CN109829271B - Authentication method and related product - Google Patents


Info

Publication number
CN109829271B
CN109829271B (application CN201811615602.2A)
Authority
CN
China
Prior art keywords
service
target
application service
authority
target user
Prior art date
Legal status
Active
Application number
CN201811615602.2A
Other languages
Chinese (zh)
Other versions
CN109829271A (en)
Inventor
李春林
蓝深
邓裕琳
梁志锋
钟斌
Current Assignee
Shenzhen Intellifusion Technologies Co Ltd
Original Assignee
Shenzhen Intellifusion Technologies Co Ltd
Priority date
Filing date
Publication date
Application filed by Shenzhen Intellifusion Technologies Co Ltd
Priority to CN201811615602.2A
Publication of CN109829271A
Application granted
Publication of CN109829271B
Legal status: Active (current)
Anticipated expiration

Abstract

The embodiment of the application provides an authentication method and a related product, wherein the method comprises the following steps: receiving an application service request of a target application service sent by a target user, wherein the application service request carries a record identifier of the target user; generating a query request according to the record identifier, and sending the query request to a cache server; receiving a query result sent by the cache server; if the query result comprises the identity information of the target user, determining the service authority of the target user in the target application service according to the identity information; sending the service permission to the target application service; and receiving a target response result sent by the target application service, wherein the target response result corresponds to the service authority, so that the authentication efficiency can be improved.

Description

Authentication method and related product
Technical Field
The application relates to the technical field of data security, in particular to an authentication method and a related product.
Background
With the continuous development of the internet, internet-based application service systems have also developed rapidly. The service systems of various applications are becoming increasingly large, and the number of application services within them is increasing sharply. The current method for dealing with network attacks is generally to set an individual authority mechanism for each application service, with the mechanism configured inside each application service. Consequently, when an authentication problem is encountered, the authority mechanism has to be reconfigured for all application services, which makes the system's authentication efficiency low.
Disclosure of Invention
The embodiment of the application provides an authentication method and a related product, which can improve the authentication efficiency.
A first aspect of an embodiment of the present application provides an authentication method, where the method includes:
receiving an application service request of a target application service sent by a target user, wherein the application service request carries a record identifier of the target user;
generating a query request according to the record identifier, and sending the query request to a cache server;
receiving a query result sent by the cache server;
if the query result comprises the identity information of the target user, determining the service authority of the target user in the target application service according to the identity information;
sending the service permission to the target application service;
and receiving a target response result sent by the target application service, wherein the target response result corresponds to the service authority.
With reference to the first aspect of the embodiment of the present application, in a first possible implementation manner of the first aspect, the determining, according to the identity information, a service right of the target user in the target application service includes:
determining the authority template acquisition formula of the target user by adopting a preset authority template acquisition formula generation method according to the identity information;
generating an authority acquisition template according to the authority template acquisition formula;
acquiring an application identifier of the target application and acquiring a plurality of service authorities of the target application;
and determining the service authority of the target user in the target application from the plurality of service authorities according to the application identifier and the authority acquisition template.
With reference to the first aspect and the first possible implementation manner of the first aspect of the embodiment of the present application, in a second possible implementation manner of the first aspect, the method further includes:
acquiring a first response result obtained by the target application service through a reference application service, wherein the reference application service is an associated application service of the target application service;
and determining the target response result according to the first response result and the second response result, wherein the second response result is a response result generated by the target application service.
A second aspect of embodiments of the present application provides an authentication apparatus, which includes a first receiving unit, a generating unit, a second receiving unit, a determining unit, a transmitting unit, and a third receiving unit, wherein,
the first receiving unit is configured to receive an application service request of a target application service sent by a target user, where the application service request carries a record identifier of the target user;
the generating unit is used for generating a query request according to the record identifier and sending the query request to a cache server;
the second receiving unit is configured to receive the query result sent by the cache server;
the determining unit is configured to determine, according to the identity information, a service right of the target user in the target application service if the query result includes the identity information of the target user;
the sending unit is used for sending the service authority to the target application service;
the third receiving unit is configured to receive a target response result sent by the target application service, where the target response result corresponds to the service right.
With reference to the second aspect of the embodiment of the present application, in a first possible implementation manner of the second aspect, in the determining, according to the identity information, a service right of the target user in the target application service, the determining unit is configured to:
determining the authority template acquisition formula of the target user by adopting a preset authority template acquisition formula generation method according to the identity information;
generating an authority acquisition template according to the authority template acquisition formula;
acquiring an application identifier of the target application and acquiring a plurality of service authorities of the target application;
and determining the service authority of the target user in the target application from the plurality of service authorities according to the application identifier and the authority acquisition template.
With reference to the second aspect of the embodiment of the present application and the first possible implementation manner of the second aspect, in a second possible implementation manner of the second aspect, the apparatus is further configured to:
acquiring a first response result obtained by the target application service through a reference application service, wherein the reference application service is an associated application service of the target application service;
and determining the target response result according to the first response result and the second response result, wherein the second response result is a response result generated by the target application service.
A third aspect of the embodiments of the present application provides a terminal, including a processor, an input device, an output device, and a memory, where the processor, the input device, the output device, and the memory are connected to each other, where the memory is used to store a computer program, and the computer program includes program instructions, and the processor is configured to call the program instructions to execute the step instructions in the first aspect of the embodiments of the present application.
A fourth aspect of embodiments of the present application provides a computer-readable storage medium, where the computer-readable storage medium stores a computer program for electronic data exchange, where the computer program makes a computer perform part or all of the steps as described in the first aspect of embodiments of the present application.
A fifth aspect of embodiments of the present application provides a computer program product, wherein the computer program product comprises a non-transitory computer readable storage medium storing a computer program operable to cause a computer to perform some or all of the steps as described in the first aspect of embodiments of the present application. The computer program product may be a software installation package.
The embodiment of the application has at least the following beneficial effects:
Through the embodiment of the application, an application service request of a target application service sent by a target user is received, where the request carries the record identifier of the target user; a query request is generated according to the record identifier and sent to the cache server; the query result sent by the cache server is received; if the query result includes the identity information of the target user, the service authority of the target user in the target application service is determined according to the identity information; the service authority is sent to the target application service; and the target response result sent by the target application service is received, where the target response result corresponds to the service authority. Compared with the existing scheme, in which an authority mechanism is set for each application service, this scheme receives the application service request of the target application service sent by the target user, first verifies the target user, obtains the service authority of the target user after the verification succeeds, and responds according to the service authority.
Drawings
In order to more clearly illustrate the embodiments of the present application or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, it is obvious that the drawings in the following description are only some embodiments of the present application, and for those skilled in the art, other drawings can be obtained according to the drawings without creative efforts.
Fig. 1 is a schematic diagram of a unified authentication system according to an embodiment of the present application;
fig. 2A is a schematic flowchart of an authentication method according to an embodiment of the present application;
fig. 2B is a schematic diagram of another authentication method provided in the embodiment of the present application;
fig. 3 is a schematic flowchart of another authentication method provided in the embodiment of the present application;
fig. 4 is a schematic flowchart of another authentication method provided in the embodiment of the present application;
fig. 5 is a schematic structural diagram of a terminal according to an embodiment of the present application;
fig. 6 is a schematic structural diagram of an authentication device according to an embodiment of the present application.
Detailed Description
The technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are only a part of the embodiments of the present application, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
The terms "first," "second," and the like in the description and claims of the present application and in the above-described drawings are used for distinguishing between different objects and not for describing a particular order. Furthermore, the terms "include" and "have," as well as any variations thereof, are intended to cover non-exclusive inclusions. For example, a process, method, system, article, or apparatus that comprises a list of steps or elements is not limited to only those steps or elements listed, but may alternatively include other steps or elements not listed, or inherent to such process, method, article, or apparatus.
Reference in the specification to "an embodiment" means that a particular feature, structure, or characteristic described in connection with the embodiment can be included in at least one embodiment of the specification. The appearances of the phrase in various places in the specification are not necessarily all referring to the same embodiment, nor are separate or alternative embodiments mutually exclusive of other embodiments. It is explicitly and implicitly understood by one skilled in the art that the embodiments described herein can be combined with other embodiments.
The electronic device according to the embodiments of the present application may include various handheld devices, vehicle-mounted devices, wearable devices, computing devices or other processing devices connected to a wireless modem, and various forms of User Equipment (UE), Mobile Stations (MS), terminal equipment (terminal device), and so on. For convenience of description, the above-mentioned apparatuses are collectively referred to as electronic devices.
In order to better understand the embodiment of the present application, a brief description is first given below of a unified authentication system to which the authentication method provided in the embodiment of the present application is applied. As shown in fig. 1, the unified authentication system 101 receives an application service request of a target application service sent by a target user, where the application service request carries a record identifier of the target user. The unified authentication system 101 obtains the record identifier of the target user from the application service request; the record identifier can be understood as an identifier number allocated to the target user by the system after the target user registers. The unified authentication system 101 generates a query request according to the record identifier and sends it to the cache server 102. The cache server 102 performs a query according to the record identifier in the query request to obtain a query result, which can be identity information or a null value, and sends the query result to the unified authentication system 101. If the unified authentication system 101 determines that the query result includes the identity information, the service authority of the target user in the target application service is determined according to the identity information, and the unified authentication system 101 sends the service authority to the target application service. The target application service may be any one or more of application service A, application service B, application service C or application service D; the target application service determines a target response result according to the service authority and sends it to the unified authentication system 101, which receives the target response result, and the target response result corresponds to the service authority. The application services here are only an example: besides application service A, application service B, application service C and application service D, there may be other application services. Therefore, compared with the prior art, in which an authority mechanism is set for each application service, this scheme can receive the application service request of the target application service sent by the target user, first verify the target user, obtain the service authority of the target user after the verification succeeds, and respond according to the service authority. Because the target application service can be any application service, the scheme can authenticate multiple application services, thereby improving authentication efficiency to a certain extent.
Optionally, the unified authentication system is applied to the gateway.
Referring to fig. 2A, fig. 2A is a schematic flowchart of an authentication method according to an embodiment of the present application. As shown in fig. 2A, the authentication method includes steps 201 to 206, which are as follows:
201. receiving an application service request of a target application service sent by a target user, wherein the application service request carries a record identifier of the target user.
Alternatively, the target user may be any user who needs to apply for a service, and the target user may send an application service request to the unified authentication system through the electronic device. In order to improve the security of communication between the target user and the unified authentication center, a secure communication channel may be established before the target user sends the application service request to the unified authentication system through the electronic device. The secure communication channel is established among the unified authentication center, the electronic device and a proxy device, where the proxy device is a trusted third-party device, and its establishment specifically includes the following steps:
S1, initialization: the initialization stage mainly completes the registration of the unified authentication center and the electronic device with the proxy device, the subscription of topics, and the generation of system parameters. The unified authentication center and the electronic device register with the proxy device; only a registered unified authentication center and registered electronic devices can take part in publishing and subscribing to topics, and the electronic device subscribes to the relevant topics with the proxy device. The proxy device generates the system public parameter (PK) and the master key (MSK), and sends PK to the registered unified authentication center and electronic devices.
S2, encryption and publishing: in the encryption and publishing stage, the unified authentication center encrypts the payload belonging to the topic to be published and sends it to the proxy device. First, the unified authentication center encrypts the payload with a symmetric encryption algorithm to produce a ciphertext (CT); it then formulates an access structure (shown as a symbol image in the original) and encrypts the symmetric key according to PK and the access structure it generated; finally, it sends the encrypted key and the encrypted payload to the proxy device. After receiving the encrypted key and the CT from the unified authentication center, the proxy device filters them and forwards the key and the CT to the electronic device.
Optionally, the access structure (shown as a symbol image in the original) is an access tree. Each non-leaf node x of the access tree is a threshold gate with threshold $k_x$, where $0 < k_x \le \mathrm{num}(x)$ and $\mathrm{num}(x)$ is the number of child nodes of x. When $k_x = \mathrm{num}(x)$, the non-leaf node is an AND gate; when $k_x = 1$, it is an OR gate. Each leaf node of the access tree represents an attribute. Whether an attribute set satisfies an access tree is defined as follows: let T be an access tree with root node r, and let $T_x$ be the subtree of T rooted at node x. $T_x(S) = 1$ denotes that the attribute set S satisfies the access structure $T_x$. If node x is a leaf node, $T_x(S) = 1$ if and only if the attribute $\mathrm{att}(x)$ associated with leaf node x is an element of the attribute set S. If node x is a non-leaf node, $T_x(S) = 1$ if and only if at least $k_x$ child nodes z of x satisfy $T_z(S) = 1$.
S3, private key generation: in the private key generation stage, the proxy device generates the key with which the electronic device decrypts the CT it subsequently receives. The electronic device provides its attribute set $A_i$ to the proxy device (the attributes can be information such as the subscriber's characteristics and roles); the proxy device generates a private key SK from PK, the attribute set $A_i$ and the master key MSK, and then transmits the generated private key SK to the electronic device.
Optionally, the attribute set $A_i$ is a subset of the global set $U = \{A_1, A_2, \dots, A_n\}$. The attribute set $A_i$ denotes the attribute information of electronic device i (the i-th electronic device), which may be characteristics, roles and the like of the electronic device and is a default attribute of the electronic device; the global set U denotes the set of attribute information of all electronic devices.
S4, decryption: in the decryption stage, the electronic device decrypts the encrypted payload to recover the plaintext. After the electronic device receives the encrypted key and the CT sent by the proxy device, it decrypts the encrypted key according to PK and SK to obtain the symmetric key. If its attribute set $A_i$ satisfies the access structure of the ciphertext, the ciphertext can be decrypted successfully, which guarantees the security of the communication process.
By constructing the secure communication channel, the security of communication between the electronic equipment and the unified authentication center can be ensured to a certain extent, the possibility that the illegal electronic equipment steals data transmitted between the legal electronic equipment and the unified authentication center is reduced, and the occurrence of the situation that the important data in the system is stolen by the illegal electronic equipment through an intrusion system and a tampering system is also reduced.
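As an added example (not code from the patent), the access-tree satisfaction test $T_x(S)$ defined above, written out in Python: threshold gates constrained to $0 < k_x \le \mathrm{num}(x)$, AND and OR as the two boundary cases, and a recursive check of whether a device's attribute set satisfies a policy. The policy, attribute names and the function names are constructed for illustration; the actual key wrapping of the symmetric key under the access structure is not shown, only the satisfaction test that decides whether decryption can succeed.

```python
from dataclasses import dataclass
from typing import FrozenSet, Iterable, Union


@dataclass(frozen=True)
class Leaf:
    """Leaf node x: carries a single attribute att(x)."""
    attribute: str


@dataclass(frozen=True)
class Gate:
    """Non-leaf node x: a threshold gate over its children, 0 < k_x <= num(x)."""
    threshold: int
    children: tuple

    def __post_init__(self) -> None:
        num_x = len(self.children)
        if not 0 < self.threshold <= num_x:
            raise ValueError(f"threshold {self.threshold} violates 0 < k_x <= {num_x}")


Node = Union[Leaf, Gate]


def AND(*children: Node) -> Gate:
    """k_x = num(x): every child must be satisfied."""
    return Gate(len(children), tuple(children))


def OR(*children: Node) -> Gate:
    """k_x = 1: any single satisfied child suffices."""
    return Gate(1, tuple(children))


def satisfies(node: Node, attrs: FrozenSet[str]) -> bool:
    """Return True when T_x(S) = 1, evaluated recursively from node x."""
    if isinstance(node, Leaf):
        return node.attribute in attrs          # att(x) in S
    satisfied_children = sum(1 for z in node.children if satisfies(z, attrs))
    return satisfied_children >= node.threshold  # at least k_x children with T_z(S) = 1


# Constructed policy (an assumption, not from the patent): a subscriber may read the
# topic if it is a registered device of the security department, or if it meets
# any two of three weaker conditions (a 2-of-3 threshold gate).
POLICY = OR(
    AND(Leaf("device:registered"), Leaf("dept:security")),
    Gate(2, (Leaf("role:operator"), Leaf("topic:auth_events"), Leaf("region:cn"))),
)


def can_decrypt(attributes: Iterable[str]) -> bool:
    """Would a device holding these attributes satisfy the ciphertext's access tree?"""
    return satisfies(POLICY, frozenset(attributes))
```

Because the test is purely structural, it is also the check a reviewer runs over a proposed policy before deployment: enumerate the attribute sets the proxy actually issues and confirm that only the intended ones satisfy the tree.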
Optionally, the record identifier of the target user is held in a payload field of the application service request.
Optionally, a possible method for obtaining the record identifier includes steps A1-A2, as follows:
A1, obtaining session information from the application service request;
the session information may be understood as necessary information, such as an identity, when the electronic device and the unified authentication center perform a session at this time.
A2, extracting the record identification of the target user from the session information.
Wherein the record identification is extracted from a field in the session information in which the record identification is stored.
Alternatively, another method for obtaining the record identifier may be to extract the record identifier from a payload field in the application service request. When extracting the record identifier, a way of extracting from the first field may be adopted, and a way of extracting from the last field may also be adopted, where the way of extracting from the first field may be understood as extracting the record identifier from an address corresponding to the first field in which the record identifier is stored, and the way of extracting from the last field may be understood as extracting the record identifier from an address corresponding to the last field in which the record identifier is stored.
202. And generating a query request according to the record identifier, and sending the query request to a cache server.
The cache server stores a mapping relationship between the record identifier and the identity information of the user, where the mapping relationship is stored when the user registers or when the user is created (system user). For example, when the target user successfully registers, the target user is assigned with a record identifier uniquely corresponding to the user, and the record identifier and the identity information of the user are stored in an associated manner, so that the mapping relationship is obtained.
Optionally, the record identifier may also be updated. One possible update method is as follows: after each login of the user, the record identifier of the user is updated, the updated record identifier and the identity information of the user are stored in association, and the original record identifier is overwritten by the updated one. Updating the record identifier in this way makes the user's record identifier change dynamically, so that the case of a stolen record identifier can be dealt with, and the security of the system can therefore be improved.
Optionally, after receiving the query request, the cache server queries the database by the record identifier. The query result may be identity information or a null value: when the query result is identity information, the request can be determined to be a legal request; when the query result is a null value, the request can be determined to be an illegal request, and the cache server may directly reject the request.
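The mapping and the per-login rotation described in step 202, as an added example in Python that is not the patent's own code: a toy cache server that stores record identifier to identity mappings, issues a fresh random identifier on each login so the previous one stops resolving, and answers a query with the identity or None (the null value the text mentions). The class and method names (CacheServer, on_login, is_legal_request) and the user data are constructed assumptions.

```python
import secrets
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class Identity:
    """Identity information stored against a record identifier (constructed shape)."""
    user_id: str
    display_name: str


class CacheServer:
    """Holds the record identifier -> identity mapping of step 202.

    Two indexes are kept: record identifier -> identity for the query path, and
    user id -> current record identifier so that a login can overwrite the old one.
    """

    def __init__(self) -> None:
        self._identity_by_record: Dict[str, Identity] = {}
        self._record_by_user: Dict[str, str] = {}

    @staticmethod
    def _new_record_identifier() -> str:
        # Unpredictable identifier; a guessable one would make rotation pointless.
        return secrets.token_urlsafe(24)

    def register(self, identity: Identity) -> str:
        """Registration: allocate a record identifier uniquely bound to the user."""
        if identity.user_id in self._record_by_user:
            raise ValueError(f"{identity.user_id} is already registered")
        record_id = self._new_record_identifier()
        self._identity_by_record[record_id] = identity
        self._record_by_user[identity.user_id] = record_id
        return record_id

    def on_login(self, user_id: str) -> str:
        """Rotation on login: the old identifier is removed, so it stops resolving."""
        old_record_id = self._record_by_user[user_id]
        identity = self._identity_by_record.pop(old_record_id)
        new_record_id = self._new_record_identifier()
        self._identity_by_record[new_record_id] = identity
        self._record_by_user[user_id] = new_record_id
        return new_record_id

    def query(self, record_id: str) -> Optional[Identity]:
        """Query result: the identity information, or None (the null value)."""
        return self._identity_by_record.get(record_id)


def is_legal_request(cache: CacheServer, record_id: str) -> bool:
    """The gateway's decision: identity found -> legal request, null -> illegal."""
    return cache.query(record_id) is not None


def rotation_demo() -> Dict[str, bool]:
    """Effect of one login on an identifier recorded before it (constructed data)."""
    cache = CacheServer()
    earlier = cache.register(Identity("u-1001", "Alice"))
    valid_before = is_legal_request(cache, earlier)
    fresh = cache.on_login("u-1001")
    return {
        "earlier_valid_before_login": valid_before,
        "earlier_valid_after_login": is_legal_request(cache, earlier),
        "fresh_valid_after_login": is_legal_request(cache, fresh),
        "unknown_identifier_valid": is_legal_request(cache, "not-a-record-identifier"),
    }
```

The rotation bounds the lifetime of any identifier that leaks in transit or from a log to the interval until the user's next login, which is the security property the paragraph above claims; a real deployment would add expiry for users who never log in again.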
203. And receiving the query result sent by the cache server.
Optionally, when receiving the query result sent by the cache server, the query result may be received through a secure communication channel between the unified authentication center and the cache server, and the method for establishing the secure communication channel may be established according to the method for establishing the secure communication channel in step 201.
204. And if the query result comprises the identity information of the target user, determining the service authority of the target user in the target application service according to the identity information.
Optionally, a possible method for determining the service right according to the identity information may include steps B1-B4, which are as follows:
B1, determining the authority template acquisition formula of the target user by adopting a preset authority template acquisition formula generation method according to the identity information;
optionally, the generation method of the preset authority template acquisition formula may be to query the database according to the identity information to obtain a plurality of generation methods corresponding to the identity information; determining a generation method of an authority template acquisition formula of a target user according to a service address of a target application service; according to the generation method, an authority template acquisition formula of the target user is determined.
The target user may access multiple application services, and different applications have different generation methods. Therefore a query is first performed in the database to obtain the multiple generation methods, and the generation method of the authority template acquisition formula corresponding to the service address of the target application service is adopted. Alternatively, a possible generation method may be one configured by a neural network model or by a system administrator. The neural network model can be obtained through training, which may include forward training and reverse training. The neural network model may include N layers; during training, sample data is input into the first layer of the N-layer network and a first operation result is obtained after the forward operation of the first layer; the first operation result is input into the second layer and a second result is obtained after its forward operation, and so on, until the (N-1)th result is input into the Nth layer and the Nth operation result is obtained; reverse training is then performed on the Nth operation result. Forward training and reverse training are repeated in this way until training of the neural network model is complete. N is a positive integer, and the sample data is a service address together with a generation method. For the generation method configured by the system administrator, the administrator configures it using a preset configuration template, which is stored in advance for use by the system.
B2, generating an authority acquisition template according to the authority template acquisition formula;
Optionally, one possible authority template acquisition formula may be: f = a.b("d"), where f is the service authority, a is the authority template acquisition formula identifier, b is the operating platform, and d is the application identifier. The operating platform can be understood as the running platform of an application service.
Optionally, the template obtaining formula is standardized to obtain an authority obtaining template. The normalization can be understood as converting a formula into an authority acquisition template corresponding to the user direction, fixing the numerical value of each parameter in the authority acquisition template, and acquiring the range of each parameter. Taking the application identifier as an example, the range of the application identifier is the application identifiers of all application services registered by the target user.
B3, acquiring an application identifier of the target application service, and acquiring a plurality of service permissions of the target application;
all the service permissions of the target application are stored in the database, and a plurality of service permissions of the target application can be directly acquired from the database, namely all the permissions of the target application are acquired.
B4, according to the application identification and the authority acquisition template, determining the service authority of the target user in the target application from the plurality of service authorities.
The application identifier is input into the authority acquisition template, and the execution code corresponding to the authority acquisition template is executed, so as to determine the service authority of the target user in the target application service.
Optionally, another method for determining the service authority may be: determining the authority level corresponding to the identity level of the target user according to a preset mapping relation between identity information and authority level, and obtaining the service authority of the target user as the service authority corresponding to that authority level. The preset mapping relation between identity information and authority level can be obtained by training a neural network model, and a possible training process is the one described above for the neural network model.
The higher the authority level, the more authorities the user obtains. For example, the authority levels may be a first, second, third and fourth authority level, increasing from the first to the fourth. The first authority level includes A service authorities, the second includes B, the third includes C and the fourth includes D, where A, B, C and D are positive integers with D > C > B > A.
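The following Python program is an added worked example of steps B2 to B4 together with the level-mapping alternative; it is not code from the patent. It parses a formula of the shape a.b("d") given above, normalizes it into a template whose application-identifier range is the set of applications registered by the user, and then executes the template for one application identifier. The sample authorities, the four authority levels, the identity-to-level mapping, the exact formula grammar and the rule that the template selects by intersecting the application's registered authorities with the user's level are all assumptions made for the example.

```python
import re
from typing import Dict, FrozenSet, List

# Constructed sample data (not from the patent): every service authority
# registered for each application, keyed by application identifier and
# running platform. This stands in for the database consulted in step B3.
ALL_SERVICE_AUTHORITIES: Dict[str, Dict[str, List[str]]] = {
    "contacts": {"web": ["contact.l1", "contact.l2", "contact.l3", "contact.l4"]},
    "billing": {"web": ["invoice.read", "invoice.pay"]},
}

# Constructed authority levels: four levels whose authority counts satisfy
# A < B < C < D, each level a strict superset of the one below it.
AUTHORITY_LEVELS: Dict[int, FrozenSet[str]] = {
    1: frozenset({"contact.l1"}),
    2: frozenset({"contact.l1", "contact.l2", "invoice.read"}),
    3: frozenset({"contact.l1", "contact.l2", "contact.l3", "invoice.read"}),
    4: frozenset({"contact.l1", "contact.l2", "contact.l3", "contact.l4",
                  "invoice.read", "invoice.pay"}),
}

# Constructed preset mapping from identity information to authority level.
IDENTITY_TO_LEVEL: Dict[str, int] = {
    "ordinary": 1, "privileged": 2, "member": 3, "gold_member": 4,
}

# Formula shape a.b("d") from the text: a is the formula identifier, b the
# running platform, d the application identifier. The token grammar and the
# double-quoted d are assumptions of this example.
FORMULA_RE = re.compile(r'^(?P<a>[A-Za-z_]\w*)\.(?P<b>[A-Za-z_]\w*)\("(?P<d>[^"]*)"\)$')


def levels_are_monotonic() -> bool:
    """Check the invariant D > C > B > A: each level strictly extends the previous one."""
    keys = sorted(AUTHORITY_LEVELS)
    return all(AUTHORITY_LEVELS[lo] < AUTHORITY_LEVELS[hi]
               for lo, hi in zip(keys, keys[1:]))


def parse_formula(formula: str) -> Dict[str, str]:
    """Split an authority template acquisition formula into its parameters a, b, d."""
    match = FORMULA_RE.match(formula)
    if match is None:
        raise ValueError(f"malformed authority template acquisition formula: {formula!r}")
    return match.groupdict()


def build_template(formula: str, registered_apps: FrozenSet[str], identity: str) -> dict:
    """Normalization (step B2): fix each parameter of the template and record the
    range the application identifier may take, i.e. the applications registered
    by the target user. An application outside that range is refused here."""
    params = parse_formula(formula)
    if params["d"] not in registered_apps:
        raise PermissionError(f"application {params['d']!r} is not registered for this user")
    if identity not in IDENTITY_TO_LEVEL:
        raise PermissionError(f"unknown identity information {identity!r}")
    return {
        "identifier": params["a"],
        "platform": params["b"],
        "app_range": frozenset(registered_apps),
        "level": IDENTITY_TO_LEVEL[identity],
    }


def determine_service_authority(template: dict, app_id: str) -> List[str]:
    """Execute the template for one application identifier (step B4): from all
    authorities of that application keep only those the user's level grants.
    Selection by intersection is this example's rule; anything not granted is
    denied, and an unknown application or platform yields no authority at all."""
    if app_id not in template["app_range"]:
        raise PermissionError(f"application {app_id!r} is outside the template's range")
    candidates = ALL_SERVICE_AUTHORITIES.get(app_id, {}).get(template["platform"], [])
    granted = AUTHORITY_LEVELS[template["level"]]
    return [authority for authority in candidates if authority in granted]


if __name__ == "__main__":
    tpl = build_template('perm.web("contacts")', frozenset({"contacts", "billing"}), "member")
    print(determine_service_authority(tpl, "contacts"))  # ['contact.l1', 'contact.l2', 'contact.l3']
```

The range check in `build_template` and the default-deny in `determine_service_authority` are where a real gateway would stop a user from obtaining authority for an application they never registered for, which is the check a reviewer would look for in any implementation of step B4.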
205. And sending the service authority to the target application service.
Optionally, a preset load balancing method may be adopted to send the service authority to the target application service.
A load balancing strategy is a general term for scheduling algorithms and can be implemented in a custom way. The default scheduling algorithm for client-side load balancing is a weighted round robin mechanism: each server is given a weight, also called its polling probability, that is proportional to the share of requests it receives; this handles the case where back-end servers differ in performance.
First, the weight is assigned according to the performance of the server: the better the performance, the higher the weight, and the worse the performance, the lower the weight. If the weight is identified by the field weight, a configuration may be, for example, weight = 10.
Secondly, when the gateway needs a routing instance, it polls the whole server list and selects all servers that are in the idle state.
Finally, the server with the highest weight among all idle servers is selected as the calling object, the request is routed to the target application service on that server, and the service authority is sent to the target application service.
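As an added example (not the patent's code) of the routing step just described, the Python below implements both parts: a weighted round robin over the server list and the idle-server selection that picks the highest weight. The smooth weighted round robin variant (the one used by nginx upstreams, where a weight of w yields exactly w picks per sum-of-weights cycle, spread out rather than bunched) is assumed to be the "weighted round robin mechanism" the text means; the server addresses and weights are constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class ServerInstance:
    address: str   # where the target application service instance is reachable
    weight: int    # assigned from measured performance: better server, higher weight
    idle: bool = True


def validate_weights(instances: List[ServerInstance]) -> None:
    """A weight is a polling probability, so it must be a positive integer."""
    for inst in instances:
        if not isinstance(inst.weight, int) or inst.weight <= 0:
            raise ValueError(f"invalid weight {inst.weight!r} for {inst.address}")


def weighted_round_robin(instances: List[ServerInstance], picks: int) -> List[str]:
    """Smooth weighted round robin (assumed variant): every pick adds each
    instance's weight to its running score, the highest score wins and has the
    total weight subtracted. Over sum(weights) picks each instance is chosen
    exactly weight times. Returns the chosen addresses in order."""
    validate_weights(instances)
    total = sum(inst.weight for inst in instances)
    current: Dict[str, int] = {inst.address: 0 for inst in instances}
    chosen: List[str] = []
    for _ in range(picks):
        for inst in instances:
            current[inst.address] += inst.weight
        best = max(instances, key=lambda inst: current[inst.address])
        current[best.address] -= total
        chosen.append(best.address)
    return chosen


def choose_idle_instance(instances: List[ServerInstance]) -> Optional[ServerInstance]:
    """Poll the whole list, keep the idle instances and return the one with the
    highest weight (the earlier entry wins a tie). None means nothing is idle."""
    validate_weights(instances)
    idle = [inst for inst in instances if inst.idle]
    if not idle:
        return None
    return max(idle, key=lambda inst: inst.weight)


def route_service_authority(instances: List[ServerInstance],
                            service_authority: List[str]) -> Dict[str, object]:
    """Send the service authority to the target application service on the
    chosen server. With no idle server the request is not routed anywhere,
    rather than being sent to a busy or unknown instance."""
    target = choose_idle_instance(instances)
    if target is None:
        raise RuntimeError("no idle server available; request not routed")
    target.idle = False   # busy until it returns its response result
    return {"server": target.address, "service_authority": list(service_authority)}


if __name__ == "__main__":
    pool = [ServerInstance("10.0.0.1", 5), ServerInstance("10.0.0.2", 1), ServerInstance("10.0.0.3", 1)]
    print(weighted_round_robin(pool, 7))
    print(route_service_authority(pool, ["contact.l1"]))
```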
Optionally, a service authority corresponds to a service operation that instructs the application service what to execute. For example, if the target application service is a service for acquiring contact information, the service authority may include acquiring first-level, second-level, third-level or fourth-level contact information, with importance increasing from the first level to the fourth. The importance level corresponds to the user level: the higher the user level, the higher the importance level of the information the user may access, and the lower the user level, the lower the importance level. Users may be divided into ordinary users, privileged users, member users, gold member users and so on, whose user levels increase in that order, each user type corresponding to one user level. When the service authority is to acquire first-level contact information, the target application service queries all first-level contact information and stores the query result.
Optionally, after the target application service receives the service authority, it may invoke another application service while executing the service operation corresponding to the service authority. A possible method includes steps C1-C2, as follows:
C1, acquiring a first response result obtained by the target application service through a reference application service, wherein the reference application service is an associated application service of the target application service;
When the target application service needs to call the reference application service, it sends a call request to the reference application service. The call request carries call information related to the call, which may be the service authority. Two application services are associated application services if they can invoke each other. The reference application service executes the service operation corresponding to the received service authority to obtain the first response result.
C2, determining the target response result according to the first response result and the second response result, wherein the second response result is a response result generated by the target application service.
Optionally, the second response result is the response result obtained after the target application service executes the service operation corresponding to the service authority. The second response result may include a plurality of response parameters. In one case the first response result is used as input data of the target application service, which performs corresponding data processing on it to obtain part of the response parameters of the second response result, so that the second response result is used as the target response result. In another case the first response result is a separate response result that enters no data processing relationship with the target application service, and when the target response result is determined, the first response result and the second response result together form the target response result.
In this example, different application services can call each other directly without mutual authentication, so the efficiency of calls between services can be improved and the system overhead of mutual calls reduced to a certain extent.
206. And receiving a target response result sent by the target application service, wherein the target response result corresponds to the service authority.
Referring to fig. 2B, fig. 2B is a schematic diagram of another authentication method according to an embodiment of the present application. As shown in fig. 2B, a user first initiates a request. The unified authentication system intercepts the request according to the routing information in the request; after interception succeeds, session information is taken out of the request and the cache server is checked for whether the session information is valid. If it is invalid, the request is rejected; if it is valid, identity information is returned, the service authority is determined according to the identity information, and the service authority is sent to the corresponding service instance through the load balancing policy of the unified authentication system. The service instance obtains a response result according to the session information, and the response result is fed back to the target user through the unified authentication system. The service instances include service instance A, service instance B, service instance C and service instance D, and when they call each other internally no further authentication is required between them. That is, the unified authentication system forms a security barrier between the user and the service applications, so the security of the service applications can be improved.
Optionally, one operation behavior needs to be supported by 1 to N services, but authentication does not need to be performed on all of those N services. The core of the authentication mechanism of the present application is to isolate all operation behaviors from the applications providing the services so as to form a protection layer: authentication is performed before a user request reaches the first service instance, and the 1st, 2nd, ..., Nth service instances are connected only after authentication passes.
Optionally, the unified authentication system further includes:
(1) Hiding of services: all service instances and the interface services they provide are hidden from the outside; the only thing exposed is the routing mapping information.
(2) All external requests for services must pass through the gateway system; there is no way to request a service directly. This eliminates the complicated authentication processing that each internal service would otherwise have to perform for direct external requests, and directly strengthens the security of the internal services.
(3) With the unified authentication capability provided by the unified authentication mechanism of the gateway system, mutual calls among internal services do not need to be authenticated. This relies on (1) and (2): skipping authentication between services is only safe while the services are reachable solely through the gateway.
In this example, the unified authentication system intercepts the request according to the routing information in the request. After interception succeeds, session information is taken out of the request and the cache server is checked for whether the session information is valid: if it is invalid, the request is rejected; if it is valid, identity information is returned. The service authority is determined according to the identity information and sent to the corresponding service instance through the load balancing strategy of the unified authentication system; the service instance obtains a response result according to the session information, and the response result is fed back to the target user through the unified authentication system. The scheme can authenticate a plurality of application services, thereby improving authentication efficiency to a certain extent.
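The following Python program is an added example, not the patent's code, of the fig. 2B flow and of the service-to-service call of steps C1-C2: a gateway that intercepts by route, takes the record identifier out of the session information, checks it against a cache with an expiry, rejects invalid or expired sessions, determines the service authority from the identity information and forwards it to a target service that calls an associated reference service with the same authority and no re-authentication. The in-memory `SessionCache` standing in for the cache server, the route table, the two services, the identity-to-authority mapping and the HTTP-style status codes are all assumptions made for the example.

```python
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

Invoker = Callable[[str, List[str]], dict]
ServiceFn = Callable[[List[str], Invoker], dict]


class SessionCache:
    """In-memory stand-in for the cache server (constructed for this example):
    record identifier -> (identity information, expiry time). The clock is
    injectable so that expiry can be exercised deterministically."""

    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self._entries: Dict[str, Tuple[str, float]] = {}
        self._clock = clock

    def put(self, record_id: str, identity: str, ttl_seconds: float) -> None:
        self._entries[record_id] = (identity, self._clock() + ttl_seconds)

    def query(self, record_id: str) -> Optional[str]:
        """Query result: the identity information if the session is still valid,
        otherwise None. An expired entry is dropped so it cannot be replayed."""
        entry = self._entries.get(record_id)
        if entry is None:
            return None
        identity, expiry = entry
        if self._clock() >= expiry:
            del self._entries[record_id]
            return None
        return identity


# Constructed mapping from identity information to service authority.
IDENTITY_TO_AUTHORITY: Dict[str, List[str]] = {
    "ordinary": ["contact.l1"],
    "member": ["contact.l1", "contact.l2", "contact.l3"],
}

# The only information exposed externally: routing mapping (route -> service name).
ROUTE_TABLE: Dict[str, str] = {"/contacts": "contacts"}


def contacts_service(service_authority: List[str], invoke: Invoker) -> dict:
    """Target application service. Its own rows are the second response result; it
    calls the associated (reference) service with the same service authority and
    no further authentication, and merges that first response result in."""
    rows = [f"contact level {auth.rsplit('.', 1)[1]}" for auth in service_authority]
    first_response = invoke("audit", service_authority)
    return {"contacts": rows, "audit": first_response}


def audit_service(service_authority: List[str], invoke: Invoker) -> dict:
    """Reference application service: records how many authorities were exercised."""
    return {"logged": len(service_authority)}


@dataclass
class Request:
    route: str                                              # routing information
    session: Dict[str, str] = field(default_factory=dict)   # session information


class UnifiedAuthGateway:
    def __init__(self, cache: SessionCache, services: Dict[str, ServiceFn]) -> None:
        self._cache = cache
        self._services = services   # hidden: nothing outside the gateway holds these

    def _invoke(self, name: str, service_authority: List[str]) -> dict:
        # Internal calls go through here and carry the already-determined authority.
        return self._services[name](service_authority, self._invoke)

    def handle(self, req: Request) -> dict:
        service_name = ROUTE_TABLE.get(req.route)
        if service_name is None:
            return {"status": 404, "error": "no route"}          # interception fails
        record_id = req.session.get("record_id")
        if not record_id:
            return {"status": 401, "error": "no record identifier in session"}
        identity = self._cache.query(record_id)
        if identity is None:
            return {"status": 401, "error": "session invalid or expired"}  # rejected
        service_authority = IDENTITY_TO_AUTHORITY.get(identity)
        if service_authority is None:
            return {"status": 403, "error": "identity has no service authority"}
        target_response = self._invoke(service_name, service_authority)
        return {"status": 200, "result": target_response}


if __name__ == "__main__":
    cache = SessionCache()
    gateway = UnifiedAuthGateway(cache, {"contacts": contacts_service, "audit": audit_service})
    cache.put("rec-1", "member", ttl_seconds=60)
    print(gateway.handle(Request("/contacts", {"record_id": "rec-1"})))
```

Every path that does not end in a valid cache entry returns without touching a service, which is the "protection layer" property the text claims; the services themselves perform no check because, in this model, they are only reachable through `_invoke`.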
Referring to fig. 3, fig. 3 is a schematic flowchart of another authentication method according to an embodiment of the present application. As shown in fig. 3, the authentication method may include steps 301 to 310, as follows:
301. receiving an application service request of a target application service sent by a target user, wherein the application service request carries a record identifier of the target user;
302. acquiring a record identifier of the target user from the application service request;
303. generating a query request according to the record identifier, and sending the query request to a cache server;
304. receiving a query result sent by the cache server;
305. if the query result comprises the identity information of the target user, determining an authority template acquisition formula of the target user by adopting a preset authority template acquisition formula generation method according to the identity information;
306. generating an authority acquisition template according to the authority template acquisition formula;
307. acquiring an application identifier of the target application service and acquiring a plurality of service authorities of the target application;
308. determining the service authority of the target user in the target application service from the plurality of service authorities according to the application identifier and the authority acquisition template;
309. sending the service permission to the target application service;
310. and receiving a target response result sent by the target application service, wherein the target response result corresponds to the service authority.
In this example, the authority template acquisition formula of the target user is determined from the identity information of the target user, the authority acquisition template is determined from that formula, and the authority of the target user is acquired through the authority acquisition template. When the target application service has many service authorities, determining the service authority through the authority template can improve the efficiency of acquiring the service authority to a certain extent.
Referring to fig. 4, fig. 4 is a schematic flowchart illustrating another authentication method according to an embodiment of the present application. As shown in fig. 4, the authentication method may include steps 401 to 408, as follows:
401. receiving an application service request of a target application service sent by a target user, wherein the application service request carries a record identifier of the target user;
402. obtaining session information from the application service request;
403. extracting the record identification of the target user from the session information;
404. generating a query request according to the record identifier, and sending the query request to a cache server;
405. receiving a query result sent by the cache server;
406. if the query result comprises the identity information of the target user, determining the service authority of the target user in the target application service according to the identity information;
407. sending the service permission to the target application service;
408. and receiving a target response result sent by the target application service, wherein the target response result corresponds to the service authority.
In this example, the target application service is authenticated: the record identifier is extracted from the session information and authentication is performed through the record identifier. Since the target application service can be any application service, the scheme can perform unified authentication for a plurality of application services.
In accordance with the foregoing embodiment, please refer to fig. 5, fig. 5 is a schematic structural diagram of a terminal according to an embodiment of the present application, and as shown in the drawing, the terminal includes a processor, an input device, an output device, and a memory, where the processor, the input device, the output device, and the memory are connected to each other, where the memory is used to store a computer program, the computer program includes program instructions, the processor is configured to call the program instructions, and the program includes instructions for performing the following steps:
receiving an application service request of a target application service sent by a target user, wherein the application service request carries a record identifier of the target user;
generating a query request according to the record identifier, and sending the query request to a cache server;
receiving a query result sent by the cache server;
if the query result comprises the identity information of the target user, determining the service authority of the target user in the target application service according to the identity information;
sending the service permission to the target application service;
and receiving a target response result sent by the target application service, wherein the target response result corresponds to the service authority.
In this example, an application service request of a target application service sent by a target user is received, where the application service request carries a record identifier of the target user; a query request is generated according to the record identifier and sent to a cache server; a query result sent by the cache server is received; if the query result includes identity information of the target user, the service authority of the target user in the target application service is determined according to the identity information; the service authority is sent to the target application service; and a target response result sent by the target application service is received, where the target response result corresponds to the service authority. Therefore, compared with the existing scheme, in which an authority mechanism is set up separately for each application service, this scheme receives the application service request of the target application service sent by the target user, first verifies the target user, obtains the service authority of the target user after verification succeeds, and responds according to the service authority.
The above description has introduced the solution of the embodiment of the present application mainly from the perspective of the method-side implementation process. It is understood that the terminal includes corresponding hardware structures and/or software modules for performing the respective functions in order to implement the above-described functions. Those of skill in the art will readily appreciate that the various illustrative elements and algorithm steps described in connection with the embodiments provided herein can be implemented by hardware or by a combination of hardware and computer software. Whether a function is performed by hardware or by computer software driving hardware depends upon the particular application and the design constraints imposed on the solution. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present application.
In the embodiment of the present application, the terminal may be divided into the functional units according to the above method example, for example, each functional unit may be divided corresponding to each function, or two or more functions may be integrated into one processing unit. The integrated unit can be realized in a form of hardware, and can also be realized in a form of a software functional unit. It should be noted that the division of the unit in the embodiment of the present application is schematic, and is only a logic function division, and there may be another division manner in actual implementation.
In accordance with the above, please refer to fig. 6, fig. 6 is a schematic structural diagram of an authentication apparatus according to an embodiment of the present application. The authentication apparatus includes a first receiving unit 601, a generating unit 602, a second receiving unit 603, a determining unit 604, a transmitting unit 605, and a third receiving unit 606, wherein,
the first receiving unit 601 is configured to receive an application service request of a target application service sent by a target user, where the application service request carries a record identifier of the target user;
the generating unit 602 is configured to generate an inquiry request according to the record identifier, and send the inquiry request to a cache server;
the second receiving unit 603 is configured to receive the query result sent by the cache server;
the determining unit 604 is configured to determine, according to the identity information, a service right of the target user in the target application service if the query result includes the identity information of the target user;
the sending unit 605 is configured to send the service right to the target application service;
the third receiving unit 606 is configured to receive a target response result sent by the target application service, where the target response result corresponds to the service right.
In this example, an application service request of a target application service sent by a target user is received, where the application service request carries a record identifier of the target user; a query request is generated according to the record identifier and sent to a cache server; a query result sent by the cache server is received; if the query result includes identity information of the target user, the service authority of the target user in the target application service is determined according to the identity information; the service authority is sent to the target application service; and a target response result sent by the target application service is received, where the target response result corresponds to the service authority. Therefore, compared with the existing scheme, in which an authority mechanism is set up separately for each application service, this scheme receives the application service request of the target application service sent by the target user, first verifies the target user, obtains the service authority of the target user after verification succeeds, and responds according to the service authority.
Optionally, in the aspect of determining the service right of the target user in the target application service according to the identity information, the determining unit 604 is configured to:
determining the authority template acquisition formula of the target user by adopting a preset authority template acquisition formula generation method according to the identity information;
generating an authority acquisition template according to the authority template acquisition formula;
acquiring an application identifier of the target application service and acquiring a plurality of service authorities of the target application;
and determining the service authority of the target user in the target application service from the plurality of service authorities according to the application identifier and the authority acquisition template.
Optionally, the apparatus is further configured to:
obtaining session information from the application service request;
and extracting the record identification of the target user from the session information.
Optionally, the authentication device is further configured to:
acquiring a first response result obtained by the target application service through a reference application service, wherein the reference application service is an associated application service of the target application service;
and determining the target response result according to the first response result and the second response result, wherein the second response result is a response result generated by the target application service.
Optionally, in terms of sending the service right to the target application service, the sending unit 605:
and sending the service authority to the target application service by adopting a preset load balancing method.
Embodiments of the present application also provide a computer storage medium, wherein the computer storage medium stores a computer program for electronic data exchange, and the computer program enables a computer to execute part or all of the steps of any one of the authentication methods as described in the above method embodiments.
Embodiments of the present application further provide a computer program product, which includes a non-transitory computer-readable storage medium storing a computer program, and the computer program causes a computer to execute part or all of the steps of any one of the authentication methods as described in the above method embodiments.
It should be noted that, for simplicity of description, the above-mentioned method embodiments are described as a series of acts or combination of acts, but those skilled in the art will recognize that the present application is not limited by the order of acts described, as some steps may occur in other orders or concurrently depending on the application. Further, those skilled in the art should also appreciate that the embodiments described in the specification are preferred embodiments and that the acts and modules referred to are not necessarily required in this application.
In the foregoing embodiments, the descriptions of the respective embodiments have respective emphasis, and for parts that are not described in detail in a certain embodiment, reference may be made to related descriptions of other embodiments.
In the embodiments provided in the present application, it should be understood that the disclosed apparatus may be implemented in other manners. For example, the above-described embodiments of the apparatus are merely illustrative, and for example, the division of the units is only one type of division of logical functions, and there may be other divisions when actually implementing, for example, a plurality of units or components may be combined or may be integrated into another system, or some features may be omitted, or not implemented. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection of some interfaces, devices or units, and may be an electric or other form.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, functional units in the embodiments of the present invention may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit. The integrated unit may be implemented in the form of hardware, or may be implemented in the form of a software program module.
The integrated units, if implemented in the form of software program modules and sold or used as stand-alone products, may be stored in a computer-readable memory. Based on such understanding, the technical solution of the present application in essence, or the part of it that contributes to the prior art, or all or part of the technical solution, may be embodied in the form of a software product stored in a memory and including several instructions for causing a computer device (which may be a personal computer, a server or a network device) to execute all or part of the steps of the method described in the embodiments of the present application. The aforementioned memory includes various media capable of storing program code, such as a USB disk, a read-only memory (ROM), a random access memory (RAM), a removable hard disk, a magnetic disk or an optical disk.
Those skilled in the art will appreciate that all or part of the steps in the methods of the above embodiments may be implemented by associated hardware instructed by a program, which may be stored in a computer-readable memory, which may include: flash memory disks, read-only memory, random access memory, magnetic or optical disks, and the like.
The foregoing detailed description of the embodiments of the present application has been presented to illustrate the principles and implementations of the present application, and the above description of the embodiments is only provided to help understand the method and the core concept of the present application; meanwhile, for a person skilled in the art, according to the idea of the present application, there may be variations in the specific embodiments and the application scope, and in summary, the content of the present specification should not be construed as a limitation to the present application.

Claims (8)

1. A method of authentication, the method comprising:
receiving an application service request of a target application service sent by a target user, wherein the application service request carries a record identifier of the target user;
generating a query request according to the record identifier, and sending the query request to a cache server;
receiving a query result sent by the cache server;
if the query result comprises the identity information of the target user, determining the service authority of the target user in the target application service according to the identity information;
sending the service permission to the target application service;
receiving a target response result sent by the target application service, wherein the target response result corresponds to the service authority;
the determining the service authority of the target user in the target application service according to the identity information comprises:
determining the authority template acquisition formula of the target user by adopting a preset authority template acquisition formula generation method according to the identity information;
generating an authority acquisition template according to the authority template acquisition formula;
acquiring an application identifier of the target application service and acquiring a plurality of service authorities of the target application;
determining the service authority of the target user in the target application service from the plurality of service authorities according to the application identifier and the authority acquisition template;
the determining the authority template acquisition formula of the target user by adopting a preset authority template acquisition formula generation method according to the identity information comprises the following steps:
inquiring in a database according to the identity information to obtain a plurality of generation methods corresponding to the identity information;
determining a generation method of an authority template acquisition formula of a target user according to a service address of a target application service;
according to the generation method, an authority template acquisition formula of the target user is determined.
2. The method of claim 1, further comprising:
obtaining session information from the application service request;
and extracting the record identification of the target user from the session information.
3. The method according to claim 1 or 2, characterized in that the method further comprises:
acquiring a first response result obtained by the target application service through a reference application service, wherein the reference application service is an associated application service of the target application service;
and determining the target response result according to the first response result and the second response result, wherein the second response result is a response result generated by the target application service.
4. The method according to claim 1 or 2, wherein the sending the service right to the target application service comprises:
and sending the service authority to the target application service by adopting a preset load balancing method.
5. An authentication apparatus, characterized in that the apparatus comprises a first receiving unit, a generating unit, a second receiving unit, a determining unit, a sending unit and a third receiving unit, wherein
the first receiving unit is configured to receive an application service request of a target application service sent by a target user, where the application service request carries a record identifier of the target user;
the generating unit is configured to generate a query request according to the record identifier and send the query request to a cache server;
the second receiving unit is configured to receive the query result sent by the cache server;
the determining unit is configured to determine, according to the identity information, a service authority of the target user in the target application service if the query result includes the identity information of the target user;
the sending unit is configured to send the service authority to the target application service;
the third receiving unit is configured to receive a target response result sent by the target application service, where the target response result corresponds to the service authority;
in the aspect of determining the service authority of the target user in the target application service according to the identity information, the determining unit is configured to:
determine the authority template acquisition formula of the target user by adopting a preset authority template acquisition formula generation method according to the identity information;
generate an authority acquisition template according to the authority template acquisition formula;
acquire an application identifier of the target application service and acquire a plurality of service authorities of the target application service;
determine the service authority of the target user in the target application service from the plurality of service authorities according to the application identifier and the authority acquisition template;
in the aspect of determining the authority template acquisition formula of the target user by using the preset authority template acquisition formula generation method according to the identity information, the determining unit is configured to:
query a database according to the identity information to obtain a plurality of generation methods corresponding to the identity information;
determine, from the plurality of generation methods, the generation method for the authority template acquisition formula of the target user according to a service address of the target application service;
and determine the authority template acquisition formula of the target user according to the generation method.
6. The apparatus of claim 5, wherein the authentication apparatus is further configured to:
obtaining session information from the application service request;
and extracting the record identification of the target user from the session information.
7. A terminal, comprising a processor, an input device, an output device, and a memory, the processor, the input device, the output device, and the memory being interconnected, wherein the memory is configured to store a computer program comprising program instructions, the processor being configured to invoke the program instructions to perform the method of any of claims 1-4.
8. A computer-readable storage medium, characterized in that the computer storage medium stores a computer program comprising program instructions that, when executed by a processor, cause the processor to perform the method according to any of claims 1-4.
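The following is an added worked example, not code from the patent or from Shenzhen Intellifusion Technologies, that simulates the gateway-side flow of claims 1, 5 and 6: the record identifier is taken from the session information of the request, looked up in the cache, the identity information selects a generation method by the target service's address, the resulting template is matched against the authorities the application exposes, and only the authorities the user holds are handed to the application service. Everything concrete is an assumption made for illustration: the cache is an in-memory dict standing in for the cache server, the "authority template acquisition formula" is a plain function per service address, the template is a set of attribute/value pairs, the application registry and its authorities are constructed data, the application service is simulated inline, and every missing step fails closed (the claims only state the positive path).

```python
"""Added example (not the patent's code): simulation of the cache-backed
authentication/authorization flow described in the claims."""
from typing import Callable, Dict, Optional, Set, Tuple

Identity = Dict[str, str]
Template = frozenset  # frozenset of (attribute, value) pairs

# Constructed cache: record identifier -> identity information. The claims put
# this on a separate cache server; a dict stands in for it here.
CACHE: Dict[str, Identity] = {
    "rec-7f3a9c": {"user_id": "u1001", "role": "analyst", "dept": "ops"},
}

# Constructed "generation methods" (claim 5): per identity role, keyed by the
# target service's address. Each one plays the role of the authority template
# acquisition formula and turns identity information into template attributes.
GENERATION_METHODS: Dict[str, Dict[str, Callable[[Identity], Dict[str, str]]]] = {
    "analyst": {
        "https://reports.internal": lambda i: {"role": i["role"], "dept": i["dept"]},
        "https://admin.internal": lambda i: {"role": i["role"]},
    },
}

# Constructed application registry: service address -> application identifier,
# and per application the service authorities it exposes, each gated on the
# attributes a template must carry for the authority to apply.
APP_IDS = {"https://reports.internal": "app-reports", "https://admin.internal": "app-admin"}
APP_AUTHORITIES: Dict[str, Dict[str, Set[Tuple[str, str]]]] = {
    "app-reports": {
        "report:read":   {("role", "analyst")},
        "report:export": {("role", "analyst"), ("dept", "ops")},
        "report:delete": {("role", "manager")},
    },
    "app-admin": {
        "user:list":   {("role", "analyst")},
        "user:create": {("role", "admin")},
    },
}


def record_id_from_session(request: dict) -> Optional[str]:
    """Claim 6: take the session information from the request and extract the
    record identifier. A missing or malformed session yields None."""
    session = request.get("session")
    if not isinstance(session, dict):
        return None
    rid = session.get("record_id")
    return rid if isinstance(rid, str) and rid else None


def query_cache(record_id: str) -> Optional[Identity]:
    """Query request / query result against the cache (a dict lookup here)."""
    return CACHE.get(record_id)


def build_template(identity: Identity, service_address: str) -> Template:
    """Claim 5: choose the generation method by the target service's address,
    apply it to the identity information, and build the acquisition template."""
    method = GENERATION_METHODS.get(identity.get("role", ""), {}).get(service_address)
    if method is None:
        return frozenset()  # no formula for this identity/service: empty template
    return frozenset(method(identity).items())


def service_authorities(template: Template, app_id: str) -> Set[str]:
    """Select, from all authorities the application exposes, those whose
    required attributes are all present in the template."""
    return {name for name, required in APP_AUTHORITIES.get(app_id, {}).items()
            if required <= template}


def target_service_response(app_id: str, perms: Set[str]) -> dict:
    """Simulated target application service: it answers only according to the
    service authorities the gateway handed it (the target response result)."""
    if app_id == "app-reports":
        return {"reports": ["q1", "q2"] if "report:read" in perms else [],
                "export_allowed": "report:export" in perms}
    return {"users": ["u1001"] if "user:list" in perms else []}


def authorize(request: dict) -> dict:
    """The whole flow. The authority is computed here from cached identity
    information and never taken from the client; every gap fails closed."""
    service_address = request.get("service_address", "")
    rid = record_id_from_session(request)
    if rid is None:
        return {"status": "denied", "reason": "no record identifier"}
    identity = query_cache(rid)
    if identity is None:
        return {"status": "denied", "reason": "identity not in cache"}
    app_id = APP_IDS.get(service_address)
    if app_id is None:
        return {"status": "denied", "reason": "unknown service"}
    perms = service_authorities(build_template(identity, service_address), app_id)
    return {"status": "ok", "user_id": identity["user_id"],
            "authorities": sorted(perms),
            "response": target_service_response(app_id, perms)}


if __name__ == "__main__":
    # Constructed request: session carries the record identifier only.
    print(authorize({"service_address": "https://reports.internal",
                     "session": {"record_id": "rec-7f3a9c"}}))
```

Two points this makes visible that the claims leave implicit: the cache lookup is the entire authentication step, so the record identifier must be unguessable and bound to the session (an attacker who can forge one is authenticated as that user), and the cache miss path must deny rather than fall through to the application service with an empty authority set.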
CN201811615602.2A 2018-12-27 2018-12-27 Authentication method and related product Active CN109829271B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201811615602.2A CN109829271B (en) 2018-12-27 2018-12-27 Authentication method and related product

Publications (2)

Publication Number Publication Date
CN109829271A CN109829271A (en) 2019-05-31
CN109829271B true CN109829271B (en) 2021-07-20

Family

ID=66860581

Country Status (1)

Country Link
CN (1) CN109829271B (en)

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111260375B (en) * 2019-11-26 2023-09-26 泰康保险集团股份有限公司 Service processing method and device
CN111428099B (en) * 2020-03-23 2023-12-26 中国建设银行股份有限公司 Financial service capability query method based on Internet of things and website management center system
CN115664838B (en) * 2022-11-09 2023-03-21 阿里巴巴(中国)有限公司 Method, system and device for determining right

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101047832A (en) * 2007-04-30 2007-10-03 中兴通讯股份有限公司 Implementing method for service capability authentication and its trigger of internet network TV
CN101453328A (en) * 2007-12-06 2009-06-10 中国移动通信集团公司 Identity management system and identity authentication system
CN101616126A (en) * 2008-06-23 2009-12-30 华为技术有限公司 Realize method, the Apparatus and system of data access authority control
CN103051631A (en) * 2012-12-21 2013-04-17 国云科技股份有限公司 Unified security authentication method for PaaS (Platform as a Service) platform and SaaS (Software as a Service) application system
CN103490886A (en) * 2012-06-12 2014-01-01 阿里巴巴集团控股有限公司 Permission data validation method, device and system
CN107045603A (en) * 2017-04-11 2017-08-15 北京深思数盾科技股份有限公司 Control method and device are called in a kind of application

Similar Documents

Publication Publication Date Title
CN111212095B (en) Authentication method, server, client and system for identity information
EP3251324B1 (en) Secure access to cloud-based services
JP6716745B2 (en) Blockchain-based authorization authentication method, terminal and server using this
KR101560440B1 (en) Methods and apparatus for secure dynamic authority delegation
US9219722B2 (en) Unclonable ID based chip-to-chip communication
US8037515B2 (en) Methods and apparatus for providing application credentials
US10348706B2 (en) Assuring external accessibility for devices on a network
US9003191B2 (en) Token-based authentication using middle tier
CN110322940B (en) Access authorization method and system for medical data sharing
US8977857B1 (en) System and method for granting access to protected information on a remote server
US20090034725A1 (en) Method of and system for encryption and authentication
JP7421771B2 (en) Methods, application servers, IOT devices and media for implementing IOT services
US20120240211A1 (en) Policy-based authentication
US20130139235A1 (en) Application-based credential management for multifactor authentication
CN109829271B (en) Authentication method and related product
CN110569658A (en) User information processing method and device based on block chain network, electronic equipment and storage medium
Dey et al. MDA: message digest-based authentication for mobile cloud computing
CN111460400A (en) Data processing method and device and computer readable storage medium
Hosen et al. SPTM-EC: A security and privacy-preserving task management in edge computing for IIoT
Guo et al. Using blockchain to control access to cloud data
Chae et al. A study on secure user authentication and authorization in OAuth protocol
CN110138558A (en) Transmission method, equipment and the computer readable storage medium of session key
CN115459905A (en) System and method for safety certification and high-availability message communication of Internet of things equipment
CN111737725A (en) User marking method, device, server and storage medium
US20230229752A1 (en) Attestation of application identity for inter-app communications

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant