CN111756753B - Authority verification method and system - Google Patents


Info

Publication number: CN111756753B
Application number: CN202010595105.1A
Authority: CN (China)
Prior art keywords: token, client, resource server, information, server
Legal status: Active (status as listed by Google Patents, which has not performed a legal analysis)
Other languages: Chinese (zh)
Other versions: CN111756753A (en)
Inventor: 聂志
Current assignee: Ping An Property and Casualty Insurance Company of China Ltd
Original assignee: Ping An Property and Casualty Insurance Company of China Ltd
Events: application filed by Ping An Property and Casualty Insurance Company of China Ltd; priority to CN202010595105.1A; publication of CN111756753A; application granted; publication of CN111756753B; legal status active

Classifications

    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0807 Authentication of entities using tickets, e.g. Kerberos
    • H04L63/083 Authentication of entities using passwords
    • G06F21/31 User authentication
    • G06F21/604 Tools and structures for managing or administering access control systems
    • G06F2221/2141 Access rights, e.g. capability lists, access control lists, access tables, access matrices
    • G06Q40/08 Insurance

Abstract

The invention discloses an authority verification method and system. The method comprises: receiving a verification request sent by a resource server, the verification request including credential information that uniquely identifies the resource server; authenticating the resource server based on the credential information and, if that authentication passes, acquiring the user name and login password used to log in to the client; authenticating the client based on the user name and login password and, if that authentication passes, acquiring the user role information and service line information of the client; generating a token corresponding to the resource server based on the user role information, the service line information and the credential information; and sending the token to the client so that the client can use it to access the resource server. The invention ensures the security of authority verification; it also relates to blockchain technology.

Description

Authority verification method and system
Technical Field
The invention relates to the field of computers, and in particular to an authority verification method and system.
Background
Generally, one insurance platform aggregates a plurality of insurance products for users to select and use. When a user accesses different insurance products through the platform, each insurance product system must authenticate the user. Different insurance product systems use different authentication schemes, so authentication does not interoperate between them and the user experience is poor. How to achieve interoperable authentication across the various property-insurance product systems has therefore become a technical problem to be solved by those skilled in the art.
Disclosure of Invention
The invention aims to provide an authority verification method and system that improve the efficiency of authority verification and ensure its security.
According to one aspect of the present invention, there is provided an authority verification method, comprising the steps of:
receiving a verification request sent by a resource server; wherein the verification request is issued when the resource server receives an access request from a client that does not include a token, and the verification request includes credential information that uniquely identifies the resource server;
authenticating the resource server based on the credential information and, if the authentication passes, acquiring the user name and login password used to log in to the client;
authenticating the client based on the user name and login password and, if the authentication passes, acquiring user role information and service line information of the client;
generating a token corresponding to the resource server based on the user role information, the service line information and the credential information;
and sending the token to the client so that the client can use the token to access the resource server.
Optionally, before the receiving the authentication request sent by the resource server, the method further includes:
receiving an application request sent by the resource server; wherein the application request includes ID information of the resource server;
encoding the ID information into credential information using the Base64 algorithm;
and sending the credential information to the resource server.
Optionally, generating the token corresponding to the resource server based on the user role information, the service line information and the credential information specifically includes:
generating a JSON character string based on the user role information, the service line information and the credential information;
Base64-encoding the JSON character string to obtain the payload of the token;
generating the header of the token, which records the preset signature algorithm;
generating the signature of the token over the payload using the preset signature algorithm and the preset signing key (the private key corresponding to the public key that the resource server uses for verification);
and concatenating the header, the payload and the signature to form the token.
Optionally, after the sending the token to the client, the method further includes:
receiving a token logout request sent by the resource server; wherein the token deregistration request is sent when the client logs out of the resource server.
According to another aspect of the present invention, there is also provided an authority verification method, comprising the steps of:
receiving an access request sent by a client, and judging whether the access request contains a token;
if it does not contain a token, sending a verification request including credential information to an authorization server, so that the authorization server authenticates the resource server based on the credential information; wherein the credential information uniquely identifies the resource server;
and, if that authentication passes, sending the user name and login password used to log in to the client to the authorization server, so that the authorization server authenticates the client based on them and, if that authentication passes, generates the token the client will use to access the resource server.
Optionally, after receiving the access request sent by the client, the method further includes:
if the token is contained, verifying the token and acquiring user role information and service line information contained in the token after the token is successfully verified;
and judging whether the client has the authority to access the resource server or not based on the user role information and the service line information, and if not, sending a message of refusing access to the client.
Optionally, verifying the token and acquiring the user role information and service line information contained in it after successful verification includes:
parsing the signature algorithm from the header of the token;
verifying the signature of the token against its payload using that signature algorithm and a pre-acquired public key (with a public key the signature is checked rather than recomputed, since only the holder of the private key can produce it);
if the signature carried by the token checks out, the token is verified successfully; if it does not, verification fails and an access denial message is sent to the client.
According to another aspect of the present invention, there is also provided an authority verification apparatus, specifically including the following components:
the first receiving module is used for receiving the verification request sent by the resource server; wherein the authentication request is issued when the resource server receives an access request sent by a client that does not contain a token, and the authentication request contains credential information for uniquely identifying the resource server;
the first authentication module is used for performing identity authentication on the resource server based on the credential information and acquiring a user name and a login password used for logging in the client under the condition that the identity authentication is passed;
the second verification module is used for performing identity verification on the client based on the user name and the login password and acquiring user role information and service line information of the client under the condition that the identity verification is passed;
a generating module, configured to generate a token corresponding to the resource server based on the user role information, the service line information, and the credential information;
and the first sending module is used for sending the token to the client so that the client can use the token to access the resource server.
According to another aspect of the present invention, there is also provided an authority verification apparatus, specifically including the following components:
a second receiving module, configured to receive an access request sent by a client, and determine whether the access request includes a token;
a second sending module, configured, when the access request does not include a token, to send a verification request including credential information to an authorization server, so that the authorization server authenticates the resource server based on the credential information; wherein the credential information uniquely identifies the resource server;
and an acquisition module, configured, when that authentication passes, to send the user name and login password used to log in to the client to the authorization server, so that the authorization server authenticates the client based on them and, if that authentication passes, generates the token the client uses to access the resource server.
According to another aspect of the present invention, there is also provided a rights verification system including: the authorization server introduced above and the resource server introduced above.
According to another aspect of the present invention, there is also provided a computer-readable storage medium comprising a stored data area storing data created according to the use of blockchain nodes and a stored program area storing a computer program which, when executed by a processor, implements the steps of the above-described authentication method.
According to the authority verification method and system provided by the invention, the authorization server issues credential information to each resource server, and when a client accesses a resource server for the first time the authorization server performs a double verification, checking both the resource server's credential information and the client's user name and login password, which ensures security. In addition, one client can access different resource servers, and the authorization server issues the client a separate token for each resource server, so that the client accesses each resource server with its corresponding token; the token carries user role information, service line information and validity period information. The method and system rely on the token being tamper-evident (any change to its contents invalidates its signature) to guarantee its legitimacy, and so achieve higher security.
Drawings
Various additional advantages and benefits will become apparent to those of ordinary skill in the art upon reading the following detailed description of the preferred embodiments. The drawings are only for purposes of illustrating the preferred embodiments and are not to be construed as limiting the invention. Also, like reference numerals are used to refer to like parts throughout the drawings. In the drawings:
fig. 1 is a flowchart of the authority verification method according to the first embodiment;
fig. 2 is a flowchart of the authority verification method according to the second embodiment;
fig. 3 is a schematic diagram of the program modules of the authorization server according to the third embodiment;
fig. 4 is a schematic diagram of the program modules of the resource server according to the fourth embodiment;
fig. 5 is a schematic diagram of the component structure of the authority verification system according to the fifth embodiment;
fig. 6 is a hardware architecture diagram of the computer device according to the sixth embodiment.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, the present invention is further described in detail below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are merely illustrative of the invention and do not limit the invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
Example one
The embodiment of the invention provides an authority verification method, applied to an authorization server on the property-insurance platform side. As shown in fig. 1, the method specifically comprises the following steps:
step S101: receiving a verification request sent by a resource server; wherein the validation request is issued when the resource server receives an access request sent by a client that does not include a token, and the validation request includes credential information for uniquely identifying the resource server.
In this embodiment, the resource server is the server of any insurance product system integrated on the insurance platform. When the client needs to access the resource server, it sends an access request to the resource server; the resource server judges whether the access request contains a token, verifies the token if so, and otherwise sends the verification request to the authorization server.
Specifically, before the receiving the authentication request sent by the resource server, the method further includes:
step A1: receiving an application request sent by the resource server; wherein the application request includes ID information of the resource server;
step A2: encoding the ID information into credential information using the Base64 algorithm;
step A3: and sending the credential information to the resource server.
In this embodiment, the authorization server issues corresponding credential information to each resource server in advance, so that the resource server can later be authenticated based on that credential information. It should be noted that the authorization server manages the authorization verification of multiple clients and multiple resource servers, and each resource server has its own credential information. Base64 is a reversible encoding rather than a secret, so a credential derived only from the server ID proves nothing more than knowledge of that ID; for the authentication in step S102 to be meaningful, the credential must be kept confidential to the resource server or carry a secret component.
Step S102: and performing identity authentication on the resource server based on the credential information, and acquiring a user name and a login password used for logging in the client under the condition that the identity authentication is passed.
Specifically, step S102 includes:
judging whether the credential information exists locally and, if so, treating the resource server as authenticated;
and receiving the user name and login password, sent by the resource server, that are used to log in to the client.
Step S103: and performing identity authentication on the client based on the user name and the login password, and acquiring user role information and service line information of the client under the condition that the identity authentication is passed.
Specifically, acquiring the user name and login password used to log in to the client and authenticating the client based on them includes:
judging whether a cookie corresponding to the client exists locally; if so, the user name and login password are not acquired and the cookie is verified instead; if not, the user name and login password are acquired and verified.
In this embodiment, different resource servers can be accessed through one client, and the authorization server configures a corresponding token for each resource server the client accesses. When the authorization server configures the token for the first resource server accessed by the client, it also configures a cookie that uniquely identifies the client; when the client then accesses other resource servers, the authorization server does not need to acquire the client's user name and login password again and directly verifies the client's cookie.
Step S104: generating a token corresponding to the resource server based on the user role information, the line of business information, and the credential information.
It should be noted that when one client accesses different resource servers, the authorization server generates a corresponding token for each resource server for that client, so that the client accesses different resource servers with different tokens. In addition, in this embodiment the client's access rights are controlled through the user role information and the service line information: a resource server holds sub-resources of different types, and to improve access security a given role on a given service line may access only specific sub-resources of a specific resource server. The user role information represents the role to which the client currently belongs, such as ordinary user, senior user or administrator, and the service line information represents the business to which the client currently belongs, for example the insurance application business, the claim settlement business or the consultation business.
Specifically, step S104 includes:
step B1: generating a JSON character string based on the user role information, the service line information and the credential information;
step B2: Base64-encoding the JSON character string to obtain the payload of the token;
step B3: generating the header of the token, which records the preset signature algorithm;
step B4: generating the signature of the token over the payload using the preset signature algorithm and the preset signing key (the private key corresponding to the public key that the resource server uses for verification);
step B5: concatenating the header, the payload and the signature to form the token.
Further, step B1 specifically includes:
acquiring the current system time as the token creation time, and generating the JSON character string from the token creation time, the user role information, the service line information, the credential information and the preset token validity duration.
In this embodiment a validity duration is set for the token, for example 30 minutes; the token is valid only within that duration and is otherwise invalid.
Step S105: and sending the token to the client so that the client can use the token to access the resource server.
Specifically, after step S105, the method further includes:
step C1: receiving a token update request sent by the client;
step C2: acquiring current system time, and regenerating a token based on the current system time;
step C3: and sending the regenerated token to the client.
After the client receives the token from the authorization server, it starts a timed task that periodically sends token update requests to the authorization server in line with the token validity duration. When the timed task runs, it judges whether the client has used the token to send access requests to the resource server; if so, a token update request is sent to the authorization server when the token expires, and if not, the token is deleted.
In this embodiment, when the client accesses the resource server, the resource server must verify the token provided by the client. If the client does not provide a token, the authorization server verifies the resource server's credential information and the client's user name and login password, obtains the client's user role information and service line information after verification passes, encapsulates them into a signed token and sends it to the client, so that the client carries the token on its subsequent accesses to the resource server.
Further, after the sending the token to the client, the method further includes:
receiving a token logout request sent by the resource server; wherein the token deregistration request is sent when the client logs out of the resource server.
In this embodiment, since the client accesses different resource servers with different tokens, the client can access several resource servers at the same time; when the client logs out of one resource server, its use of the other resource servers is not affected, which realizes unified login (single sign-on) with independent logout.
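The authorization-server side of Example one, from credential issuance (steps A1-A3) through the double verification (S102-S103), per-resource-server token generation (S104, steps B1-B5), token refresh (C1-C3) and token deregistration, as an added example that is not the patent's own code. It assumes a single shared HMAC-SHA256 signing key so that it runs on the Python standard library alone; the patent verifies with a public key, which in a real deployment means an asymmetric algorithm such as RS256 or ES256 so that resource servers hold no signing capability. The class and claim names (`AuthorizationServer`, `sub`, `aud`, `iat`, `ttl`), the PBKDF2 password storage and the random suffix on the credential are assumptions; the patent's step A2 derives the credential from the server ID by Base64 alone.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

TOKEN_TTL_SECONDS = 30 * 60   # preset validity duration; the patent's example is 30 minutes
PBKDF2_ROUNDS = 100_000       # assumption: the patent does not say how passwords are stored


def b64url(data: bytes) -> str:
    """Base64url without padding, the form used for each token part."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def payload_of(token: str) -> dict:
    """Decode the payload of a header.payload.signature token without verifying it."""
    part = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(part + "=" * (-len(part) % 4)))


class AuthorizationServer:
    def __init__(self, signing_key: bytes, now=time.time):
        self._key = signing_key
        self._now = now            # injectable clock so the flow can be exercised deterministically
        self._credentials = {}     # credential -> resource server ID (steps A1-A3)
        self._users = {}           # username -> (salt, password hash, role, line of business)
        self._cookies = {}         # cookie -> username; gives single sign-on across resource servers
        self._revoked = set()      # tokens deregistered by a resource server when a client logs out

    # steps A1-A3: a resource server applies once, in advance, for its credential
    def issue_credential(self, resource_server_id: str) -> str:
        # The patent Base64-encodes the server ID. Base64 is an encoding, not a secret,
        # so anyone who knows the ID could reproduce it; a random component is appended
        # here (an assumption of this example, not the patent's step A2).
        cred = b64url(resource_server_id.encode()) + "." + secrets.token_urlsafe(24)
        self._credentials[cred] = resource_server_id
        return cred

    def register_user(self, username: str, password: str, role: str, line: str) -> None:
        salt = secrets.token_bytes(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        self._users[username] = (salt, digest, role, line)

    # step S102: does the presented credential exist locally?
    def _resource_server_for(self, credential: str):
        for known, rs_id in self._credentials.items():
            if hmac.compare_digest(known.encode(), credential.encode()):
                return rs_id
        return None

    # step S103: a client that already holds a cookie is not asked for its password again
    def _authenticate_client(self, cookie, username, password):
        if cookie is not None and cookie in self._cookies:
            return self._cookies[cookie], cookie
        record = self._users.get(username) if username else None
        if record is None or password is None:
            return None, None
        salt, digest, _, _ = record
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        if not hmac.compare_digest(candidate, digest):
            return None, None
        cookie = secrets.token_urlsafe(32)   # first successful login: issue the single-sign-on cookie
        self._cookies[cookie] = username
        return username, cookie

    # step S104 / steps B1-B5: JSON payload, Base64url, header, signature, concatenation
    def _make_token(self, username: str, credential: str) -> str:
        _, _, role, line = self._users[username]
        header = {"alg": "HS256", "typ": "JWT"}
        payload = {"sub": username, "role": role, "line": line, "aud": credential,
                   "iat": int(self._now()), "ttl": TOKEN_TTL_SECONDS}
        signing_input = ".".join(b64url(json.dumps(part, separators=(",", ":")).encode())
                                 for part in (header, payload))
        signature = hmac.new(self._key, signing_input.encode(), hashlib.sha256).digest()
        return signing_input + "." + b64url(signature)

    # steps S101-S105: one verification request relayed by a resource server
    def handle_verification_request(self, credential, cookie=None, username=None, password=None):
        if self._resource_server_for(credential) is None:
            return {"error": "unknown resource server"}
        user, cookie = self._authenticate_client(cookie, username, password)
        if user is None:
            return {"error": "client authentication failed"}
        return {"token": self._make_token(user, credential), "cookie": cookie}

    # steps C1-C3: the client's timed task asks for a fresh token, identified by its cookie
    def refresh(self, credential: str, cookie: str):
        return self.handle_verification_request(credential, cookie=cookie)

    # token deregistration sent by a resource server when the client logs out of it alone
    def logout(self, token: str) -> None:
        self._revoked.add(token)

    def is_revoked(self, token: str) -> bool:
        return token in self._revoked
```

In the flow, the resource server relays the client's user name and password to `handle_verification_request` on the first visit; on later visits to other resource servers it relays only the cookie, and the server still issues a distinct token because the `aud` claim is the credential of the resource server being accessed. Because the tokens are self-contained, a logout only takes effect if resource servers consult `is_revoked` (or the token simply lapses at the end of its validity duration).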
Example two
The embodiment of the invention provides a permission verification method, which is applied to a resource server and specifically comprises the following steps as shown in figure 2:
step S201: an access request sent by a client is received, and whether a token is included in the access request is judged.
Step S202: under the condition that the token is not included, sending a verification request including credential information to an authorization server for the authorization server to perform identity verification on the resource server based on the credential information; wherein the credential information is used to uniquely identify the resource server.
Specifically, before step S202, the method further includes:
step D1: sending an application request to the authorization server, wherein the application request comprises ID information of the resource server, and the ID information is encoded into credential information by the authorization server by using a Base64 algorithm;
step D2: receiving the credential information sent by the authorization server.
In this embodiment, the authorization server issues corresponding credential information to each resource server in advance, so as to perform identity authentication on the resource server based on the credential information. It should be noted that the authorization server manages the authorization verification of multiple clients and multiple resource servers, and each resource server has corresponding credential information.
Step S203: if that authentication passes, sending the user name and login password used to log in to the client to the authorization server, so that the authorization server authenticates the client based on them and, if that authentication passes, generates the token the client uses to access the resource server.
Specifically, after receiving the access request sent by the client, the method further includes:
step E1: if the token is contained, verifying the token and acquiring user role information and service line information contained in the token after the token is successfully verified;
step E2: and judging whether the client has the authority to access the resource server or not based on the user role information and the service line information, and if not, sending a message of refusing access to the client.
Further, the verifying the token and acquiring the user role information and the service line information included in the token after the token is successfully verified specifically includes:
step E11: parsing the signature algorithm from the header of the token;
step E12: verifying the signature of the token against its payload according to that signature algorithm and a pre-acquired public key;
step E13: if the signature carried by the token checks out, the token was issued by the authorization server and verification succeeds; if it does not, verification fails and an access denial message is sent to the client.
Further, step E13 also includes:
acquiring the current system time together with the token creation time and token validity duration contained in the payload of the token, judging whether the token is within its validity period, and if not, sending an access denial message to the client.
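The resource-server side of Example two (steps S201-S202, E1-E2 and E11-E13 together with the validity-period check), as an added example that is not the patent's own code. It verifies an HMAC-SHA256 token, so `verify_key` is the same shared key the issuer used; with the patent's public-key scheme the comparison in E13 becomes a signature-verification call and the rest is unchanged. The `sign` helper exists only to build sample tokens inline. The `ResourceServer` class, the claim names, the access-control table and the error strings are assumptions. The one deliberate departure from the wording of E11 is the check a practitioner would insist on: the algorithm named in the header is compared against the algorithm the server expects rather than used to select the verifier, because a verifier that trusts the header accepts a token whose header says `"alg": "none"` or, with an asymmetric key, lets a client re-sign a forged payload by HMAC using the public key as the secret.

```python
import base64
import hashlib
import hmac
import json
import time

EXPECTED_ALG = "HS256"   # pinned: the header's "alg" is checked against this, never used to pick a verifier


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign(header: dict, payload: dict, key: bytes) -> str:
    """Minimal issuer, present only to build sample tokens for this example."""
    signing_input = ".".join(b64url(json.dumps(part, separators=(",", ":")).encode())
                             for part in (header, payload))
    signature = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(signature)


class ResourceServer:
    # which (role, service line) pairs may reach which sub-resource: a constructed table
    ACL = {
        "/claims/report": {("user", "claims"), ("admin", "claims")},
        "/underwriting/quote": {("senior", "underwriting"), ("admin", "underwriting")},
    }

    def __init__(self, credential: str, verify_key: bytes, now=time.time):
        self.credential = credential   # issued in advance by the authorization server (steps D1-D2)
        self._key = verify_key
        self._now = now

    def verify_token(self, token: str):
        """Steps E11-E13 plus the validity-period check. Returns (payload, None) or (None, reason)."""
        try:
            h_b64, p_b64, s_b64 = token.split(".")
            header = json.loads(b64url_decode(h_b64))
            payload = json.loads(b64url_decode(p_b64))
            given_sig = b64url_decode(s_b64)
        except (ValueError, UnicodeDecodeError):
            return None, "malformed token"
        if not isinstance(header, dict) or not isinstance(payload, dict):
            return None, "malformed token"
        # E11: read the algorithm from the header only to confirm it is the expected one.
        if header.get("alg") != EXPECTED_ALG:
            return None, "unexpected algorithm"
        # E12-E13: recompute the signature over header.payload and compare in constant time.
        expected = hmac.new(self._key, f"{h_b64}.{p_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, given_sig):
            return None, "bad signature"
        # The token is bound to one resource server through the credential it was generated from.
        if payload.get("aud") != self.credential:
            return None, "token not issued for this resource server"
        # Validity period: creation time plus the preset duration carried in the payload.
        iat, ttl = payload.get("iat"), payload.get("ttl")
        if not (isinstance(iat, int) and isinstance(ttl, int)):
            return None, "missing validity claims"
        if self._now() >= iat + ttl:
            return None, "token expired"
        return payload, None

    def handle_access(self, token, sub_resource: str):
        """Steps S201-S202 and E1-E2. Returns (decision, detail)."""
        if token is None:
            # S202: no token, so the server turns to the authorization server with its credential.
            return "redirect_to_authorization", self.credential
        payload, reason = self.verify_token(token)
        if reason is not None:
            return "denied", reason
        if (payload.get("role"), payload.get("line")) not in self.ACL.get(sub_resource, set()):
            return "denied", "role/line not permitted for this sub-resource"
        return "allowed", payload.get("sub")
```

The order of the checks matters: the cheap structural and algorithm checks run before the signature, and nothing in the payload (audience, role, validity period) is trusted until the signature over it has been verified, which is what gives the patent's "immutability of the token" its force.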
Example three
An embodiment of the present invention provides an authorization server, as shown in fig. 3, where the authorization server specifically includes the following components:
a first receiving module 301, configured to receive an authentication request sent by a resource server; wherein the validation request is issued when the resource server receives an access request sent by a client that does not include a token, and the validation request includes credential information for uniquely identifying the resource server;
a first authentication module 302, configured to perform authentication on the resource server based on the credential information, and obtain a user name and a login password used for logging in the client when the authentication is passed;
a second authentication module 303, configured to perform authentication on the client based on the user name and the login password, and obtain user role information and service line information of the client when the authentication is passed;
a generating module 304, configured to generate a token corresponding to the resource server based on the user role information, the service line information, and the credential information;
a first sending module 305, configured to send the token to the client, so that the client can use the token to access the resource server.
Specifically, the authorization server further includes:
a credential module for receiving an application request sent by the resource server; wherein the application request includes ID information of the resource server; encoding the ID information into credential information using the Base64 algorithm; and sending the credential information to the resource server.
Further, the generating module 304 is specifically configured to:
generating a JSON character string based on the user role information, the service line information and the credential information; encoding the JSON character string using the Base64 algorithm to obtain the payload of the token; generating the header of the token using a preset encryption algorithm; generating a signature of the token from the payload using a preset algorithm and a preset public key; and combining the payload, the header and the signature to form the token.
Further, the first receiving module 301 is further configured to:
receiving a token logout request sent by the resource server; wherein the token logout request is sent when the client logs out of the resource server.
Example four
An embodiment of the present invention provides a resource server, and as shown in fig. 4, the resource server specifically includes the following components:
a second receiving module 401, configured to receive an access request sent by a client, and determine whether the access request includes a token;
a second sending module 402, configured to send, when the access request does not include a token, a verification request including credential information to an authorization server, so that the authorization server performs identity verification on the resource server based on the credential information; wherein the credential information is used to uniquely identify the resource server;
an obtaining module 403, configured to send, to the authorization server, a user name and a login password used for logging in the client when the identity authentication is passed, so that the authorization server performs identity authentication on the client based on the user name and the login password, and generates a token used when the client accesses the resource server when the identity authentication is passed.
Specifically, the resource server further includes:
a parsing module, configured to verify the token when the access request includes one, and to acquire the user role information and the service line information contained in the token after the token is successfully verified; and to judge, based on the user role information and the service line information, whether the client has the authority to access the resource server, and if not, to send an access-refused message to the client.
Further, the parsing module is specifically configured to:
parsing the signature algorithm from the header of the token; calculating a signature over the payload of the token according to the signature algorithm and a pre-acquired public key; and parsing the signature from the token and comparing the calculated signature with it: if the two are consistent, the token is successfully verified; if they are inconsistent, verification of the token fails and an access-denied message is sent to the client.
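As an added illustration, not the patent's own code, the following Python puts the generating module's token construction (JSON payload, Base64, header, signature) beside the parsing module's verification, the step E13 expiry check and the role/service-line authorization check. Assumptions: HMAC-SHA256 with a key shared by the two servers stands in for the patent's preset signature algorithm and key; the claim names, the access table and all sample values are constructed.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed sample values (hypothetical, not from the patent).
RESOURCE_SERVER_ID = "claims-service"
# The patent derives a resource server's credential by Base64-encoding its ID.
# Base64 is an encoding, not a secret: the credential identifies the server,
# it does not by itself prove the server's identity.
CREDENTIAL = base64.b64encode(RESOURCE_SERVER_ID.encode()).decode()
# Assumption: HMAC-SHA256 with a key shared by the authorization server and the
# resource server stands in for the patent's "preset algorithm and preset key".
SIGNING_KEY = b"constructed-demo-key-do-not-reuse"
ALLOWED_ALGS = {"HS256"}  # allowlist: the header names the algorithm, the verifier decides


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(header_b64: str, payload_b64: str, key: bytes) -> str:
    message = f"{header_b64}.{payload_b64}".encode()
    return _b64url(hmac.new(key, message, hashlib.sha256).digest())


def issue_token(role, service_line, credential, ttl_seconds, key=SIGNING_KEY, now=None):
    """Authorization server side: JSON payload -> Base64, header, signature, joined by dots."""
    now = int(time.time()) if now is None else now
    payload = {"role": role, "line": service_line, "cred": credential,
               "iat": now, "ttl": ttl_seconds}
    header_b64 = _b64url(json.dumps({"alg": "HS256"}, separators=(",", ":")).encode())
    payload_b64 = _b64url(json.dumps(payload, separators=(",", ":")).encode())
    return f"{header_b64}.{payload_b64}.{_sign(header_b64, payload_b64, key)}"


# Constructed authorization table for one resource server: which user role on
# which service line may reach which sub-resource (the access rule of claim 1).
ACL = {
    ("adjuster", "auto"): {"/claims/auto"},
    ("adjuster", "property"): {"/claims/property"},
}


def check_access(token, sub_resource, my_credential=CREDENTIAL, key=SIGNING_KEY, now=None):
    """Resource server side. Returns (allowed, reason); reason names the refusal cause."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed"
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
    except ValueError:  # covers bad Base64, bad UTF-8 and bad JSON
        return False, "bad header"
    # Claim 7, step 1: read the signature algorithm from the header, but only
    # accept an allowlisted one rather than whatever the token names.
    if not isinstance(header, dict) or header.get("alg") not in ALLOWED_ALGS:
        return False, "unsupported alg"
    # Claim 7, steps 2-3: recompute the signature over the payload and compare
    # it with the one carried in the token, in constant time.
    expected = _sign(header_b64, payload_b64, key)
    if not hmac.compare_digest(expected.encode(), sig_b64.encode()):
        return False, "bad signature"
    try:
        payload = json.loads(_b64url_decode(payload_b64))
    except ValueError:
        return False, "bad payload"
    if not isinstance(payload, dict):
        return False, "bad payload"
    # Each token is issued for one resource server; reject tokens meant for another.
    if payload.get("cred") != my_credential:
        return False, "wrong resource server"
    # Step E13 addition: creation time plus validity duration against the current time.
    iat, ttl = payload.get("iat"), payload.get("ttl")
    if not (isinstance(iat, int) and isinstance(ttl, int)) or now >= iat + ttl:
        return False, "expired"
    # Claim 6: user role and service line decide whether this sub-resource is reachable.
    if sub_resource not in ACL.get((payload.get("role"), payload.get("line")), set()):
        return False, "forbidden"
    return True, "ok"
```

The signature covers header and payload together, so a change to either part fails the comparison before any claim in the payload is trusted.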
Example five
An embodiment of the present invention provides a right verification system, as shown in fig. 5, where the right verification system includes: the authorization server 501 introduced in the third embodiment and the resource server 502 introduced in the fourth embodiment.
For specific functions that can be realized by the authorization server 501, reference is made to the third embodiment, and details are not repeated here; for specific functions that can be realized by the resource server 502, reference is made to the fourth embodiment, and details are not repeated here.
Example six
This embodiment also provides a computer device capable of executing programs, such as a smart phone, a tablet computer, a notebook computer, a desktop computer, a rack server, a blade server or a tower server (including an independent server or a server cluster composed of a plurality of servers), and the like. As shown in fig. 6, the computer device 60 of the present embodiment includes at least, but is not limited to, a memory 601 and a processor 602 communicatively coupled to each other via a system bus. It should be noted that fig. 6 only shows the computer device 60 having the components 601 and 602, but it should be understood that not all of the shown components are required to be implemented, and that more or fewer components can be implemented instead.
In this embodiment, the memory 601 (i.e., a readable storage medium) includes a flash memory, a hard disk, a multimedia card, a card-type memory (e.g., SD or DX memory, etc.), a Random Access Memory (RAM), a Static Random Access Memory (SRAM), a Read-Only Memory (ROM), an Electrically Erasable Programmable Read-Only Memory (EEPROM), a Programmable Read-Only Memory (PROM), a magnetic memory, a magnetic disk, an optical disk, and the like. In some embodiments, the memory 601 may be an internal storage unit of the computer device 60, such as a hard disk or a memory of the computer device 60. In other embodiments, the memory 601 may also be an external storage device of the computer device 60, such as a plug-in hard disk, a Smart Media Card (SMC), a Secure Digital (SD) card or a Flash Card provided on the computer device 60. Of course, the memory 601 may also include both internal and external storage devices of the computer device 60. In this embodiment, the memory 601 is generally used for storing an operating system and various application software installed in the computer device 60, such as the program code of the right verifying apparatus of the second embodiment. Further, the memory 601 may also be used to temporarily store various types of data that have been output or are to be output.
In some embodiments, the processor 602 may be a Central Processing Unit (CPU), a controller, a microcontroller, a microprocessor, or another data processing chip. The processor 602 is typically used to control the overall operation of the computer device 60.
Specifically, in this embodiment, the processor 602 is configured to execute a program of the right verification method stored in the processor 602, and when executed, the program of the right verification method implements the following steps:
receiving a verification request sent by a resource server; wherein the validation request is issued when the resource server receives an access request sent by a client that does not include a token, and the validation request includes credential information for uniquely identifying the resource server;
performing identity authentication on the resource server based on the credential information, and acquiring a user name and a login password used for logging in the client under the condition that the identity authentication is passed;
performing identity authentication on the client based on the user name and the login password, and acquiring user role information and service line information of the client under the condition that the identity authentication is passed;
generating a token corresponding to the resource server based on the user role information, the service line information and the credential information;
and sending the token to the client so that the client can use the token to access the resource server.
For the specific implementation of the above method steps, refer to the first embodiment; the details are not repeated here.
Further, in this embodiment, the processor 602 is configured to execute a program of the right verification method stored in the processor 602, and when executed, the program of the right verification method may further implement the following steps:
receiving an access request sent by a client, and judging whether the access request contains a token or not;
under the condition that the token is not included, sending a verification request including credential information to an authorization server for the authorization server to perform identity verification on the resource server based on the credential information; wherein the credential information is used to uniquely identify the resource server;
and under the condition that the authentication is passed, sending a user name and a login password used for logging in the client to the authorization server so that the authorization server can carry out the authentication on the client based on the user name and the login password, and generating a token used when the client accesses the resource server under the condition that the authentication is passed.
For the specific implementation of the above method steps, refer to the second embodiment; the details are not repeated here.
Example seven
The present embodiment also provides a computer-readable storage medium, such as a flash memory, a hard disk, a multimedia card, a card-type memory (e.g., SD or DX memory, etc.), a Random Access Memory (RAM), a Static Random Access Memory (SRAM), a Read-Only Memory (ROM), an Electrically Erasable Programmable Read-Only Memory (EEPROM), a Programmable Read-Only Memory (PROM), a magnetic memory, a magnetic disk, an optical disk, a server, an app store, etc., having stored thereon a computer program that, when executed by a processor, implements the following method steps:
receiving a verification request sent by a resource server; wherein the validation request is issued when the resource server receives an access request sent by a client that does not include a token, and the validation request includes credential information for uniquely identifying the resource server;
performing identity authentication on the resource server based on the credential information, and acquiring a user name and a login password used for logging in the client under the condition that the identity authentication is passed;
performing identity authentication on the client based on the user name and the login password, and acquiring user role information and service line information of the client under the condition that the identity authentication is passed;
generating a token corresponding to the resource server based on the user role information, the service line information and the credential information;
and sending the token to the client so that the client can use the token to access the resource server.
For the specific implementation of the above method steps, refer to the first embodiment; the details are not repeated here.
Further, the computer-readable storage medium may mainly include a storage program area and a storage data area, wherein the storage program area may store an operating system, an application program required for at least one function, and the like; the storage data area may store data created according to the use of the blockchain node, and the like.
The blockchain is a novel application mode of computer technologies such as distributed data storage, peer-to-peer transmission, consensus mechanisms and encryption algorithms. A blockchain, which is essentially a decentralized database, is a string of data blocks linked by a cryptographic method; each data block contains information on a batch of network transactions, which is used for verifying the validity (anti-counterfeiting) of the information and for generating the next block. The blockchain may include a blockchain underlying platform, a platform product service layer, an application service layer, and the like.
The computer program may furthermore, when being executed by a processor, realize the following method steps:
receiving an access request sent by a client, and judging whether the access request contains a token or not;
under the condition that the token is not contained, sending a verification request containing credential information to an authorization server for the authorization server to perform identity verification on the resource server based on the credential information; wherein the credential information is used to uniquely identify the resource server;
and under the condition that the authentication is passed, sending a user name and a login password used for logging in the client to the authorization server so that the authorization server can carry out the authentication on the client based on the user name and the login password, and generating a token used when the client accesses the resource server under the condition that the authentication is passed.
For the specific implementation of the above method steps, refer to the second embodiment; the details are not repeated here.
It should be noted that, in this document, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element identified by the phrase "comprising an … …" does not exclude the presence of other identical elements in the process, method, article, or apparatus that comprises the element.
The above-mentioned serial numbers of the embodiments of the present invention are merely for description and do not represent the merits of the embodiments.
Through the above description of the embodiments, those skilled in the art will clearly understand that the method of the above embodiments can be implemented by software plus a necessary general hardware platform, and certainly can also be implemented by hardware, but in many cases, the former is a better implementation manner.
The above description is only a preferred embodiment of the present invention, and not intended to limit the scope of the present invention, and all modifications of equivalent structures and equivalent processes, which are made by using the contents of the present specification and the accompanying drawings, or directly or indirectly applied to other related technical fields, are included in the scope of the present invention.

Claims (10)

1. An authority verification method, applied to an authorization server, the method comprising:
receiving a verification request sent by a resource server; wherein the validation request is issued when the resource server receives an access request sent by a client that does not include a token, and the validation request includes credential information for uniquely identifying the resource server;
performing identity authentication on the resource server based on the credential information, and acquiring a user name and a login password used for logging in the client under the condition that the identity authentication is passed;
performing identity authentication on the client based on the user name and the login password, and acquiring user role information and service line information of the client under the condition that the identity authentication is passed;
generating a token corresponding to the resource server based on the user role information, the service line information and the credential information; the token controls the access authority of the client through user role information and service line information so that a specific user role on a specific service line can only access the specified sub-resources in the specified resource server;
sending the token to the client for the client to use the token to access the resource server;
the authorization server issues corresponding credential information to each resource server in advance for performing identity authentication on the resource servers based on the credential information, and the authorization server generates corresponding tokens for each resource server for the client to access different resource servers according to different tokens.
2. The rights verification method of claim 1, wherein prior to said receiving a verification request sent by a resource server, the method further comprises:
receiving an application request sent by the resource server; wherein the application request includes ID information of the resource server;
encoding the ID information into credential information using the Base64 algorithm;
and sending the credential information to the resource server.
3. The method for right verification according to claim 1, wherein the generating a token corresponding to the resource server based on the user role information, the service line information, and the credential information specifically includes:
generating a JSON character string based on the user role information, the service line information and the credential information;
encoding the JSON character string by using a Base64 algorithm to obtain a payload load of the token;
generating a header of the token by using a preset encryption algorithm;
generating a signature of the token according to the payload load by using a preset algorithm and a preset public key;
combining the payload, the header and the signature to form the token.
4. The privilege verification method according to claim 1, wherein after the sending the token to the client, the method further comprises:
receiving a token logout request sent by the resource server; wherein the token deregistration request is sent when the client logs out of the resource server.
5. An authority verification method, applied to a resource server, the method comprising:
receiving an access request sent by a client, and judging whether the access request contains a token or not;
under the condition that the token is not included, sending a verification request including credential information to an authorization server for the authorization server to perform identity verification on the resource server based on the credential information; wherein the credential information is used to uniquely identify the resource server;
under the condition that the identity authentication is passed, a user name and a login password used for logging in the client are sent to the authorization server, so that the authorization server can carry out identity authentication on the client based on the user name and the login password, and a token used when the client accesses the resource server is generated based on user role information, service line information and credential information of the client under the condition that the identity authentication is passed; the token controls the access authority of the client through user role information and service line information so that a specific user role on a specific service line can only access the specified sub-resources in the specified resource server;
the authorization server issues corresponding credential information to each resource server in advance for performing identity authentication on the resource servers based on the credential information, and the authorization server generates corresponding tokens for each resource server for the client to access different resource servers according to different tokens.
6. The privilege verification method according to claim 5, wherein after the receiving the access request sent by the client, the method further comprises:
if the token is contained, verifying the token and acquiring user role information and service line information contained in the token after the token is successfully verified;
and judging whether the client has the authority to access the resource server or not based on the user role information and the service line information, and if not, sending an access refusing message to the client.
7. The method for right verification according to claim 6, wherein the verifying the token and obtaining the user role information and the service line information included in the token after successful verification specifically comprises:
parsing a signature algorithm from the header of the token;
calculating a signature based on the payload load of the token according to the signature algorithm and a pre-acquired public key;
and parsing the signature from the token and comparing the calculated signature with it: if the two are consistent, the token is successfully verified; if they are inconsistent, verification of the token fails and an access-denied message is sent to the client.
8. An authorization server, characterized in that the authorization server comprises:
the first receiving module is used for receiving the verification request sent by the resource server; wherein the validation request is issued when the resource server receives an access request sent by a client that does not include a token, and the validation request includes credential information for uniquely identifying the resource server;
the first authentication module is used for performing identity authentication on the resource server based on the credential information and acquiring a user name and a login password used for logging in the client under the condition that the identity authentication is passed;
the second verification module is used for performing identity verification on the client based on the user name and the login password and acquiring user role information and service line information of the client under the condition that the identity verification is passed;
a generating module, configured to generate a token corresponding to the resource server based on the user role information, the service line information, and the credential information; the token controls the access authority of the client through user role information and service line information so that a specific user role on a specific service line can only access the specified sub-resources in the specified resource server;
the first sending module is used for sending the token to the client so that the client can use the token to access the resource server;
the authorization server issues corresponding credential information to each resource server in advance for performing identity authentication on the resource servers based on the credential information, and the authorization server generates corresponding tokens for each resource server for the client to access different resource servers according to different tokens.
9. A resource server, characterized in that the resource server comprises:
the second receiving module is used for receiving the access request sent by the client and judging whether the access request contains a token or not;
a second sending module, configured to send, to an authorization server, a verification request including credential information without including a token, so that the authorization server performs identity verification on the resource server based on the credential information; wherein the credential information is used to uniquely identify the resource server;
the acquisition module is used for sending a user name and a login password used for logging in the client to the authorization server under the condition that the identity authentication is passed, so that the authorization server can carry out identity authentication on the client based on the user name and the login password, and a token used when the client accesses the resource server is generated based on user role information, service line information and credential information of the client under the condition that the identity authentication is passed; the token controls the access authority of the client through user role information and service line information so that a specific user role on a specific service line can only access the specified sub-resources in the specified resource server;
the authorization server issues corresponding credential information to each resource server in advance for performing identity authentication on the resource servers based on the credential information, and the authorization server generates corresponding tokens for each resource server for the client to access different resource servers according to different tokens.
10. A rights verification system, comprising: an authorization server as claimed in claim 8 and a resource server as claimed in claim 9.
CN202010595105.1A 2020-06-28 2020-06-28 Authority verification method and system Active CN111756753B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010595105.1A CN111756753B (en) 2020-06-28 2020-06-28 Authority verification method and system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202010595105.1A CN111756753B (en) 2020-06-28 2020-06-28 Authority verification method and system

Publications (2)

Publication Number Publication Date
CN111756753A CN111756753A (en) 2020-10-09
CN111756753B true CN111756753B (en) 2022-09-23

Family

ID=72677428






Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant