CN110784457B - Service access method and device - Google Patents


Info

Publication number
CN110784457B
Authority
CN
China
Prior art keywords
target
token
access token
client
session
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201910989877.0A
Other languages
Chinese (zh)
Other versions
CN110784457A (en)
Inventor
庞飞川
张宇
姚明
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Ccx Credit Technology Co ltd
Original Assignee
Ccx Credit Technology Co ltd
Application filed by Ccx Credit Technology Co ltd
Priority to CN201910989877.0A
Publication of CN110784457A
Application granted
Publication of CN110784457B

Classifications

    • H  ELECTRICITY
    • H04  ELECTRIC COMMUNICATION TECHNIQUE
    • H04L  TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00  Network architectures or network communication protocols for network security
    • H04L 63/10  ... for controlling access to devices or network resources
    • H04L 63/101  ... Access control lists [ACL]
    • H04L 63/102  ... Entity profiles
    • H04L 9/00  Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/32  ... including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L 9/321  ... involving a third party or a trusted authority
    • H04L 9/3213  ... using tickets or tokens, e.g. Kerberos

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Storage Device Security (AREA)

Abstract

Embodiments of the invention provide a service access method and device. A service access request sent by a client is received, the request comprising a target access token and a target resource; a target session corresponding to the target access token is determined from a pre-stored correspondence between access tokens and sessions, where the session comprises authority information; it is judged whether the target session holds authority information for accessing the target resource; and if so, the target resource is allocated to the client. With this scheme, network resources are saved, the storage space occupied on the client is reduced, and session information can be modified flexibly in a front-end/back-end separated architecture.

Description

Service access method and device
Technical Field
The present invention relates to the field of computer technologies, and in particular, to a service access method and apparatus.
Background
At present, computer systems commonly take the form of "server-side business processing + client page templates", and rights management in such systems usually relies on a cookie-session authentication mechanism: session information, including the user's roles and rights, is stored on the server. After the client logs in successfully, the server generates a session identifier for the client and returns it, and the client stores the session identifier in a cookie. When the client requests a resource of the server, it sends the session identifier along with the request. The server looks up the corresponding session information by the session identifier and checks, against the user's roles and rights in that session, whether the client is authorized to request the resource. If it is, the server allows the request to proceed; if it is not, the server redirects the client page to a login page or an error page.
The cookie-session mechanism has a drawback: the client and the server are too tightly coupled. When the client needs to change a page, the server must be changed together with it, which causes service interruption and affects user access.
Nowadays a front-end/back-end separated architecture is becoming common, in which the front end renders pages and the back end processes business logic. The cookie-session mechanism described above does not fit this architecture, so rights management for such systems has been proposed on the basis of a JWT (JSON Web Token) authentication mechanism. A JWT consists of three parts: a header, a payload (message body) and a signature. The header specifies the signature algorithm used by the JWT; the payload carries the token's expiration time, the user's role and authority information and similar content; the signature serves to verify that the payload has not been altered. The JWT mechanism places the session information entirely in the payload. After the client logs in successfully, the server returns the JWT to the client. On each request the server verifies the JWT by recomputing the signature over the header and payload with the algorithm named in the header; if the recomputed signature matches the signature carried in the JWT the token has not been tampered with, otherwise it has. The client carries the JWT on every access, and the server checks whether the client is entitled to the requested resource according to the user role and authority information contained in the payload.
However, the JWT mechanism has its own drawbacks: since all session information is placed in the JWT and transmitted between server and client on every request, network resources are wasted; the session information is stored on the client, occupying a considerable amount of client storage; because the server no longer keeps session information, a JWT that is known to have been leaked or misused cannot be invalidated immediately and continues to consume resources until it expires; and, for the same reason, the session information in a JWT cannot be changed once it has been issued, so after a user's rights change the JWT cannot be updated and one can only wait for it to expire.
Disclosure of Invention
Embodiments of the present invention provide a service access method and apparatus that save network resources, reduce the storage space occupied on the client, and allow session information to be modified flexibly in a front-end/back-end separated architecture. The specific technical scheme is as follows:
in a first aspect, an embodiment of the present invention provides a service access method, which is applied to a server and includes:
receiving a service access request sent by a client, wherein the service access request comprises a target access token and a target resource;
determining a target session corresponding to the target access token according to a pre-stored corresponding relationship between the access token and the session, wherein the session comprises authority information;
judging whether the target session has authority information for accessing the target resource;
and if so, allocating the target resource for the client.
Optionally, after receiving the service access request, the method further includes:
detecting whether the current time reaches the pre-stored expiration time of the target access token;
and if not, executing the step of determining the target session corresponding to the target access token according to the pre-stored corresponding relationship between the access token and the session.
Optionally, the server stores a correspondence between the target access token and a target refresh token, and the method further comprises:
if the pre-stored expiration time of the target access token has been reached, sending a token refresh instruction to the client;
receiving a token refresh request sent by the client in response to the token refresh instruction, the token refresh request comprising the target refresh token;
generating a new target access token according to the target refresh token;
according to the correspondence between the target access token and the target refresh token, replacing the pre-stored correspondence between the target access token and the target session with a correspondence between the new target access token and the target session, and replacing the correspondence between the target access token and the target refresh token with a correspondence between the new target access token and the target refresh token;
and sending the new target access token to the client.
Optionally, the step of generating a new target access token according to the target refresh token includes:
detecting whether the current time reaches the pre-stored expiration time of the target refresh token;
and if not, generating the new target access token.
Optionally, before receiving the service access request, the method further includes:
receiving a login request sent by the client;
establishing connection with the client according to the login request;
generating a target access token and a target refresh token;
and carrying the target access token and the target refresh token in a login response, and returning the login response to the client.
In a second aspect, an embodiment of the present invention further provides a service access apparatus, which is applied to a server, and includes:
the first receiving unit is used for receiving a service access request sent by a client, wherein the service access request comprises a target access token and a target resource;
a determining unit, configured to determine a target session corresponding to the target access token according to a pre-stored correspondence between access tokens and sessions, where the session comprises authority information;
the judging unit is used for judging whether the target session has the authority information for accessing the target resource;
and the allocation unit is used for allocating the target resource to the client if the judgment result of the judgment unit is positive.
Optionally, the apparatus further comprises:
the detection unit is used for detecting whether the current time reaches the pre-stored expiration time of the target access token after receiving the service access request;
the determining unit is specifically configured to determine, if the detection result of the detecting unit is negative, a target session corresponding to the target access token according to a pre-stored correspondence between the access token and the session.
Optionally, the server stores a correspondence between the target access token and a target refresh token, and the apparatus further comprises:
a first sending unit, configured to send a token refresh instruction to the client if the pre-stored expiration time of the target access token has been reached;
a second receiving unit, configured to receive a token refresh request sent by the client in response to the token refresh instruction, where the token refresh request comprises the target refresh token;
a first generating unit, configured to generate a new target access token according to the target refresh token;
a modifying unit, configured to replace, according to the correspondence between the target access token and the target refresh token, the pre-stored correspondence between the target access token and the target session with a correspondence between the new target access token and the target session, and to replace the correspondence between the target access token and the target refresh token with a correspondence between the new target access token and the target refresh token;
and a second sending unit, configured to send the new target access token to the client.
Optionally, the first generating unit is specifically configured to:
detecting whether the current time reaches the pre-stored expiration time of the target refresh token; and if not, generating the new target access token.
Optionally, the apparatus further comprises:
a third receiving unit, configured to receive a login request sent by the client;
the establishing unit is used for establishing connection with the client according to the login request;
a second generating unit for generating a target access token and a target refresh token;
and a feedback unit, configured to carry the target access token and the target refresh token in a login response and return the login response to the client.
In a third aspect, an embodiment of the present invention further provides a server, including a processor, a communication interface, a memory, and a communication bus, where the processor, the communication interface, and the memory complete mutual communication through the communication bus;
a memory for storing a computer program;
and the processor is used for realizing the steps of any service access method when the program stored in the memory is executed.
In a fourth aspect, an embodiment of the present invention further provides a readable storage medium, where a computer program is stored in the readable storage medium, and the computer program, when executed by a processor, implements the steps of any of the service access methods.
According to the service access method and device provided by the embodiments of the present invention, session information is stored on the server and the client only needs to send the access token corresponding to that session information, which saves network resources. Because the session information is not stored on the client, the storage space occupied on the client is reduced. And because the server holds the session information, when the user's role and authority information changes or is found to have been tampered with, the server can modify the role and authority information in the session directly.
Of course, not all of the advantages described above need to be achieved at the same time in the practice of any one product or method of the invention.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, it is obvious that the drawings in the following description are only some embodiments of the present invention, and for those skilled in the art, other drawings can be obtained according to the drawings without creative efforts.
Fig. 1 is a first flowchart of a service access method according to an embodiment of the present invention;
FIG. 2 is a diagram illustrating an access rights model according to an embodiment of the present invention;
fig. 3 is a second flowchart of a service access method according to an embodiment of the present invention;
fig. 4 is a third flowchart of a service access method according to an embodiment of the present invention;
FIG. 5 is a flowchart of a target refresh token refreshing a target access token according to an embodiment of the present invention;
fig. 6 is a structural diagram of a service access device according to an embodiment of the present invention;
fig. 7 is a structural diagram of a service access system according to an embodiment of the present invention;
fig. 8 is a signaling diagram of a service access method according to an embodiment of the present invention;
fig. 9 is a structural diagram of a server according to an embodiment of the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
In order to solve the above problems in the prior art, embodiments of the present invention disclose a service access method and apparatus, which are described in detail below.
As shown in fig. 1, fig. 1 is a first flowchart of a service access method according to an embodiment of the present invention. The service access method is applied to a server and comprises the following steps.
Step 101, receiving a service access request sent by a client, where the service access request includes a target access token and a target resource.
The target resource is the resource the client requests to access; it may be a business interface. The target access token is an access token issued to the client by the server. To access a resource provided by the server, the client sends a service access request comprising the target access token and the target resource, and the server receives it.
In this embodiment the service access request may further carry information such as the client's Media Access Control (MAC) address and Internet Protocol (IP) address; this is not specifically limited.
And 102, determining a target session corresponding to the target access token according to a pre-stored corresponding relationship between the access token and the session, wherein the session comprises authority information.
The server stores in advance the correspondence between access tokens and sessions, where a session comprises authority information. The authority information may include a user role and the authorities corresponding to that role. In this embodiment, access tokens correspond one-to-one with users. Fig. 2 is a schematic diagram of the access authority model according to an embodiment of the present invention. In fig. 2, access-id1, access-id2 and access-id3 are access tokens. Taking access-id1 as an example: access-id1 corresponds to user 1; user 1 holds role 1 and role 2; role 1 carries authority 1 and authority 2; role 2 carries authority 1, authority 2 and authority 3.
In one embodiment, besides the correspondence between access tokens and sessions, the server also stores a correspondence between access tokens and session tokens, where a session token is an identifier that distinguishes sessions. The server can then determine the session token from the target access token, and the target session from the session token.
For example, the server first tries to obtain a target access token from the client's service access request. If none can be obtained, the user is sending a service access request for the first time and the server does not yet hold a target session for that user; the server therefore allocates a session token for the user, creates the correspondence between a target access token and the session, and sends the target access token to the client. If a target access token is obtained, the server looks it up in a token database (such as TokenDAO) in which all tokens and their associated information are stored, and tries to obtain the token information (such as a Simple Access Token) corresponding to the target access token; the Simple Access Token may include the expiration time of the target access token and the current time. If no Simple Access Token is obtained, or the Simple Access Token has expired, the server returns an error prompt to the client. If a Simple Access Token is obtained and has not expired, the server takes the session token associated with the target access token from the Simple Access Token and fetches the target session from a session database (such as SessionDAO) by that session token.
Step 103, judging whether the target session has the authority information for accessing the target resource. If so, go to step 104.
To access the target resource the client must hold the corresponding authority information, so the server judges whether the target session contains authority information for accessing the target resource. If so, step 104 is executed.
Taking fig. 2 as an example, when user 1 wants to access a target resource, the server determines whether the authorities user 1 holds through role 1 and through role 2 in the target session include the authority to access the target resource. If so, for instance if authority 1 is the authority to access the target resource, step 104 is executed.
In one embodiment, if the target session does not have the authority information for accessing the target resource, the server sends access failure feedback information to the client.
Taking fig. 2 as an example, when user 1 wants to access a target resource, the server determines whether the authorities user 1 holds through role 1 and through role 2 in the target session include the authority to access the target resource. If not, the server sends access failure feedback information to the client.
And 104, distributing target resources to the client.
When the target session contains authority information for accessing the target resource, the server allocates the target resource to the client according to the service access request, so that the client can continue to execute its business logic.
According to the service access method provided by the embodiments of the present invention, session information is stored on the server and the client only needs to send the access token corresponding to that session information, which saves network resources. Because the session information is not stored on the client, the storage space occupied on the client is reduced. And because the server holds the session information, when the user's role and authority information changes or is found to have been tampered with, the server can modify the role and authority information in the session directly.
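The lookup chain of steps 101 to 104 (access token, session token, session, roles, authorities) written out as an added example; this is not code from the patent. The class and method names, the dict-backed TokenDAO/SessionDAO tables, the resource-to-permission table and the sample tokens are this example's assumptions; the role and authority data follow fig. 2.

```python
# Added example (not the patent's own code): server-side lookup of
# access token -> session token -> session -> roles -> permissions, i.e. steps
# 101 to 104 and the access authority model of fig. 2. TokenDAO/SessionDAO
# follow the patent's wording; the dict layout, the resource-to-permission
# table and the sample tokens are assumptions.
from dataclasses import dataclass
from typing import Dict, Optional, Set


@dataclass
class Session:
    """Session record held only on the server (authority information)."""
    user_id: str
    roles: Set[str]


class AccessControl:
    def __init__(self, role_permissions: Dict[str, Set[str]],
                 resource_requirements: Dict[str, str]) -> None:
        self.role_permissions = role_permissions            # role -> permissions
        self.resource_requirements = resource_requirements  # resource -> required permission
        self.token_dao: Dict[str, str] = {}        # access token -> session token
        self.session_dao: Dict[str, Session] = {}  # session token -> session

    def bind(self, access_token: str, session_token: str, session: Session) -> None:
        """Create the access-token/session correspondence after a login."""
        self.token_dao[access_token] = session_token
        self.session_dao[session_token] = session

    def lookup_session(self, access_token: str) -> Optional[Session]:
        """Step 102: access token -> session token -> session."""
        session_token = self.token_dao.get(access_token)
        if session_token is None:
            return None
        return self.session_dao.get(session_token)

    def permissions_of(self, session: Session) -> Set[str]:
        """Union of the permissions of every role the user holds (fig. 2)."""
        perms: Set[str] = set()
        for role in session.roles:
            perms |= self.role_permissions.get(role, set())
        return perms

    def authorize(self, access_token: str, resource: str) -> Dict[str, object]:
        """Steps 101-104: deny by default, allow only on a matching permission."""
        session = self.lookup_session(access_token)
        if session is None:
            return {"allowed": False, "reason": "unknown access token"}
        required = self.resource_requirements.get(resource)
        if required is None:
            # Unmapped resource: refuse rather than fall through to allow.
            return {"allowed": False, "reason": "unknown resource"}
        if required not in self.permissions_of(session):
            return {"allowed": False, "reason": "missing permission " + required}
        return {"allowed": True, "reason": "ok", "user": session.user_id}

    def update_roles(self, session_token: str, roles: Set[str]) -> bool:
        """Change authority information in place; the client's token is
        untouched and the change applies to its very next request."""
        session = self.session_dao.get(session_token)
        if session is None:
            return False
        session.roles = set(roles)
        return True


def build_fig2_server() -> AccessControl:
    """Constructed sample data following fig. 2: access-id1 -> user 1, who
    holds role 1 (authority 1, 2) and role 2 (authority 1, 2, 3)."""
    ac = AccessControl(
        role_permissions={"role1": {"perm1", "perm2"},
                          "role2": {"perm1", "perm2", "perm3"}},
        # Hypothetical business interfaces and the permission each requires.
        resource_requirements={"/api/report": "perm1",
                               "/api/export": "perm3",
                               "/api/admin": "perm4"},
    )
    ac.bind("access-id1", "session-1", Session("user1", {"role1", "role2"}))
    return ac


if __name__ == "__main__":
    server = build_fig2_server()
    for res in ("/api/report", "/api/export", "/api/admin"):
        print(res, server.authorize("access-id1", res))
```

Two points worth noting. An unmapped resource is refused rather than allowed, so adding a new business interface without registering its required authority fails closed. And `update_roles` shows the property the patent claims over JWT: because the authority information lives only in SessionDAO, removing role 2 from user 1 takes away authority 3 on the next request without reissuing or waiting out the client's token.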
In one embodiment, the embodiment of the invention also provides a service access method. As shown in fig. 3, fig. 3 is a second flowchart of a service access method according to an embodiment of the present invention. The service access method is applied to a server and can comprise the following steps.
Step 301, receiving a service access request sent by a client, where the service access request includes a target access token and a target resource. Step 301 is the same as step 101.
Step 302, detecting whether the current time reaches the expiration time of the pre-stored target access token. If not, go to step 303.
The server stores the expiration time of the target access token in advance. After receiving the service access request, the server acquires a target access token from the service access request, and detects whether the current time reaches the expiration time of the pre-stored target access token. If not, go to step 303.
In this embodiment the expiration time may be a specific point in time. For example, the server pre-stores access token 1 with an expiration time of 10:05. After obtaining a service access request carrying access token 1, the server checks whether the current time has reached 10:05. If it has, for instance if the current time is 10:06, the expiration time of access token 1 is determined to have been reached. If it has not, for instance if the current time is 10:04, the expiration time is determined not to have been reached and step 303 is executed.
Alternatively the expiration time may be a storage duration. For example, when storing access token 1 the server starts timer 1 for it. After obtaining a service access request carrying access token 1, the server checks whether timer 1 has expired. If it has, the expiration time of access token 1 is determined to have been reached; if not, it is determined not to have been reached and step 303 is executed.
In the embodiment of the present invention, the expiration time of the access token may also be represented in other manners, which is not specifically limited.
Step 303, determining a target session corresponding to the target access token according to a pre-stored correspondence between the access token and the session, where the session includes the authority information. Step 303 is the same as step 102.
Step 304, judging whether the target session has the authority information for accessing the target resource. If so, go to step 305. Step 304 is the same as step 103.
Step 305, target resources are allocated for the client. Step 305 is the same as step 104.
In this embodiment the expiration time of the target access token is stored in advance, and an administrator can control a client's access to the server by controlling that expiration time. For example, when a client is found to be at risk, the administrator sets the expiration time of its target access token to a time before the current time, or marks the timer corresponding to that expiration time as expired, so that the target access token expires, the client is refused access to the server and is forced offline.
In one embodiment, the embodiment of the invention also provides a service access method. As shown in fig. 4, fig. 4 is a third flowchart of a service access method provided by the embodiment of the present invention, where the service access method is applied to a server and may include the following steps.
Step 401, receiving a service access request sent by a client, where the service access request includes a target access token and a target resource. Step 401 is the same as step 101.
Step 402, detecting whether the current time reaches the expiration time of the pre-stored target access token. If not, go to step 403. If yes, go to step 406.
And 403, determining a target session corresponding to the target access token according to the corresponding relationship between the pre-stored access token and the session, wherein the session comprises authority information. Step 403 is the same as step 102.
Step 404, determine whether the target session has the right information to access the target resource. If so, go to step 405. Step 404 is the same as step 103.
Step 405, allocating the target resource to the client. Step 405 is the same as step 104.
Step 406, a token refresh indication is sent to the client.
The server stores the expiration time of the target access token in advance, for example 5 minutes after issue. After receiving the service access request, the server checks whether the current time has reached that expiration time; if, for instance, 5 minutes and 30 seconds have elapsed, the expiration time has been reached and the server sends a token refresh instruction to the client. The token refresh instruction may take the form of an access error prompt.
Step 407, receiving a token refresh request sent by the client according to the token refresh instruction, where the token refresh request includes a target refresh token.
After the server sends the token refresh instruction, the client sends a token refresh request to the server in response; the server receives the token refresh request, which comprises the target refresh token.
And step 408, generating a corresponding new target access token according to the target refreshing token.
And the server side generates a new target access token according to the target refreshing token sent by the client side.
Step 409, according to the corresponding relation between the target access token and the target refresh token, modifying the corresponding relation between the target access token and the target session stored in advance into the corresponding relation between the new target access token and the target session, and modifying the corresponding relation between the target access token and the target refresh token into the corresponding relation between the new target access token and the target refresh token.
And the server replaces the target access token with a new target access token, so that the corresponding relation between the pre-stored target access token and the target session is modified into the corresponding relation between the new target access token and the target session, and the corresponding relation between the target access token and the target refresh token is modified into the corresponding relation between the new target access token and the target refresh token.
Step 410, sending the new target access token to the client.
The server sends the new target access token to the client, and the client can send a service access request carrying the new target access token to the server to acquire the target resource.
As shown in fig. 5, fig. 5 is a flowchart of refreshing a target access token by a target refresh token according to an embodiment of the present invention. All tokens and the information corresponding to them are stored in a token database (for example, TokenDAO). The client sends the target refresh token (for example, Refresh-id), and the server acquires the token information corresponding to Refresh-id (for example, Simple Refresh Token) from TokenDAO; the Simple Refresh Token includes the expiration time of Refresh-id, the current time, and the basic information of the user. If no token information is obtained, or the Simple Refresh Token has expired, an error prompt is fed back to the client. If the Simple Refresh Token is obtained, the server judges whether the current user is logged in: if so, it generates a new target access token; if not, it completes the login according to the basic user information in the Simple Refresh Token and then generates the new target access token. The server then modifies, in TokenDAO, the correspondence between the target access token and the target session into the correspondence between the new target access token and the target session, and the correspondence between the target access token and Refresh-id into the correspondence between the new target access token and Refresh-id, and returns the new target access token to the client.
In one embodiment, the server pre-stores the expiration time of the target refresh token. When a token refresh request sent by the client is received, the server detects whether the current time has reached the pre-stored expiration time of the target refresh token. If not, a new target access token is generated; if so, error feedback information is sent to the client. In the embodiment of the present invention, detecting whether the current time has reached the pre-stored expiration time of the target refresh token is done in the same way as detecting whether the current time has reached the pre-stored expiration time of the target access token, described above.
In one embodiment, before receiving a service access request, a server receives a login request sent by a client; and establishing connection with the client according to the login request. If the connection is successful, namely the client successfully logs in the server, generating a target access token and a target refreshing token; and carrying the target access token and the target refreshing token in the login response and feeding back the login response to the client. And if the connection fails, namely the client fails to log in the server, feeding back the prompt information of the login failure to the client in a login response.
According to the service access method provided by the embodiment of the invention, the session information is stored in the server, and the client only needs to send the access token corresponding to the session information, so that network resources are saved. In addition, the session information is not stored in the client, so that the storage space occupied on the client is reduced. Thirdly, because the server stores the session information, when the role and authority information of the user is changed or tampered with, the server can flexibly modify the role and authority information of the user in the session information.
Corresponding to the embodiment of the service access method, the embodiment of the invention also provides a service access device. As shown in fig. 6, fig. 6 is a structural diagram of a service access device according to an embodiment of the present invention. The device comprises:
a first receiving unit 601, configured to receive a service access request sent by a client, where the service access request includes a target access token and a target resource;
a determining unit 602, configured to determine, according to a pre-stored correspondence between an access token and a session, a target session corresponding to the target access token, where the session includes authority information;
a judging unit 603, configured to judge whether authority information for accessing the target resource exists in the target session;
an allocating unit 604, configured to allocate the target resource to the client if the judgment result of the judging unit is yes.
In an embodiment, the service access apparatus provided in the embodiment of the present invention may further include:
the detection unit is used for detecting whether the current time reaches the expiration time of a pre-stored target access token or not after receiving the service access request;
and the determining unit is specifically used for determining the target session corresponding to the target access token according to the pre-stored corresponding relationship between the access token and the session if the detection result of the detecting unit is negative.
In an embodiment, the service end stores a corresponding relationship between the target access token and the target refresh token, and the service access device provided in the embodiment of the present invention may further include:
the first sending unit is used for sending a token refreshing instruction to the client if the pre-stored expiration time of the target access token is reached;
the second receiving unit is used for receiving a token refreshing request sent by the client according to the token refreshing instruction, wherein the token refreshing request comprises a target refreshing token;
the first generation unit is used for generating a new target access token according to the target refreshing token;
the modification unit is used for modifying the pre-stored corresponding relation between the target access token and the target session into the corresponding relation between the new target access token and the target session according to the corresponding relation between the target access token and the target refresh token, and modifying the corresponding relation between the target access token and the target refresh token into the corresponding relation between the new target access token and the target refresh token;
and the second sending unit is used for sending the new target access token to the client.
In an embodiment, the first generating unit is specifically configured to:
detecting whether the current time reaches the pre-stored expiration time of the target refresh token; if not, generating a new target access token.
In an embodiment, the service access apparatus provided in the embodiment of the present invention may further include:
the third receiving unit is used for receiving the login request sent by the client;
the establishing unit is used for establishing connection with the client according to the login request;
a second generating unit for generating a target access token and a target refresh token;
and the feedback unit is used for carrying the target access token and the target refreshing token in the login response and feeding back the login response to the client.
The service access device provided by the embodiment of the invention stores the session information in the server, and the client only needs to send the access token corresponding to the session information, so that network resources are saved. In addition, the session information is not stored in the client, so that the storage space occupied on the client is reduced. Thirdly, because the server stores the session information, when the role and authority information of the user is changed or tampered with, the server can flexibly modify the role and authority information of the user in the session information.
Corresponding to the embodiment of the service access method, the embodiment of the invention also provides a service access system. As shown in fig. 7, fig. 7 is a structural diagram of a service access system according to an embodiment of the present invention. The service access system comprises: a client 701 and a server 702.
A client 701, configured to send a service access request to a server 702, where the service access request includes a target access token and a target resource;
a server 702, configured to receive a service access request sent by a client 701; determining a target session corresponding to the target access token according to a pre-stored corresponding relationship between the access token and the session, wherein the session comprises authority information; judging whether authority information for accessing the target resource exists in the target session or not; and if so, allocating the target resource for the client.
According to the service access system provided by the embodiment of the invention, the session information is stored in the server, and the client only needs to send the access token corresponding to the session information, so that network resources are saved. In addition, the session information is not stored in the client, so that the storage space occupied on the client is reduced. Thirdly, because the server stores the session information, when the role and authority information of the user is changed or tampered with, the server can flexibly modify the role and authority information of the user in the session information.
Based on the service access system, the service access method provided by the embodiment of the present invention is described with reference to the service access signaling diagram shown in fig. 8.
Step 801, receiving a service access request sent by a client, wherein the service access request comprises information such as a target access token and a target resource;
step 802, detecting whether the current time reaches the expiration time of the target access token; if not, go to step 803; if yes, go to step 807;
step 803, according to the corresponding relationship between the pre-stored access token and the session, determining a target session corresponding to the target access token, wherein the session includes authority information;
step 804, judging whether the target session has authority information for accessing the target resource; if not, go to step 805; if yes, go to step 806;
step 805, sending access failure feedback to the client;
step 806, allocating target resources for the client;
step 807, sending a token refresh instruction to the client;
step 808, receiving a token refreshing request sent by the client according to the token refreshing instruction, wherein the token refreshing request comprises a target refreshing token;
step 809, detecting whether the target refresh token is expired; if yes, go to step 805; if the detection result is negative, go to step 810;
step 810, generating a corresponding new target access token according to the target refresh token, modifying the pre-stored correspondence between the target access token and the target session into the correspondence between the new target access token and the target session, and modifying the correspondence between the target access token and the target refresh token into the correspondence between the new target access token and the target refresh token;
step 811, sending the new target access token to the client.
The description of steps 801 to 811 is relatively brief; reference may be made to the description of fig. 1 to 5 above.
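The login, access-check and refresh flow of steps 401 to 410 (with the fig. 5 refresh logic) and of the fig. 8 signaling steps 801 to 811, written out as an added Python example that is not part of the patent. It assumes an in-memory token database standing in for TokenDAO, opaque random tokens from `secrets`, the 5-minute access-token lifetime the description uses as its example, and an assumed 7-day refresh-token lifetime.

```python
"""Server-side session model from the patent: an opaque access token maps to a
session held only on the server (with its authority information); a refresh
token rotates an expired access token without re-sending credentials."""
import secrets
import time
from dataclasses import dataclass

ACCESS_TTL = 300            # 5 minutes, the example lifetime in the description
REFRESH_TTL = 7 * 24 * 3600  # assumed refresh-token lifetime (not from the patent)


@dataclass
class Session:
    user: str
    permissions: set  # authority information, stored on the server only


class TokenDAO:
    """Stand-in for the token database: tokens and their correspondences."""

    def __init__(self, now=time.time):
        self.now = now            # injectable clock so expiry can be tested
        self.sessions = {}        # access token -> Session
        self.access_expiry = {}   # access token -> expiration time
        self.refresh_expiry = {}  # refresh token -> expiration time
        self.refresh_owner = {}   # refresh token -> Session (basic user info)
        self.refresh_of = {}      # access token -> refresh token
        self.access_of = {}       # refresh token -> access token

    def _bind(self, access, session):
        """Store the access token -> session correspondence and its expiry."""
        self.sessions[access] = session
        self.access_expiry[access] = self.now() + ACCESS_TTL

    def login(self, user, permissions):
        """Login: establish the session, issue both tokens, store correspondences."""
        session = Session(user, set(permissions))
        access = secrets.token_urlsafe(32)
        refresh = secrets.token_urlsafe(32)
        self._bind(access, session)
        self.refresh_expiry[refresh] = self.now() + REFRESH_TTL
        self.refresh_owner[refresh] = session
        self.refresh_of[access] = refresh
        self.access_of[refresh] = access
        return access, refresh

    def access(self, access_token, resource):
        """Service access request: expiry check, session lookup, authority check."""
        exp = self.access_expiry.get(access_token)
        if exp is None:
            return "access_failed"        # unknown or already rotated token
        if self.now() >= exp:
            return "token_refresh"        # step 406 / 807: client must refresh
        session = self.sessions[access_token]
        if resource not in session.permissions:
            return "access_failed"        # step 805: no authority for resource
        return f"granted:{resource}"      # step 405 / 806: allocate the resource

    def refresh(self, refresh_token):
        """Token refresh request: check refresh-token expiry, rotate the access
        token and rewrite both correspondences (steps 408-410 / 809-811)."""
        exp = self.refresh_expiry.get(refresh_token)
        if exp is None or self.now() >= exp:
            return None                   # error feedback to the client
        session = self.refresh_owner[refresh_token]  # basic user info (fig. 5)
        old_access = self.access_of[refresh_token]
        # The old correspondence is replaced, so the old access token dies here.
        self.sessions.pop(old_access, None)
        self.access_expiry.pop(old_access, None)
        self.refresh_of.pop(old_access, None)
        new_access = secrets.token_urlsafe(32)
        self._bind(new_access, session)
        self.refresh_of[new_access] = refresh_token
        self.access_of[refresh_token] = new_access
        return new_access

    def set_permissions(self, refresh_token, permissions):
        """Server-side change of authority info: takes effect on the next request
        with no token reissue, the 'flexibly modify' point in the description."""
        self.refresh_owner[refresh_token].permissions = set(permissions)
```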
Corresponding to the embodiment of the service access method, the embodiment of the present invention further provides a server, as shown in fig. 9, including a processor 901, a communication interface 902, a memory 903 and a communication bus 904, where the processor 901, the communication interface 902, and the memory 903 complete mutual communication through the communication bus 904,
a memory 903 for storing computer programs;
the processor 901 is configured to implement the following steps when executing the program stored in the memory 903:
receiving a service access request sent by a client, wherein the service access request comprises a target access token and a target resource;
determining a target session corresponding to the target access token according to a pre-stored corresponding relationship between the access token and the session, wherein the session comprises authority information;
judging whether the target session has authority information for accessing the target resource;
and if so, allocating the target resource for the client.
According to the server provided by the embodiment of the invention, the session information is stored in the server, and the client only needs to send the access token corresponding to the session information, so that network resources are saved. In addition, the session information is not stored in the client, so that the storage space occupied on the client is reduced. Thirdly, because the server stores the session information, when the role and authority information of the user is changed or tampered with, the server can flexibly modify the role and authority information of the user in the session information.
The communication bus mentioned in the electronic device may be a Peripheral Component Interconnect (PCI) bus or an Extended Industry Standard Architecture (EISA) bus. The communication bus may be divided into an address bus, a data bus, a control bus, etc. For ease of illustration, only one thick line is shown, but this does not mean that there is only one bus or one type of bus.
The communication interface is used for communication between the electronic equipment and other equipment.
The Memory may include a Random Access Memory (RAM), and may also include a non-volatile Memory (non-volatile Memory), such as at least one disk Memory. Alternatively, the memory may be at least one memory device located remotely from the processor.
The processor may be a general-purpose processor, including a Central Processing Unit (CPU), a Network Processor (NP), and the like; it may also be a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), a Field Programmable Gate Array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, or a discrete hardware component.
In a further embodiment provided by the present invention, a readable storage medium is further provided, where a computer program is stored, and the computer program is executed by a processor to implement the service access method in any one of the above embodiments.
In the above embodiments, the implementation may be wholly or partially realized by software, hardware, firmware, or any combination thereof. When implemented in software, it may be implemented in whole or in part in the form of a computer program product. The computer program product includes one or more computer instructions which, when loaded and executed on a computer, cause the processes or functions described in accordance with the embodiments of the invention to occur, in whole or in part. The computer may be a general purpose computer, a special purpose computer, a network of computers, or other programmable device. The computer instructions may be stored in a computer readable storage medium or transmitted from one computer readable storage medium to another, for example, from one website, computer, server, or data center to another website, computer, server, or data center via wired (e.g., coaxial cable, fiber optic, Digital Subscriber Line (DSL)) or wireless (e.g., infrared, radio, microwave) means. The computer-readable storage medium can be any available medium that can be accessed by a computer, or a data storage device such as a server or data center that incorporates one or more available media. The available medium may be a magnetic medium (e.g., floppy disk, hard disk, magnetic tape), an optical medium (e.g., DVD), or a semiconductor medium (e.g., Solid State Disk (SSD)), among others.
It should be noted that, in this document, relational terms such as first and second, and the like are used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other identical elements in the process, method, article, or apparatus that comprises the element.
All the embodiments in the present specification are described in a related manner, and the same and similar parts among the embodiments may be referred to each other, and each embodiment focuses on the differences from the other embodiments. Especially, for the embodiments of the apparatus, the system, the server and the readable storage medium, since they are substantially similar to the embodiments of the method, the description is relatively simple, and for the relevant points, reference may be made to the partial description of the embodiments of the method.
The above description is only for the preferred embodiment of the present invention, and is not intended to limit the scope of the present invention. Any modification, equivalent replacement, or improvement made within the spirit and principle of the present invention shall fall within the protection scope of the present invention.

Claims (6)

1. A service access method is applied to a server side and comprises the following steps:
receiving a service access request sent by a client, wherein the service access request comprises a target access token and a target resource;
determining a target session corresponding to the target access token according to a pre-stored corresponding relationship between the access token and the session, wherein the session comprises authority information;
judging whether the target session has authority information for accessing the target resource;
if so, allocating the target resource for the client;
after receiving the service access request, the method further comprises:
detecting whether the current time reaches the pre-stored expiration time of the target access token;
if not, executing the step of determining the target session corresponding to the target access token according to the pre-stored corresponding relationship between the access token and the session;
the server stores the corresponding relation between the target access token and the target refreshing token; the method further comprises the following steps:
if the pre-stored expiration time of the target access token is reached, sending a token refreshing instruction to the client;
receiving a token refreshing request sent by the client according to the token refreshing instruction, wherein the token refreshing request comprises a target refreshing token;
generating a new target access token according to the target refreshing token;
according to the corresponding relation between the target access token and the target refreshing token, modifying the corresponding relation between the target access token and the target session which is stored in advance into the corresponding relation between the new target access token and the target session, and modifying the corresponding relation between the target access token and the target refreshing token into the corresponding relation between the new target access token and the target refreshing token;
sending the new target access token to the client;
before receiving the service access request, the method further comprises:
receiving a login request sent by the client;
establishing connection with the client according to the login request;
generating a target access token and a target refresh token;
and carrying the target access token and the target refreshing token in a login response and feeding back the login response to the client.
2. The method of claim 1, wherein the step of generating a new target access token based on the target refresh token comprises:
detecting whether the current time reaches the pre-stored expiration time of the target refresh token;
and if not, generating the new target access token.
3. A service access device, applied to a server, comprising:
the first receiving unit is used for receiving a service access request sent by a client, wherein the service access request comprises a target access token and a target resource;
the system comprises a determining unit, a processing unit and a processing unit, wherein the determining unit is used for determining a target session corresponding to a target access token according to a pre-stored corresponding relationship between the access token and the session, and the session comprises authority information;
the judging unit is used for judging whether the target session has the authority information for accessing the target resource;
the allocation unit is used for allocating the target resource to the client if the judgment result of the judgment unit is positive;
the detection unit is used for detecting whether the current time reaches the pre-stored expiration time of the target access token after receiving the service access request;
the determining unit is specifically configured to determine, if the detection result of the detecting unit is negative, a target session corresponding to the target access token according to a pre-stored correspondence between the access token and the session;
the server stores the corresponding relation between the target access token and the target refreshing token; the device further comprises:
the first sending unit is used for sending a token refreshing instruction to the client side if the pre-stored expiration time of the target access token is reached;
a second receiving unit, configured to receive a token refresh request sent by the client according to the token refresh instruction, where the token refresh request includes a target refresh token;
the first generation unit is used for generating a new target access token according to the target refreshing token;
a modification unit, configured to modify, according to a correspondence between the target access token and the target refresh token, a correspondence between the target access token and the target session, which is stored in advance, to a correspondence between the new target access token and the target session, and modify a correspondence between the target access token and the target refresh token to a correspondence between the new target access token and the target refresh token;
a second sending unit, configured to send the new target access token to the client;
a third receiving unit, configured to receive a login request sent by the client;
the establishing unit is used for establishing connection with the client according to the login request;
a second generating unit for generating a target access token and a target refresh token;
and the feedback unit is used for feeding back the target access token and the target refresh token carried in the login response to the client.
4. The apparatus according to claim 3, wherein the first generating unit is specifically configured to:
detecting whether the current time reaches the pre-stored expiration time of the target refresh token; and if not, generating the new target access token.
5. A server, characterized by comprising a processor, a communication interface, a memory and a communication bus, wherein the processor, the communication interface and the memory communicate with one another through the communication bus;
a memory for storing a computer program;
a processor for implementing the method steps of claim 1 or 2 when executing a program stored in the memory.
6. A readable storage medium, characterized in that a computer program is stored in the readable storage medium, which computer program, when being executed by a processor, carries out the method steps of claim 1 or 2.
CN201910989877.0A 2019-10-17 2019-10-17 Service access method and device Active CN110784457B (en)


Publications (2)

Publication Number Publication Date
CN110784457A CN110784457A (en) 2020-02-11
CN110784457B true CN110784457B (en) 2022-08-19


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant