CN110958237A - Authority verification method and device - Google Patents

Publication number
CN110958237A
Authority
CN
China
Prior art keywords
resource request
service system
bill
resource
user
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201911170896.7A
Other languages
Chinese (zh)
Inventor
田森
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
AI Speech Ltd
Original Assignee
AI Speech Ltd
Application filed by AI Speech Ltd
Priority to CN201911170896.7A
Publication of CN110958237A

Classifications

All under H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L63/00 Network architectures or network communication protocols for network security:

    • H04L63/0236 Filtering by address, protocol, port number or service, e.g. IP-address or URL (under H04L63/0227 Filtering policies and H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls)
    • H04L63/0876 Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources

Abstract

The invention discloses an authority verification method and device, relating to the technical field of computers. The method comprises the following steps: intercepting a resource request sent by a user to a service system and acquiring the ticket carried in the resource request; when the ticket authentication is confirmed to pass, acquiring, according to the ticket, the current resource positioning information corresponding to the resource request, and acquiring the resource positioning information of the service system from a database; and after the current resource positioning information has been authenticated against the resource positioning information of the service system, adding the user identifier of the user to the resource request and forwarding the resource request with the user identifier added to the service system. The method completely decouples the service system from the authentication service, greatly reduces the later maintenance cost of the service system, and also reduces the development cost of connecting an existing service system to the unified authority system.

Description

Authority verification method and device
Technical Field
The invention relates to the technical field of computers, and in particular to an authority verification method and device.
Background
In current unified authority management systems there are authentication and authorization services; when a user accesses a system resource, the resource request must undergo authority verification so that the user's access to the resource can be controlled. In the prior art, most authority management systems implement access control for a service system by having the service system itself actively call the authentication service, even though the service system is only a downstream service that should need to pay attention only to its own business.
Specifically, all current authority management systems need to integrate an authentication client into each service system, that is, each service system maintains its own set of code for invoking the authentication service, which couples the subsystem to the authentication service. When the client calling logic changes, every service system needs to be updated, which increases the later maintenance cost of the system; in addition, when the authority management system is connected to an existing service system, the code of that service system must be changed, which increases the amount of code.
Disclosure of Invention
In view of this, embodiments of the present invention provide an authority verification method and device that can completely decouple a service system from the authentication service, thereby greatly reducing the later maintenance cost of the service system and also reducing the development cost of connecting an existing service system to the unified authority system.
To achieve the above object, according to one aspect of the embodiments of the present invention, an authority verification method is provided.
The authority verification method of the embodiment of the invention comprises the following steps: intercepting a resource request sent by a user to a service system and acquiring the ticket carried in the resource request; when the ticket authentication is confirmed to pass, acquiring, according to the ticket, the current resource positioning information corresponding to the resource request, and acquiring the resource positioning information of the service system from a database; and after the current resource positioning information has been authenticated against the resource positioning information of the service system, adding the user identifier of the user to the resource request and forwarding the resource request with the user identifier added to the service system.
Optionally, acquiring the ticket carried in the resource request includes: judging whether the resource request carries a ticket; if so, acquiring the ticket carried in the resource request; otherwise, redirecting the front end to a login page, so that a new ticket is generated after the user successfully logs in through the login page.
Optionally, after acquiring the ticket carried in the resource request, the method further includes: when it is confirmed that the ticket authentication does not pass, redirecting the front end to the login page, so that a new ticket is generated after the user successfully logs in through the login page.
Optionally, after the user successfully logs in through the login page and a new ticket is generated, the method further includes: putting the new ticket into a redis cache, storing the new ticket in a cookie of the response to the resource request and returning it to the front end, so that the new ticket in the cookie is carried when the resource request is initiated again through the front end.
Optionally, forwarding the resource request with the user identifier added to the service system includes: determining the route of the service system, and forwarding the resource request with the user identifier added to the service system according to that route.
To achieve the above object, according to another aspect of the embodiments of the present invention, an authority verification device is provided.
The authority verification device of the embodiment of the invention comprises:
a first acquisition module, used for intercepting a resource request sent by a user to a service system and acquiring the ticket carried in the resource request;
a second acquisition module, used for acquiring, when the ticket authentication is confirmed to pass, the current resource positioning information corresponding to the resource request according to the ticket, and acquiring the resource positioning information of the service system from a database;
and a forwarding module, used for adding the user identifier of the user to the resource request after the current resource positioning information has been authenticated against the resource positioning information of the service system, and forwarding the resource request with the user identifier added to the service system.
Optionally, the first acquisition module is further configured to judge whether the resource request carries a ticket; if so, to acquire the ticket carried in the resource request; otherwise, to redirect the front end to a login page, so that a new ticket is generated after the user successfully logs in through the login page.
Optionally, the first acquisition module is further configured to redirect the front end to the login page when it is determined that the ticket authentication does not pass, so that a new ticket is generated after the user successfully logs in through the login page.
Optionally, the first acquisition module is further configured to put the new ticket into a redis cache, store the new ticket in a cookie of the response to the resource request and return the cookie to the front end, so that the new ticket in the cookie is carried when the resource request is initiated again by the front end.
Optionally, the forwarding module is further configured to determine the route of the service system and forward the resource request with the user identifier added to the service system according to that route.
To achieve the above object, according to still another aspect of the embodiments of the present invention, an electronic device is provided.
The electronic device of the embodiment of the invention comprises: one or more processors; and a storage device configured to store one or more programs which, when executed by the one or more processors, cause the one or more processors to implement any of the authority verification methods described above.
To achieve the above object, according to a further aspect of the embodiments of the present invention, a computer readable medium is provided, on which a computer program is stored, the program implementing any of the authority verification methods described above when executed by a processor.
One embodiment of the above invention has the following advantages or benefits: by adopting a gateway pre-authentication mode, the coupling between the service system and the authentication service is reduced; all resource requests for accessing the service system are first intercepted and verified uniformly, and are forwarded to the service system only after the verification passes. Moreover, the request forwarded to the service system already carries the user identifier, so the service system can pass the request directly once it receives a resource request with the user identifier added. Therefore, the service system only needs to pay attention to its own business logic and not to authentication and authorization logic, and the service system is completely decoupled from the authentication and authorization service, so that the later maintenance cost of the service system is greatly reduced, and the development cost of connecting an existing service system to the unified authority system is also reduced.
Further effects of the above non-conventional alternatives will be described below in connection with the embodiments.
Drawings
The drawings are included to provide a better understanding of the invention and are not to be construed as unduly limiting the invention. In the drawings:
FIG. 1 is a schematic diagram of the main flow of an authority verification method according to an embodiment of the invention;
FIG. 2 is a schematic diagram of an authority verification method according to an embodiment of the invention;
FIG. 3 is a schematic diagram of the main modules of an authority verification device according to an embodiment of the invention;
FIG. 4 is an exemplary system architecture diagram in which embodiments of the invention may be employed;
FIG. 5 is a schematic block diagram of a computer system suitable for implementing a terminal device or server of an embodiment of the invention.
Detailed Description
Exemplary embodiments of the present invention are described below with reference to the accompanying drawings, in which various details of embodiments of the invention are included to assist understanding, and which are to be considered as merely exemplary. Accordingly, those of ordinary skill in the art will recognize that various changes and modifications of the embodiments described herein can be made without departing from the scope and spirit of the invention. Also, descriptions of well-known functions and constructions are omitted in the following description for clarity and conciseness.
Fig. 1 is a schematic diagram of the main flow of an authority verification method according to an embodiment of the present invention. As shown in fig. 1, the authority verification method of the embodiment mainly includes:
Step S101: intercepting a resource request sent by a user to a service system, and acquiring the ticket carried in the resource request.
Step S102: when the ticket authentication is confirmed to pass, acquiring, according to the ticket, the current resource positioning information corresponding to the resource request, and acquiring the resource positioning information of the service system from the database.
Step S103: after the current resource positioning information has been authenticated against the resource positioning information of the service system, adding the user identifier of the user to the resource request, and forwarding the resource request with the user identifier added to the service system.
In the prior art, authentication and authorization are implemented uniformly by separate services, and a service system must actively call the authentication and authorization service to check the identity of the client user and the access to the specified resource. That is, each request first arrives at the service system, the service system calls the authentication and authorization service for the request, and the authentication and authorization service then judges whether the current request is legitimate. The authentication service returns the authentication result to the service system, and the service system decides whether to pass the current request according to that result. Consequently, the service system must integrate and call the code of the authentication service in order to obtain unified authentication and authorization.
To address these problems of the prior art, the embodiment of the present invention adopts a gateway pre-authentication mode to reduce the coupling between the service system and the authentication service: all resource requests accessing the service system are first intercepted and verified uniformly, and are forwarded to the service system only after the verification passes. Moreover, the request forwarded to the service system already carries the user identifier, so the service system can pass the request directly once it receives a resource request with the user identifier added. Therefore, the service system only needs to pay attention to its own business logic and not to authentication and authorization logic, and the service system is completely decoupled from the authentication and authorization service, so that the later maintenance cost of the service system is greatly reduced, and the development cost of connecting an existing service system to the unified authority system is also reduced.
Preferably, while acquiring the ticket carried in the resource request, it is first judged whether the resource request carries a ticket. If so, the ticket carried in the resource request is acquired; otherwise, the front end is redirected to the login page, so that a new ticket is generated after the user successfully logs in through the login page.
Preferably, after the ticket carried in the resource request has been acquired, if the ticket authentication does not pass, the front end is redirected to the login page, so that a new ticket is generated after the user successfully logs in through the login page.
Preferably, after the user successfully logs in through the login page and a new ticket is generated, the new ticket is put into the redis cache, stored in the cookie of the response to the resource request and returned to the front end, so that the new ticket in the cookie is carried when the resource request is initiated again through the front end. In the embodiment of the invention, the CAS protocol can be used for the single sign-on of the system. Using an existing open source solution has the advantage of reducing the amount of code and improving development efficiency, but the drawback is obvious: in the CAS authentication flow the CAS client carries a token to authenticate against the CAS server, which runs contrary to the design concept of a front gateway performing unified authentication and authorization for all subsystem requests. In other embodiments, single sign-on is implemented by caching the token in redis. Specifically, when a user logs in, the system generates a token through jwt, stores the token in the cache (an expiration time can also be set), puts the token in the cookie of the response and returns it to the browser; when the browser initiates a later request it carries the token in the cookie, and the gateway takes the token and queries redis to check whether the token exists. If it exists, the current user is proven to be in the logged-in state; otherwise the user is not logged in.
Preferably, while forwarding the resource request with the user identifier added to the service system, the route of the service system is determined, and the resource request with the user identifier added is forwarded to the service system according to that route. In the embodiment of the invention, the verified resource request is transmitted directly to the service system over the determined path, so that the service system can pass the request directly once it receives the resource request with the user identifier added. The service system does not need to actively call the authentication service, and the logical interaction with the service system components is simplified. Therefore, the service system only needs to pay attention to its own business logic and not to authentication and authorization logic, and the service system is thoroughly decoupled from the authentication and authorization service.
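The token life cycle described above (generate a jwt at login, cache it with an expiry, return it in a cookie, and have the gateway check the cookie token against the cache on later requests), as an added Python example that is not part of the patent or of any AI Speech Ltd code. It assumes a hypothetical HS256 secret and a `/login` page path, replaces redis with an in-memory stand-in that exposes `setex`/`get`/`delete`, and passes the current time explicitly so expiry is deterministic. The `HttpOnly`, `Secure` and `SameSite` cookie attributes and the `logout` function are additions the patent does not mention; the cache lookup is what lets a session be ended before the jwt itself expires.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo secret for the HMAC signature (hypothetical; a real gateway
# loads it from configuration, never from source code).
SECRET = b"demo-gateway-secret-not-for-production"
LOGIN_URL = "/login"  # hypothetical login page path the front end is redirected to


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_jwt(user_id: str, now: int, ttl: int) -> str:
    """Build a compact HS256 JWT (header.payload.signature, base64url encoded)."""
    compact = {"separators": (",", ":")}
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, **compact).encode())
    payload = _b64url(json.dumps({"sub": user_id, "iat": now, "exp": now + ttl}, **compact).encode())
    signing_input = f"{header}.{payload}".encode("ascii")
    signature = hmac.new(SECRET, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(signature)}"


def verify_jwt(token: str, now: int):
    """Return the claims if the signature is valid and the token is unexpired, else None."""
    try:
        header, payload, signature = token.split(".")
        expected = hmac.new(SECRET, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(signature)):
            return None
        claims = json.loads(_b64url_decode(payload))
        if not isinstance(claims, dict) or int(claims["exp"]) <= now:
            return None
    except (ValueError, KeyError, TypeError):  # malformed token, bad base64/JSON, missing exp
        return None
    return claims


class TokenCache:
    """In-memory stand-in for the redis commands the gateway needs (SETEX/GET/DEL);
    expiry is driven by the caller's timestamp so the example is deterministic."""

    def __init__(self):
        self._store = {}  # key -> (value, expires_at)

    def setex(self, key, ttl, value, now):
        self._store[key] = (value, now + ttl)

    def get(self, key, now):
        entry = self._store.get(key)
        if entry is None:
            return None
        value, expires_at = entry
        if expires_at <= now:
            del self._store[key]  # expired: behave as if redis had evicted it
            return None
        return value

    def delete(self, key):
        self._store.pop(key, None)


def login(cache, user_id, now, ttl=3600):
    """Step 3 of Fig. 2 after the credential check (assumed already done): issue the
    token, cache it with the same expiry, and build the Set-Cookie header."""
    token = make_jwt(user_id, now, ttl)
    cache.setex("session:" + token, ttl, user_id, now)
    set_cookie = f"token={token}; Path=/; Max-Age={ttl}; HttpOnly; Secure; SameSite=Lax"
    return token, set_cookie


def cookie_value(cookie_header, name):
    for part in cookie_header.split(";"):
        key, _, value = part.strip().partition("=")
        if key == name:
            return value
    return None


def check_login(cache, cookie_header, now):
    """Steps 2 and 4 of Fig. 2 on the gateway: take the token out of the cookie, verify
    signature and expiry, then ask the cache whether the session still exists.
    Returns (user_id, None) when logged in, or (None, redirect_url) otherwise."""
    token = cookie_value(cookie_header or "", "token")
    if token is None:
        return None, LOGIN_URL
    claims = verify_jwt(token, now)
    if claims is None:
        return None, LOGIN_URL
    cached_user = cache.get("session:" + token, now)
    if cached_user is None or cached_user != claims.get("sub"):
        return None, LOGIN_URL
    return cached_user, None


def logout(cache, token):
    """Deleting the cache entry ends the session even though the jwt is still unexpired."""
    cache.delete("session:" + token)
```

Checking redis as well as the signature is what gives the gateway a revocation path: a jwt alone stays valid until `exp`, whereas the cache entry can be deleted at logout or when an account is disabled.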
Fig. 2 is a schematic diagram of an authority verification method according to an embodiment of the present invention. In the embodiment, the authority verification method is implemented by a gateway service (front gateway); the subsystem in the embodiment is any business system, and the user is not a specific individual but any one or several operators (or operating devices) that send resource requests through the front end. As shown in fig. 2, when the user accesses the subsystem through the browser, the following processing is performed:
Step 1: the browser sends the request to the gateway service GW-Server. The gateway service is a single access point that can act as a proxy for multiple services. In the embodiment of the present invention the GW-Server is the entry for all requests; a request that passes authentication is forwarded to the corresponding subsystem according to the first-level path of its url (uniform resource locator), the url of each subsystem being distinguished by its first-level path, and each subsystem only concerns itself with its own business and is unaware of the existence of the gateway.
Step 2: the GW-Server acquires the ticket token from the cookie. In this step it is judged whether the token exists; if so, step 4 is executed to verify the token; if the token does not exist, an error code is returned, the front end jumps to the login page, and step 3 is executed to log in. A cookie (sometimes in the plural form, cookies) is data, usually encrypted, that some websites store on the user's local terminal for session tracking in order to identify the user; it is information stored temporarily or permanently on the user's client computer.
Step 3: the user enters a user name and password, the authentication service verifies the login, and after the authentication passes a token is generated, the cookie is set in the response and the user information is cached; if the authentication fails, an error code is returned.
Step 4: the token is verified. Specifically, if the token authentication passes, step 5 is executed; if the token authentication does not pass, the front end jumps to the login page and step 3 is executed.
Step 5: the gateway acquires the subsystem resource information for the current user information and performs authentication. After the authentication passes, the user identifier is added to the request header and the gateway forwards the request to the subsystem through the dynamic routing table; when the authentication does not pass, error information is returned. In this step, the subsystem resource information is the interface url information (resource positioning information) corresponding to the subsystem. Before the gateway service is deployed, all resource positioning information of the subsystems is stored in a database, and when a user logs in, the interface urls that the current user may access, that is, the current resource positioning information, are acquired and can be stored in a cache. Therefore, each time an interface of the subsystem is accessed, the gateway acquires the accessible resource positioning information of the subsystem from the cache according to the token and compares it with the current resource positioning information to perform the authentication. In the embodiment of the present invention, the user information may be the userId (unique user id).
In the embodiment of the invention, the coupling between the service system and the authentication service is reduced by adopting the gateway pre-authentication mode: all resource requests for accessing the service system are first intercepted and verified uniformly, and are forwarded to the service system after the verification passes. Moreover, the request forwarded to the service system already carries the user identifier, so the service system can pass the request directly once it receives a resource request with the user identifier added. Therefore, the service system only needs to pay attention to its own business logic and not to authentication and authorization logic, and the service system is completely decoupled from the authentication and authorization service, so that the later maintenance cost of the service system is greatly reduced, and the development cost of connecting an existing service system to the unified authority system is also reduced.
Fig. 3 is a schematic diagram of the main modules of an authority verification device according to an embodiment of the present invention. As shown in fig. 3, the authority verification device 300 of the embodiment includes a first acquisition module 301, a second acquisition module 302 and a forwarding module 303.
The first acquisition module 301 is configured to intercept a resource request sent by a user to a service system and acquire the ticket carried in the resource request. The first acquisition module is further used for judging whether the resource request carries a ticket; if so, acquiring the ticket carried in the resource request; otherwise, redirecting the front end to the login page, so that a new ticket is generated after the user successfully logs in through the login page. The first acquisition module is further used for redirecting the front end to the login page when it is confirmed that the ticket authentication does not pass, so that a new ticket is generated after the user successfully logs in through the login page. The first acquisition module is further configured to put the new ticket into the redis cache, store the new ticket in the cookie of the response to the resource request and return the cookie to the front end, so that the new ticket in the cookie is carried when the resource request is initiated again by the front end.
The second acquisition module 302 is configured to acquire, when it is determined that the ticket authentication passes, the current resource positioning information corresponding to the resource request according to the ticket, and to acquire the resource positioning information of the service system from the database.
The forwarding module 303 is configured to add the user identifier of the user to the resource request after the current resource positioning information has been authenticated against the resource positioning information of the service system, and to forward the resource request with the user identifier added to the service system. The forwarding module is further configured to determine the route of the service system and forward the resource request with the user identifier added to the service system according to that route.
In the embodiment of the invention, the coupling between the service system and the authentication service is reduced by adopting the gateway pre-authentication mode: all resource requests for accessing the service system are first intercepted and verified uniformly, and are forwarded to the service system after the verification passes. Moreover, the request forwarded to the service system already carries the user identifier, so the service system can pass the request directly once it receives a resource request with the user identifier added. Therefore, the service system only needs to pay attention to its own business logic and not to authentication and authorization logic, and the service system is completely decoupled from the authentication and authorization service, so that the later maintenance cost of the service system is greatly reduced, and the development cost of connecting an existing service system to the unified authority system is also reduced.
Fig. 4 shows an exemplary system architecture 400 to which the authority verification method or the authority verification device of an embodiment of the present invention may be applied.
As shown in fig. 4, the system architecture 400 may include terminal devices 401, 402, 403, a network 404 and a server 405. The network 404 serves as the medium providing communication links between the terminal devices 401, 402, 403 and the server 405. Network 404 may include various types of connections, such as wired or wireless communication links or fiber optic cables, to name a few.
A user may use terminal devices 401, 402, 403 to interact with a server 405 over a network 404 to receive or send messages or the like. The terminal devices 401, 402, 403 may have installed thereon various communication client applications, such as shopping-like applications, web browser applications, search-like applications, instant messaging tools, mailbox clients, social platform software, etc. (by way of example only).
The terminal devices 401, 402, 403 may be various electronic devices having a display screen and supporting web browsing, including but not limited to smart phones, tablet computers, laptop portable computers, desktop computers, and the like.
The server 405 may be a server providing various services, such as a background management server (for example only) providing support for shopping websites browsed by users using the terminal devices 401, 402, 403. The background management server can analyze and process the received data such as the product information inquiry resource request and feed back the processing result to the terminal equipment.
It should be noted that the authority verification method provided by the embodiment of the present invention is generally executed by the server 405, and accordingly the authority verification device is generally disposed in the server 405.
It should be understood that the number of terminal devices, networks, and servers in fig. 4 is merely illustrative. There may be any number of terminal devices, networks, and servers, as desired for implementation.
Referring now to FIG. 5, shown is a block diagram of a computer system 500 suitable for implementing a terminal device of an embodiment of the present invention. The terminal device shown in fig. 5 is only an example and should not impose any limitation on the functions and scope of use of the embodiments of the present invention.
As shown in fig. 5, the computer system 500 includes a Central Processing Unit (CPU)501 that can perform various appropriate actions and processes according to a program stored in a Read Only Memory (ROM)502 or a program loaded from a storage section 508 into a Random Access Memory (RAM) 503. In the RAM 503, various programs and data necessary for the operation of the system 500 are also stored. The CPU 501, ROM 502, and RAM 503 are connected to each other via a bus 504. An input/output (I/O) interface 505 is also connected to bus 504.
The following components are connected to the I/O interface 505: an input portion 506 including a keyboard, a mouse and the like; an output portion 507 including a display such as a Cathode Ray Tube (CRT) or Liquid Crystal Display (LCD) and a speaker; a storage portion 508 including a hard disk and the like; and a communication section 509 including a network interface card such as a LAN card, a modem or the like. The communication section 509 performs communication processing via a network such as the internet. A drive 510 is also connected to the I/O interface 505 as necessary. A removable medium 511 such as a magnetic disk, an optical disk, a magneto-optical disk or a semiconductor memory is mounted on the drive 510 as necessary, so that a computer program read from it can be installed into the storage section 508 as needed.
In particular, according to the embodiments of the present disclosure, the processes described above with reference to the flowcharts may be implemented as computer software programs. For example, embodiments of the present disclosure include a computer program product comprising a computer program embodied on a computer readable medium, the computer program comprising program code for performing the method illustrated in the flow chart. In such an embodiment, the computer program may be downloaded and installed from a network through the communication section 509, and/or installed from the removable medium 511. The computer program performs the above-described functions defined in the system of the present invention when executed by the Central Processing Unit (CPU) 501.
It should be noted that the computer readable medium shown in the present invention can be a computer readable signal medium or a computer readable storage medium or any combination of the two. A computer readable storage medium may be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any combination of the foregoing. More specific examples of the computer readable storage medium may include, but are not limited to: an electrical connection having one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the present invention, a computer readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device. In the present invention, however, a computer readable signal medium may include a propagated data signal with computer readable program code embodied therein, for example, in baseband or as part of a carrier wave. Such a propagated data signal may take many forms, including, but not limited to, electro-magnetic, optical, or any suitable combination thereof. A computer readable signal medium may also be any computer readable medium that is not a computer readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device. Program code embodied on a computer readable medium may be transmitted using any appropriate medium, including but not limited to: wireless, wire, fiber optic cable, RF, etc., or any suitable combination of the foregoing.
The flowchart and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present invention. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams or flowchart illustration, and combinations of blocks in the block diagrams or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
The modules described in the embodiments of the present invention may be implemented by software or hardware. The described modules may also be provided in a processor, which may be described as: a processor includes a first acquisition module, a second acquisition module, and a forwarding module. The names of these modules do not form a limitation on the module itself in some cases, for example, the first acquiring module may also be described as "a module for intercepting a resource request sent by a user to a service system and acquiring a ticket carried in the resource request".
As another aspect, the present invention also provides a computer-readable medium that may be contained in the apparatus described in the above embodiments, or may be separate and not incorporated into the device. The computer readable medium carries one or more programs which, when executed by a device, cause the device to perform: intercepting a resource request sent to a service system by a user, and acquiring a ticket carried in the resource request; and under the condition that the ticket authentication is confirmed to pass, acquiring current resource positioning information corresponding to the resource request according to the ticket, acquiring resource positioning information of the service system in the database, adding the user identifier of the user into the resource request after the current resource positioning information and the resource positioning information of the service system pass the authentication, and forwarding the resource request added with the user identifier to the service system.
In the embodiment of the invention, by adopting the gateway-fronted authentication mode, the coupling between the service system and the authentication service is reduced: all resource requests for accessing the service system are first intercepted uniformly for verification, and are forwarded to the service system only after the verification passes. Moreover, the user identifier has already been added to the request forwarded to the service system, so that the service system can directly accept the request once it receives the resource request carrying the user identifier. Therefore, the service system only needs to attend to its own service logic and not to authentication and authorization logic; the service system is completely decoupled from the authentication and authorization service, which greatly reduces the later maintenance cost of the service system and also reduces the development cost of connecting an existing service system to the unified authority.
The above-described embodiments should not be construed as limiting the scope of the invention. Those skilled in the art will appreciate that various modifications, combinations, sub-combinations, and substitutions can occur, depending on design requirements and other factors. Any modification, equivalent replacement, and improvement made within the spirit and principle of the present invention should be included in the protection scope of the present invention.

Claims (10)

1. A method of rights checking, comprising:
intercepting a resource request sent to a service system by a user, and acquiring a ticket carried in the resource request;
under the condition that the ticket authentication is confirmed to pass, acquiring current resource positioning information corresponding to the resource request according to the ticket, and acquiring resource positioning information of the service system in a database;
and after the current resource positioning information and the resource positioning information of the service system are authenticated, adding the user identification of the user into the resource request, and forwarding the resource request added with the user identification to the service system.
2. The method of claim 1, wherein the step of acquiring the ticket carried in the resource request comprises:
judging whether the resource request carries a ticket;
if yes, acquiring the ticket carried in the resource request; otherwise, redirecting the front end to a login page, so that a new ticket is generated after the user successfully logs in through the login page.
3. The method of claim 2, further comprising, after acquiring the ticket carried in the resource request:
under the condition that the ticket authentication is confirmed not to pass, redirecting the front end to the login page, so that a new ticket is generated after the user successfully logs in through the login page.
4. The method of claim 2, further comprising, after the user successfully logs in through the login page and the new ticket is generated:
placing the new ticket in a redis cache, storing the new ticket in a cookie of the response to the resource request, and returning it to the front end, so that the new ticket in the cookie is carried when the resource request is initiated again through the front end.
5. An apparatus for rights verification, comprising:
a first acquisition module, configured to intercept a resource request sent to a service system by a user and acquire a ticket carried in the resource request;
a second acquisition module, configured to, under the condition that the ticket authentication is confirmed to pass, acquire the current resource positioning information corresponding to the resource request according to the ticket and acquire the resource positioning information of the service system in a database;
and a forwarding module, configured to add the user identifier of the user into the resource request after the current resource positioning information and the resource positioning information of the service system are authenticated, and forward the resource request added with the user identifier to the service system.
6. The apparatus of claim 5, wherein the first acquisition module is further configured to judge whether the resource request carries a ticket; if yes, acquire the ticket carried in the resource request; otherwise, redirect the front end to a login page, so that a new ticket is generated after the user successfully logs in through the login page.
7. The apparatus of claim 6, wherein the first acquisition module is further configured to redirect the front end to the login page under the condition that the ticket authentication is confirmed not to pass, so that a new ticket is generated after the user successfully logs in through the login page.
8. The apparatus of claim 6, wherein the first acquisition module is further configured to place the new ticket in a redis cache, store the new ticket in a cookie of the response to the resource request, and return it to the front end, so that the new ticket in the cookie is carried when the resource request is initiated again by the front end.
9. An electronic device, comprising:
one or more processors;
a storage device for storing one or more programs,
which, when executed by the one or more processors, cause the one or more processors to implement the method of any one of claims 1-4.
10. A computer-readable medium, on which a computer program is stored, which, when executed by a processor, carries out the method according to any one of claims 1-4.
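The flow of claims 1-4 (and the summary in the description) as an added example, not the patent's own code: a gateway function that intercepts the request, checks the ticket carried in its cookie, compares the resource positioning information recorded in the ticket with the service system's entry in the database, and forwards the request with the user identifier added, or sends the front end to the login page. TICKET_CACHE (for the redis cache), SERVICE_DB (for the database), the login page URL, the X-User-Id header and the constructed credential store are all assumptions.

```python
"""Gateway-fronted ticket check following the flow of claims 1-4.

Added example, not the patent's own code. Assumed stand-ins: TICKET_CACHE
for the redis cache, SERVICE_DB for the database of service-system resource
positioning info, and plain dicts for HTTP requests and responses.
"""
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit

LOGIN_PAGE = "https://sso.example.test/login"  # assumed login page URL
USER_ID_HEADER = "X-User-Id"                   # assumed header carrying the user identifier

# Constructed credential store: user -> sha256(password); a deployment uses a slow KDF.
USERS = {"alice": hashlib.sha256(b"correct horse").hexdigest()}
# Stand-in for the redis cache: ticket -> {"user_id", "resource"}.
TICKET_CACHE = {}
# Stand-in for the database: service system -> its resource positioning info (constructed).
SERVICE_DB = {"orders": "https://orders.example.test/api/"}


def check_password(user_id, password):
    digest = hashlib.sha256(password.encode()).hexdigest()
    return hmac.compare_digest(USERS.get(user_id, ""), digest)


def login(user_id, password, service):
    """Claim 4: after a successful login generate a new ticket, put it in the
    cache and return it in a cookie of the response. Returns None on failure."""
    if service not in SERVICE_DB or not check_password(user_id, password):
        return None
    ticket = secrets.token_urlsafe(32)
    TICKET_CACHE[ticket] = {"user_id": user_id, "resource": SERVICE_DB[service]}
    return {"status": 200, "set_cookie": {"ticket": ticket, "httponly": True, "secure": True}}


def _same_resource(ticket_resource, service_resource, request_url):
    """Resource positioning check of claim 1: the resource recorded in the ticket
    must agree with the service system's resource in the database, and the
    request must actually target it (same origin, path under the recorded prefix)."""
    t, s, r = (urlsplit(u) for u in (ticket_resource, service_resource, request_url))
    same_origin = (t.scheme, t.netloc) == (s.scheme, s.netloc) == (r.scheme, r.netloc)
    return same_origin and r.path.startswith(s.path)


def verify(request):
    """Claims 1-3: intercept a resource request to a service system, check the
    ticket carried in its cookie, then forward it with the user identifier added
    or send the front end to the login page."""
    ticket = request.get("cookies", {}).get("ticket")
    if not ticket:  # claim 2: no ticket carried -> login page
        return {"action": "redirect", "location": LOGIN_PAGE}
    entry = TICKET_CACHE.get(ticket)
    if entry is None:  # claim 3: ticket authentication does not pass -> login page
        return {"action": "redirect", "location": LOGIN_PAGE}
    current = entry["resource"]                     # from the ticket
    expected = SERVICE_DB.get(request["service"])  # from the database
    if expected is None or not _same_resource(current, expected, request["url"]):
        return {"action": "deny", "status": 403}    # assumed; the claims do not state this case
    headers = dict(request.get("headers", {}))
    # The gateway sets the identifier itself, so any client-supplied value is overwritten.
    headers[USER_ID_HEADER] = entry["user_id"]
    return {"action": "forward", "service": request["service"],
            "url": request["url"], "headers": headers}
```

The service system behind the gateway then reads only the gateway-set X-User-Id header and carries no login or ticket logic of its own.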

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201911170896.7A CN110958237A (en) 2019-11-26 2019-11-26 Authority verification method and device


Publications (1)

Publication Number Publication Date
CN110958237A true CN110958237A (en) 2020-04-03

Family

ID=69978399



Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
CB02 Change of applicant information

Address after: 215123 building 14, Tengfei Innovation Park, 388 Xinping street, Suzhou Industrial Park, Suzhou City, Jiangsu Province

Applicant after: Sipic Technology Co.,Ltd.

Address before: 215123 building 14, Tengfei Innovation Park, 388 Xinping street, Suzhou Industrial Park, Suzhou City, Jiangsu Province

Applicant before: AI SPEECH Co.,Ltd.

RJ01 Rejection of invention patent application after publication

Application publication date: 20200403