CN110493239A - The method and apparatus of authentication - Google Patents

Publication number
CN110493239A
Authority
CN
China
Prior art keywords
identity token
authentication
request
rear end
permission
Legal status
Granted
Application number
CN201910791081.4A
Other languages
Chinese (zh)
Other versions
CN110493239B (en)
Inventor
罗兆富
Current Assignee
JD Digital Technology Holdings Co Ltd
Jingdong Technology Holding Co Ltd
Original Assignee
JD Digital Technology Holdings Co Ltd
Application filed by JD Digital Technology Holdings Co Ltd
Priority to CN201910791081.4A
Publication of CN110493239A
Application granted
Publication of CN110493239B

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/08: Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0807: Network architectures or network communication protocols for network security for authentication of entities using tickets, e.g. Kerberos
    • H04L63/083: Network architectures or network communication protocols for network security for authentication of entities using passwords
    • H04L63/10: Network architectures or network communication protocols for network security for controlling access to devices or network resources

Abstract

The invention discloses a method and apparatus for authentication and relates to the field of computer technology. One specific embodiment of the method comprises: receiving the identity token returned by the backend after a successful login; sending an authentication request to the backend according to the identity token; receiving the permissions and routes returned by the backend; and rendering the display page of the frontend according to the permissions and routes. The embodiment solves the defect of the prior art in which unified management of identity tokens by the backend puts heavy pressure on the backend and makes the system complex to implement. As a result, the backend only provides permission data to the frontend, the permission-management process is simplified, the backend does not need to monitor page jumps, and the frontend assigns permissions and handles rendering on its own, more securely and conveniently.

Description

Method and apparatus for authentication
Technical field
The present invention relates to the field of computer technology, and in particular to a method and apparatus for authentication.
Background art
The prior art uses an MVC ("model"-"view"-"controller") architecture in which session records are stored on the server, and a user accessing the system must complete authentication through the server. Permissions are obtained under backend control: the backend controls the permissions, and the frontend only records the issued session unique identifier (sessionID).
In the course of realizing the present invention, the inventor found at least the following problems in the prior art:
1. The frontend (client) and the backend (that is, the server) are tightly coupled, so the frontend and backend cannot be developed separately, which raises the time and labor cost of development;
2. Storing the session unique identifiers (sessionID) of a large number of users on the server wastes memory and resources;
3. The backend can only determine which user needs to be authenticated from that unique identifier, which makes horizontal scaling difficult and reduces flexibility.
Summary of the invention
In view of this, embodiments of the present invention provide a method and apparatus for authentication that solve the defect of the prior art in which unified management of identity tokens by the backend puts heavy pressure on the backend and makes the system complex to implement. As a result, the backend only provides permission data to the frontend, the permission-management process is simplified, the backend does not need to monitor page jumps, and the frontend assigns permissions and handles rendering on its own, more securely and conveniently.
To achieve the above object, according to one aspect of the embodiments of the present invention, a method for authenticating the display page of a frontend is provided, comprising:
receiving the identity token returned by the backend after a successful login;
sending an authentication request to the backend according to the identity token;
receiving the permissions and routes returned by the backend;
rendering the display page of the frontend according to the permissions and routes.
Optionally, before the authentication request is sent to the backend according to the identity token, the method comprises:
configuring, on the frontend, a response interceptor and the parameters in the request;
wherein the parameters in the request are used to set request header parameters in the authentication request for secondary authentication, and the response interceptor is used to check whether an identity token is present in the returned request header parameters.
Optionally, after the identity token returned by the backend is received following a successful login, the method comprises:
storing the identity token in the local storage space of the frontend, or updating the identity token that already exists in the local storage space.
Optionally, rendering the display page of the frontend according to the permissions and routes comprises:
parsing the permissions and routes according to the state manager in the progressive framework;
updating or storing the parsed permissions and routes in the state manager;
rendering the display page of the frontend according to the permissions and routes in the state manager;
wherein the parsing comprises: modifying the route data and/or converting the permissions into custom directives.
Optionally, rendering the display page of the frontend according to the permissions and routes in the state manager comprises:
calling the parsed permissions and routes in the state manager and dynamically mounting the routes;
rendering the display page of the frontend according to the dynamic mounting.
According to another aspect of the embodiments of the present invention, a method of authentication applied to a backend is provided, comprising:
receiving a login request;
judging, according to the login domain, whether the login request can succeed; if so, returning the success message to the frontend and caching the first identity token contained in the login request and its key; if not, returning an error;
receiving an authentication request;
verifying, according to the authentication domain and the key, whether the second identity token corresponding to the authentication request is consistent with the first identity token;
determining the authentication result according to the result of comparing the second identity token with the first identity token.
Optionally, the method further comprises: when the backend receives a logout request, removing the first identity token and its key from the cache.
Optionally, before the login request is received, the method comprises:
configuring the session function to be disabled and/or setting a session interception template.
Optionally, before judging, according to the login domain, whether the login request can succeed, the method comprises:
using a filter in the backend to check whether the identity token in the login request has been updated or has expired;
if so, authentication fails.
Optionally, verifying, according to the authentication domain and the key, whether the second identity token corresponding to the authentication request is consistent with the first identity token comprises:
using an identity token adapter to parse the encryption and determine the identity token in the authentication request as the second identity token;
comparing the second identity token with the first identity token stored in the backend to judge whether they are consistent.
Optionally, determining the authentication result according to the result of comparing the second identity token with the first identity token comprises:
triggering the identity token refresh mechanism of the filter;
judging whether the identity token has been updated; if not, and the second identity token is consistent with the first identity token, the authentication request is verified as successful.
According to another aspect of the embodiments of the present invention, a device for authenticating the display page of a frontend is provided, comprising:
an identity token receiving module, for receiving the identity token returned by the backend after a successful login;
an authentication request sending module, for sending an authentication request to the backend according to the identity token;
a response receiving module, for receiving the permissions and routes returned by the backend;
a page rendering module, for rendering the display page of the frontend according to the permissions and routes.
According to another aspect of the embodiments of the present invention, a device for authentication applied to a backend is provided, comprising:
a login request receiving module, for receiving a login request;
a login request judging module, for judging, according to the login domain, whether the login request can succeed; if so, returning the success message to the frontend and caching the first identity token contained in the login request and its key; if not, returning an error;
an authentication request receiving module, for receiving an authentication request;
an authentication request verifying module, for verifying, according to the authentication domain and the key, whether the second identity token corresponding to the authentication request is consistent with the first identity token;
an authentication result determining module, for determining the authentication result according to the result of comparing the second identity token with the first identity token.
According to another aspect of the embodiments of the present invention, a system for authentication is provided, comprising:
the device for authenticating the display page of a frontend, and the device for authentication applied to a backend.
According to another aspect of the embodiments of the present invention, an electronic device for authentication is provided, comprising:
one or more processors;
a storage device, for storing one or more programs,
wherein, when the one or more programs are executed by the one or more processors, they cause the one or more processors to implement the authentication method provided by the present invention.
According to yet another aspect of the embodiments of the present invention, a computer-readable medium is provided on which a computer program is stored; the program, when executed by a processor, implements the authentication method provided by the present invention.
An embodiment of the above invention has the following advantages or beneficial effects:
By decoupling the frontend from the backend and having the frontend process, manage and store the identity token, the present invention solves the defect of the prior art in which unified management of identity tokens by the backend puts heavy pressure on the backend and makes the system complex to implement. As a result, the backend only provides permission data to the frontend, the permission-management process is simplified, the backend does not need to monitor page jumps, and the frontend assigns permissions and handles rendering on its own, more securely and conveniently.
Further effects of the above non-conventional optional implementations are described below with reference to specific embodiments.
Brief description of the drawings
The drawings are provided for a better understanding of the present invention and do not constitute an undue limitation on it. In the drawings:
Fig. 1 is a schematic diagram of the main flow of a method for authenticating the display page of a frontend according to an embodiment of the present invention;
Fig. 2 is a schematic diagram of the detailed flow of a method for authenticating the display page of a frontend according to an embodiment of the present invention;
Fig. 3 is a schematic diagram of the main flow of a method of authentication applied to a backend according to an embodiment of the present invention;
Fig. 4 is a schematic diagram of the detailed flow of a method of authentication applied to a backend according to an embodiment of the present invention;
Fig. 5 is a schematic diagram of the main modules of the device for authenticating the display page of a frontend according to an embodiment of the present invention;
Fig. 6 is a schematic diagram of the main modules of the device for authentication applied to a backend according to an embodiment of the present invention;
Fig. 7 is an exemplary system architecture diagram to which embodiments of the present invention can be applied;
Fig. 8 is a schematic structural diagram of a computer system suitable for implementing the terminal device or server of the embodiments of the present invention.
Detailed description of embodiments
Exemplary embodiments of the present invention are described below with reference to the drawings, including various details of the embodiments to aid understanding; these should be regarded as merely exemplary. Accordingly, those of ordinary skill in the art should recognize that various changes and modifications can be made to the embodiments described here without departing from the scope and spirit of the present invention. Likewise, for clarity and conciseness, descriptions of well-known functions and structures are omitted from the following description.
The authentication process mainly involves two parts, the frontend and the backend. To simplify development, the frontend and backend can be made independent of each other during development, reducing the coupling between them so that frontend and backend development can proceed at the same time, which shortens development time and improves project development efficiency.
Optionally, the frontend can use a tool for mocking frontend data (for example, MOCKJS) to display mock data, while backend development can focus more on data processing and business logic, thereby shortening development time.
Separating the frontend and backend of the system makes the architecture easier to extend, more adaptable and more flexible, reduces the coupling between frontend and backend, and allows system resources to be used better.
Reducing the coupling between the frontend part and the backend part of the system allows the two parts to be deployed separately when the system is deployed in a cluster, so that the failure of some devices in the cluster does not affect the normal operation of the whole cluster, which in turn makes resource allocation more reasonable.
Fig. 1 is a schematic diagram of the main flow of a method for authenticating the display page of a frontend according to an embodiment of the present invention. As shown in Fig. 1, it comprises:
Step S101: receive the identity token returned by the backend after a successful login;
Step S102: send an authentication request to the backend according to the identity token;
Step S103: receive the permissions and routes returned by the backend;
Step S104: render the display page of the frontend according to the permissions and routes.
The frontend part can complete the above steps using a progressive framework for building data-driven page interfaces (the VUE.js framework). The routes can be dynamic routes; specifically, dynamic routing can be implemented by VUEX (the state manager of VUE) and ROUTER (the router).
When a user initiates a request to log in to the system, the login request is first sent to the backend for verification. If verification succeeds, the backend returns the user's identity token, which indicates a successful login. At that point, however, the user's routes and the corresponding permissions have not yet been obtained, and they still have to be obtained from the backend.
By decoupling the frontend from the backend and having the frontend process, manage and store the identity token, the present invention solves the defect of the prior art in which unified management of identity tokens by the backend puts heavy pressure on the backend and makes the system complex to implement. As a result, the backend only provides permission data to the frontend, the permission-management process is simplified, the backend does not need to monitor page jumps, and the frontend assigns permissions and handles rendering on its own, more securely and conveniently.
Optionally, before the authentication request is sent to the backend according to the identity token, the method comprises:
configuring, on the frontend, a response interceptor and the parameters in the request, so that the frontend can manage requests and responses;
wherein the parameters in the request are used to set request header (HEADER) parameters in the authentication request for secondary authentication; setting the request header parameters makes it convenient to authenticate the other requests made after login.
The response interceptor is used to check whether an identity token is present in the request header parameters of the returned response. If an identity token is present, it is stored in the local storage space of the frontend (for example, in the browser's cookie), or the identity token that already exists in the local storage space is updated.
Optionally, rendering the display page of the frontend according to the permissions and routes comprises:
when the login page of the frontend jumps to another page, performing route monitoring on the page; the method used for monitoring can be ROUTER.beforeEach. The permissions and routes are parsed according to the state manager (VUEX) in the progressive framework;
updating or storing the parsed permissions and routes in the state manager;
rendering the display page of the frontend according to the permissions and routes in the state manager;
wherein parsing the permissions and routes comprises: modifying the route data, converting the permissions into custom directives, and/or updating or storing the state of the permissions.
Specifically, the parsed permissions and routes can be stored in the state (state) of VUEX, which makes it convenient to update them promptly when the state changes and to apply state changes globally.
This scheme moves the step of parsing permissions and routes, which the prior art performs in the backend, to the frontend. This reduces the computing pressure on the backend and avoids the prior-art defects of heavy backend computing pressure and complex logic.
Optionally, rendering the display page of the frontend according to the permissions and routes in the state manager comprises:
calling the parsed permissions and routes in the state manager and dynamically mounting the routes;
rendering the display page of the frontend according to the dynamic mounting.
The method for implementing dynamic mounting can be ROUTER.addRoute. ROUTER.addRoute is a built-in method of VUE routing (vue-router); calling it adds the corresponding route permissions, so that the page renders and displays the corresponding content according to the permissions.
The detailed flow applied to the frontend is described below with a specific embodiment.
Fig. 2 is a schematic diagram of the detailed flow of a method for authenticating the display page of a frontend according to an embodiment of the present invention. As shown in Fig. 2, it comprises:
Step S201: send the user's login request to the backend;
Step S202: obtain the result of the user's login request fed back by the backend; if the result is a successful login, obtain the token and execute S203; if the result is failure, display the login failure information on the frontend;
Step S203: monitor route changes using the ROUTER.beforeEach method, request the user's permissions, and trigger VUEX;
Step S204: parse the permission routes using VUEX, and store the parsed routes in the state manager (state);
Step S205: dynamically mount the routes using the ROUTER.addRoutes method to obtain the rendered display page of the frontend.
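The frontend flow of steps S201 to S205, modelled without a framework, as an added example that is not code from the patent: the request and response interceptors, route parsing, dynamic mounting and the navigation guard. The header name, the component registry, the `fetchAuth` callback and the sample backend response are assumptions made for the illustration.

```javascript
// Added illustration, not code from the patent: a framework-free model of steps S201-S205.
// Every name here (TOKEN_HEADER, createAuthClient, parseRoutes, ...) is hypothetical.
const TOKEN_HEADER = 'authorization'; // assumed name for the "request header parameter"

// Stand-in for the frontend's local storage space (browser cookie or localStorage).
function createMemoryStorage() {
  const data = new Map();
  return {
    getItem: (key) => (data.has(key) ? data.get(key) : null),
    setItem: (key, value) => { data.set(key, String(value)); },
  };
}

// Request parameter setup and response interceptor configured before step S102.
function createAuthClient(storage) {
  return {
    onRequest(config) {
      const token = storage.getItem('token');
      const headers = { ...(config.headers || {}) };
      if (token) headers[TOKEN_HEADER] = token; // every later request carries the token
      return { ...config, headers };
    },
    onResponse(response) {
      const returned = (response.headers || {})[TOKEN_HEADER];
      if (returned) storage.setItem('token', returned); // store a new token or replace the old one
      return response;
    },
  };
}

// Local component registry: backend route data may only name components listed here.
const COMPONENTS = { OrderList: 'OrderList.vue', OrderEdit: 'OrderEdit.vue', UserAdmin: 'UserAdmin.vue' };

// "Parsing": rewrite backend route records into mountable routes and drop any record
// whose permission was not granted or whose component is unknown to this frontend.
function parseRoutes(records, granted) {
  const routes = [];
  for (const rec of records) {
    if (rec.permission && !granted.has(rec.permission)) continue;
    if (!Object.prototype.hasOwnProperty.call(COMPONENTS, rec.component)) continue;
    routes.push({
      path: rec.path,
      component: COMPONENTS[rec.component],
      meta: { permission: rec.permission || null },
      children: parseRoutes(rec.children || [], granted),
    });
  }
  return routes;
}

// Stand-ins for the state manager and for the router's dynamic mounting.
function createStore() {
  return { state: { loaded: false, permissions: new Set(), routes: [] } };
}
function createRouter() {
  const mounted = new Map();
  const mount = (route, prefix) => {
    const full = (prefix + '/' + route.path).replace(/\/+/g, '/');
    mounted.set(full, route);
    route.children.forEach((child) => mount(child, full));
  };
  return { addRoute: (route) => mount(route, ''), has: (path) => mounted.has(path) };
}

// Navigation guard (the role ROUTER.beforeEach plays on the page).
// fetchAuth is a hypothetical callback that sends the authentication request.
function guard(to, { storage, store, router, fetchAuth }) {
  if (!storage.getItem('token')) return '/login';
  if (!store.state.loaded) {
    const { permissions, routes } = fetchAuth();
    store.state.permissions = new Set(permissions);
    store.state.routes = parseRoutes(routes, store.state.permissions);
    store.state.routes.forEach((route) => router.addRoute(route));
    store.state.loaded = true;
  }
  return router.has(to) ? to : '/403';
}

// Check behind a custom permission directive: should this element be rendered?
function canRender(store, permission) {
  return store.state.permissions.has(permission);
}

// Constructed sample of what the backend might return for one user.
const SAMPLE_AUTH = {
  permissions: ['order:view'],
  routes: [
    { path: '/orders', component: 'OrderList', permission: 'order:view',
      children: [{ path: 'edit', component: 'OrderEdit', permission: 'order:edit' }] },
    { path: '/users', component: 'UserAdmin', permission: 'user:admin' },
    { path: '/x', component: '__proto__', permission: 'order:view' },
  ],
};
```

Leaving a route unmounted only controls what the frontend renders; the requests behind that route still carry the token and are verified by the backend.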
Fig. 3 is a schematic diagram of the main flow of a method of authentication applied to a backend according to an embodiment of the present invention. As shown in Fig. 3, it comprises:
Step S301: receive the user's login request;
Step S302: a filter (Filter) in the backend can be used to check whether the identity token in the login request has been updated or has expired; if the identity token has been updated or has expired, authentication fails and the user's login request must be received again. Setting up the filter allows the user's login and authentication requests to be handled uniformly and assists the uniform handling of frontend requests.
Step S303: according to the login domain (login Realm), judge whether the login request succeeds; if so, return the success message to the frontend and cache the first identity token contained in the login request and its key; if not, return an error;
Step S304: receive the authentication request;
Step S305: according to the authentication domain (authentication Realm) and the key, verify whether the second identity token corresponding to the authentication request is consistent with the first identity token;
Step S306: determine the authentication result according to the result of comparing the second identity token with the first identity token.
Step S302 is optional.
Handling login and authentication separately with a login domain and an authentication domain, and using the filter to set up an identity token refresh mechanism, makes the identity token harder to steal and further ensures the security of the system.
During user login, the filter only checks whether the identity token has been updated or has expired, and does not intercept the login request. Once it is determined that the identity token does not need updating and has not expired, the login domain performs the login processing. The login domain can judge whether the user logs in successfully by calling the login function of the shiro framework. If the login does not succeed, an error message is returned. Before the error message is returned to the frontend, the filter also performs judgment and processing.
When login succeeds, the identity token can be sent to the frontend and at the same time cached in the backend for use in subsequent authentication operations.
Optionally, the method further comprises: when the backend receives a logout request, removing the first identity token and its key from the cache.
Because a JWT identity token, once issued, remains valid for its whole validity period, controlling the key is what determines whether authentication succeeds, which ensures the security of the backend service. To avoid repeatedly entering the key of the identity token while the user is logged in, the identity token can be stored in the backend cache.
Because the key used to generate the identity token is private and is recorded in the cache, the cached key must be removed when the user logs out; this rules out logging in without the key and thereby ensures the security of the system.
The frontend is responsible for managing the identity token itself, so the technical solution can be extended to every platform, strengthening the system's cross-platform processing capability. The backend therefore does not need to store the identity token, that is, it does not need to store the user's session unique identifier (sessionID); the identity token can be provided by the frontend. This solves the problem in a distributed cluster where the failure of some device causes the user's identity token to be lost, leaving the user unable to complete the required operations.
Therefore, optionally, before the login request is received, the method comprises:
configuring the session function to be disabled (the Session function of the Shiro framework must be disabled in the configuration, and the Shiro interception template set at the same time) and/or setting a session interception template (adding the noSessionCreate parameter).
With these operations, Shiro no longer creates sessions.
Optionally, verifying, according to the authentication domain and the key, whether the second identity token corresponding to the authentication request is consistent with the first identity token comprises:
using an identity token adapter to parse the encryption and determine the identity token in the authentication request as the second identity token;
comparing the second identity token with the first identity token stored in the backend to judge whether they are consistent.
An authentication request enters through the Filter entry point, which triggers the custom login to generate the identity token. On entering the authentication domain, it can be judged whether the identity token is the system's custom token, so that wrong tokens are screened out.
A JWT identity token adapter can also be used in the authentication domain to verify that the identity token carried by this authentication request was encrypted with the locally cached key. If verification succeeds, the identity token refresh mechanism of the filter is triggered to judge whether to regenerate the identity token and send it to the frontend.
These technical means prevent the identity token from being used fraudulently and give more flexible control over token use. If verification fails, the request is handled by the unified failure method in the filter, which ensures the security of backend data.
Optionally, determining the authentication result according to the result of comparing the second identity token with the first identity token comprises:
triggering the identity token refresh mechanism of the filter;
judging whether the identity token has been updated; if not, and the second identity token is consistent with the first identity token, the authentication request is verified as successful.
Setting up the frontend and backend flows separately makes the development process clearer and simpler, so that frontend and backend development can proceed at the same time: the frontend can display mock data without depending on the backend, and backend development need not be concerned with page processing and rendering and can focus on data processing and business logic. This simplifies the project development process, improves overall project quality and reduces development time.
Because the architecture of the system determines how the system obtains permissions and authenticates requests, decoupling the frontend from the backend makes the architecture easier to extend, supports multiple online platforms, and copes better with changing business; authentication is flexible and fast on both mobile and PC. In cluster deployment, the frontend and backend no longer have to be deployed together and can each be deployed independently, which reduces cascading failures: a problem with one device in the cluster does not affect the whole business cluster. System resources can be used more fully, the customer experience improves, the defect of slow backend rendering is eliminated, and frontend page load time is reduced. Decoupling also lets the backend concentrate on processing data, improves the performance of each part, and makes the system clearer and easier to maintain.
The present invention solves the problem of permissions and request authentication in distributed deployments: the frontend processes, manages and stores the respective identity rather than the backend managing it centrally, which reduces the pressure on and complexity of the backend. Rendering by permission on the frontend simplifies the permission-management process: the backend only provides permission data to the frontend, and the frontend handles permission assignment independently, which is more secure and efficient. The backend is not concerned with page jumps; the frontend assigns and manages routes itself according to the permissions.
Fig. 4 is a schematic diagram of the detailed authentication flow applied to the back end according to an embodiment of the present invention. As shown in Fig. 4, the flow comprises:
Step S401: obtain the user's login request;
Step S402: use a filter to verify whether the identity token in the login request has been updated or has expired;
Step S403: according to the login domain, judge whether the login request succeeds; if so, return the success message to the front end and cache the first identity token contained in the login request and its key; if not, return an error and authentication fails;
Step S404: according to the authentication domain and the key, verify by means of JWT whether the identity token is consistent; if so, execute S405; if not, authentication fails;
Step S405: call the filter's refresh mechanism and judge whether an identity token exists; if so, authentication is complete; if not, authentication fails.
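The back-end flow of steps S401 to S405, as an added example that is not code from the patent: login caches a token together with a per-login key, and each later request is checked against that cached pair. The function names, the 900-second lifetime, the HS256 signing choice and the account data are assumptions made for illustration.

```javascript
// Added illustration of steps S401-S405 (not the patent's code); names, TTL and user data are assumptions.
const crypto = require('crypto');

const TOKEN_TTL_SECONDS = 900;   // assumed lifetime; the patent specifies none
const sessionCache = new Map();  // user -> { token, key }: the cached first identity token and its key

// Constructed account store standing in for the "login domain" (scrypt hash, constructed salt).
const SALT = Buffer.from('constructed-salt');
const hashPassword = (password) => crypto.scryptSync(String(password), SALT, 32);
const USERS = new Map([['alice', hashPassword('constructed-password')]]);

const toB64Url = (buf) =>
  buf.toString('base64').replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
const fromB64Url = (text) => Buffer.from(text.replace(/-/g, '+').replace(/_/g, '/'), 'base64');
const HEADER = toB64Url(Buffer.from(JSON.stringify({ alg: 'HS256', typ: 'JWT' })));

// Constant-time comparison that also works for inputs of different length.
function safeEqual(a, b) {
  const digest = (value) => crypto.createHash('sha256').update(value).digest();
  return crypto.timingSafeEqual(digest(a), digest(b));
}

function sign(signingInput, key) {
  return toB64Url(crypto.createHmac('sha256', key).update(signingInput).digest());
}

// S401/S403: check the credentials, then cache the issued token with its per-login key.
function login(user, password, now) {
  const stored = USERS.get(user) || Buffer.alloc(32); // hash even for unknown users
  const matches = safeEqual(stored, hashPassword(password));
  if (!USERS.has(user) || !matches) return { ok: false, reason: 'login failed' };
  const key = crypto.randomBytes(32);
  const claims = { sub: user, iat: now, exp: now + TOKEN_TTL_SECONDS };
  const signingInput = `${HEADER}.${toB64Url(Buffer.from(JSON.stringify(claims)))}`;
  const token = `${signingInput}.${sign(signingInput, key)}`;
  sessionCache.set(user, { token, key });
  return { ok: true, token };
}

// S402, S404, S405: verify the second identity token that arrives with an authentication request.
function authenticate(token, now) {
  const raw = String(token);
  const parts = raw.split('.');
  if (parts.length !== 3 || parts[0] !== HEADER) return { ok: false, reason: 'malformed' };
  let claims;
  try {
    claims = JSON.parse(fromB64Url(parts[1]).toString('utf8'));
  } catch (err) {
    return { ok: false, reason: 'malformed' };
  }
  // The subject is read before verification only to locate the cached key.
  const session = sessionCache.get(claims && claims.sub);
  // S405: without a cached token for this user there is nothing to authenticate against.
  if (!session) return { ok: false, reason: 'no session' };
  // S404: recompute the signature with the cached key; the token's own header is never trusted.
  if (!safeEqual(parts[2], sign(`${parts[0]}.${parts[1]}`, session.key))) {
    return { ok: false, reason: 'bad signature' };
  }
  // S404: the presented token must be the one cached at login (defence in depth).
  if (!safeEqual(raw, session.token)) return { ok: false, reason: 'superseded' };
  // S402: reject an expired token and drop the dead cache entry.
  if (typeof claims.exp !== 'number' || now >= claims.exp) {
    sessionCache.delete(claims.sub);
    return { ok: false, reason: 'expired' };
  }
  return { ok: true, user: claims.sub };
}

// Claim 7: on logout, clear the cached token and key so the token stops verifying.
function logout(user) {
  return sessionCache.delete(user);
}
```

Because the key is generated per login and lives only in the cache, a second login or a logout invalidates every earlier token for that user without a revocation list.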
Fig. 5 is a schematic diagram of the main modules of a device for authenticating the display page of the front end according to an embodiment of the present invention. As shown in Fig. 5, the device comprises:
An identity token receiving module 501, configured to receive the identity token returned by the back end after a successful login;
An authentication request sending module 502, configured to send an authentication request to the back end according to the identity token;
A response receiving module 503, configured to receive the permissions and routes returned by the back end;
A page rendering module 504, configured to render the display page of the front end according to the permissions and routes.
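What modules 501 to 504 do on the front end, as an added example that is not code from the patent: interceptors store and attach the token, and the permissions and routes returned by the back end are parsed into a state store before rendering. The header name, the storage key, the per-route `permission` field and the sample response are assumptions made for illustration.

```javascript
// Added illustration of modules 501-504 (not the patent's code). Header name, storage key and
// the per-route `permission` field are assumptions.
const TOKEN_KEY = 'identity_token';
const TOKEN_HEADER = 'x-identity-token';

// Stand-in for window.localStorage so the example runs outside a browser.
function createMemoryStorage() {
  const data = new Map();
  return {
    getItem: (key) => (data.has(key) ? data.get(key) : null),
    setItem: (key, value) => { data.set(key, String(value)); },
  };
}

// The request interceptor attaches the stored token; the response interceptor stores a token
// returned by the back end, or replaces the one already stored.
function createInterceptors(storage) {
  return {
    onRequest(config) {
      const token = storage.getItem(TOKEN_KEY);
      const headers = { ...(config.headers || {}) };
      if (token) headers[TOKEN_HEADER] = token;
      return { ...config, headers };
    },
    onResponse(response) {
      const returned = (response.headers || {})[TOKEN_HEADER];
      if (typeof returned === 'string' && returned.length > 0) storage.setItem(TOKEN_KEY, returned);
      return response;
    },
  };
}

// Parsing step: keep only the routes whose required permission was granted.
function filterRoutes(routes, granted) {
  const allowed = new Set(granted);
  const visit = (list) => list.reduce((kept, route) => {
    if (route.permission && !allowed.has(route.permission)) return kept;
    const hadChildren = Array.isArray(route.children) && route.children.length > 0;
    const children = hadChildren ? visit(route.children) : [];
    // Drop a parent whose children were all filtered out, so no empty menu is rendered.
    if (hadChildren && children.length === 0) return kept;
    kept.push({ ...route, children });
    return kept;
  }, []);
  return visit(routes);
}

// Full paths that would be mounted dynamically on the router.
function flattenPaths(routes, base = '') {
  return routes.flatMap((route) => {
    const full = `${base}/${route.path}`;
    return [full, ...flattenPaths(route.children || [], full)];
  });
}

// Minimal state manager holding the parsed result (stand-in for a framework store).
function createPermissionStore() {
  let permissions = new Set();
  let routes = [];
  return {
    update(grantedPermissions, backendRoutes) {
      permissions = new Set(grantedPermissions);
      routes = filterRoutes(backendRoutes, grantedPermissions);
    },
    // What a custom permission directive would consult before rendering an element.
    can: (permission) => permissions.has(permission),
    mountablePaths: () => flattenPaths(routes),
  };
}

// Constructed back-end response to an authentication request.
const SAMPLE_RESPONSE = {
  permissions: ['order:view', 'user:view'],
  routes: [
    { path: 'orders', permission: 'order:view', children: [
      { path: 'list', permission: 'order:view' },
      { path: 'refund', permission: 'order:refund' },
    ] },
    { path: 'admin', children: [{ path: 'audit', permission: 'audit:view' }] },
    { path: 'users', permission: 'user:view' },
    { path: 'home' },
  ],
};
```

Filtering routes here only decides what is rendered; every data request still carries the token so that the back end makes the access decision.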
Fig. 6 is a schematic diagram of the main modules of an authentication device applied to the back end according to an embodiment of the present invention. As shown in Fig. 6, the device comprises:
A login request receiving module 601, configured to receive a login request;
A login request judging module 602, configured to judge, according to the login domain, whether the login request can succeed; if so, to return the success message to the front end and cache the first identity token contained in the login request and its key; if not, to return an error;
An authentication request receiving module 603, configured to receive an authentication request;
An authentication request verification module 604, configured to verify, according to the authentication domain and the key, whether the second identity token corresponding to the authentication request is consistent with the first identity token;
An authentication result determining module 605, configured to determine the authentication result according to the result of comparing the second identity token with the first identity token.
According to another aspect of the embodiments of the present invention, an authentication system is provided, comprising:
The device for authenticating the display page of the front end, and the authentication device applied to the back end.
Fig. 7 shows an exemplary system architecture 700 to which the authentication method or authentication device of the embodiments of the present invention can be applied.
As shown in Fig. 7, the system architecture 700 may include terminal devices 701, 702 and 703, a network 704 and a server 705. The network 704 is the medium that provides communication links between the terminal devices 701, 702, 703 and the server 705. The network 704 may include various connection types, such as wired or wireless communication links or fiber-optic cables.
A user may use the terminal devices 701, 702, 703 to interact with the server 705 through the network 704 to receive or send messages and the like. Various communication client applications may be installed on the terminal devices 701, 702, 703, such as shopping applications, web browser applications, search applications, instant messaging tools, mailbox clients and social platform software (examples only).
The terminal devices 701, 702, 703 may be various electronic devices that have a display screen and support web browsing, including but not limited to smartphones, tablet computers, laptop computers and desktop computers.
The server 705 may be a server that provides various services, for example a back-end management server (example only) that supports a shopping website browsed by users with the terminal devices 701, 702, 703. The back-end management server may analyze and otherwise process received data such as information query requests, and feed the processing results (for example target push information or product information; examples only) back to the terminal devices.
It should be noted that the authentication method provided by the embodiments of the present invention is generally executed by the server 705; accordingly, the authentication device is generally arranged in the server 705.
It should be understood that the numbers of terminal devices, networks and servers in Fig. 7 are merely illustrative. There may be any number of terminal devices, networks and servers, as required by the implementation.
Referring now to Fig. 8, it shows a schematic structural diagram of a computer system 800 suitable for implementing a terminal device of the embodiments of the present invention. The terminal device shown in Fig. 8 is only an example and should not impose any limitation on the function or scope of use of the embodiments of the present invention.
As shown in Fig. 8, the computer system 800 includes a central processing unit (CPU) 801, which can perform various appropriate actions and processing according to a program stored in a read-only memory (ROM) 802 or a program loaded from a storage section 808 into a random access memory (RAM) 803. The RAM 803 also stores the various programs and data required for the operation of the system 800. The CPU 801, the ROM 802 and the RAM 803 are connected to one another by a bus 804. An input/output (I/O) interface 805 is also connected to the bus 804.
The following components are connected to the I/O interface 805: an input section 806 including a keyboard, a mouse and the like; an output section 807 including a cathode ray tube (CRT) or liquid crystal display (LCD) and a loudspeaker and the like; a storage section 808 including a hard disk and the like; and a communication section 809 including a network interface card such as a LAN card or a modem. The communication section 809 performs communication processing via a network such as the Internet. A drive 810 is also connected to the I/O interface 805 as needed. A removable medium 811, such as a magnetic disk, an optical disc, a magneto-optical disk or a semiconductor memory, is mounted on the drive 810 as needed, so that a computer program read from it can be installed into the storage section 808 as needed.
In particular, according to the embodiments disclosed by the present invention, the process described above with reference to the flowchart may be implemented as a computer software program. For example, the embodiments disclosed by the present invention include a computer program product comprising a computer program carried on a computer-readable medium, the computer program containing program code for executing the method shown in the flowchart. In such an embodiment, the computer program may be downloaded and installed from a network through the communication section 809, and/or installed from the removable medium 811. When the computer program is executed by the central processing unit (CPU) 801, the above functions defined in the system of the present invention are performed.
It should be noted that the computer-readable medium described in the present invention may be a computer-readable signal medium, a computer-readable storage medium, or any combination of the two. A computer-readable storage medium may be, for example, but is not limited to, an electrical, magnetic, optical, electromagnetic, infrared or semiconductor system, apparatus or device, or any combination of the above. More specific examples of computer-readable storage media may include, but are not limited to: an electrical connection with one or more wires, a portable computer disk, a hard disk, a random access memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the above. In the present invention, a computer-readable storage medium may be any tangible medium that contains or stores a program, and the program may be used by or in connection with an instruction execution system, apparatus or device. In the present invention, a computer-readable signal medium may include a data signal propagated in baseband or as part of a carrier wave, which carries computer-readable program code. Such a propagated data signal may take various forms, including but not limited to an electromagnetic signal, an optical signal, or any suitable combination of the above. A computer-readable signal medium may also be any computer-readable medium other than a computer-readable storage medium, which can send, propagate or transmit a program for use by or in connection with an instruction execution system, apparatus or device. The program code contained on a computer-readable medium may be transmitted by any suitable medium, including but not limited to: wireless, electric wire, optical cable, RF and the like, or any suitable combination of the above.
The flowcharts and block diagrams in the drawings illustrate the architecture, functions and operations of possible implementations of systems, methods and computer program products according to various embodiments of the present invention. In this regard, each block in a flowchart or block diagram may represent a module, a program segment or a part of code, and that module, program segment or part of code contains one or more executable instructions for implementing the specified logical function. It should also be noted that, in some alternative implementations, the functions marked in the blocks may occur in an order different from that marked in the drawings. For example, two blocks shown in succession may in fact be executed substantially in parallel, and they may sometimes be executed in the reverse order, depending on the functions involved. It should also be noted that each block in the block diagrams or flowcharts, and combinations of blocks in the block diagrams or flowcharts, can be implemented by a dedicated hardware-based system that performs the specified functions or operations, or by a combination of dedicated hardware and computer instructions.
The modules described in the embodiments of the present invention may be implemented in software or in hardware. The described modules may also be arranged in a processor; for example, it may be described as: a processor includes a sending module, an obtaining module, a determining module and a first processing module. The names of these modules do not, under certain circumstances, constitute a limitation on the modules themselves; for example, the sending module may also be described as "a module that sends a picture acquisition request to the connected server".
In another aspect, the present invention also provides a computer-readable medium, which may be included in the device described in the above embodiments, or may exist separately without being assembled into the device. The computer-readable medium carries one or more programs which, when executed by the device, cause the device to perform: a method for authenticating the display page of the front end, specifically:
Receiving the identity token returned by the back end after a successful login;
Sending an authentication request to the back end according to the identity token;
Receiving the permissions and routes returned by the back end;
Rendering the display page of the front end according to the permissions and routes.
And/or a method of authentication applied to the back end, comprising:
Receiving a login request;
Judging, according to the login domain, whether the login request can succeed; if so, returning the success message to the front end and caching the first identity token contained in the login request and its key; if not, returning an error;
Receiving an authentication request;
Verifying, according to the authentication domain and the key, whether the second identity token corresponding to the authentication request is consistent with the first identity token;
Determining the authentication result according to the result of comparing the second identity token with the first identity token.
The technical solution according to the embodiments of the present invention can achieve the following beneficial effects:
By decoupling the front end from the back end and having the front end process, manage and store the identity token, the present invention overcomes the defects of the prior art, in which unified management of identity tokens by the back end puts heavy pressure on the back end and makes the system implementation complex. As a result, the back end only provides permission data to the front end, the permission-management process is simplified, and the back end does not need to monitor page navigation, achieving the technical effect that the front end assigns permissions and handles rendering independently, more securely and more conveniently.
The above specific embodiments do not limit the scope of protection of the present invention. Those skilled in the art should understand that, depending on design requirements and other factors, various modifications, combinations, sub-combinations and substitutions can occur. Any modification, equivalent substitution or improvement made within the spirit and principles of the present invention shall be included in the scope of protection of the present invention.

Claims (16)

1. A method for authenticating the display page of a front end, characterized by comprising:
Receiving the identity token returned by the back end after a successful login;
Sending an authentication request to the back end according to the identity token;
Receiving the permissions and routes returned by the back end;
Rendering the display page of the front end according to the permissions and routes.
2. The method according to claim 1, characterized in that, before sending the authentication request to the back end according to the identity token, the method comprises:
Configuring, at the front end, a response interceptor and a parameter in the request;
Wherein the parameter in the request is used to set a request header parameter in the authentication request for secondary authentication; the response interceptor is used to check whether a returned identity token exists in the request header parameter.
3. The method according to claim 2, characterized in that, after receiving the identity token returned by the back end after a successful login, the method comprises:
Storing the identity token in the local storage space of the front end, or updating the identity token already stored in the local storage space.
4. The method according to claim 3, characterized in that rendering the display page of the front end according to the permissions and routes comprises:
Parsing the permissions and routes according to the state manager in a progressive framework;
Updating or storing the parsed permissions and routes in the state manager;
Rendering the display page of the front end according to the permissions and routes in the state manager;
Wherein the parsing comprises: modifying the route data and/or converting the permissions into custom directives.
5. The method according to claim 4, characterized in that rendering the display page of the front end according to the permissions and routes in the state manager comprises:
Calling the parsed permissions and routes in the state manager and dynamically mounting the routes;
Rendering the display page of the front end according to the dynamic mounting.
6. A method of authentication applied to a back end, characterized by comprising:
Receiving a login request;
Judging, according to the login domain, whether the login request can succeed; if so, returning the success message to the front end and caching the first identity token contained in the login request and its key; if not, returning an error;
Receiving an authentication request;
Verifying, according to the authentication domain and the key, whether the second identity token corresponding to the authentication request is consistent with the first identity token;
Determining the authentication result according to the result of comparing the second identity token with the first identity token.
7. The method according to claim 6, characterized by further comprising: when the back end receives a logout request, clearing the first identity token and its key from the cache.
8. The method according to claim 6, characterized in that, before receiving the login request, the method comprises:
Configuring the function of abandoning session control and/or setting a session-control interception template.
9. The method according to claim 6, characterized in that, before judging according to the login domain whether the login request can succeed, the method comprises:
Using a filter in the back end, verifying whether the identity token in the login request has been updated or has expired;
If so, authentication fails.
10. The method according to claim 9, characterized in that verifying, according to the authentication domain and the key, whether the second identity token corresponding to the authentication request is consistent with the first identity token comprises:
Using an identity token adapter, processing the identity token in the authentication request by parsing and encryption, and determining the result as the second identity token;
Comparing the second identity token with the first identity token stored in the back end, and judging whether they are consistent.
11. The method according to claim 10, characterized in that determining the authentication result according to the result of comparing the second identity token with the first identity token comprises:
Triggering the identity token refresh mechanism of the filter;
Judging whether the identity token has been updated; if it has not, and the second identity token is consistent with the first identity token, the authentication request is verified successfully.
12. A device for authenticating the display page of a front end, characterized by comprising:
An identity token receiving module, configured to receive the identity token returned by the back end after a successful login;
An authentication request sending module, configured to send an authentication request to the back end according to the identity token;
A response receiving module, configured to receive the permissions and routes returned by the back end;
A page rendering module, configured to render the display page of the front end according to the permissions and routes.
13. An authentication device applied to a back end, characterized by comprising:
A login request receiving module, configured to receive a login request;
A login request judging module, configured to judge, according to the login domain, whether the login request can succeed; if so, to return the success message to the front end and cache the first identity token contained in the login request and its key; if not, to return an error;
An authentication request receiving module, configured to receive an authentication request;
An authentication request verification module, configured to verify, according to the authentication domain and the key, whether the second identity token corresponding to the authentication request is consistent with the first identity token;
An authentication result determining module, configured to determine the authentication result according to the result of comparing the second identity token with the first identity token.
14. An authentication system, characterized by comprising:
The device for authenticating the display page of a front end according to claim 12,
And the authentication device applied to a back end according to claim 13.
15. An electronic device for authentication, characterized by comprising:
One or more processors;
A storage device for storing one or more programs,
When the one or more programs are executed by the one or more processors, the one or more processors are caused to implement the method according to any one of claims 1-11.
16. A computer-readable medium on which a computer program is stored, characterized in that the program, when executed by a processor, implements the method according to any one of claims 1-11.
CN201910791081.4A 2019-08-26 2019-08-26 Authentication method and device Active CN110493239B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910791081.4A CN110493239B (en) 2019-08-26 2019-08-26 Authentication method and device

Publications (2)

Publication Number Publication Date
CN110493239A true CN110493239A (en) 2019-11-22
CN110493239B CN110493239B (en) 2021-11-12

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
CP01 Change in the name or title of a patent holder

Address after: Room 221, 2 / F, block C, 18 Kechuang 11th Street, Beijing Economic and Technological Development Zone, 100176

Patentee after: Jingdong Technology Holding Co.,Ltd.

Address before: Room 221, 2 / F, block C, 18 Kechuang 11th Street, Beijing Economic and Technological Development Zone, 100176

Patentee before: Jingdong Digital Technology Holding Co.,Ltd.

Address after: Room 221, 2 / F, block C, 18 Kechuang 11th Street, Beijing Economic and Technological Development Zone, 100176

Patentee after: Jingdong Digital Technology Holding Co.,Ltd.

Address before: Room 221, 2 / F, block C, 18 Kechuang 11th Street, Beijing Economic and Technological Development Zone, 100176

Patentee before: JINGDONG DIGITAL TECHNOLOGY HOLDINGS Co.,Ltd.
