CN110430213A - Service request processing method, apparatus and system - Google Patents

Service request processing method, apparatus and system

Info

Publication number: CN110430213A
Authority: CN (China)
Prior art keywords: browser, service request, request, verification platform, verifying
Legal status: Granted
Application number: CN201910754278.0A
Other languages: Chinese (zh)
Other versions: CN110430213B (en)
Inventors: 葛应超, 徐寅俊, 卢明樊, 杨光
Current Assignee: Beijing QIYI Century Science and Technology Co Ltd
Original Assignee: Beijing QIYI Century Science and Technology Co Ltd
Application filed by Beijing QIYI Century Science and Technology Co Ltd
Priority to CN201910754278.0A
Publication of CN110430213A
Publication of CN110430213B (application granted)

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/02: Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227: Filtering policies
    • H04L63/0236: Filtering by address, protocol, port number or service, e.g. IP-address or URL
    • H04L63/08: Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0876: Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint

Abstract

This application discloses a service request processing method, apparatus and system. In the method, a firewall device intercepts a service request sent by a browser to a service server. If the service request does not carry a verification-passed mark distributed by a verification platform, and the security of the service request is detected to be uncertain, the firewall device redirects the browser to the verification platform, so that the verification platform performs behavior verification on the user of the browser. When the verification platform confirms through the behavior verification that the user of the browser is a real user, it assigns a verification-passed mark to the browser and instructs the browser to send to the service server a service request carrying the verification-passed mark. If the firewall device detects that the service request carries a verification-passed mark distributed by the verification platform, it sends the service request to the service server. The scheme of this application can reduce cases in which service requests sent by normal users to the server through a client are intercepted.

Description

Service request processing method, apparatus and system
Technical field
This application relates to the field of communication technology, and in particular to a service request processing method, apparatus and system.
Background
To ensure the security of a business system, a service request sent by a client to the server of the business system must first be verified by a firewall before it can be received by that server.
While processing service requests, the firewall frequently encounters service requests whose security is uncertain. In that case, for the security of the business system, the firewall also intercepts these service requests. However, many of the service requests whose security is uncertain are requests normally initiated by real users, and intercepting these requests from real users inevitably affects normal access to the business system.
Summary of the invention
In view of this, this application provides a service request processing method, apparatus and system, to reduce cases in which service requests sent by normal users to the server through a client are intercepted.
To achieve the above object, in one aspect, this application provides a service request processing method, applied to a firewall device, comprising:
intercepting a service request sent by a browser to a service server;
if the service request does not carry a verification-passed mark distributed by a verification platform, and the security of the service request is detected to be uncertain, redirecting the browser to the verification platform, so that the verification platform performs behavior verification on the user of the browser; wherein, when the verification platform confirms through the behavior verification that the user of the browser is a real user, it assigns a verification-passed mark to the browser and instructs the browser to send to the service server a service request carrying the verification-passed mark;
if the service request carries a verification-passed mark distributed by the verification platform, sending the service request to the service server.
Preferably, sending the service request to the service server if the service request carries the verification-passed mark distributed by the verification platform comprises:
if the service request carries a verification-passed mark, sending the verification-passed mark to the verification platform for verification, to verify whether the mark was distributed by the verification platform;
if the verification-passed mark is one distributed by the verification platform, sending the service request to the service server.
Preferably, in the case where the service request does not carry a verification-passed mark distributed by the verification platform and the security of the service request is detected to be uncertain, the method further comprises:
obtaining a first request characteristic parameter associated with the service request;
transferring the first request characteristic parameter to the verification platform, so that the verification platform obtains a second request characteristic parameter from the browser, determines the behavior verification mode of the behavior verification according to the result of comparing the first request characteristic parameter with the second request characteristic parameter, and performs behavior verification on the user of the browser based on that behavior verification mode.
Preferably, redirecting the browser to the verification platform comprises:
returning a redirect link to the browser, the redirect link pointing to the verification platform;
and transferring the access characteristic parameter to the verification platform comprises:
carrying the first request characteristic parameter in the redirect link, so that when the browser accesses the verification platform, the first request characteristic parameter is sent to the verification platform.
In another aspect, this application also provides a service request processing system, comprising:
a firewall device and a verification platform;
wherein the firewall device is configured to intercept a service request sent by a browser to a service server; if the service request does not carry a verification-passed mark distributed by the verification platform, and the security of the service request is detected to be uncertain, redirect the browser to the verification platform; and if the service request carries a verification-passed mark distributed by the verification platform, send the service request to the service server;
the verification platform is configured to, after receiving an access request from the browser, return a verification page to the browser, the verification page displaying an operation prompt for behavior verification; obtain the input operation data of the user of the browser on the verification page; perform behavior verification on the input operation data according to the behavior verification mode corresponding to the verification page, to obtain a behavior verification result; and, when the behavior verification result indicates that the user of the browser is a real user, assign a verification-passed mark to the browser and instruct the browser to send to the service server a service request carrying the verification-passed mark.
Preferably, the firewall device is further configured to, in the case where the service request does not carry a verification-passed mark distributed by the verification platform and the security of the service request is detected to be uncertain, obtain a first request characteristic parameter associated with the service request, and transfer the first request characteristic parameter to the verification platform;
the verification platform returning the verification page to the browser is specifically:
obtaining a second request characteristic parameter from the browser; determining the behavior verification mode of the behavior verification according to the result of comparing the first request characteristic parameter with the second request characteristic parameter; and returning to the browser the verification page that matches the behavior verification mode.
Preferably, the firewall device redirecting the browser to the verification platform and transferring the first request characteristic parameter to the verification platform is specifically:
returning a redirect link to the browser, the redirect link pointing to the verification platform and carrying the first request characteristic parameter, wherein the access request that the browser sends to the verification platform based on the redirect link carries the first request characteristic parameter.
Preferably, assigning a verification-passed mark to the browser and instructing the browser to send to the service server a service request carrying the verification-passed mark comprises:
storing the verification-passed mark in the browser and redirecting the browser to the service server, so that the browser sends to the service server a service request carrying the verification-passed mark.
In another aspect, this application also provides a service request processing apparatus, applied to a firewall device, comprising:
a request interception unit, configured to intercept a service request sent by a browser to a service server;
a verification directing unit, configured to, if the service request does not carry a verification-passed mark distributed by a verification platform and the security of the service request is detected to be uncertain, redirect the browser to the verification platform, so that the verification platform performs behavior verification on the user of the browser; wherein, when the verification platform confirms through the behavior verification that the user of the browser is a real user, it assigns a verification-passed mark to the browser and instructs the browser to send to the service server a service request carrying the verification-passed mark;
a request passing unit, configured to send the service request to the service server if the service request carries a verification-passed mark distributed by the verification platform.
Preferably, the request passing unit comprises:
a mark verification subunit, configured to, if the service request carries a verification-passed mark, send the verification-passed mark to the verification platform for verification, to verify whether the mark was distributed by the verification platform;
a request passing subunit, configured to send the service request to the service server if the verification-passed mark is one distributed by the verification platform.
As can be seen from the above, in the embodiments of this application, after the firewall device intercepts a service request sent by the browser to the service server, if it detects that the security of the service request is uncertain and the service request does not carry a verification-passed mark distributed by the verification platform, the firewall device redirects the service request to the verification platform, so that the verification platform performs behavior verification on the user of the browser. When the verification platform determines through the behavior verification that the user of the browser is a real user, it assigns a verification-passed mark to the browser and instructs the browser to send to the service server a service request carrying that mark. When the firewall device then identifies the verification-passed mark carried in the service request, it allows the service request to be sent to the service server. This avoids the firewall device intercepting every service request whose security is uncertain, so that service requests initiated by real users can pass through the firewall device to the service server, and it reduces cases in which service requests sent by normal users to the service server through a client are intercepted.
Brief description of the drawings
To explain the technical solutions in the embodiments of this application more clearly, the drawings needed in the description of the embodiments are briefly introduced below. The drawings described below are only embodiments of this application; those of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a schematic diagram of the structure of a service request processing system of this application;
Fig. 2 is a flow diagram of one embodiment of a service request processing method of this application;
Fig. 3 is a flow diagram of another embodiment of a service request processing method of this application;
Fig. 4 is a schematic diagram of the process interaction of a service request processing method of this application;
Fig. 5 is a schematic diagram of the structure of a service request processing apparatus of this application.
Detailed description of the embodiments
The scheme of this application applies to scenarios in which a firewall device is deployed in front of the service server of a business system, and aims to reduce cases in which service requests initiated by normal users are wrongly intercepted when the firewall device cannot determine the security of a service request.
To make the scheme easier to understand, the service request processing system of this application is introduced first.
In the embodiments of this application, the service request processing system is a system that performs risk identification on a service request before the request reaches the service server. The service request processing system includes at least a firewall device and a verification platform connected to the firewall device through a network; the verification platform can further verify service requests whose security the firewall device cannot determine.
Fig. 1 shows a schematic diagram of the structure of a service request processing system of this application.
As can be seen from Fig. 1, the system includes a firewall device 101 and a verification platform 102.
The firewall device 101 and the verification platform 102 are connected through a network.
The verification platform may include one or more verification servers 103, and the operations performed by the verification platform can be regarded as completed by one or more verification servers in the platform. Correspondingly, the connection between the firewall device and the verification platform can be regarded as a network connection between the firewall device and a verification server in the verification platform.
A firewall plug-in may run on the firewall device; by running the plug-in, the device can perform security detection on service requests.
It can be understood that the firewall device is deployed between the service server 104 and the browser client (also referred to as the browser) 105. The service server may be a server in a business system that provides business services, such as a website server or an application platform server. The client is the client that accesses the service server.
A service request sent by the client to the service server passes through the firewall device.
Correspondingly, the firewall device intercepts the service request sent by the client to the service server, performs security detection on it, and sends it to the service server once it confirms that the request is safe.
The way the firewall device performs security detection on a service request can be set as needed. It can be understood that the firewall device cannot classify every service request as safe or unsafe; for some service requests it cannot determine the security. In this embodiment, if the firewall device cannot determine the security of a service request, it can redirect the request to the verification platform for further verification, to verify whether the user of the browser that issued the request is a real user and so prevent malicious access to the service server by means such as machine simulation.
As shown in Fig. 1, the browser client and the verification platform may also be connected through a network.
To make the operations on the firewall device side and the verification platform side easier to understand, the service request processing method of this application is introduced below from each of these two sides with reference to flow charts.
Fig. 2 shows a flow diagram of one embodiment of a service request processing method of this application. The method of this embodiment is applied to a firewall device and may include:
S201: intercept the service request sent by the browser to the service server.
The firewall device intercepts the service request in order to detect its security, so that the firewall device can decide whether to send the service request to the service server.
S202: if the service request does not carry a verification-passed mark distributed by the verification platform, and the security of the service request is detected to be uncertain, redirect the browser to the verification platform, so that the verification platform performs behavior verification on the user of the browser.
After intercepting the service request, the firewall device may first detect whether it carries a verification-passed mark distributed by the verification platform. The verification-passed mark is a mark showing that the verification platform has verified that the user of the browser is a real user. If the request carries the mark, then before the current time the browser was redirected to the verification platform for sending a service request whose security was uncertain, and it has passed the verification platform's verification. In that case, the service request is an access request initiated to the business system by a normal user, so it can be sent to the service server of the business system.
Conversely, if the service request does not carry the verification-passed mark, the browser that sent it has not yet been verified by the verification platform; in that case, the firewall device may check the security of the service request.
If the firewall device can confirm that the service request is safe, it may send the request to the service server. If the firewall device confirms that the service request is unsafe, it may discard the request, so that the request is not allowed to reach the service server. If the firewall device cannot confirm whether the service request is safe or unsafe, that is, the security of the service request is uncertain, the firewall device may redirect the browser that sent the request to the verification platform.
Redirecting the browser to the verification platform may be done by returning a redirect link to the browser; the redirect link points to the verification platform, so that the browser accesses the verification platform based on the link. Optionally, the redirect link may point to the verification page of the verification platform, so that after the browser accesses the verification platform, the verification page used to verify user behavior is displayed in the browser.
Correspondingly, the verification platform may perform behavior verification on the browser to verify whether the user of the browser is a real user. If the behavior verification confirms that the user of the browser is a real user, the verification platform assigns a verification-passed mark to the browser and instructs the browser to send to the service server a service request carrying the verification-passed mark.
The behavior verification that the verification platform performs on the browser may use any of several behavior verification modes, such as verification-code input, slider dragging, or SMS verification code. Correspondingly, the user of the browser performs the corresponding input operation according to the prompt for the behavior verification the platform requires, so that the verification platform can perform behavior verification on the user's input operation data and analyze whether the user of the browser is a real user.
For the specific operations on the verification platform side, see the description of the verification platform side in the embodiments below; they are not repeated here.
Optionally, considering that the verification platform may provide several behavior verification modes, and so that it can select a suitable one from among them, this application may also send characteristic parameters related to the service request to the verification platform. The verification platform can then compare these parameters with the characteristic parameters on the browser side at the time of behavior verification and select the behavior verification mode according to the comparison result.
Specifically, the firewall device may obtain the first request characteristic parameter associated with the service request. The first request characteristic parameter may be characteristic information of the browser that sent the service request. This data may be obtained from the parameters carried in the service request, or from the browser's cookies.
For example, the first request characteristic parameter may include one or more of: the IP address corresponding to the browser that initiated the service request, the domain name, proxy information, and the request time of the service request. In addition, the first request characteristic parameter may include attribute information of the browser recorded in the browser's cookies, such as browser version, kernel, screen resolution and operating system type, and may also include some or all of the other data recorded in the cookies.
Correspondingly, in the case where the service request does not carry a verification-passed mark distributed by the verification platform and the security of the service request is detected to be uncertain, the firewall device may also transfer the first request characteristic parameter to the verification platform. In that case, after the verification platform obtains the second request characteristic parameter from the browser, it can determine the behavior verification mode of the behavior verification according to the result of comparing the first request characteristic parameter with the second request characteristic parameter, and perform behavior verification on the user of the browser based on that mode.
The second request characteristic parameter may contain the same parameter types as the first request characteristic parameter. The difference is that the second request characteristic parameter is obtained from the browser after the browser has been redirected to the verification platform, so the two are obtained at different moments. It can be understood that the first and second request characteristic parameters reflect how the browser's parameters change between those moments, and show whether the browser's environment has changed substantially. This gives a preliminary judgment of how likely it is that the user of the browser is not a real user, and helps the verification platform select a suitable behavior verification mode.
Optionally, where the firewall sends a redirect link to the browser, the redirect link may carry the first request characteristic parameter, so that when the browser accesses the verification platform, the browser sends the first request characteristic parameter to the verification platform.
S203: if the service request carries a verification-passed mark distributed by the verification platform, send the service request to the service server.
As described for step S202, if the service request carries a verification-passed mark, then although the firewall cannot confirm whether the service request issued by the browser is safe, the verification platform has already verified that the user of the browser is a real user. In that case, the service request issued by the browser can be regarded as safe and can be sent directly to the service server.
It can be understood that, to prevent the browser from forging a verification-passed mark, if the service request carries a verification-passed mark, the mark may be sent to the verification platform for verification, to verify whether it was distributed by the verification platform. If the verification platform confirms that the mark is one it distributed, the firewall device may send the service request to the service server.
It can be understood that, to reduce the complexity of confirming the verification-passed mark, the verification platform and the firewall device may agree in advance on the encryption key and decryption key to be used. In that case, the verification-passed mark that the verification platform assigns to the browser may be encrypted with the encryption key. Correspondingly, if the service request carries an encrypted verification-passed mark and the firewall device can decrypt it with the preset decryption key, the firewall device determines that the decrypted mark is one distributed by the verification platform, and allows the service request to be sent to the service server.
Of course, there are other possible ways to confirm whether a verification-passed mark was distributed by the verification platform; no restriction is imposed here.
It can be understood that, to further ensure the security of the service server, this application may also set an effective time for the verification-passed mark distributed by the verification platform. Correspondingly, the verification-passed mark also has a generation moment. On this basis, once the firewall device confirms that the service request carries a verification-passed mark, it may check whether the duration between the mark's generation moment and the current time exceeds the effective time. If the effective time has not been exceeded, the firewall device determines that the mark is still valid and sends the service request to the service server.
As can be seen, after the firewall device intercepts a service request sent by the browser to the service server, if it detects that the security of the service request is uncertain and the service request does not carry a verification-passed mark distributed by the verification platform, the firewall device redirects the service request to the verification platform, so that the verification platform performs behavior verification on the user of the browser. When the verification platform determines through the behavior verification that the user of the browser is a real user, it assigns a verification-passed mark to the browser and instructs the browser to send to the service server a service request carrying that mark. When the firewall device then identifies the verification-passed mark carried in the service request, it allows the service request to be sent to the service server. This avoids the firewall device intercepting every service request whose security is uncertain, so that service requests initiated by real users can pass through the firewall device to the service server, and it reduces cases in which service requests sent by normal users to the service server through a client are intercepted.
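The firewall-side decision in S201 to S203, including the shared-key check and the effective-time check on the verification-passed mark, sketched in Python as an added example (not code from the patent or its assignee). It uses an HMAC-SHA256 tag in place of the encryption and decryption the description mentions; the cookie name, validity period, platform URL, `return_to` parameter and `demo_classify` rule are hypothetical, and a forged or expired mark is treated here as if no mark were present.

```python
import base64
import hashlib
import hmac
import json
import secrets
from urllib.parse import urlencode

# Assumptions of this sketch; none of these names or values come from the patent text.
SHARED_KEY = b"constructed-demo-key"          # key agreed in advance by platform and firewall
MARK_COOKIE = "verify_pass"                   # hypothetical cookie carrying the mark
VALIDITY_SECONDS = 600                        # hypothetical effective time of a mark
VERIFY_URL = "https://verify.example/check"   # placeholder verification-platform address


def sign(payload: bytes) -> bytes:
    """HMAC-SHA256 tag under the shared key (stands in for the agreed encryption)."""
    return hmac.new(SHARED_KEY, payload, hashlib.sha256).hexdigest().encode()


def issue_mark(now: float) -> str:
    """Verification-platform side: build a mark that records its generation moment."""
    payload = json.dumps({"iat": int(now), "nonce": secrets.token_hex(8)}).encode()
    return base64.urlsafe_b64encode(payload).decode() + "." + sign(payload).decode()


def mark_is_valid(mark: str, now: float) -> bool:
    """Firewall side: the mark must verify under the shared key and be within its effective time."""
    try:
        body, tag = mark.split(".", 1)
        payload = base64.urlsafe_b64decode(body.encode())
        if not hmac.compare_digest(sign(payload), tag.encode()):
            return False          # not produced with the shared key: forged or corrupted
        age = now - json.loads(payload)["iat"]
    except (ValueError, KeyError, TypeError):
        return False              # malformed mark
    return 0 <= age <= VALIDITY_SECONDS


def demo_classify(request: dict) -> str:
    """Constructed stand-in for the firewall's own detection, which the description leaves open."""
    if not request.get("headers", {}).get("User-Agent"):
        return "unsafe"
    return "uncertain" if request.get("rate_per_min", 0) > 60 else "safe"


def handle_request(request: dict, classify, now: float) -> tuple:
    """Return ("forward" | "drop" | "redirect", detail) for an intercepted service request."""
    mark = request.get("cookies", {}).get(MARK_COOKIE)
    if mark is not None and mark_is_valid(mark, now):
        return ("forward", "verification-passed mark accepted")        # S203
    verdict = classify(request)                                         # S202: no usable mark
    if verdict == "safe":
        return ("forward", "firewall detection: safe")
    if verdict == "unsafe":
        return ("drop", "firewall detection: unsafe")
    # Security uncertain: send the browser to the verification platform.
    return ("redirect", VERIFY_URL + "?" + urlencode({"return_to": request["url"]}))


if __name__ == "__main__":
    t0 = 1_700_000_000.0
    # Constructed sample request from a browser with a high request rate and no mark.
    req = {"url": "https://shop.example/order", "headers": {"User-Agent": "demo"},
           "rate_per_min": 120, "cookies": {}}
    print(handle_request(req, demo_classify, t0))
    req["cookies"][MARK_COOKIE] = issue_mark(t0)      # browser returns after verification
    print(handle_request(req, demo_classify, t0 + 30))
    print(handle_request(req, demo_classify, t0 + VALIDITY_SECONDS + 1))
```
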
The service request processing method of the present application is introduced below from the verification platform side. Fig. 3 shows a flow diagram of another embodiment of a service request processing method of the present application. This embodiment is applied to the verification platform, and the method of this embodiment may include:
S301: after receiving an access request from the browser, return a verification page to the browser.
The access request is the access request that the browser sends to the verification platform after being redirected by the firewall device. For example, after the firewall device sends the browser a redirect instruction carrying a redirect link, the browser sends the access request to the verification platform based on the redirect link.
The verification page displays an operation prompt for behavior verification. The verification page is the page the verification platform needs in order to perform behavior verification on the user of the browser. For example, the verification page may display the operation prompt corresponding to at least one behavior verification mode: when the behavior verification mode is dragging a slider, the operation prompt displayed on the verification page may be "Please drag the slider to the right"; when the behavior verification mode is character input verification, the operation prompt may be "Please enter the characters shown in the prompt box".
Optionally, where the firewall device returns the first request characteristic parameter to the verification platform directly or through the browser (e.g., the access request carries the first request characteristic parameter), the verification platform may also obtain a second request characteristic parameter from the browser. For example, after receiving the access request, the verification platform obtains the second request characteristic parameter from the browser's cookies over its connection with the browser. As another example, after receiving the access request, the verification platform returns an initial verification page to the browser (which may not include a specific behavior verification mode or operation prompt), and a plug-in in the verification page running in the browser obtains the second request characteristic parameter from the browser's cookies.
Correspondingly, the behavior verification mode of the behavior verification is determined according to the comparison result of the first request characteristic parameter and the second request characteristic parameter. A verification page matching the behavior verification mode can then be returned to the browser, so that the operation prompt corresponding to the behavior verification mode is displayed in the verification page. For example, the verification page is returned to the browser after the access request is received, and after the behavior verification mode is determined, the verification page is updated so that the updated verification page displays the operation prompt corresponding to the behavior verification mode.
Alternatively, where the firewall device returns a redirect link to the browser and the redirect link carries the first request characteristic parameter, the access request that the browser sends to the verification platform based on the redirect link carries the first request characteristic parameter. In that case, the verification platform can obtain the first request characteristic parameter from the access request.
S302: obtain the input operation data of the user in the verification page of the browser.
The input operation data on the verification page reflects the data that the user entered for behavior verification based on the operation prompt. The input operation data can therefore reflect whether the user's input operation is consistent with the user input behavior required by the behavior verification mode.
S303: perform behavior verification on the input operation data according to the behavior verification mode corresponding to the verification page, to obtain a behavior verification result.
The behavior verification result characterizes whether the user input operation on the verification page corresponding to the input operation data is consistent with the user input operation required by the behavior verification mode. If the user input operation on the verification page is consistent with the user input operation required by the behavior verification mode, it can be confirmed that the user of the browser is a real user. The verification result can thus reflect whether the user of the browser is a real user.
For example, suppose the behavior verification mode is slider verification and the slider needs to be dragged to the left to a designated position. If the input operation data characterizes that the user dragged the slider to the designated position in the verification page, the behavior verification result is that the user's input operation is consistent with the user input operation required by the verification mode.
S304: where the behavior verification result characterizes that the user of the browser is a real user, distribute a verified identifier to the browser, and instruct the browser to send the service server a service request carrying the verified identifier.
The verified identifier indicates that the user of the browser is a real user who has passed verification.
There are various ways to instruct the browser to send the service server the service request carrying the verified identifier.
For example, the browser can be redirected to the service server, so that the browser again sends the service server a service request, this time carrying the verified identifier. For instance, the verification platform can send the browser a redirect instruction that instructs the browser to redirect to the service server. Correspondingly, the browser can again send the service server a service request carrying the verified identifier. In that case, when the verification platform detects that the service request carries the verified identifier, the service request can be forwarded to the service server. This avoids the situation in which the firewall device, unable to identify the safety of the service request, directly blocks it, so that a service request initiated by a real user cannot reach the service server.
For example, the verification platform distributes the verified identifier to the browser so that the browser stores it. Correspondingly, after being redirected to the service server, the browser can send the service server a service request carrying the verified identifier.
Alternatively, distributing the verified identifier to the browser may consist of storing the verified identifier distributed to the browser in the browser's cookies. Correspondingly, after being redirected to the service server, the browser can take the verified identifier out of the cookies and send the service server a service request carrying the verified identifier stored in the cookies.
It can be understood that, to guarantee the security of data interaction between the firewall device and the verification platform and to improve the reliability of service request verification, the data exchanged between the firewall device and the verification platform may also be encrypted with a preset key. For example, the firewall encrypts the first request characteristic parameter before transferring it to the verification platform.
For a more thorough understanding of the solution of the present application, the service request processing method of the present application is introduced below from the perspective of the interaction between the devices.
Fig. 4 shows a flow interaction diagram of a service request processing method of the present application. The method of this embodiment may include:
S401: the firewall device intercepts the service request sent by the browser to the service server.
S402: the firewall device detects whether the service request carries a verified identifier distributed by the verification platform; if so, step S403 is executed; if not, step S404 is executed.
S403: the firewall device sends the service request to the service server.
If the service request carries the verified identifier, the browser issuing the service request is not sending the service request for the first time, and the browser has already been verified by the verification platform.
S404: if the service request does not carry a verified identifier distributed by the verification platform, the firewall device performs safety detection on the service request.
The result of the safety detection can be determined comprehensively from the parameters carried by the service request together with the browser's historical access count, access frequency and so on; the present application does not restrict the specific detection method.
S405: if the detection cannot determine the safety of the service request, the firewall device obtains the first feature parameter associated with the service request.
The first feature parameter can at least reflect the attribute features of the browser at the current moment. The first feature parameter can be obtained from the browser's cookies, and can also be obtained in combination with the parameters carried by the service request. For example, the first feature parameter may include the browser's running environment, the resolution, the IP address of the client where the browser is located, and so on.
It can be understood that, if the detection confirms that the service request is a safe request, the service request can be sent to the service server; if the service request is an unsafe request, the service request can be discarded. This part is different from the existing approach and is not repeated in this application; the application focuses on the processing performed when the safety of the service request cannot be determined.
S406: the firewall device encrypts the first feature parameter using a preset encryption key to obtain the encrypted first feature parameter, and sends a first redirect instruction to the browser.
For example, the first feature parameter may be encrypted using the Advanced Encryption Standard (AES); of course, other encryption algorithms may also be used.
The first redirect instruction carries a redirect link; the redirect link carries the encrypted first feature parameter and points to the verification page of the verification platform.
The first redirect instruction instructs the browser to access the redirect link, so that the browser is redirected to the verification page of the verification platform.
For ease of distinction, the redirect instruction sent by the firewall device to the browser is called the first redirect instruction, and the redirect instruction subsequently sent by the verification platform to the browser is called the second redirect instruction.
Of course, the encrypted first feature parameter may also be carried in the redirect instruction.
S407: the browser sends the verification platform an access request carrying the encrypted first feature parameter.
S408: the verification platform uses a preset decryption key to decrypt the first feature parameter received from the browser, and returns the data of the verification page to the browser, so that the browser loads and runs the data of the verification page and displays the verification page in the browser.
S409: through the plug-in in the verification page running on the browser side, the verification platform obtains the second feature parameter from the browser's cookies.
The second feature parameter is a parameter, obtained from the browser after the verification platform receives the browser's access request, that characterizes the current attribute features of the browser.
Obtaining the second feature parameter from the browser's cookies through the plug-in in the verification page is only one optional way; the other ways described above are equally applicable to this embodiment.
S410: the verification platform determines the behavior verification mode for the browser according to the comparison result of the first feature parameter and the second feature parameter.
For example, it compares whether the attribute values of parameters of the same kind in the first feature parameter and the second feature parameter are identical.
How the behavior verification mode is determined from the comparison result can be set as needed. For example, the risk level of the browser can be determined according to the number of parameters whose attribute values have changed, and a behavior verification mode matching the current risk level is then selected.
S411: the verification platform updates the verification page on the browser side according to the behavior verification mode, so that the updated verification page displays the operation prompt matching the behavior verification mode.
S412: the verification platform obtains the input operation data of the user of the browser in the verification page.
S413: where the verification platform determines, according to the input operation data and the behavior verification mode, that the user of the browser is a real user, it writes the distributed verified identifier into the browser's cookies.
It can be understood that, if the verification platform determines from the input operation data obtained in the verification page that the user input operation in the verification page is inconsistent with the user input operation required by the behavior verification mode, the verification platform may skip the subsequent operations and end the process. It may also distribute a verification-failed identifier to the browser; when the browser subsequently accesses the service server again, the request carries the verification-failed identifier, so the firewall device can recognize the verification-failed identifier and either discard the service request directly, or discard it where the safety of the service request is detected to be uncertain.
S414: the verification platform sends a second redirect instruction to the browser.
This redirect instruction instructs the browser to access the service server, for example so that the browser sends the service server a service request carrying the verified identifier.
S415: in response to the second redirect instruction, the browser obtains the verified identifier stored in the cookies and sends the service server a service request carrying the verified identifier.
It can be understood that after the browser issues the service request in step S415, step S401 is triggered again, i.e. the firewall device intercepts the service request. Because the service request carries the verified identifier, this time the firewall device executes step S403 and forwards the service request to the service server.
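The S401 to S415 exchange above can be followed in the sketch below, which is an added example and not code from the patent; it also includes the optional check in which the firewall asks the verification platform whether an identifier was really distributed by it. Assumptions: the cookie name `verified_id`, the `detect` callable, the rule that any changed attribute selects character input, the slider tolerance, and an HMAC tag standing in for the AES encryption of S406 (integrity only, swapped in because the Python standard library has no AES).

```python
import hashlib
import hmac
import json
import secrets

KEY = secrets.token_bytes(32)  # assumption: key preset on both firewall and platform


def _tag(body):
    return hmac.new(KEY, body.encode(), hashlib.sha256).hexdigest()


def seal(features):
    """S406 stand-in: HMAC-SHA256 tag (integrity only), not the AES encryption the text names."""
    body = json.dumps(features, sort_keys=True)
    return _tag(body) + "." + body


def unseal(blob):
    """S408 stand-in: return the feature dict, or None if the value was altered in transit."""
    tag, _, body = blob.partition(".")
    ok = hmac.compare_digest(tag.encode(), _tag(body).encode())
    return json.loads(body) if ok else None


class VerificationPlatform:
    def __init__(self):
        self._issued = set()  # verified identifiers distributed so far

    def choose_mode(self, first, second):
        """S410: count attributes whose value differs between the two snapshots."""
        changed = sum(1 for k in first if first[k] != second.get(k))
        # Assumption: any change is treated as higher risk and gets character input.
        return "slider" if changed == 0 else "character_input"

    def verify_and_issue(self, blob, second, user_input, challenge):
        """S408-S413: return a verified identifier, or None if verification fails."""
        first = unseal(blob)
        if first is None:
            return None
        if self.choose_mode(first, second) == "slider":
            x = user_input.get("slider_x")
            ok = x is not None and abs(x - challenge["slider_x"]) <= 3  # assumed tolerance
        else:
            ok = user_input.get("text") == challenge["text"]
        if not ok:
            return None
        token = secrets.token_urlsafe(24)
        self._issued.add(token)
        return token

    def was_issued(self, token):
        """Lets the firewall confirm the identifier was distributed by this platform."""
        return token in self._issued


class Firewall:
    def __init__(self, platform, detect):
        self.platform = platform
        self.detect = detect  # hypothetical detector: "safe", "unsafe" or "uncertain"

    def handle(self, request):
        """S401-S406: return (action, redirect_parameter)."""
        token = request["cookies"].get("verified_id")
        if token and self.platform.was_issued(token):
            return ("forward", None)                      # S403
        # Assumption: a missing or unrecognised identifier falls through to detection.
        verdict = self.detect(request)                    # S404
        if verdict == "safe":
            return ("forward", None)
        if verdict == "unsafe":
            return ("drop", None)
        return ("redirect", seal(request["features"]))   # S405-S406


def demo():
    """One browser going through the whole exchange; all values are constructed."""
    platform = VerificationPlatform()
    firewall = Firewall(platform, detect=lambda req: "uncertain")
    features = {"env": "ExampleBrowser/1.0", "resolution": "1920x1080", "ip": "192.0.2.10"}
    browser = {"cookies": {}, "features": features}
    challenge = {"slider_x": 120, "text": "k7Qp"}
    action, blob = firewall.handle(browser)               # first attempt, no identifier
    trace = [action]
    token = platform.verify_and_issue(blob, dict(features), {"slider_x": 119}, challenge)
    browser["cookies"]["verified_id"] = token             # S413: written to cookies
    trace.append(firewall.handle(browser)[0])             # S415, then S401 and S403
    return trace


if __name__ == "__main__":
    print(demo())
```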
In another aspect, the present application also provides a service request processing apparatus. Fig. 5 shows a schematic structural diagram of a service request processing apparatus of the present application. The apparatus is applied to a firewall device and comprises:
a request interception unit 501, configured to intercept the service request sent by the browser to the service server;
a verification directing unit 502, configured to, if the service request does not carry a verified identifier distributed by the verification platform and the safety of the service request is detected to be uncertain, redirect the browser to the verification platform, so that the verification platform performs behavior verification on the user of the browser; wherein, where the verification platform confirms through the behavior verification that the user of the browser is a real user, the verification platform distributes a verified identifier to the browser and instructs the browser to send the service server a service request carrying the verified identifier;
a request passing unit 503, configured to send the service request to the service server if the service request carries a verified identifier distributed by the verification platform.
Optionally, the request passing unit comprises:
an identifier verification subunit, configured to, if the service request carries a verified identifier, send the verified identifier to the verification platform for verification, to verify whether the verified identifier was distributed by the verification platform;
a request passing subunit, configured to send the service request to the service server if the verified identifier is a verified identifier distributed by the verification platform.
In one possible implementation, the apparatus further comprises a parameter acquiring unit, configured to obtain the first request characteristic parameter associated with the service request where the service request does not carry a verified identifier distributed by the verification platform and the safety of the service request is detected to be uncertain;
the verification directing unit is further configured to transfer the first request characteristic parameter to the verification platform, so that the verification platform obtains the second request characteristic parameter from the browser, determines the behavior verification mode of the behavior verification according to the comparison result of the first request characteristic parameter and the second request characteristic parameter, and performs behavior verification on the user of the browser based on the behavior verification mode.
Optionally, when redirecting the browser to the verification platform, the verification directing unit is specifically configured to return a redirect link to the browser, the redirect link pointing to the verification platform and carrying the first request characteristic parameter, so that the browser sends the first request characteristic parameter to the verification platform when it accesses the verification platform.
It should be noted that the embodiments in this specification are described in a progressive manner: each embodiment focuses on its differences from the other embodiments, and for the same or similar parts the embodiments can be referred to each other. Because the apparatus embodiments are basically similar to the method embodiments, they are described relatively briefly; for the relevant details, see the description of the method embodiments.
The foregoing description of the disclosed embodiments enables those skilled in the art to implement or use the present invention. Various modifications to these embodiments will be apparent to those skilled in the art, and the general principles defined herein can be realized in other embodiments without departing from the spirit or scope of the present invention. Therefore, the present invention is not limited to the embodiments shown herein, but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.
The above is only the preferred embodiment of the present invention. It should be noted that those of ordinary skill in the art can make various improvements and modifications without departing from the principle of the present invention, and these improvements and modifications should also be regarded as falling within the protection scope of the present invention.

Claims (10)

1. A service request processing method, characterized in that it is applied to a firewall device and comprises:
intercepting a service request sent by a browser to a service server;
if the service request does not carry a verified identifier distributed by a verification platform and the safety of the service request is detected to be uncertain, redirecting the browser to the verification platform, so that the verification platform performs behavior verification on the user of the browser; wherein, where the verification platform confirms through the behavior verification that the user of the browser is a real user, the verification platform distributes a verified identifier to the browser and instructs the browser to send the service server a service request carrying the verified identifier;
if the service request carries a verified identifier distributed by the verification platform, sending the service request to the service server.
2. The method according to claim 1, characterized in that sending the service request to the service server if the service request carries a verified identifier distributed by the verification platform comprises:
if the service request carries a verified identifier, sending the verified identifier to the verification platform for verification, to verify whether the verified identifier was distributed by the verification platform;
if the verified identifier is a verified identifier distributed by the verification platform, sending the service request to the service server.
3. The method according to claim 1, characterized in that, where the service request does not carry a verified identifier distributed by the verification platform and the safety of the service request is detected to be uncertain, the method further comprises:
obtaining a first request characteristic parameter associated with the service request;
transferring the first request characteristic parameter to the verification platform, so that the verification platform obtains a second request characteristic parameter from the browser, determines the behavior verification mode of the behavior verification according to the comparison result of the first request characteristic parameter and the second request characteristic parameter, and performs behavior verification on the user of the browser based on the behavior verification mode.
4. The method according to claim 3, characterized in that redirecting the browser to the verification platform comprises:
returning a redirect link to the browser, the redirect link pointing to the verification platform;
and transferring the access characteristic parameter to the verification platform comprises:
carrying the first request characteristic parameter in the redirect link, so that the browser sends the first request characteristic parameter to the verification platform when it accesses the verification platform.
5. A service request processing system, characterized by comprising:
a firewall device and a verification platform;
wherein the firewall device is configured to: intercept a service request sent by a browser to a service server; if the service request does not carry a verified identifier distributed by the verification platform and the safety of the service request is detected to be uncertain, redirect the browser to the verification platform; and if the service request carries a verified identifier distributed by the verification platform, send the service request to the service server;
the verification platform is configured to: after receiving an access request from the browser, return a verification page to the browser, the verification page displaying an operation prompt for behavior verification; obtain the input operation data of the user of the browser in the verification page; perform behavior verification on the input operation data according to the behavior verification mode corresponding to the verification page, to obtain a behavior verification result; and, where the behavior verification result characterizes that the user of the browser is a real user, distribute a verified identifier to the browser and instruct the browser to send the service server a service request carrying the verified identifier.
6. The system according to claim 5, characterized in that the firewall device is further configured to: where the service request does not carry a verified identifier distributed by the verification platform and the safety of the service request is detected to be uncertain, obtain a first request characteristic parameter associated with the service request; and transfer the first request characteristic parameter to the verification platform;
the verification platform returning the verification page to the browser is specifically:
obtaining a second request characteristic parameter from the browser; determining the behavior verification mode of the behavior verification according to the comparison result of the first request characteristic parameter and the second request characteristic parameter; and returning to the browser the verification page matching the behavior verification mode.
7. The system according to claim 6, characterized in that the firewall device redirecting the browser to the verification platform and transferring the first request characteristic parameter to the verification platform is specifically:
returning a redirect link to the browser, the redirect link pointing to the verification platform and carrying the first request characteristic parameter, wherein the access request that the browser sends to the verification platform based on the redirect link carries the first request characteristic parameter.
8. The system according to claim 5, characterized in that distributing a verified identifier to the browser and instructing the browser to send the service server a service request carrying the verified identifier comprises:
storing the verified identifier in the browser and redirecting the browser to the service server, so that the browser sends the service server a service request carrying the verified identifier.
9. A service request processing apparatus, characterized in that it is applied to a firewall device and comprises:
a request interception unit, configured to intercept a service request sent by a browser to a service server;
a verification directing unit, configured to, if the service request does not carry a verified identifier distributed by a verification platform and the safety of the service request is detected to be uncertain, redirect the browser to the verification platform, so that the verification platform performs behavior verification on the user of the browser; wherein, where the verification platform confirms through the behavior verification that the user of the browser is a real user, the verification platform distributes a verified identifier to the browser and instructs the browser to send the service server a service request carrying the verified identifier;
a request passing unit, configured to send the service request to the service server if the service request carries a verified identifier distributed by the verification platform.
10. The apparatus according to claim 9, characterized in that the request passing unit comprises:
an identifier verification subunit, configured to, if the service request carries a verified identifier, send the verified identifier to the verification platform for verification, to verify whether the verified identifier was distributed by the verification platform;
a request passing subunit, configured to send the service request to the service server if the verified identifier is a verified identifier distributed by the verification platform.
CN201910754278.0A 2019-08-15 2019-08-15 Service request processing method, device and system Active CN110430213B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910754278.0A CN110430213B (en) 2019-08-15 2019-08-15 Service request processing method, device and system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201910754278.0A CN110430213B (en) 2019-08-15 2019-08-15 Service request processing method, device and system

Publications (2)

Publication Number Publication Date
CN110430213A true CN110430213A (en) 2019-11-08
CN110430213B CN110430213B (en) 2022-02-01

Family

ID=68416498

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201910754278.0A Active CN110430213B (en) 2019-08-15 2019-08-15 Service request processing method, device and system

Country Status (1)

Country Link
CN (1) CN110430213B (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114172677A (en) * 2020-09-11 2022-03-11 北京金山云网络技术有限公司 Identification method, device and system for second dial IP
CN114826739A (en) * 2022-04-27 2022-07-29 中国银行股份有限公司 Verification method, verification device and server

Also Published As

Publication number Publication date
CN110430213B (en) 2022-02-01

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant