CN110650112A - Universal authentication method and device and cloud service network system - Google Patents

Publication number
CN110650112A
Authority
CN
China
Prior art keywords
authentication
access request
authentication result
source station
universal
Legal status
Granted
Application number
CN201810679837.1A
Other languages
Chinese (zh)
Other versions
CN110650112B (en)
Inventor
刘竞超
曾东方
苗辉
Current Assignee
Guizhou Baishan Cloud Polytron Technologies Inc
Original Assignee
Guizhou Baishan Cloud Polytron Technologies Inc
Application filed by Guizhou Baishan Cloud Polytron Technologies Inc
Priority to CN202010061961.9A (CN111277592B)
Priority to CN201810679837.1A (CN110650112B)
Publication of CN110650112A
Application granted
Publication of CN110650112B
Legal status: Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources

Abstract

The invention discloses a universal authentication method, a universal authentication device and a cloud service network system. The disclosed universal authentication method comprises the following steps: receiving access requests for resources of different source stations and/or of different types of services of the same source station; authenticating each access request with the authentication algorithm corresponding to the source station and/or type of service concerned, to obtain an original authentication result; and converting the original authentication result and outputting a general authentication result, wherein the general authentication result comprises access request identifiers in one-to-one correspondence with the access requests and authentication flag bits indicating whether the authentication passed. The disclosed technical scheme can perform general authentication on access requests of different formats, unifies how the server side of the cloud service network determines that a client has the right to access resources and provides them, and saves the cost of subsequent upgrading and development.

Description

Universal authentication method and device and cloud service network system
Technical Field
The invention relates to the technical field of internet, in particular to a universal authentication method, a universal authentication device and a cloud service network system.
Background
With the development of multimedia technology and the rapid increase in short-video, music and picture traffic, some illegitimate third-party websites or mobile apps obtain access to resources they are not authorized for by hotlinking (link theft), causing huge economic losses to source station customers.
Therefore, most source station customers and service providers require client requests to be authenticated in order to prevent illegal access to resources. The prior art generally adopts the following three schemes:
1) Perform anti-hotlinking verification of the client request at the cloud service network node, checking information such as the Referer and token in the request to judge whether the link is stolen. This authentication mode is easy to crack, and the actual effect is not good.
2) Send the client's request directly back to the source station customer (i.e., the customer's source station) for authentication. This approach tends to put access pressure on the source station and can even cause the source station to crash.
3) Set up an authentication service (device) at the cloud service network node, and reduce the pressure on the source station by forwarding client requests and caching the source station's authentication results. Most cloud service network vendors currently adopt this method, and it helps the source station relieve authentication pressure.
However, with the third method, the format requirements and algorithms for authentication requests may differ for each source station customer, so the cache service software (i.e., devices or modules) of the cloud service network node (e.g., service software for web page caching, service software for streaming media caching, etc.) has to interface with a different authentication algorithm implementation for each source station customer. For example, if the cache service software of the cloud service network node has to process and interface with the authentication request formats of multiple source station customers, it must simultaneously implement parameter construction logic for the differently formatted authentication requests of those customers, which causes a certain amount of resource redundancy. In addition, each time an authentication request in a different format is added for a source station customer, the cache service software (i.e., device or module) requires a code modification and a service upgrade.
More specifically, with the third method, most cloud service providers set up an authentication server. If the source station's requirements on the content of the authentication request are simple, only the URL of the resource requested by the client needs to be transmitted, and the authentication server can cache a mapping between the URL requested by the client and the authentication result (a unique request ID, i.e., an access request identifier, generated from the client IP and the client may also be needed). The same URL request then hits the authentication result cache and the authentication server returns the result directly. Otherwise, authentication goes back to the customer's source station. If the source station customer has requirements on the format of the authentication request, the cache service software (i.e., a device or module) must extract parameters and construct a request according to the customer's rules, and then send the request back to the customer's source station for authentication (the customer may require the parameters in the query string of the request URL, in JSON format, etc.). In this scenario, non-reusable code logic has to be added to the cache service continually as different customers are onboarded, and the online service has to be upgraded each time. When the cache service software of the cloud service network node has to perform authentication with the authentication software (i.e., devices or modules) of multiple source station customers, it likewise needs additional development and upgrades, which wastes considerable time and cost and brings the risks of upgrading the service.
In order to solve the above problems, a new technical solution needs to be proposed.
Disclosure of Invention
The general authentication method according to the present invention comprises:
receiving access requests for resources of different source stations and/or different types of services of the same source station;
authenticating the access request by using authentication algorithms corresponding to different types of services of different source stations and/or the same source station to obtain an original authentication result;
converting the original authentication result, outputting a general authentication result,
the general authentication result comprises access request identifiers corresponding to the access requests one by one and authentication flag bits used for indicating whether the authentication is passed or not.
According to the universal authentication method of the present invention, the converting the original authentication result comprises:
matching the original authentication result against a preset general authentication result template, extracting the non-general part of the original authentication result, and converting that non-general part into a uniform authentication flag bit.
The general authentication method according to the present invention further comprises:
storing the general authentication result;
looking up, in the stored general authentication results, the authentication flag bit for the access request, using the access request identifier as the key,
wherein the access request identifiers correspond one-to-one to the authentication flag bits.
The general authentication method according to the present invention further comprises:
when the authentication is determined to have passed based on the authentication flag bit, determining that the access request is legal and allowing the access request, and when the authentication is determined not to have passed based on the authentication flag bit, determining that the access request is illegal and rejecting the access request; and/or
allowing the access request before the access request is authenticated; when the authentication is determined to have passed based on the authentication flag bit, determining that the access request is legal and not interrupting the access request; when the authentication is determined not to have passed based on the authentication flag bit, determining that the access request is illegal and stopping the response to the access request.
The general authentication method according to the present invention further comprises:
receiving a new format access request for a new source station and/or a new different type of service for the same source station;
the authentication algorithm is extended to support authentication for new formats of access requests.
The universal authentication method according to the present invention, wherein the extended authentication algorithm comprises:
analyzing the authentication rules of the new source station and/or of the new type of service of the same source station, identifying the parameter part of the authentication logic that must change, implementing that part through modular programming, updating the universal internal interaction interface for the new source station and/or the new type of service, and loading the changed authentication logic by hot update, thereby implementing a new authentication algorithm for the authentication service.
The general authentication device according to the present invention comprises:
the extensible access request receiving module is used for receiving access requests aiming at different source stations and/or resources of different types of services of the same source station;
the extensible authentication result calculation module is used for authenticating the access request by using authentication algorithms corresponding to different types of services of different source stations and/or the same source station to obtain an original authentication result;
a general authentication result conversion module for converting the original authentication result and outputting a general authentication result,
the general authentication result comprises access request identifiers corresponding to the access requests one by one and authentication flag bits used for indicating whether the authentication is passed or not.
According to the universal authentication device of the present invention, the universal authentication result conversion module is further configured to:
match the original authentication result against a preset general authentication result template, extract the non-general part of the original authentication result, and convert that non-general part into a uniform authentication flag bit.
The general authentication device according to the present invention further comprises:
the authentication result storage module is used for storing a general authentication result;
an authentication result searching module for looking up, in the stored general authentication results, the authentication flag bit for the access request, using the access request identifier as the key,
wherein the access request identifiers correspond one-to-one to the authentication flag bits.
The general authentication device according to the present invention further comprises:
a synchronous authentication control module for determining that the access request is legal and allowing the access request when the authentication is determined to have passed based on the authentication flag bit, and for determining that the access request is illegal and rejecting the access request when the authentication is determined not to have passed based on the authentication flag bit; and/or
an asynchronous authentication control module for allowing the access request before the access request is authenticated, determining that the access request is legal and not interrupting it when the authentication is determined to have passed based on the authentication flag bit, and determining that the access request is illegal and stopping the response to the access request when the authentication is determined not to have passed based on the authentication flag bit.
According to the universal authentication device of the present invention, the extendable access request receiving module is further configured to: receiving a new format access request for a new source station and/or a new different type of service for the same source station; the extensible authentication result calculation module is further configured to: the authentication algorithm is extended to support authentication for new formats of access requests.
According to the universal authentication device of the present invention, the extensible authentication result calculating module is further configured to:
analyze the authentication rules of the new source station and/or of the new type of service of the same source station, identify the parameter part of the authentication logic that must change, implement that part through modular programming, update the universal internal interaction interface for the new source station and/or the new type of service, and load the changed authentication logic by hot update, thereby implementing a new authentication algorithm for the authentication service.
The cloud service network system according to the present invention includes:
a source station;
a cloud service network node comprising a generic authentication device as described above;
a client of a user,
wherein the universal authentication means is distributed or centralized.
According to the technical scheme of the invention, the access requests with different formats can be subjected to universal authentication, the operation that the server side of the cloud service network determines that the client side has the right to access the resources and provide the resources is unified, and the cost for subsequent upgrading and development is saved.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of the specification, illustrate embodiments of the invention and together with the description, serve to explain the principles of the invention. In the drawings, like reference numerals are used to indicate like elements. The drawings in the following description are directed to some, but not all embodiments of the invention. For a person skilled in the art, other figures can be derived from these figures without inventive effort.
Fig. 1 shows schematically a flow chart of a generic authentication method according to the present invention.
Fig. 2 shows schematically a block diagram of a generic authentication device according to the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are some, but not all, embodiments of the present invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention. It should be noted that the embodiments and features of the embodiments of the present invention may be arbitrarily combined with each other without conflict.
Fig. 1 shows schematically a flow chart of a generic authentication method according to the present invention.
As shown in the solid line box of fig. 1, the general authentication method according to the present invention includes:
step S102: receiving access requests for resources of different source stations and/or different types of services of the same source station;
step S104: authenticating the access request by using authentication algorithms corresponding to different types of services of different source stations and/or the same source station to obtain an original authentication result;
step S106: converting the original authentication result, outputting a general authentication result,
the general authentication result comprises access request identifiers corresponding to the access requests one by one and authentication flag bits used for indicating whether the authentication is passed or not.
For example, consider that the authentication algorithms (and interfaces) of the same source station customer are generally consistent across its different services or clients. Therefore, in the general case, the above universal authentication method can be applied to different (customer) source stations A and B, each of which can provide a web browsing service and a streaming service.
However, the same source station customer may also employ different authentication algorithms (and/or interfaces) for its different services. Thus, additionally or in special cases, the above universal authentication method may also be applied to different types of services 1 (e.g. web browsing services) and 2 (e.g. streaming media caching services) of the same (customer) source station A (or source station B).
In addition, since individual services may require relatively independent authentication algorithms, those skilled in the art will appreciate that each source station customer may employ different authentication methods for the web browsing service and the streaming media service (including the case of using additional input parameters; for example, in addition to the original access request address (URL), the live broadcast service in the streaming media service may also use the external link URL in the swf as an additional input parameter for authentication).
For example, the authentication flag bit is an integer or boolean variable, and 1 indicates that the authentication is passed, and 0 indicates that the authentication is not passed. The output format of the authentication result is unified, and the storage space of the authentication result is saved.
By the above scheme, the implementation of the authentication algorithm can be separated (for example, the authentication algorithm can be implemented by the extensible authentication result calculation module 203 in the general authentication apparatus described below, and the interaction between the general authentication result conversion module 205 and the access address providing module is performed through a simple interface).
Optionally, "converting the original authentication result" in step S106 includes:
matching the original authentication result against a preset general authentication result template, extracting the non-general part of the original authentication result, and converting that non-general part into a uniform authentication flag bit.
Optionally, as shown in the dashed box of fig. 1, the general authentication method according to the present invention further includes:
step 108: storing the general authentication result;
step 110: looking up, in the stored general authentication results, the authentication flag bit for the access request, using the access request identifier as the key,
wherein the access request identifiers correspond one-to-one to the authentication flag bits.
For example, the corresponding cache can be made according to the request URL and the authentication flag bit. That is, the access request identification may be a request URL.
For example, the user may configure a storage time for storing (e.g., caching) the generic authentication results. When the storage time is exceeded, the generic authentication result that has been stored (e.g., cached) is deleted.
Optionally, as shown in the dashed box of fig. 1, the general authentication method according to the present invention further includes:
step 112: when the authentication is determined to have passed based on the authentication flag bit, determining that the access request is legal and allowing the access request, and when the authentication is determined not to have passed based on the authentication flag bit, determining that the access request is illegal and rejecting the access request; and/or
step 114: allowing the access request before the access request is authenticated; when the authentication is determined to have passed based on the authentication flag bit, determining that the access request is legal and not interrupting the access request; when the authentication is determined not to have passed based on the authentication flag bit, determining that the access request is illegal and stopping the response to the access request.
For example, to provide accelerated services, access addresses of resources in cloud services network nodes may be preferentially provided (in the case of cached source site resources).
For example, the acceleration service based on the above access address may be provided by cache service software (i.e., a device or module), streaming media service software (i.e., a device or module), or proxy service software (i.e., a device or module).
For example, the various service software (i.e., devices or modules) may use an HTTP API to obtain the access address, and the relevant request parameters may be carried in the request query or the request body.
For example, corresponding to step 112, with synchronous authentication the authentication is performed first. After the authentication is determined to have passed, the various service software (i.e., devices or modules) either provides the client with the resource address of the customer's source station (the case where the cloud service network node has not cached the source station resource) and caches the content of the source station's response, or directly provides the client with the resource address in the cloud service network node (the case where the node has cached the source station resource), in response to the client's access request. Otherwise, the client's access request is rejected. Corresponding to step 114, with asynchronous authentication the resource content is served first, and whether to interrupt the response is then decided according to the authentication result.
That is, the above technical solution including step 112 and/or step 114 can simply determine whether the access request from the client is authenticated by reading the authentication flag bit (i.e., no specific authentication algorithm needs to be included in the above various service software (i.e., devices or modules)), thereby simplifying the interface parameters.
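The two enforcement modes of steps 112 and 114, as an added example that is not part of the patent text: it shows how much content the asynchronous mode has already delivered when a "not passed" flag arrives, including the case where the response ends before the verdict. `PendingVerdict`, the outcome strings and the `max_unverified` hold-back limit are assumptions made for this sketch.

```python
from typing import List, Optional, Sequence, Tuple


class PendingVerdict:
    """Constructed stand-in for an authentication call that is still in flight."""

    def __init__(self, flag: int, ready_after_polls: int):
        self._flag = flag                # 1 = passed, 0 = not passed
        self._left = ready_after_polls   # polls that still return "no verdict yet"

    def poll(self) -> Optional[int]:
        if self._left > 0:
            self._left -= 1
            return None
        return self._flag

    def wait(self) -> int:
        self._left = 0                   # block until the verdict is known
        return self._flag


def serve_sync(chunks: Sequence[bytes], verdict: PendingVerdict) -> Tuple[List[bytes], str]:
    """Step 112: obtain the flag first; nothing is sent on a failed authentication."""
    if verdict.wait() != 1:
        return [], "rejected"
    return list(chunks), "completed"


def serve_async(chunks: Sequence[bytes], verdict: PendingVerdict,
                max_unverified: Optional[int] = None) -> Tuple[List[bytes], str]:
    """Step 114: start responding, check the flag between chunks, stop on 0.

    max_unverified (assumption, not in the patent) caps how many chunks may
    leave before the verdict; at the cap the sender waits for the flag.
    """
    sent: List[bytes] = []
    flag: Optional[int] = None
    for chunk in chunks:
        if flag is None:
            flag = verdict.poll()
        if flag is None and max_unverified is not None and len(sent) >= max_unverified:
            flag = verdict.wait()
        if flag == 0:
            return sent, "interrupted"
        sent.append(chunk)
    if flag is None and verdict.wait() == 0:
        # The whole response left before the verdict: nothing remains to interrupt.
        return sent, "delivered-before-deny"
    return sent, "completed"


# Constructed sample response body split into five chunks.
CHUNKS = [b"c0", b"c1", b"c2", b"c3", b"c4"]
```

Short responses are the weak spot of the asynchronous mode: if the object fits in the chunks sent before the flag is available, a request that fails authentication still receives all of it.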
Optionally, as shown in the dashed box of fig. 1, the general authentication method according to the present invention further includes:
step 116: receiving a new format access request for a new source station and/or a new different type of service for the same source station;
step 118: the authentication algorithm is extended to support authentication for new formats of access requests.
Optionally, the "extended authentication algorithm" in step 118 includes:
analyzing the authentication rules of the new source station and/or of the new type of service of the same source station, identifying the parameter part of the authentication logic that must change, implementing that part through modular programming, updating the universal internal interaction interface for the new source station and/or the new type of service, and loading the changed authentication logic by hot update, thereby implementing a new authentication algorithm for the authentication service.
For example, more specifically, the extended authentication algorithm includes:
1. Analyze the authentication rules of the new source station, or of the different types of services of the source station, connect to the source station's interface, and determine the parameter part of the authentication logic that needs to change;
2. Write the authentication logic through modular programming and complete the update of the universal internal interaction interface;
3. Load the new authentication logic into the authentication service by a hot update method such as a dynamic library, forming a new authentication service; the upgrade completes without affecting the online authentication service, and the authentication requirements of new customers are supported.
For example, when a third source station customer C (i.e., a new source station customer) is added and the authentication method or input parameters used by source station customer C differ from those used by source station customers A and B, the above technical solution needs to be extended through steps 116 and 118.
With the above technical solution including steps 116 and 118, the authentication requirement of a newly added source station customer can be developed and brought online quickly without changing the online service software (i.e., devices or modules) (e.g., the service software corresponding to or including the access address providing module described below).
That is, when a new source station customer joins the cloud service network, the solution needs to be extended through steps 116 and 118. The various service software (i.e., devices or modules) described above only needs to configure the authentication switch for the domain name of the corresponding source station customer. The main authentication logic (i.e., reception of access requests in the new format and the authentication algorithms) is added to the authentication service (i.e., corresponding to the extensible access request receiving module 201 and the extensible authentication result calculation module 203 described below). The authentication service supports hot upgrade and loads the authentication logic (module) corresponding to the source station customer. The authentication requirements of new source station customers can thus be supported without affecting the source station users already online.
Optionally, the access request includes at least one of: the URL requesting access, the IP address of the client originating the access request.
For example, for resource access requests of some source station clients, the specific authentication algorithm employed requires that the client IP be included in the input parameters (i.e., the client IP needs to be authenticated).
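A compact sketch of steps S102 to 110 and 116 to 118, added here as an example and not taken from the patent or any product: per-source-station algorithms return raw results in their own formats, a template converts each to the flag bit, and results are cached under the access request identifier with a storage time. All class, function and host names, the two raw formats and the sample rules are constructed; deriving the identifier from every input the algorithm consumes (the client IP in particular) and denying on an unrecognised raw result are assumptions of this sketch.

```python
import hashlib
import json
import time
from dataclasses import dataclass
from typing import Callable, Dict, Tuple


@dataclass(frozen=True)
class AccessRequest:
    origin: str      # source station that owns the resource
    url: str
    client_ip: str


@dataclass(frozen=True)
class UniversalResult:
    request_id: str  # access request identifier (cache key)
    flag: int        # authentication flag bit: 1 = passed, 0 = not passed


def json_code_template(raw: str) -> bool:
    """Template for a constructed raw format: {"code": 200} or {"code": 403}."""
    code = json.loads(raw).get("code")
    if code not in (200, 403):
        raise ValueError("unrecognised code")
    return code == 200


def text_template(raw: str) -> bool:
    """Template for a constructed raw format: plain ALLOW or DENY."""
    word = raw.strip().upper()
    if word not in ("ALLOW", "DENY"):
        raise ValueError("unrecognised verdict")
    return word == "ALLOW"


class AuthService:
    def __init__(self, ttl: float, clock: Callable[[], float] = time.monotonic):
        self._plugins: Dict[str, Tuple[Callable, Callable, bool]] = {}
        self._cache: Dict[str, Tuple[int, float]] = {}
        self._ttl, self._clock = ttl, clock
        self.origin_calls = 0  # how often a source station algorithm actually ran

    def register(self, origin, authenticate, template, uses_client_ip=False):
        """Steps 116/118: add or swap one source station's logic while running."""
        self._plugins[origin] = (authenticate, template, uses_client_ip)

    def request_id(self, req: AccessRequest) -> str:
        # Key on every input the algorithm consumes; a URL-only key would
        # replay one client's pass to every other client.
        uses_ip = self._plugins[req.origin][2]
        parts = [req.origin, req.url] + ([req.client_ip] if uses_ip else [])
        return hashlib.sha256("\x00".join(parts).encode()).hexdigest()

    def check(self, req: AccessRequest) -> UniversalResult:
        if req.origin not in self._plugins:
            return UniversalResult("", 0)          # unknown source station: deny
        rid = self.request_id(req)
        hit = self._cache.get(rid)
        if hit is not None and hit[1] > self._clock():
            return UniversalResult(rid, hit[0])    # step 110: lookup by identifier
        authenticate, template, _ = self._plugins[req.origin]
        self.origin_calls += 1
        try:
            raw = authenticate(req)                # step S104: original result
            flag = 1 if template(raw) else 0       # step S106: convert to flag bit
        except (ValueError, AttributeError, TypeError):
            return UniversalResult(rid, 0)         # no template match: deny, not cached
        self._cache[rid] = (flag, self._clock() + self._ttl)  # step 108: store
        return UniversalResult(rid, flag)


def origin_a(req: AccessRequest) -> str:
    """Constructed rule for source station A: token in the URL, JSON answer."""
    return json.dumps({"code": 200 if "token=good" in req.url else 403})


def origin_b(req: AccessRequest) -> str:
    """Constructed rule for source station B: client IP allow-list, text answer."""
    return "ALLOW" if req.client_ip == "198.51.100.7" else "DENY"
```

Registering source station B without `uses_client_ip=True` makes the identifier URL-only, and the first client's cached pass is then returned to any other client requesting the same URL until the storage time expires.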
Fig. 2 schematically shows a block schematic of a generic authentication device 200 according to the present invention.
As shown in the solid line box of fig. 2, the general authentication apparatus 200 according to the present invention includes:
an extensible access request receiving module 201, configured to receive access requests for resources of different source stations and/or different types of services of the same source station;
the extensible authentication result calculation module 203 is used for authenticating the access request by using authentication algorithms corresponding to different types of services of different source stations and/or the same source station to obtain an original authentication result;
a general authentication result converting module 205, for converting the original authentication result, outputting a general authentication result,
the general authentication result comprises access request identifiers corresponding to the access requests one by one and authentication flag bits used for indicating whether the authentication is passed or not.
Optionally, the general authentication result conversion module 205 is further configured to:
match the original authentication result against a preset general authentication result template, extract the non-general part of the original authentication result, and convert that non-general part into a uniform authentication flag bit.
Optionally, as shown in the dashed box of fig. 2, the universal authentication apparatus 200 according to the present invention may further include:
an authentication result storage module 207 for storing a general authentication result;
an authentication result searching module 209, configured to look up, in the stored general authentication results, the authentication flag bit for the access request, using the access request identifier as the key,
wherein the access request identifiers correspond one-to-one to the authentication flag bits.
Optionally, as shown in the dashed box of fig. 2, the universal authentication apparatus 200 according to the present invention may further include:
a synchronous authentication control module 211, configured to determine that the access request is legal and allow the access request when the authentication is determined to have passed based on the authentication flag bit, and to determine that the access request is illegal and reject the access request when the authentication is determined not to have passed based on the authentication flag bit; and/or
an asynchronous authentication control module 213, configured to allow the access request before the access request is authenticated, to determine that the access request is legal and not interrupt it when the authentication is determined to have passed based on the authentication flag bit, and to determine that the access request is illegal and stop responding to the access request when the authentication is determined not to have passed based on the authentication flag bit.
Optionally, the extensible access request receiving module 201 is further configured to: receiving a new format access request for a new source station and/or a new different type of service for the same source station; the extensible authentication result calculation module 203 is further configured to: the authentication algorithm is extended to support authentication for new formats of access requests.
Optionally, the extensible authentication result calculating module 203 is further configured to:
analyzing the authentication rules of new different types of services of a new source station and/or the same source station, confirming the parameter part of the authentication logic to be changed, performing modular programming on the parameter part, updating the universal internal interactive interface of the new different types of services of the new source station and/or the same source station, and loading the changed authentication logic in a hot updating mode, thereby realizing a new authentication algorithm for the authentication services.
Alternatively, the universal authentication device 200 according to the present invention may be distributed or centralized.
That is, the universal authentication device 200 described above may be one of a plurality of devices spread across some of the cloud service network nodes (i.e., distributed). The universal authentication device 200 may also be a device located in a cloud service network node or elsewhere in the network (i.e., centralized).
Based on the general authentication method and device, the invention also provides a cloud service network system, which comprises:
a source station;
a cloud service network node comprising the universal authentication apparatus 200 as described above;
a user client,
wherein the universal authentication device 200 is distributed or centralized.
In order to make the technical solution according to the present invention more clearly understood by those skilled in the art, the following describes relevant operation steps in conjunction with an example cloud service network system.
An example cloud service network system includes: a site used by source station client A (i.e., client source station A) and a site used by source station client B (i.e., client source station B); a cloud service network node comprising the universal authentication device 200 as described above; and a user client.
Operations related to an example cloud services network system include the steps of:
S1: The user client app or browser initiates a resource request to the cloud service network node through DNS resolution.
S2: The different service software (i.e., devices or modules) of the cloud service network node, namely service software (i.e., device or module) A of source station client A and service software (i.e., device or module) B of source station client B, receive the request from S1, such as a picture request or a live streaming media request.
S3: Service software (i.e., device or module) A or service software (i.e., device or module) B of the cloud service network node initiates an authentication request to the authentication server (i.e., the universal authentication device 200), carrying the client IP information or not as needed. This corresponds to the access request in step S102 of the general authentication method described above; the present invention assumes that every access request needs to be authenticated. The authentication service here may be distributed or centralized: a distributed cached result is valid only for the corresponding cloud service network node server, while a centralized cached result is valid for requests from all servers of the cloud service network.
For example, the authentication service may be deployed in a distributed or centralized manner according to application scenarios such as the number of requests and the deployment cost. If the number of requests at each network node is large, centralized deployment effectively limits the number of back-to-source authentication requests and improves the authentication hit rate across the whole network, but it necessarily puts great pressure on the central authentication service. In that case a distributed deployment (for example, per node or even per machine) can be adopted to reduce the pressure on the authentication service; the scope of the authentication response cache is then limited to a small cluster, and the number of authentication requests going back to the client source station increases considerably. The actual deployment mode is determined by the application scenario.
S4: The authentication service checks whether it has a locally cached authentication result corresponding to the URL; if it does not, step S5 is performed (corresponding to step 110 in the general authentication method, which implicitly includes step 108).
S5: The authentication service encapsulates the request content in the authentication request format required by the client and initiates an authentication request to client source station A/B (optionally corresponding to prior-art steps).
S6: The authentication service receives the authentication response from the client source station and, according to the configuration, decides whether to cache the authentication result and sets the corresponding cache expiration time.
S7: The authentication service returns the authentication result to service software (i.e., device or module) A/B. Because the internal interaction goes through a simplified interface, the response content can simply be 0 or 1 according to whether the authentication passed (corresponding to step S104 in the general authentication method described above).
S8: Service software (i.e., device or module) A/B checks whether asynchronous or synchronous authentication is configured. With asynchronous authentication, it responds with the resource content first and then decides whether to interrupt the response according to the authentication result (corresponding to step 114); with synchronous authentication, it waits for the authentication result from the authentication service before responding with the resource (corresponding to step 112).
S9: The cloud service network node returns the content to the client app or browser.
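The flow of steps S3 to S8 as an added Python example, not code from the patent: per-source-station adapters turn each original result into the 0/1 flag, the flag is cached under the request identifier with a configured expiry, and the service software enforces it synchronously or asynchronously. The two source-station response formats, the adapter fields, the SHA-256 request identifier, denying on source-station errors, and sending exactly one chunk before the asynchronous result arrives are assumptions made for illustration.

```python
import hashlib
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class OriginAdapter:
    """Per-source-station plug-in (hypothetical structure)."""
    authenticate: Callable[[str, Optional[str]], object]  # S5: origin-specific call
    to_flag: Callable[[object], int]  # original result -> flag bit (1 = passed)
    bind_client_ip: bool              # does this origin's rule depend on client IP?
    cache_ttl: float                  # S6: seconds to cache; 0 disables caching


class UniversalAuthService:
    def __init__(self, adapters: Dict[str, OriginAdapter], clock=time.monotonic):
        self.adapters = adapters
        self.clock = clock
        self.cache: Dict[str, Tuple[int, float]] = {}  # request id -> (flag, expiry)
        self.origin_calls = 0  # back-to-source authentication requests made

    def request_id(self, origin: str, url: str, client_ip: Optional[str]) -> str:
        # The identifier covers every input the origin's decision depends on, so a
        # cached flag is never reused for a request the origin would judge differently.
        ip = (client_ip or "") if self.adapters[origin].bind_client_ip else ""
        return hashlib.sha256("\x00".join([origin, url, ip]).encode()).hexdigest()

    def check(self, origin: str, url: str,
              client_ip: Optional[str] = None) -> Tuple[str, int]:
        adapter = self.adapters[origin]
        rid = self.request_id(origin, url, client_ip)
        hit = self.cache.get(rid)
        if hit is not None and hit[1] > self.clock():  # S4: unexpired cached result
            return rid, hit[0]
        self.origin_calls += 1
        try:
            raw = adapter.authenticate(url, client_ip if adapter.bind_client_ip else None)
            flag = 1 if adapter.to_flag(raw) == 1 else 0  # anything but 1 is a failure
        except Exception:
            return rid, 0  # assumption: origin or parse errors deny and are not cached
        if adapter.cache_ttl > 0:  # S6: cache according to configuration
            self.cache[rid] = (flag, self.clock() + adapter.cache_ttl)
        return rid, flag  # S7: simplified 0/1 answer to the service software


def serve(auth: UniversalAuthService, origin: str, url: str, client_ip: Optional[str],
          chunks: List[str], mode: str) -> Tuple[str, List[str]]:
    """S8: return (status, chunks actually sent) for 'sync' or 'async' mode."""
    if mode == "sync":  # wait for the flag before sending anything
        _, flag = auth.check(origin, url, client_ip)
        return ("served", list(chunks)) if flag else ("rejected", [])
    sent = list(chunks[:1])  # async: content is released before the flag arrives
    _, flag = auth.check(origin, url, client_ip)
    if not flag:
        return "interrupted", sent  # stop responding; what was sent stays sent
    return "served", sent + list(chunks[1:])


# Constructed source stations with different original-result formats.
def origin_a_auth(url: str, client_ip: Optional[str]) -> dict:
    return {"code": 200 if "token=good" in url else 403}


def origin_b_auth(url: str, client_ip: Optional[str]) -> str:
    return "ALLOW\n" if client_ip == "198.51.100.7" else "DENY\n"


def build_service(clock=time.monotonic) -> UniversalAuthService:
    return UniversalAuthService({
        "A": OriginAdapter(origin_a_auth, lambda r: int(r["code"] == 200), False, 60.0),
        "B": OriginAdapter(origin_b_auth, lambda r: int(r.strip() == "ALLOW"), True, 30.0),
    }, clock)
```

In the asynchronous path a request that is later denied has already received whatever was sent before the flag arrived, while the synchronous path sends nothing until the flag is known.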
According to the technical scheme of the invention, the method has the following advantages:
1. A technical scheme for performing general authentication on access requests of different formats is provided; the operations by which a server of the cloud service network (namely, the general authentication device 200 in a cloud service network node) determines that a client has the right to access resources and provides resource access addresses are unified, and the cost of subsequent upgrading and development is saved.
2. For cloud service network nodes, the authentication service logic can be unified, the speed of onboarding new requirements is improved, and the inefficiency caused by multiple components repeatedly developing authentication logic is resolved. The risk caused by online upgrades of multiple components to meet new authentication requirements is also reduced.
3. For the source station client website, the load pressure caused by back-to-source authentication can be effectively reduced, because some authentication requests can directly hit the authentication cache through the authentication service of the cloud service network (i.e., the extensible access request receiving module 201 and the extensible authentication result calculating module 203 described above).
4. For an end user (namely, a client), since the authentication can be performed at the cloud service network node, the authentication speed for the end user can be improved to a certain extent, the authentication is essentially imperceptible to the user, and the end user's client is compatible with the scheme of the invention without any change.
5. When a plurality of services (such as streaming media acceleration and HTTP acceleration) are provided on a cloud service network node, authentication services (i.e., corresponding to the extensible access request receiving module 201 and the extensible authentication result calculating module 203 described above) under the plurality of services are extracted and unified.
6. When new authentication requirements are caused by adding new source station clients, only new authentication logic needs to be added to the unified authentication service, and the authentication service is not required to be reconstructed for all service components.
7. The distributed and centralized authentication service can be adopted, namely, multiple nodes all deploy the authentication service or a single node or a few nodes deploy the authentication service, and the service scenes when the access requests are different can be dealt with.
8. The authentication result can be cached in the cloud service network node, so that back-to-source authentication is not needed.
The above-described aspects may be implemented individually or in various combinations, and such variations are within the scope of the present invention.
It will be understood by those of ordinary skill in the art that all or some of the steps of the methods, systems, functional modules/units in the devices disclosed above may be implemented as software, firmware, hardware, and suitable combinations thereof. In a hardware implementation, the division between functional modules/units referred to in the above description does not necessarily correspond to the division of physical components. For example, one physical component may have multiple functions, or one function or step may be performed by several physical components in cooperation. Some or all of the components may be implemented as software executed by a processor, such as a digital signal processor or microprocessor, or as hardware, or as an integrated circuit, such as an application specific integrated circuit. Such software may be distributed on computer readable media, which may include computer storage media (or non-transitory media) and communication media (or transitory media). The term computer storage media includes volatile and nonvolatile, removable and non-removable media implemented in any method or technology for storage of information such as computer readable instructions, data structures, program modules or other data, as is well known to those of ordinary skill in the art. Computer storage media includes, but is not limited to, RAM, ROM, EEPROM, flash memory or other memory technology, CD-ROM, Digital Versatile Disks (DVD) or other optical disk storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other medium which can be used to store the desired information and which can be accessed by a computer. In addition, communication media typically embodies computer readable instructions, data structures, program modules or other data in a modulated data signal such as a carrier wave or other transport mechanism and includes any information delivery media as known to those skilled in the art.
Finally, it should be noted that: the above examples are only for illustrating the technical solutions of the present invention, and are not limited thereto. Although the present invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: modifications of the technical solutions described in the embodiments or equivalent replacements of some technical features may still be made. And such modifications or substitutions do not depart from the spirit and scope of the corresponding technical solutions of the embodiments of the present invention.

Claims (13)

1. A universal authentication method, comprising:
receiving access requests for resources of different source stations and/or different types of services of the same source station;
authenticating the access request by using an authentication algorithm corresponding to different types of services of different source stations and/or the same source station to obtain an original authentication result;
converting the original authentication result, outputting a general authentication result,
the general authentication result comprises access request identifications in one-to-one correspondence with the access requests and authentication flag bits indicating whether the authentication passed.
2. The universal authentication method as claimed in claim 1, wherein said converting the original authentication result comprises:
matching the original authentication result against a preset general authentication result template, extracting the non-general authentication result part of the original authentication result, and converting the non-general authentication result into a uniform authentication flag bit.
3. The universal authentication method as claimed in claim 1 or 2, further comprising:
storing the general authentication result;
based on the stored general authentication result, obtaining the authentication flag bit for the access request by searching with the access request identification as a keyword,
wherein the access request identification corresponds to the authentication flag bit one to one.
4. The universal authentication method as claimed in claim 1 or 2, further comprising:
when the authentication is determined to have passed based on the authentication flag bit, determining that the access request is legal and releasing the access request, and when the authentication is determined not to have passed based on the authentication flag bit, determining that the access request is illegal and rejecting the access request; and/or
releasing the access request before the access request is authenticated, and then, when the authentication is determined to have passed based on the authentication flag bit, determining that the access request is legal and not interrupting the access request, and when the authentication is determined not to have passed based on the authentication flag bit, determining that the access request is illegal and stopping the response to the access request.
5. The universal authentication method as claimed in claim 1 or 2, further comprising:
receiving a new format access request for a new source station and/or a new different type of service for the same source station;
extending an authentication algorithm to support authentication for the new format access request.
6. The universal authentication method as claimed in claim 5, wherein said extended authentication algorithm comprises:
analyzing the authentication rules of the new source station and/or the new different types of services of the same source station, confirming the parameter part of the authentication logic to be changed, performing modular programming on the parameter part, updating the universal internal interactive interface of the new source station and/or the new different types of services of the same source station, and loading the changed authentication logic in a hot updating mode, thereby realizing a new authentication algorithm for the authentication services.
7. A universal authentication apparatus, comprising:
the extensible access request receiving module is used for receiving access requests aiming at different source stations and/or resources of different types of services of the same source station;
the extensible authentication result calculation module is used for authenticating the access request by using an authentication algorithm corresponding to different types of services of different source stations and/or the same source station to obtain an original authentication result;
a general authentication result conversion module for converting the original authentication result and outputting a general authentication result,
the general authentication result comprises access request identifications in one-to-one correspondence with the access requests and authentication flag bits indicating whether the authentication passed.
8. The universal authentication device as claimed in claim 6, wherein said universal authentication result conversion module is further configured to:
matching the original authentication result against a preset general authentication result template, extracting the non-general authentication result part of the original authentication result, and converting the non-general authentication result into a uniform authentication flag bit.
9. The universal authentication device as claimed in claim 7 or 8, further comprising:
the authentication result storage module is used for storing the general authentication result;
an authentication result searching module, configured to obtain the authentication flag bit for the access request by searching the stored general authentication result with the access request identification as a keyword,
wherein the access request identification corresponds to the authentication flag bit one to one.
10. The universal authentication device as claimed in claim 7 or 8, further comprising:
the synchronous authentication control module is used for, when the authentication is determined to have passed based on the authentication flag bit, determining that the access request is legal and releasing the access request, and, when the authentication is determined not to have passed based on the authentication flag bit, determining that the access request is illegal and rejecting the access request; and/or
the asynchronous authentication control module is used for releasing the access request before authenticating the access request and then, when the authentication is determined to have passed based on the authentication flag bit, determining that the access request is legal and not interrupting the access request, and, when the authentication is determined not to have passed based on the authentication flag bit, determining that the access request is illegal and stopping responding to the access request.
11. The universal authentication device as claimed in claim 6 or 7, wherein said extensible access request receiving module is further configured to: receiving a new format access request for a new source station and/or a new different type of service for the same source station; the extensible authentication result calculation module is further configured to: extending an authentication algorithm to support authentication for the new format access request.
12. The universal authentication device of claim 11, wherein the extensible authentication result calculation module is further configured to:
analyzing the authentication rules of the new source station and/or the new different types of services of the same source station, confirming the parameter part of the authentication logic to be changed, performing modular programming on the parameter part, updating the universal internal interactive interface of the new source station and/or the new different types of services of the same source station, and loading the changed authentication logic in a hot updating mode, thereby realizing a new authentication algorithm for the authentication services.
13. A cloud service network system, comprising:
a source station;
a cloud services network node comprising the universal authentication apparatus of claims 7-12;
a user client,
wherein the universal authentication means is distributed or centralized.
CN201810679837.1A 2018-06-27 2018-06-27 Universal authentication method and device and cloud service network system Active CN110650112B (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN202010061961.9A CN111277592B (en) 2018-06-27 2018-06-27 Authentication method, authentication device, storage medium and computer equipment
CN201810679837.1A CN110650112B (en) 2018-06-27 2018-06-27 Universal authentication method and device and cloud service network system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201810679837.1A CN110650112B (en) 2018-06-27 2018-06-27 Universal authentication method and device and cloud service network system

Related Child Applications (1)

Application Number Title Priority Date Filing Date
CN202010061961.9A Division CN111277592B (en) 2018-06-27 2018-06-27 Authentication method, authentication device, storage medium and computer equipment

Publications (2)

Publication Number Publication Date
CN110650112A true CN110650112A (en) 2020-01-03
CN110650112B CN110650112B (en) 2022-05-20

Family

ID=68988768

Family Applications (2)

Application Number Title Priority Date Filing Date
CN202010061961.9A Active CN111277592B (en) 2018-06-27 2018-06-27 Authentication method, authentication device, storage medium and computer equipment
CN201810679837.1A Active CN110650112B (en) 2018-06-27 2018-06-27 Universal authentication method and device and cloud service network system

Family Applications Before (1)

Application Number Title Priority Date Filing Date
CN202010061961.9A Active CN111277592B (en) 2018-06-27 2018-06-27 Authentication method, authentication device, storage medium and computer equipment

Country Status (1)

Country Link
CN (2) CN111277592B (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112995165A (en) * 2021-02-10 2021-06-18 北京金山云网络技术有限公司 Resource access authentication method and device, storage medium and electronic equipment
CN110650112B (en) * 2018-06-27 2022-05-20 贵州白山云科技股份有限公司 Universal authentication method and device and cloud service network system
CN114760127A (en) * 2022-04-08 2022-07-15 多点生活(成都)科技有限公司 Multi-interface authentication access method based on zero code

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112866221B (en) * 2021-01-11 2023-04-07 中国邮政储蓄银行股份有限公司 Authentication method, authentication system, computer-readable storage medium, and processor
CN114500067A (en) * 2022-02-09 2022-05-13 厦门元屿安科技有限公司 Asynchronous attack anti-theft chain method and system based on CDN edge computing network

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20100235856A1 (en) * 2007-12-13 2010-09-16 Hui Huang Method, system, and device for realizing internet protocol television service
CN101873213A (en) * 2009-04-27 2010-10-27 中国网通集团宽带业务应用国家工程实验室有限公司 End-to-end authentication method and system as well as business end intelligent card
CN105872956A (en) * 2016-05-03 2016-08-17 深圳市云际通科技有限公司 System and method for remote authentication application based on bluetooth subscriber identification module (SIM)
CN106657034A (en) * 2016-12-02 2017-05-10 中国联合网络通信集团有限公司 Service authentication method and authentication capability opening server

Family Cites Families (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CA2524536A1 (en) * 2005-10-26 2007-04-26 Bce Inc Method, system and apparatus for controlling the establishment of a data connection from an originating data device
CN103905192B (en) * 2012-12-26 2018-10-12 锐迪科(重庆)微电子科技有限公司 A kind of encrypted authentication method, apparatus and system
CN104580136A (en) * 2014-09-10 2015-04-29 中电科技(北京)有限公司 UEFI-based long-distance identity authentication system and method
CN105357190B (en) * 2015-10-26 2018-12-07 网宿科技股份有限公司 The method and system of access request authentication
JP6682254B2 (en) * 2015-12-08 2020-04-15 キヤノン株式会社 Authentication cooperation system, authentication cooperation method, authorization server and program
CN106815099B (en) * 2017-01-19 2020-09-18 腾讯科技(深圳)有限公司 Authentication system and method
CN111277592B (en) * 2018-06-27 2022-06-10 贵州白山云科技股份有限公司 Authentication method, authentication device, storage medium and computer equipment

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110650112B (en) * 2018-06-27 2022-05-20 贵州白山云科技股份有限公司 Universal authentication method and device and cloud service network system
CN112995165A (en) * 2021-02-10 2021-06-18 北京金山云网络技术有限公司 Resource access authentication method and device, storage medium and electronic equipment
CN112995165B (en) * 2021-02-10 2023-04-14 北京金山云网络技术有限公司 Resource access authentication method and device, storage medium and electronic equipment
CN114760127A (en) * 2022-04-08 2022-07-15 多点生活(成都)科技有限公司 Multi-interface authentication access method based on zero code
CN114760127B (en) * 2022-04-08 2023-10-03 多点生活(成都)科技有限公司 Multi-interface authentication access method based on zero codes

Also Published As

Publication number Publication date
CN111277592A (en) 2020-06-12
CN110650112B (en) 2022-05-20
CN111277592B (en) 2022-06-10

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant