CN111010401A - Token-based network security framework for distributed water resource management support system - Google Patents
- Publication number
- CN111010401A (application number CN201911345904.7A)
- Authority
- CN
- China
- Prior art keywords
- token
- party application
- authentication center
- request
- network security
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Classifications
- H—ELECTRICITY
  - H04—ELECTRIC COMMUNICATION TECHNIQUE
    - H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
      - H04L63/00—Network architectures or network communication protocols for network security
        - H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
          - H04L63/0815—Network architectures or network communication protocols for network security for authentication of entities providing single-sign-on or federations
          - H04L63/083—Network architectures or network communication protocols for network security for authentication of entities using passwords
        - H04L63/10—Network architectures or network communication protocols for network security for controlling access to devices or network resources
        - H04L63/12—Applying verification of the received information
      - H04L67/00—Network arrangements or protocols for supporting network services or applications
        - H04L67/01—Protocols
          - H04L67/02—Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
      - H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
        - H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
          - H04L9/0861—Generation of secret information including derivation or calculation of cryptographic keys or passwords
            - H04L9/0863—Generation of secret information including derivation or calculation of cryptographic keys or passwords involving passwords or one-time passwords
Abstract
The invention discloses a token-based network security framework for a distributed water resource management support system, in the field of water conservancy informatization. A unified authentication center is placed between the third-party applications and the resource server. The center uses a token verification mechanism, so that only a user holding a valid token can access resources; this removes the security risk that arises when a third-party application accesses resources directly, protects back-end resources and data, and improves the security of the system. A unified data service, deployed on the database server and working together with the unified authentication center, means that database information is no longer transmitted over the network, which further improves security. The token of a new login overwrites the token of the old login, so that the user's previous login loses its access rights and only one session per user can operate on the data at any one time; this resolves the difficulty of authentication when the system is scaled out and avoids the data inconsistency caused by the same user logging in repeatedly and operating on resources concurrently.
Description
Technical Field
The invention belongs to the field of water conservancy informatization, and particularly relates to a token-based network security framework for a distributed water resource management support system.
Background
With the deepening development and use of modern water conservancy information resources, the traditional integration approach of a centralized water resource management system can no longer meet the performance and service requirements of professional water conservancy models. A microservice architecture encapsulates the professional models as service resources and provides modular low-level functions to upper-level intelligent applications.
However, as the functions of a water resource management decision support system with a distributed architecture become more complex and the professional model data in the system back end grow, letting a user access the professional computing models directly creates security risks. Transmitting database information over the network is also risky when a large number of professional computing models call the database. In addition, the simple session-based authentication and authorization of a traditional monolithic architecture has an unavoidable defect: sessions are stored in the memory of one server instance and cannot be shared across instances, so when the next request is routed to another instance the user has to log in again.
Disclosure of Invention
In view of the defects of the prior art and the need to improve on them, the invention provides a token-based network security framework for a distributed water resource management support system, which aims to avoid the security risk of a third-party application accessing resources directly and the risk caused by transmitting database information over the network.
To achieve the above object, according to one aspect of the present invention, there is provided a token-based network security framework for a distributed water resource management support system, the network security framework comprising:
a unified authentication center, which, when a third-party application sends a login request to the resource server, verifies from the request header whether the user information and the third-party application are each legitimate; if so, it generates a token and returns it to the third-party application, otherwise it returns an error to the third-party application; and which, when it receives a token verification request from the resource server or the unified data service, verifies whether the token is legitimate; if so, it returns token-valid information to the requester, otherwise it returns an error to the third-party application;
a resource server, which contains the various water conservancy professional model services and, on receiving a token-bearing access request from a third-party application, parses the token information in the request header; if the request involves no database operation, it sends a token verification request to the unified authentication center and returns the requested resource to the third-party application once the unified authentication center returns token-valid information; if the request involves a database operation, it forwards the request, including the token value, to the unified data service;
a unified data service, which receives the token-bearing database operation request from a service of the resource server, parses the token information in the request header, sends a token verification request to the unified authentication center, performs the corresponding create, read, update or delete operation on the database once the unified authentication center returns token-valid information, and returns the data or the operation result to the resource server.
Preferably, the unified authentication center and the unified data service are deployed on the same physical server as the database service.
Preferably, when another third-party system or computing program needs to call the resources of the distributed water resource management support system, the unified authentication center allocates a unique identifier to that third-party system or computing program.
Preferably, after intercepting a request, the unified authentication center checks whether the identifier is present in the request header and whether it is correct; if so, it proceeds to check the user information, otherwise it returns an error to the third-party application.
Preferably, the unified authentication center compares the user name and password supplied by the third-party application with the user name and password in its database; if they match, a token is issued, otherwise an error is returned to the third-party application.
Preferably, the token is generated as a JWT, and the generated token is stored in a cache or database of the unified authentication center.
Preferably, once both the user information and the third-party application have been found legitimate and a token has been generated, the token currently stored in the unified authentication center is replaced with the newly generated token before that token is sent to the third-party application.
Preferably, when the unified authentication center verifies whether a token is legitimate, it checks both the token's correctness and whether it is still within its validity period.
Preferably, in the distributed water resource management support system, each professional model service for resource management is deployed uniformly, run as a small-scale service cluster, and offered to third-party applications through a service interface.
Preferably, the token returned to the user is saved in a local cache of the third-party application.
In general, the technical solution conceived by the present invention yields the following beneficial effects:
(1) Against the security risk of letting users access professional water conservancy model services directly, the invention provides a token-based network security framework for a distributed water resource management support system.
(2) Against the risk of database information being transmitted over the network when a water conservancy professional model calls the database, the invention provides a unified data service deployed on the database server and working together with the unified authentication center, so that database information is no longer transmitted over the network and the security of the system is improved.
(3) Against the data inconsistency caused by the same user logging in several times, on the same or different third-party applications, and operating on resources concurrently, the invention has the token of a new login overwrite the token of the old login, so that the user's previous login loses its access rights and only one session per user can operate on the data at a time; this resolves the difficulty of authentication when the system is scaled out and avoids the data inconsistency caused by repeated logins of the same user.
(4) Against the problem that a distributed resource system, with its services spread over different servers, requires repeated logins when resources are requested from different servers, the invention has a single unified authentication center and keeps the token on the user side, so that repeated logins are avoided when requesting resources from different servers.
Drawings
FIG. 1 is a schematic diagram of a token-based network security framework applicable to a distributed water resource management support system according to an embodiment of the present invention;
FIG. 2 is a timing diagram of token login authentication according to an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, the present invention is described in further detail below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are merely illustrative of the invention and are not intended to limit the invention. In addition, the technical features involved in the embodiments of the present invention described below may be combined with each other as long as they do not conflict with each other.
As shown in FIG. 1, the present invention provides a token-based network security framework for a distributed water resource management support system, the network security framework comprising:
a unified authentication center, which, when a third-party application sends a login request to the resource server, verifies from the request header whether the user information and the third-party application are each legitimate; if so, it generates a token and returns it to the third-party application, otherwise it returns an error to the third-party application; and which, when it receives a token verification request from the resource server or the unified data service, verifies whether the token is legitimate; if so, it returns token-valid information to the requester, otherwise it returns an error to the third-party application.
The resource server contains the various water conservancy professional model services. On receiving a token-bearing access request from a third-party application, it parses the token information in the request header; if the request involves no database operation, it sends a token verification request to the unified authentication center and returns the requested resource to the third-party application once the unified authentication center returns token-valid information; if the request involves a database operation, it forwards the request, including the token value, to the unified data service.
The unified data service receives the token-bearing database operation request from a service of the resource server, parses the token information in the request header, sends a token verification request to the unified authentication center, performs the corresponding create, read, update or delete operation on the database once the unified authentication center returns token-valid information, and returns the data or the operation result to the resource server.
This places an isolation layer between the resource server and the database: the services in the resource server never read or write the database themselves, and when the database needs to be replaced only the unified data service has to change, not each professional model service.
Preferably, the unified authentication center and the unified data service are deployed on the same physical server as the database service. Data transfer then takes place locally rather than over the network, which removes the risk to the data in transit.
Preferably, when another third-party system or computing program needs to call the resources of the distributed water resource management support system, the unified authentication center allocates it a unique identifier, client_id. When a third-party application requests protected resources it carries this identifier in the request header; after intercepting the request, the unified authentication center checks whether the identifier is present in the request header and whether it is correct. If it is correct, the subsequent checks are carried out; if not, an error is returned.
A third-party application goes through a login process before requesting resources. The third-party application sends the user's user name and password to the unified authentication center in encrypted form. Preferably, the unified authentication center compares the user name and password from the third-party application with those in its database; if they match, a token is issued, otherwise an error is returned to the third-party application.
Preferably, the token is generated as a JWT (JSON Web Token), and the generated token is stored in a cache or database of the unified authentication center for later verification.
Preferably, once both the user information and the third-party application have been found legitimate and a token has been generated, the token currently stored in the unified authentication center is replaced with the newly generated token before that token is sent to the third-party application: if no token is currently stored in the unified authentication center, the newly generated token is written; otherwise the old token is replaced by the new one.
Preferably, when the unified authentication center verifies whether a token is legitimate, it checks both the token's correctness and whether it is still within its validity period.
Preferably, in the distributed water resource management support system, each professional model service for resource management is deployed uniformly, run as a small-scale service cluster, and offered to third-party applications through a service interface.
Preferably, the token returned to the user is saved in a local cache of the third-party application, which avoids repeated logins.
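The login check, JWT issuance, overwrite-on-new-login and token verification described in the preceding paragraphs, worked through in an added Python example that is not part of the patent. The client_id header name `X-Client-Id`, the registered client and user records, the HS256 signing key and the one-hour token lifetime are all constructed assumptions; the JWT is built with the standard library rather than a JWT package so that the signature, expiry and "current token" checks are visible.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Dict, Optional

# Constructed sample data for this example (not from the patent): one registered
# third-party application identified by its client_id, one dispatcher account, and a
# shared HS256 signing key. A real authentication center would keep clients and users
# in its database and store passwords as salted hashes.
REGISTERED_CLIENTS = {"basin-web-portal"}
USERS = {"dispatcher01": hashlib.sha256(b"correct horse battery staple").hexdigest()}
SIGNING_KEY = b"example-hs256-key-replace-in-production"
TOKEN_TTL_SECONDS = 3600

# The center's token store: one entry per user holding the token of the most recent
# login. A new login overwrites the entry, so the earlier login stops verifying.
current_tokens: Dict[str, str] = {}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_jwt(username: str, client_id: str, now: float) -> str:
    """Build a compact HS256 JWT carrying the user, the client_id and an expiry."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    claims = {"sub": username, "cid": client_id, "iat": int(now), "exp": int(now) + TOKEN_TTL_SECONDS}
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    signature = hmac.new(SIGNING_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(signature)}"


def login(headers: Dict[str, str], username: str, password: str, now: Optional[float] = None) -> dict:
    """Login request: check the client_id in the header first, then the credentials."""
    now = time.time() if now is None else now
    client_id = headers.get("X-Client-Id")
    if client_id not in REGISTERED_CLIENTS:
        return {"error": "unknown or missing client_id"}
    expected = USERS.get(username)
    supplied = hashlib.sha256(password.encode()).hexdigest()
    # Compare even when the user is unknown so that timing does not reveal valid names.
    if not hmac.compare_digest(expected or "0" * 64, supplied):
        return {"error": "invalid user name or password"}
    token = issue_jwt(username, client_id, now)
    current_tokens[username] = token  # overwrite the token of any earlier login
    return {"token": token}


def verify_token(token: str, now: Optional[float] = None) -> dict:
    """Verification request: signature, expiry, and 'is this the user's current token'."""
    now = time.time() if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(payload_b64))
        signature = _b64url_decode(sig_b64)
    except ValueError:  # wrong segment count, bad base64 or bad JSON
        return {"error": "malformed token"}
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return {"error": "malformed token"}
    if header.get("alg") != "HS256":  # never let the token choose the algorithm
        return {"error": "unsupported algorithm"}
    expected = hmac.new(SIGNING_KEY, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return {"error": "bad signature"}
    if now >= claims.get("exp", 0):
        return {"error": "token expired"}
    if current_tokens.get(claims.get("sub")) != token:
        return {"error": "token superseded by a newer login"}
    return {"ok": True, "sub": claims["sub"], "cid": claims["cid"]}
```

The last check in `verify_token` is what gives the single-session behaviour the patent describes: a token with a valid signature and an unexpired `exp` is still refused once the same user has logged in again, because the store now holds the newer token. The `alg` check matters because the algorithm is taken from the token itself; pinning it to HS256 prevents an unsigned or differently signed token from passing.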
The following roles exist in the distributed water resource management support system:
Resource owner
The actual owner of the water conservancy model service resources, i.e. the entity that defines the actual access rights or authorization permissions. This is usually a river-basin water management department, such as a basin water resources department or a cascade dispatch center, and also includes the development departments of other water conservancy professional models that may be connected to the system later. In this network security framework the resource owner is the basin manager, the dispatch department that holds basin scheduling authority.
Professional dispatcher using the water resource management support system
After obtaining authorization from the basin manager (resource owner), the dispatcher can request the corresponding water conservancy professional model and obtain its result. The basin dispatcher can request services through terminals that support REST services, such as a web site, a PC desktop client or a mobile application.
Resource server
Stores the users' protected data and service resources, such as the 96-point daily plan lookup table for power stations in the short-term optimization module, the table of medium- and long-term forecast maximum and minimum values, and other basin-related information, as well as professional water conservancy calculation models such as reservoir transfer optimization and reservoir-group simulation. The basin dispatcher (client) requests resources from the resource server using the authorization token, and the resource server processes the access request. Each water conservancy professional model is packaged as a service that exposes a callable interface, which is equivalent to deploying the protected resources in the resource server.
Unified authentication center
The owner of the unified authentication center is the relevant basin dispatch department, and whether a dispatcher has the authority to call a given water conservancy model or data set is decided by the relevant basin functional department. The unified authentication center is the core component of the network security framework and carries the core functions of system login authentication, token issuance and authorization. When an external request for a water conservancy professional model service interface arrives, it is intercepted by the unified authentication center, which issues a token once identity authentication has passed.
Third-party application
Requests resources from the resource server. When it receives the token sent by the unified authentication center it stores it, for example in memory or in the client browser's LocalStorage, attaches the token value to the request header, and then requests the resource from the resource server again. Terminals that support REST services, such as web sites, PC desktop clients or mobile applications, request services in this way. Each third-party application is assigned a unique identifier, client_id.
As shown in FIG. 2, the token login verification process when a third-party application requests a resource from the resource server is as follows: the basin dispatcher requests login using the allocated user name and password; the server receives the request and verifies the user name and password; if verification succeeds, the server issues a token, which corresponds one-to-one to the user name and is normally stored in a cache or database so that it can be looked up for later verification, and sends the token to the client; on receiving the token, the basin dispatcher's terminal stores it, for example in a database or in the browser's LocalStorage; the basin dispatcher carries the issued token with every subsequent request to the server for resources; and the server, on receiving such a request, verifies the token carried in the client request and, if verification succeeds, returns the requested data to the basin dispatcher.
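The request path from the third-party application through the resource server to the unified data service (the framework of FIG. 1 and the request part of the sequence in FIG. 2 above), as an added Python example that is not part of the patent. The authentication center is reduced to its token-verification interface with constructed opaque tokens, the database is an in-memory dict holding a constructed 96-point plan row, the `Authorization: Bearer` header and the service paths are assumptions, and the forecast model is a placeholder computation.

```python
from typing import Any, Dict, Optional

# --- Unified authentication center, reduced to its verification interface for this
# example. The store holds, per user, the token of the most recent login; the tokens are
# constructed opaque strings standing in for the center's JWTs.
AUTH_CENTER_TOKENS: Dict[str, str] = {"dispatcher01": "tok-dispatcher01-login2"}


def auth_center_verify(token: str) -> bool:
    """Token verification request: only a user's current token is legitimate."""
    return token in AUTH_CENTER_TOKENS.values()


# --- Unified data service: the only component that touches the database, which is an
# in-memory dict here (constructed sample row: a 96-point daily plan for one station).
DATABASE: Dict[str, Any] = {"daily_plan_96pt/station-A/2019-12-23": [0.0] * 96}


def _bearer_token(headers: Dict[str, str]) -> Optional[str]:
    """Extract the token value from an 'Authorization: Bearer <token>' header (assumed format)."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    return token if scheme == "Bearer" and token else None


def unified_data_service(headers: Dict[str, str], op: str, key: str, value: Any = None) -> dict:
    """Verify the forwarded token with the authentication center, then run the CRUD operation."""
    token = _bearer_token(headers)
    if token is None or not auth_center_verify(token):
        return {"status": 401, "error": "token invalid"}
    if op == "create":
        if key in DATABASE:
            return {"status": 409, "error": "already exists"}
        DATABASE[key] = value
        return {"status": 201}
    if op == "read":
        if key not in DATABASE:
            return {"status": 404, "error": "not found"}
        return {"status": 200, "data": DATABASE[key]}
    if op == "update":
        if key not in DATABASE:
            return {"status": 404, "error": "not found"}
        DATABASE[key] = value
        return {"status": 200}
    if op == "delete":
        if key not in DATABASE:
            return {"status": 404, "error": "not found"}
        del DATABASE[key]
        return {"status": 200}
    return {"status": 400, "error": "unknown operation"}


# --- Resource server: professional model services registered by path, each flagged with
# whether it needs the database. The forecast model below is a constructed stand-in.
def forecast_extremes(params: dict) -> dict:
    """A model service computed without database access (constructed sample series)."""
    series = params.get("series", [1.2, 3.2, 0.4, 2.8])
    return {"max": max(series), "min": min(series)}


MODEL_SERVICES = {
    "forecast/extremes": (forecast_extremes, False),  # pure computation
    "plan/daily96": (None, True),                     # needs the database
}


def resource_server(headers: Dict[str, str], path: str, params: Optional[dict] = None) -> dict:
    """Parse the token, then either verify and compute, or forward (token included) to the data service."""
    params = params or {}
    token = _bearer_token(headers)
    if token is None:
        return {"status": 401, "error": "missing token"}
    if path not in MODEL_SERVICES:
        return {"status": 404, "error": "no such service"}
    handler, needs_database = MODEL_SERVICES[path]
    if needs_database:
        # The resource server never opens the database itself: the whole request, headers
        # and token included, goes to the unified data service, which verifies the token again.
        return unified_data_service(headers, params["op"], params["key"], params.get("value"))
    if not auth_center_verify(token):
        return {"status": 401, "error": "token invalid"}
    return {"status": 200, "data": handler(params)}
```

Two properties of the patent's design are visible here: the resource server holds no database connection at all, so replacing the database touches only `unified_data_service`; and a token from a superseded login (`tok-dispatcher01-login1`) is refused on both paths, because each component that acts on a request asks the authentication center rather than trusting the caller.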
It will be understood by those skilled in the art that the foregoing is only a preferred embodiment of the present invention, and is not intended to limit the invention, and that any modification, equivalent replacement, or improvement made within the spirit and principle of the present invention should be included in the scope of the present invention.
Claims (10)
1. A token-based network security framework for a distributed water resource management support system, the network security framework comprising:
a unified authentication center, which, when a third-party application sends a login request to the resource server, verifies from the request header whether the user information and the third-party application are each legitimate; if so, it generates a token and returns it to the third-party application, otherwise it returns an error to the third-party application; and which, when it receives a token verification request from the resource server or the unified data service, verifies whether the token is legitimate; if so, it returns token-valid information to the requester, otherwise it returns an error to the third-party application;
a resource server, which contains the various water conservancy professional model services and, on receiving a token-bearing access request from a third-party application, parses the token information in the request header; if the request involves no database operation, it sends a token verification request to the unified authentication center and returns the requested resource to the third-party application once the unified authentication center returns token-valid information; if the request involves a database operation, it forwards the request, including the token value, to the unified data service;
a unified data service, which receives the token-bearing database operation request from a service of the resource server, parses the token information in the request header, sends a token verification request to the unified authentication center, performs the corresponding create, read, update or delete operation on the database once the unified authentication center returns token-valid information, and returns the data or the operation result to the resource server.
2. The network security framework of claim 1, wherein the unified authentication center and the unified data service are deployed on the same physical server as the database service.
3. The network security framework of claim 1, wherein, when another third-party system or computing program needs to invoke the resources of the distributed water resource management support system, the unified authentication center assigns a unique identifier to that third-party system or computing program.
4. The network security framework of any of claims 1 to 3, wherein, after intercepting the request, the unified authentication center checks whether the identifier is in the request header and whether it is correct, and if so proceeds to check the user information, otherwise returns an error message to the third-party application.
5. The network security framework of any of claims 1 to 4, wherein the unified authentication center compares the user name and password of the third-party application with the user name and password in the database, and if they match, a token is issued, otherwise an error message is returned to the third-party application.
6. The network security framework of any of claims 1 to 5, wherein the token is generated as a JWT, and the generated token is stored in a cache or a database of the unified authentication center.
7. The network security framework of any of claims 1 to 6, wherein, after the user information and the third-party application have both been found legitimate and a token has been generated, the token currently stored in the unified authentication center is replaced with the generated token before the token is sent to the third-party application.
8. The network security framework of any of claims 1 to 7, wherein, when the unified authentication center verifies whether the token is legitimate, it verifies both the correctness and the validity period of the token.
9. The network security framework of any one of claims 1 to 8, wherein, in the distributed water resource management support system, the professional model services are uniformly deployed, run as a small-scale service cluster, and provided to third-party applications through a service interface.
10. The network security framework of any of claims 1 to 9, wherein the token returned to the user is saved in a local cache of the third-party application.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201911345904.7A CN111010401A (en) | 2019-12-23 | 2019-12-23 | Token-based network security framework for distributed water resource management support system |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201911345904.7A CN111010401A (en) | 2019-12-23 | 2019-12-23 | Token-based network security framework for distributed water resource management support system |
Publications (1)
Publication Number | Publication Date |
---|---|
CN111010401A true CN111010401A (en) | 2020-04-14 |
Family
ID=70116019
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201911345904.7A Pending CN111010401A (en) | 2019-12-23 | 2019-12-23 | Token-based network security framework for distributed water resource management support system |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN111010401A (en) |
Citations (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101840537A (en) * | 2010-03-29 | 2010-09-22 | 苏州同程旅游网络科技有限公司 | Travel agency comprehensive business management system |
US8181010B1 (en) * | 2006-04-17 | 2012-05-15 | Oracle America, Inc. | Distributed authentication user interface system |
CN102682043B (en) * | 2011-04-14 | 2013-11-27 | 天脉聚源(北京)传媒科技有限公司 | Method for connecting distributed databases |
CN103595570A (en) * | 2013-11-20 | 2014-02-19 | 中国农业银行股份有限公司广东省分行 | Multi-operation framework front-mounted system, server and service processing method |
CN106998551A (en) * | 2016-01-25 | 2017-08-01 | 中兴通讯股份有限公司 | Application access authentication method, system, device and terminal |
CN107483491A (en) * | 2017-09-19 | 2017-12-15 | 山东大学 | Access control method for distributed storage in a cloud environment |
CN110049048A (en) * | 2019-04-22 | 2019-07-23 | 易联众民生(厦门)科技有限公司 | Data access method, device and readable medium for government public services |
Similar Documents
Publication | Title |
---|---|
US10055561B2 (en) | Identity risk score generation and implementation |
CN109413032A (en) | Single sign-on method, computer-readable storage medium and gateway |
CN112597472B (en) | Single sign-on method, device and storage medium |
CN110401655A (en) | Access control right management system based on user and role |
CN102082821B (en) | Method and system for safely accessing cross-resource pool resources based on federal center |
CN103051631A (en) | Unified security authentication method for PaaS (Platform as a Service) platform and SaaS (Software as a Service) application system |
CN110049048B (en) | Data access method, equipment and readable medium for government affair public service |
CN103259663A (en) | User unified authentication method in cloud computing environment |
US10817327B2 (en) | Network-accessible volume creation and leasing |
US20230370265A1 (en) | Method, Apparatus and Device for Constructing Token for Cloud Platform Resource Access Control |
CN101729541B (en) | Method and system for accessing resources of multi-service platform |
CN110493308B (en) | Distributed consistency system session method and device, storage medium and server |
CN107018128B (en) | Third-party application authorization authentication method based on multi-domain collaborative architecture |
CN113221093B (en) | Single sign-on system, method, equipment and product based on block chain |
WO2021242454A1 (en) | Secure resource authorization for external identities using remote principal objects |
CN101908967B (en) | Configuration method and system of Linux virtual server |
CN107453872A (en) | Unified security authentication method and system based on Mesos container cloud platform |
US20200235935A1 (en) | Data access control for edge devices using a cryptographic hash |
CN102404351A (en) | LDAP (Lightweight Directory Access Protocol) cloud storage service system |
KR100639992B1 (en) | Security apparatus for distributing client module and method thereof |
CN111010401A (en) | Token-based network security framework for distributed water resource management support system |
KR102247132B1 (en) | Extended Authentication Method for Resource Access Control in a Cloud Environment Composed of Multiple Edge Servers |
CN112953951B (en) | User login verification and security detection method and system based on domestic CPU |
CN110310118B (en) | User information verification method, device, equipment and medium based on block chain |
CN201985895U (en) | Lightweight directory access protocol (LDAP) cloud storage service system |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
 | PB01 | Publication | |
 | SE01 | Entry into force of request for substantive examination | |
 | RJ01 | Rejection of invention patent application after publication | Application publication date: 20200414 |