CN109829271A - Method for authenticating and Related product - Google Patents


Info

Publication number: CN109829271A
Authority: CN (China)
Prior art keywords: service, target, application service, privileges, target application
Prior art date
Legal status: Granted (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Application number: CN201811615602.2A
Other languages: Chinese (zh)
Other versions: CN109829271B (en)
Inventors: 李春林, 蓝深, 邓裕琳, 梁志锋, 钟斌
Current Assignee: Shenzhen Intellifusion Technologies Co Ltd (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Original Assignee: Shenzhen Intellifusion Technologies Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Events:
  • Application filed by Shenzhen Intellifusion Technologies Co Ltd
  • Priority to CN201811615602.2A
  • Publication of CN109829271A
  • Application granted
  • Publication of CN109829271B
  • Active legal status
  • Anticipated expiration

Landscapes

  • Storage Device Security (AREA)

Abstract

The embodiments of the present application provide an authentication method and related product. The method includes: receiving an application service request, sent by a target user, for a target application service, the application service request carrying a record identifier of the target user; generating a query request according to the record identifier and sending the query request to a cache server; receiving the query result sent by the cache server; if the query result includes identity information of the target user, determining, according to the identity information, the service privileges of the target user in the target application service; sending the service privileges to the target application service; and receiving a target response result sent by the target application service, the target response result corresponding to the service privileges. The efficiency of authentication can therefore be improved.

Description

Method for authenticating and Related product
Technical field
This application relates to the technical field of data security, and in particular to an authentication method and related product.
Background art
With the continuous development of the internet, internet-based application service systems have also developed rapidly. The service systems of the various application systems are growing ever larger, and the number of application services within a service system is also increasing sharply. At present, the usual way of coping with network attacks is to provide each application service with its own separate authorization mechanism. When authorization mechanisms are provided separately, one has to be configured in every application service; therefore, whenever an authentication problem is encountered, the authorization mechanism of every application service has to be reconfigured, which makes the system less efficient at authentication.
Summary of the invention
The embodiments of the present application provide an authentication method and related product, which can improve the efficiency of authentication.
A first aspect of the embodiments of the present application provides an authentication method, the method comprising:
receiving an application service request, sent by a target user, for a target application service, the application service request carrying a record identifier of the target user;
generating a query request according to the record identifier, and sending the query request to a cache server;
receiving a query result sent by the cache server;
if the query result includes identity information of the target user, determining, according to the identity information, service privileges of the target user in the target application service;
sending the service privileges to the target application service;
receiving a target response result sent by the target application service, the target response result corresponding to the service privileges.
With reference to the first aspect of the embodiments of the present application, in a first possible implementation of the first aspect, the determining, according to the identity information, the service privileges of the target user in the target application service comprises:
according to the identity information, using a preset generation method for a permission template acquisition formula, determining the permission template acquisition formula of the target user;
generating a permission acquisition template according to the permission template acquisition formula;
obtaining an application identifier of the target application, and obtaining multiple service privileges of the target application;
according to the application identifier and the permission acquisition template, determining the service privileges of the target user in the target application from among the multiple service privileges.
With reference to the first aspect of the embodiments of the present application and the first possible implementation of the first aspect, in a second possible implementation of the first aspect, the method further comprises:
obtaining a first response result, obtained by the target application service through a reference application service, the reference application service being an application service associated with the target application service;
determining the target response result from the first response result and a second response result, the second response result being a response result generated by the target application service.
A second aspect of the embodiments of the present application provides an authentication device, the device comprising a first receiving unit, a generation unit, a second receiving unit, a determination unit, a sending unit and a third receiving unit, wherein
the first receiving unit is configured to receive an application service request, sent by a target user, for a target application service, the application service request carrying a record identifier of the target user;
the generation unit is configured to generate a query request according to the record identifier and send the query request to a cache server;
the second receiving unit is configured to receive a query result sent by the cache server;
the determination unit is configured to, if the query result includes identity information of the target user, determine, according to the identity information, service privileges of the target user in the target application service;
the sending unit is configured to send the service privileges to the target application service;
the third receiving unit is configured to receive a target response result sent by the target application service, the target response result corresponding to the service privileges.
With reference to the second aspect of the embodiments of the present application, in a first possible implementation of the second aspect, in determining, according to the identity information, the service privileges of the target user in the target application service, the determination unit is configured to:
according to the identity information, using a preset generation method for a permission template acquisition formula, determine the permission template acquisition formula of the target user;
generate a permission acquisition template according to the permission template acquisition formula;
obtain an application identifier of the target application, and obtain multiple service privileges of the target application;
according to the application identifier and the permission acquisition template, determine the service privileges of the target user in the target application from among the multiple service privileges.
With reference to the second aspect of the embodiments of the present application and the first possible implementation of the second aspect, in a second possible implementation of the second aspect, the device is further configured to:
obtain a first response result, obtained by the target application service through a reference application service, the reference application service being an application service associated with the target application service;
determine the target response result from the first response result and a second response result, the second response result being a response result generated by the target application service.
A third aspect of the embodiments of the present application provides a terminal, comprising a processor, an input device, an output device and a memory, the processor, input device, output device and memory being connected to one another, wherein the memory is configured to store a computer program, the computer program comprising program instructions, and the processor is configured to call the program instructions to execute the step instructions of the first aspect of the embodiments of the present application.
A fourth aspect of the embodiments of the present application provides a computer-readable storage medium, wherein the computer-readable storage medium stores a computer program for electronic data interchange, and the computer program causes a computer to execute some or all of the steps described in the first aspect of the embodiments of the present application.
A fifth aspect of the embodiments of the present application provides a computer program product, wherein the computer program product comprises a non-transitory computer-readable storage medium storing a computer program, and the computer program is operable to cause a computer to execute some or all of the steps described in the first aspect of the embodiments of the present application. The computer program product may be a software installation package.
Implementing the embodiments of the present application has at least the following beneficial effects:
According to the embodiments of the present application, an application service request, sent by a target user, for a target application service is received, the application service request carrying a record identifier of the target user; a query request is generated according to the record identifier and sent to a cache server; a query result sent by the cache server is received; if the query result includes identity information of the target user, the service privileges of the target user in the target application service are determined according to the identity information; the service privileges are sent to the target application service; and a target response result sent by the target application service is received, the target response result corresponding to the service privileges. Therefore, compared with the existing scheme, in which an authorization mechanism is provided separately for each application service, the present scheme can receive the application service request of a target user for a target application service, first verify the target user, obtain the service privileges of the target user after successful verification, and respond according to those service privileges. Since the target application service can be any application service, the present scheme can authenticate for multiple application services, and can thereby improve the efficiency of authentication to a certain extent.
Detailed description of the invention
In order to explain the technical solutions in the embodiments of the present application or in the prior art more clearly, the drawings needed for describing the embodiments or the prior art are briefly introduced below. Clearly, the drawings in the following description are only some embodiments of the present application, and those of ordinary skill in the art could obtain other drawings based on these drawings without creative effort.
Fig. 1 is a schematic diagram of a universal retrieval system provided by an embodiment of the present application;
Fig. 2A is a flow diagram of an authentication method provided by an embodiment of the present application;
Fig. 2B is a schematic diagram of another authentication method provided by an embodiment of the present application;
Fig. 3 is a flow diagram of another authentication method provided by an embodiment of the present application;
Fig. 4 is a flow diagram of another authentication method provided by an embodiment of the present application;
Fig. 5 is a structural schematic diagram of a terminal provided by an embodiment of the present application;
Fig. 6 is a structural schematic diagram of an authentication device provided by an embodiment of the present application.
Specific embodiment
The technical solutions in the embodiments of the present application are described clearly and completely below with reference to the drawings in the embodiments of the present application. Clearly, the described embodiments are only some, not all, of the embodiments of the present application. All other embodiments obtained by those of ordinary skill in the art based on the embodiments of the present application without creative effort shall fall within the scope of protection of this application.
The terms "first", "second" and so on in the description, the claims and the above drawings of this application are used to distinguish different objects, not to describe a particular order. In addition, the terms "comprising" and "having", and any variations of them, are intended to cover a non-exclusive inclusion. For example, a process, method, system, product or device that comprises a series of steps or units is not limited to the listed steps or units, but may optionally also comprise steps or units that are not listed, or may optionally also comprise other steps or units inherent to the process, method, product or device.
Reference in this application to an "embodiment" means that a particular feature, structure or characteristic described in connection with the embodiment may be included in at least one embodiment of the present application. The appearances of this phrase in various places in the description do not necessarily all refer to the same embodiment, nor to independent or alternative embodiments that are mutually exclusive with other embodiments. Those skilled in the art understand, explicitly and implicitly, that the embodiments described herein may be combined with other embodiments.
The electronic device involved in the embodiments of the present application may include various handheld devices with wireless communication functions, in-vehicle devices, wearable devices, computing devices, or other processing devices connected to a wireless modem, as well as various forms of user equipment (UE), mobile stations (MS), terminal devices and so on. For convenience of description, the devices mentioned above are collectively referred to as electronic devices.
To better understand the embodiments of the present application, the universal retrieval system of an authentication method provided by the embodiments of the present application is briefly introduced first. As shown in Fig. 1, the universal retrieval system 101 receives an application service request, sent by a target user, for a target application service; the application service request carries the record identifier of the target user. The universal retrieval system 101 obtains the record identifier of the target user from the application service request. The record identifier can be understood as an identification number that the system assigns to the target user after the target user registers. The universal retrieval system 101 generates a query request according to the record identifier and sends the query request to the cache server 102. The cache server 102 performs a lookup according to the record identifier in the query request and obtains a query result, which can be identity information or a null value, and sends the query result to the universal retrieval system 101. If the universal retrieval system 101 determines that the query result includes identity information, it determines, according to the identity information, the service privileges of the target user in the target application service, and sends the service privileges to the target application service. The target application service can be any one or more of application service A, application service B, application service C or application service D. The target application service determines a target response result according to the service privileges and sends the target response result to the universal retrieval system 101, which receives the target response result sent by the target application service; the target response result corresponds to the service privileges. The application services here are given by way of example only: besides application service A, application service B, application service C and application service D there can also be other application services. Therefore, compared with the existing scheme, in which an authorization mechanism is provided separately for each application service, the present scheme can receive the application service request of a target user for a target application service, first verify the target user, obtain the service privileges of the target user after successful verification, and respond according to those service privileges. Since the target application service is any application service, the present scheme can authenticate for multiple application services, and can thereby improve the efficiency of authentication to a certain extent.
Optionally, the universal retrieval system is applied to a gateway.
Please refer to Fig. 2A, which is a flow diagram of an authentication method provided by an embodiment of the present application. As shown in Fig. 2A, the authentication method comprises steps 201-206, specifically as follows:
201. Receive an application service request, sent by a target user, for a target application service, the application service request carrying the record identifier of the target user.
Optionally, the target user may be any user who needs to make a service request, and the target user may send the application service request to the universal retrieval system through an electronic device. In order to improve the security of communication between the target user and the universal retrieval center, a secure communication channel may be established before the target user sends the application service request to the universal retrieval system through the electronic device. One possible method of establishing the secure communication channel involves the universal retrieval center, the electronic device and a proxy device, the proxy device being a trusted third-party device, and specifically comprises the following steps:
S1, initialization: the initialization phase mainly completes the registration of the universal retrieval center and the electronic device with the proxy device, the subscription of topics, and the generation of system parameters. The universal retrieval center and the electronic device register with the proxy device; only a registered universal retrieval center and electronic device can take part in the publication and subscription of topics, and the electronic device subscribes to the relevant topics with the proxy device. The proxy device generates the system public parameters (PK) and a master key (MSK), and sends PK to the registered universal retrieval center and electronic device.
S2, encryption and publication: in the encryption and publication phase the universal retrieval center mainly encrypts the payload corresponding to the topic to be published and sends it to the proxy device. The universal retrieval center first encrypts the payload with a symmetric encryption algorithm to produce a ciphertext (CT), then formulates an access structure and encrypts the symmetric key using PK and the access structure, and finally sends the encrypted key and the encrypted payload to the proxy device. After receiving the encrypted key and CT sent by the universal retrieval center, the proxy device filters them and forwards them to the electronic device.
Optionally, the access structure is an access tree structure. Each non-leaf node x of the access tree is a threshold gate, denoted K_x, with 0 ≤ K_x ≤ num(x), where num(x) denotes the number of children of x. When K_x = num(x), the non-leaf node represents an AND gate; when K_x = 1, it represents an OR gate. Each leaf node of the access tree represents an attribute. An attribute set satisfying an access tree structure can be defined as follows: let T be the access tree with root node r, and T_x the subtree of T rooted at node x. If T_x(S) = 1, the attribute set S is said to satisfy the access structure T_x. If node x is a leaf node, then T_x(S) = 1 if and only if the attribute att(x) associated with leaf node x is an element of the attribute set S. If node x is a non-leaf node, then T_x(S) = 1 when at least K_x child nodes z satisfy T_z(S) = 1.
S3, private key generation: in the private key generation phase the proxy device mainly generates the corresponding key for the electronic device, for decrypting the CT received afterwards. The electronic device provides an attribute set A_i to the proxy device (the attributes may be information such as the features and role of the subscriber end); the proxy device generates a private key SK according to PK, the attribute set A_i and the master key MSK, and then sends the generated private key to the electronic device.
Optionally, the attribute set A_i is a subset of the global set U = {A_1, A_2, ..., A_n}. The attribute set A_i denotes the attribute information of electronic device i (the i-th electronic device), which may be the features, role and so on of the electronic device and is a default attribute of the electronic device; the global set U denotes the set of attribute information of all electronic devices.
S4, decryption: the decryption phase is mainly the process by which the electronic device decrypts the encrypted payload to extract the plaintext. After receiving the encrypted key and CT sent by the proxy device, the electronic device decrypts the encrypted key according to PK and SK to obtain the symmetric key. If its attribute set A_i satisfies the access structure of the ciphertext, it can successfully decrypt the ciphertext; the security of the communication process is ensured in this way.
By constructing a secure communication channel, the security of communication between the electronic device and the universal retrieval center can be guaranteed to a certain extent, reducing the possibility that data transmitted between a legitimate electronic device and the universal retrieval center is stolen by an illegitimate electronic device, and also reducing the occurrence of cases in which an illegitimate electronic device intrudes into the system or tampers with the system so that important data in the system is stolen.
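The access tree of S2 is what decides, in S4, whether a device's attribute set A_i can recover the symmetric key. The following is an added example, not code from the patent or from the assignee, that implements exactly that satisfaction check T_x(S) with the threshold-gate semantics defined above (K_x = num(x) is AND, K_x = 1 is OR, anything between is a K-of-num(x) gate) and validates A_i against the global set U before it would be used to derive SK. It does not implement the pairing-based encryption itself; the global set U, the attribute names and the policy are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import FrozenSet, Iterable, List, Optional


@dataclass
class Node:
    """One node of an access tree. A leaf carries the attribute att(x); a non-leaf
    node carries the threshold K_x over its children."""
    attribute: Optional[str] = None
    threshold: int = 0
    children: List["Node"] = field(default_factory=list)

    def is_leaf(self) -> bool:
        return not self.children


def leaf(attribute: str) -> Node:
    return Node(attribute=attribute)


def gate(k: int, *children: Node) -> Node:
    """Threshold gate; K_x outside 1..num(x) could never be satisfied or would
    always be, so it is rejected when the policy is built."""
    if not 1 <= k <= len(children):
        raise ValueError(f"threshold {k} is not in 1..{len(children)}")
    return Node(threshold=k, children=list(children))


def AND(*children: Node) -> Node:
    return gate(len(children), *children)   # K_x = num(x)


def OR(*children: Node) -> Node:
    return gate(1, *children)               # K_x = 1


def satisfies(x: Node, s: FrozenSet[str]) -> bool:
    """T_x(S): a leaf is satisfied iff att(x) is in S; a non-leaf node is
    satisfied iff at least K_x of its children z have T_z(S) = 1."""
    if x.is_leaf():
        return x.attribute in s
    satisfied_children = sum(1 for z in x.children if satisfies(z, s))
    return satisfied_children >= x.threshold


# Constructed global attribute set U (assumption: attribute strings of the form kind:value).
U: FrozenSet[str] = frozenset({
    "role:camera", "role:analyst", "site:shenzhen", "site:guangzhou",
    "dept:ops", "clearance:2",
})


def attribute_set(attributes: Iterable[str]) -> FrozenSet[str]:
    """A_i handed to the proxy device at key generation (S3) must be a subset of U."""
    a_i = frozenset(attributes)
    unknown = a_i - U
    if unknown:
        raise ValueError(f"attributes not in global set U: {sorted(unknown)}")
    return a_i


# Constructed policy for a published topic (the access structure of S2):
# (role:camera AND site:shenzhen) OR at least 2 of {role:analyst, dept:ops, clearance:2}
POLICY = OR(
    AND(leaf("role:camera"), leaf("site:shenzhen")),
    gate(2, leaf("role:analyst"), leaf("dept:ops"), leaf("clearance:2")),
)


def can_decrypt(attributes: Iterable[str], policy: Node = POLICY) -> bool:
    """Mirror of the S4 check: the symmetric key is recovered only when the
    device's attribute set A_i satisfies the access structure of the ciphertext."""
    return satisfies(policy, attribute_set(attributes))


if __name__ == "__main__":
    for attrs in (["role:camera", "site:shenzhen"], ["role:camera", "site:guangzhou"],
                  ["role:analyst", "clearance:2"], ["dept:ops"]):
        print(attrs, "->", can_decrypt(attrs))
```

The check is purely structural, which is the point of the design: the proxy device never has to evaluate a policy per subscriber at run time, since the same tree is baked into the ciphertext and only a key derived from a satisfying A_i can open it.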
Optionally, the record identifier of the target user is stored in a payload field of the application service request.
Optionally, one possible method of obtaining the record identifier comprises steps A1-A2, specifically as follows:
A1, obtain session information from the application service request;
Here, the session information can be understood as the necessary information, for example an identity identifier, that records the current session between the electronic device and the universal retrieval center.
A2, extract the record identifier of the target user from the session information.
Here, the record identifier is extracted from the field of the session information that stores the record identifier.
Optionally, another method of obtaining the record identifier is to extract the record identifier from the payload field of the application service request. When extracting the record identifier, extraction may start from the first field or from the last field. Extracting from the first field can be understood as starting from the address corresponding to the first field that stores the record identifier and extracting the record identifier; extracting from the last field can be understood as starting from the address corresponding to the last field that stores the record identifier and extracting the record identifier.
202. Generate a query request according to the record identifier, and send the query request to the cache server.
Here, the cache server stores a mapping relationship between record identifiers and the identity information of users; the mapping relationship is stored when a user registers or when a (system) user is created. For example, when the target user successfully registers, a record identifier uniquely corresponding to that user is assigned to the target user, and the record identifier is stored in association with the identity information of the user, yielding the mapping relationship.
Optionally, the record identifier may also have an update method. One possible update method for the record identifier is as follows: after each user login, the record identifier of the user is updated, the updated record identifier is stored in association with the identity information of the user, and the original record identifier is overwritten with the updated record identifier. Updating the record identifier in this way dynamically changes the user's record identifier and copes with the case in which the user's record identifier is stolen, which can improve the security of the system.
Optionally, after the cache server receives the query request, it performs a lookup in the database by the record identifier. The query result may be identity information or a null value. When the query result is identity information, the request can be judged a legitimate request; when the query result is a null value, the request can be judged an illegitimate request, and the cache server can directly refuse the request.
203. Receive the query result sent by the cache server.
Optionally, the query result sent by the cache server may be received through a secure communication channel between the universal retrieval center and the cache server; the secure communication channel may be established in the manner of establishing a secure communication channel described in step 201.
204. If the query result includes the identity information of the target user, determine, according to the identity information, the service privileges of the target user in the target application service.
Optionally, one possible method of determining the service privileges according to the identity information may comprise steps B1-B4, specifically as follows:
B1, according to the identity information, determine the permission template acquisition formula of the target user using a preset generation method for the permission template acquisition formula;
Optionally, the preset generation method for the permission template acquisition formula may be obtained by querying a database according to the identity information to obtain multiple generation methods corresponding to the identity information; determining, according to the service address of the target application service, the generation method of the permission template acquisition formula of the target user; and determining the permission template acquisition formula of the target user according to that generation method.
Here, the target user may access multiple application services and have different generation methods for different applications; the database can then be queried to first obtain multiple generation methods, and the generation method of the permission template acquisition formula corresponding to the target application service is selected according to its service address. Optionally, a generation method may be generated by a neural network model, or may be configured by a system administrator. The neural network model may be obtained by training; training the neural network model may include forward training and reverse training. The neural network model may include N layers of neural network; during training, sample data may be input to the first layer of the N-layer neural network, a first operation result is obtained after the first layer performs a forward operation, the first operation result is then input to the second layer for a forward operation to obtain a second result, and so on until the (N-1)th result is input to the Nth layer for a forward operation to obtain the Nth operation result; reverse training is then executed on the Nth operation result, and forward training and reverse training are repeated in this way until training of the neural network model is complete. N is a positive integer, and the sample data are service addresses and generation methods. For a generation method configured by a system administrator, the system administrator configures it using a preset configuration template, which is stored in advance in the system.
B2, generate a permission acquisition template according to the permission template acquisition formula;
Optionally, one possible permission template acquisition formula may be: f = a.b("d"), where f is the service privilege, a is the identifier of the permission template acquisition formula, b is the operating platform and d is the application identifier. The operating platform can be understood as the operating platform of the application service.
Optionally, the template acquisition formula is standardized to obtain the permission acquisition template. Standardization can be understood as converting the formula into the corresponding permission acquisition template for the user, fixing the values of its parameters and obtaining the value range of each parameter. Taking the application identifier as an example, the value range of the application identifier is the application identifiers of all application services with which the target user is registered.
B3, obtain the application identifier of the target application service, and obtain multiple service privileges of the target application;
Here, all service privileges of the target application are stored in the database; the multiple service privileges of the target application can be obtained directly from the database, that is, all privileges possessed by the target application are obtained.
B4, according to the application identifier and the permission acquisition template, determine the service privileges of the target user in the target application from among the multiple service privileges.
Here, the application identifier is input to the permission acquisition template, and the execution code corresponding to the permission acquisition template is executed, thereby determining the service privileges of the target user in the target application service.
Optionally, another method of determining the service privileges may be: according to a preset mapping relationship between identity information and permission levels, determine the permission level corresponding to the identity grade of the target user, and obtain the service privileges of the target user according to the service privileges corresponding to that permission level. The preset mapping relationship between identity information and permission levels may be obtained by training a neural network model; one possible training process may refer to the training method of the neural network model described above.
Here, the higher the permission level, the more privileges the user can obtain. The permission levels may be, for example, a first permission level, a second permission level, a third permission level and a fourth permission level, increasing from the first permission level to the fourth; the first permission level may include A service privileges, the second permission level B service privileges, the third permission level C service privileges and the fourth permission level D service privileges, where A, B, C and D are positive integers and D is greater than C, C is greater than B, and B is greater than A.
205, sending the service privileges to the target application service.
Optionally, a preset load balancing method can be used to send the service privileges to the target application service.
Here, load balancing is the general name for all scheduling algorithms and can be implemented in a customized manner. By default, a client-side load balancing scheduling algorithm is provided, the core of which is a weighted round-robin mechanism. The weight, also referred to as the polling probability, is proportional to the access ratio and is used to account for differences in back-end server performance.
First, weights are marked according to server performance: the better the performance, the higher the weight value, and the lower the performance, the lower the weight value. If the weight is identified by "weight", a weight may be expressed as weight=10.
Second, each time the gateway needs to route to an instance, it continuously polls the list of all servers and selects those currently in the idle state.
Finally, from all the servers in the idle state, the server with the highest weight is selected as the object to be called; the target application service on that server is requested by routing, and the service privileges are sent to the target application service.
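The three routing steps above, as an added example that is not the patent's own code: poll the full server list, keep the idle instances, and hand the request (with the gateway's service privileges) to the idle instance with the highest weight. Server names, weights and the round-robin tie-break among equal weights are assumptions for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Server:
    name: str
    weight: int         # marked from the server's performance; higher is better
    busy: bool = False  # False means the instance is in the idle state
    served: int = 0     # how often this instance was chosen (round-robin tie-break)


class WeightedIdleBalancer:
    """Picks, among the instances currently idle, the one with the highest
    weight; equal weights rotate in round-robin order so the access ratio
    follows the weights instead of always hitting the first instance."""

    def __init__(self, servers: List[Server]):
        if not servers or any(s.weight <= 0 for s in servers):
            raise ValueError("need at least one server with a positive weight")
        self._servers = servers

    def idle_servers(self) -> List[Server]:
        # Poll the complete list on every routing decision; state may have changed.
        return [s for s in self._servers if not s.busy]

    def pick(self) -> Optional[Server]:
        idle = self.idle_servers()
        if not idle:
            return None  # nothing idle: the caller queues or rejects the request
        top = max(s.weight for s in idle)
        candidates = [s for s in idle if s.weight == top]
        return min(candidates, key=lambda s: s.served)  # least often chosen wins ties

    def route(self, privileges: List[str]) -> Optional[Dict[str, object]]:
        """Route one request: mark the chosen instance busy and hand it the
        service privileges that the gateway determined for the user."""
        target = self.pick()
        if target is None:
            return None
        target.busy = True
        target.served += 1
        return {"server": target.name, "service_privileges": list(privileges)}

    def release(self, name: str) -> None:
        """Called once the instance has returned its response result."""
        for s in self._servers:
            if s.name == name:
                s.busy = False
```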
Optionally, the service privileges instruct the application service to perform the service operations corresponding to those service privileges. For example, if the target application service is a service for obtaining contact information, the service privileges may include obtaining first-grade contact information, second-grade contact information, third-grade contact information, fourth-grade contact information, and so on, where the importance level increases from the first grade to the fourth grade. Importance level can be understood as follows: the higher the importance level, the higher the user grade, and the lower the user grade, the lower the importance level. Users can be divided into ordinary users, super users, member users, gold member users, etc., with user grades increasing in that order, each user type corresponding to one user grade. When the service privilege is to obtain first-grade contact information, the target application service queries all first-grade contact information and stores the query result.
Optionally, after the target application service receives the service privileges, it may call other application services while performing the service operations corresponding to the service privileges. One possible method then includes steps C1-C2, as follows:
C1, obtaining a first response result that the target application service obtains through a reference application service, the reference application service being an application service associated with the target application service;
Here, when the target application service needs to call the reference application service, it sends a call request to the reference application service. The call request carries call information related to this call, and the call information may be the service privileges. Associated application services can be understood as two application services that are able to call each other. The reference application service performs the service operations corresponding to the service privileges it receives and obtains the first response result.
C2, determining the target response result from the first response result and a second response result, the second response result being a response result generated by the target application service.
Optionally, the second response result is the response result obtained after the target application service performs the service operations corresponding to the service privileges. The second response result may include multiple response parameters. The first response result may serve as input data for the target application service, and after the corresponding data processing is performed, part of the response parameters in the second response result are obtained; in that case, the second response result is taken as the target response result. Alternatively, the first response result may be an independent response result with no data processing relationship to the target application service; in that case, when determining the target response result, both the first response result and the second response result can be taken as the target response result.
In this example, different application services can call each other directly without performing mutual authentication operations, which can to some extent improve the efficiency of calls between services and reduce the overhead of mutual calls.
206, receiving the target response result sent by the target application service, the target response result corresponding to the service privileges.
Please refer to Fig. 2B, which is a schematic diagram of another authentication method provided by an embodiment of the present application. As shown in Fig. 2B, the user first initiates a request, and the unified authentication system intercepts the request according to the routing information in the request. After successful interception, the session information is taken out of the request and the cache server verifies whether the session information is valid. If it is invalid, the request is rejected; if it is valid, the identity information is returned and the service privileges are determined according to the identity information. Through the load balancing of the unified authentication system, the service privileges are sent to the corresponding service instance, the service instance obtains a response result according to the session information, and the response result is fed back to the target user through the unified authentication system. The service instances include service instance A, service instance B, service instance C and service instance D, and no authentication or similar verification process is needed when the service instances call each other internally. That is, the unified authentication system forms a security barrier between the user and the service applications, thereby improving the security of the service applications.
Optionally, one operation may require the support of 1 to N services, but authentication processing is not needed in each of the 1 to N services. The core of the authentication mechanism of the invention is to isolate the contact between all operation behaviors and the applications that provide the services, forming a protective layer: a user request undergoes authentication processing before it reaches the first service instance, and only after passing authentication can it be connected in turn to the 1st, 2nd, ..., Nth service instances.
Optionally, the unified authentication system further includes:
(1) Service hiding: all service instances and the interface services they provide are hidden from the outside; only routing map information is exposed.
(2) All external requests for services must pass through the gateway system; no capability of directly requesting a service is provided. This step removes the complicated authentication processing that would otherwise be needed because of direct external requests to internal services, directly enhancing the security capability of internal services.
(3) The unified authentication capability provided by the unified authentication mechanism of the gateway system means that mutual calls between all internal services no longer need to be authenticated.
In this example, the unified authentication system intercepts the request according to the routing information in the request. After successful interception, the session information is taken out of the request and the cache server verifies whether the session information is valid. If it is invalid, the request is rejected; if it is valid, the identity information is returned and the service privileges are determined according to the identity information. Through the load balancing of the unified authentication system, the service privileges are sent to the corresponding service instance, the service instance obtains a response result according to the session information, and the response result is fed back to the target user through the unified authentication system. In this solution, the application service request for the target application service sent by the target user can be received, the target user is verified first, and after successful verification the service privileges of the target user are obtained and a response is made according to those service privileges. Since the target application service is an arbitrary application service, this solution can authenticate multiple application services, thereby improving the efficiency of authentication to some extent.
Please refer to Fig. 3, which is a flow diagram of another authentication method provided by an embodiment of the present application. As shown in Fig. 3, the authentication method may include steps 301-310, as follows:
301, receiving an application service request for a target application service sent by a target user, the application service request carrying a record identifier of the target user;
302, obtaining the record identifier of the target user from the application service request;
303, generating a query request according to the record identifier, and sending the query request to a cache server;
304, receiving the query result sent by the cache server;
305, if the query result includes the identity information of the target user, determining the permission template acquisition formula of the target user according to the identity information, using a preset generation method for permission template acquisition formulas;
306, generating a permission acquisition template according to the permission template acquisition formula;
307, obtaining the application identifier of the target application service, and obtaining multiple service privileges of the target application;
308, determining, according to the application identifier and the permission acquisition template, the service privileges of the target user in the target application service from the multiple service privileges;
309, sending the service privileges to the target application service;
310, receiving the target response result sent by the target application service, the target response result corresponding to the service privileges.
In this example, the permission template acquisition formula of the target user is determined from the identity information of the target user, the permission acquisition template is determined from that formula, and the permissions of the target user are obtained through the permission acquisition template. When the target application service has many service privileges, determining the service privileges through a permission template can to some extent improve the efficiency of obtaining service privileges.
Please refer to Fig. 4, which is a flow diagram of another authentication method provided by an embodiment of the present application. As shown in Fig. 4, the authentication method may include steps 401-408, as follows:
401, receiving an application service request for a target application service sent by a target user, the application service request carrying a record identifier of the target user;
402, obtaining session information from the application service request;
403, extracting the record identifier of the target user from the session information;
404, generating a query request according to the record identifier, and sending the query request to a cache server;
405, receiving the query result sent by the cache server;
406, if the query result includes the identity information of the target user, determining the service privileges of the target user in the target application service according to the identity information;
407, sending the service privileges to the target application service;
408, receiving the target response result sent by the target application service, the target response result corresponding to the service privileges.
In this example, the target service application is authenticated by extracting the record identifier from the session information and authenticating through the record identifier. Since the target application service refers to any application service, this solution can perform unified authentication for multiple application services. In existing solutions, when service requests are made to different application services, each application service has to authenticate on its own, which leads to inconsistent authentication and reduces security; this solution performs unified authentication and can therefore improve the security of the system to some extent.
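The gateway flow of steps 401-408, with step 406 carried out through the permission template steps B2-B4 and the grade-to-level mapping described earlier, as an added example that is not the patent's own code: the session record identifier is looked up in a cache with expiry, the formula f=a.b("d") is standardized into a template, the privileges are selected by permission level, and only then are they handed to a service instance that does no authentication of its own. The cache contents, grade names, the platform name in the formula and the rule that level k grants the first k grades of an application's privilege list are assumptions for the example.

```python
import re
import time
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List, Optional


class CacheServer:
    """record identifier -> identity information with an expiry time."""

    def __init__(self, now: Callable[[], float] = time.time):
        self._now = now
        self._entries: Dict[str, tuple] = {}

    def put(self, record_id: str, identity: dict, ttl_seconds: float) -> None:
        self._entries[record_id] = (identity, self._now() + ttl_seconds)

    def query(self, record_id: str) -> Optional[dict]:
        # A miss or an expired entry is answered as 'no identity': the request is rejected.
        hit = self._entries.get(record_id)
        if hit is None or hit[1] <= self._now():
            self._entries.pop(record_id, None)  # evict stale sessions
            return None
        return hit[0]


# Formula shape f=a.b("d"): a = formula identifier, b = operation platform,
# d = application identifier.  Only identifier characters are accepted.
FORMULA_RE = re.compile(r'^f=(?P<a>[A-Za-z_]\w*)\.(?P<b>[A-Za-z_]\w*)\("(?P<d>[A-Za-z_]\w*)"\)$')


@dataclass(frozen=True)
class PermissionTemplate:
    formula_id: str            # a, fixed by standardization
    platform: str              # b, fixed by standardization
    app_range: FrozenSet[str]  # value range of d: the user's registered applications

    def evaluate(self, app_id: str, level: int, app_privileges: List[str]) -> List[str]:
        """Step B4.  Assumption: the application's privilege list is ordered by grade
        and permission level k grants its first k entries (so A < B < C < D)."""
        if app_id not in self.app_range:
            raise PermissionError(f"{app_id!r} is outside the template range")
        if not 1 <= level <= 4:
            raise ValueError("permission level must be between 1 and 4")
        return app_privileges[:level]


def standardize(formula: str, registered_apps: List[str]) -> PermissionTemplate:
    """Step B2: fix a and b, restrict d to the applications the user has registered."""
    m = FORMULA_RE.match(formula)
    if m is None:
        raise ValueError(f"malformed permission template formula: {formula!r}")
    return PermissionTemplate(m["a"], m["b"], frozenset(registered_apps))


class UnifiedAuthGateway:
    # preset mapping from identity grade to permission level (constructed values)
    LEVEL_BY_GRADE = {"ordinary": 1, "super": 2, "member": 3, "gold_member": 4}

    def __init__(self, cache: CacheServer, formula_by_app: Dict[str, str],
                 privileges_by_app: Dict[str, List[str]],
                 services: Dict[str, Callable[[List[str]], dict]]):
        self.cache, self.formula_by_app = cache, formula_by_app
        self.privileges_by_app, self.services = privileges_by_app, services

    def handle(self, request: dict) -> dict:
        target_app = request.get("target_app")
        record_id = (request.get("session") or {}).get("record_id")  # 402, 403
        if not record_id or target_app not in self.services:
            return {"status": 400, "reason": "missing session or unknown service"}
        identity = self.cache.query(record_id)                         # 404, 405
        if identity is None:
            return {"status": 401, "reason": "session invalid or expired"}
        try:                                                           # 406 via B2-B4
            template = standardize(self.formula_by_app[target_app], identity["apps"])
            level = self.LEVEL_BY_GRADE[identity["grade"]]
            privileges = template.evaluate(target_app, level, self.privileges_by_app[target_app])
        except (KeyError, PermissionError, ValueError) as exc:
            return {"status": 403, "reason": str(exc)}
        response = self.services[target_app](privileges)               # 407, 408
        return {"status": 200, "privileges": privileges, "response": response}


# Constructed sample deployment: one contacts service whose records carry grades 1-4.
CONTACTS = [("alice", 1), ("bob", 2), ("carol", 3), ("dave", 4)]
CONTACT_PRIVILEGES = ["contacts.grade1", "contacts.grade2", "contacts.grade3", "contacts.grade4"]


def contacts_service(privileges: List[str]) -> dict:
    """Service instance: trusts the gateway's privileges, returns the contacts they cover."""
    allowed = {int(p[-1]) for p in privileges}
    return {"contacts": [name for name, grade in CONTACTS if grade in allowed]}


def build_gateway(now: Callable[[], float] = time.time) -> UnifiedAuthGateway:
    cache = CacheServer(now)
    cache.put("sess-ordinary", {"grade": "ordinary", "apps": ["contacts"]}, 600)
    cache.put("sess-gold", {"grade": "gold_member", "apps": ["contacts"]}, 600)
    cache.put("sess-stale", {"grade": "gold_member", "apps": ["contacts"]}, -1)  # expired
    cache.put("sess-other", {"grade": "gold_member", "apps": ["billing"]}, 600)
    return UnifiedAuthGateway(cache, {"contacts": 'f=tpl1.cloud("contacts")'},
                              {"contacts": CONTACT_PRIVILEGES}, {"contacts": contacts_service})
```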
Consistent with the above embodiments, please refer to Fig. 5, which is a structural schematic diagram of a terminal provided by an embodiment of the present application. As shown, the terminal includes a processor, an input device, an output device and a memory, which are connected to each other. The memory is used to store a computer program, the computer program includes program instructions, and the processor is configured to call the program instructions, the program including instructions for performing the following steps:
receiving an application service request for a target application service sent by a target user, the application service request carrying a record identifier of the target user;
generating a query request according to the record identifier, and sending the query request to a cache server;
receiving the query result sent by the cache server;
if the query result includes the identity information of the target user, determining the service privileges of the target user in the target application service according to the identity information;
sending the service privileges to the target application service;
receiving the target response result sent by the target application service, the target response result corresponding to the service privileges.
In this example, an application service request for a target application service sent by a target user is received, the application service request carrying the record identifier of the target user; a query request is generated according to the record identifier and sent to a cache server; the query result sent by the cache server is received; if the query result includes the identity information of the target user, the service privileges of the target user in the target application service are determined according to the identity information; the service privileges are sent to the target application service; and the target response result sent by the target application service is received, the target response result corresponding to the service privileges. Accordingly, compared with existing solutions in which an authority mechanism is provided separately for each application service, in this solution the application service request for the target application service sent by the target user can be received, the target user is verified first, and after successful verification the service privileges of the target user are obtained and a response is made according to those service privileges. Since the target application service is an arbitrary application service, this solution can authenticate multiple application services, thereby improving the efficiency of authentication to some extent.
The above mainly describes the solution of the embodiments of the present application from the perspective of the method execution process. It can be understood that, in order to implement the above functions, the terminal includes corresponding hardware structures and/or software modules for executing each function. Those skilled in the art should readily appreciate that, in combination with the exemplary units and algorithm steps described in the embodiments disclosed herein, the present application can be implemented in the form of hardware or a combination of hardware and computer software. Whether a function is performed by hardware or by computer software driving hardware depends on the specific application and design constraints of the technical solution. Skilled persons may use different methods to implement the described functions for each specific application, but such implementation should not be regarded as going beyond the scope of the present application.
The embodiments of the present application may divide the terminal into functional units according to the above method examples; for example, each functional unit may correspond to one function, or two or more functions may be integrated into one processing unit. The integrated unit may be implemented in the form of hardware or in the form of a software functional unit. It should be noted that the division of units in the embodiments of the present application is schematic and is only a logical function division; other division manners may be used in actual implementation.
Consistent with the above, please refer to Fig. 6, which is a structural schematic diagram of an authentication device provided by an embodiment of the present application. The authentication device includes a first receiving unit 601, a generation unit 602, a second receiving unit 603, a determination unit 604, a transmission unit 605 and a third receiving unit 606, wherein:
the first receiving unit 601 is configured to receive an application service request for a target application service sent by a target user, the application service request carrying a record identifier of the target user;
the generation unit 602 is configured to generate a query request according to the record identifier, and to send the query request to a cache server;
the second receiving unit 603 is configured to receive the query result sent by the cache server;
the determination unit 604 is configured to, if the query result includes the identity information of the target user, determine the service privileges of the target user in the target application service according to the identity information;
the transmission unit 605 is configured to send the service privileges to the target application service;
the third receiving unit 606 is configured to receive the target response result sent by the target application service, the target response result corresponding to the service privileges.
In this example, an application service request for a target application service sent by a target user is received, the application service request carrying the record identifier of the target user; a query request is generated according to the record identifier and sent to a cache server; the query result sent by the cache server is received; if the query result includes the identity information of the target user, the service privileges of the target user in the target application service are determined according to the identity information; the service privileges are sent to the target application service; and the target response result sent by the target application service is received, the target response result corresponding to the service privileges. Accordingly, compared with existing solutions in which an authority mechanism is provided separately for each application service, in this solution the application service request for the target application service sent by the target user can be received, the target user is verified first, and after successful verification the service privileges of the target user are obtained and a response is made according to those service privileges. Since the target application service is an arbitrary application service, this solution can authenticate multiple application services, thereby improving the efficiency of authentication to some extent.
Optionally, in terms of determining the service privileges of the target user in the target application service according to the identity information, the determination unit 604 is configured to:
determine the permission template acquisition formula of the target user according to the identity information, using a preset generation method for permission template acquisition formulas;
generate a permission acquisition template according to the permission template acquisition formula;
obtain the application identifier of the target application service, and obtain multiple service privileges of the target application;
determine, according to the application identifier and the permission acquisition template, the service privileges of the target user in the target application service from the multiple service privileges.
Optionally, the device is further configured to:
obtain session information from the application service request;
extract the record identifier of the target user from the session information.
Optionally, the authentication device is further configured to:
obtain a first response result that the target application service obtains through a reference application service, the reference application service being an application service associated with the target application service;
determine the target response result from the first response result and a second response result, the second response result being a response result generated by the target application service.
Optionally, in terms of sending the service privileges to the target application service, the transmission unit 605 is configured to:
send the service privileges to the target application service using a preset load balancing method.
An embodiment of the present application also provides a computer storage medium, wherein the computer storage medium stores a computer program for electronic data exchange, and the computer program causes a computer to execute some or all of the steps of any authentication method recorded in the above method embodiments.
An embodiment of the present application also provides a computer program product, the computer program product including a non-transitory computer-readable storage medium storing a computer program, the computer program causing a computer to execute some or all of the steps of any authentication method recorded in the above method embodiments.
It should be noted that, for the sake of simple description, the above method embodiments are all described as a series of action combinations; however, those skilled in the art should understand that the present application is not limited by the described order of actions, because according to the present application some steps may be performed in other orders or simultaneously. Secondly, those skilled in the art should also know that the embodiments described in the specification are all preferred embodiments, and the actions and modules involved are not necessarily required by the present application.
In the above embodiments, the description of each embodiment has its own emphasis; for parts not described in detail in one embodiment, reference may be made to the related descriptions of other embodiments.
In the several embodiments provided in the present application, it should be understood that the disclosed device may be implemented in other ways. For example, the device embodiments described above are merely exemplary; for instance, the division of units is only a logical function division, and other division manners may be used in actual implementation: multiple units or components may be combined or integrated into another system, or some features may be ignored or not executed. In addition, the mutual coupling, direct coupling or communication connection shown or discussed may be an indirect coupling or communication connection through some interfaces, devices or units, and may be electrical or in other forms.
The units described as separate components may or may not be physically separate, and components shown as units may or may not be physical units; they may be located in one place or distributed over multiple network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, the functional units in the embodiments of the present application may be integrated into one processing unit, or each unit may exist physically alone, or two or more units may be integrated into one unit. The integrated unit may be implemented in the form of hardware or in the form of a software program module.
If the integrated unit is implemented in the form of a software program module and is sold or used as an independent product, it may be stored in a computer-readable memory. Based on this understanding, the technical solution of the present application, in essence or in the part that contributes to the prior art, or all or part of the technical solution, may be embodied in the form of a software product stored in a memory, including several instructions for causing a computer device (which may be a personal computer, a server, a network device, etc.) to execute all or part of the steps of the methods of the embodiments of the present application. The aforementioned memory includes various media capable of storing program code, such as a USB flash disk, read-only memory (ROM), random access memory (RAM), a removable hard disk, a magnetic disk or an optical disk.
Those of ordinary skill in the art will appreciate that all or part of the steps in the various methods of the above embodiments may be completed by a program instructing related hardware; the program may be stored in a computer-readable memory, which may include a flash disk, read-only memory, random access memory, a magnetic disk or an optical disk, etc.
The embodiments of the present application have been described in detail above. Specific examples are used herein to explain the principles and embodiments of the present application, and the description of the above embodiments is only intended to help understand the method of the present application and its core ideas. At the same time, those skilled in the art may make changes to the specific embodiments and application scope according to the ideas of the present application. In conclusion, the contents of this specification should not be construed as limiting the present application.

Claims (10)

1. An authentication method, wherein the method comprises:
receiving an application service request for a target application service sent by a target user, the application service request carrying a record identifier of the target user;
generating a query request according to the record identifier, and sending the query request to a cache server;
receiving the query result sent by the cache server;
if the query result includes the identity information of the target user, determining the service privileges of the target user in the target application service according to the identity information;
sending the service privileges to the target application service;
receiving the target response result sent by the target application service, the target response result corresponding to the service privileges.
2. The method according to claim 1, wherein determining the service privileges of the target user in the target application service according to the identity information comprises:
determining the permission template acquisition formula of the target user according to the identity information, using a preset generation method for permission template acquisition formulas;
generating a permission acquisition template according to the permission template acquisition formula;
obtaining the application identifier of the target application service, and obtaining multiple service privileges of the target application;
determining, according to the application identifier and the permission acquisition template, the service privileges of the target user in the target application service from the multiple service privileges.
3. The method according to claim 1, wherein the method further comprises:
obtaining session information from the application service request;
extracting the record identifier of the target user from the session information.
4. The method according to any one of claims 1 to 3, wherein the method further comprises:
obtaining a first response result that the target application service obtains through a reference application service, the reference application service being an application service associated with the target application service;
determining the target response result from the first response result and a second response result, the second response result being a response result generated by the target application service.
5. The method according to any one of claims 1 to 3, wherein sending the service privileges to the target application service comprises:
sending the service privileges to the target application service using a preset load balancing method.
6. a kind of authentication device, which is characterized in that described device include the first receiving unit, generation unit, the second receiving unit, Determination unit, transmission unit and third receiving unit, wherein
First receiving unit, the application service request of the target application service for receiving target user's transmission are described to answer The record identification of the target user is taken with service request;
The generation unit for generating inquiry request according to the record identification, and the inquiry request is sent to slow Deposit server;
Second receiving unit, the query result sent for receiving the cache server;
The determination unit, if in the query result include the target user identity information, according to the body Part information determines Service Privileges of the target user in target application service;
The transmission unit, for the Service Privileges to be sent to the target application service;
The third receiving unit, for receiving the target response of the target application service transmission as a result, the target response As a result corresponding with the Service Privileges.
7. device according to claim 6, which is characterized in that described according to the identity information, determine the mesh In terms of the Service Privileges in the target application services for marking user, the determination unit is used for:
According to the identity information, the generation method of formula is obtained using preset permission template, determines the target user Permission template obtain formula;
Formula is obtained according to the permission template, generates authority acquiring template;
The application identities of the target application service are obtained, and obtain multiple Service Privileges of the target application;
According to the application identities and the authority acquiring template, the target user is determined from the multiple Service Privileges Service Privileges in target application service.
8. device according to claim 6, which is characterized in that the authentication device is used for:
Session information is obtained from application service request;
The record identification of the target user is extracted from the session information.
9. a kind of terminal, which is characterized in that the processor, defeated including processor, input equipment, output equipment and memory Enter equipment, output equipment and memory to be connected with each other, wherein the memory is for storing computer program, the computer Program includes program instruction, and the processor is configured for calling described program instruction, is executed such as any one of claim 1-5 The method.
10. a kind of computer readable storage medium, which is characterized in that the computer storage medium is stored with computer program, The computer program includes program instruction, and described program instruction makes the processor execute such as right when being executed by a processor It is required that the described in any item methods of 1-5.
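The flow recited in claims 1, 3 and 7 above (record identification carried in the session, a lookup at the cache server, and privileges derived from a permission template only when identity information comes back), shown as an added Python illustration. This is not code from the patent or its assignee: the cache server is stood in by an in-memory dict, the undefined "permission template acquisition formula" is assumed to be a plain role-to-privilege mapping per application identity, and all identities, roles and privilege names are constructed sample data. Claims 4 and 5 (merged response results, load-balanced delivery) are not modelled. The point a defender should take from it is the fail-closed shape: every path that lacks identity information ends in an empty privilege set.

```python
"""Worked illustration of the claimed flow: request -> record identification ->
cache lookup -> identity information -> service privileges for one application.
Added example; the cache, templates and identities are constructed sample data."""
from dataclasses import dataclass
from typing import Optional

# Constructed stand-in for the cache server: record identification -> identity
# information. A miss returns no identity, which must lead to a denial.
CACHE = {
    "rec-1001": {"user_id": "alice", "roles": ["viewer", "editor"]},
    "rec-1002": {"user_id": "bob", "roles": ["viewer"]},
}

# Constructed permission templates keyed by application identity. The patent's
# "permission template acquisition formula" is not defined on the page; a plain
# role -> privilege mapping is assumed here as its simplest instance.
PERMISSION_TEMPLATES = {
    "app-orders": {
        "viewer": {"orders:read"},
        "editor": {"orders:read", "orders:write"},
    },
    "app-billing": {"viewer": {"invoices:read"}},
}


@dataclass
class ApplicationServiceRequest:
    """Request for a target application service; the record identification
    travels inside the session information (claim 3)."""
    app_id: str
    session: dict


def extract_record_identification(request: ApplicationServiceRequest) -> Optional[str]:
    """Claim 3: pull the record identification out of the session information."""
    return request.session.get("record_id")


def query_cache(record_id: str) -> dict:
    """Claim 1: query the cache server by record identification.
    Returns an empty dict when the cache holds no identity for the record."""
    return dict(CACHE.get(record_id, {}))


def build_authority_acquiring_template(identity: dict, app_id: str) -> set:
    """Claim 7: derive the user's authority-acquiring template from the identity
    information and the application's permission template, i.e. the set of
    privilege names the user's roles may acquire in this application."""
    template = PERMISSION_TEMPLATES.get(app_id, {})
    acquirable = set()
    for role in identity.get("roles", []):
        acquirable |= template.get(role, set())
    return acquirable


def determine_service_privileges(identity: dict, app_id: str, all_privileges: set) -> set:
    """Claim 7: select, from the application's full privilege list, those the
    template permits. Intersecting keeps a stale template entry from granting
    a privilege the application no longer defines."""
    return build_authority_acquiring_template(identity, app_id) & all_privileges


def authenticate(request: ApplicationServiceRequest, all_privileges: set) -> dict:
    """End-to-end flow of claims 1, 3 and 7. Every failure path yields an
    empty privilege set, so the target service never sees a partial grant."""
    record_id = extract_record_identification(request)
    if record_id is None:
        return {"status": "denied", "reason": "no record identification", "privileges": set()}
    identity = query_cache(record_id)
    if "user_id" not in identity:
        # The query result carries no identity information: the claimed method
        # only determines privileges when it does, so stop here.
        return {"status": "denied", "reason": "identity not in cache", "privileges": set()}
    privileges = determine_service_privileges(identity, request.app_id, all_privileges)
    return {"status": "ok", "user": identity["user_id"], "privileges": privileges}


if __name__ == "__main__":
    orders_privileges = {"orders:read", "orders:write", "orders:delete"}
    req = ApplicationServiceRequest("app-orders", {"record_id": "rec-1001"})
    print(authenticate(req, orders_privileges))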
CN201811615602.2A 2018-12-27 2018-12-27 Authentication method and related product Active CN109829271B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201811615602.2A CN109829271B (en) 2018-12-27 2018-12-27 Authentication method and related product

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201811615602.2A CN109829271B (en) 2018-12-27 2018-12-27 Authentication method and related product

Publications (2)

Publication Number Publication Date
CN109829271A true CN109829271A (en) 2019-05-31
CN109829271B CN109829271B (en) 2021-07-20

Family

ID=66860581

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201811615602.2A Active CN109829271B (en) 2018-12-27 2018-12-27 Authentication method and related product

Country Status (1)

Country Link
CN (1) CN109829271B (en)

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111260375A (en) * 2019-11-26 2020-06-09 泰康保险集团股份有限公司 Service processing method and device
CN111428099A (en) * 2020-03-23 2020-07-17 中国建设银行股份有限公司 Financial service capability query method based on Internet of things and network management center system
CN112287308A (en) * 2020-10-23 2021-01-29 深圳云之家网络有限公司 Service role authentication method and related device
CN115664838A (en) * 2022-11-09 2023-01-31 阿里巴巴(中国)有限公司 Method, system and device for determining right

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101047832A (en) * 2007-04-30 2007-10-03 中兴通讯股份有限公司 Implementing method for service capability authentication and its trigger of internet network TV
CN101453328A (en) * 2007-12-06 2009-06-10 中国移动通信集团公司 Identity management system and identity authentication system
CN101616126A (en) * 2008-06-23 2009-12-30 华为技术有限公司 Realize method, the Apparatus and system of data access authority control
CN103051631A (en) * 2012-12-21 2013-04-17 国云科技股份有限公司 Unified security authentication method for PaaS (Platform as a Service) platform and SaaS (Software as a Service) application system
CN103490886A (en) * 2012-06-12 2014-01-01 阿里巴巴集团控股有限公司 Permission data validation method, device and system
CN107045603A (en) * 2017-04-11 2017-08-15 北京深思数盾科技股份有限公司 Control method and device are called in a kind of application

Patent Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101047832A (en) * 2007-04-30 2007-10-03 中兴通讯股份有限公司 Implementing method for service capability authentication and its trigger of internet network TV
CN101453328A (en) * 2007-12-06 2009-06-10 中国移动通信集团公司 Identity management system and identity authentication system
CN101616126A (en) * 2008-06-23 2009-12-30 华为技术有限公司 Realize method, the Apparatus and system of data access authority control
CN103490886A (en) * 2012-06-12 2014-01-01 阿里巴巴集团控股有限公司 Permission data validation method, device and system
CN103051631A (en) * 2012-12-21 2013-04-17 国云科技股份有限公司 Unified security authentication method for PaaS (Platform as a Service) platform and SaaS (Software as a Service) application system
CN107045603A (en) * 2017-04-11 2017-08-15 北京深思数盾科技股份有限公司 Control method and device are called in a kind of application

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111260375A (en) * 2019-11-26 2020-06-09 泰康保险集团股份有限公司 Service processing method and device
CN111260375B (en) * 2019-11-26 2023-09-26 泰康保险集团股份有限公司 Service processing method and device
CN111428099A (en) * 2020-03-23 2020-07-17 中国建设银行股份有限公司 Financial service capability query method based on Internet of things and network management center system
CN111428099B (en) * 2020-03-23 2023-12-26 中国建设银行股份有限公司 Financial service capability query method based on Internet of things and website management center system
CN112287308A (en) * 2020-10-23 2021-01-29 深圳云之家网络有限公司 Service role authentication method and related device
CN115664838A (en) * 2022-11-09 2023-01-31 阿里巴巴(中国)有限公司 Method, system and device for determining right

Also Published As

Publication number Publication date
CN109829271B (en) 2021-07-20

Similar Documents

Publication Publication Date Title
CN109829271A (en) Method for authenticating and Related product
CN109714174A (en) A kind of internet of things equipment digital identity management system and its method based on block chain
US20190306148A1 (en) Method for oauth service through blockchain network, and terminal and server using the same
CN108768660A (en) Internet of things equipment identity identifying method based on physics unclonable function
CN109542796A (en) Test method and Related product
CN108259438A (en) A kind of method and apparatus of the certification based on block chain technology
CN108496380A (en) server, mobile terminal and program
CN110110509A (en) Right management method and Related product
EP1208522A1 (en) System, method and computer program product for allowing access to enterprise resources using biometric devices
CN101183932A (en) Security identification system of wireless application service and login and entry method thereof
CN104184713A (en) Terminal identification method, machine identification code registration method, and corresponding system and equipment
CN105022939B (en) Information Authentication method and device
CN108347428A (en) Accreditation System, the method and apparatus of application program based on block chain
CN112000744A (en) Signature method and related equipment
CN104125230B (en) A kind of short message certification service system and authentication method
CN105488875B (en) A kind of gate inhibition's verification method and device
CN113242230A (en) Multi-level authentication and access control system and method based on intelligent contracts
CN109492424A (en) Data assets management method, data assets managing device and computer-readable medium
CN108604990A (en) The application method and device of local authorized certificate in terminal
CN110190969A (en) User identity clone's detection method and system in a kind of anonymous information system
CN109639419A (en) Cryptographic key protection method, cipher key storage device and terminal device
CN106060097B (en) A kind of management system and management method of information security contest
Mehmood et al. Multi-agent based framework for secure and reliable communication among open clouds
US6611916B1 (en) Method of authenticating membership for providing access to a secure environment by authenticating membership to an associated secure environment
HanataniI et al. A study on computational formal verification for practical cryptographic protocol: the case of synchronous RFID authentication

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant