CN111431920A - Security control method and system based on dynamic token

Publication number
CN111431920A
Authority
CN
China
Prior art keywords
token
client
dynamic token
request message
authentication
Prior art date
Legal status
Pending
Application number
CN202010244032.1A
Other languages
Chinese (zh)
Inventor
安兴朝
赵钊
杨宇鹏
Current Assignee
China Construction Bank Corp
Original Assignee
China Construction Bank Corp
CCB Finetech Co Ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0807 Network architectures or network communication protocols for network security for authentication of entities using tickets, e.g. Kerberos
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/02 Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]

Abstract

The application discloses a security control method and system based on a dynamic token. The method comprises the following steps: receiving an authentication request message sent by a client, where the authentication request message carries user login information; judging, according to the authentication request message, whether the client is within an authorization range; if the client is within the authorization range, returning an authentication success message to the client; if the client is not within the authorization range, sending the authentication request message to an authentication server so as to obtain a dynamic token corresponding to the user login information; and sending the dynamic token corresponding to the user login information together with the authentication success message to the client. The use of the dynamic token enhances information security and at the same time relieves the pressure of database interaction.

Description

Security control method and system based on dynamic token
Technical Field
The present application relates to the field of communications technologies, and in particular, to a security control method and system based on a dynamic token.
Background
This section is intended to provide a background or context to the embodiments of the application that are recited in the claims. The description herein is not admitted to be prior art by inclusion in this section.
When a client requests data from the server many times, the server has to query the user name and password from the database each time, compare them to judge whether they are correct, and return the corresponding prompt.
This inevitably increases the load on the server. The question is whether there is a way to verify that the user is a previously authenticated user without querying the database to check the user name and password every time the client requests data.
Disclosure of Invention
The embodiment of the application provides a security control method and system based on a dynamic token, which enhance the information security and simultaneously reduce the pressure of database interaction through the application of the dynamic token.
In a first aspect, an embodiment of the present application provides a security control method based on a dynamic token, including:
receiving an authentication request message sent by a client, wherein the authentication request message carries user login information;
judging whether the client is in an authorization range according to the authentication request message;
if the client is within the authorization range, returning an authentication success message to the client;
if the client is not within the authorization range, sending the authentication request message to an authentication server so as to obtain a dynamic token corresponding to the user login information; and sending the dynamic token corresponding to the user login information together with the authentication success message to the client.
Optionally, the determining, according to the authentication request message, whether the client is within an authorization range includes:
judging, according to the authentication request message, whether the authentication request message carries a first dynamic token;
if not, judging that the client is not within the authorization range;
if the first dynamic token is carried, judging whether the first dynamic token is within the validity period of the dynamic token;
if the first dynamic token is within the validity period of the dynamic token, judging that the client is within the authorization range;
and if the current time does not fall within the validity period of the dynamic token, sending a first refresh request to the authentication server, where the first refresh request carries a refresh token.
Optionally, after the sending the first refresh request to the authentication server, the method further comprises:
receiving a second dynamic token generated by the authentication server according to the refresh token;
replacing the first dynamic token in the authentication request message with the second dynamic token, so that the client is within the authorization range.
Optionally, the generating, by the authentication server, the second dynamic token according to the refresh token includes:
judging whether the refresh token is within the validity period of the refresh token;
if the current time is within the validity period of the refresh token, generating the second dynamic token;
and if the current time is not within the validity period of the refresh token, judging that the client is not within the authorization range.
Optionally, the refresh token includes a random 32-bit or 64-bit sequence of letters, digits and special characters, the time at which the refresh token was applied for, and the valid lifetime of the refresh token.
In a second aspect, an embodiment of the present application further provides a security control system based on a dynamic token, where the system includes:
the message receiving module is used for receiving an authentication request message sent by a client, wherein the authentication request message carries user login information;
the authority judging module is used for judging whether the client is in an authorization range according to the authentication request message;
the message sending module is used for returning an authentication success message to the client if the client is within the authorization range; sending the authentication request message to an authentication server, if the client is not within the authorization range, so as to obtain a dynamic token corresponding to the user login information; and sending the dynamic token corresponding to the user login information together with the authentication success message to the client.
Optionally, the permission determination module is specifically configured to:
judging, according to the authentication request message, whether the authentication request message carries a first dynamic token;
if not, judging that the client is not within the authorization range;
if the first dynamic token is carried, judging whether the first dynamic token is within the validity period of the dynamic token;
if the first dynamic token is within the validity period of the dynamic token, judging that the client is within the authorization range;
and if the current time does not fall within the validity period of the dynamic token, sending a first refresh request to the authentication server, where the first refresh request carries a refresh token.
Optionally, the system further comprises:
the second dynamic token generation module is used for receiving a second dynamic token generated by the authentication server according to the refresh token;
and the second dynamic token replacing module is used for replacing the first dynamic token in the authentication request message with the second dynamic token so as to enable the client to be in an authorization range.
Optionally, the second dynamic token generation module includes:
the validity period judging unit is used for judging whether the refresh token is within the validity period of the refresh token;
the generating unit is used for generating the second dynamic token if the refresh token is within the validity period of the refresh token;
and the judging unit is used for judging that the client is not within the authorization range if the refresh token is not within the validity period of the refresh token.
Optionally, the refresh token includes a random 32-bit or 64-bit sequence of letters, digits and special characters, the time at which the refresh token was applied for, and the valid lifetime of the refresh token.
In a third aspect, an embodiment of the present application further provides a computer device, including a memory, a processor, and a computer program stored on the memory and executable on the processor, where the processor executes the computer program to implement the method of any one of the first aspect.
In a fourth aspect, this application further provides a computer-readable storage medium, where a computer program for executing any one of the methods in the first aspect is stored in the computer-readable storage medium.
To sum up, the security control method and system based on a dynamic token provided by the embodiment of the present application receive an authentication request message sent by a client, where the authentication request message carries user login information; judge, according to the authentication request message, whether the client is within an authorization range; return an authentication success message to the client if the client is within the authorization range; send the authentication request message to an authentication server if the client is not within the authorization range, so as to obtain a dynamic token corresponding to the user login information; and send the dynamic token corresponding to the user login information together with the authentication success message to the client. The use of the dynamic token enhances information security and at the same time relieves the pressure of database interaction.
Drawings
In order to more clearly illustrate the embodiments of the present application or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, it is obvious that the drawings in the following description are only some embodiments of the present application, and for those skilled in the art, other drawings can be obtained according to the drawings without creative efforts. In the drawings:
fig. 1 is a schematic flowchart of a security control method based on a dynamic token provided in an embodiment of the present application;
FIG. 2 is a schematic diagram of an embodiment of user login provided in an embodiment of the present application;
FIG. 3 is a schematic diagram of an embodiment of a user log-out in an embodiment of the present application;
FIG. 4 is a schematic diagram of an embodiment of querying user information provided in an embodiment of the present application;
fig. 5 is a schematic diagram of an embodiment of user information update provided in an embodiment of the present application;
FIG. 6 is a schematic diagram of an embodiment of a token deferral provided in an embodiment of the present application;
fig. 7 is a block diagram of a security control system based on a dynamic token provided in an embodiment of the present application.
Fig. 8 is a schematic structural diagram of a computer device suitable for implementing the security control method based on the dynamic token in the embodiment of the present invention.
Detailed Description
The technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and the described embodiments are only a part of the embodiments of the present application, but not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
The principles and spirit of the present application are explained in detail below with reference to several representative embodiments of the present application.
Although the present application provides method operational steps or apparatus configurations as illustrated in the following examples or figures, more or fewer operational steps or modular units may be included in the methods or apparatus based on conventional or non-inventive efforts. In the case of steps or structures which do not logically have the necessary cause and effect relationship, the execution sequence of the steps or the module structure of the apparatus is not limited to the execution sequence or the module structure shown in the embodiment or the drawings of the present application. The described methods or modular structures, when applied in an actual device or end product, may be executed sequentially or in parallel according to embodiments or the methods or modular structures shown in the figures.
To maintain user state on a website (login status, shopping cart and the like), four techniques are available: hidden form fields, URL rewriting, cookies and sessions. Cookies and sessions are used to work around the fact that the HTTP protocol cannot maintain state; because a session is stored only on the server side and is never transmitted over the network, it is relatively safer than a cookie.
When cookies and sessions are used, a distributed architecture needs session synchronisation and the like, which increases program complexity. Moreover, with many kinds of clients, some users may not support cookies. A token, by contrast, can be saved directly in the user's page. In addition, when a token is used together with a gateway, once the token has been obtained the gateway only needs to judge whether the token is correct, which greatly reduces the load on the backend service for verifying sessions under high concurrency.
A token, as the name implies, is a temporary credential that can be understood as a kind of secret number, similar to a password. The token is produced by the server as a string and is then kept in duplicate by the client and the server. The token avoids marking the user as logged in from the front end, and a large number of login operations is no longer needed: the requesting end only needs to carry the token when accessing the server, and the server responds differently depending on whether token authentication succeeds.
Advantages of the token mechanism over the cookie mechanism and other mechanisms:
1. Cross-domain access is supported: cookies do not allow cross-domain access, a restriction that the token mechanism does not have, provided that the user authentication information is transmitted via an HTTP header.
2. Stateless (also: server scalability): the token mechanism does not need to store session information on the server, because the token itself contains all the login information of the user; only the client's cookie or local storage needs to hold state information.
3. Better suited to a CDN: the client can request all of the server's content (JavaScript, HTML, images and so on) through the content delivery network, and the server only needs to provide the API.
4. Decoupling: the gateway only needs to call the token generation interface of the verification service and is not bound to a specific identity verification scheme. The token may be generated anywhere, as long as the token generation call is made when the API is called.
5. Better suited to mobile applications: when the client is a native platform (iOS, Android, Windows 8 and the like), cookies are not supported (a cookie container is required to handle them), and the token authentication mechanism is much simpler.
6. CSRF: since the mechanism no longer depends on cookies, prevention of CSRF (cross-site request forgery) need not be considered.
7. Performance: one network round trip (querying session information from the database) takes much longer than the single HMAC-SHA256 calculation needed to validate and parse a token.
8. No special handling of the login page is needed: for example, if Protractor is used for functional testing, the login page needs no special handling.
9. Standards-based: the API may use the standardised JSON Web Token (JWT). This standard already has several back-end libraries (.NET, Ruby, Java, Python, PHP) and the support of several companies (e.g. Firebase, Google, Microsoft).
A token better protects the user's information and property and prevents CSRF attacks (simply put, it prevents account theft). Because the user only needs to enter an account and password to log in at a trusted website, if authentication is required when visiting other, less trustworthy third-party websites, the user can still choose a safe website to log in and authenticate, and then carry the token to visit the website with the lower safety factor.
A token is a string of characters, but that does not mean its length is fixed or its format is always the same. Although the JWT specification can be used to generate tokens, the way a token is generated can also be customised, as long as the token has a key (usually a combination of the user's primary-key information, encrypted into the token string) and a value (the user's detailed information) that can be encrypted and decrypted normally (the encryption and decryption method can likewise be customised). A token generally contains enough information (how much, and which, depends on the encoding), such as the user id, the validity period and the unique identifier of the token; the token string is obtained by concatenating key values (for example, the user id and the user's department id are concatenated to serve as the primary key) and encrypting them. An example:
fbb91fa4-524f-4e97-8c18-9d5891baea65 (final token pattern)
Regarding token lifetime: since a token is a secret number, the same token must certainly not be used indefinitely, and it is most reasonable to replace the token periodically. However, the validity time of the token cannot be set too short either; frequent token expiry, forcing the user to log in again, is a very poor experience. The expiry time of the token will not exceed 1 hour, and so that the token lifetime setting is not contradictory, a refresh token object is introduced here. The two are very similar, both being encrypted strings; the refresh token exists so that, after the client's token expires, the token can be refreshed efficiently and quickly and a new token reacquired (note that only a new token is acquired), so the expiry time of the refresh token can be set loosely (1 day, 7 days or even several months). When the refresh token object also expires, the user is required to log in again for authentication.
Fig. 1 shows a schematic flowchart of a security control method based on a dynamic password provided in an embodiment of the present application, and as shown in fig. 1, the method includes the following steps:
Step 101: receive an authentication request message sent by a client, where the authentication request message carries user login information.
Step 102: judge, according to the authentication request message, whether the client is within an authorization range.
Step 103: if the client is within the authorization range, return an authentication success message to the client.
Step 104: if the client is not within the authorization range, send the authentication request message to an authentication server so as to obtain a dynamic token corresponding to the user login information, and send the dynamic token corresponding to the user login information together with the authentication success message to the client.
In some embodiments, step 103 further includes the following steps: judging, according to the authentication request message, whether the authentication request message carries a first dynamic token; if not, judging that the client is not within the authorization range; if the first dynamic token is carried, judging whether the first dynamic token is within the validity period of the dynamic token; if so, judging that the client is within the authorization range; and if the current time does not fall within the validity period of the dynamic token, sending a first refresh request to the authentication server, where the first refresh request carries a refresh token.
In some embodiments, after said sending the first refresh request to the authentication server, the method further comprises:
receiving a second dynamic token generated by the authentication server according to the refresh token; and replacing the first dynamic token in the authentication request message with the second dynamic token, so that the client is within the authorization range.
In some embodiments, generating the second dynamic token by the authentication server according to the refresh token comprises:
judging whether the refresh token is within the validity period of the refresh token; if the current time is within the validity period of the refresh token, generating the second dynamic token; and if the current time is not within the validity period of the refresh token, judging that the client is not within the authorization range.
In some embodiments, the refresh token includes a random 32-bit or 64-bit sequence of letters, digits and special characters, the time at which the refresh token was applied for, and the valid lifetime of the refresh token.
In some embodiments, the user information is stored in the authentication server through a redis cache, generating a dynamic token encryption string for use.
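As an added illustration, not code from the patent, the gateway decision of steps 102 to 104 together with the refresh-token path (first dynamic token, refresh request, second dynamic token) in Python. The HMAC-SHA256 token encoding, the shared key, the constructed user table and the lifetimes (1 hour for the dynamic token, 7 days for the refresh token, chosen from the ranges the description mentions) are all assumptions; a tampered or malformed token is treated as a failure rather than refreshed.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Assumptions (not from the patent): one key shared by gateway and authentication
# server, and lifetimes taken from the ranges the description gives.
SHARED_KEY = b"constructed-demo-key-change-me"
DYNAMIC_TOKEN_LIFETIME = 3600           # dynamic token expiry does not exceed 1 hour
REFRESH_TOKEN_LIFETIME = 7 * 24 * 3600  # refresh token lifetime is loose, e.g. 7 days
USERS = {"alice": "correct horse battery"}  # constructed credential table


def _sign(body: str) -> str:
    """HMAC-SHA256 over the encoded fields: validating a token costs one HMAC, not a DB query."""
    return hmac.new(SHARED_KEY, body.encode(), hashlib.sha256).hexdigest()


def encode_token(fields: dict) -> str:
    body = base64.urlsafe_b64encode(json.dumps(fields, sort_keys=True).encode()).decode()
    return body + "." + _sign(body)


def decode_token(token: str):
    """Return the token's fields, or None if the string is malformed or the MAC does not verify."""
    if "." not in token:
        return None
    body, sig = token.split(".", 1)
    if not hmac.compare_digest(sig, _sign(body)):
        return None
    try:
        return json.loads(base64.urlsafe_b64decode(body))
    except (ValueError, UnicodeDecodeError):
        return None


def issue_dynamic_token(user_id: str, now: int) -> str:
    # user id, validity period and a unique token identifier, as the description lists
    return encode_token({"typ": "dyn", "uid": user_id, "iat": now,
                         "exp": now + DYNAMIC_TOKEN_LIFETIME, "jti": secrets.token_hex(16)})


def issue_refresh_token(user_id: str, now: int) -> str:
    # a 64-character random sequence, the application time and the valid lifetime
    return encode_token({"typ": "refresh", "uid": user_id, "rnd": secrets.token_urlsafe(48),
                         "applied_at": now, "lifetime": REFRESH_TOKEN_LIFETIME})


# --- authentication server ---
def auth_server_login(login_info, now: int):
    """Issue (dynamic token, refresh token) for valid credentials, else None."""
    if not login_info:
        return None
    expected = USERS.get(login_info.get("user"))
    if expected is None or not hmac.compare_digest(expected, login_info.get("password", "")):
        return None
    return issue_dynamic_token(login_info["user"], now), issue_refresh_token(login_info["user"], now)


def auth_server_refresh(refresh_token, now: int):
    """Generate the second dynamic token only while the refresh token is within its lifetime."""
    fields = decode_token(refresh_token) if refresh_token else None
    if fields is None or fields.get("typ") != "refresh":
        return None
    if now >= fields["applied_at"] + fields["lifetime"]:
        return None  # refresh token expired: the client is out of the authorization range
    return issue_dynamic_token(fields["uid"], now)


# --- gateway: steps 102 to 104 ---
def gateway_authenticate(request: dict, now: int):
    """Return ("auth_success", new credentials or None) or ("auth_failed", None)."""
    token = request.get("dynamic_token")
    if token is None:
        # no first dynamic token: not in the authorization range, ask the auth server (step 104)
        issued = auth_server_login(request.get("login"), now)
        if issued is None:
            return "auth_failed", None
        dyn, refresh = issued
        return "auth_success", {"dynamic_token": dyn, "refresh_token": refresh}
    fields = decode_token(token)
    if fields is None or fields.get("typ") != "dyn":
        return "auth_failed", None  # forged or malformed token: never refreshed
    if now < fields["exp"]:
        return "auth_success", None  # within the validity period (step 103)
    # expired: first refresh request carrying the refresh token
    second = auth_server_refresh(request.get("refresh_token"), now)
    if second is None:
        return "auth_failed", None
    request["dynamic_token"] = second  # replace the first dynamic token with the second
    return "auth_success", {"dynamic_token": second}
```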
In order to make the method provided by the embodiments of the present application clearer, a brief description of an application scenario and a flowchart description are now made with reference to the drawings.
First, the parties involved are briefly described:
Subsystem: generally an external subsystem, i.e. an external application system located on the internet, which, unlike an intranet system, needs to access the intranet through the unified login page.
Unified login page: refers to single sign-on; each external subsystem jumps to the single sign-on page to log in. It is the uniform interface service through which the external network accesses the internal network.
Gateway: manages requests and distributes them to the corresponding backend service.
Authentication server: the backend that manages tokens, including token generation, modification of the user information corresponding to a token, token deletion, token deferral and the like.
Fig. 2 shows a schematic diagram of a user logging in on a subsystem, which may specifically include the following steps:
step 1: and when the user logs in the subsystem, clicking the login to jump to the unified login interface.
Step 2: and after receiving the login request message, the unified login interface forwards the login request message to the authentication server through the gateway.
And step 3: and the authentication server sends the information carried in the login request message to the gateway.
And 4, step 4: the gateway determines the service type and the interface name according to the information, and sends the related information to the authentication server, so that the authentication server generates a formal token character string after calling the created token interface, takes the formal token character string as a key, and stores the related information as a value in a redis cache.
And 5: the authentication server returns the formal token character string to be forwarded to the unified login interface through the gateway. And finishing the generation of the official token.
In order to ensure the security, if the system is an external subsystem (a system running on the internet), an internal network (an in-line network) system needs to be accessed through a unified login page to obtain a formal token, and then the formal token is used for replacing a temporary token for use in the external subsystem. The expiration date for temporary token use is 10 minutes by default.
The following is a step of replacing the regular token with the temporary token.
Step 6: and the unified login page initiates a temporary token acquisition request message to the gateway, wherein the temporary token acquisition request message carries the formal token parameters.
And 7: and the gateway forwards the temporary token acquisition request message to an authentication server.
And 8: the authentication server calls the authentication interface to exchange the formal token for the temporary token and returns the temporary token to the gateway.
And step 9: and the gateway returns the temporary token to the unified login page.
Step 10: the unified login page returns the temporary token to the subsystem.
Step 11: when the subsystem interacts with other subsystems, a formal token acquisition request is sent to the gateway, and the formal token acquisition request message carries the temporary token, so that the temporary token is called to acquire a user information interface from the gateway to acquire the formal token.
Step 12: the gateway returns the formal token to the subsystem.
Step 13: the subsystem sends a user information acquisition request message to the gateway.
Step 14: the gateway returns the user information to the subsystem.
When the subsystem interacts with other subsystems, the subsystem can carry the temporary token parameter, and the user information interface is obtained to the gateway by calling the temporary token, and then the user information is obtained to the authentication server to carry out user safety verification.
Fig. 3 shows a process of the user logging out of the subsystem, which may specifically include the following processes:
step 1: and the subsystem sends an active logout request message to the unified login page, wherein the active logout request message carries the formal token.
Step 2: and the unified login page sends the message header to the formal token and sends the message header to a gateway.
And step 3: and the gateway transmits the message header to the formal token and forwards the message header to an authentication server.
And 4, step 4: the authentication server returns a token deletion success response message to the gateway.
And 5: and the gateway returns the successful token deleting result to the subsystem and sends the successful feedback message to the authentication server.
Fig. 4 shows a flow of querying user information. The method specifically comprises the following steps:
step 1: and the subsystem sends a user information query request message to the unified login page so as to call a user information interface, wherein the parameter is a formal token.
Step 2: and the unified login page forwards the user information inquiry request message to a gateway.
And step 3: and the gateway forwards the user information inquiry request message to an authentication server so that the authentication server acquires corresponding user information in a redis cache according to the formal token.
And 4, step 4: and the authentication server returns the acquired user information to the gateway.
And 5: and the gateway returns the user information to the unified login page and then returns the user information to the subsystem.
Fig. 5 shows a flow of user information update. The method specifically comprises the following steps:
step 1: the subsystem initiates a request message for updating the user information, the parameter is a formal token, and the user information is a request body. And then jumping to the unified login page.
Step 2: and the unified login interface forwards the user information updating request message to the gateway.
And step 3: the gateway forwards the key to an authentication server, and the authentication server updates the user information according to the key (token transmission) of the official token in the redis cache. And replacing the user information corresponding to the token with the newly transmitted user information.
And 4, step 4: and the authentication server returns the processed updating success result to the gateway so that the gateway returns to the unified login interface.
And 5: and the unified login interface returns the successful updating result to the subsystem.
Fig. 6 shows a flow of token deferral. The method specifically comprises the following steps:
The subsystem calls the token deferral interface at regular intervals and passes the call to the gateway through the unified login interface. The gateway forwards the request to the backend authentication service.
Step 1: the authentication server sends a token deferral request to the gateway.
Step 2: the gateway checks whether the token exists; if so, the token is given a default time-limit extension of ten minutes, and the time limit can also be passed as a request parameter. If the token does not exist, it is not processed and a processing-failure message is returned.
Step 3: the subsystem sends a token refresh request message to the gateway so that the redis server performs the deferral operation on the token.
Step 4: the gateway returns the deferral success or failure message to the unified login interface, which returns it to the subsystem.
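As an added example, not code from the patent, the authentication-server side of the flows in figs. 2 to 6 in Python: creating a formal token, exchanging it for a 10-minute temporary token and redeeming that token, querying and updating the stored user information, deleting the token on logout, and deferring it by the default ten minutes. The in-memory TokenCache standing in for the redis cache, the controllable clock, the UUID token format (matching the page's sample token) and the 1-hour formal-token lifetime are assumptions.

```python
import uuid

FORMAL_TOKEN_TTL = 3600   # assumed: formal token expiry does not exceed 1 hour
TEMP_TOKEN_TTL = 600      # temporary token expires after 10 minutes by default
DEFER_DEFAULT = 600       # deferral extends the time limit by ten minutes by default


class FakeClock:
    """Controllable clock so expiry and deferral can be exercised without waiting."""
    def __init__(self, start: float):
        self.now = start

    def advance(self, seconds: float):
        self.now += seconds

    def __call__(self) -> float:
        return self.now


class TokenCache:
    """In-memory stand-in for the redis cache: key -> (value, expiry time)."""
    def __init__(self, clock):
        self._clock = clock
        self._entries = {}

    def set(self, key, value, ttl):
        self._entries[key] = (value, self._clock() + ttl)

    def get(self, key):
        entry = self._entries.get(key)
        if entry is None:
            return None
        value, expiry = entry
        if self._clock() >= expiry:          # lazy expiry, like a redis TTL
            del self._entries[key]
            return None
        return value

    def replace(self, key, value) -> bool:
        """Swap the value but keep the remaining lifetime."""
        if self.get(key) is None:
            return False
        _, expiry = self._entries[key]
        self._entries[key] = (value, expiry)
        return True

    def delete(self, key) -> bool:
        return self._entries.pop(key, None) is not None

    def extend(self, key, seconds) -> bool:
        if self.get(key) is None:
            return False
        value, expiry = self._entries[key]
        self._entries[key] = (value, expiry + seconds)
        return True


class AuthServer:
    def __init__(self, clock):
        self.cache = TokenCache(clock)

    def create_token(self, user_info: dict) -> str:
        """Fig. 2 step 4: the formal token string is the key, the user information the value."""
        formal = str(uuid.uuid4())
        self.cache.set(formal, dict(user_info), FORMAL_TOKEN_TTL)
        return formal

    def exchange_temporary(self, formal: str):
        """Fig. 2 step 8: swap a live formal token for a short-lived temporary token."""
        if self.cache.get(formal) is None:
            return None
        temp = "tmp-" + str(uuid.uuid4())
        self.cache.set(temp, formal, TEMP_TOKEN_TTL)
        return temp

    def redeem_temporary(self, temp: str):
        """Fig. 2 step 11: a live temporary token yields the formal token again."""
        formal = self.cache.get(temp)
        return formal if formal and self.cache.get(formal) is not None else None

    def get_user_info(self, formal: str):
        """Fig. 4: look the user information up by formal token."""
        return self.cache.get(formal)

    def update_user_info(self, formal: str, new_info: dict) -> bool:
        """Fig. 5: replace the user information stored under the token."""
        return self.cache.replace(formal, dict(new_info))

    def delete_token(self, formal: str) -> bool:
        """Fig. 3: logout deletes the token."""
        return self.cache.delete(formal)

    def defer_token(self, formal: str, extension: int = DEFER_DEFAULT) -> bool:
        """Fig. 6: extend an existing token by ten minutes (or the requested limit), else fail."""
        return self.cache.extend(formal, extension)
```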
When the client requests data from the server many times, the server provided by the embodiment of the application does not need, as in the traditional approach, to query the user name and password from the database each time and compare them to judge whether they are correct. With the dynamic-password-based security control method provided by the embodiment of the application, the load of database interaction is greatly reduced and performance is improved. The system supports automatic single sign-on: a transaction only needs to carry a time-limited token value, and the back-end service can automatically identify and verify the user. The back-end service interacts with the redis cache service through the transmitted token. The time-limited token enhances information security, and the token is automatically invalidated once its validity period is exceeded.
To sum up, in the security control method based on a dynamic token provided in the embodiment of the present application, an authentication request message sent by a client is received, where the authentication request message carries user login information; whether the client is within an authorization range is judged according to the authentication request message; if the client is within the authorization range, an authentication success message is returned to the client; if the client is not within the authorization range, the authentication request message is sent to an authentication server so as to obtain a dynamic token corresponding to the user login information; and the dynamic token corresponding to the user login information is sent to the client together with the authentication success message. The use of the dynamic token enhances information security and at the same time relieves the pressure of database interaction.
Based on the same technical concept, an embodiment of the present application further provides a security control system based on a dynamic token, as shown in fig. 7, the system includes:
The message receiving module 701 is configured to receive an authentication request message sent by a client, where the authentication request message carries user login information.
The permission judging module 702 is configured to judge whether the client is within an authorized range according to the authentication request message.
The message sending module 703 is configured to return an authentication success message to the client if the client is within the authorization range; to send the authentication request message to an authentication server if the user login information is not in the authorization range, so as to obtain a dynamic token corresponding to the user login information; and to send the dynamic token corresponding to the user login information and the authentication success message to the client.
In some embodiments, the permission determination module 702 is specifically configured to: judge, according to the authentication request message, whether the message carries a first dynamic token; if not, judge that the client is not in the authorization range; if a first dynamic token is carried, judge whether the first dynamic token is within the validity period of the dynamic token; if it is within the validity period, judge that the client is in the authorization range; and if the current time does not fall within the validity period of the dynamic token, send a first refresh request to the authentication server, where the first refresh request carries a refresh token.
In some embodiments, the system further comprises: the second dynamic token generation module is used for receiving a second dynamic token generated by the authentication server according to the refresh token; and the second dynamic token replacing module is used for replacing the first dynamic token in the authentication request message with the second dynamic token so as to enable the client to be in an authorization range.
In some embodiments, the second dynamic token generation module comprises: a validity period judging unit, used to judge whether the refresh token is within the validity period of the refresh token; a generating unit, used to generate the second dynamic token if the refresh token is within its validity period; and a judging unit, which judges that the client is not in the authorization range if the refresh token is not within its validity period.
In some embodiments, the refresh token comprises a random 32- or 64-character sequence of letters, numbers and special characters, the time the refresh token was applied for, and the validity period of the refresh token.
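The permission judging module, the second dynamic token generation module and the refresh token structure described above, as one added example with constructed timestamps (not the patent's own code): the gateway first looks for a dynamic token in the request, accepts it while it is within its validity period, and otherwise sends the refresh token to a modelled authentication server, which issues a second dynamic token only while the refresh token is within its own validity period; the second token then replaces the first in the request. The AuthServer class, the decision dictionaries, the special-character alphabet and the dynamic token lifetime are this example's assumptions.

```python
"""Gateway authorization check with dynamic and refresh tokens
(added example, not the patent's code).

Assumptions: validity is tracked with absolute timestamps; the
authentication server is modelled as a class holding the refresh tokens it
issued; the alphabet and lifetimes are constructed values.
"""
import secrets
import string
from dataclasses import dataclass
from typing import Optional

# letters, numbers and special characters, as the refresh token description requires
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*-_=+"


@dataclass
class DynamicToken:
    value: str
    expires_at: float

    def is_valid(self, now: float) -> bool:
        return now < self.expires_at


@dataclass
class RefreshToken:
    value: str          # random 32- or 64-character sequence
    applied_at: float   # time the refresh token was applied for
    lifetime: float     # validity period in seconds

    def is_valid(self, now: float) -> bool:
        return self.applied_at <= now < self.applied_at + self.lifetime


def new_refresh_token(applied_at: float, lifetime: float, length: int = 32) -> RefreshToken:
    """Build a refresh token; only the two lengths named in the patent are allowed."""
    if length not in (32, 64):
        raise ValueError("refresh token length must be 32 or 64")
    value = "".join(secrets.choice(ALPHABET) for _ in range(length))
    return RefreshToken(value, applied_at, lifetime)


class AuthServer:
    """Issues dynamic tokens and answers refresh requests (assumed model)."""

    def __init__(self, dynamic_lifetime: float = 1800.0):
        self.dynamic_lifetime = dynamic_lifetime
        self._refresh_tokens = {}  # refresh token value -> RefreshToken

    def issue_refresh_token(self, now: float, lifetime: float, length: int = 32) -> RefreshToken:
        rt = new_refresh_token(now, lifetime, length)
        self._refresh_tokens[rt.value] = rt
        return rt

    def refresh(self, refresh_value: str, now: float) -> Optional[DynamicToken]:
        """Return a second dynamic token, or None if the refresh token is unknown or expired."""
        rt = self._refresh_tokens.get(refresh_value)
        if rt is None or not rt.is_valid(now):
            return None   # client is judged to be outside the authorization range
        return DynamicToken(secrets.token_urlsafe(24), now + self.dynamic_lifetime)


def authorize(request: dict, now: float, auth_server: AuthServer) -> dict:
    """The gateway's decision for one authentication request message."""
    first = request.get("dynamic_token")
    if first is None:
        return {"authorized": False, "reason": "no dynamic token"}
    if first.is_valid(now):
        return {"authorized": True, "dynamic_token": first}
    # First dynamic token expired: send a refresh request carrying the refresh token.
    refresh_value = request.get("refresh_token")
    if refresh_value is None:
        return {"authorized": False, "reason": "no refresh token"}
    second = auth_server.refresh(refresh_value, now)
    if second is None:
        return {"authorized": False, "reason": "refresh token invalid or expired"}
    request["dynamic_token"] = second   # replace the first token with the second
    return {"authorized": True, "dynamic_token": second, "refreshed": True}
```

Because the replacement is written back into the request, a later call with the same request and a later timestamp is accepted on the second token directly, without another round trip to the authentication server, until that token in turn expires.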
From a hardware aspect, the present invention provides an embodiment of an electronic device for implementing all or part of contents in a security control method based on a dynamic token, where the electronic device specifically includes the following contents:
a processor (processor), a memory (memory), a communication Interface (Communications Interface), and a bus; the processor, the memory and the communication interface complete mutual communication through the bus; the communication interface is used for realizing information transmission among related equipment such as a server, a device, a distributed message middleware cluster device, various databases, a user terminal and the like; the electronic device may be a desktop computer, a tablet computer, a mobile terminal, and the like, but the embodiment is not limited thereto. In this embodiment, the electronic device may refer to an embodiment of the dynamic token-based security control method in the embodiment, and the contents thereof are incorporated herein, and repeated descriptions are omitted.
Fig. 8 is a schematic block diagram of a system configuration of an electronic device 9600 according to an embodiment of the present invention. As shown in fig. 8, the electronic device 9600 can include a central processor 9100 and a memory 9140; the memory 9140 is coupled to the central processor 9100. Notably, this FIG. 8 is exemplary; other types of structures may also be used in addition to or in place of the structure to implement telecommunications or other functions.
In one embodiment, the dynamic token based security control functionality may be integrated into central processor 9100. For example, the central processor 9100 may be configured to control as follows:
Step 101: receiving an authentication request message sent by a client, wherein the authentication request message carries user login information.
Step 102: judging whether the client is in an authorized range according to the authentication request message.
Step 103: if the authentication request is in the authorization range, returning an authentication success message to the client.
Step 104: if the user login information is not in the authorization range, sending the authentication request message to an authentication server so as to obtain a dynamic token corresponding to the user login information; and sending the dynamic token corresponding to the user login information and the authentication success message to the client.
As can be seen from the above description, in the electronic device provided in the embodiment of the present invention, an authentication request message sent by a client is received, where the authentication request message carries user login information; judging whether the client is in an authorization range according to the authentication request message; if the authentication request is in the authorization range, returning an authentication success message to the client; if the user login information is not in the authorization range, the authentication request message is sent to an authentication server so as to obtain a dynamic token corresponding to the user login information; and sending the dynamic token corresponding to the user login information and the authentication success message to the client. The application of the dynamic token enhances the information security and simultaneously relieves the pressure of database interaction.
In another embodiment, the data importing apparatus may be configured separately from the central processor 9100, for example, the data importing apparatus may be a chip connected to the central processor 9100, and the data importing function is implemented by the control of the central processor.
As shown in fig. 8, the electronic device 9600 may further include: a communication module 9110, an input unit 9120, an audio processor 9130, a display 9160, and a power supply 9170. It is noted that the electronic device 9600 also does not necessarily include all of the components shown in fig. 8; further, the electronic device 9600 may further include components not shown in fig. 8, which may be referred to in the art.
As shown in fig. 8, a central processor 9100, sometimes referred to as a controller or operational control, can include a microprocessor or other processor device and/or logic device, which central processor 9100 receives input and controls the operation of the various components of the electronic device 9600.
The memory 9140 can be, for example, one or more of a buffer, a flash memory, a hard drive, a removable medium, a volatile memory, a non-volatile memory, or other suitable device. Information may be stored in it, together with a program for processing that information, and the central processing unit 9100 can execute the program stored in the memory 9140 to realize information storage, processing, or the like.
An input unit 9120 provides input to the central processor 9100; the input unit 9120 is, for example, a key or a touch input device. A power supply 9170 supplies power to the electronic device 9600. A display 9160 displays display objects such as images and characters, and may be, for example, an LCD display, but is not limited thereto.
The memory 9140 can be a solid state memory, e.g., Read Only Memory (ROM), Random Access Memory (RAM), a SIM card, or the like. There may also be a memory that holds information even when power is off, can be selectively erased, and can be loaded with more data; an example of this is sometimes called an EPROM or the like. The memory 9140 could also be some other type of device. Memory 9140 includes a buffer memory 9141 (sometimes referred to as a buffer). The memory 9140 may include an application/function storage portion 9142, the application/function storage portion 9142 being used for storing application programs and function programs or for executing a flow of operations of the electronic device 9600 by the central processor 9100.
The memory 9140 can also include a data store 9143, the data store 9143 being used to store data, such as contacts, digital data, pictures, sounds, and/or any other data used by an electronic device. The driver storage portion 9144 of the memory 9140 may include various drivers for the electronic device for communication functions and/or for performing other functions of the electronic device (e.g., messaging applications, contact book applications, etc.).
The communication module 9110 is a transmitter/receiver 9110 that transmits and receives signals via an antenna 9111. The communication module (transmitter/receiver) 9110 is coupled to the central processor 9100 to provide input signals and receive output signals, which may be the same as in the case of a conventional mobile communication terminal.
Based on different communication technologies, a plurality of communication modules 9110, such as a cellular network module, a bluetooth module, and/or a wireless local area network module, may be provided in the same electronic device. The communication module (transmitter/receiver) 9110 is also coupled to a speaker 9131 and a microphone 9132 via an audio processor 9130 to provide audio output via the speaker 9131 and receive audio input from the microphone 9132, thereby implementing ordinary telecommunications functions. The audio processor 9130 may include any suitable buffers, decoders, amplifiers and so forth. In addition, the audio processor 9130 is also coupled to the central processor 9100, thereby enabling recording locally through the microphone 9132 and enabling locally stored sounds to be played through the speaker 9131.
An embodiment of the present invention further provides a computer-readable storage medium capable of implementing all steps in the dynamic token-based security control method; the computer-readable storage medium stores a computer program which, when executed by a processor, implements all steps of the dynamic token-based security control method, where the execution subject in the above embodiment is a server or a client.
As can be seen from the above description, in the computer-readable storage medium provided in the embodiments of the present invention, an authentication request message sent by a client is received, where the authentication request message carries user login information; judging whether the client is in an authorization range according to the authentication request message; if the authentication request is in the authorization range, returning an authentication success message to the client; if the user login information is not in the authorization range, the authentication request message is sent to an authentication server so as to obtain a dynamic token corresponding to the user login information; and sending the dynamic token corresponding to the user login information and the authentication success message to the client. The application of the dynamic token enhances the information security and simultaneously relieves the pressure of database interaction.
As will be appreciated by one skilled in the art, embodiments of the present invention may be provided as a method, apparatus, or computer program product. Accordingly, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present invention may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present invention is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (devices), and computer program products according to embodiments of the invention. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
The principle and the implementation mode of the invention are explained by applying specific embodiments in the invention, and the description of the embodiments is only used for helping to understand the method and the core idea of the invention; meanwhile, for a person skilled in the art, according to the idea of the present invention, there may be variations in the specific embodiments and the application scope, and in summary, the content of the present specification should not be construed as a limitation to the present invention.

Claims (12)

1. A security control method based on a dynamic token is characterized by comprising the following steps:
receiving an authentication request message sent by a client, wherein the authentication request message carries user login information;
judging whether the client is in an authorization range according to the authentication request message;
if the authentication request is in the authorization range, returning an authentication success message to the client;
if the user login information is not in the authorization range, the authentication request message is sent to an authentication server so as to obtain a dynamic token corresponding to the user login information; and sending the dynamic token corresponding to the user login information and the authentication success message to the client.
2. The method of claim 1, wherein the determining whether the client is within an authorization scope according to the authentication request message comprises:
judging whether the authentication request message carries a first dynamic token or not according to the authentication request message;
if not, judging that the client is not in the authorization range;
if the first dynamic token is carried, judging whether the first dynamic token is in the validity period of the dynamic token;
if the first dynamic token is in the validity period of the dynamic token, judging that the client is in an authorization range;
and if the current time does not fall within the validity period of the dynamic token, sending a first refreshing request to the authentication server, wherein the first refreshing request carries a refreshing token.
3. The method of claim 2, wherein after the sending the first refresh request to the authentication server, the method further comprises:
receiving a second dynamic token generated by the authentication server according to the refresh token;
replacing the first dynamic token in the authentication request message with the second dynamic token so that the client is within an authorization scope.
4. The method of claim 3, wherein the second dynamic token generated by the authentication server from the refresh token comprises:
judging whether the refresh token is in the valid period of the refresh token;
if the current time is within the valid period of the refresh token, generating the second dynamic token;
and if the refresh token is not within its valid period, judging that the client is not in the authorization range.
5. The method of any of claims 2 to 4, wherein the refresh token comprises a random 32- or 64-character sequence of letters, numbers and special characters, a time of application for the refresh token, and a valid lifetime of the refresh token.
6. A dynamic token based security control system, the system comprising:
the message receiving module is used for receiving an authentication request message sent by a client, wherein the authentication request message carries user login information;
the authority judging module is used for judging whether the client is in an authorization range according to the authentication request message;
the message sending module is used for returning an authentication success message to the client if the client is in the authorization range; the authentication request message is sent to an authentication server if the user login information is not in the authorization range, so as to obtain a dynamic token corresponding to the user login information; and sending the dynamic token corresponding to the user login information and the authentication success message to the client.
7. The system of claim 6, wherein the permission determination module is specifically configured to:
judging whether the authentication request message carries a first dynamic token or not according to the authentication request message;
if not, judging that the client is not in the authorization range;
if the first dynamic token is carried, judging whether the first dynamic token is in the validity period of the dynamic token;
if the first dynamic token is in the validity period of the dynamic token, judging that the client is in an authorization range;
and if the current time does not fall within the validity period of the dynamic token, sending a first refreshing request to the authentication server, wherein the first refreshing request carries a refreshing token.
8. The system of claim 7, wherein the system further comprises:
the second dynamic token generation module is used for receiving a second dynamic token generated by the authentication server according to the refresh token;
and the second dynamic token replacing module is used for replacing the first dynamic token in the authentication request message with the second dynamic token so as to enable the client to be in an authorization range.
9. The system of claim 8, wherein the second dynamic token generation module comprises:
the valid period judging unit is used for judging whether the refreshing token is in the valid period of the refreshing token;
the generating unit is used for generating the second dynamic token if the refresh token is within its valid period;
and the judging unit judges that the client is not in the authorization range if the refresh token is not within its validity period.
10. The system of any one of claims 7 to 9, wherein the refresh token comprises a random 32- or 64-character sequence of letters, numbers and special characters, a time of application for the refresh token, and a valid lifetime of the refresh token.
11. A computer device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, wherein the processor implements the method of any one of claims 1 to 5 when executing the computer program.
12. A computer-readable storage medium, characterized in that the computer-readable storage medium stores a computer program for executing the method of any one of claims 1 to 5.
Application CN202010244032.1A, priority date 2020-03-31, filing date 2020-03-31: Security control method and system based on dynamic token (pending).

Publication: CN111431920A, published 2020-07-17.

Family ID: 71550191. Country status: CN, CN111431920A.



Legal Events

PB01: Publication.
SE01: Entry into force of request for substantive examination.
TA01: Transfer of patent application right. Effective date of registration: 20220923. Applicant before: CHINA CONSTRUCTION BANK Corp. and Jianxin Financial Science and Technology Co.,Ltd.; applicant after: CHINA CONSTRUCTION BANK Corp. Address before and after: 25 Financial Street, Xicheng District, Beijing 100033.
RJ01: Rejection of invention patent application after publication. Application publication date: 20200717.