CN109829271A - Method for authenticating and Related product - Google Patents
Publication number: CN109829271A (application CN201811615602.2A)
Authority: CN (China)
Prior art keywords: service, target, application service, privileges, target application
Legal status: Granted
Abstract
The embodiments of the present application provide an authentication method and related products. The method includes: receiving an application service request sent by a target user for a target application service, the application service request carrying a record identification of the target user; generating a query request according to the record identification and sending the query request to a cache server; receiving the query result sent by the cache server; if the query result includes the identity information of the target user, determining, according to the identity information, the service privileges of the target user in the target application service; sending the service privileges to the target application service; and receiving the target response result sent by the target application service, the target response result corresponding to the service privileges. The efficiency of authentication can therefore be improved.
Description
Technical field
This application relates to the technical field of data security, and in particular to an authentication method and related products.
Background technique
With the continuous development of the Internet, Internet-based application service systems have also developed rapidly. The service systems of all kinds of application systems are growing ever larger, and the number of application services in a service system is also increasing sharply. At present, the usual way of coping with network attacks is to set up a separate authentication mechanism for each application service. When authentication mechanisms are set up separately, each application service has to be configured individually, so whenever an authentication problem is encountered, the authentication mechanism of every application service has to be set up again, which makes the system inefficient in terms of authentication.
Summary of the invention
The embodiments of the present application provide an authentication method and related products, which can improve the efficiency of authentication.
A first aspect of the embodiments of the present application provides an authentication method, the method comprising:
receiving an application service request sent by a target user for a target application service, the application service request carrying a record identification of the target user;
generating a query request according to the record identification, and sending the query request to a cache server;
receiving the query result sent by the cache server;
if the query result includes the identity information of the target user, determining, according to the identity information, the service privileges of the target user in the target application service;
sending the service privileges to the target application service;
receiving the target response result sent by the target application service, the target response result corresponding to the service privileges.
In combination with the first aspect of the embodiments of the present application, in a first possible implementation of the first aspect, determining, according to the identity information, the service privileges of the target user in the target application service comprises:
according to the identity information, determining the permission template acquisition formula of the target user using a preset generation method for permission template acquisition formulas;
generating a permission acquisition template according to the permission template acquisition formula;
obtaining the application identification of the target application, and obtaining multiple service privileges of the target application;
according to the application identification and the permission acquisition template, determining, from the multiple service privileges, the service privileges of the target user in the target application.
In combination with the first aspect of the embodiments of the present application and the first possible implementation of the first aspect, in a second possible implementation of the first aspect, the method further comprises:
obtaining a first response result that the target application service obtained through a reference application service, the reference application service being an application service associated with the target application service;
determining the target response result from the first response result and a second response result, the second response result being a response result generated by the target application service.
A second aspect of the embodiments of the present application provides an authentication device, the device comprising a first receiving unit, a generation unit, a second receiving unit, a determination unit, a sending unit and a third receiving unit, wherein:
the first receiving unit is configured to receive an application service request sent by a target user for a target application service, the application service request carrying a record identification of the target user;
the generation unit is configured to generate a query request according to the record identification and to send the query request to a cache server;
the second receiving unit is configured to receive the query result sent by the cache server;
the determination unit is configured to, if the query result includes the identity information of the target user, determine, according to the identity information, the service privileges of the target user in the target application service;
the sending unit is configured to send the service privileges to the target application service;
the third receiving unit is configured to receive the target response result sent by the target application service, the target response result corresponding to the service privileges.
In combination with the second aspect of the embodiments of the present application, in a first possible implementation of the second aspect, in determining, according to the identity information, the service privileges of the target user in the target application service, the determination unit is configured to:
according to the identity information, determine the permission template acquisition formula of the target user using a preset generation method for permission template acquisition formulas;
generate a permission acquisition template according to the permission template acquisition formula;
obtain the application identification of the target application, and obtain multiple service privileges of the target application;
according to the application identification and the permission acquisition template, determine, from the multiple service privileges, the service privileges of the target user in the target application.
In combination with the second aspect of the embodiments of the present application and the first possible implementation of the second aspect, in a second possible implementation of the second aspect, the device is further configured to:
obtain a first response result that the target application service obtained through a reference application service, the reference application service being an application service associated with the target application service;
determine the target response result from the first response result and a second response result, the second response result being a response result generated by the target application service.
A third aspect of the embodiments of the present application provides a terminal, comprising a processor, an input device, an output device and a memory, the processor, input device, output device and memory being connected to each other, wherein the memory is configured to store a computer program, the computer program comprising program instructions, and the processor is configured to call the program instructions and execute the steps of the method of the first aspect of the embodiments of the present application.
A fourth aspect of the embodiments of the present application provides a computer-readable storage medium, wherein the computer-readable storage medium stores a computer program for electronic data interchange, and the computer program causes a computer to execute some or all of the steps described in the first aspect of the embodiments of the present application.
A fifth aspect of the embodiments of the present application provides a computer program product, wherein the computer program product comprises a non-transitory computer-readable storage medium storing a computer program, and the computer program is operable to cause a computer to execute some or all of the steps described in the first aspect of the embodiments of the present application. The computer program product may be a software installation package.
Implementing the embodiments of the present application has at least the following beneficial effects:
According to the embodiments of the present application, an application service request sent by a target user for a target application service is received, the application service request carrying the record identification of the target user; a query request is generated according to the record identification and sent to a cache server; the query result sent by the cache server is received; if the query result includes the identity information of the target user, the service privileges of the target user in the target application service are determined according to the identity information; the service privileges are sent to the target application service; and the target response result sent by the target application service is received, the target response result corresponding to the service privileges. Compared with existing schemes, in which an authentication mechanism is set up separately for each application service, this scheme receives the application service request sent by the target user for the target application service, first verifies the target user, obtains the service privileges of the target user after successful verification, and then responds according to those service privileges. Since the target application service can be any application service, this scheme can authenticate multiple application services, and so improves the efficiency of authentication to a certain extent.
Detailed description of the invention
In order to explain the technical solutions in the embodiments of the present application or in the prior art more clearly, the drawings needed in the description of the embodiments or the prior art are briefly introduced below. Obviously, the drawings in the following description show only some embodiments of the present application; those of ordinary skill in the art can obtain other drawings based on these drawings without creative effort.
Fig. 1 is a schematic diagram of a universal retrieval system provided by an embodiment of the present application;
Fig. 2A is a flow diagram of an authentication method provided by an embodiment of the present application;
Fig. 2B is a schematic diagram of another authentication method provided by an embodiment of the present application;
Fig. 3 is a flow diagram of another authentication method provided by an embodiment of the present application;
Fig. 4 is a flow diagram of another authentication method provided by an embodiment of the present application;
Fig. 5 is a structural schematic diagram of a terminal provided by an embodiment of the present application;
Fig. 6 is a structural schematic diagram of an authentication device provided by an embodiment of the present application.
Specific embodiment
The technical solutions in the embodiments of the present application are described below clearly and completely with reference to the drawings in the embodiments of the present application. Obviously, the described embodiments are only some of the embodiments of the present application, not all of them. All other embodiments obtained by those of ordinary skill in the art on the basis of the embodiments of the present application without creative effort fall within the protection scope of the present application.
The terms "first", "second" and the like in the description, claims and drawings of the present application are used to distinguish different objects and not to describe a particular order. In addition, the terms "comprising" and "having" and any variations of them are intended to cover non-exclusive inclusion. For example, a process, method, system, product or device that comprises a series of steps or units is not limited to the listed steps or units, but optionally further comprises steps or units that are not listed, or optionally further comprises other steps or units inherent to the process, method, product or device.
Reference to "an embodiment" in this application means that a particular feature, structure or characteristic described in connection with the embodiment may be included in at least one embodiment of the present application. The appearance of the phrase in various places in the description does not necessarily refer to the same embodiment, nor to an independent or alternative embodiment that is mutually exclusive with other embodiments. Those skilled in the art understand, explicitly and implicitly, that the embodiments described herein can be combined with other embodiments.
The electronic devices involved in the embodiments of the present application may include various handheld devices with wireless communication functions, vehicle-mounted devices, wearable devices, computing devices or other processing devices connected to a wireless modem, and various forms of user equipment (UE), mobile stations (MS), terminal devices, and so on. For convenience of description, the devices mentioned above are collectively referred to as electronic devices.
In order to better understand the embodiments of the present application, the universal retrieval system of an authentication method provided by the embodiments of the present application is briefly introduced first. As shown in Fig. 1, the universal retrieval system 101 receives the application service request sent by a target user for a target application service; the application service request carries the record identification of the target user. The universal retrieval system 101 obtains the record identification of the target user from the application service request. The record identification can be understood as an identification number allocated by the system to the target user after the target user registers. The universal retrieval system 101 generates a query request according to the record identification and sends the query request to the cache server 102. The cache server 102 performs a query according to the record identification in the query request, obtains a query result, which can be either identity information or a null value, and sends the query result to the universal retrieval system 101. If the universal retrieval system 101 determines that the query result includes identity information, it determines, according to the identity information, the service privileges of the target user in the target application service and sends the service privileges to the target application service. The target application service can be any one or more of application service A, application service B, application service C or application service D. The target application service determines a target response result according to the service privileges and sends the target response result to the universal retrieval system 101, which receives the target response result sent by the target application service; the target response result corresponds to the service privileges. The application services here are only examples: besides application service A, application service B, application service C and application service D, other application services may exist. Compared with existing schemes, in which an authentication mechanism is set up separately for each application service, in this scheme the application service request sent by the target user for the target application service can be received, the target user is verified first, and after successful verification the service privileges of the target user are obtained and a response is made according to those service privileges. Since the target application service can be any application service, this scheme can authenticate multiple application services, and so improves the efficiency of authentication to a certain extent.
Optionally, the universal retrieval system is deployed at a gateway.
Referring to Fig. 2A, Fig. 2A is a flow diagram of an authentication method provided by an embodiment of the present application. As shown in Fig. 2A, the authentication method includes steps 201-206, as follows:
201. Receive the application service request sent by the target user for the target application service, the application service request carrying the record identification of the target user.
Optionally, the target user can be any user who needs to make a service request, and the target user can send the application service request to the universal retrieval system through an electronic device. In order to improve the security of communication between the target user and the universal retrieval center, a secure communication channel may be established before the target user sends the application service request to the universal retrieval system through the electronic device. One possible method of establishing a secure communication channel involves the universal retrieval center, the electronic device and an agent device, the agent device being a trusted third-party device, and specifically comprises the following steps:
S1. Initialization: the initialization phase mainly completes the registration of the universal retrieval center and the electronic device with the agent device, the subscription of topics, and the generation of system parameters. The universal retrieval center and the electronic device register with the agent device; only a registered universal retrieval center and a registered electronic device can participate in the publication and subscription of topics, and the electronic device subscribes to the relevant topics with the agent device. The agent device generates the system public parameters (PK) and the master key (MSK), and sends PK to the registered universal retrieval center and electronic device.
S2. Encryption and publication: in the encryption and publication phase, the universal retrieval center mainly encrypts the payload corresponding to the topic to be published and sends it to the agent device. The universal retrieval center first encrypts the payload with a symmetric encryption algorithm to produce the ciphertext (CT), then formulates an access structure and encrypts the symmetric key according to PK and the access structure, and finally sends the encrypted key and the encrypted payload to the agent device. After receiving the encrypted key and CT sent by the universal retrieval center, the agent device filters them and forwards them to the electronic device.
Optionally, the access structure is an access tree structure. Each non-leaf node $x$ of the access tree is a threshold gate, denoted $K_x$, with $0 \le K_x \le \mathrm{num}(x)$, where $\mathrm{num}(x)$ is the number of child nodes of $x$. When $K_x = \mathrm{num}(x)$, the non-leaf node represents an AND gate; when $K_x = 1$, it represents an OR gate. Each leaf node of the access tree represents an attribute. An attribute set satisfying an access tree structure can be defined as follows: let $T$ be the access tree with root node $r$, and let $T_x$ be the subtree of $T$ rooted at node $x$. If $T_x(S) = 1$, the attribute set $S$ is said to satisfy the access structure $T_x$. If node $x$ is a leaf node, then $T_x(S) = 1$ if and only if the attribute $\mathrm{att}(x)$ associated with leaf node $x$ is an element of the attribute set $S$. If node $x$ is a non-leaf node, then $T_x(S) = 1$ when at least $K_x$ child nodes $z$ satisfy $T_z(S) = 1$.
S3. Private key generation: in the private key generation phase, the agent device mainly generates the corresponding key for the electronic device, which is used to decrypt the CT received afterwards. The electronic device provides its attribute set $A_i$ to the agent device (the attributes can be features, roles and other information of the subscriber); the agent device generates a private key SK according to PK, the attribute set $A_i$ and the master key MSK, and then sends the generated private key to the electronic device.
Optionally, the attribute set $A_i$ is a subset of the global set $U = \{A_1, A_2, \ldots, A_n\}$. The attribute set $A_i$ represents the attribute information of electronic device $i$ (the $i$-th electronic device), which can be the features, roles and the like of the electronic device and are the default attributes of the electronic device; the global set $U$ represents the set of attribute information of all electronic devices.
S4. Decryption: the decryption phase is mainly the process in which the electronic device decrypts the encrypted payload to extract the plaintext. After receiving the encrypted key and CT sent by the agent device, the electronic device decrypts the encrypted key according to PK and SK to obtain the symmetric key. If its attribute set $A_i$ satisfies the access structure of the ciphertext, it can successfully decrypt the ciphertext, and the security of the communication process is thereby ensured.
By constructing a secure communication channel, the security of communication between the electronic device and the universal retrieval center can be guaranteed to a certain extent, reducing the possibility that an illegal electronic device steals the data transmitted between a legal electronic device and the universal retrieval center, and also reducing the occurrence of cases in which an illegal electronic device intrudes into or tampers with the system so that important data in the system is stolen.
Optionally, the record identification of the target user is stored in the payload field of the application service request.
Optionally, one possible method of obtaining the record identification includes steps A1-A2, as follows:
A1. Obtain session information from the application service request;
Here, the session information can be understood as the necessary information recording the current session between the electronic device and the universal retrieval center, for example identity information and the like.
A2. Extract the record identification of the target user from the session information.
Here, the record identification is extracted from the field of the session information that stores the record identification.
Optionally, another method of obtaining the record identification is to extract it from the payload field of the application service request. When extracting the record identification, extraction can start from the first field or from the last field. Extracting from the first field can be understood as starting at the address corresponding to the first field that stores the record identification and extracting the record identification from there; extracting from the last field can be understood as starting at the address corresponding to the last field that stores the record identification and extracting the record identification from there.
202. Generate a query request according to the record identification, and send the query request to the cache server.
Here, the cache server stores the mapping relation between record identifications and the identity information of users; the mapping relation is stored when the user registers or when the (system) user is created. For example, when the target user registers successfully, a record identification uniquely corresponding to that user is allocated to the target user, and the record identification is stored in association with the identity information of the user, which gives the mapping relation.
Optionally, the record identification can also have an update method. One possible update method for the record identification is as follows: after each user login, the record identification of the user is updated, the updated record identification is stored in association with the identity information of the user, and the original record identification is overwritten by the updated record identification. Updating the record identification in this way dynamically changes the record identification of the user, which handles the case in which the record identification of the user is stolen and so can improve the security of the system.
Optionally, after the cache server receives the query request, it performs a query in the database by record identification. The query result can be identity information or a null value. When the query result is identity information, the request can be judged to be a legitimate request; when the query result is a null value, the request can be judged to be an illegal request, and the cache server can directly refuse the request.
203. Receive the query result sent by the cache server.
Optionally, the query result sent by the cache server can be received over a secure communication channel between the universal retrieval center and the cache server, and that secure communication channel can be established in the same way as the secure communication channel in step 201.
204. If the query result includes the identity information of the target user, determine, according to the identity information, the service privileges of the target user in the target application service.
Optionally, one possible method of determining the service privileges according to the identity information may include steps B1-B4, as follows:
B1. According to the identity information, determine the permission template acquisition formula of the target user using a preset generation method for permission template acquisition formulas;
Optionally, the preset generation method for permission template acquisition formulas can be obtained by querying the database according to the identity information to obtain multiple generation methods corresponding to the identity information, determining the generation method of the target user's permission template acquisition formula according to the service address of the target application service, and then determining the permission template acquisition formula of the target user according to that generation method.
Here, the target user can access multiple application services and has a different generation method for each application, so multiple generation methods are first obtained by querying the database, and the generation method of the corresponding permission template acquisition formula is then chosen according to the service address of the target application service. Optionally, a generation method can be generated by a neural network model, or can be configured by a system administrator. The neural network model can be obtained by training; training the neural network model may include forward training and reverse training. The neural network model may include N layers. During training, sample data are input to the first layer of the N-layer neural network, the first layer performs a forward operation to obtain a first operation result, the first operation result is then input to the second layer for a forward operation to obtain a second result, and so on until the (N-1)-th result is input to the N-th layer for a forward operation to obtain the N-th operation result; reverse training is performed on the N-th operation result, and forward training and reverse training are repeated in this way until training of the neural network model is complete. N is a positive integer, and the sample data are service addresses and generation methods. For a generation method configured by the system administrator, the system administrator configures it using a preset configuration template that is stored in the system in advance.
B2. Generate a permission acquisition template according to the permission template acquisition formula;
Optionally, one possible permission template acquisition formula is: f = a.b("d"), where f is the service privilege, a is the identifier of the permission template acquisition formula, b is the operation platform, and d is the application identification. The operation platform can be understood as the platform on which the application service runs.
Optionally, the template acquisition formula is standardized to obtain the permission acquisition template. Standardization can be understood as converting the formula into the corresponding permission acquisition template for the user, fixing the value of each parameter in it and obtaining the value range of each parameter. Taking the application identification as an example, the range of the application identification is the set of application identifications of all application services the target user has registered for.
B3. Obtain the application identification of the target application service, and obtain multiple service privileges of the target application;
Here, all service privileges of the target application are stored in the database, so the multiple service privileges of the target application, that is, all privileges possessed by the target application, can be obtained directly from the database.
B4. According to the application identification and the permission acquisition template, determine, from the multiple service privileges, the service privileges of the target user in the target application.
Here, the application identification is input to the permission acquisition template and the execution code corresponding to the permission acquisition template is executed, thereby determining the service privileges of the target user in the target application service.
Optionally, another method of determining the service privileges is as follows: according to a preset mapping relation between identity information and permission levels, determine the permission level corresponding to the identity grade of the target user, and obtain the service privileges of the target user from the service privileges corresponding to that permission level. The preset mapping relation between identity information and permission levels can be obtained by training a neural network model; one possible training process is the training method of the neural network model described above.
Here, the higher the permission level, the more privileges the user can obtain. The permission levels can be, for example, a first permission level, a second permission level, a third permission level and a fourth permission level, increasing from the first permission level to the fourth. The first permission level may include A service privileges, the second permission level B service privileges, the third permission level C service privileges and the fourth permission level D service privileges, where A, B, C and D are positive integers and D is greater than C, C is greater than B, and B is greater than A.
205. Send the service privileges to the target application service.
Optionally, a preset load-balancing method may be used to send the service privileges to the target application service.
Load balancing here is the general name for the set of dispatching algorithms, and custom implementations are possible. By default a client-side load-balancing dispatching algorithm is provided whose core is a weighted round-robin mechanism. The weight, also called the specific polling probability, is proportional to the share of accesses a server receives and is used where back-end servers differ in performance.
First, weights are assigned according to server performance: the better the performance, the higher the weight; the lower the performance, the lower the weight. Denoting the weight as weight, a value such as weight = 10 may be used.
Second, each time the gateway needs to route to an instance, it polls the list of all servers continuously and selects every server currently in the idle state.
Finally, from all servers in the idle state, the one with the highest weight is selected as the object to be called; the request is routed to the target application service on that server, and the service privileges are sent to the target application service.
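As an added example (not code from the patent), the following Python implements the instance-selection procedure just described: a weight assigned from server performance, a poll of the whole server list for idle instances, and the idle instance with the highest weight receiving the request. It goes one step beyond the text by also including the smooth weighted round-robin rule (the form used by nginx) as the general "weighted round-robin" mechanism the text names, used here as the fallback when no instance is idle so that a burst is spread in proportion to weight instead of being dropped. Server names, weights and idle flags are constructed sample data.

```python
"""Added example: the instance-selection procedure described for step 205.
Server names, weights and idle flags are constructed sample data."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Server:
    name: str
    weight: int        # assigned from measured performance, higher is better
    idle: bool = True  # whether the instance is currently in the idle state
    current: int = 0   # running counter used by smooth weighted round robin


def assign_weight(performance_score: float, max_weight: int = 10) -> int:
    """Step one: map a performance score in [0, 1] onto a weight in 1..max_weight
    (the text's example value is weight = 10 for the best server)."""
    if not 0.0 <= performance_score <= 1.0:
        raise ValueError("performance_score must lie in [0, 1]")
    return max(1, round(performance_score * max_weight))


def pick_idle_highest_weight(servers: List[Server]) -> Optional[Server]:
    """Steps two and three: poll the whole list, keep the idle servers, return
    the idle one with the highest weight (None when every server is busy)."""
    idle = [s for s in servers if s.idle]
    if not idle:
        return None
    return max(idle, key=lambda s: s.weight)


def pick_smooth_wrr(servers: List[Server]) -> Server:
    """Weighted round robin in the smooth form used by nginx: within any window
    of sum(weight) picks each server is chosen exactly `weight` times, so the
    access ratio is proportional to weight as the text requires."""
    if not servers:
        raise ValueError("no servers to choose from")
    total = sum(s.weight for s in servers)
    for s in servers:
        s.current += s.weight
    best = max(servers, key=lambda s: s.current)
    best.current -= total
    return best


def route(servers: List[Server]) -> Server:
    """Gateway routing decision: the patent's idle-first pick, falling back to
    weighted round robin over all servers when none is idle so the request lands
    on a proportional share of the pool rather than being dropped."""
    chosen = pick_idle_highest_weight(servers)
    return chosen if chosen is not None else pick_smooth_wrr(servers)
```

`route()` is what the gateway would call once per request; the `current` counters live on the `Server` objects, so the same list must be reused across calls for the round-robin share to hold.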
Optionally, the service privileges instruct the application service to perform the service operations corresponding to those privileges. For example, if the target application service is a service for obtaining contact information, the service privileges may include obtaining first-grade contact information, second-grade contact information, third-grade contact information, fourth-grade contact information and so on, where the importance level rises from the first grade to the fourth. Importance level can be understood as follows: the higher the importance level, the higher the user grade; the lower the user grade, the lower the importance level. Users may be divided into ordinary users, super users, member users, gold-member users and so on, in increasing order of user grade, with each user type corresponding to one user grade. When the service privilege is to obtain first-grade contact information, the target application service queries all first-grade contact information and stores the query result.
Optionally, after the target application service receives the service privileges, it may call other application services while performing the service operations corresponding to those privileges. One possible method then includes steps C1 and C2, as follows:
C1. Obtain a first response result that the target application service obtained through a reference application service, the reference application service being an application service associated with the target application service.
When the target application service needs to call the reference application service, it sends a call request to it. The call request carries call information related to this call, and the call information may be the service privileges. Associated application services can be understood as two application services that may call each other. The reference application service performs the service operations corresponding to the received service privileges and obtains the first response result.
C2. Determine the target response result from the first response result and a second response result, the second response result being the response result generated by the target application service.
Optionally, the second response result is the response result obtained after the target application service performs the service operations corresponding to the service privileges. The second response result may contain multiple response parameters. The first response result may serve as input data of the target application service and, after the corresponding data processing, yield part of the response parameters of the second response result; in that case the second response result is taken as the target response result. The first response result may also be an independent response result with no data-processing relationship to the target application service; then, when determining the target response result, both the first and the second response result may be taken as the target response result.
In this example, different application services can call each other directly without performing mutual authentication operations, which improves efficiency to some extent when services call each other and reduces the overhead of mutual calls.
206. Receive the target response result sent by the target application service, the target response result corresponding to the service privileges.
Referring to Fig. 2B, Fig. 2B is a schematic diagram of another authentication method provided by an embodiment of the present application. As shown in Fig. 2B, the user first initiates a request. The universal authentication system intercepts the request according to the routing information in the request. After successful interception, the session information is taken out of the request and the cache server is asked whether the session information is valid. If it is invalid, the request is rejected; if it is valid, the identity information is returned and the service privileges are determined from it. The load balancing of the universal authentication system sends the service privileges to the corresponding service instance, the service instance obtains the response result according to the session information, and the response result is fed back to the target user through the universal authentication system. The service instances include service instance A, service instance B, service instance C and service instance D, and no authentication process is performed between service instances when they call each other internally. That is, the universal authentication system forms a safety curtain between the user and the service applications, which improves the security of the service applications.
Optionally, a single operation may need the support of 1 to N services, but authentication processing need not be performed in each of those 1 to N services. The core of the authentication mechanism of the present invention is to isolate all operations from the applications that provide the services, thereby forming a protective layer: authentication is performed before the user request reaches the first service instance, and only after authentication passes are the 1st, 2nd, ..., Nth service instances connected in turn.
Optionally, the universal authentication system further includes:
(1) Service hiding: all service instances and the interface services they provide are hidden from the outside; the only thing exposed is the route-map information.
(2) All external requests that request a service must pass through the gateway system; no capability to request a service directly is provided. This step removes the complicated authentication processing that external direct requests to internal services would otherwise require, and directly strengthens the security capability of the internal services.
(3) The universal authentication mechanism of the gateway system provides the universal authentication capability, so that mutual calls between all internal services no longer need to be authenticated.
In this example, the universal authentication system intercepts the request according to the routing information in the request; after successful interception, the session information is taken out of the request and the cache server is asked whether it is valid; if invalid, the request is rejected; if valid, the identity information is returned and the service privileges are determined from it; the load balancing of the universal authentication system sends the service privileges to the corresponding service instance, which obtains the response result according to the session information, and the response result is fed back to the target user through the universal authentication system. In this solution, the application service request for the target application service sent by the target user can be received, the target user is verified first, and after successful verification the target user's service privileges are obtained and the response is made according to those privileges. Because the target application service is an arbitrary application service, this solution can authenticate multiple application services, which improves the efficiency of authentication to some extent.
Referring to Fig. 3, Fig. 3 is a flow diagram of another authentication method provided by an embodiment of the present application. As shown in Fig. 3, the authentication method may include steps 301 to 310, as follows:
301. Receive an application service request for a target application service sent by a target user, the application service request carrying the record identification of the target user;
302. Obtain the record identification of the target user from the application service request;
303. Generate a query request according to the record identification, and send the query request to a cache server;
304. Receive the query result sent by the cache server;
305. If the query result includes the identity information of the target user, determine the privilege-template acquisition formula of the target user according to the identity information, using a preset method for generating privilege-template acquisition formulas;
306. Generate a privilege acquisition template according to the privilege-template acquisition formula;
307. Obtain the application identity of the target application service, and obtain multiple service privileges of the target application;
308. Determine the service privileges of the target user in the target application service from the multiple service privileges, according to the application identity and the privilege acquisition template;
309. Send the service privileges to the target application service;
310. Receive the target response result sent by the target application service, the target response result corresponding to the service privileges.
In this example, the privilege-template acquisition formula of the target user is determined from the identity information of the target user, the privilege acquisition template is determined from that formula, and the target user's privileges are obtained through the privilege acquisition template. When the target application service has many service privileges, determining the service privileges through the privilege template improves the efficiency of privilege acquisition to some extent.
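As an added example (not code from the patent), the following Python shows the privilege determination of steps B3 and B4 and of steps 305 to 308 above, together with the permission-level variant and the graded contact-information example: identity information is mapped to a permission level, each higher level is a superset of the one below (the A < B < C < D privilege counts), the "privilege acquisition template" is a closure built once from the identity information, and applying it to an application identity intersects the user's privileges with the privileges the target application actually exposes. It also enforces the parameter-range rule that the application identity must be one the user is registered for. The grade names, privilege strings, the static grade-to-level table (the patent also allows a trained neural network model here) and the application catalogue are all assumptions.

```python
"""Added example: service-privilege determination of steps B3/B4 (305-308).
Grade names, privilege strings, the grade-to-level table and the application
catalogue are constructed sample data, not taken from the patent."""
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, Set

# Four permission levels. Level n grants everything level n-1 grants plus its
# own increment, so the privilege counts satisfy A < B < C < D.
_LEVEL_INCREMENT: Dict[int, Set[str]] = {
    1: {"contact:read:grade1"},
    2: {"contact:read:grade2"},
    3: {"contact:read:grade3", "contact:export"},
    4: {"contact:read:grade4", "contact:write"},
}

# Assumed static identity-grade -> permission-level mapping. The patent also
# allows this mapping to be learned by a neural network model.
_GRADE_TO_LEVEL: Dict[str, int] = {
    "ordinary": 1, "super": 2, "member": 3, "gold_member": 4,
}

# Assumed catalogue of every service privilege each application exposes
# (stands in for the database holding "all service privileges of the target
# application" that step B3 reads).
_APP_PRIVILEGES: Dict[str, FrozenSet[str]] = {
    "contacts": frozenset({
        "contact:read:grade1", "contact:read:grade2", "contact:read:grade3",
        "contact:read:grade4", "contact:export", "contact:write",
    }),
    "billing": frozenset({"contact:export", "invoice:read"}),
}


@dataclass(frozen=True)
class IdentityInfo:
    """Identity information as returned by the cache server (constructed)."""
    user_id: str
    grade: str
    registered_apps: FrozenSet[str]   # application identities the user may use


def privileges_for_level(level: int) -> FrozenSet[str]:
    """Cumulative privilege set of a permission level (1..4)."""
    if level not in _LEVEL_INCREMENT:
        raise ValueError(f"unknown permission level {level}")
    granted: Set[str] = set()
    for lvl in range(1, level + 1):
        granted |= _LEVEL_INCREMENT[lvl]
    return frozenset(granted)


def build_privilege_template(identity: IdentityInfo) -> Callable[[str], FrozenSet[str]]:
    """Steps 305/306: derive the user's privilege acquisition template from the
    identity information. The template is a closure whose formula (the user's
    level privileges and registered applications) is fixed once, so step 308
    costs a single set intersection per request."""
    level = _GRADE_TO_LEVEL.get(identity.grade)
    if level is None:
        raise ValueError(f"unknown identity grade {identity.grade!r}")
    user_privileges = privileges_for_level(level)

    def template(app_id: str) -> FrozenSet[str]:
        # Range check on the template parameter: the application identity must
        # be one of the services the user is registered for; otherwise the user
        # gets nothing in that application rather than the level's full set.
        if app_id not in identity.registered_apps:
            return frozenset()
        # Step B3/307: all privileges the target application possesses.
        app_privileges = _APP_PRIVILEGES.get(app_id, frozenset())
        # Step B4/308: the user's privileges restricted to that application.
        return user_privileges & app_privileges

    return template


def determine_service_privileges(identity: IdentityInfo, app_id: str) -> FrozenSet[str]:
    """Build the template for one identity and apply it to one application."""
    return build_privilege_template(identity)(app_id)
```

Building the template once per identity and applying it per application identity is what the text means by executing the template's code with the application identity as input; the intersection with the application catalogue keeps a high-level user from being granted privileges an application never defined.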
Referring to Fig. 4, Fig. 4 is a flow diagram of another authentication method provided by an embodiment of the present application. As shown in Fig. 4, the authentication method may include steps 401 to 408, as follows:
401. Receive an application service request for a target application service sent by a target user, the application service request carrying the record identification of the target user;
402. Obtain session information from the application service request;
403. Extract the record identification of the target user from the session information;
404. Generate a query request according to the record identification, and send the query request to a cache server;
405. Receive the query result sent by the cache server;
406. If the query result includes the identity information of the target user, determine the service privileges of the target user in the target application service according to the identity information;
407. Send the service privileges to the target application service;
408. Receive the target response result sent by the target application service, the target response result corresponding to the service privileges.
In this example, the target service application is authenticated by extracting the record identification from the session information and authenticating with that record identification. Since the target application service refers to any application service, this solution can perform universal authentication for multiple application services. In existing solutions, when service requests are made to different application services, each application service has to be authenticated separately, which leads to inconsistent authentication and reduces security; this solution authenticates uniformly and can thus improve the security of the system to some extent.
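As an added example (not code from the patent or from any product of the applicant), the following Python models the Fig. 2B flow end to end, the session-handling steps 402 and 403 of Fig. 4, and the reference-service call of steps C1 and C2: the gateway intercepts the request by its route, pulls the session out of it, validates the session against the cache server, maps the returned identity to service privileges, dispatches the privileges to an idle service instance, lets that instance call a referenced service without re-authenticating, and merges the two responses into the target response. Sessions, identities, privilege strings, routes and instances are constructed sample data; the cache server is an in-memory dictionary, and the grade-to-privilege table is an assumption standing in for the identity-to-privilege step. One property a practitioner should note: exactly as the text describes, the instances accept whatever privilege set they are handed and the referenced service is called with no further check, so the scheme is only as strong as the isolation that keeps instances unreachable except through the gateway. The block models that isolation by routing every call through the `Gateway` object; in a deployment it is a network-level control, not application code.

```python
"""Added example: the universal-authentication gateway flow of Fig. 2B / Fig. 4.
All sessions, users, privileges, routes and instances are constructed data."""
import time
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List, Optional


@dataclass(frozen=True)
class Request:
    route: str                  # routing information, e.g. "/contacts/list"
    session_id: Optional[str]   # session information carried in the request


@dataclass
class CacheEntry:
    record_id: str              # the target user's record identification
    identity: Dict[str, str]    # identity information, e.g. {"grade": "member"}
    expires_at: float


class CacheServer:
    """Stand-in for the cache server that answers the gateway's query request."""

    def __init__(self) -> None:
        self._sessions: Dict[str, CacheEntry] = {}

    def put(self, session_id: str, record_id: str, identity: Dict[str, str],
            ttl: float, now: float) -> None:
        self._sessions[session_id] = CacheEntry(record_id, dict(identity), now + ttl)

    def query(self, session_id: str, now: float) -> Optional[CacheEntry]:
        entry = self._sessions.get(session_id)
        if entry is None or entry.expires_at <= now:
            return None  # unknown or expired: the query result carries no identity
        return entry


# Assumed identity grade -> service privilege mapping (the patent also allows a
# learned mapping); the privilege strings are constructed names.
GRADE_PRIVILEGES: Dict[str, FrozenSet[str]] = {
    "ordinary": frozenset({"contact:read:grade1"}),
    "member": frozenset({"contact:read:grade1", "contact:read:grade2",
                         "contact:read:grade3"}),
}

Handler = Callable[[FrozenSet[str], "Gateway"], Dict[str, object]]


@dataclass
class Instance:
    name: str
    handler: Handler
    idle: bool = True


class Gateway:
    """Universal authentication system: the only externally exposed surface.
    Service instances are hidden behind it; only the route map is reachable."""

    def __init__(self, cache: CacheServer, clock: Callable[[], float] = time.time) -> None:
        self.cache = cache
        self.clock = clock
        self.services: Dict[str, List[Instance]] = {}   # hidden route map
        self.internal_calls = 0

    def register(self, app: str, instance: Instance) -> None:
        self.services.setdefault(app, []).append(instance)

    def _dispatch(self, app: str, privileges: FrozenSet[str]) -> Dict[str, object]:
        idle = [i for i in self.services[app] if i.idle]
        if not idle:
            raise RuntimeError(f"no idle instance for {app}")
        return idle[0].handler(privileges, self)

    def call_internal(self, app: str, privileges: FrozenSet[str]) -> Dict[str, object]:
        """Service-to-service call: the privileges are forwarded as the call
        information and no authentication is repeated (steps C1/C2)."""
        if app not in self.services:
            raise KeyError(app)
        self.internal_calls += 1
        return self._dispatch(app, privileges)

    def handle(self, req: Request) -> Dict[str, object]:
        app = req.route.strip("/").split("/")[0]          # intercept by route
        if app not in self.services:
            return {"status": 404, "error": "unknown route"}
        if not req.session_id:                            # steps 402/403
            return {"status": 401, "error": "missing session"}
        entry = self.cache.query(req.session_id, self.clock())   # cache query
        if entry is None:
            return {"status": 401, "error": "invalid session"}   # reject
        privileges = GRADE_PRIVILEGES.get(entry.identity.get("grade", ""), frozenset())
        result = self._dispatch(app, privileges)          # privileges -> instance
        return {"status": 200, "user": entry.record_id,
                "privileges": sorted(privileges), "result": result}


def contacts_handler(privileges: FrozenSet[str], gw: Gateway) -> Dict[str, object]:
    """Target application service: its own (second) response plus the (first)
    response of the referenced 'profile' service, merged into the target response."""
    grades = sorted(p.rsplit(":", 1)[1] for p in privileges if p.startswith("contact:read:"))
    second = {"contacts": [f"{g}-contacts" for g in grades]}
    first = gw.call_internal("profile", privileges)
    return {**second, **first}


def profile_handler(privileges: FrozenSet[str], gw: Gateway) -> Dict[str, object]:
    return {"profiles": len(privileges)}


def build_demo(now: float = 1_000.0) -> Gateway:
    """Wire up constructed sessions and instances with a fixed clock."""
    cache = CacheServer()
    cache.put("sess-ok", "user-42", {"grade": "member"}, ttl=3600, now=now)
    cache.put("sess-old", "user-7", {"grade": "member"}, ttl=-1, now=now)
    gw = Gateway(cache, clock=lambda: now)
    gw.register("contacts", Instance("contacts-A", contacts_handler))
    gw.register("profile", Instance("profile-A", profile_handler))
    return gw
```

Calling `build_demo().handle(Request("/contacts/list", "sess-ok"))` walks the whole path once; swapping in `"sess-old"` or `None` exercises the two rejection branches that happen before any instance is touched, which is the "protective layer" the text describes.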
Consistent with the above embodiments, refer to Fig. 5, which is a schematic structural diagram of a terminal provided by an embodiment of the present application. As shown, the terminal includes a processor, an input device, an output device and a memory, which are connected to one another. The memory is used to store a computer program, the computer program includes program instructions, and the processor is configured to call the program instructions; the program includes instructions for performing the following steps:
receiving an application service request for a target application service sent by a target user, the application service request carrying the record identification of the target user;
generating a query request according to the record identification, and sending the query request to a cache server;
receiving the query result sent by the cache server;
if the query result includes the identity information of the target user, determining the service privileges of the target user in the target application service according to the identity information;
sending the service privileges to the target application service;
receiving the target response result sent by the target application service, the target response result corresponding to the service privileges.
In this example, an application service request for a target application service sent by a target user is received, the request carrying the record identification of the target user; a query request is generated according to the record identification and sent to the cache server; the query result sent by the cache server is received; if the query result includes the identity information of the target user, the service privileges of the target user in the target application service are determined according to the identity information; the service privileges are sent to the target application service; and the target response result sent by the target application service is received, the target response result corresponding to the service privileges. Compared with existing solutions, in which each application service is provided with its own authentication mechanism, this solution can receive the application service request for the target application service sent by the target user, verify the target user first, and after successful verification obtain the target user's service privileges and respond according to them. Because the target application service is an arbitrary application service, this solution can authenticate multiple application services, which improves the efficiency of authentication to some extent.
The above mainly describes the solution of the embodiments of the present application from the perspective of the method-side execution process. It can be understood that, in order to realize the above functions, the terminal includes corresponding hardware structures and/or software modules for performing each function. Those skilled in the art should readily appreciate that the units and algorithm steps of each example described in connection with the embodiments disclosed herein can be implemented in hardware or in a combination of hardware and computer software. Whether a function is performed by hardware or by computer software driving hardware depends on the specific application and design constraints of the technical solution. A skilled person may use different methods to implement the described functions for each specific application, but such an implementation should not be regarded as going beyond the scope of the present application.
The embodiments of the present application may divide the terminal into functional units according to the above method examples; for example, each functional unit may correspond to one function, or two or more functions may be integrated in one processing unit. The integrated unit may be implemented in the form of hardware or in the form of a software functional unit. It should be noted that the division of units in the embodiments of the present application is schematic and is only a division by logical function; other division manners are possible in actual implementation.
Consistent with the above, refer to Fig. 6, which is a schematic structural diagram of an authentication device provided by an embodiment of the present application. The authentication device includes a first receiving unit 601, a generation unit 602, a second receiving unit 603, a determination unit 604, a transmission unit 605 and a third receiving unit 606, wherein:
the first receiving unit 601 is configured to receive an application service request for a target application service sent by a target user, the application service request carrying the record identification of the target user;
the generation unit 602 is configured to generate a query request according to the record identification and send the query request to a cache server;
the second receiving unit 603 is configured to receive the query result sent by the cache server;
the determination unit 604 is configured to, if the query result includes the identity information of the target user, determine the service privileges of the target user in the target application service according to the identity information;
the transmission unit 605 is configured to send the service privileges to the target application service;
the third receiving unit 606 is configured to receive the target response result sent by the target application service, the target response result corresponding to the service privileges.
In this example, an application service request for a target application service sent by a target user is received, the request carrying the record identification of the target user; a query request is generated according to the record identification and sent to the cache server; the query result sent by the cache server is received; if the query result includes the identity information of the target user, the service privileges of the target user in the target application service are determined according to the identity information; the service privileges are sent to the target application service; and the target response result sent by the target application service is received, the target response result corresponding to the service privileges. Compared with existing solutions, in which each application service is provided with its own authentication mechanism, this solution receives the application service request, verifies the target user first, and after successful verification obtains the target user's service privileges and responds according to them. Because the target application service is an arbitrary application service, this solution can authenticate multiple application services, which improves the efficiency of authentication to some extent.
Optionally, in determining the service privileges of the target user in the target application service according to the identity information, the determination unit 604 is configured to:
determine the privilege-template acquisition formula of the target user according to the identity information, using a preset method for generating privilege-template acquisition formulas;
generate a privilege acquisition template according to the privilege-template acquisition formula;
obtain the application identity of the target application service, and obtain multiple service privileges of the target application;
determine the service privileges of the target user in the target application service from the multiple service privileges, according to the application identity and the privilege acquisition template.
Optionally, the device is further configured to:
obtain session information from the application service request;
extract the record identification of the target user from the session information.
Optionally, the authentication device is further configured to:
obtain a first response result that the target application service obtained through a reference application service, the reference application service being an application service associated with the target application service;
determine the target response result from the first response result and a second response result, the second response result being the response result generated by the target application service.
Optionally, in sending the service privileges to the target application service, the transmission unit 605 is configured to:
send the service privileges to the target application service using a preset load-balancing method.
An embodiment of the present application further provides a computer storage medium, wherein the computer storage medium stores a computer program for electronic data exchange, and the computer program causes a computer to perform some or all of the steps of any authentication method described in the above method embodiments.
An embodiment of the present application further provides a computer program product, the computer program product including a non-transitory computer-readable storage medium storing a computer program, the computer program causing a computer to perform some or all of the steps of any authentication method described in the above method embodiments.
It should be noted that, for the sake of brevity, the foregoing method embodiments are described as a series of combined actions. Those skilled in the art should understand that the present application is not limited by the described order of actions, because according to the present application some steps may be performed in other orders or simultaneously. Secondly, those skilled in the art should also know that the embodiments described in the specification are all preferred embodiments, and the actions and modules involved are not necessarily required by the present application.
In the above embodiments, the description of each embodiment has its own emphasis; for parts not described in detail in one embodiment, refer to the related descriptions of the other embodiments.
In the several embodiments provided in the present application, it should be understood that the disclosed device may be implemented in other ways. For example, the device embodiments described above are merely illustrative; the division into units is only a division by logical function, and other divisions are possible in actual implementation. For instance, multiple units or components may be combined or integrated into another system, or some features may be omitted or not performed. Further, the mutual coupling, direct coupling or communication connection shown or discussed may be an indirect coupling or communication connection through some interfaces, devices or units, and may be electrical or of another form.
The units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units; they may be located in one place or distributed over multiple network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, the functional units in the embodiments of the present application may be integrated in one processing unit, or each unit may exist physically alone, or two or more units may be integrated in one unit. The integrated unit may be implemented in the form of hardware or in the form of a software program module.
If the integrated unit is implemented in the form of a software program module and sold or used as an independent product, it may be stored in a computer-readable memory. Based on this understanding, the technical solution of the present application, in essence or in the part that contributes to the prior art, or all or part of the technical solution, may be embodied in the form of a software product. The software product is stored in a memory and includes instructions for causing a computer device (which may be a personal computer, a server, a network device or the like) to perform all or part of the steps of the methods of the embodiments of the present application. The memory includes various media that can store program code, such as a USB flash disk, read-only memory (ROM), random access memory (RAM), removable hard disk, magnetic disk or optical disk.
Those of ordinary skill in the art will understand that all or part of the steps of the methods of the above embodiments may be completed by a program instructing the relevant hardware. The program may be stored in a computer-readable memory, which may include a flash disk, read-only memory, random access memory, magnetic disk, optical disk or the like.
The embodiments of the present application have been described in detail above. Specific examples have been used herein to explain the principles and implementations of the present application, and the description of the above embodiments is only intended to help understand the method of the present application and its core idea. At the same time, those skilled in the art may make changes in the specific implementations and application scope according to the idea of the present application. In summary, the contents of this specification should not be construed as limiting the present application.
Claims (10)
1. a kind of method for authenticating, which is characterized in that the described method includes:
The application service request for the target application service that target user sends is received, the application service request is taken the target and used
The record identification at family;
Inquiry request is generated according to the record identification, and the inquiry request is sent to cache server;
Receive the query result that the cache server is sent;
If including the identity information of the target user in the query result, according to the identity information, determine described
Service Privileges of the target user in target application service;
The Service Privileges are sent to the target application service;
The target response of the target application service transmission is received as a result, the target response result is opposite with the Service Privileges
It answers.
2. determining the target the method according to claim 1, wherein described according to the identity information
The Service Privileges in target application service of user, comprising:
According to the identity information, the generation method of formula is obtained using preset permission template, determines the target user
Permission template obtain formula;
Formula is obtained according to the permission template, generates authority acquiring template;
The application identities of the target application service are obtained, and obtain multiple Service Privileges of the target application;
According to the application identities and the authority acquiring template, the target user is determined from the multiple Service Privileges
Service Privileges in target application service.
3. the method according to claim 1, wherein the method also includes:
Session information is obtained from application service request;
The record identification of the target user is extracted from the session information.
4. method according to any one of claims 1 to 3, which is characterized in that the method also includes:
The first response results obtained by the target application service by reference to application service are obtained, it is described to refer to application service
For the associated application service of the target application service;
By first response results and the second response results, the target response is determined as a result, the second response knot
Fruit is the response results of the target application service creation.
5. method according to any one of claims 1 to 3, which is characterized in that described that the Service Privileges are sent to institute
State target application service, comprising:
Using preset load-balancing method, the Service Privileges are sent to the target application service.
6. a kind of authentication device, which is characterized in that described device include the first receiving unit, generation unit, the second receiving unit,
Determination unit, transmission unit and third receiving unit, wherein
First receiving unit, the application service request of the target application service for receiving target user's transmission are described to answer
The record identification of the target user is taken with service request;
The generation unit for generating inquiry request according to the record identification, and the inquiry request is sent to slow
Deposit server;
Second receiving unit, the query result sent for receiving the cache server;
The determination unit, if in the query result include the target user identity information, according to the body
Part information determines Service Privileges of the target user in target application service;
The transmission unit, for the Service Privileges to be sent to the target application service;
The third receiving unit, for receiving the target response of the target application service transmission as a result, the target response
As a result corresponding with the Service Privileges.
7. The device according to claim 6, characterized in that, in determining the service privileges of the target user in the target application service according to the identity information, the determination unit is configured to:
obtain the permission-template acquisition formula of the target user according to the identity information, using a preset generation method for permission-template acquisition formulas;
generate an authority-acquiring template according to the permission-template acquisition formula;
obtain the application identifier of the target application service, and obtain the multiple service privileges of the target application;
determine, from the multiple service privileges, the service privileges of the target user in the target application service according to the application identifier and the authority-acquiring template.
8. The device according to claim 6, characterized in that the authentication device is further configured to:
obtain session information from the application service request;
extract the record identifier of the target user from the session information.
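An added example, not the patent's own code, modelling the device of claims 6-8 in Python: the cache lookup by record identifier (claim 6), the template-based privilege determination (claim 7) and the session extraction (claim 8). The cache contents, the privilege catalogue, the `role@dept` template formula and the deny-on-cache-miss behaviour are assumptions made for the example.

```python
from typing import Optional

# Constructed cache (stands in for the cache server of claim 6):
# record identifier -> identity information of the user.
CACHE = {"rec-1001": {"user_id": "alice", "role": "auditor", "dept": "finance"}}

# Constructed privilege catalogue of a target application (claim 7), keyed by
# application identifier; "role@*" in a template means any department.
SERVICE_PRIVILEGES = {
    "app-ledger": [
        {"name": "ledger:read", "template": "auditor@finance"},
        {"name": "ledger:write", "template": "clerk@finance"},
        {"name": "ledger:audit", "template": "auditor@*"},
    ],
}

def extract_record_id(request: dict) -> Optional[str]:
    """Claim 8: pull the record identifier from the session information."""
    session = request.get("session") or {}
    return session.get("record_id")

def query_cache(record_id: str) -> dict:
    """Claim 6: inquiry by record identifier; identity present only on a hit."""
    hit = CACHE.get(record_id)
    return {"identity": hit} if hit else {}

def acquiring_template(identity: dict) -> str:
    """Claim 7: preset template formula, assumed here to be 'role@dept'."""
    return f"{identity['role']}@{identity['dept']}"

def template_matches(granted: str, wanted: str) -> bool:
    (g_role, g_dept), (w_role, w_dept) = granted.split("@"), wanted.split("@")
    return g_role == w_role and g_dept in ("*", w_dept)

def determine_privileges(app_id: str, template: str) -> list:
    """Claim 7: select the application's privileges matching the template."""
    return sorted(p["name"] for p in SERVICE_PRIVILEGES.get(app_id, [])
                  if template_matches(p["template"], template))

def authenticate(request: dict) -> Optional[list]:
    """Claim 6 end to end: privileges to forward to the target application
    service, or None on a missing identifier or cache miss (deny-on-miss is an
    assumption; the claim only covers the hit branch)."""
    record_id = extract_record_id(request)
    if record_id is None:
        return None
    result = query_cache(record_id)
    if "identity" not in result:
        return None
    return determine_privileges(request["app_id"], acquiring_template(result["identity"]))
```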
9. A terminal, characterized in that it comprises a processor, an input device, an output device and a memory, the processor, input device, output device and memory being connected to each other, wherein the memory is configured to store a computer program, the computer program comprises program instructions, and the processor is configured to call the program instructions to execute the method according to any one of claims 1-5.
10. A computer-readable storage medium, characterized in that the computer storage medium stores a computer program, the computer program comprises program instructions, and the program instructions, when executed by a processor, cause the processor to execute the method according to any one of claims 1-5.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201811615602.2A CN109829271B (en) | 2018-12-27 | 2018-12-27 | Authentication method and related product |
Publications (2)
Publication Number | Publication Date |
---|---|
CN109829271A true CN109829271A (en) | 2019-05-31 |
CN109829271B CN109829271B (en) | 2021-07-20 |
Family
ID=66860581
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||