the user can trigger the user authorization-authentication request with one tap of a virtual key on the client's login interface, and the client sends the user authorization-authentication request to the server.
If the server receives the user authorization-authentication request from the client, it obtains the encrypted string that the client received from the application platform the mini program relies on and forwarded, and it obtains the key from that application platform. Note that the client obtains the encrypted string directly from the application platform through an API interface; this API interface is a data-sharing interface that the application platform opens to the mini program's client so that the client can obtain the encrypted string from the application platform. The server likewise obtains the key from the application platform through an API interface, a data-sharing interface that the application platform opens to the mini program's server so that the server can obtain the key from the application platform. Because the encrypted string and the key are handed over through the application platform's own interfaces rather than across any public network, they are difficult to tamper with, which protects the encrypted string and key that the server obtains. (The client still forwards the encrypted string to the server over its own connection; in practice that leg relies on the transport, for example TLS, for its protection.) The encrypted string is produced by the application platform encrypting the user information of the user currently logged in to the application platform; the user information includes at least the mobile number, and may further include the nickname, gender, region and similar information. The key the server obtains from the application platform is the encryption key with which the application platform encrypted that user information into the encrypted string.
S102: decrypt the encrypted string with the key to obtain the user information.
In S102, the server decrypts the encrypted string with the key obtained from the application platform and so obtains the user's user information, that is, the corresponding mobile number; the user information obtained may of course also include the nickname, gender, region and similar information.
S103: if the user information is found in the pre-stored user information database, generate an authorization-success notification, receive the user identifier of the user from the application platform, generate authentication information from the user identifier and store it in a database, and send the authentication information and the authorization-success notification to the client.
In S103, the server keeps the user information of every user who has login permission in the pre-stored user information database. The server checks whether the user information obtained above is found in that database: if it is found, the user is determined to have permission; if it is not found, the user is determined not to have permission. Note that the server can make this decision by checking whether the corresponding mobile number is found in the user information database: if the mobile number is found, the user is determined to have permission, otherwise the user is determined not to have permission.
When the server determines that the user has permission, it generates an authorization-success notification, receives the user identifier of the user from the application platform through an API interface, generates authentication information from that user identifier, and stores the authentication information in a database. The authentication information is used to secure the communication between the server and the client. The user identifier is the OpenID of the application-platform user when using the mini program, that is, the unique identification of the application-platform user within this mini program. The authentication information includes a token, a refreshToken parameter, a token_expires_in parameter, an API key and similar items. The token consists of the user identifier, a timestamp and a signature, where the signature is a fixed-length string obtained by hashing the user identifier and timestamp in the token. The refreshToken parameter is an encrypted string used to refresh the token. The API key is the key used for requests and responses between the server and the client. The token_expires_in parameter expresses the token's expiry time; by default it is set to 10 minutes, so the token expires every 10 minutes, at which point the client must use the refreshToken parameter to request a refresh of the token and obtain a new token value. An administrator can change the expiry time in the server configuration as required.
The server sends the authentication information and the authorization-success notification to the client. Requests and responses between the client and the server are then all protected with the authentication information (the request ciphertext described in the third embodiment), which ensures the security of data transmission. In addition, the client displays a mini-program login-success notification on its display interface according to the authorization-success notification, so that the user can see in time that the mini program has logged in successfully.
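The decision in S103 and the issuance of the authentication information, as an added worked example; this is not the patent's own code. The pre-stored user database, the OpenID values and the exact token layout (user identifier, timestamp, signature joined with dots) are assumptions. The patent only says the signature is a hash of the user identifier and timestamp; this example keys that hash with a server-side secret (HMAC-SHA256) so that a client cannot forge its own tokens, which is added hardening rather than the patent's wording.

```python
"""S103 / S204 worked example (added; not the patent's code): look the decrypted
user information up in the pre-stored user database and, on success, issue the
authentication information (token, refreshToken, token_expires_in, API key)."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed pre-stored user information database, keyed by mobile number
# (the patent allows the lookup to be done on the mobile number alone).
AUTHORIZED_USERS = {
    "13800000001": {"nickname": "alice", "region": "Shenzhen"},
    "13800000002": {"nickname": "bob", "region": "Beijing"},
}

# Assumption: server-side secret that keys the token signature (not in the patent).
TOKEN_SIGNING_SECRET = b"constructed-server-secret"
DEFAULT_TOKEN_EXPIRES_IN = 600  # the patent's default: 10 minutes


@dataclass
class AuthInfo:
    token: str
    refresh_token: str
    token_expires_in: int
    api_key: str


def _sign(user_id: str, timestamp: int) -> str:
    # Patent: signature = hash over (user identifier, timestamp).
    # Added hardening: keyed HMAC-SHA256 instead of an unkeyed hash.
    msg = f"{user_id}.{timestamp}".encode()
    return hmac.new(TOKEN_SIGNING_SECRET, msg, hashlib.sha256).hexdigest()


def make_token(user_id: str, timestamp: int) -> str:
    # Assumed layout: user identifier . timestamp . signature
    return f"{user_id}.{timestamp}.{_sign(user_id, timestamp)}"


def parse_token(token: str) -> Optional[Tuple[str, int]]:
    """Return (user_id, timestamp) if the token's signature verifies, else None."""
    parts = token.split(".")
    if len(parts) != 3 or not parts[1].isdigit():
        return None
    user_id, ts, sig = parts[0], int(parts[1]), parts[2]
    if not hmac.compare_digest(sig, _sign(user_id, ts)):
        return None
    return user_id, ts


def authorize(user_info: dict, open_id: str, now: int, auth_db: dict,
              expires_in: int = DEFAULT_TOKEN_EXPIRES_IN):
    """Decide on the decrypted user information (S103 success / S204 failure).

    Returns ("authorization_success", AuthInfo) or ("authorization_failure", None).
    auth_db is the server's authentication-information store, keyed by token.
    """
    if user_info.get("mobile") not in AUTHORIZED_USERS:
        return "authorization_failure", None
    info = AuthInfo(
        token=make_token(open_id, now),
        refresh_token=secrets.token_urlsafe(32),
        token_expires_in=expires_in,
        api_key=secrets.token_hex(32),
    )
    auth_db[info.token] = {"open_id": open_id, "issued_at": now, "info": info}
    return "authorization_success", info


def token_is_valid(token: str, now: int, auth_db: dict) -> bool:
    """A token is valid only if its signature verifies, it is in the store and
    token_expires_in seconds have not yet elapsed since it was issued."""
    record = auth_db.get(token)
    if record is None or parse_token(token) is None:
        return False
    return now - record["issued_at"] < record["info"].token_expires_in


if __name__ == "__main__":
    db = {}
    status, info = authorize({"mobile": "13800000001"}, "oABC123", int(time.time()), db)
    print(status, info.token if info else None)
```

The token store is keyed by the token string so that the third embodiment's lookup of the API key by token is a single dictionary access; the refresh token and API key are drawn from the OS CSPRNG, which is the only reasonable source for values that gate later requests.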
As can be seen from the above, the user triggers the user authorization-authentication request with one tap of a virtual key on the client's login interface; the server receives the encrypted string that the client obtained directly through the API interface from the application platform the mini program relies on, and itself obtains the key through the API interface from that application platform. Because the encrypted string and the key are both obtained through interfaces provided directly by the application platform the mini program relies on, and not across any public network, they are difficult to tamper with, which protects the encrypted string and key that the server obtains. The server keeps the user information of every user with login permission in the pre-stored user information database and checks whether the user information obtained is found there; if it is found, the user is determined to have permission. As a result, when the user logs in at the mini program's client, the authentication information is guaranteed to be genuine and valid while the login can be completed with a single tap, which simplifies the login flow, saves the user time during login and improves the user experience.
Referring to Fig. 2, Fig. 2 is a schematic flowchart of the authentication method for a mini program provided by the second embodiment of the present invention. This embodiment differs from the first embodiment in that it further includes S204 after S202. S201 to S203 are identical to S101 to S103 in the first embodiment; see the description of S101 to S103 in the first embodiment, which is not repeated here. S204 is as follows:
S204: if the user information is not found in the pre-stored user information database, generate an authorization-failure notification and send the authorization-failure notification to the client.
The server keeps the user information of every user with login permission in the pre-stored user information database and checks whether the user information obtained is found there. If the user information is found, the server determines that the user has permission; if it is not found, the server determines that the user does not have permission. In particular, the server judges whether the user has permission by checking whether the corresponding mobile number is found in the user information database: if the mobile number is found, the user has permission, otherwise the server determines that the user does not. When the server determines that the user does not have permission, it generates an authorization-failure notification and sends it to the client, and the client displays a mini-program login-failure notification on its display interface according to that notification, so that the user can see in time that the mini-program login failed.
Referring to Fig. 3, Fig. 3 is a schematic flowchart of the authentication method for a mini program provided by the third embodiment of the present invention. This embodiment differs from the first embodiment in that it further includes S304 to S307 after S303. S301 to S303 are identical to S101 to S103 in the first embodiment; see the description of S101 to S103 in the first embodiment, which is not repeated here. S304 to S307 are as follows:
S304: receive a data request from the client, the data request including the token, the request parameters, a random number (nonce), a timestamp and a request ciphertext, where the request ciphertext is generated by the client from the token, the request parameters, the random number and the timestamp using the API key.
The authentication information stored on the server includes at least the API key. Once the user has passed authentication at the client, the client initiates a data request to the server whenever it performs a corresponding function. The data request includes the token, the request parameters, the random number, the timestamp and the request ciphertext, where the request ciphertext is generated by the client over the token, the request parameters, the random number and the timestamp with the API key as the key. When the server receives the client's data request, it first processes the request to decide whether to pass it, and then executes the corresponding response according to the data request.
S305: query the database for the API key according to the token in the data request, and generate a comparison ciphertext from the token, the request parameters, the random number and the timestamp using the API key.
After receiving the data request, the server uses its token to look up the corresponding API key in the stored authentication information, and with the API key as salt it computes a comparison ciphertext over the token, the request parameters, the random number and the timestamp, which it then checks against the request ciphertext. The comparison ciphertext and the request ciphertext are both derived from the token, the request parameters, the random number and the timestamp with the API key as salt, so if an attacker intercepts the data request the client sent to the server and tampers with the request parameters, checking the comparison ciphertext against the request ciphertext detects this at once and prevents information from leaking, which secures the data transmission between the server and the client.
S306: if the comparison ciphertext matches the request ciphertext, pass the data request.
S307: if the comparison ciphertext does not match the request ciphertext, block the data request.
The server checks the comparison ciphertext against the request ciphertext. If they match, the request parameters in the data request were not tampered with and the data request is safe, so the server passes the data request and executes the corresponding response. If they do not match, the request parameters in the data request were tampered with and the data request is unsafe, so the server blocks it.
Further, the method for generating the comparison ciphertext includes:
computing a message digest over the token, the request parameters, the random number and the timestamp with the API key as salt, to generate the comparison ciphertext.
The data request the client sends to the server includes the token, the request parameters, the random number, the timestamp and the request ciphertext, and the request ciphertext is generated with the MD5 message digest algorithm using the API key as salt. When the server verifies the safety of the data request, it likewise generates the comparison ciphertext with the MD5 message digest algorithm using the API key as salt, checks the comparison ciphertext against the request ciphertext, and judges the safety of the data request from the result of that comparison, which reduces the risk of data leakage. In current practice a keyed MAC such as HMAC-SHA256 would be used in place of a salted MD5 digest for this purpose, and the two values would be compared in constant time; the embodiment as described uses MD5.
For each request and response between the server and the client, the comparison ciphertext generated on the server is checked against the request ciphertext. Because both are derived from the token, the request parameters, the random number and the timestamp with the API key as salt, if an attacker intercepts the data request on its way from the client to the server and tampers with the request parameters, checking the comparison ciphertext against the request ciphertext detects this at once and prevents information from leaking, which secures the data transmission between the server and the client.
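Both sides of S304 to S307 and the digest construction described just above, as an added worked example; this is not the patent's code. The canonical encoding of the four fields (sorted-key JSON) and the constructed API key are assumptions, since the patent does not say how the fields are serialised before hashing. The `request_ciphertext_md5` function follows the patent's salted-MD5 construction; `request_ciphertext_hmac` and the constant-time comparison are the hardened alternative mentioned above, not the patent's own method.

```python
"""S304-S307 worked example (added; not the patent's code): the client builds a
request ciphertext over (token, request parameters, nonce, timestamp) with the
API key as salt; the server looks the API key up by token, rebuilds a comparison
ciphertext and passes or blocks the request."""
import hashlib
import hmac
import json
from typing import Callable, Dict

# Constructed authentication-information store (what S103 wrote), keyed by token.
AUTH_DB: Dict[str, dict] = {
    "oABC123.1700000000.sig": {"api_key": "0f3a9c1e-constructed-api-key"},
}


def canonical(token: str, params: dict, nonce: str, timestamp: int) -> bytes:
    # Assumption: sorted-key, compact JSON so client and server hash identical bytes.
    return json.dumps(
        {"token": token, "params": params, "nonce": nonce, "timestamp": timestamp},
        sort_keys=True, separators=(",", ":"),
    ).encode()


def request_ciphertext_md5(api_key: str, token: str, params: dict,
                           nonce: str, timestamp: int) -> str:
    # Patent's construction: MD5 message digest with the API key as salt.
    return hashlib.md5(api_key.encode() + canonical(token, params, nonce, timestamp)).hexdigest()


def request_ciphertext_hmac(api_key: str, token: str, params: dict,
                            nonce: str, timestamp: int) -> str:
    # Hardened variant (not in the patent): keyed HMAC-SHA256 over the same bytes.
    return hmac.new(api_key.encode(), canonical(token, params, nonce, timestamp),
                    hashlib.sha256).hexdigest()


Digest = Callable[[str, str, dict, str, int], str]


def build_request(api_key: str, token: str, params: dict, nonce: str,
                  timestamp: int, digest: Digest = request_ciphertext_md5) -> dict:
    """Client side (S304): the data request with its request ciphertext."""
    return {"token": token, "params": params, "nonce": nonce, "timestamp": timestamp,
            "ciphertext": digest(api_key, token, params, nonce, timestamp)}


def check_request(req: dict, auth_db: Dict[str, dict] = AUTH_DB,
                  digest: Digest = request_ciphertext_md5) -> str:
    """Server side (S305-S307): returns "pass" or "block"."""
    record = auth_db.get(req.get("token"))
    if record is None:
        return "block"  # unknown token: there is no API key to verify with
    expected = digest(record["api_key"], req["token"], req["params"],
                      req["nonce"], req["timestamp"])
    # Constant-time comparison (added hardening) on the byte strings.
    received = str(req.get("ciphertext", "")).encode()
    return "pass" if hmac.compare_digest(expected.encode(), received) else "block"


if __name__ == "__main__":
    key = AUTH_DB["oABC123.1700000000.sig"]["api_key"]
    req = build_request(key, "oABC123.1700000000.sig", {"action": "list_orders", "page": 1},
                        "n0nce", 1700000100)
    print(check_request(req))                                                 # pass
    print(check_request(dict(req, params={"action": "list_orders", "page": 2})))  # block
```

The server never trusts the request's own claim of which key was used: it derives the API key solely from the token's database record, so a request carrying someone else's token cannot be signed without that user's API key.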
Referring to Fig. 4, Fig. 4 is a schematic flowchart of the authentication method for a mini program provided by the fourth embodiment of the present invention. This embodiment differs from the third embodiment in that it further includes S4051 to S4052 before S405, and S4053 to S4054 after S4051. S401 to S407 are identical to S301 to S307 in the third embodiment; see the description of S301 to S307 in the third embodiment, which is not repeated here. S4051 to S4054 are as follows:
S4051: judge whether an identical data request exists within a preset time.
Before checking the comparison ciphertext for a data request, the server first judges whether an identical data request was received within a preset time, where an identical data request means a data request containing the same request parameters, and the preset time is a preset time interval of the server, for example ten minutes. For normal data requests a client will not send multiple identical data requests within a short period, so when the server receives several identical data requests from a client within a short period, those data requests may be malicious and blocking measures need to be taken.
S4052: if no identical data request exists within the preset time, determine that the data request is not a replay attack.
When no identical data request exists within the preset time, the server determines that the data request is not a replay attack and goes on to check the comparison ciphertext for the data request.
Further, after S4051 the method also includes:
S4053: if an identical data request exists within the preset time, determine that the data request is a replay attack and refuse the data request;
S4054: add the Internet protocol (IP) address of the client corresponding to the data request to a restricted-access list.
If an identical data request exists within the preset time, the data request is a replay attack and may be malicious, so the server refuses the data request directly and adds the IP address of the client corresponding to the data request to the restricted-access list.
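The replay check of S4051 to S4054, as an added worked example that is not the patent's code. It keeps the fingerprints of recently seen requests in memory for the preset window (ten minutes, the patent's example), refuses a request whose request parameters were already seen within the window, and puts the client's IP address on the restricted-access list. The in-memory store, the fingerprint over token plus request parameters, and the handling of requests from an already-restricted address (returned as "restricted") are assumptions.

```python
"""S4051-S4054 worked example (added; not the patent's code): detect a replayed
data request within the preset window and restrict the sending IP address."""
import json
from collections import deque
from typing import Deque, Dict, Set, Tuple

PRESET_WINDOW_SECONDS = 600  # the patent's example: ten minutes


class ReplayGuard:
    def __init__(self, window: int = PRESET_WINDOW_SECONDS):
        self.window = window
        # (receive time, fingerprint) in arrival order, oldest first
        self.seen: Deque[Tuple[float, str]] = deque()
        # fingerprint -> number of live entries in self.seen
        self.fingerprints: Dict[str, int] = {}
        # the patent's restricted-access list (assumption: a set of IP addresses)
        self.restricted_ips: Set[str] = set()

    @staticmethod
    def fingerprint(req: dict) -> str:
        # "Identical data request" = same request parameters (scoped to the token).
        return json.dumps({"token": req["token"], "params": req["params"]}, sort_keys=True)

    def _expire(self, now: float) -> None:
        # Drop entries older than the preset window.
        while self.seen and now - self.seen[0][0] >= self.window:
            _, fp = self.seen.popleft()
            self.fingerprints[fp] -= 1
            if self.fingerprints[fp] == 0:
                del self.fingerprints[fp]

    def check(self, req: dict, client_ip: str, now: float) -> str:
        """Run before the ciphertext comparison of S405.

        Returns "restricted" (address already on the list; assumption),
        "replay" (S4053/S4054: refused, address restricted) or "ok" (S4052).
        """
        if client_ip in self.restricted_ips:
            return "restricted"
        self._expire(now)
        fp = self.fingerprint(req)
        if self.fingerprints.get(fp, 0) > 0:
            self.restricted_ips.add(client_ip)
            return "replay"
        self.seen.append((now, fp))
        self.fingerprints[fp] = self.fingerprints.get(fp, 0) + 1
        return "ok"


if __name__ == "__main__":
    guard = ReplayGuard()
    req = {"token": "t1", "params": {"q": "orders"}, "nonce": "n1", "timestamp": 1000}
    print(guard.check(req, "203.0.113.5", 1000.0))   # ok
    print(guard.check(req, "203.0.113.5", 1300.0))   # replay
    print(sorted(guard.restricted_ips))
```

Because the patent's criterion is "same request parameters", a legitimate client that repeats the same query within the window is also refused; keying the check on the random number (nonce) that every data request already carries, and rejecting a nonce that has been seen, is the usual refinement when that is not acceptable.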
Referring to Fig. 5, Fig. 5 is a schematic diagram of a server provided by the fifth embodiment of the present invention. The server includes units for executing the steps of the embodiments corresponding to Figs. 1 to 4; see the descriptions of those embodiments for details. For ease of description, only the parts relevant to this embodiment are shown. Referring to Fig. 5, the server 5 includes:
an acquiring unit 101, configured to, if a user authorization-authentication request is received from a client, obtain the encrypted string that the client received from the application platform and forwarded, and obtain a key from the application platform, where the encrypted string is produced by the application platform encrypting the user information of the user currently logged in to the application platform, the client is the client of the mini program, and the mini program relies on the application platform as its carrier;
a decryption unit 102, configured to decrypt the encrypted string with the key to obtain the user information;
a first generation unit 103, configured to, if the user information is found in the pre-stored user information database, generate an authorization-success notification, receive the user identifier of the user from the application platform, generate authentication information from the user identifier and store it in a database, and send the authentication information and the authorization-success notification to the client.
Optionally, the server further includes:
a second generation unit, configured to, if the user information is not found in the pre-stored user information database, generate an authorization-failure notification and send the authorization-failure notification to the client.
Optionally, the authentication information includes at least an API key, and the server further includes:
a receiving unit, configured to receive a data request from the client, the data request including the token, the request parameters, a random number, a timestamp and a request ciphertext, where the request ciphertext is generated by the client from the token, the request parameters, the random number and the timestamp using the API key;
an encryption unit, configured to query the database for the API key according to the token in the data request, and generate a comparison ciphertext from the token, the request parameters, the random number and the timestamp using the API key;
an execution unit, configured to pass the data request if the comparison ciphertext matches the request ciphertext, and to block the data request if the comparison ciphertext does not match the request ciphertext.
Optionally, the server further includes:
a judging unit, configured to judge whether an identical data request exists within a preset time;
a first determining unit, configured to determine that the data request is not a replay attack if no identical data request exists within the preset time.
Optionally, the server further includes:
a second determining unit, configured to determine that the data request is a replay attack and refuse the data request if an identical data request exists within the preset time;
a restricting unit, configured to add the Internet protocol address of the client corresponding to the data request to a restricted-access list.
Optionally, the method for generating the comparison ciphertext includes:
computing a message digest over the token, the request parameters, the random number and the timestamp with the API key as salt, to generate the comparison ciphertext.
Fig. 6 is a schematic diagram of a server provided by the sixth embodiment of the present invention. As shown in Fig. 6, the server 6 of this embodiment includes a processor 60, a memory 61, and a computer program 62 stored in the memory 61 and executable on the processor 60, such as a control program of the server. When the processor 60 executes the computer program 62, it implements the steps of each of the authentication method embodiments above, for example S101 to S103 shown in Fig. 1. Alternatively, when the processor 60 executes the computer program 62, it implements the functions of the units in each of the apparatus embodiments above, for example the functions of units 101 to 103 shown in Fig. 5.
Illustratively, the computer program 62 may be divided into one or more units, which are stored in the memory 61 and executed by the processor 60 to carry out the present invention. The one or more units may be a series of computer program instruction segments capable of completing specific functions, and the instruction segments describe the execution of the computer program 62 in the server 6. For example, the computer program 62 may be divided into an acquiring unit, a decryption unit and a first generation unit, whose specific functions are as described above.
The server may include, but is not limited to, the processor 60 and the memory 61. Those skilled in the art will understand that Fig. 6 is only an example of the server 6 and does not limit it; the server 6 may include more or fewer components than shown, may combine certain components, or may have different components. For example, the server may also include input and output devices, network access devices, a bus and so on.
The processor 60 may be a central processing unit (Central Processing Unit, CPU), or another general-purpose processor, a digital signal processor (Digital Signal Processor, DSP), an application-specific integrated circuit (Application Specific Integrated Circuit, ASIC), a field-programmable gate array (Field-Programmable Gate Array, FPGA) or other programmable logic device, a discrete gate or transistor logic device, a discrete hardware component, and so on. A general-purpose processor may be a microprocessor, or the processor may be any conventional processor.
The memory 61 may be an internal storage unit of the server 6, such as a hard disk or memory of the server 6. The memory 61 may also be an external storage device of the server 6, such as a plug-in hard disk, a smart media card (Smart Media Card, SMC), a secure digital (Secure Digital, SD) card or a flash card (Flash Card) fitted to the server 6. Further, the memory 61 may include both an internal storage unit of the server 6 and an external storage device. The memory 61 is used to store the computer program and the other programs and data the server needs, and may also be used to temporarily store data that has been output or is to be output.
The embodiments described above are only intended to illustrate the technical solutions of the present invention, not to limit them. Although the present invention has been described in detail with reference to the foregoing embodiments, those skilled in the art should understand that the technical solutions recorded in the foregoing embodiments may still be modified, or some of their technical features replaced by equivalents, and that such modifications or replacements, which do not cause the essence of the corresponding technical solutions to depart from the spirit and scope of the technical solutions of the embodiments of the present invention, all fall within the scope of protection of the present invention.