CN111770068B - Consistency authentication method based on optimal link selection - Google Patents

Consistency authentication method based on optimal link selection

Info

Publication number
CN111770068B
CN111770068B
Authority
CN
China
Prior art keywords
service
token
user
client
access
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202010543485.4A
Other languages
Chinese (zh)
Other versions
CN111770068A (en)
Inventor
李勇刚
朱燕
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Shanghai Yixu Network Technology Co ltd
Original Assignee
Shanghai Yixu Network Technology Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Shanghai Yixu Network Technology Co ltd
Priority to CN202010543485.4A
Publication of CN111770068A
Application granted
Publication of CN111770068B
Legal status: Active
Anticipated expiration

Classifications

    • H ELECTRICITY › H04 ELECTRIC COMMUNICATION TECHNIQUE › H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION › H04L63/00 Network architectures or network communication protocols for network security › H04L63/08 ... for authentication of entities › H04L63/083 ... using passwords
    • H ELECTRICITY › H04 ELECTRIC COMMUNICATION TECHNIQUE › H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION › H04L63/00 Network architectures or network communication protocols for network security › H04L63/08 ... for authentication of entities › H04L63/0807 ... using tickets, e.g. Kerberos
    • H ELECTRICITY › H04 ELECTRIC COMMUNICATION TECHNIQUE › H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION › H04L63/00 Network architectures or network communication protocols for network security › H04L63/08 ... for authentication of entities › H04L63/0876 ... based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
    • H ELECTRICITY › H04 ELECTRIC COMMUNICATION TECHNIQUE › H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION › H04L67/00 Network arrangements or protocols for supporting network services or applications › H04L67/01 Protocols › H04L67/10 Protocols in which an application is distributed across nodes in the network › H04L67/1001 ... for accessing one among a plurality of replicated servers › H04L67/1004 Server selection for load balancing
    • H ELECTRICITY › H04 ELECTRIC COMMUNICATION TECHNIQUE › H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION › H04L67/00 Network arrangements or protocols for supporting network services or applications › H04L67/01 Protocols › H04L67/10 Protocols in which an application is distributed across nodes in the network › H04L67/1097 ... for distributed storage of data in networks, e.g. transport arrangements for network file system [NFS], storage area networks [SAN] or network attached storage [NAS]

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Power Engineering (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

The consistency authentication method based on optimal link selection comprises the following steps: the client sends a user name, a password and the identifier of the service A it wants to access; the authentication center verifies that the user is valid, generates a unique token for this authentication of the user, extracts the access address of service A and responds to the client; the authentication center records the token corresponding to the user name and the access address of service A in a cache pool; the client obtains the token and the access address of service A, calculates a secret key and accesses the address of service A carrying the user name and the secret key; a service receives the user request and verifies whether the request header carries a user name and a secret key; if so, the service checks whether token information for the user exists in its local cache; if not, the service obtains the requesting user's token by calling the authentication center and caches it locally; once it holds the token, the service retrieves the locally cached user token by the user name transmitted by the client, calculates the secret key for comparison, and responds to the client request if the secret keys are consistent.

Description

Consistency authentication method based on optimal link selection
Technical Field
The invention relates to a consistency authentication method based on optimal link selection. It can be applied to a mobile app client or a PC web client and, when the server side is accessed, selects the optimal link address for the client according to the client's network environment and the machine load of the service side. A unique token issued by the center in a single authentication is used to authenticate against multiple application services, so the authentication token is consistent across services.
Background
In the prior art, a fixed key or nginx is generally used to forward each service request: after the gateway verifies the key, it forwards the request to the server to obtain the service data.
The server side authenticates the interface by identity verification: once the identity is verified it returns a time-limited user token to the client, the token carries the user's legitimate identity information, and the client must carry the user token in every service request. For multiple application services, the server side commonly uses an nginx reverse proxy to load-balance and forward user requests.
When the client accesses a service with the user token, nginx forwards the request and the token to the specified service, and that service checks the token for validity and decides whether to answer the client request or refuse access.
The prior art has the following defects: 1. nginx forwards service requests, and real-time weighting cannot be guaranteed; 2. the token is fixed, so it can leak, and ultimately the service data leaks; 3. when a service fails, the nginx configuration file has to be modified.
Disclosure of Invention
To address these problems and defects in the prior art, the invention provides a consistency authentication method based on optimal link selection.
The invention solves the technical problems with the following technical scheme:
the invention provides a consistency authentication method based on optimal link selection, characterized by comprising the following steps:
S1, the client sends a user name, a password and the identifier of the service A to be accessed to an authentication center; the authentication center verifies the validity of the user, proceeds to step S2 if the user is valid, and otherwise responds to the client that it is not legitimate;
S2, the authentication center generates a unique token for the user's current authentication, extracts the access address of service A and responds to the client, the access address comprising a primary address and a standby address;
S3, the authentication center records the token corresponding to the user name and the access address of service A in a cache pool for other services to verify against;
S4, the client obtains the token and the access address of service A, calculates a secret key with a key algorithm, and accesses the address of service A carrying the user name and the secret key;
S5, a service in the service cluster receives the user request and verifies whether the request header carries a user name and a secret key; if so, proceed to step S6, otherwise the illegal client request is not answered;
S6, the service checks whether token information for the user exists in its local cache; if not, proceed to step S7, if so, proceed to step S8;
S7, the service obtains the requesting user's token by calling the authentication center, caches it locally and proceeds to step S8; if the token does not exist, the service responds that the user is not authenticated and refuses to serve the requested data;
S8, the service retrieves the locally cached user token by the user name transmitted by the client, calculates the secret key for comparison, responds to the client request if the keys are consistent, and responds that the request is illegal if they are not.
Preferably, the client accesses the primary address of the service and automatically switches to the standby address when the response times out; when the client accesses the standby address of the service and that response also times out, the service responds that the client needs to re-authenticate.
Preferably, when the client has fallen back to the standby address of the service, the authentication center removes the failed primary/standby machines and screens the optimal service access address again.
Preferably, after step S8 step S1 is entered again for re-authentication, and the authentication center guarantees the token validity period for a user already authenticated in the cache by extending the cache lease.
Preferably, the lease of each service's cached user token in the service cluster is set to a fixed validity, so that the local token is passively synchronized with the central token.
On the basis of common knowledge in the field, the above preferred conditions can be combined arbitrarily to obtain the preferred embodiments of the invention.
The positive effects of the invention are as follows:
1. the authentication center supports multi-platform access from PC and mobile clients;
2. the authentication center uses multi-network load balancing to ensure optimal access over the user's various network links;
3. the authentication center uses an efficient caching technique to ensure high-concurrency authentication and response;
4. the authentication center controls the state of the cluster hosts, screens the optimal and sub-optimal hosts of a cluster service, and guarantees optimal primary/standby links for the user's service;
5. the authentication center adds or replaces a service cluster host by key, achieving seamless parallel expansion and switching;
6. the authentication center's authentication token is unique, which keeps the token consistent across the services it supports and reduces the authentication load on the center.
Drawings
Fig. 1 is a flowchart of a consistency authentication method based on optimal link selection according to an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are some, but not all, embodiments of the present invention. All other embodiments, which can be obtained by a person skilled in the art without any inventive step based on the embodiments of the present invention, are within the scope of the present invention.
Example 1
As shown in Fig. 1, this embodiment provides a consistency authentication method based on optimal link selection, comprising the following steps:
S1, the client sends a user name, a password and the identifier of the service A to be accessed to an authentication center; the authentication center verifies the validity of the user, proceeds to step S2 once the user is verified as valid, and otherwise responds to the client that it is not legitimate.
S2, the authentication center generates a unique token for the user's current authentication, extracts the access address (primary/standby) of service A by an algorithm and responds to the client; the access address comprises a primary address and a standby address.
S3, the authentication center records the token corresponding to the user name and the access address of service A in a cache pool for other services to verify against.
S4, the client obtains the token and the access address of service A, calculates a secret key with a key algorithm (over the user name, the token, a random code and the request time), and accesses the address of service A carrying the user name and the secret key.
S5, service A receives the user request and verifies whether the request header carries a user name and a secret key; if so, proceed to step S6, otherwise the illegal client request is not answered.
S6, service A checks whether token information for the user exists in its local cache; if not, proceed to step S7, if so, proceed to step S8.
S7, service A obtains the requesting user's token by calling the authentication center, caches it locally and proceeds to step S8; if the token does not exist, service A responds that the user is not authenticated and refuses to serve the requested data.
S8, service A retrieves the locally cached user token by the user name transmitted by the client, calculates the secret key for comparison, responds to the client request if the keys are consistent, and responds that the request is illegal if they are not.
The exception handling process is as follows:
1) the client accesses the primary address of service A and automatically switches to the standby address when the response times out; the standby address then completes the steps above;
2) the client accesses the standby address of service A; if that response also times out, service A responds that the client needs to authenticate again;
3) when step 2) is entered, the authentication center removes the failed primary and standby machines and screens the optimal service access address again.
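The steps S1 to S8 above, together with the cache miss/hit behaviour of S6 and S7, are easier to reason about in code. The following is an added example and not the patent's own code: it models the authentication center, one service host and the client in a single process. The class and function names (AuthCenter, Service, derive_key, build_request, run_flow), the header names and the use of HMAC-SHA256 as the key algorithm are assumptions; the patent only states that the key is computed from the user name, the token, a random code and the request time. The credentials and addresses are constructed sample data.

```python
"""Added example, not the patent's own code: a single-process model of steps
S1-S8. Class/function names, header names and the HMAC-SHA256 key algorithm
are assumptions; the patent only says the key is computed from the user
name, token, random code and request time."""
import hashlib
import hmac
import secrets


def derive_key(username: str, token: str, nonce: str, req_time: str) -> str:
    """Key algorithm of S4 (assumed): HMAC-SHA256 keyed with the token over
    user name, random code and request time. The token never travels in the
    request and every request carries a fresh key."""
    msg = f"{username}|{nonce}|{req_time}".encode()
    return hmac.new(token.encode(), msg, hashlib.sha256).hexdigest()


class AuthCenter:
    """S1-S3: verify the user, issue a unique token plus the primary/standby
    address of the requested service, record the token in the cache pool."""

    def __init__(self, users: dict, services: dict):
        self.users = users        # constructed user name -> password table
        self.services = services  # service id -> (primary, standby) address
        self.cache_pool = {}      # user name -> token of the latest authentication
        self.lookups = 0          # how often a service had to call the center

    def authenticate(self, username, password, service_id):
        if not hmac.compare_digest(self.users.get(username, ""), password):
            return None           # invalid user: the client is told so
        token = secrets.token_hex(16)
        self.cache_pool[username] = token
        primary, standby = self.services[service_id]
        return {"token": token, "primary": primary, "standby": standby}

    def lookup_token(self, username):
        self.lookups += 1
        return self.cache_pool.get(username)


class Service:
    """One host of the service cluster (S5-S8) with a leased local token cache."""

    def __init__(self, name, center, lease_seconds):
        self.name, self.center, self.lease = name, center, lease_seconds
        self.local_cache = {}     # user name -> (token, lease expiry)

    def handle(self, headers: dict, now: float):
        required = ("X-User", "X-Nonce", "X-Time", "X-Key")  # assumed header names
        if any(h not in headers for h in required):
            return 400, "illegal request"                    # S5
        user = headers["X-User"]
        cached = self.local_cache.get(user)
        if cached is None or cached[1] <= now:               # S6: miss or lease ended
            token = self.center.lookup_token(user)           # S7: ask the center once
            if token is None:
                return 401, "user not authenticated"
            self.local_cache[user] = (token, now + self.lease)
        token = self.local_cache[user][0]                    # S8: recompute and compare
        expected = derive_key(user, token, headers["X-Nonce"], headers["X-Time"])
        if not hmac.compare_digest(expected, headers["X-Key"]):
            return 403, "illegal request"
        return 200, f"data from {self.name}"


def build_request(username, token, now):
    """Client side of S4. Nonce and request time travel with the key so the
    service can recompute it (assumed; the patent names only user name and key)."""
    nonce, req_time = secrets.token_hex(8), str(int(now))
    return {"X-User": username, "X-Nonce": nonce, "X-Time": req_time,
            "X-Key": derive_key(username, token, nonce, req_time)}


def run_flow():
    """Walks Example 1 (service A), Example 2 (service B, same token) and the
    lease expiry of Example 3; returns status codes and center call counts."""
    center = AuthCenter({"alice": "correct horse"},            # constructed credentials
                        {"A": ("10.0.0.11", "10.0.0.12"),      # constructed addresses
                         "B": ("10.0.1.11", "10.0.1.12")})
    svc_a, svc_b = Service("A", center, 300), Service("B", center, 300)
    t0, r = 1_700_000_000, {}
    r["bad_password"] = center.authenticate("alice", "wrong", "A") is None
    token = center.authenticate("alice", "correct horse", "A")["token"]
    r["first_a"] = svc_a.handle(build_request("alice", token, t0), t0)[0]
    r["lookups_after_first"] = center.lookups      # 1: local miss, fetched from center
    r["second_a"] = svc_a.handle(build_request("alice", token, t0 + 1), t0 + 1)[0]
    r["lookups_after_second"] = center.lookups     # still 1: local cache hit
    r["b_same_token"] = svc_b.handle(build_request("alice", token, t0 + 2), t0 + 2)[0]
    r["lookups_after_b"] = center.lookups          # 2: B had its own first miss
    r["forged_key"] = svc_a.handle(build_request("alice", "not-the-token", t0 + 3), t0 + 3)[0]
    r["missing_header"] = svc_a.handle({"X-User": "alice"}, t0 + 3)[0]
    r["unknown_user"] = svc_a.handle(build_request("mallory", token, t0 + 3), t0 + 3)[0]
    later = t0 + 301                               # Example 3: A's 300 s lease has ended
    r["after_lease"] = svc_a.handle(build_request("alice", token, later), later)[0]
    r["lookups_after_lease"] = center.lookups      # 4: mallory miss + A's re-sync
    return r
```

Two points the model makes visible: the service never sees the password, only a per-request key it can recompute from the cached token, and the centre is contacted once per host per lease rather than once per request. What the model leaves out, and a deployment would add on top of the patent's steps, is rejecting X-Time values outside a short window and remembering recent nonces, so that a captured request cannot be replayed within the token's lifetime, and carrying all of it over TLS.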
Example 2
This embodiment builds on embodiment 1. If a service B is requested, steps S1 to S4 are the same as steps S1 to S4 of embodiment 1, and the following steps are:
S5', service B receives the user request and verifies whether the request header carries a user name and a secret key; if so, proceed to step S6', otherwise the illegal client request is not answered.
S6', service B checks whether token information for the user exists in its local cache; if not, proceed to step S7', if so, proceed to step S8'.
S7', service B obtains the requesting user's token by calling the authentication center, caches it locally and proceeds to step S8'; if the token does not exist, service B responds that the user is not authenticated and refuses to serve the requested data.
S8', service B retrieves the locally cached user token by the user name transmitted by the client, calculates the secret key for comparison, responds to the client request if the keys are consistent, and responds that the request is illegal if they are not.
Example 3
After step S8 of embodiment 1, step S1 is entered again for re-authentication, and the authentication center guarantees the token validity period for a user already authenticated in the cache by extending the cache lease; the lease of the cached user token at service A and service B is set to a fixed validity, so that the local token is passively synchronized with the central token.
In summary: 1. the Nginx central service uses domain name plus multiple gateway services for load balancing, and is configured to receive verification requests, verify and check the cluster services, and collect each machine's state reports (number of connections, load, CPU, memory, etc.).
2. Each machine of a service cluster can run its service independently, with its own API (application programming interface) and cache, and once token registration has succeeded it serves users without depending on the central network; when a server fails and the client can reach neither the primary nor the standby address, the client authenticates a second time at the center and obtains a new service address, so user access is guaranteed and the service is uninterrupted.
3. When machines of a service cluster are switched, only the service address has to be changed manually to the latest address in the central service.
4. When the PC client or mobile APP sends the user's verification information and the identifier of the requested service, the Nginx service center receives the request, checks the user information in the database, and calculates the unique token information.
5. The Nginx service center calculates the current optimal 2 lines according to the service identifier and returns them to the client as the primary service address and the standby service address, together with the token information.
6. The Nginx service center records the client's token and primary/standby service addresses in a cache service, sets their validity, and automatically clears them when they time out.
7. The client accesses the optimal service address with the token returned by the center to retrieve service data.
8. When a client accesses a service for the first time, the service host actively checks the registration state of the token with the central service; once the check succeeds, the token is registered in the local cache with a validity period, so that subsequent verification does not go to the center.
9. When the service host receives further requests from the client, it checks the token locally, completes verification and answers the request.
10. When the service's local token expires, the client goes back to the center for verification as in item 4, completes registration and has its request answered.
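Items 1 and 5 describe the centre collecting machine-state reports and turning them into the "optimal 2 lines" returned as primary and standby address, while exception handling step 3 describes removing failed hosts and screening again. The following is an added example of one way to do that selection; it is not the patent's own code. The score weights, the 30-second staleness window, the class and function names (HostReport, LinkSelector, demo) and the host data are all assumptions or constructed sample values.

```python
"""Added example, not the patent's own code: ranking cluster hosts from their
state reports and returning the best two as primary/standby. Weights, the
staleness window and all names are assumptions."""
from dataclasses import dataclass


@dataclass
class HostReport:
    """State a cluster host reports to the centre; load, cpu and memory are
    ratios from 0.0 (idle) to 1.0 (saturated)."""
    address: str
    connections: int
    load: float
    cpu: float
    memory: float
    reported_at: float


class LinkSelector:
    def __init__(self, max_report_age: float = 30.0):
        self.max_report_age = max_report_age
        self.reports = {}   # service id -> {address: latest HostReport}
        self.failed = {}    # service id -> addresses taken out of rotation

    def report(self, service_id: str, rep: HostReport) -> None:
        self.reports.setdefault(service_id, {})[rep.address] = rep

    def mark_failed(self, service_id: str, addresses) -> None:
        """Exception handling step 3: drop hosts the client timed out on."""
        self.failed.setdefault(service_id, set()).update(addresses)

    def restore(self, service_id: str, address: str) -> None:
        self.failed.get(service_id, set()).discard(address)

    def _candidates(self, service_id: str, now: float):
        failed = self.failed.get(service_id, set())
        # a host that stopped reporting is treated like a failed one
        return [r for r in self.reports.get(service_id, {}).values()
                if r.address not in failed
                and now - r.reported_at <= self.max_report_age]

    @staticmethod
    def _score(rep: HostReport, max_conn: int) -> float:
        # lower is better; connection share weighted highest (assumed weights)
        return (0.4 * rep.connections / max_conn
                + 0.2 * rep.load + 0.2 * rep.cpu + 0.2 * rep.memory)

    def select(self, service_id: str, now: float):
        """Return (primary, standby) addresses, or None where no host qualifies."""
        cands = self._candidates(service_id, now)
        if not cands:
            return None, None
        max_conn = max(1, max(r.connections for r in cands))
        # address as tie-breaker keeps the choice deterministic for equal scores
        ranked = sorted(cands, key=lambda r: (self._score(r, max_conn), r.address))
        primary = ranked[0].address
        standby = ranked[1].address if len(ranked) > 1 else None
        return primary, standby


def demo():
    """Constructed reports for service "A": pick two lines, then pick again
    after the client reported timeouts on both of them."""
    now = 1_700_000_000.0
    sel = LinkSelector()
    for rep in [
        HostReport("10.0.0.11", 800, 0.90, 0.85, 0.70, now - 5),
        HostReport("10.0.0.12", 200, 0.30, 0.25, 0.40, now - 5),
        HostReport("10.0.0.13", 400, 0.50, 0.50, 0.50, now - 5),
        HostReport("10.0.0.14", 50, 0.10, 0.10, 0.90, now - 5),
        HostReport("10.0.0.15", 0, 0.00, 0.00, 0.00, now - 120),  # stale report
    ]:
        sel.report("A", rep)
    first = sel.select("A", now)
    sel.mark_failed("A", list(first))
    second = sel.select("A", now)
    return {"first": first, "second": second}
```

The stale-report rule matters for the claim that the centre "controls the state of the cluster hosts": a host that looks perfect in its last report but has gone silent must not be handed out as a primary line, otherwise every client would have to discover the failure through a timeout before the fallback in exception handling step 1 kicks in.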
While specific embodiments of the invention have been described above, it will be appreciated by those skilled in the art that these are by way of example only, and that the scope of the invention is defined by the appended claims. Various changes and modifications to these embodiments may be made by those skilled in the art without departing from the spirit and scope of the invention, and these changes and modifications are within the scope of the invention.

Claims (1)

1. A consistency authentication method based on optimal link selection, characterized by comprising the following steps:
S1, a client sends a user name, a password and the identifier of a service A to be accessed to an authentication center; the authentication center verifies the validity of the user, proceeds to step S2 if the user is valid, and otherwise responds to the client that it is not legitimate;
S2, the authentication center generates a unique token for the user's current authentication, extracts the access address of service A and responds to the client, the access address comprising a primary address and a standby address;
S3, the authentication center records the token corresponding to the user name and the access address of service A in a cache pool for other services to verify against;
S4, the client obtains the token and the access address of service A, calculates a secret key with a key algorithm, and accesses the address of service A carrying the user name and the secret key;
S5, a service in the service cluster receives the user request and verifies whether the request header carries a user name and a secret key; if so, proceed to step S6, otherwise the illegal client request is not answered;
S6, the service checks whether token information for the user exists in its local cache; if not, proceed to step S7, if so, proceed to step S8;
S7, the service obtains the requesting user's token by calling the authentication center, caches it locally and proceeds to step S8; if the token does not exist, the service responds that the user is not authenticated and refuses to serve the requested data;
S8, the service retrieves the locally cached user token by the user name transmitted by the client, calculates the secret key for comparison, responds to the client request if the keys are consistent, and responds that the request is illegal if they are not;
step S2 further comprises: the client accesses the primary address of the service and automatically switches to the standby address when the response times out; the client accesses the standby address of the service and, if that response also times out, the service responds that the client needs to authenticate again, that is, when the client accesses the standby address of the service, the authentication center removes the failed primary and standby machines and screens the optimal service access address again;
after step S8, step S1 is entered again for re-authentication, and the authentication center guarantees the token validity period for a user already authenticated in the cache by extending the cache lease;
the lease of each service's cached user token in the service cluster is set to a fixed validity, so that the local token is passively synchronized with the central token.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010543485.4A CN111770068B (en) 2020-06-15 2020-06-15 Consistency authentication method based on optimal link selection

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202010543485.4A CN111770068B (en) 2020-06-15 2020-06-15 Consistency authentication method based on optimal link selection

Publications (2)

Publication Number Publication Date
CN111770068A CN111770068A (en) 2020-10-13
CN111770068B true CN111770068B (en) 2022-12-30

Family

ID=72721109

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010543485.4A Active CN111770068B (en) 2020-06-15 2020-06-15 Consistency authentication method based on optimal link selection

Country Status (1)

Country Link
CN (1) CN111770068B (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114760127B (en) * 2022-04-08 2023-10-03 多点生活(成都)科技有限公司 Multi-interface authentication access method based on zero codes
CN117040746B (en) * 2023-10-10 2024-02-27 联通在线信息科技有限公司 CDN client encryption anti-theft chain implementation method and electronic equipment

Family Cites Families (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101931533B (en) * 2010-08-23 2014-09-10 中兴通讯股份有限公司 Authentication method, device and system
CN102082733B (en) * 2011-02-25 2013-06-26 杭州华三通信技术有限公司 Portal system and access method thereof
US9276933B2 (en) * 2013-12-20 2016-03-01 Sharp Laboratories Of America, Inc. Security token caching in centralized authentication systems
CN104320487B (en) * 2014-11-11 2018-03-20 网宿科技股份有限公司 The HTTP scheduling system and method for content distributing network
CN106162574B (en) * 2015-04-02 2020-08-04 成都鼎桥通信技术有限公司 Unified authentication method for applications in cluster system, server and terminal
CN106656959B (en) * 2016-09-28 2020-07-28 腾讯科技(深圳)有限公司 Access request regulation and control method and device
CN108650262B (en) * 2018-05-09 2020-12-01 聚龙股份有限公司 Cloud platform expansion method and system based on micro-service architecture
CN110474797B (en) * 2019-07-25 2022-07-26 北京旷视科技有限公司 API service system, and method and device for switching between main and standby
CN110855672A (en) * 2019-11-15 2020-02-28 无锡家校邦网络科技有限公司 JWT-based authorization method capable of being manually cancelled

Also Published As

Publication number Publication date
CN111770068A (en) 2020-10-13


Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant