CN111193733A - Gateway system based on intranet microservice architecture - Google Patents

Publication number: CN111193733A
Authority: CN (China)
Prior art keywords: request, verification, gateway system, service, information
Legal status: Pending (an assumption by Google Patents, not a legal conclusion)
Application number: CN201911375087.XA
Other languages: Chinese (zh)
Inventors: 王立明, 范渊
Current assignee: DBAPPSecurity Co Ltd (assignee listings may be inaccurate; Google has not performed a legal analysis)
Original assignee: DBAPPSecurity Co Ltd
Priority date: 2019-12-27 (an assumption by Google Patents, not a legal conclusion)
Filing date: 2019-12-27
Publication date: 2020-05-22

Timeline:
2019-12-27 Application filed by DBAPPSecurity Co Ltd
2019-12-27 Priority to CN201911375087.XA
2020-05-22 Publication of CN111193733A
Legal status: Pending

Classifications

    • H04L63/0807 Network security; authentication of entities using tickets, e.g. Kerberos (under H04L63/08 authentication of entities; H04L63/00 network architectures or protocols for network security)
    • H04L12/66 Arrangements for connecting between networks having differing types of switching systems, e.g. gateways (under H04L12/00 data switching networks)
    • H04L63/08 Network security; authentication of entities
    • H04L63/1425 Network security; traffic logging, e.g. anomaly detection (under H04L63/1408 detecting or protecting against malicious traffic by monitoring network traffic; H04L63/14 detecting or protecting against malicious traffic)
    • H04L2463/146 Tracing the source of attacks (under H04L2463/00 additional details relating to network security covered by H04L63/00)
    • All of the above fall under H Electricity; H04 Electric communication technique; H04L Transmission of digital information, e.g. telegraphic communication

Abstract

The invention relates to a gateway system based on an intranet microservice architecture. A log recording module records each request; a verification module performs XSS global-filter verification on the recorded request; a configuration module applies a global cross-domain (CORS) configuration to the verified request; a token verification module performs token verification on the configured request; and a service forwarding module, using the intranet microservice architecture, calls the request through to the corresponding microservice to perform the requested function. Because the XSS verification is keyword based, a normal request originated inside the system retrieves its data successfully as long as the request names and parameters avoid the keywords used by the XSS verification, and normal operation of the system is not affected. The log record is sent to the log recording microservice as an asynchronous request, which reduces the time consumed per request. The invention records the source information of the request, adds XSS verification, token verification and service forwarding, and thereby keeps the system running efficiently and safely.

Description

Gateway system based on intranet microservice architecture
Technical Field
The invention relates to the technical field of digital information transmission, e.g. telegraphic communication (H04L), and in particular to a gateway system based on an intranet microservice architecture.
Background
Microservice architecture is an architectural style that decouples a solution by decomposing its functions into discrete services. Because a microservice architecture builds applications around business-domain components, those applications can be developed, managed and iterated independently, using cloud architecture and platform-based deployment, management and service functions in decentralised components, which makes product delivery simpler.
With the continued development of microservice gateway architectures, the gateway system is itself split out as an individual microservice by function; it mainly handles the user's permission authentication, the validity verification of requests, and similar concerns.
In the prior art, in an intranet environment, a user sends a data request to a back-end gateway system; the request has to be verified and the service forwarded, and the several verifications that must be performed add correspondingly to the time the request takes. The problem is therefore how to ensure that the system operates both safely and efficiently.
Disclosure of Invention
The invention addresses these problems of the prior art and provides an optimized gateway system based on an intranet microservice architecture.
The technical scheme adopted by the invention is a gateway system based on an intranet microservice architecture, comprising:
a log recording module, which records the request;
a verification module, which performs XSS global-filter verification on the request recorded by the log recording module;
a configuration module, which applies a global cross-domain configuration to the verified request;
a token verification module, which performs token verification on the request configured by the configuration module; and
a service forwarding module, which uses the intranet microservice architecture to call the request through to the corresponding microservice to perform the requested function.
Preferably, the log recording module records the source information of the request, the time information of the request and the browser information.
Preferably, the log recording module sends the recorded information to the log recording microservice, which writes it to the log.
Preferably, in the verification module, the XSS global-filter verification comprises the following steps:
step a.1: reading the configured string data from a configuration file and cutting it into an array;
step a.2: performing keyword matching against the array; if a match is found, the request is treated as a suspected XSS attack and an access result (an error response) is returned; otherwise processing continues with the global cross-domain verification.
Preferably, in step a.2, the verification tags corresponding to the keywords include an SQL-injection type tag, an HTML-injection type tag and a JS-injection type tag.
Preferably, in the configuration module, the global cross-domain configuration adds a header that permits cross-domain (CORS) access to requests of the log service and the user information microservice, which are not on the same network segment.
Preferably, the token verification module performs the following verification steps:
step b.1: obtaining the request header information from the user's request;
step b.2: taking the first header value named Authorization and stripping the prefix string "Bearer" that was prepended to it;
step b.3: looking the token up in the Redis cache; on a hit, loading the user object corresponding to the current request and proceeding to the next step; on a miss, performing no further verification and returning a prompt message;
step b.4: taking the token stored in the user object and comparing it with the presented token; on a match, proceeding to the next step; otherwise verification fails, the request is terminated and the verification result is returned.
Preferably, in the intranet microservice architecture, the gateway system is configured to work with a registration center (service registry).
Preferably, the microservices registered with the registration center include a log microservice and a user service microservice.
Preferably, after the configuration module has applied its configuration, the registration center connects to the log microservice for information exchange; and after the token verification module has successfully verified the request, the registration center connects to the user service microservice for information exchange.
The invention thus provides an optimized gateway system based on an intranet microservice architecture: a log recording module records the request, a verification module performs XSS global-filter verification on the recorded request, a configuration module applies a global cross-domain configuration to the verified request, a token verification module performs token verification on the configured request, and a service forwarding module uses the intranet microservice architecture to call the request through to the corresponding microservice to perform the requested function.
The XSS verification mainly uses keyword matching, and a request is rejected as soon as it contains one of the configured keywords. For a normal request originated inside the system this means the data is obtained successfully as long as the keywords used by the XSS verification are avoided when naming requests and passing parameters, so normal operation of the system is not affected. At the same time the log record is sent to the log recording microservice as an asynchronous request, which reduces the time consumed per request. The invention records the source information of the request, adds XSS verification, token verification and service forwarding, and thereby keeps the system running efficiently and safely.
Drawings
Fig. 1 is a schematic structural diagram of the invention, in which arrows indicate the direction of information transmission;
Fig. 2 is the overall flow chart of the invention.
Detailed Description
The invention is described in further detail with reference to the following examples, but its scope is not limited to them.
The gateway system based on an intranet microservice architecture serves as the entry point to a number of microservices: a data request is served by obtaining the microservice information from the registration center and forwarding the request to the corresponding microservice.
In the intranet microservice architecture, the gateway system is deployed to work with a registration center.
The microservices registered with the registration center include a log microservice and a user service microservice.
The microservice architecture divides the system by function into the log microservice, the user service microservice, the gateway system and the registration center, each with clearly separated responsibilities: the gateway system exchanges information with the registration center, and the registration center exchanges information with the log microservice and the user service microservice.
The gateway system comprises:
a log recording module, which records the request;
a verification module, which performs XSS global-filter verification on the request recorded by the log recording module;
a configuration module, which applies a global cross-domain configuration to the verified request;
a token verification module, which performs token verification on the request configured by the configuration module; and
a service forwarding module, which uses the intranet microservice architecture to call the request through to the corresponding microservice to perform the requested function.
The log recording module records the source information of the request, the time information of the request and the browser information.
The log recording module sends the recorded information to the log recording microservice, which writes it to the log.
Specifically, the source, time and browser information comprise the URL of the request, the request method type, the request parameters, the operating user, the real name, the organization ID, the name of the menu the accessed interface belongs to, the IP address of the request, the module ID, the request start time, the request end time, the request elapsed time, the agent information, the operating system, the browser used, the log type, and so on.
Whether or not the request succeeds, the log recording module sends the recorded information to the log recording microservice, which writes it to the log.
In the verification module, the XSS global-filter verification comprises the following steps:
step a.1: reading the configured string data from a configuration file and cutting it into an array;
step a.2: performing keyword matching against the array; if a match is found, the request is treated as a suspected XSS attack and an access result (an error response) is returned; otherwise processing continues with the global cross-domain verification.
In step a.2, the verification tags corresponding to the keywords include an SQL-injection type tag, an HTML-injection type tag and a JS-injection type tag.
At present the XSS check is applied only to GET requests; the bodies of other requests, such as POST, are not inspected by this filter.
To keep the matching time as low as possible, the configured string data is read from the configuration file and cut into an array, and the keyword matching is performed against that array. Because the XSS keywords are held in the program's configuration file, the module reads the XSS text, which consists of sensitive words separated by commas.
As long as the normal front-end and back-end accesses of the system do not use the tags defined for these types, normal front-end and back-end requests are not affected.
The SQL-injection type tag is "delete"; the HTML-injection type tags are "<script>" and "</script>"; and the JS-injection type tags are "alert" and "eval". Because matching is on these literal strings, any request containing one of them, including a legitimate interface whose name contains "delete", is rejected, which is why request names and parameters must avoid them; conversely, input that contains none of the listed strings passes the filter.
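The keyword filter of steps a.1 and a.2 with the five tags listed above, as an added example in Python; it is not code from the patent. The comma-separated keyword text is read from a constructed configuration string, cut into an array, and matched as plain substrings against the decoded path and query of GET requests only. The property name xss.keywords, the Request structure and the choice to URL-decode before matching are assumptions; the page does not say whether the original matches case-insensitively, so the example matches the literal keywords case-sensitively. Run over constructed requests it shows both what the list catches and what passes it: a differently cased tag, an event-handler attribute, a POST body, and the false positive on a normal path containing "delete".

```python
"""Keyword-based XSS global filter (steps a.1 and a.2).

Added example, not the patent's code. CONFIG_TEXT is a constructed
configuration file; the property name xss.keywords and the Request
structure are assumptions.
"""
from dataclasses import dataclass, field
from urllib.parse import unquote_plus

# Constructed config content: the five tags the description lists, stored as
# one comma-separated string, as the XSS text is said to be.
CONFIG_TEXT = "xss.keywords=delete,<script>,</script>,alert,eval\n"


def load_keywords(config_text: str, key: str = "xss.keywords") -> list:
    """Step a.1: read the configured string and cut it into an array."""
    for line in config_text.splitlines():
        name, sep, value = line.partition("=")
        if sep and name.strip() == key:
            return [kw.strip() for kw in value.split(",") if kw.strip()]
    return []


@dataclass
class Request:
    method: str
    path: str
    query: str = ""  # raw query string as received on the wire
    headers: dict = field(default_factory=dict)


def xss_check(req: Request, keywords: list) -> tuple:
    """Step a.2: keyword match; returns (suspected_xss, matched_keyword).

    Only GET requests are inspected, as the description states. Path and
    query are URL-decoded first so that %3Cscript%3E is seen as <script>
    (the decoding is an assumption). The match is a plain substring test on
    the literal keywords, so it is case-sensitive and finds only exact tags.
    """
    if req.method.upper() != "GET":
        return False, ""
    target = unquote_plus(req.path) + "?" + unquote_plus(req.query)
    for kw in keywords:
        if kw in target:
            return True, kw
    return False, ""


def gateway_decision(req: Request, keywords: list) -> int:
    """Status the gateway returns at this stage: 400 on a match, else 0
    (0 meaning 'continue to the global cross-domain configuration')."""
    suspected, _ = xss_check(req, keywords)
    return 400 if suspected else 0


if __name__ == "__main__":
    kws = load_keywords(CONFIG_TEXT)
    samples = [  # constructed requests
        Request("GET", "/api/user", "name=<script>alert(1)</script>"),   # caught
        Request("GET", "/api/user", "name=%3Cscript%3E"),                # caught after decoding
        Request("GET", "/api/deleteUser"),                               # false positive on "delete"
        Request("GET", "/api/user", "q=<SCRIPT>ALERT(1)</SCRIPT>"),      # missed: case differs
        Request("GET", "/api/user", "q=<img src=x onerror=prompt(1)>"),  # missed: no listed tag
        Request("POST", "/api/user", "name=<script>"),                   # not inspected
    ]
    for r in samples:
        print(r.method, r.path, r.query, "->", gateway_decision(r, kws))
```

The two "missed" cases and the false positive follow directly from the listed tags: a literal-substring list is only as good as the strings in it, so the list and its case handling are the first things to review when this filter is deployed.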
In the configuration module, the global cross-domain configuration adds a header that permits cross-domain (CORS) access to requests of the log service and the user information microservice, which are not on the same network segment.
Without the global cross-domain configuration the log-recording request may not be received, so the log cannot be written normally; typically the configuration allowedOrigins '*' is added, which permits cross-origin requests from every origin. A wildcard origin accepts calls from any site, so in practice it should be narrowed to the front-end origins that actually call the gateway.
The token verification module performs the following verification steps:
step b.1: obtaining the request header information from the user's request;
step b.2: taking the first header value named Authorization and stripping the prefix string "Bearer" that was prepended to it;
step b.3: looking the token up in the Redis cache; on a hit, loading the user object corresponding to the current request and proceeding to the next step; on a miss, performing no further verification and returning a prompt message;
step b.4: taking the token stored in the user object and comparing it with the presented token; on a match, proceeding to the next step; otherwise verification fails, the request is terminated and the verification result is returned.
Token verification is indispensable in a gateway system: only authenticated users obtain a token, and users who have not passed authentication are denied access to the system.
Step b.4 exists to prevent token forgery: at login the user's token is stored in the cache, every request carries the user's token to the gateway, and the gateway compares the presented token with the stored one, so the current user is assured to be the user who actually logged in.
After the configuration module has applied its configuration, the registration center connects to the log microservice for information exchange; and after the token verification module has successfully verified the request, the registration center connects to the user service microservice for information exchange.
Requests to the log microservice are forwarded directly without token verification; only the steps that retrieve user information require the subsequent verification.
The working process of the invention is as follows:
step 1: initialisation; the log recording module records the request;
step 2: the verification module judges whether the request is an XSS attack; if so, the request is terminated and a 400 error response is returned, otherwise processing continues;
step 3: the global cross-domain configuration is applied to the verified request information, the registration center connects to the log microservice for information exchange, and processing continues;
step 4: token verification is performed on the request after the global cross-domain configuration; if verification fails, the request is terminated and a 401 error response is returned, otherwise processing continues;
step 5: the registration center connects to the user service microservice for information exchange.
The information exchange in step 3 is the access to log information; the information exchange in step 5 includes the access to user data, such as the user name and real name.
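The working process of steps 1 to 5, together with the token verification of steps b.1 to b.4, as one added example in Python; it is not the patent's code. Assumptions not on the page: a dict keyed by token stands in for the Redis cache; the registration center is a dict of service name to handler; requests whose path starts with /log/ are the ones routed to the log microservice without token verification; the cross-domain configuration is represented by an Access-Control-Allow-Origin: * response header; and the log record is queued to a background thread to model the asynchronous send. Every request is logged whether it later fails the XSS check (400) or the token check (401), and the XSS check runs before token verification, as in the flow.

```python
"""Gateway working process (steps 1 to 5) with token verification (b.1 to b.4).

Added example, not the patent's code. All names are assumptions: a dict
stands in for the Redis cache, the registry is a dict of service name to
handler, and the /log/ path prefix routes to the log microservice.
"""
import hmac
import queue
import threading
from dataclasses import dataclass, field
from typing import Optional

XSS_KEYWORDS = ["delete", "<script>", "</script>", "alert", "eval"]


@dataclass
class Request:
    method: str
    path: str
    query: str = ""
    headers: dict = field(default_factory=dict)
    remote_addr: str = "10.0.0.5"  # constructed source address


@dataclass
class User:
    user_id: str
    real_name: str
    org_id: str
    token: str  # token written into the user object at login (step b.4)


class LogMicroservice:
    """Stand-in log microservice: records are queued and written by a
    background thread, so the request path never waits on logging."""

    def __init__(self):
        self.records = []
        self._q = queue.Queue()
        threading.Thread(target=self._drain, daemon=True).start()

    def _drain(self):
        while True:
            self.records.append(self._q.get())
            self._q.task_done()

    def submit(self, record: dict):
        self._q.put(record)

    def flush(self):  # wait until every queued record has been written
        self._q.join()


def extract_bearer(headers: dict) -> Optional[str]:
    """Steps b.1 and b.2: take the Authorization header and strip 'Bearer '.
    A strict prefix check is used instead of a blind string replace."""
    value = headers.get("Authorization", "")
    if not value.startswith("Bearer "):
        return None
    return value[len("Bearer "):].strip() or None


def verify_token(headers: dict, redis_cache: dict) -> Optional[User]:
    """Steps b.3 and b.4: cache lookup by token, then compare the token held
    in the user object with the presented one (constant-time compare)."""
    token = extract_bearer(headers)
    if token is None:
        return None
    user = redis_cache.get(token)  # b.3: cache miss -> stop, return prompt
    if user is None or not hmac.compare_digest(user.token, token):
        return None  # b.4: mismatch -> verification fails
    return user


class Gateway:
    def __init__(self, registry: dict, log_service: LogMicroservice, redis_cache: dict):
        self.registry = registry
        self.log_service = log_service
        self.redis_cache = redis_cache

    def handle(self, req: Request):
        """Returns (status, response_headers, body)."""
        # step 1: record source, method and browser information; the record
        # is sent regardless of whether the request later succeeds
        self.log_service.submit({"url": req.path, "method": req.method,
                                 "ip": req.remote_addr,
                                 "agent": req.headers.get("User-Agent", "")})
        resp_headers = {}
        # step 2: XSS keyword check (GET only) -> 400
        if req.method == "GET" and any(kw in req.path + "?" + req.query
                                       for kw in XSS_KEYWORDS):
            return 400, resp_headers, "suspected XSS"
        # step 3: global cross-domain configuration (allowedOrigins '*')
        resp_headers["Access-Control-Allow-Origin"] = "*"
        if req.path.startswith("/log/"):  # log microservice: no token check
            return 200, resp_headers, self.registry["log-service"](req)
        # step 4: token verification -> 401
        user = verify_token(req.headers, self.redis_cache)
        if user is None:
            return 401, resp_headers, "token verification failed"
        # step 5: forward to the user service microservice via the registry
        return 200, resp_headers, self.registry["user-service"](user, req)


def build_gateway():
    """Constructed fixture: one logged-in user whose token is in the cache."""
    log_service = LogMicroservice()
    registry = {
        "log-service": lambda req: "logged",
        "user-service": lambda user, req: {"user_id": user.user_id,
                                           "real_name": user.real_name},
    }
    cache = {"tok-abc123": User("u1", "Alice Zhang", "org-7", "tok-abc123")}
    return Gateway(registry, log_service, cache), log_service
```

Calling build_gateway() and then handle() with a GET carrying "Authorization: Bearer tok-abc123" returns 200 with the user's name and real name from the user service; the same request with an unknown token returns 401, and with a query containing "<script>" it returns 400 before the token is ever looked at. A POST to /log/record succeeds without any token, matching the description that log traffic is forwarded unverified; log_service.flush() then shows one record per request, including the rejected ones.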

Claims (10)

1. A gateway system based on an intranet microservice architecture, characterized in that the gateway system comprises:
a log recording module, which records the request;
a verification module, which performs XSS global-filter verification on the request recorded by the log recording module;
a configuration module, which applies a global cross-domain configuration to the verified request;
a token verification module, which performs token verification on the request configured by the configuration module; and
a service forwarding module, which uses the intranet microservice architecture to call the request through to the corresponding microservice to perform the requested function.
2. The gateway system according to claim 1, characterized in that the log recording module records the source information of the request, the time information of the request and the browser information.
3. The gateway system according to claim 1, characterized in that the log recording module sends the recorded information to the log recording microservice, which writes it to the log.
4. The gateway system according to claim 1, characterized in that, in the verification module, the XSS global-filter verification comprises the following steps:
step a.1: reading the configured string data from a configuration file and cutting it into an array;
step a.2: performing keyword matching against the array; if a match is found, the request is treated as a suspected XSS attack and an access result is returned; otherwise processing continues with the global cross-domain verification.
5. The gateway system according to claim 4, characterized in that, in step a.2, the verification tags corresponding to the keywords include an SQL-injection type tag, an HTML-injection type tag and a JS-injection type tag.
6. The gateway system according to claim 1, characterized in that, in the configuration module, the global cross-domain configuration adds a header that permits cross-domain (CORS) access to requests of the log service and the user information microservice, which are not on the same network segment.
7. The gateway system according to claim 1, characterized in that the token verification module performs the following verification steps:
step b.1: obtaining the request header information from the user's request;
step b.2: taking the first header value named Authorization and stripping the prefix string "Bearer" that was prepended to it;
step b.3: looking the token up in the Redis cache; on a hit, loading the user object corresponding to the current request and proceeding to the next step; on a miss, performing no further verification and returning a prompt message;
step b.4: taking the token stored in the user object and comparing it with the presented token; on a match, proceeding to the next step; otherwise verification fails, the request is terminated and the verification result is returned.
8. The gateway system according to claim 1, characterized in that, in the intranet microservice architecture, the gateway system is configured to work with a registration center.
9. The gateway system according to claim 8, characterized in that the microservices registered with the registration center include a log microservice and a user service microservice.
10. The gateway system according to claim 9, characterized in that, after the configuration module has applied its configuration, the registration center connects to the log microservice for information exchange; and after the token verification module has successfully verified the request, the registration center connects to the user service microservice for information exchange.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201911375087.XA 2019-12-27 2019-12-27 Gateway system based on intranet microservice architecture (published as CN111193733A, status: Pending)

Publications (1)

Publication Number Publication Date
CN111193733A 2020-05-22

Family ID: 70710078

Country Status (1)

Country Link
CN (1) CN111193733A (en)

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112104715A (en) * 2020-08-31 2020-12-18 银盛支付服务股份有限公司 Link tracking method and system based on microservice log
CN113037875A (en) * 2021-05-24 2021-06-25 武汉众邦银行股份有限公司 Method for realizing asynchronous gateway in distributed real-time service system
CN113037875B (en) * 2021-05-24 2021-07-27 武汉众邦银行股份有限公司 Method for realizing asynchronous gateway in distributed real-time service system
CN113472808A (en) * 2021-07-16 2021-10-01 浙江大华技术股份有限公司 Log processing method and device, storage medium and electronic device

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105282096A (en) * 2014-06-18 2016-01-27 腾讯科技(深圳)有限公司 XSS vulnerability detection method and device
CN108847989A (en) * 2018-06-29 2018-11-20 杭州安恒信息技术股份有限公司 Log processing method, business service system and electronic equipment based on microservice framework
CN109565505A (en) * 2016-08-05 2019-04-02 甲骨文国际公司 Tenant self-service troubleshooting for a multi-tenant identity and data security management cloud service
CN109787844A (en) * 2019-03-22 2019-05-21 国网上海市电力公司 Distribution master station communication fault fast positioning system
CN110535904A (en) * 2019-07-19 2019-12-03 浪潮电子信息产业股份有限公司 Asynchronous push method, system and device




Legal Events

Code Title
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20200522