CN112039909B - Authentication method, device, equipment and storage medium based on unified gateway - Google Patents


Info

Publication number: CN112039909B
Application number: CN202010919918.1A
Authority: CN (China)
Other languages: Chinese (zh)
Other versions: CN112039909A (en)
Inventors: 李飞, 魏星, 罗强
Current assignee: Ping An Technology Shenzhen Co Ltd
Original assignee: Ping An Technology Shenzhen Co Ltd
Legal status: Active

Classifications (CPC, all under H04L, transmission of digital information)

    • H04L12/66 Arrangements for connecting between networks having differing types of switching systems, e.g. gateways
    • H04L63/08 Network security: authentication of entities
    • H04L63/0807 Authentication of entities using tickets, e.g. Kerberos
    • H04L63/0846 Authentication of entities using time-dependent passwords, e.g. periodically changing passwords
    • H04L63/0861 Authentication of entities using biometrical features, e.g. fingerprint, retina-scan
    • H04L63/0236 Filtering policies: filtering by address, protocol, port number or service, e.g. IP-address or URL
    • H04L63/101 Access control lists [ACL]

Abstract

The invention relates to gateway control and provides a method, a device, equipment and a medium for authentication and authorization based on a unified gateway. The method judges whether the user corresponding to the current access client is a logged-in user, so that different authentication modes can be adopted for logged-in and non-logged-in users; by integrating the authentication service and the permission service in the unified gateway and configuring target microservices of any type together with the unified gateway in the same configuration center, the information interaction barriers between microservices of different types and the unified gateway are removed; a second access request containing an access token is generated after the current access request passes authentication, and the second access request is then authorized based on the unified gateway so as to filter out second access requests that fail authorization, thereby realizing authentication and authorization of access requests for different types of microservices based on the unified gateway. In addition, the invention also relates to blockchain technology, and the access token can be stored in a blockchain.

Description

Authentication method, device, equipment and storage medium based on unified gateway
Technical Field
The invention relates to the technical field of security protection, in particular to a method, a device and equipment for authentication and authorization based on a unified gateway, and a computer readable storage medium.
Background
Microservice is a software development technique for structuring applications as a set of loosely coupled services. After a microservice architecture is adopted, the business application is split from its original monolithic structure into a number of fine-grained microservice components. Calls between microservice components can be passed through directly, but a microservice accessed through an external channel cannot be; the channel request must be authenticated before it is passed through. Providing a unified authentication function on the microservice gateway lets each business microservice component concentrate on its core business function, and the authentication and authorization process of the business system can be placed under centralized control.
For example, the Spring Cloud microservice framework provides the Zuul API gateway. Externally, Zuul implements pass-through control of external requests through the Zuul filter interceptor; internally, it provides a unified access entry for business microservice interfaces through routing (Ribbon). Zuul can therefore serve as a carrier for implementing microservice authentication and authorization, but providing unified authentication and authorization still requires design and optimization on top of Zuul. A conventional microservice gateway has no unified authentication and authorization mechanism and can only provide the same type of service for a single system or application, which gives rise to the technical problem that the authentication and authorization of existing microservice gateways is limited by type.
Disclosure of Invention
The invention mainly aims to provide a method, a device and equipment for authentication and authorization based on a unified gateway, and a computer readable storage medium, aiming at solving the technical problem that the authentication and authorization of existing microservice gateways is limited by type.
In order to achieve the above object, the present invention provides an authentication and authorization method based on a unified gateway, which comprises the following steps:
when a first access request from a client to a target microservice of any type is received, obtaining the identity information and the current domain name of the client based on the first access request;
when the user corresponding to the client is detected to be a logged-in user, judging, based on a unified gateway integrated with an authentication service and a permission service, whether the identity information meets a preset authentication requirement, wherein the unified gateway and the target microservice are configured in the same configuration center;
if the identity information meets the authentication requirement, generating an access token according to the current domain name and sending the access token to the client, so that the client can send a second access request carrying the access token;
and judging, based on the unified gateway, whether the second access request has the access right for the target microservice, and filtering the second access request based on the unified gateway when it does not.
Optionally, the step of judging, based on the unified gateway, whether the second access request has the access right for the target microservice, and filtering the second access request based on the unified gateway when it does not, includes:
verifying the access token according to an encryption private key pre-stored in the unified gateway;
when the verification fails, judging whether the access token needs to be updated;
and if the access token does not need to be updated, judging that the second access request does not have the access right for the target microservice, and filtering the second access request based on the unified gateway.
Optionally, after the step of judging whether the access token needs to be updated, the method further includes:
if the access token needs to be updated, generating a return message containing the updated access token, and adding a token update mark to the header of the return message;
and sending the return message carrying the token update mark to the client, so that the client updates the access token in its local cache based on the updated access token and the token update mark in that return message.
Optionally, after the step of obtaining the identity information and the current domain name of the client based on the first access request when the first access request from the client to a target microservice of any type is received, the method further includes:
judging whether the user corresponding to the client is a logged-in user;
if the user corresponding to the client is not a logged-in user, performing dynamic password authentication on the client, and generating an application token when the client passes the dynamic password authentication;
and sending the application token in association with the first access request to the unified gateway, so as to perform interface authorization of the first access request through the application token based on the unified gateway.
Optionally, the step of sending the application token in association with the first access request to the unified gateway, so as to perform interface authorization of the first access request through the application token based on the unified gateway, includes:
sending the application token in association with the first access request to the unified gateway, and judging, based on the unified gateway, whether the target microservice exists in the accessible microservice list corresponding to the application token;
if so, judging that the first access request passes interface authorization, and sending the first access request to the service interface of the target microservice;
if not, judging that the first access request does not pass interface authorization, and filtering the first access request based on the unified gateway.
Optionally, after the step of performing dynamic password authentication on the client if the user corresponding to the client is not a logged-in user, the method further includes:
when the client consecutively fails dynamic password authentication more than a preset number of times within a preset time period, adding the IP address corresponding to the client to an IP blacklist pre-stored in the same configuration center, so as to update the IP blacklist;
and pushing the updated IP blacklist to the unified gateway, so as to perform access control based on the unified gateway in combination with the updated IP blacklist, wherein the updated IP blacklist is stored in a blockchain.
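The non-logged-in path of the preceding optional steps (dynamic password authentication, the application token whose accessible microservice list the gateway checks during interface authorization, and the IP blacklist the configuration center pushes to the gateway after repeated failures), worked through as an added Python sketch that is not the patent's or the applicant's code. The class names, the threshold and window values, the one-time codes, application ids, IP addresses and service names are all constructed, and the blacklist's blockchain storage is not modelled.

```python
import hmac
import secrets
from collections import defaultdict, deque

MAX_FAILURES = 3       # preset number of failures tolerated inside the window
WINDOW_SECONDS = 60    # preset time period for counting consecutive failures

# Constructed stand-in for the permission data: which microservices each
# (non-logged-in) application may reach once it holds an application token.
APP_ACCESSIBLE_SERVICES = {
    "app-A": {"order-service", "inventory-service"},
}


class ConfigCenter:
    """Shared configuration store holding the IP blacklist; pushes every
    update to the gateways subscribed to it (blockchain storage not modelled)."""

    def __init__(self):
        self.ip_blacklist = set()
        self.gateways = []

    def subscribe(self, gateway):
        self.gateways.append(gateway)
        gateway.receive_blacklist(set(self.ip_blacklist))

    def add_to_blacklist(self, ip):
        self.ip_blacklist.add(ip)
        for gw in self.gateways:
            gw.receive_blacklist(set(self.ip_blacklist))


class UnifiedGateway:
    def __init__(self):
        self.ip_blacklist = set()
        self.app_tokens = {}   # application token -> accessible microservice list

    def receive_blacklist(self, blacklist):
        self.ip_blacklist = blacklist

    def register_app_token(self, token, services):
        self.app_tokens[token] = set(services)

    def interface_auth(self, client_ip, app_token, target_service):
        """Interface authorization of a first access request sent together
        with an application token. Returns 'forward' or a 'filtered:...' reason."""
        if client_ip in self.ip_blacklist:
            return "filtered:blacklisted"
        allowed = self.app_tokens.get(app_token)
        if allowed is None or target_service not in allowed:
            return "filtered:not_in_list"
        return "forward"


class DynamicPasswordAuthenticator:
    """Checks one-time codes and keeps the per-IP consecutive-failure window."""

    def __init__(self, config_center, gateway, valid_codes):
        self.config_center = config_center
        self.gateway = gateway
        self.valid_codes = valid_codes        # constructed: app id -> current valid code
        self.failures = defaultdict(deque)    # client ip -> timestamps of recent failures

    def authenticate(self, app_id, client_ip, code, now):
        """Return a fresh application token on success, None on failure."""
        expected = self.valid_codes.get(app_id, "")
        if expected and hmac.compare_digest(expected, code):
            self.failures.pop(client_ip, None)   # a success ends the failure streak
            token = secrets.token_urlsafe(24)
            self.gateway.register_app_token(
                token, APP_ACCESSIBLE_SERVICES.get(app_id, set()))
            return token
        window = self.failures[client_ip]
        window.append(now)
        while window and now - window[0] > WINDOW_SECONDS:
            window.popleft()                     # drop failures older than the period
        if len(window) > MAX_FAILURES:
            self.config_center.add_to_blacklist(client_ip)   # pushed to the gateway
        return None
```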
Optionally, the identity information comprises fingerprint authentication information, and
the step of judging, when the user corresponding to the client is detected to be a logged-in user, whether the identity information meets the preset authentication requirement based on the unified gateway integrated with the authentication service and the permission service comprises:
when the user corresponding to the client is detected to be a logged-in user, acquiring the fingerprint authentication information carried by the client according to the access request, and judging whether the fingerprint authentication information is legitimate;
if the fingerprint authentication information is legitimate, judging that the identity information meets the preset authentication requirement;
and if the fingerprint authentication information is not legitimate, judging that the identity information does not meet the preset authentication requirement.
In addition, in order to achieve the above object, the present invention further provides an authentication and authorization device based on a unified gateway, including:
an information acquisition module, used for acquiring the identity information and the current domain name of the client based on a first access request when the first access request from the client to a target microservice of any type is received;
a gateway authentication module, used for judging, when the user corresponding to the client is detected to be a logged-in user, whether the identity information meets a preset authentication requirement based on a unified gateway integrated with an authentication service and a permission service, wherein the unified gateway and the target microservice are configured in the same configuration center;
a token generation module, used for generating an access token according to the current domain name and sending the access token to the client if the identity information meets the authentication requirement, so that the client can send a second access request carrying the access token;
and a request filtering module, used for judging, based on the unified gateway, whether the second access request has the access right for the target microservice, and filtering the second access request based on the unified gateway when it does not.
Optionally, the request filtering module includes:
a token verification unit, used for verifying the access token according to an encryption private key pre-stored in the unified gateway;
an update judgment unit, used for judging whether the access token needs to be updated when the verification fails;
and a second filtering unit, used for judging that the second access request does not have the access right for the target microservice if the access token does not need to be updated, and filtering the second access request based on the unified gateway.
Optionally, the request filtering module further includes:
a token update unit, used for generating a return message containing the updated access token if the access token needs to be updated, and adding a token update mark to the header of the return message;
and a cache update unit, used for sending the return message carrying the token update mark to the client, so that the client can update the access token in its local cache based on the updated access token and the token update mark in that return message.
Optionally, the authentication and authorization device based on the unified gateway further includes:
a login judgment module, used for judging whether the user corresponding to the client is a logged-in user;
a password authentication module, used for performing dynamic password authentication on the client if the user corresponding to the client is not a logged-in user, and generating an application token when the client passes the dynamic password authentication;
and an interface authorization module, used for sending the application token in association with the first access request to the unified gateway, so as to perform interface authorization of the first access request through the application token based on the unified gateway.
Optionally, the interface authorization module includes:
a list judgment unit, used for sending the application token in association with the first access request to the unified gateway, and judging, based on the unified gateway, whether the target microservice exists in the accessible microservice list corresponding to the application token;
the list judgment unit is further used for judging that the first access request passes interface authorization if the target microservice exists in the list, and sending the first access request to the service interface of the target microservice; and, if not, judging that the first access request does not pass interface authorization, and filtering the first access request based on the unified gateway.
Optionally, the password authentication module further includes:
a list update unit, used for adding the IP address corresponding to the client to an IP blacklist pre-stored in the same configuration center when the client consecutively fails dynamic password authentication more than a preset number of times within a preset time period, so as to update the IP blacklist;
and an access control unit, used for pushing the updated IP blacklist to the unified gateway, so as to perform access control based on the unified gateway in combination with the updated IP blacklist, wherein the updated IP blacklist is stored in a blockchain.
Optionally, the identity information comprises fingerprint authentication information, and
the gateway authentication module includes:
a legitimacy judgment unit, used for acquiring the fingerprint authentication information carried by the client according to the access request when the user corresponding to the client is detected to be a logged-in user, and judging whether the fingerprint authentication information is legitimate;
an authentication success unit, used for judging that the identity information meets the preset authentication requirement if the fingerprint authentication information is legitimate;
and an authentication failure unit, used for judging that the identity information does not meet the preset authentication requirement if the fingerprint authentication information is not legitimate.
In addition, in order to achieve the above object, the present invention further provides authentication and authorization equipment based on a unified gateway, where the equipment includes a processor, a memory, and an authentication and authorization program based on a unified gateway that is stored in the memory and executable by the processor, and where, when the program is executed by the processor, the steps of the authentication and authorization method based on a unified gateway described above are implemented.
In addition, to achieve the above object, the present invention further provides a computer readable storage medium storing an authentication and authorization program based on a unified gateway, where, when the program is executed by a processor, the steps of the authentication and authorization method based on a unified gateway described above are implemented.
The invention provides an authentication and authorization method, device, equipment and computer readable storage medium based on a unified gateway. By judging whether the user corresponding to the current access client is a logged-in user, the method can adopt different authentication modes for logged-in and non-logged-in users; by integrating the authentication service and the permission service in the unified gateway and configuring target microservices of any type together with the unified gateway in the same configuration center, the information interaction barriers between different types of microservices and the unified gateway are removed, and once a microservice is configured in the same configuration center as the unified gateway, its access requests can be authenticated and authorized by means of the unified gateway; a second access request containing an access token is generated after the current access request passes authentication, and the second access request is then authorized based on the unified gateway so as to filter out second access requests that fail authorization. Authentication and authorization of access requests for different types of microservices are thereby realized based on the unified gateway, which solves the technical problem that the authentication and authorization of existing microservice gateways is limited by type.
Drawings
Fig. 1 is a schematic diagram of the hardware structure of authentication and authorization equipment based on a unified gateway according to an embodiment of the present invention;
Fig. 2 is a schematic flowchart of the first embodiment of the authentication and authorization method based on a unified gateway according to the present invention;
Fig. 3 is a functional block diagram of the authentication and authorization device based on a unified gateway according to the present invention.
The implementation, functional features and advantages of the objects of the present invention will be further explained with reference to the accompanying drawings.
Detailed Description
It should be understood that the specific embodiments described herein are merely illustrative of the invention and are not intended to limit the invention.
The authentication and authorization method based on the unified gateway is mainly applied to authentication and authorization equipment based on the unified gateway, which can be equipment with display and processing functions, such as a PC (personal computer), a portable computer, a mobile terminal, and the like.
Referring to Fig. 1, Fig. 1 is a schematic diagram of the hardware structure of authentication and authorization equipment based on a unified gateway according to an embodiment of the present invention. In this embodiment, the authentication and authorization equipment based on the unified gateway may include a processor 1001 (e.g., a CPU), a communication bus 1002, a user interface 1003, a network interface 1004, and a memory 1005. The communication bus 1002 is used for connecting the components and enabling communication among them; the user interface 1003 may include a display screen (Display) and an input unit such as a keyboard (Keyboard); the network interface 1004 may optionally include a standard wired interface or a wireless interface (e.g., a WI-FI interface); the memory 1005 may be a high-speed RAM or a non-volatile memory, such as a disk memory, and the memory 1005 may optionally be a storage device separate from the processor 1001.
Those skilled in the art will appreciate that the hardware configuration shown in fig. 1 does not constitute a limitation of the unified gateway based authentication and authorization apparatus and may include more or fewer components than those shown, or some components in combination, or a different arrangement of components.
With continued reference to fig. 1, the memory 1005 of fig. 1, which is a computer-readable storage medium, may include an operating system, a network communication module, and a unified gateway-based authentication and authorization program.
In fig. 1, the network communication module is mainly used for connecting to a server and performing data communication with the server; the processor 1001 may call the authentication and authorization program based on the unified gateway stored in the memory 1005, and execute the authentication and authorization method based on the unified gateway according to the embodiment of the present invention.
Based on the hardware structure, the invention provides various embodiments of the authentication method based on the unified gateway.
Microservice is a software development technique for structuring applications as a set of loosely coupled services. After a microservice architecture is adopted, the business application is split from its original monolithic structure into a number of fine-grained microservice components. Calls between microservice components can be passed through directly, but a microservice accessed through an external channel cannot be; the channel request must be authenticated before it is passed through. Providing a unified authentication function on the microservice gateway lets each business microservice component concentrate on its core business function, and the authentication and authorization process of the business system can be placed under centralized control.
For example, the Spring Cloud microservice framework provides the Zuul API gateway. Externally, Zuul implements pass-through control of external requests through the Zuul filter interceptor; internally, it provides a unified access entry for business microservice interfaces through routing (Ribbon). Zuul can therefore serve as a carrier for implementing microservice authentication and authorization, but providing unified authentication and authorization still requires design and optimization on top of Zuul. A conventional microservice gateway has no unified authentication and authorization mechanism and can only provide the same type of service for a single system or application, so development, operation and maintenance costs are high, and the technical problem arises that the authentication and authorization of existing microservice gateways is limited by type.
In order to solve these problems, the invention provides an authentication and authorization method based on a unified gateway: first, whether the user corresponding to the current access client is a logged-in user is judged, so that different authentication modes can be adopted for logged-in and non-logged-in users; by integrating the authentication service and the permission service in the unified gateway and configuring target microservices of any type together with the unified gateway in the same configuration center, the information interaction barriers between different types of microservices and the unified gateway are removed, and once a microservice is configured in the same configuration center as the unified gateway, its access requests can be authenticated and authorized by means of the unified gateway; a second access request containing an access token is generated after the current access request passes authentication, and the second access request is then authorized based on the unified gateway so as to filter out second access requests that fail authorization. Authentication and authorization of access requests for different types of microservices are thereby realized based on the unified gateway, which solves the technical problem that the authentication and authorization of existing microservice gateways is limited by type.
Referring to fig. 2, fig. 2 is a schematic flowchart of a first embodiment of the authentication and authorization method based on the unified gateway according to the present invention.
The first embodiment of the present invention provides a unified gateway-based authentication method, which includes the following steps:
step S10, when a first access request of a client to an unlimited type of target micro-service is received, obtaining identity information and a current domain name of the client based on the first access request;
in this embodiment, the method is applied to a system (hereinafter referred to as a system) including a unified gateway, a target microservice, and a client. The first access request is a micro-service access request sent by the client when the client is not authenticated and an access token is not obtained yet. The identity information may include one or any combination of a user name, a password, fingerprint authentication information, voiceprint authentication information, iris authentication information, and the like of a user corresponding to the client. And the current domain name is a network domain mapped by the IP address of the current client. The micro service refers to a plurality of micro service components with fine granularity, which are split from an original monomer structure by using a micro service architecture, of a service application, a target micro service can be one or more micro services, and the type of the micro service is not limited and can be any type. It should be noted that, before step S10, the microservices accessing the unified gateway need to be registered in the same registry, and there may be microservices directly accessible without restricting the authority and microservices requiring setting the access authority in the business microservices. For the microservice which needs to set the access right, data initialization is needed after the microservice finishes registration. And initializing menu information, domain name information, Uniform Resource Locator (URL) and the like of the micro service through the authority public service. The management granularity of the authority is an interface access path of the micro service, and the authority service provides a query interface of the path which can be accessed by a user under a certain domain name. And the unified gateway acquires the related authority data through the query interface when authenticating.
Step S20, when detecting that the user corresponding to the client is a login user, judging whether the identity information meets the preset authentication requirement based on a unified gateway integrated with authentication service and authority service, wherein the unified gateway and the target micro service are configured in the same configuration center;
in this embodiment, the authentication service is configured to uniformly host user names and passwords of all business systems, and the authentication service provides a password verification interface for all business system users, and when the unified gateway authenticates an access request of a current client to a target microservice, authentication credential information, such as a user name, password information, fingerprint authentication information, and the like of a business system user, which are previously stored, is obtained through the password verification interface. According to the pre-stored authentication credential information, such as a user name and a password, the unified gateway can judge whether the current user name in the current access request is in the pre-stored user name, if yes, whether the current user name is matched with the password is continuously judged, if yes, the unified gateway can judge that the current identity information meets the preset authentication requirement, and then the current access request can be judged to pass the authentication, and the next authentication operation can be entered; if the current user name is not in the pre-stored service system user list or the current user name is not matched with the password, the unified gateway can judge that the current identity information does not meet the preset authentication requirement, further judge that the current access request does not pass the authentication, and at the moment, prompt information of authentication failure can be sent to the client.
It should be noted that the microservices accessing the unified gateway and the unified gateway have been previously configured in the same configuration center. The configuration center can configure information such as the states of some function switches of the microservice, and can also configure information such as the timeout and the release address of the access request of the unified gateway. When the microservice detects that the user has changed the configuration information, the change can be pushed to the configuration center in real time, and the configuration center pushes the change to the unified gateway so that it takes effect.
Step S30, if the identity information meets the authentication requirement, generating an access token according to the current domain name and sending the access token to the client, so that the client can send out a second access request with the access token;
step S40, determining whether the second access request has the access right of the target microservice based on the unified gateway, and filtering the second access request based on the unified gateway when the second access request does not have the access right of the target microservice.
In this embodiment, the second access request is a microservice access request carrying an access token, sent by the client again after the first access request has passed the authentication. It should be noted that, when the identity information corresponding to the client meets the authentication requirement, the system invokes the authority service to dynamically generate the access token with the encrypted signature according to the current domain name and in combination with the security policy. The system verifies the access token according to an encryption private key prestored in the unified gateway, and when it detects that the verification is not passed, judges whether the access token needs to be updated. If the access token does not need to be updated, the system judges that the second access request does not have the access authority of the target microservice and filters the second access request based on the unified gateway, so as to intercept the current access request to the target microservice.
In addition, if the access token passes the verification, the system acquires the current domain name information based on the unified gateway, acquires the accessible path information corresponding to the current domain name through the query interface of the authority service integrated in the unified gateway, and then matches the accessible path information with the interface access path of the target microservice. If a match is found, the system judges that the current client can access the target microservice; if not, the system judges that the current client cannot access the target microservice, the unified gateway filters the access request based on a filter mechanism, and prompt information of authentication failure is sent to the client.
It should be noted that the unified gateway is also integrated with a redis service: it specifies the session expiration time when generating the session information for an authentication request that has passed, stores the session expiration time in the redis storage, and performs a session check on requests to the authentication service microservice interface. The unified gateway can also centrally perform current limiting and IP blacklist access control for the business microservices; a current limiting strategy and an IP blacklist can be pushed to the gateway after being set through a configuration center interface, and the gateway likewise uses a filter mechanism to realize access control on requests. For example, the current limiting strategy limits the upper limit of the number of access requests that the unified gateway can simultaneously process to 1000; if a 1001st access request to a certain microservice is received at a certain time, the unified gateway filters the 1001st access request by using the filter mechanism.
In this embodiment, when a first access request of a client to an unlimited type of target micro-service is received, identity information and a current domain name of the client are obtained based on the first access request; when a user corresponding to a client is detected to be a login user, judging whether the identity information meets a preset authentication requirement or not based on a unified gateway integrated with an authentication service and an authority service, wherein the unified gateway and the target micro service are configured in the same configuration center; if the identity information meets the authentication requirement, generating an access token according to the current domain name and sending the access token to the client so that the client can send a second access request with the access token; and judging whether the second access request has the access right of the target micro service based on the unified gateway, and filtering the second access request based on the unified gateway when the second access request does not have the access right of the target micro service. 
By this method, it is judged whether the user corresponding to the current access client is a login user, so that different authentication modes can be adopted for login users and non-login users; by integrating the authentication service and the authority service in the unified gateway and configuring the unlimited types of target microservices and the unified gateway in the same configuration center, the information interaction barriers between different types of microservices and the unified gateway are broken through, and the microservices can authenticate and authorize access requests by means of the unified gateway once configured in the same configuration center as the unified gateway; the second access request containing the access token is generated after the current access request passes the authentication, and the second access request is then authorized based on the unified gateway so as to filter second access requests that fail authorization, so that authentication and authorization of the access requests corresponding to different types of microservices are realized based on the unified gateway, and the technical problem of the type limitation of authentication in existing microservice gateways is solved.
Further, based on the first embodiment shown in fig. 2, a second embodiment of the authentication and authorization method based on the unified gateway is provided. In this embodiment, step S40 includes:
verifying the access token according to an encryption private key prestored in the unified gateway;
when the verification is not passed, judging whether the access token needs to be updated or not;
and if the access token does not need to be updated, judging that the second access request does not have the access authority of the target micro service, and filtering the second access request based on the unified gateway.
In this embodiment, the access token consists of three parts: header information, a message body, and a signature. The header specifies the signature algorithm used by the token, and the message body contains authorization information such as the visitor's credentials. Because client data can be tampered with, the framework adopts key signature technology to verify the validity of the token and prevent malicious attacks; the framework provides a signature algorithm implemented on the basis of the SM3 and SM2 national cryptographic algorithms. In order to avoid CSRF and XSS attacks while avoiding the performance loss of frequently updated tokens, the framework can regularly monitor the validity period of the token and notify the client upon the first access request made after the token has expired, and the client applies for a new access token by refreshing the token, so as to ensure the validity of the access control of the security service.
After receiving the second access request with the access token sent by the client, the unified gateway directly verifies the token according to the pre-agreed encryption key. If the verification is passed, the access token is confirmed to be valid, the request is processed normally and a response is returned; otherwise, a response message forbidding access is returned, and at the same time the validity period of the access token in the Redis cluster is compared to determine whether it has expired. If so, it is further judged whether the access token needs to be updated. If the unified gateway detects that the current access token does not need to be updated, it judges that the second access request does not have the access authority of the target microservice and intercepts the second access request, that is, refuses the current client access to the target microservice.
Further, after the step of determining whether the access token needs to be updated, the method further includes:
if the access token needs to be updated, generating a return message containing an updated access token, and adding a token updating mark at the head of the return message;
and sending the return message added with the token updating mark to the client, so that the client can update the access token in the local cache based on the updating access token and the token updating mark in the return message added with the access token updating mark.
In this embodiment, if the unified gateway detects that the access token needs to be updated, a refresh token is generated and added to the return message for returning, and an access token update flag is added to the header of the return message, where the flag may indicate update time information. And after the client acquires the return message, updating the access token in the local client cache according to the access token update mark and the refresh token in the return message.
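The second-request handling described above (signature verification with the key pre-stored in the gateway, comparison against the session validity period, the token update decision with an update flag in the return message header, and domain-based matching against the authority service's accessible paths), as an added Python example that is not the patent's own code. HMAC-SHA256 stands in for the SM2/SM3 signature, plain dicts stand in for the Redis cluster and the authority service's query interface, and the header name `X-Token-Update`, the 300-second update window and the 3600-second token lifetime are assumptions.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Constructed stand-in for the encryption key pre-stored in the unified gateway. The page
# names SM2/SM3 for the signature; HMAC-SHA256 from the standard library stands in here.
GATEWAY_KEY = b"constructed-gateway-signing-key"
# Assumed grace window (seconds) after expiry during which a token may still be updated.
REFRESH_WINDOW = 300
# Assumed name of the token update flag added to the header of the return message.
UPDATE_FLAG_HEADER = "X-Token-Update"
# Constructed stand-in for the authority service query interface: domain -> accessible paths.
ACCESSIBLE_PATHS = {
    "shop.example.com": ["/order/", "/cart/"],
    "hr.example.com": ["/payroll/"],
}
# Constructed stand-in for the Redis store holding each session's validity period.
SESSION_STORE = {}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(domain: str, user: str, ttl: int, now: int) -> str:
    """Build header.body.signature; the body carries the domain the token was generated for."""
    header = {"alg": "HS256", "typ": "gateway-token"}
    body = {"jti": secrets.token_hex(8), "sub": user, "domain": domain, "exp": now + ttl}
    signing_input = _b64(json.dumps(header).encode()) + "." + _b64(json.dumps(body).encode())
    sig = hmac.new(GATEWAY_KEY, signing_input.encode(), hashlib.sha256).digest()
    SESSION_STORE[body["jti"]] = body["exp"]  # the validity period is kept gateway-side
    return signing_input + "." + _b64(sig)


def verify_signature(token: str):
    """Return the body claims if the signature checks out under the gateway key, else None."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    expected = hmac.new(GATEWAY_KEY, f"{parts[0]}.{parts[1]}".encode(), hashlib.sha256).digest()
    try:
        if not hmac.compare_digest(expected, _unb64(parts[2])):
            return None
        claims = json.loads(_unb64(parts[1]))
    except ValueError:  # bad base64 or bad JSON (JSONDecodeError is a ValueError)
        return None
    return claims if isinstance(claims, dict) else None


def has_access_right(domain: str, request_path: str) -> bool:
    """Match the request path against the interface paths the authority service allows for the domain."""
    return any(request_path.startswith(prefix) for prefix in ACCESSIBLE_PATHS.get(domain, []))


def handle_second_request(token: str, request_path: str, now: int) -> dict:
    """Gateway filter for the second access request: returns status, headers and body of the reply."""
    forbidden = {"status": 403, "headers": {}, "body": {"message": "access forbidden"}}
    claims = verify_signature(token)
    if claims is None:
        return forbidden  # tampered or foreign token: no update is offered
    expiry = SESSION_STORE.get(claims.get("jti"))
    if expiry is None or now > expiry:
        # Signature is fine but the validity period has passed: decide whether to update the token
        if expiry is not None and now - expiry <= REFRESH_WINDOW:
            SESSION_STORE.pop(claims["jti"], None)  # the old session is retired
            new_token = issue_token(claims["domain"], claims["sub"], ttl=3600, now=now)
            return {"status": 401,
                    "headers": {UPDATE_FLAG_HEADER: str(now)},
                    "body": {"message": "token updated", "access_token": new_token}}
        return forbidden
    if not has_access_right(claims["domain"], request_path):
        return {"status": 403, "headers": {}, "body": {"message": "authentication failed"}}
    return {"status": 200, "headers": {}, "body": {"message": f"forwarded to {request_path}"}}
```

A client that sees the update flag replaces the token in its local cache with the one in the body and retries the request, which is the refresh path the embodiment describes.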
Further, the identity information includes fingerprint authentication information, and step S20 includes:
when detecting that the user corresponding to the client is a login user, acquiring fingerprint authentication information carried by the client according to the access request, and judging whether the fingerprint authentication information is legal or not;
if the fingerprint authentication information is legal, judging that the identity information meets a preset authentication requirement;
and if the fingerprint authentication information is illegal, judging that the identity information does not meet the preset authentication requirement.
In this embodiment, the system is further provided with an authenticated fingerprint information fast cache service for verifying the validity status of the authenticated fingerprint information. The unified gateway reads and parses the Authentication header information in the received first access request of the client, calls the authenticated fingerprint information fast cache service, and queries the existing records within the validity period so as to judge whether the fingerprint authentication information is legal. When the unified gateway calls the authenticated fingerprint information fast cache service, it queries the fast cache service with the fingerprint authentication information ID; if the query result is that no record exists or the fingerprint authentication information is not within the validity period, the fingerprint authentication information is judged to be illegal, and login entry information and login-free mark information are returned to the client. After the unified gateway has called the authenticated fingerprint information fast cache service and judged that the fingerprint authentication information is illegal, the client can submit its authentication information to the unified gateway for further authentication.
Furthermore, the update mechanism of the access token is set for the login user, so that the conditions for the login user to access the target microservice are strengthened and the access management of the microservice is strengthened; the validity of the fingerprint authentication information of the access client is judged by verifying it, so that the identity authentication of the login user is realized quickly and accurately.
Further, based on the first embodiment shown in fig. 2, a third embodiment of the authentication and authorization method based on the unified gateway is provided. In this embodiment, after step S10, the method further includes:
judging whether a user corresponding to the client is a login user or not;
if the user corresponding to the client is not the login user, performing dynamic password authentication on the client, and generating an application token when the client passes the dynamic password authentication;
and sending the association of the application token and the first access request to the unified gateway so as to perform interface authentication on the first access request through the application token based on the unified gateway.
In this embodiment, for a non-login access user, security verification is performed by means of dynamic password authentication. Dynamic passwords are based on a special algorithm that generates an unpredictable combination of random numbers, each of which can only be used once. The dynamic password technology can be synchronous or asynchronous. When the system judges that the user corresponding to the client sending the access request is a non-login user, the system randomly generates a digit combination according to the dynamic password technology. For example, when the current client is a mobile phone, a verification code is sent to the current client, and it is judged whether the user enters the verification code into the corresponding position of the page within the specified time limit. When the system detects that the user has entered the verification code into the corresponding position of the page within the specified time limit, the system judges that the current client passes the dynamic password authentication, generates an application token for the non-login user to access the microservice, and sends the application token and the corresponding first access request to the unified gateway, which authenticates it. If the client does not pass the dynamic password authentication, for example because the user does not enter the verification code into the corresponding position of the page within the specified time limit, the unified gateway filters the current first access request.
Further, the step of sending the application token and the first access request association to the unified gateway, so as to perform interface authentication on the first access request through the application token based on the unified gateway includes:
the application token and the first access request are sent to the unified gateway in association with each other, and whether a target micro service exists in an accessible micro service list corresponding to the application token or not is judged based on the unified gateway;
if so, judging that the first access request passes through interface authentication, and sending the first access request to a service interface of the target micro service;
if not, the first access request is judged not to pass through the interface authentication, and the first access request is filtered based on the unified gateway.
In this embodiment, the system associates the application token with the first access request and sends the application token and the first access request together to the unified gateway. The unified gateway judges whether a target micro service exists in an accessible micro service list corresponding to the application token; if the target micro service exists in the accessible micro service list, the unified gateway judges that the first access request passes through interface authentication, and sends the first access request to a service interface of the target micro service so that a client can access the target micro service conveniently; if the target micro service does not exist in the accessible micro service list, the unified gateway judges that the first access request does not pass through the interface authentication, and then the first access request is filtered.
Specifically, the system can open access authority of some general micro-services to the non-login user, and if the target micro-service to be accessed by the non-login user currently belongs to the general micro-service, the target micro-service can be authenticated and passed, so that the non-login user is allowed to access; if the target micro service to be accessed by the non-login user currently does not belong to the general micro service, the authentication fails, and the current access request of the non-login user is filtered.
Further, after the step of performing dynamic password authentication on the client if the user corresponding to the client is not a login user, the method further includes:
when the client side does not pass the dynamic password authentication continuously within a preset time period and exceeds a preset number of times, adding the IP address corresponding to the client side to an IP blacklist prestored in the same configuration center so as to update the IP address blacklist;
and pushing the updated IP blacklist to the unified gateway so as to perform access control based on the unified gateway in combination with the updated IP blacklist, wherein the updated IP blacklist is stored in a block chain.
In this embodiment, the unified gateway also performs centralized access control on current limiting and the IP blacklist for the business microservices. The system further includes a configuration center; the current limiting policy and the IP blacklist are pushed to the unified gateway after being set through the configuration center interface, and the unified gateway also uses a filter mechanism to realize access control on requests. The condition for entry into the IP blacklist can be set as follows: the user corresponding to the current client is a non-login user and continuously fails the dynamic password authentication within a preset time period more than a preset number of times. The preset time period and the preset number of times can be flexibly set according to actual requirements, and this embodiment does not specifically limit them. In addition, as to the setting of the current limiting policy, for example, the current limiting policy limits the upper limit of the number of access requests that the unified gateway can simultaneously process to 1000; if a 1001st access request for a certain microservice is received at a certain time, the unified gateway filters the 1001st access request by using the filter mechanism. It should be emphasized that, in order to further ensure the privacy and security of the updated IP blacklist, the updated IP blacklist may also be stored in a node of a block chain.
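The blacklist entry condition and the gateway's filter mechanism described above, as an added Python example that is not the patent's own code: consecutive dynamic password failures from one client IP are counted within the preset period, the configuration center pushes the updated blacklist to the gateway, and the gateway filters by blacklist and by the 1000-request concurrency limit. The 600-second window, the limit of 5 failures, the class names and the TEST-NET addresses are all constructed for the example.

```python
from collections import defaultdict, deque

# Assumed policy values; the page leaves the preset period and count to actual requirements.
FAIL_WINDOW_SECONDS = 600       # preset time period
MAX_CONSECUTIVE_FAILURES = 5    # preset number of times (entry when this is exceeded)
MAX_CONCURRENT_REQUESTS = 1000  # current limiting upper limit named on the page


class ConfigCenter:
    """Constructed stand-in for the configuration center: holds the IP blacklist and pushes updates."""

    def __init__(self):
        self.ip_blacklist = set()
        self.gateways = []          # unified gateways that receive pushed updates

    def add_to_blacklist(self, ip: str) -> None:
        self.ip_blacklist.add(ip)
        for gateway in self.gateways:
            gateway.receive_blacklist(set(self.ip_blacklist))


class DynamicPasswordAuth:
    """Tracks consecutive dynamic password failures per client IP within the preset period."""

    def __init__(self, config_center: ConfigCenter):
        self.config_center = config_center
        self.failures = defaultdict(deque)  # ip -> timestamps of the current run of failures

    def record_result(self, ip: str, passed: bool, now: float) -> bool:
        """Record one attempt; return True when this attempt put the IP on the blacklist."""
        if passed:
            self.failures.pop(ip, None)     # a success breaks the consecutive run
            return False
        run = self.failures[ip]
        run.append(now)
        while run and now - run[0] > FAIL_WINDOW_SECONDS:
            run.popleft()                   # failures older than the period no longer count
        if len(run) > MAX_CONSECUTIVE_FAILURES:
            self.config_center.add_to_blacklist(ip)
            self.failures.pop(ip, None)
            return True
        return False


class UnifiedGateway:
    """Filter mechanism: rejects blacklisted IPs and requests beyond the concurrency limit."""

    def __init__(self):
        self.ip_blacklist = set()
        self.in_flight = 0

    def receive_blacklist(self, blacklist: set) -> None:
        self.ip_blacklist = blacklist       # pushed from the configuration center

    def filter_request(self, ip: str) -> str:
        """Return 'blacklisted', 'throttled' or 'accepted' for an incoming access request."""
        if ip in self.ip_blacklist:
            return "blacklisted"
        if self.in_flight >= MAX_CONCURRENT_REQUESTS:
            return "throttled"              # the 1001st simultaneous request is filtered
        self.in_flight += 1
        return "accepted"

    def finish_request(self) -> None:
        self.in_flight -= 1
```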
The block chain is a novel application mode of computer technologies such as distributed data storage, point-to-point transmission, a consensus mechanism, an encryption algorithm and the like. A block chain (Blockchain), which is essentially a decentralized database, is a series of data blocks associated by using a cryptographic method, and each data block contains information of a batch of network transactions, so as to verify the validity (anti-counterfeiting) of the information and generate a next block. The blockchain may include a blockchain underlying platform, a platform product service layer, an application service layer, and the like.
Further, by setting dynamic password authentication aiming at the micro service accessed by the non-login user, an accessible entrance is provided for the non-login user; by further judging the access qualification of the non-login user authenticated by the dynamic password, the general micro service can be specifically incorporated into an accessible list of the non-login user, so that the non-login user authenticated by the dynamic password can normally access the general micro service and cannot randomly access part of the micro service with higher security level; by setting the IP blacklist and setting the unified gateway to carry out access limitation based on the IP blacklist, the safety and the rationality of micro-service access control are enhanced.
In addition, as shown in fig. 3, to achieve the above object, the present invention further provides an authentication device based on a unified gateway, including:
the information acquisition module 10 is configured to, when receiving a first access request of a client for an unlimited type of target microservice, obtain identity information and a current domain name of the client based on the first access request;
the gateway authentication module 20 is configured to, when it is detected that a user corresponding to the client is a login user, determine whether the identity information meets a preset authentication requirement based on a unified gateway integrated with an authentication service and an authorization service, where the unified gateway and the target micro service are configured in the same configuration center;
the token generation module 30 is configured to generate an access token according to the current domain name and send the access token to the client if the identity information meets the authentication requirement, so that the client sends a second access request with the access token;
and the request filtering module 40 is configured to determine whether the second access request has the access right of the target micro service based on the unified gateway, and filter the second access request based on the unified gateway when the second access request does not have the access right of the target micro service.
Optionally, the request filtering module 40 includes:
the token checking unit is used for checking the access token according to an encryption private key prestored in the unified gateway;
the updating judgment unit is used for judging whether the access token needs to be updated or not when the verification is not passed;
and the second filtering unit is used for judging that the second access request does not have the access authority of the target micro service if the access token does not need to be updated, and filtering the second access request based on the unified gateway.
Optionally, the request filtering module 40 further includes:
the token updating unit is used for generating a return message containing an updated access token if the access token needs to be updated, and adding a token updating mark at the head of the return message;
and the cache updating unit is used for sending the return message added with the token updating mark to the client so that the client can update the access token in the local cache based on the updating access token and the token updating mark in the return message added with the access token updating mark.
Optionally, the authentication and authorization apparatus based on the unified gateway further includes:
the login judgment module is used for judging whether the user corresponding to the client is a login user;
the password authentication module is used for performing dynamic password authentication on the client if the user corresponding to the client is not a login user, and generating an application token when the client passes the dynamic password authentication;
and the interface authentication module is used for sending the association between the application token and the first access request to the unified gateway so as to perform interface authentication on the first access request through the application token based on the unified gateway.
Optionally, the interface authentication module includes:
the list judging unit is used for sending the association between the application token and the first access request to the unified gateway and judging whether a target micro service exists in an accessible micro service list corresponding to the application token or not based on the unified gateway;
the list judging unit is further used for, if the target micro service exists in the accessible micro service list, judging that the first access request passes the interface authentication and sending the first access request to a service interface of the target micro service; and if not, judging that the first access request does not pass the interface authentication and filtering the first access request based on the unified gateway.
Optionally, the password authentication module further includes:
the list updating unit is used for adding the IP address corresponding to the client to an IP blacklist prestored in the same configuration center when the client continuously fails the dynamic password authentication within a preset time period and exceeds a preset number of times so as to update the IP address blacklist;
and the access control unit is used for pushing the updated IP blacklist to the unified gateway so as to perform access control based on the unified gateway and the updated IP blacklist, wherein the updated IP blacklist is stored in the block chain.
Optionally, the identity information comprises fingerprint authentication information,
the gateway authentication module 20 includes:
the legality judging unit is used for acquiring fingerprint authentication information carried by the client according to the access request and judging whether the fingerprint authentication information is legal or not when the fact that the user corresponding to the client is a login user is detected;
the authentication success unit is used for judging that the identity information meets the preset authentication requirement if the fingerprint authentication information is legal;
and the authentication failure unit is used for judging that the identity information does not meet the preset authentication requirement if the fingerprint authentication information is illegal.
The invention also provides authentication equipment based on the unified gateway.
The authentication and authorization equipment based on the unified gateway comprises a processor, a memory and an authentication and authorization program based on the unified gateway, wherein the authentication and authorization program based on the unified gateway is stored on the memory and can run on the processor, and when the authentication and authorization program based on the unified gateway is executed by the processor, the steps of the authentication and authorization method based on the unified gateway are realized.
The method implemented when the authentication and authorization program based on the unified gateway is executed may refer to each embodiment of the authentication and authorization method based on the unified gateway of the present invention, and will not be described herein again.
In addition, the embodiment of the invention also provides a computer readable storage medium.
The computer readable storage medium of the present invention stores the authentication and authorization program based on the unified gateway, wherein when the authentication and authorization program based on the unified gateway is executed by the processor, the steps of the authentication and authorization method based on the unified gateway as described above are implemented.
The method implemented when the authentication and authorization program based on the unified gateway is executed may refer to each embodiment of the authentication and authorization method based on the unified gateway of the present invention, and will not be described herein again.
It should be noted that, in this document, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or system that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or system. Without further limitation, an element defined by the phrase "comprising a …" does not exclude the presence of other like elements in a process, method, article, or system that comprises the element.
The above-mentioned serial numbers of the embodiments of the present invention are merely for description and do not represent the merits of the embodiments.
Through the above description of the embodiments, those skilled in the art will clearly understand that the method of the above embodiments can be implemented by software plus a necessary general hardware platform, and certainly can also be implemented by hardware, but in many cases, the former is a better implementation manner. Based on such understanding, the technical solution of the present invention may be embodied in the form of a software product, which is stored in a storage medium (e.g., ROM/RAM, magnetic disk, optical disk) as described above and includes instructions for enabling a terminal device (e.g., a mobile phone, a computer, a server, an air conditioner, or a network device) to execute the method according to the embodiments of the present invention.
The above description is only a preferred embodiment of the present invention, and not intended to limit the scope of the present invention, and all modifications of equivalent structures and equivalent processes, which are made by using the contents of the present specification and the accompanying drawings, or directly or indirectly applied to other related technical fields, are included in the scope of the present invention.

Claims (10)

1. The authentication method based on the unified gateway is characterized by comprising the following steps:
when a first access request of a client to unlimited types of target micro-services is received, obtaining identity information and a current domain name of the client based on the first access request;
when a user corresponding to a client is detected to be a login user, judging whether the identity information meets a preset authentication requirement or not based on a unified gateway integrated with an authentication service and an authority service, wherein the unified gateway and the target micro service are configured in the same configuration center;
if the identity information meets the authentication requirement, generating an access token carrying the encrypted signature according to the current domain name and sending the access token to the client so that the client can send a second access request of the access token carrying the encrypted signature;
and judging whether the second access request has the access right of the target micro service based on the unified gateway, and filtering the second access request based on the unified gateway when the second access request does not have the access right of the target micro service.
2. The unified gateway-based authentication and authorization method according to claim 1, wherein the step of determining whether the second access request has the access right of the target micro-service based on the unified gateway, and filtering the second access request based on the unified gateway when the second access request does not have the access right of the target micro-service comprises:
verifying the access token according to an encryption private key prestored in the unified gateway;
when the verification is not passed, judging whether the access token needs to be updated or not;
and if the access token does not need to be updated, judging that the second access request does not have the access authority of the target micro service, and filtering the second access request based on the unified gateway.
3. The unified gateway-based authentication and authorization method according to claim 2, wherein after the step of judging whether the access token needs to be updated, the method further comprises:
if the access token needs to be updated, generating a return message containing an updated access token, and adding a token-update mark to the header of the return message;
and sending the return message carrying the token-update mark to the client, so that the client updates the access token in its local cache based on the updated access token and the token-update mark in that return message.
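The token flow of claims 1 to 3, written out as an added example (not code from the patent or its applicant). The claims name no signature scheme, so an HMAC-SHA256 key held by the gateway stands in for their "encryption private key"; the token lifetime, the refresh window, the header names and the request shape are all assumptions. The example takes one reading of claim 2: a token whose signature or domain binding is wrong is filtered, and only a correctly signed token whose lifetime has lapsed is considered for the update of claim 3.

```python
import base64
import hashlib
import hmac
import json

# Assumptions (not from the patent): one HMAC-SHA256 key standing in for the claims'
# "encryption private key"; constructed lifetime, refresh window and header names.
GATEWAY_KEY = b"constructed-demo-key-do-not-use-in-production"
TOKEN_TTL = 3600        # seconds an access token is accepted
REFRESH_WINDOW = 600    # seconds after expiry in which the gateway offers an update
REFRESH_MARK_HEADER = "X-Token-Refresh"     # claim 3 "token-update mark"
NEW_TOKEN_HEADER = "X-New-Access-Token"     # carries the updated token


def b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(user_id: str, domain: str, now: int, ttl: int = TOKEN_TTL) -> str:
    """Claim 1: token generated from the current domain name and signed by the gateway.
    The domain is inside the signed payload, so a token issued for one domain
    cannot be replayed against another."""
    payload = {"sub": user_id, "aud": domain, "iat": now, "exp": now + ttl}
    body = b64(json.dumps(payload, sort_keys=True).encode())
    sig = b64(hmac.new(GATEWAY_KEY, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"


def verify_token(token: str, domain: str, now: int):
    """Claim 2: returns ("ok" | "refresh" | "reject", payload)."""
    try:
        body, sig = token.split(".")
        expected = hmac.new(GATEWAY_KEY, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, unb64(sig)):
            return "reject", None          # forged or foreign key: never refreshed
        payload = json.loads(unb64(body))
    except (ValueError, UnicodeDecodeError):
        return "reject", None
    if not isinstance(payload, dict) or payload.get("aud") != domain:
        return "reject", None              # bound to another domain
    if not isinstance(payload.get("exp"), int):
        return "reject", None
    if now <= payload["exp"]:
        return "ok", payload
    if now <= payload["exp"] + REFRESH_WINDOW:
        return "refresh", payload          # claim 2: "needs to be updated"
    return "reject", None


def gateway_filter(request: dict, now: int) -> dict:
    """Claims 1 to 3 applied to a second access request at the unified gateway.
    request = {"domain": ..., "service": ..., "headers": {"Authorization": token}}"""
    token = request.get("headers", {}).get("Authorization", "")
    status, payload = verify_token(token, request["domain"], now)
    if status == "reject":
        return {"status": 403, "headers": {}, "body": "filtered by unified gateway"}
    headers = {}
    if status == "refresh":
        # Claim 3: the return message carries the updated token and a mark in its header
        headers[REFRESH_MARK_HEADER] = "1"
        headers[NEW_TOKEN_HEADER] = issue_token(payload["sub"], payload["aud"], now)
    return {"status": 200, "headers": headers,
            "body": f"forwarded to {request['service']} for {payload['sub']}"}
```

The design choice worth noting is the asymmetry in `verify_token`: an update is only ever offered for a token that carries a valid signature, so a client holding a forged or tampered token gets a bare 403 and never learns a refreshed credential.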
4. The unified gateway-based authentication and authorization method according to claim 1, wherein after the step of obtaining the identity information and the current domain name of the client based on the first access request when the first access request from the client for a target micro-service of any type is received, the method further comprises:
judging whether the user corresponding to the client is a logged-in user;
if the user corresponding to the client is not a logged-in user, performing dynamic password authentication on the client, and generating an application token when the client passes the dynamic password authentication;
and sending the application token, associated with the first access request, to the unified gateway, so as to perform interface authentication on the first access request through the application token based on the unified gateway.
5. The unified gateway-based authentication and authorization method according to claim 4, wherein the step of sending the application token, associated with the first access request, to the unified gateway so as to perform interface authentication on the first access request through the application token based on the unified gateway comprises:
sending the application token and the first access request in association to the unified gateway, and judging, based on the unified gateway, whether the target micro-service is present in the accessible micro-service list corresponding to the application token;
if so, judging that the first access request passes interface authentication, and sending the first access request to the service interface of the target micro-service;
if not, judging that the first access request does not pass interface authentication, and filtering the first access request based on the unified gateway.
6. The unified gateway-based authentication and authorization method according to claim 4, wherein after the step of performing dynamic password authentication on the client if the user corresponding to the client is not a logged-in user, the method further comprises:
when the client fails dynamic password authentication consecutively within a preset time period more than a preset number of times, adding the IP address corresponding to the client to an IP blacklist prestored in the same configuration center so as to update the IP blacklist;
and pushing the updated IP blacklist to the unified gateway so as to perform access control based on the unified gateway in combination with the updated IP blacklist, wherein the updated IP blacklist is stored in a blockchain.
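The path for a client that is not logged in, claims 4 to 6, as an added example (not code from the patent or its applicant). The claims do not say what the "dynamic password" is; it is modelled here as RFC 6238 TOTP over HMAC-SHA1. The per-client OTP secrets, the accessible micro-service lists, the lockout threshold and window are constructed, and the configuration-center push and the blockchain storage of claim 6 are replaced by an in-memory set held by the gateway object.

```python
import hashlib
import hmac
import secrets
import struct
from collections import defaultdict, deque

# Assumptions (not from the patent): TOTP as the dynamic password, constructed client
# configuration and thresholds, in-memory blacklist instead of config center + blockchain.
MAX_OTP_FAILURES = 3      # claim 6 "preset number of times"
FAILURE_WINDOW = 300      # claim 6 "preset time period", in seconds
TOTP_STEP = 30

# client id -> (OTP secret, accessible micro-service list), as a configuration center would hold them
CLIENT_CONFIG = {
    "mobile-app": (b"12345678901234567890", {"orders", "catalog"}),   # RFC 6238 test secret
    "partner-batch": (b"partner-secret-constructed", {"reports"}),
}


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP with dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def totp(secret: bytes, now: int, step: int = TOTP_STEP) -> str:
    """RFC 6238 TOTP: HOTP over the current time step."""
    return hotp(secret, now // step)


class UnifiedGateway:
    """Claims 4 to 6: OTP for clients that are not logged in, application tokens with an
    accessible micro-service list, and an IP blacklist fed by repeated OTP failures."""

    def __init__(self, client_config=CLIENT_CONFIG, ip_blacklist=()):
        self.client_config = client_config
        self.ip_blacklist = set(ip_blacklist)
        self.failures = defaultdict(deque)   # ip -> timestamps of failed OTP attempts
        self.app_tokens = {}                 # application token -> client id

    def admit(self, client_ip: str) -> bool:
        """Claim 6: gateway access control combined with the updated IP blacklist."""
        return client_ip not in self.ip_blacklist

    def dynamic_password_auth(self, client_ip: str, client_id: str, code: str, now: int):
        """Claim 4: check the dynamic password and, on success, return a fresh application token.
        Claim 6: count failures per IP inside the window and blacklist the IP past the limit."""
        if not self.admit(client_ip) or client_id not in self.client_config:
            return None
        secret, _ = self.client_config[client_id]
        if hmac.compare_digest(code, totp(secret, now)):
            self.failures.pop(client_ip, None)
            token = secrets.token_urlsafe(24)
            self.app_tokens[token] = client_id
            return token
        window = self.failures[client_ip]
        window.append(now)
        while window and window[0] < now - FAILURE_WINDOW:
            window.popleft()                 # only failures inside the preset period count
        if len(window) > MAX_OTP_FAILURES:
            self.ip_blacklist.add(client_ip)  # stands in for "push updated blacklist to gateway"
            self.failures.pop(client_ip, None)
        return None

    def interface_auth(self, app_token: str, target_service: str) -> str:
        """Claim 5: forward only if the target micro-service is in the token's accessible list."""
        client_id = self.app_tokens.get(app_token)
        if client_id is None:
            return "filtered"
        _, accessible = self.client_config[client_id]
        return "forwarded" if target_service in accessible else "filtered"
```

Two details matter in practice: the blacklist check comes first in `dynamic_password_auth`, so a blacklisted address is refused even when it presents a correct code, and the failure window is sliding, so slow guessing that never exceeds the threshold inside one period does not lock the address out.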
7. The unified gateway-based authentication and authorization method according to any one of claims 1 to 6, characterized in that the identity information comprises fingerprint authentication information, and
the step of judging, based on the unified gateway that integrates the authentication service and the authority service, whether the identity information meets the preset authentication requirement when the user corresponding to the client is detected to be a logged-in user comprises:
when the user corresponding to the client is detected to be a logged-in user, acquiring the fingerprint authentication information carried by the client according to the first access request, and judging whether the fingerprint authentication information is valid;
if the fingerprint authentication information is valid, judging that the identity information meets the preset authentication requirement;
and if the fingerprint authentication information is not valid, judging that the identity information does not meet the preset authentication requirement.
8. An authentication and authorization device based on a unified gateway, characterized by comprising:
an information acquisition module, configured to obtain identity information and a current domain name of a client based on a first access request when the first access request from the client for a target micro-service of any type is received;
a gateway authentication module, configured to judge, based on a unified gateway that integrates an authentication service and an authority service, whether the identity information meets a preset authentication requirement when the user corresponding to the client is detected to be a logged-in user, wherein the unified gateway and the target micro-service are configured in the same configuration center;
a token generation module, configured to generate an access token carrying an encrypted signature according to the current domain name and send the access token to the client if the identity information meets the authentication requirement, so that the client sends a second access request carrying the access token with the encrypted signature;
and a request filtering module, configured to judge, based on the unified gateway, whether the second access request has the access right to the target micro-service, and to filter the second access request based on the unified gateway when the second access request does not have the access right to the target micro-service.
9. A unified gateway-based authentication and authorization apparatus, characterized in that the apparatus comprises a processor, a memory, and a unified gateway-based authentication and authorization program stored in the memory and executable by the processor, wherein when the unified gateway-based authentication and authorization program is executed by the processor, the steps of the unified gateway-based authentication and authorization method according to any one of claims 1 to 7 are implemented.
10. A computer-readable storage medium, wherein the computer-readable storage medium stores a unified gateway-based authentication and authorization program, and the unified gateway-based authentication and authorization program, when executed by a processor, implements the steps of the unified gateway-based authentication and authorization method according to any one of claims 1 to 7.
CN202010919918.1A 2020-09-03 2020-09-03 Authentication method, device, equipment and storage medium based on unified gateway Active CN112039909B (en)

Publications (2)

Publication Number Publication Date
CN112039909A CN112039909A (en) 2020-12-04
CN112039909B true CN112039909B (en) 2022-07-12

Family

ID=73590541

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010919918.1A Active CN112039909B (en) 2020-09-03 2020-09-03 Authentication method, device, equipment and storage medium based on unified gateway

Country Status (1)

Country Link
CN (1) CN112039909B (en)

Families Citing this family (27)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112507320A (en) * 2020-12-10 2021-03-16 东莞市盟大塑化科技有限公司 Access control method, device, system, electronic equipment and storage medium
CN112615849B (en) * 2020-12-15 2022-04-26 平安科技(深圳)有限公司 Micro-service access method, device, equipment and storage medium
CN112559010B (en) * 2020-12-22 2022-06-21 福州数据技术研究院有限公司 Multi-application system data isolation implementation method and system based on micro-service
CN112866761A (en) * 2020-12-31 2021-05-28 武汉兴图新科电子股份有限公司 Distributed system user unified authentication technology applied to cloud video fusion platform
CN112866217B (en) * 2021-01-05 2022-12-09 交通银行股份有限公司 Micro application access authority control method and device based on token authentication
CN112788031B (en) * 2021-01-11 2023-06-16 百果园技术(新加坡)有限公司 Micro-service interface authentication system, method and device based on Envoy architecture
CN113067797B (en) * 2021-02-01 2023-04-07 上海金融期货信息技术有限公司 Identity authentication and authorization system supporting multiple terminals and multiple certificates in cross-network area
CN113055367B (en) * 2021-03-08 2022-12-27 浪潮云信息技术股份公司 Method and system for realizing micro-service gateway authentication
CN114598490B (en) * 2021-04-09 2024-03-29 亚信科技(南京)有限公司 Method, device, equipment and storage medium for redirecting page based on API gateway
CN113225394B (en) * 2021-04-30 2022-07-15 中核武汉核电运行技术股份有限公司 API gateway management system based on container cluster
CN113301028B (en) * 2021-05-13 2023-04-14 广东电网有限责任公司广州供电局 Gateway protection method and data labeling method
CN113422686B (en) * 2021-06-24 2022-09-27 平安国际智慧城市科技股份有限公司 Gateway layer authentication method, system, electronic device and storage medium
CN113691534B (en) * 2021-08-24 2023-02-17 厦门熵基科技有限公司 Identity authentication charging system and method
CN114124430B (en) * 2021-08-31 2024-03-01 青岛海尔科技有限公司 Token replacement method, device and storage medium
CN113472545B (en) * 2021-08-31 2022-02-01 阿里云计算有限公司 Equipment network access method, device, equipment, storage medium and communication system
CN113923020A (en) * 2021-10-09 2022-01-11 天翼物联科技有限公司 Micro-service authentication method, device and equipment of SaaS multi-tenant architecture
CN114615071B (en) * 2022-03-21 2023-06-06 重庆长安汽车股份有限公司 Method for unified authentication of RESTful API under micro-service architecture
CN114614993B (en) * 2022-03-22 2024-02-06 平安证券股份有限公司 System interaction method and device, electronic equipment and storage medium
CN114745185A (en) * 2022-04-18 2022-07-12 阿里巴巴(中国)有限公司 Cluster access method and device
CN114745196B (en) * 2022-04-27 2024-01-02 广域铭岛数字科技有限公司 Interface testing method, system, electronic device and readable storage medium
CN115174142B (en) * 2022-05-27 2024-01-12 深圳市世强元件网络有限公司 Gateway unified authentication management method, device, storage medium and computer
CN115208674A (en) * 2022-07-18 2022-10-18 神州数码融信软件有限公司 Decentralized global current limiting method and system
CN115277207A (en) * 2022-07-28 2022-11-01 联想(北京)有限公司 Access control method and electronic equipment
CN115242546A (en) * 2022-09-15 2022-10-25 浙江中控技术股份有限公司 Industrial control system access control method based on zero trust architecture
CN115834207A (en) * 2022-11-23 2023-03-21 紫光云技术有限公司 Method for realizing cross-application integration based on gateway
CN115801472B (en) * 2023-02-10 2023-05-09 武汉市幸运坐标信息技术有限公司 Authority management method and system based on authentication gateway
CN117155713B (en) * 2023-10-31 2024-02-23 北京持安科技有限公司 Multi-authentication source authentication and authorization method and device

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107528853A (en) * 2017-09-12 2017-12-29 上海艾融软件股份有限公司 The implementation method of micro services control of authority
CN109327477A (en) * 2018-12-06 2019-02-12 泰康保险集团股份有限公司 Authentication method, device and storage medium
CN110086822A (en) * 2019-05-07 2019-08-02 北京智芯微电子科技有限公司 The realization method and system of unified identity authentication strategy towards micro services framework
CN113923020A (en) * 2021-10-09 2022-01-11 天翼物联科技有限公司 Micro-service authentication method, device and equipment of SaaS multi-tenant architecture

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8973118B2 (en) * 2011-12-14 2015-03-03 Cellco Partnership Token based security protocol for managing access to web services

Also Published As

Publication number Publication date
CN112039909A (en) 2020-12-04

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant