CN110602218B - Method and related device for assembling cloud service in user-defined manner - Google Patents


Info

Publication number
CN110602218B
CN110602218B
Authority
CN
China
Prior art keywords
service
application
user information
key
cloud service
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201910877062.3A
Other languages
Chinese (zh)
Other versions
CN110602218A (en)
Inventor
李南希
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Shenzhen Xunlei Network Technology Co Ltd
Original Assignee
Shenzhen Xunlei Network Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Shenzhen Xunlei Network Technology Co Ltd
Priority to CN201910877062.3A
Publication of CN110602218A
Application granted
Publication of CN110602218B
Legal status: Active (current)
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0442 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply asymmetric encryption, i.e. different keys for encryption and decryption
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/10 Protocols in which an application is distributed across nodes in the network
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/50 Network services
    • H04L67/51 Discovery or management thereof, e.g. service location protocol [SLP] or web services

Abstract

The embodiment of the invention provides a method for assembling a cloud service in a user-defined (custom) manner and a related device. They are used to provide the custom-assembled cloud service to business applications through a plurality of decoupled cloud services, with the authentication signature service provided by a third party, so that a front-end business application can complete its development by purchasing cloud services from a service provider; this promotes the cloud service ecosystem and avoids repeated business development. The method provided by the embodiment comprises the following steps: receiving first user information sent by a business application, where the first user information at least comprises the type of the business application, a unique identification code of the business application end, and an identification code of a first cloud service; encrypting the first user information using a first key; and sending the encrypted first user information to the business application, so that the business application sends an access request to the first cloud service using the encrypted first user information.

Description

Method and related device for assembling cloud service in user-defined manner
Technical Field
The invention relates to the technical field of communication, in particular to a method for assembling cloud service in a user-defined mode and a related device.
Background
In the existing cloud computing development process, a cloud computing service provider generally requires the business party to provide its own server, complete authentication of the cloud computing capability on that server, and only then communicate with the cloud computing vendor through the business application front end.
This leads to the following problems:
1. Before the business party communicates with the cloud service, authentication must be completed through the business party's central server; when that central server fails, the business application cannot run normally.
2. At present, many companies' cloud workloads are highly coupled, for example user data management, flow management, message pushing and real-time message broadcasting. Because the coupling between functional modules is high and no unified decoupling scheme exists, the required functional modules have to be developed again for each new business application, wasting a great deal of service capacity and manpower.
Disclosure of Invention
The embodiment of the invention provides a method and a related device for assembling cloud services in a user-defined mode, which are used for providing the user-defined cloud services for business applications through a plurality of decoupled cloud services, and authentication signature services are provided by a third party, so that the front-end business applications can complete business development by purchasing the cloud services provided by a service provider, the ecology of the cloud services is promoted, and the repeatability of the business development is avoided.
The first aspect of the embodiment of the present application provides a method for assembling cloud services in a user-defined manner, which is applied to one side of an authentication signature service, and includes:
receiving first user information sent by a business application, wherein the first user information at least comprises the type of the business application, a unique identification code of a business application end and an identification code of a first cloud service;
performing encryption on the first user information using a first key;
and sending the encrypted first user information to the service application, so that the service application sends an access request to a first cloud service by using the encrypted first user information.
Preferably, when the service application is not compatible with the authentication signature service, the method further comprises:
the authentication signature service receives second user information of the service application through an adapter;
sending the second user information to an authentication server of the service application for verification through the adapter;
and if the verification is passed, the adapter generates the first user information from the second user information according to a preset mapping rule.
Preferably, the encryption mechanism is a JWT mechanism and the encryption algorithm is an RSA encryption algorithm.
Preferably, after sending the encrypted first user information to the service application, the method further includes:
receiving a second key request sent by the business application, so that the business application sends an access request to the first cloud service using a second key, wherein the second key prevents the first cloud service from obtaining the first user information;
and replacing the encrypted first user information with the second key according to the second key request.
Preferably, the method further comprises:
and executing local storage on decryption keys corresponding to the first key and the second key.
A second aspect of the present application provides a method for assembling cloud services in a user-defined manner, where the method is applied to a first cloud service side, and includes:
receiving an access request sent by the service application, wherein the access request is encrypted by the authentication signature service;
obtaining a decryption key from the authentication signing service;
verifying the access request by using the decryption key;
and if the verification is passed, allowing the business application to access the first cloud service.
Preferably, the encryption mechanism is a JWT mechanism and the encryption algorithm is an RSA encryption algorithm.
Preferably, when the encrypted information included in the access request is the first user information encrypted by using a private key in the RSA encryption algorithm, the decryption key is a public key corresponding to the private key.
Preferably, when the encryption information included in the access request is a second key, the decryption key is a decryption key corresponding to the second key.
Preferably, the authentication signature service is integrated on a server corresponding to the cloud service, or is arranged on an independent server.
Preferably, the service application includes a client application and a server application;
when the business application is the client application, the allowing the business application to access the first cloud service includes:
allowing the client application to access the first cloud service, and performing data interaction with the first cloud service through a client;
when the business application is the server-side application, the allowing the business application to access the first cloud service includes:
and allowing the server side application to access the first cloud service, and performing data interaction with the first cloud service through an application server.
A third aspect of the present embodiment provides a method for assembling a cloud service in a user-defined manner, where the method is applied to business applications, and the method includes:
sending first user information to an authentication and signing service, so that the first user information is encrypted by the authentication and signing service, wherein the first user information at least comprises the type of a service application, a unique identification code of the service application and an identification code of a first cloud service;
receiving encrypted first user information, and sending an access request to a first cloud service by using the encrypted first user information, so that the first cloud service acquires a decryption key from the authentication and signature service and verifies the access request;
and if the verification is passed, accessing the first cloud service.
Preferably, when the service application is not compatible with the authentication signature service, the method further comprises:
sending second user information of the service application to the authentication signature service through an adapter, so that the authentication signature service sends the second user information to an authentication server of the service application for verification;
and if the verification is passed, receiving the first user information through the adapter, wherein the first user information is formed by mapping the second user information through the adapter according to a preset mapping rule.
Preferably, the encryption mechanism is a JWT mechanism and the encryption algorithm is an RSA encryption algorithm.
Preferably, after the receiving the encrypted first user information and before the sending the access request to the first cloud service by using the encrypted first user information, the method further includes:
sending a second key request to the authentication signature service;
and receiving a second secret key sent by the authentication signature service, wherein the second secret key is formed by replacing the encrypted first user information by the authentication signature service.
Preferably, when the encrypted information included in the access request is the first user information encrypted by using a private key in the RSA encryption algorithm, the decryption key is a public key corresponding to the private key.
Preferably, when the encryption information included in the access request is a second key, the decryption key is a decryption key corresponding to the second key.
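One way to realise the second key described in the first, second and third aspects above, as an added example that is not the patent's implementation: the authentication signature service replaces the encrypted first user information with a random handle and keeps the mapping locally, so the first cloud service can have the handle checked without ever receiving the first user information. Storing the handles hashed, checking the scope and expiry, and the Revoke operation are assumptions about how such a store would be hardened; the page only states that the cloud service obtains a decryption key corresponding to the second key and that the service stores that key locally.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"sync"
	"time"
)

// record is what the authentication signature service stores locally for one
// second key: the encrypted first user information the key replaces, and the
// cloud service it was issued for. The cloud service never receives this record.
type record struct {
	encryptedFirstUserInfo string
	cloudService           string
	expires                time.Time
}

// SecondKeyStore is the authentication signature service's local table. Keys are
// stored hashed, so a copy of the table cannot be replayed as valid second keys.
type SecondKeyStore struct {
	mu   sync.Mutex
	recs map[string]record // sha256(second key) -> record
}

func NewSecondKeyStore() *SecondKeyStore {
	return &SecondKeyStore{recs: map[string]record{}}
}

func hashKey(secondKey string) string {
	sum := sha256.Sum256([]byte(secondKey))
	return hex.EncodeToString(sum[:])
}

// Issue serves the second key request: it replaces the encrypted first user
// information with a random 256-bit handle that carries no user information itself.
func (s *SecondKeyStore) Issue(encryptedFirstUserInfo, cloudService string, now time.Time, ttl time.Duration) (string, error) {
	raw := make([]byte, 32)
	if _, err := rand.Read(raw); err != nil {
		return "", err
	}
	secondKey := hex.EncodeToString(raw)
	s.mu.Lock()
	defer s.mu.Unlock()
	s.recs[hashKey(secondKey)] = record{encryptedFirstUserInfo, cloudService, now.Add(ttl)}
	return secondKey, nil
}

// Decision is all the first cloud service learns when it asks the authentication
// signature service to verify a second key presented in an access request.
type Decision struct {
	Allowed bool
	Reason  string
}

// Verify is called on behalf of the first cloud service (the "decryption key
// corresponding to the second key" is the locally stored record). It answers
// allow/deny and a reason, but never the first user information behind the key.
func (s *SecondKeyStore) Verify(secondKey, cloudService string, now time.Time) Decision {
	s.mu.Lock()
	defer s.mu.Unlock()
	h := hashKey(secondKey)
	rec, ok := s.recs[h]
	switch {
	case !ok:
		return Decision{false, "unknown second key"}
	case !now.Before(rec.expires):
		delete(s.recs, h) // purge so the table does not grow with dead keys
		return Decision{false, "second key expired"}
	case rec.cloudService != cloudService:
		return Decision{false, "second key issued for a different cloud service"}
	}
	return Decision{true, "ok"}
}

// Revoke removes a second key (assumption: on logout or suspected compromise) so
// later access requests carrying it are refused.
func (s *SecondKeyStore) Revoke(secondKey string) {
	s.mu.Lock()
	defer s.mu.Unlock()
	delete(s.recs, hashKey(secondKey))
}
```

The handle is a reference token rather than a self-contained one: the cloud service sees only a random string and an allow/deny answer, which is exactly the property the page assigns to the second key, and the authentication signature service keeps the ability to revoke or expire it centrally.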
Preferably, the service application includes a client application and a server application;
when the business application is the client application, the accessing the first cloud service comprises:
the client application is accessed to the first cloud service, and data interaction is carried out between the client application and the first cloud service;
when the business application is the server-side application, the accessing the first cloud service includes:
the server side application is accessed to the first cloud service, and data interaction is carried out between the server side application and the first cloud service.
A fourth aspect of the embodiments of the present application provides a system for custom assembling a cloud service, including an authentication signature service provided in the first aspect of the embodiments of the present application, a first cloud service provided in the second aspect of the embodiments of the present application, and a service application provided in the third aspect of the embodiments of the present application.
An embodiment of the present application further provides a computer apparatus, which includes a processor, and when the processor executes a computer program stored on a memory, the processor is configured to implement the method for custom assembling a cloud service provided in the first aspect, the second aspect, or the third aspect of the embodiment of the present application.
Embodiments of the present application further provide a computer-readable storage medium, on which a computer program is stored, where the computer program is used, when executed by a processor, to implement the method for custom-assembling a cloud service provided in the first aspect, the second aspect, or the third aspect of the embodiments of the present application.
According to the technical scheme, the embodiment of the invention has the following advantages:
in the embodiment of the application, the authentication signature service provides the user-defined cloud service to the business application through a plurality of decoupled cloud services, and the authentication signature service is provided by a third party. On the one hand, authentication of the business application party can then be completed through the third party's authentication signature service, avoiding business paralysis caused by a failure of the business party's central authentication server and improving the flexibility of the authentication signature service; on the other hand, the front-end business application can complete its development by purchasing cloud services from the service provider, improving the cloud service ecosystem and avoiding repeated business development.
Drawings
FIG. 1 is a schematic diagram of an embodiment of a method for custom assembling a cloud service in an embodiment of the present application;
FIG. 2 is a schematic diagram of another embodiment of a method for custom assembling a cloud service in an embodiment of the present application;
fig. 3A is a schematic diagram of a first user information interface provided by a service application when the service application is a server-side application in the embodiment of the present application;
fig. 3B is another schematic diagram of a first user information interface provided by a service application when the service application is a server-side application in the embodiment of the present application;
fig. 4 is a schematic diagram of a first user information interface provided by a service application when the service application is a client application in the embodiment of the present application;
fig. 5 is a schematic interface diagram illustrating conversion of second user information of a service application into first user information when the service application is incompatible with an authentication signature service in the embodiment of the present application;
FIG. 6 is a schematic diagram of another embodiment of a method for custom assembling a cloud service in an embodiment of the present application;
FIG. 7 is a schematic diagram of another embodiment of a method for custom assembling a cloud service in an embodiment of the present application;
FIG. 8 is a schematic diagram of another embodiment of a method for custom assembling a cloud service in an embodiment of the present application;
FIG. 9 is a schematic diagram of another embodiment of a method for custom assembling a cloud service in an embodiment of the present application;
fig. 10 is a schematic diagram of another embodiment of a method for custom assembling a cloud service in an embodiment of the present application.
Detailed Description
The embodiment of the invention provides a method and a related device for assembling cloud services in a user-defined mode, which are used for providing the user-defined cloud services for business applications through a plurality of decoupled cloud services, and authentication signature services are provided by a third party, so that the front-end business applications can complete business development by purchasing the cloud services provided by a service provider, the ecology of the cloud services is promoted, and the repeatability of the business development is avoided.
In order to make those skilled in the art better understand the technical solutions of the present invention, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
The terms "first," "second," "third," "fourth," and the like in the description and in the claims, as well as in the drawings, are used for distinguishing between similar elements and not necessarily for describing a particular sequential or chronological order. It will be appreciated that the data so used may be interchanged under appropriate circumstances such that the embodiments described herein may be practiced otherwise than as specifically illustrated or described herein. Furthermore, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed, but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
In order to implement custom assembly of the cloud service, this embodiment provides a plurality of decoupled cloud services so that the front-end service application can complete its development by purchasing cloud services from the service vendor; the decoupled cloud services improve the cloud service ecosystem and avoid repeated development of the service.
For convenience of understanding, terms of art in the present embodiment are explained below:
Service application end: the service application end refers to the user (client) application end or the server end. For example, the user side includes browser applications, mobile phone apps and the like; the server side includes a specific business service or the back-end program of another cloud computing service.
Serverless: an architecture for applications that run without a self-managed server. It lets ordinary front-end services complete their development by directly purchasing a service provider's services instead of building their own server; back-end-facing or otherwise special services are carried out through cloud functions.
OIDC: short for OpenID Connect, a user-centric, open and decentralized digital identity framework. Details: openid.net.
RSA algorithm: an asymmetric encryption algorithm, widely used in public key cryptography and electronic commerce.
JWT: JSON Web Token (JWT) is an open standard (RFC 7519) that defines a compact, self-contained way to securely transfer information between parties as a JSON object.
For convenience of understanding, the method for custom assembling cloud services in the embodiment of the present application is described below. In this embodiment, the multiple cloud services are deployed on multiple servers, and the authentication signature service is independent of the service application: it is deployed on its own server or integrated on a server of a cloud service. A service application party can thus authenticate its cloud computing capability through the third-party authentication signature service, purchase the desired cloud services from third parties, assemble cloud services in a user-defined manner, and complete the development of the front-end service, which both promotes the cloud service ecosystem and avoids repeated development of the service.
Specifically, referring to fig. 1, in the embodiment of the present application, a method for custom assembling a cloud service in the embodiment of the present application is described from the perspective of an authentication and signature service, and an embodiment of the method for custom assembling a cloud service in the embodiment of the present application includes:
101. receiving first user information sent by a business application, wherein the first user information at least comprises the type of the business application, a unique identification code of a business application end and an identification code of a first cloud service;
When a business application needs to access a cloud service, its user information generally needs to be authenticated: on the one hand, to decide whether the business application has the authority to access the cloud service, and on the other hand, to determine what type of business application is accessing and which type of cloud service is being accessed.
Therefore, the first user information in this embodiment at least includes the type of the service application, the unique identifier of the service application end, and the identifier of the first cloud service. Specifically, the types of service application are client application and server application. For example, WeChat is a client application, that is, data interaction takes place between the client and the cloud service, whereas a security vulnerability monitoring application is a server application: because security vulnerabilities mainly exist on the server side, data interaction has to take place between the server and the cloud service.
The unique identification code of the service application end is essentially the identity information of the service application end and is used to authenticate it. When the service application is a client application, the unique identification code can be a client ID such as the user's telephone number or identity card information; when the service application is a server application, the unique identification code is the client ID of the server, that is, the server ID corresponding to the application. The identification code of the first cloud service identifies which type of cloud service the business application needs to access.
102. Performing encryption on the first user information using a first key;
After receiving the first user information sent by the service application, the authentication signature service encrypts it with the first key. In this embodiment the preferred encryption mechanism is the JWT mechanism and the preferred encryption algorithm is the RSA algorithm, so the "encryption" of the first user information is in effect signing it with the private key of an RSA key pair.
When the RSA algorithm is used, a new key pair is generated at regular intervals. The authentication signature service signs the first user information with the private key of the newly generated key pair, stores the public key of the key pair locally, and publishes the public key through a public key exposure service, for example over the HTTP protocol.
103. And sending the encrypted first user information to the service application, so that the service application sends an access request to the first cloud service by using the encrypted first user information.
After the authentication signature service has encrypted the first user information (that is, signed it under the JWT mechanism), it sends the encrypted first user information to the service application, so that the service application can use it in an access request to the first cloud service.
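The exchange described in steps 101 to 103 (and, from the other two sides, in the second and third aspects above), as an added example that is not part of the patent: the authentication signature service signs the first user information as an RS256 JWT with the private key of its current RSA key pair, publishes its public keys by key id (the page's public key exposure service), and the first cloud service verifies an access request with the matching public key. It uses only the Go standard library; the key address https://auth.example/keys, the exp claim, the kid header and the 10-minute lifetime are assumptions not stated on the page.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Claims is the JWT payload; claim names follow the page, exp is an added assumption.
type Claims struct {
	Iss   string `json:"iss"`           // address where the RSA public key is published
	Aud   string `json:"aud"`           // client_ID of the accessing end
	Sub   string `json:"sub,omitempty"` // unique ID of a client application; empty for a server application
	Scope string `json:"scope"`         // cloud service the application needs to access
	Exp   int64  `json:"exp"`           // expiry, unix seconds
}

// AuthSignService keeps every key pair by key id (kid); Published is what the
// public key exposure service serves (HTTP on the page), so a cloud service can
// fetch exactly the public key that signed a token, even after a rotation.
type AuthSignService struct {
	keyURL, current string
	keys            map[string]*rsa.PrivateKey
	Published       map[string]*rsa.PublicKey
}

func NewAuthSignService(keyURL string) (*AuthSignService, error) {
	s := &AuthSignService{keyURL: keyURL, keys: map[string]*rsa.PrivateKey{}, Published: map[string]*rsa.PublicKey{}}
	return s, s.Rotate()
}

// Rotate generates a fresh key pair ("generates a key pair at regular time");
// older public keys stay published so tokens signed before the rotation still verify.
func (s *AuthSignService) Rotate() error {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return err
	}
	s.current = fmt.Sprintf("k%d", len(s.keys)+1)
	s.keys[s.current] = key
	s.Published[s.current] = &key.PublicKey
	return nil
}

var enc = base64.RawURLEncoding

// Sign is step 102 for first user information (appType "client" or "server",
// uniqueID of the application end, cloudService identification code): RS256,
// i.e. RSASSA-PKCS1-v1_5 over SHA-256, with the current private key.
func (s *AuthSignService) Sign(appType, uniqueID, cloudService string, now time.Time) (string, error) {
	header, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": s.current})
	c := Claims{Iss: s.keyURL, Aud: uniqueID, Scope: cloudService, Exp: now.Add(10 * time.Minute).Unix()}
	if appType == "client" {
		c.Sub = uniqueID // sub is "normally empty" for a server application
	}
	payload, _ := json.Marshal(c)
	signingInput := enc.EncodeToString(header) + "." + enc.EncodeToString(payload)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, s.keys[s.current], crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + enc.EncodeToString(sig), nil
}

// VerifyAccess is the first cloud service's side: look up the public key named by
// kid in the key set fetched from the authentication signature service, verify the
// signature, then check expiry and scope. alg is pinned to RS256 so a token cannot
// steer the verifier to "none" or to an HMAC keyed with the public key.
func VerifyAccess(token, cloudService string, published map[string]*rsa.PublicKey, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	rawHeader, e1 := enc.DecodeString(parts[0])
	rawPayload, e2 := enc.DecodeString(parts[1])
	sig, e3 := enc.DecodeString(parts[2])
	var header struct{ Alg, Kid string }
	if e1 != nil || e2 != nil || e3 != nil || json.Unmarshal(rawHeader, &header) != nil || header.Alg != "RS256" {
		return nil, errors.New("malformed token or unsupported alg")
	}
	pub, ok := published[header.Kid]
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if !ok || rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return nil, errors.New("unknown key id or invalid signature")
	}
	var c Claims
	if err := json.Unmarshal(rawPayload, &c); err != nil {
		return nil, err
	}
	if now.Unix() >= c.Exp || c.Scope != cloudService {
		return nil, errors.New("token expired or not issued for this cloud service")
	}
	return &c, nil
}
```

VerifyAccess trusts nothing in the token until the signature checks out under a key it fetched itself, and it refuses a token whose scope names a different cloud service, so one signed first user information cannot be replayed against every service the provider runs.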
In the embodiment of the application, the authentication signature service provides the user-defined cloud service to the business application through a plurality of decoupled cloud services, and the authentication signature service is provided by a third party. On the one hand, authentication of the business application party can then be completed through the third party's authentication signature service, avoiding business paralysis caused by a failure of the business party's central authentication server and improving the flexibility of the authentication signature service; on the other hand, the front-end business application can complete its development by purchasing cloud services from the service provider, improving the cloud service ecosystem and avoiding repeated business development.
Based on the embodiment described in fig. 1, when the user's service application is incompatible with the authentication signature service of this embodiment, that is, the authentication information the service application previously used differs from the authentication information required here, the service application may access the authentication signature service through an adapter, so that the service application and the authentication signature service integrate seamlessly.
Specifically, the following describes a workflow of accessing an authentication and signing service by a service application through an adapter in this embodiment, referring to fig. 2, another embodiment of the method for custom assembling a cloud service in this embodiment of the present application includes:
201. the authentication signature service receives second user information of the service application through an adapter;
When the service application is incompatible with the authentication signature service, the authentication signature service in this embodiment receives second user information of the service application through the adapter; specifically, the second user information may be a user name and a password.
202. Sending the second user information to an authentication server of the service application through the adapter for verification, if the verification is successful, executing step 203, and if the verification is failed, executing step 204;
When the authentication signature service receives the second user information through the adapter, it sends the second user information to the service application's original authentication server for verification; if the verification succeeds, step 203 is executed, and if it fails, step 204 is executed.
203. Generating the first user information by the adapter according to the second user information according to a preset mapping rule;
If the verification succeeds, the first user information is generated from the second user information according to a preset mapping rule, so that the first user information can then be encrypted.
Specifically, in the authentication signature service of this embodiment, the encryption of the first user information is completed through the JWT mechanism, that is, the first user information is signed with the private key of an RSA key pair. A JWT consists of three parts: a header, a payload and a signature. The payload, the second part, carries the first user information; in this embodiment it includes the following customized parameters:
iss: the storage address of the public key of the RSA key pair;
aud: the client_ID of the accessing end;
sub: the unique identification code of the service application end. When the service application is a client application, sub is the client ID; when it is a server application, sub is normally empty;
group: the role or authority information of the user, for example vip or administrator. When the service application is a server application, group is normally empty;
scope: the identification code of the cloud service the business application needs to access, identifying the type of cloud service required.
When the service application is incompatible with the authentication signature service of this embodiment, its second user information, such as a user name and a password, is sent to the service's original authentication server for authentication. After the authentication passes, the first user information corresponding to the second user information is obtained by converting the second user information according to the preset mapping rule, so that the authentication signature service can encrypt the first user information.
Specifically, the second user information may be mapped to the first user information according to the mapping rule in table 1:
TABLE 1
(Table 1 is provided in the original only as two images, GDA0003933987510000091 and GDA0003933987510000101; its contents are not available as text.)
It should be noted that table 1 is only an example of the mapping rule, and does not set any limit to the mapping rule itself.
To show more intuitively the first user information that a service application provides when it executes the authentication and signature service, fig. 3A and fig. 3B show the first user information interface when the service application is a server-side application, fig. 4 shows the first user information interface when the service application is a client-side application, and fig. 5 shows the interface for converting the second user information of a service application into first user information when the service application is incompatible with the authentication and signature service.
In the signature verification scheme of fig. 3A the address of the RSA public key is configured manually; in the scheme of fig. 3B the token address (i.e. the public key address) is generated automatically by the OIDC server under the JWT mechanism. Fig. 5 additionally offers a refresh option for use after the token expires: when the original authentication mode has been wrapped into an OIDC server, a refresh token is generated together with the token, and the refresh token may be used to obtain a new token after the token expires.
In addition, when mapping the second user information to the first user information, this embodiment supports not only generating the OIDC server from the existing authentication method, but also generating a client-side or server-side OIDC server from a user name and a password.
Specifically, generating an OIDC server from the existing authentication method means generating a new authentication address from the service party's existing authentication service address: the original authentication information of the service application is passed to the adapter, the adapter passes it on to the authentication server of the service party, and after verification completes, the OIDC token is generated at the original authentication address. Generating a client-side or server-side OIDC server from a user name and a password means sending the user name and password to the original service authentication server for authentication and, if authentication succeeds, generating the OIDC token. The user name and password may be of two kinds: those of a real user, for which the generated token is a user token; and those used by a server-side application, for which the generated token is a server token.
As shown in fig. 3A, 3B, 4 and 5, in this embodiment a business application may directly access the required cloud service once the third-party authentication and signature service has authorized and signed the first user information. That is, the front-end application can complete its business development by purchasing the cloud services provided by the service provider, which improves the cloud service ecosystem and avoids repeated development of the same services.
204. Other processes are performed.
If the authentication server of the service application fails to verify the second user information, other processes are executed, which is not limited here.
In this embodiment, when the service application is incompatible with the authentication and signature service, the service application is connected to the authentication and signature service through the adapter, which improves the compatibility of the authentication and signature service with service applications.
Based on the embodiment described in fig. 1: when the service application sends an access request to the first cloud service using the encrypted first user information, the first cloud service could read the unique identification code of the service application end (such as the client ID, or the client_id of the server) out of the first user information and use it to simulate the user's behaviour. To prevent this, after sending the encrypted first user information to the service application, the following steps may also be performed in this embodiment to protect the first user information. Referring to fig. 6, another embodiment of the method for custom assembling a cloud service in the embodiments of the present application includes:
601. Receiving a second key request sent by the business application, so that the business application sends its access request to the first cloud service with a second key, the second key not allowing the first cloud service to obtain the first user information;
The purpose is to avoid the situation in which the business application sends an access request to the first cloud service using the encrypted first user information, the unique identification code of the business application end carried in the first user information is thereby disclosed to the first cloud service, and the first cloud service simulates the behaviour of the business application end, creating a security risk. The risk exists because a JWT signature protects the integrity of the claims but not their confidentiality: the payload is only base64url-encoded, so whoever receives the token can read the sub claim.
In this embodiment, after sending the encrypted first user information to the service application, the authentication and signature service receives the second key request sent by the service application, so that the service application sends its access request to the first cloud service with the second key instead; the second key does not allow the first cloud service to obtain the first user information.
602. Replacing the encrypted first user information with the second key according to the second key request.
After receiving the second key request, the authentication and signature service replaces the encrypted first user information with a second key, so that the service application sends its access request to the first cloud service using the second key and the first user information is not disclosed.
In this embodiment, to avoid disclosure of the first user information, the encrypted first user information in the access request is replaced with the second key, which does not allow the first cloud service to obtain the first user information, so that the security of the first user information is ensured.
Referring to fig. 7, another embodiment of the method for custom assembling a cloud service in the embodiments of the present application includes:
701. Receiving an access request sent by the service application, the access request being encrypted by the authentication and signature service;
After the business application sends the access request to the first cloud service, the first cloud service receives the access request, and step 702 is performed.
As can be seen from the embodiment of fig. 1, the access request is encrypted by the authentication and signature service; the preferred mechanism is JWT and the preferred algorithm is RSA, that is, the first user information is signed with the RSA private key.
702. Obtaining a decryption key from the authentication and signature service;
Since the authentication and signature service encrypts the access request, stores the decryption key locally and publishes it through the exposure service, the first cloud service, after receiving the access request from the service application, obtains the decryption key from the authentication and signature service in order to verify the access request.
703. Verifying the access request with the decryption key; if verification succeeds, executing step 704, and if it fails, executing step 705;
After obtaining the decryption key from the authentication and signature service, the first cloud service verifies the access request with it; if verification succeeds, step 704 is executed, and if it fails, step 705 is executed.
704. Allowing the business application to access the first cloud service.
When the first cloud service successfully verifies the access request of the business application, the business application is allowed to access the first cloud service and obtain the cloud computing function it requires.
705. Other processes are performed.
If verification of the business application's access request fails, other processes are executed, such as rejecting the business application's access to the first cloud service or prompting the business application to re-authenticate, which is not limited here.
In this embodiment of the application, custom assembling of the cloud service is described from the first cloud service side: the business application is allowed to access the first cloud service only after its access request has been successfully verified, which improves the security of the first cloud service.
Based on the embodiment of fig. 7, it is easy to see that if the encrypted information in the access request of step 701 is the first user information signed with the RSA private key, the decryption key of step 702 is the public key stored locally by the authentication and signature service; if the encrypted information in the access request of step 701 is the second key, the decryption key of step 702 is the key corresponding to the second key that is stored locally by the authentication and signature service.
Further, the service applications in this embodiment include client-side applications (such as a WeChat application) and server-side applications (such as security vulnerability detection). When the service application is a client-side application, it exchanges data with the first cloud service through the client; when it is a server-side application, it exchanges data with the first cloud service through the server.
The custom assembling of the cloud service in this embodiment has been described above from the first cloud service side; it is described below from the business application side. Referring to fig. 8, another embodiment of the method for custom assembling a cloud service in the embodiments of the present application includes:
801. Sending first user information to an authentication and signature service so that the authentication and signature service encrypts the first user information, the first user information including at least the type of the business application, the unique identification code of the business application end and the identification code of the first cloud service;
It is easy to understand that when a business application needs to access a cloud service, its user information generally needs to be authenticated, so that on the one hand it can be judged whether the business application has the authority to access the cloud service, and on the other hand it can be judged what type of business application is accessing and what type of cloud service is being accessed.
Therefore the first user information in this embodiment includes at least the type of the service application, the unique identification code of the service application end and the identification code of the first cloud service. Specifically, the type of the service application is a client-side application or a server-side application: for example, WeChat is a client-side application, that is, data is exchanged between the client and the cloud service, whereas a security vulnerability monitoring service is a server-side application, because the vulnerabilities it looks for mainly exist on the server side and data must be exchanged between the server and the cloud service.
The unique identification code of the service application end is mainly the identity information of the service application end and is used to authenticate it. Specifically, when the service application is a client-side application, the unique identification code may be a client ID such as the user's telephone number or identity card information; when the service application is a server-side application, it is the client ID of the server, that is, the server ID corresponding to the application. The identification code of the first cloud service mainly identifies which type of cloud service the business application needs to access.
After receiving the first user information from the service application, the authentication and signature service encrypts it with the first key. In this embodiment the preferred mechanism is JWT and the preferred algorithm is RSA, so the "encryption" of the first user information is in fact a signature over the first user information with the RSA private key.
When the algorithm is RSA, a key pair is generated periodically; the authentication and signature service signs the first user information with the private key of the newly generated pair, stores the corresponding public key locally, and publishes the public key through a public key exposure service, for example over HTTP. A verifier must therefore be able to fetch the current public key, and during a rotation it still needs the previous public key for tokens signed before the rotation that have not yet expired.
802. Receiving the encrypted first user information and sending an access request to the first cloud service with it, so that the first cloud service obtains a decryption key from the authentication and signature service and verifies the access request; if verification passes, executing step 803, otherwise executing step 804;
After receiving the encrypted first user information, the service application sends an access request to the first cloud service using it, so that the first cloud service obtains the decryption key from the authentication and signature service and verifies the access request; if verification passes, step 803 is executed, otherwise step 804 is executed.
Optionally, when the algorithm is RSA, the decryption key that the first cloud service obtains from the authentication and signature service is the public key corresponding to the signing private key.
803. Accessing the first cloud service;
When the first cloud service verifies the first user information successfully, the business application is allowed to access the first cloud service and use the application resources on it.
804. Other processes are performed.
When the first cloud service fails to verify the first user information, the service application may be denied access to the first cloud service, or a prompt message may be sent to the first cloud service, and so on, which is not specifically limited here.
In this embodiment of the application, the authentication and signature service provides custom cloud services to the business application through a plurality of decoupled cloud services. Because the authentication and signature service is provided by a third party, on the one hand authentication of the business application can be completed by that third-party service, which avoids business paralysis when the business party's central authentication server fails and improves the flexibility of authentication and signing; on the other hand, the front-end business application can complete its business development by purchasing the cloud services provided by the service provider, which improves the cloud service ecosystem and avoids repeated development of the same services.
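The following Go program is an added example, not code from the patent or its assignee, that carries through the three-party exchange of fig. 1, fig. 7 and fig. 8 with the JWT mechanism described above: the authentication and signature service signs the first user information (the iss, aud, sub, group and scope claims) with an RSA private key and exposes the public key under an address, and the first cloud service fetches that key by the iss address, checks the signature and then checks the scope. The address https://auth.example.test/pubkey, the client_id app-123, the scope name storage, the sample user and the in-memory exposure service are assumptions; the page fixes none of them. Two checks the page leaves implicit are made explicit: the verifier rejects any alg other than RS256 (so a token claiming "alg":"none" fails), and it fetches public keys only from its own known address, because the iss claim is untrusted input until the signature has been checked.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// FirstUserInfo carries the page's custom claims: iss (address of the public key),
// aud (client_id), sub (client ID, empty for a server-side application), group, scope.
type FirstUserInfo struct {
	Iss   string `json:"iss"`
	Aud   string `json:"aud"`
	Sub   string `json:"sub,omitempty"`
	Group string `json:"group,omitempty"`
	Scope string `json:"scope"`
}

var enc = base64.RawURLEncoding

// SignatureService keeps the RSA private key and exposes the public key under addr
// (an assumed address standing in for publication over HTTP).
type SignatureService struct {
	priv *rsa.PrivateKey
	addr string
}

func NewSignatureService(addr string) (*SignatureService, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &SignatureService{priv: priv, addr: addr}, nil
}

// Sign is the "encryption of the first user information": an RS256 JWT, header.payload.signature.
func (s *SignatureService) Sign(info FirstUserInfo) (string, error) {
	info.Iss = s.addr // tells the verifier where to fetch the public key
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	body, _ := json.Marshal(info) // a struct of strings cannot fail to marshal
	input := enc.EncodeToString(hdr) + "." + enc.EncodeToString(body)
	h := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, s.priv, crypto.SHA256, h[:])
	if err != nil {
		return "", err
	}
	return input + "." + enc.EncodeToString(sig), nil
}

// PublicKey is the exposure service. It serves only its own address: iss is attacker-controlled
// until the signature is checked, so a verifier must never fetch keys from an address found in a token.
func (s *SignatureService) PublicKey(addr string) (*rsa.PublicKey, bool) {
	if addr != s.addr {
		return nil, false
	}
	return &s.priv.PublicKey, true
}

// VerifyAccessRequest is the first cloud service's steps 702 and 703.
func VerifyAccessRequest(token, myScope string, fetch func(string) (*rsa.PublicKey, bool)) (*FirstUserInfo, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	hb, err1 := enc.DecodeString(parts[0])
	pb, err2 := enc.DecodeString(parts[1])
	sig, err3 := enc.DecodeString(parts[2])
	if err1 != nil || err2 != nil || err3 != nil {
		return nil, errors.New("token parts are not base64url")
	}
	var hdr struct{ Alg string `json:"alg"` }
	var info FirstUserInfo
	if json.Unmarshal(hb, &hdr) != nil || hdr.Alg != "RS256" || json.Unmarshal(pb, &info) != nil {
		return nil, errors.New("bad header or payload, or alg is not RS256") // also rejects alg=none
	}
	pub, ok := fetch(info.Iss)
	if !ok {
		return nil, errors.New("unknown issuer")
	}
	h := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], sig); err != nil {
		return nil, errors.New("signature verification failed")
	}
	if info.Scope != myScope {
		return nil, errors.New("token was issued for a different cloud service")
	}
	return &info, nil
}

func main() {
	svc, _ := NewSignatureService("https://auth.example.test/pubkey") // assumed address
	tok, _ := svc.Sign(FirstUserInfo{Aud: "app-123", Sub: "user-42", Group: "vip", Scope: "storage"})
	fmt.Println(VerifyAccessRequest(tok, "storage", svc.PublicKey))
}
```

The periodic key rotation of step 801 is not modelled: with rotation, the header would carry a key identifier and the exposure service would serve a set of public keys so that tokens signed under the previous key remain verifiable until they expire.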
Based on the embodiment of fig. 8, when the user's service application is incompatible with the authentication and signature service of this embodiment, that is, the authentication information the user's existing service application provides differs from the authentication information this embodiment requires, the service application may connect to the authentication and signature service through an adapter, so that the service application and the authentication and signature service are joined seamlessly.
Specifically, the workflow in which a service application connects to the authentication and signature service through the adapter is described below. Referring to fig. 9, another embodiment of the method for custom assembling a cloud service in the embodiments of the present application includes:
901. Sending second user information of the service application to the authentication and signature service through an adapter, so that the authentication and signature service sends the second user information to the authentication server of the service application for verification; if verification passes, executing step 902, otherwise executing step 903;
When the service application is incompatible with the authentication and signature service, the service application of this embodiment may send second user information, specifically a user name and a password, to the authentication and signature service through the adapter, so that the authentication and signature service forwards it to the authentication server of the service application for verification; if verification passes, step 902 is executed, otherwise step 903 is executed.
902. If verification passes, receiving the first user information through the adapter, the first user information being obtained by the adapter mapping the second user information according to a preset mapping rule;
If verification passes, the first user information is received through the adapter; the adapter forms it by mapping the second user information according to a preset mapping rule.
For the specific mapping rule, see table 1, which is not repeated here.
903. If verification fails, other processes are executed.
If verification fails, other processes are executed, which is not limited here.
In this embodiment, when the service application is incompatible with the authentication and signature service, the service application is connected to the authentication and signature service through the adapter, which improves the compatibility of the authentication and signature service with service applications.
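As an added example, not code from the patent or its assignee, the following Go program implements the adapter of steps 201 to 204 and 901 to 903: it forwards a user name and password (the second user information) to a stand-in for the business party's original authentication server and, only if that server accepts them, maps the result to the first user information (aud, sub, group, scope) that the authentication and signature service will sign. Table 1 is not available as text, so the shape of the mapping rule (one rule per registered business application, a table from legacy roles to groups, and an empty sub and group for a server-side application), the sample users, passwords, roles and client_ids are all constructed assumptions. The legacy server stores SHA-256 digests of the sample passwords only so the example runs offline; it is a placeholder for the real server's own password verification, not a recommended password store. Two points a practitioner would want are built in: the password is used once and never appears in the mapped result, and a legacy role the rule does not know fails closed instead of becoming some default group.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
)

// SecondUserInfo is what an incompatible business application can supply: a user name and a password.
type SecondUserInfo struct {
	Username, Password string
}

// MappedClaims is the first user information the adapter hands to the signature service for signing.
type MappedClaims struct {
	Aud   string // client_id of the business application
	Sub   string // unique identification code of the application end
	Group string // role, e.g. "vip" or "administrator"
	Scope string // identification code of the cloud service to access
}

type legacyUser struct {
	hash [32]byte // SHA-256 of a constructed sample password (a stand-in, not a password store)
	role string   // the legacy role vocabulary, e.g. "member_vip"
}

// LegacyAuthServer stands in for the business party's original authentication server.
type LegacyAuthServer struct{ users map[string]legacyUser }

func NewLegacyAuthServer(passwords, roles map[string]string) *LegacyAuthServer {
	s := &LegacyAuthServer{users: map[string]legacyUser{}}
	for u, p := range passwords {
		s.users[u] = legacyUser{hash: sha256.Sum256([]byte(p)), role: roles[u]}
	}
	return s
}

// Verify checks the credentials in constant time and returns the legacy role.
func (l *LegacyAuthServer) Verify(username, password string) (string, bool) {
	u, found := l.users[username]
	h := sha256.Sum256([]byte(password))
	if subtle.ConstantTimeCompare(h[:], u.hash[:]) != 1 || !found {
		return "", false
	}
	return u.role, true
}

// MappingRule is the adapter's preset mapping rule; its shape is an assumption (Table 1 is an image).
type MappingRule struct {
	ClientID    string            // becomes aud
	Scope       string            // the cloud service the application needs
	ServerSide  bool              // server-side application: sub and group stay empty
	RoleToGroup map[string]string // legacy role -> group
}

// Adapt is steps 201 to 203: forward the second user information to the original authentication
// server and, on success, map it to first user information. The password never reaches the result.
func (r MappingRule) Adapt(auth *LegacyAuthServer, in SecondUserInfo) (*MappedClaims, error) {
	role, ok := auth.Verify(in.Username, in.Password)
	if !ok {
		return nil, errors.New("original authentication server rejected the credentials") // step 204
	}
	c := &MappedClaims{Aud: r.ClientID, Scope: r.Scope}
	if r.ServerSide {
		return c, nil
	}
	group, ok := r.RoleToGroup[role]
	if !ok {
		// Fail closed: an unmapped legacy role must not silently become a default group.
		return nil, fmt.Errorf("no group mapping for legacy role %q", role)
	}
	c.Sub = in.Username // assumption: the legacy user name serves as the client ID
	c.Group = group
	return c, nil
}

// SampleLegacyServer holds constructed sample users; "bob" has an unmapped role, "svc-scan" is a server account.
func SampleLegacyServer() *LegacyAuthServer {
	return NewLegacyAuthServer(
		map[string]string{"alice": "correct horse", "bob": "battery staple", "svc-scan": "s3rv3r-s3cr3t"},
		map[string]string{"alice": "member_vip", "bob": "intern", "svc-scan": ""},
	)
}

var ClientRule = MappingRule{ClientID: "app-123", Scope: "storage",
	RoleToGroup: map[string]string{"member_vip": "vip", "staff_admin": "administrator"}}

var ServerRule = MappingRule{ClientID: "scanner-1", Scope: "vulnscan", ServerSide: true}

func main() {
	auth := SampleLegacyServer()
	fmt.Println(ClientRule.Adapt(auth, SecondUserInfo{"alice", "correct horse"}))
	fmt.Println(ClientRule.Adapt(auth, SecondUserInfo{"bob", "battery staple"})) // unmapped role: fails closed
	fmt.Println(ServerRule.Adapt(auth, SecondUserInfo{"svc-scan", "s3rv3r-s3cr3t"}))
}
```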
Based on the embodiment of fig. 9: when the service application sends an access request to the first cloud service using the encrypted first user information, the first cloud service could read the unique identification code of the service application end (such as the client ID, or the client_id of the server) out of the first user information and use it to simulate the user's behaviour. To prevent this, after receiving the encrypted first user information, the following steps may also be performed in this embodiment to protect the first user information. Referring to fig. 10, another embodiment of the method for custom assembling a cloud service in the embodiments of the present application includes:
1001. Sending a second key request to the authentication and signature service;
The purpose is to avoid the situation in which the business application sends an access request to the first cloud service using the encrypted first user information, the unique identification code of the business application end carried in the first user information is thereby disclosed, and the first cloud service simulates the behaviour of the business application end, creating a security risk.
In this embodiment, after receiving the encrypted first user information, the service application may send a second key request to the authentication and signature service, so that it can send its access request to the first cloud service with a second key; the second key does not allow the first cloud service to obtain the first user information.
1002. Receiving the second key sent by the authentication and signature service, the second key being formed by the authentication and signature service replacing the encrypted first user information.
After receiving the second key request, the authentication and signature service replaces the encrypted first user information with a second key; after receiving the second key, the service application sends its access request to the first cloud service using it, and the first user information is not disclosed.
In this embodiment, to avoid disclosure of the first user information, the encrypted first user information in the access request is replaced with the second key, which does not allow the first cloud service to obtain the first user information, so that the security of the first user information is ensured.
Further, the service applications in this embodiment include client-side applications (such as a WeChat application) and server-side applications (such as security vulnerability detection). When the service application is a client-side application, it exchanges data with the first cloud service through the client; when it is a server-side application, it exchanges data with the first cloud service through the server.
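The Go program below is an added example, not code from the patent or its assignee, for the second key of fig. 6 and fig. 10. It shows the problem the second key addresses, namely that anyone holding the signed first user information can read sub out of the payload without any key, and one way to close it: the authentication and signature service seals the signed first user information under an AES-256-GCM key it keeps locally (the "decryption key corresponding to the second key"), and hands back an opaque second key. It departs from one literal reading of the text: the first cloud service is not given that key, because a cloud service holding it could recover the first user information, which is exactly what the second key is meant to prevent; instead the cloud service asks the signature service whether the second key is valid and for which aud and scope, and receives no sub or group. AES-GCM, the "sk." prefix, the introspection response shape, the placeholder signature and the sample claims are all assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

var enc = base64.RawURLEncoding

// KeyService models the part of the authentication and signature service that issues second keys.
// The AES-GCM key is the "decryption key corresponding to the second key"; it never leaves the service.
type KeyService struct{ aead cipher.AEAD }

func NewKeyService() (*KeyService, error) {
	key := make([]byte, 32) // AES-256
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	return &KeyService{aead: aead}, err
}

// IssueSecondKey is step 602: the signed first user information becomes "sk." + nonce||ciphertext.
func (k *KeyService) IssueSecondKey(signedFirstInfo string) (string, error) {
	nonce := make([]byte, k.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	return "sk." + enc.EncodeToString(k.aead.Seal(nonce, nonce, []byte(signedFirstInfo), nil)), nil
}

// Introspection is what the first cloud service learns about a second key: validity, aud and
// scope, but not the sub or group that identify the application end.
type Introspection struct {
	Active bool   `json:"active"`
	Aud    string `json:"aud,omitempty"`
	Scope  string `json:"scope,omitempty"`
}

// Introspect opens the second key with the locally held key; anything malformed or tampered is inactive.
func (k *KeyService) Introspect(secondKey string) Introspection {
	raw, err := enc.DecodeString(strings.TrimPrefix(secondKey, "sk."))
	ns := k.aead.NonceSize()
	if err != nil || !strings.HasPrefix(secondKey, "sk.") || len(raw) < ns {
		return Introspection{}
	}
	pt, err := k.aead.Open(nil, raw[:ns], raw[ns:], nil)
	if err != nil {
		return Introspection{} // wrong key, or ciphertext/tag modified
	}
	claims, err := JWTPayload(string(pt))
	if err != nil {
		return Introspection{}
	}
	return Introspection{Active: true, Aud: claims["aud"], Scope: claims["scope"]}
}

// JWTPayload reads the claims of a header.payload.signature token without checking the signature:
// this is all a holder of the signed first user information needs to do to read sub. It fails on a second key.
func JWTPayload(tok string) (map[string]string, error) {
	parts := strings.Split(tok, ".")
	if len(parts) != 3 {
		return nil, errors.New("not a three-part token")
	}
	b, err := enc.DecodeString(parts[1])
	if err != nil {
		return nil, err
	}
	var m map[string]string
	err = json.Unmarshal(b, &m)
	return m, err
}

// ConstructedJWT is a sample token with a placeholder signature, built only to show the readable payload.
func ConstructedJWT() string {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	body, _ := json.Marshal(map[string]string{"iss": "https://auth.example.test/pubkey", "aud": "app-123", "sub": "user-42", "group": "vip", "scope": "storage"})
	return enc.EncodeToString(hdr) + "." + enc.EncodeToString(body) + ".placeholder-signature"
}

func main() {
	ks, _ := NewKeyService()
	jwt := ConstructedJWT()
	sk, _ := ks.IssueSecondKey(jwt)
	fmt.Println(JWTPayload(jwt)) // sub is readable by whoever holds the signed first user information
	fmt.Printf("%+v\n", ks.Introspect(sk))
}
```

Because the second key is only meaningful to the service that sealed it, the first cloud service's step 702 becomes a call to the signature service rather than a key download, and the signature service can revoke or expire second keys without the cloud service ever holding key material.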
An embodiment of the present application further provides a system for custom assembling a cloud service, including the authentication and signature service described with reference to figs. 1 to 6, the first cloud service described with reference to fig. 7, and the business application described with reference to figs. 8 to 10. The business application interacts with the authentication and signature service and the first cloud service to implement custom assembling of the cloud service; the interaction flow among the three may refer to the description of the method for custom assembling a cloud service in figs. 1 to 10 and is not repeated here.
The custom-assembled cloud service of this embodiment has been described above; a computer device of this embodiment is described below from the perspective of hardware processing. The computer device is a node of a CDN network and is used to implement the functions on the authentication and signature service side. An embodiment of the computer device in the embodiments of the present invention includes:
a processor and a memory;
the memory is used for storing the computer program, and the processor is used for realizing the following steps when executing the computer program stored in the memory:
receiving first user information sent by a business application, wherein the first user information at least comprises the type of the business application, a unique identification code of a business application end and an identification code of a first cloud service;
performing encryption on the first user information using a first key;
and sending the encrypted first user information to the service application, so that the service application sends an access request to the first cloud service by using the encrypted first user information.
In some embodiments of the present invention, the processor may be further configured to implement the following steps:
receiving second user information of the service application through an adapter;
sending the second user information to the authentication server of the service application for verification through the adapter;
and if verification passes, generating, by the adapter, the first user information from the second user information according to a preset mapping rule.
In some embodiments of the present invention, the processor may be further configured to:
receiving a second key request sent by the business application, so that the business application sends an access request to the first cloud service through a second key, wherein the second key enables the first cloud service not to obtain the first user information;
and replacing the encrypted first user information with the second key according to the second key request.
In some embodiments of the present invention, the processor may be further configured to:
storing locally the decryption keys corresponding to the first key and the second key.
Another embodiment of the computer device in the embodiments of the invention, where the computer device is a node of a CDN network and is used to implement the functions on the first cloud service side, includes a processor and a memory, the processor implementing the following steps when executing the computer program stored in the memory:
receiving an access request sent by the service application, wherein the access request is encrypted by the authentication signature service;
obtaining a decryption key from the authentication signing service;
verifying the access request by using the decryption key;
and if the verification is passed, allowing the business application to access the first cloud service.
In some embodiments of the present invention, the processor may be further configured to:
allowing the client application to access the first cloud service, and performing data interaction with the first cloud service through a client;
in some embodiments of the present invention, the processor may be further configured to:
and allowing the server side application to access the first cloud service, and performing data interaction with the first cloud service through an application server.
Another embodiment of the computer device in the embodiments of the invention, where the computer device is a node of a CDN network and is used to implement the functions on the service application side, includes a processor and a memory, the processor implementing the following steps when executing the computer program stored in the memory:
sending first user information to an authentication signature service, so that the authentication signature service encrypts the first user information, wherein the first user information at least comprises the type of a business application, a unique identification code of the business application and an identification code of a first cloud service;
receiving encrypted first user information, and sending an access request to a first cloud service by using the encrypted first user information, so that the first cloud service acquires a decryption key from the authentication and signature service and verifies the access request;
and if the verification is passed, accessing the first cloud service.
In some embodiments of the present invention, the processor may be further configured to:
sending second user information of the service application to the authentication signature service through an adapter, so that the authentication signature service sends the second user information to an authentication server of the service application for verification;
and if the verification is passed, receiving the first user information through the adapter, wherein the first user information is formed by mapping the second user information through the adapter according to a preset mapping rule.
In some embodiments of the present invention, the processor may be further configured to:
sending a second key request to the authentication signature service;
and receiving a second secret key sent by the authentication and signing service, wherein the second secret key is formed by replacing the encrypted first user information by the authentication and signing service.
When the service application is the client application, in some embodiments of the present invention, the processor may be further configured to implement the following steps:
performing data interaction with the first cloud service through a client;
when the service application is the server-side application, in some embodiments of the present invention, the processor may be further configured to implement the following steps:
and performing data interaction with the first cloud service through a server.
It can be understood that, no matter on the side of the authentication signature service, the side of the first cloud service, or the side of the service application, when the processor in the computer device described above executes the computer program, the functions of each unit in each device embodiment described above may also be implemented, and details are not described here. Illustratively, the computer program may be partitioned into one or more modules/units that are stored in the memory and executed by the processor to implement the invention. The one or more modules/units may be a series of computer program instruction segments capable of performing a specific function, which are used for describing an execution process of the computer program in the authentication signature service/first cloud service. For example, the computer program may be divided into units in the authentication signature service described above, which may implement specific functions as described above in the description of the corresponding authentication signature service.
The computer device can be a desktop computer, a notebook, a palm computer, a cloud server and other computing equipment. The computer device may include, but is not limited to, a processor, a memory. It will be appreciated by those skilled in the art that the processor, memory are merely examples of a computer apparatus and are not meant to be limiting, and that more or fewer components may be included, or certain components may be combined, or different components may be included, for example, the computer apparatus may also include input output devices, network access devices, buses, etc.
The Processor may be a Central Processing Unit (CPU), other general purpose Processor, a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), an off-the-shelf Programmable Gate Array (FPGA) or other Programmable logic device, discrete Gate or transistor logic device, discrete hardware component, etc. The general purpose processor may be a microprocessor or the processor may be any conventional processor or the like, the processor being the control center of the computer apparatus, various interfaces and lines connecting the various parts of the overall computer apparatus.
The memory may be used to store the computer programs and/or modules, and the processor may implement various functions of the computer device by running or executing the computer programs and/or modules stored in the memory and invoking data stored in the memory. The memory may mainly include a storage program area and a storage data area, wherein the storage program area may store an operating system, an application program required for at least one function, and the like; the storage data area may store data created according to the use of the terminal, and the like. In addition, the memory may include high-speed random access memory, and may also include non-volatile memory, such as a hard disk, a memory, a plug-in hard disk, a Smart Media Card (SMC), a Secure Digital (SD) Card, a Flash memory Card (Flash Card), at least one magnetic disk storage device, a Flash memory device, or other volatile solid state storage device.
The present invention also provides a computer-readable storage medium for implementing the functions on the authentication signature service side. A computer program is stored on it which, when executed by a processor, causes the processor to perform the steps of:
receiving first user information sent by a business application, wherein the first user information at least comprises the type of the business application, a unique identification code of a business application end and an identification code of a first cloud service;
performing encryption on the first user information using a first key;
and sending the encrypted first user information to the service application, so that the service application sends an access request to the first cloud service by using the encrypted first user information.
In some embodiments of the invention, the computer program stored on the computer-readable storage medium, when executed by the processor, may be specifically configured to perform the steps of:
the authentication signature service receives second user information of the service application through an adapter;
sending the second user information to an authentication server of the service application for verification through the adapter;
and if the verification is passed, generating the first user information by the adapter according to the second user information according to a preset mapping rule.
In some embodiments of the invention, the computer program stored on the computer-readable storage medium, when executed by the processor, may be specifically configured to perform the steps of:
receiving a second key request sent by the business application, so that the business application sends an access request to the first cloud service through a second key, wherein the second key enables the first cloud service not to obtain the first user information;
and replacing the encrypted first user information with the second key according to the second key request.
In some embodiments of the invention, the computer program stored on the computer-readable storage medium, when executed by the processor, may be specifically configured to perform the steps of:
and storing locally the decryption keys corresponding to the first key and the second key.
The present invention also provides another computer-readable storage medium for implementing the functions on the first cloud service side. A computer program is stored on it which, when executed by a processor, causes the processor to perform the steps of:
receiving an access request sent by the service application, wherein the access request is encrypted by the authentication signature service;
obtaining a decryption key from the authentication signing service;
verifying the access request by using the decryption key;
and if the verification is passed, allowing the business application to access the first cloud service.
In some embodiments of the invention, the computer program stored on the computer-readable storage medium, when executed by the processor, may be specifically configured to perform the steps of:
allowing the client application to access the first cloud service, and performing data interaction with the first cloud service through a client.
In some embodiments of the invention, the computer program stored on the computer-readable storage medium, when executed by the processor, may be specifically configured to perform the steps of:
and allowing the server side application to access the first cloud service, and performing data interaction with the first cloud service through an application server.
The present invention also provides another computer-readable storage medium for implementing the functions on the business application side. A computer program is stored on it which, when executed by a processor, causes the processor to perform the following steps:
sending first user information to an authentication signature service, so that the authentication signature service encrypts the first user information, wherein the first user information at least comprises the type of a business application, a unique identification code of the business application and an identification code of a first cloud service;
receiving the encrypted first user information, and sending an access request to the first cloud service by using the encrypted first user information, so that the first cloud service acquires a decryption key from the authentication signature service and verifies the access request;
and if the verification is passed, accessing the first cloud service.
In some embodiments of the invention, the computer program stored on the computer-readable storage medium, when executed by the processor, may be specifically configured to perform the steps of:
sending second user information of the service application to the authentication signature service through an adapter, so that the authentication signature service sends the second user information to an authentication server of the service application for verification;
and if the verification is passed, receiving the first user information through the adapter, wherein the first user information is formed by mapping the second user information through the adapter according to a preset mapping rule.
In some embodiments of the invention, the computer program stored on the computer-readable storage medium, when executed by the processor, may be specifically configured to perform the steps of:
sending a second key request to the authentication signature service;
and receiving a second secret key sent by the authentication signature service, wherein the second secret key is formed by replacing the encrypted first user information by the authentication signature service.
When the business application is the client application, in some embodiments of the present invention the computer program stored on the computer-readable storage medium, when executed by the processor, may be specifically configured to perform the following step:
performing data interaction with the first cloud service through a client.
When the business application is the server-side application, in some embodiments of the present invention the computer program stored on the computer-readable storage medium, when executed by the processor, may be specifically configured to perform the following step:
and performing data interaction with the first cloud service through a server.
It will be appreciated that the integrated units, if implemented as software functional units and sold or used as stand-alone products, may be stored in a corresponding computer-readable storage medium. Based on such understanding, all or part of the flow of the method of the above embodiments may be implemented by a computer program, which may be stored in a computer-readable storage medium and executed by a processor to implement the steps of the above method embodiments. The computer program comprises computer program code, which may be in the form of source code, object code, an executable file, some intermediate form, etc. The computer-readable medium may include any entity or device capable of carrying the computer program code, a recording medium, a USB flash drive, a removable hard disk, a magnetic disk, an optical disk, a computer memory, Read-Only Memory (ROM), Random Access Memory (RAM), an electrical carrier signal, a telecommunications signal, a software distribution medium, etc. It should be noted that the content a computer-readable medium may contain can be increased or decreased as appropriate according to the requirements of legislation and patent practice in each jurisdiction; for example, in some jurisdictions, computer-readable media do not include electrical carrier signals and telecommunications signals under that legislation and patent practice.
It is clear to those skilled in the art that, for convenience and brevity of description, the specific working processes of the above-described systems, apparatuses and units may refer to the corresponding processes in the foregoing method embodiments, and are not described herein again.
In the several embodiments provided in the present application, it should be understood that the disclosed system, apparatus and method may be implemented in other manners. For example, the above-described apparatus embodiments are merely illustrative, and for example, the division of the units is only one type of logical functional division, and other divisions may be realized in practice, for example, multiple units or components may be combined or integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection through some interfaces, devices or units, and may be in an electrical, mechanical or other form.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one position, or may be distributed on multiple network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, functional units in the embodiments of the present invention may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit. The integrated unit can be realized in a form of hardware, and can also be realized in a form of a software functional unit.
The above embodiments are only used to illustrate the technical solution of the present invention, and not to limit the same; although the present invention has been described in detail with reference to the foregoing embodiments, it should be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some technical features may be equivalently replaced; and such modifications or substitutions do not depart from the spirit and scope of the corresponding technical solutions of the embodiments of the present invention.

Claims (19)

1. A method for assembling cloud services in a user-defined manner is characterized in that a plurality of cloud services are respectively and independently arranged on a plurality of servers, an authentication signature service is independent of business application, and the method is applied to the authentication signature service and comprises the following steps:
receiving first user information sent by a business application, wherein the first user information at least comprises the type of the business application, a unique identification code of a business application end and an identification code of a first cloud service;
performing encryption on the first user information using a first key;
sending the encrypted first user information to the service application, so that the service application sends an access request to a first cloud service by using the encrypted first user information;
when the business application is not compatible with the authentication signature service, the method further comprises:
the authentication signature service receives second user information of the service application through an adapter;
the authentication signature service sends the second user information to an authentication server of the service application through the adapter for verification;
and if the verification is passed, mapping the second user information into the first user information according to a preset mapping rule through the adapter.
2. The method of claim 1, wherein the encryption mechanism is a JWT mechanism and the encryption algorithm is an RSA encryption algorithm.
3. The method according to claim 1 or 2, wherein after sending the encrypted first user information to the service application, the method further comprises:
receiving a second key request sent by the business application, so that the business application sends an access request to the first cloud service through a second key, wherein the second key enables the first cloud service not to obtain the first user information;
and replacing the encrypted first user information with the second key according to the second key request.
4. The method of claim 3, further comprising:
and storing locally the decryption keys corresponding to the first key and the second key.
5. A method for assembling cloud services in a user-defined manner is characterized in that a plurality of cloud services are respectively and independently arranged on a plurality of servers, an authentication signature service is independent of business application, the method is applied to a first cloud service, and the method comprises the following steps:
receiving an access request sent by the service application, wherein the access request is encrypted by the authentication signature service, the access request is sent by the service application by using encrypted first user information, and the encrypted first user information used by the service application is sent by the authentication signature service after encrypting the first user information received from the service application;
obtaining a decryption key from the authentication signing service;
verifying the access request by using the decryption key;
if the verification is passed, allowing the business application to access the first cloud service;
when the service application is incompatible with the authentication signature service, the authentication signature service receives second user information of the service application through an adapter, and the authentication signature service sends the second user information to an authentication server of the service application through the adapter for verification; and if the verification is successful, mapping the second user information into the first user information according to a preset mapping rule through the adapter.
6. The method of claim 5 wherein the encryption mechanism is a JWT mechanism and the encryption algorithm is an RSA encryption algorithm.
7. The method according to claim 6, wherein when the encrypted information included in the access request is the first user information encrypted by using a private key in the RSA encryption algorithm, the decryption key is a public key corresponding to the private key.
8. The method according to claim 6, wherein when the encrypted information included in the access request is a second key, the decryption key is a decryption key corresponding to the second key, and the second key is obtained by the authentication signature service replacing the encrypted first user information.
9. The method according to claim 5, wherein the authentication signature service is integrated on a server corresponding to the cloud service;
or, alternatively,
the authentication signature service is arranged on an independent server.
10. The method of any of claims 5 to 9, wherein the business application comprises a client-side application and a server-side application;
when the business application is the client application, the allowing the business application to access the first cloud service includes:
allowing the client application to access the first cloud service, and performing data interaction with the first cloud service through a client;
when the business application is the server-side application, the allowing the business application to access the first cloud service includes:
and allowing the server side application to access the first cloud service, and performing data interaction with the first cloud service through a server.
11. A method for assembling cloud services in a user-defined manner is characterized in that a plurality of cloud services are respectively and independently arranged on a plurality of servers, an authentication signature service is independent of business applications, the method is applied to the business applications, and the method comprises the following steps:
sending first user information to an authentication signature service, so that the authentication signature service encrypts the first user information, wherein the first user information at least comprises the type of a business application, a unique identification code of the business application and an identification code of a first cloud service;
receiving the encrypted first user information, and sending an access request to the first cloud service by using the encrypted first user information, so that the first cloud service acquires a decryption key from the authentication signature service and verifies the access request;
if the verification is passed, accessing the first cloud service;
when the business application is not compatible with the authentication signature service, the method further comprises:
sending second user information of the service application to the authentication signature service through an adapter, so that the authentication signature service sends the second user information to an authentication server of the service application for verification;
and if the verification is passed, receiving the first user information through the adapter, wherein the first user information is formed by mapping the second user information through the adapter according to a preset mapping rule.
12. The method of claim 11 wherein the encryption mechanism is a JWT mechanism and the encryption algorithm is an RSA encryption algorithm.
13. The method according to claim 11 or 12, wherein after the receiving the encrypted first user information and before the sending the access request to the first cloud service by using the encrypted first user information, the method further comprises:
sending a second key request to the authentication signature service;
and receiving a second key sent by the authentication signature service, wherein the second key is formed by the authentication signature service replacing the encrypted first user information.
14. The method according to claim 12, wherein when the encrypted information included in the access request is the first user information encrypted by using a private key in the RSA encryption algorithm, the decryption key is a public key corresponding to the private key.
15. The method according to claim 13, wherein when the encryption information included in the access request is a second key, the decryption key is a decryption key corresponding to the second key.
16. The method of claim 11, wherein the business application comprises a client-side application and a server-side application;
when the business application is the client application, the accessing the first cloud service comprises:
the client application accesses the first cloud service, and data interaction is carried out between the client application and the first cloud service;
when the business application is the server-side application, the accessing the first cloud service includes:
the server-side application accesses the first cloud service, and data interaction is carried out between the server-side application and the first cloud service.
17. A system for custom assembling cloud services, comprising: computer apparatus for the method of any one of claims 1 to 4, computer apparatus for the method of any one of claims 5 to 10, and computer apparatus for the method of any one of claims 11 to 16.
18. A computer arrangement comprising a processor and a memory, wherein the processor, when executing a computer program stored on the memory, is configured to implement a method of custom assembling a cloud service as claimed in any of claims 1 to 4 or any of claims 5 to 10, or any of claims 11 to 16.
19. A computer readable storage medium having stored thereon a computer program for implementing a method of custom assembling a cloud service according to any of claims 1 to 4 or any of claims 5 to 10, or any of claims 11 to 16 when executed by a processor.
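The storage-medium embodiments above and claims 1 to 16 describe one exchange seen from three sides: the business application, the authentication signature service and the first cloud service. The Go program below is an added example, not code from the patent or its assignee, that plays all three in-process: it assumes a compact JWT signed with RS256 (so the "encryption with a private key" of claims 2 and 7 is an RSA signature that the cloud service checks with the public key it fetches), models the second key of claims 3 and 8 as an opaque random value that the cloud service resolves by asking the authentication signature service, leaves out the adapter of claim 1, and adds a check that the signed cloud-service identifier matches the verifying service; identifiers such as "svc-storage" and "app-001" are constructed.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
)

var b64 = base64.RawURLEncoding
var jwtHeader = b64.EncodeToString([]byte(`{"alg":"RS256","typ":"JWT"}`))

// FirstUserInfo is the payload the authentication signature service signs (claim 1).
type FirstUserInfo struct {
	AppType   string `json:"app_type"`
	AppID     string `json:"app_id"`     // unique identification code of the business application
	ServiceID string `json:"service_id"` // identification code of the first cloud service
}

// AuthSignService holds the first key (RSA private key) and, per claim 4, the locally stored second keys.
type AuthSignService struct {
	priv       *rsa.PrivateKey
	secondKeys map[string]FirstUserInfo
}
func NewAuthSignService() (*AuthSignService, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048) // the first key; callers must check err
	return &AuthSignService{priv: priv, secondKeys: map[string]FirstUserInfo{}}, err
}
// DecryptionKey is the public half of the first key, which a cloud service fetches (claim 7).
func (a *AuthSignService) DecryptionKey() *rsa.PublicKey { return &a.priv.PublicKey }
// Sign returns a compact RS256 JWT (header.payload.signature) over the first user information.
func (a *AuthSignService) Sign(info FirstUserInfo) (string, error) {
	payload, _ := json.Marshal(info) // a struct of plain strings cannot fail to marshal
	in := jwtHeader + "." + b64.EncodeToString(payload)
	digest := sha256.Sum256([]byte(in))
	sig, err := rsa.SignPKCS1v15(rand.Reader, a.priv, crypto.SHA256, digest[:])
	return in + "." + b64.EncodeToString(sig), err
}
// IssueSecondKey replaces a valid signed token with an opaque random key (claim 3) that hides the payload.
func (a *AuthSignService) IssueSecondKey(token string) (string, error) {
	info, err := VerifyJWT(token, a.DecryptionKey())
	if err != nil {
		return "", err
	}
	raw := make([]byte, 32)
	if _, err = rand.Read(raw); err != nil {
		return "", err
	}
	a.secondKeys[b64.EncodeToString(raw)] = info
	return b64.EncodeToString(raw), nil
}
// ResolveSecondKey validates a second key for a cloud service without disclosing the payload (serviceID binding is assumed).
func (a *AuthSignService) ResolveSecondKey(key, serviceID string) bool {
	info, ok := a.secondKeys[key]
	return ok && info.ServiceID == serviceID
}
// VerifyJWT checks the RS256 signature with the public key and decodes the payload.
func VerifyJWT(token string, pub *rsa.PublicKey) (info FirstUserInfo, err error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return info, errors.New("malformed token")
	}
	p, e1 := b64.DecodeString(parts[1])
	sig, e2 := b64.DecodeString(parts[2])
	if parts[0] != jwtHeader || e1 != nil || e2 != nil {
		return info, errors.New("bad header or encoding") // pin the exact header; never honour "alg" from the token
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err = rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return info, err
	}
	err = json.Unmarshal(p, &info)
	return info, err
}
// Authorize is the cloud service side (claims 5, 7, 8); the service-ID match is an added check against cross-service reuse.
func Authorize(a *AuthSignService, serviceID, credential string) bool {
	if !strings.Contains(credential, ".") { // second keys carry no dots; a compact JWT always does
		return a.ResolveSecondKey(credential, serviceID)
	}
	info, err := VerifyJWT(credential, a.DecryptionKey())
	return err == nil && info.ServiceID == serviceID
}
```

Comparing the header byte-for-byte against the single RS256 header the service issues is what keeps a verifier from honouring an algorithm named inside the token itself, the usual weak point of JWT verification.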
CN201910877062.3A 2019-09-17 2019-09-17 Method and related device for assembling cloud service in user-defined manner Active CN110602218B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910877062.3A CN110602218B (en) 2019-09-17 2019-09-17 Method and related device for assembling cloud service in user-defined manner


Publications (2)

Publication Number Publication Date
CN110602218A CN110602218A (en) 2019-12-20
CN110602218B true CN110602218B (en) 2023-02-14

Family

ID=68860255


Country Status (1)

Country Link
CN (1) CN110602218B (en)


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant