CN112104673B - Multimedia resource web access authority authentication method - Google Patents


Info

Publication number
CN112104673B
Application number
CN202011259027.4A
Authority
CN (China)
Prior art keywords
token, multimedia resource, access, encryption, application software
Legal status
Active (as listed by Google Patents; not a legal conclusion)
Other languages
Chinese (zh)
Other versions
CN112104673A (application publication)
Inventors
魏利明, 李健强, 夏南军, 仲勇
Current assignee
Zhongbo Information Technology Institute Co ltd
Original assignee
Zhongbo Information Technology Institute Co ltd
Priority application
CN202011259027.4A
Publications
CN112104673A (application), CN112104673B (granted patent)

Classifications

All classes fall under H (Electricity), H04 (Electric communication technique), H04L (Transmission of digital information), in the groups H04L63/00 (network architectures or protocols for network security) and H04L9/00 (cryptographic mechanisms and network security protocols):

    • H04L63/10 Network security: controlling access to devices or network resources
    • H04L63/0807 Network security: authentication of entities using tickets, e.g. Kerberos
    • H04L63/0876 Network security: authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
    • H04L9/0643 Hash functions, e.g. MD5, SHA, HMAC or f9 MAC
    • H04L9/0866 Generation of secret information (keys or passwords) involving user or device identifiers, e.g. serial number, physical or biometrical information
    • H04L9/0869 Generation of secret information involving random numbers or seeds
    • H04L9/0872 Generation of secret information using geo-location information, e.g. location data, time, relative position or proximity to other entities
    • H04L9/088 Usage control of secret information, e.g. restricting keys to pre-authorized uses, access levels, crypto-period validity, key length or algorithm strength
    • H04L9/0894 Escrow, recovery or storing of secret information, e.g. key escrow or cryptographic key storage
    • H04L9/3213 Verifying identity or authority of a user, or message authentication, involving a third party or trusted authority using tickets or tokens, e.g. Kerberos
    • H04L9/3297 Verifying identity or authority of a user, or message authentication, involving time stamps, e.g. generation of time stamps

Abstract

The invention discloses a method for authenticating web access rights to multimedia resources, in the technical field of the web. An independent multimedia resource server cluster serving HTTP is built on nginx, separate from the application software. Because the cluster interfaces directly with the application, the application's own access-control decisions are mapped onto multimedia resource access, and a token-verification authentication scheme gives different users different access rights.

Description

Multimedia resource web access authority authentication method
Technical Field
The invention belongs to the technical field of the web, and in particular relates to a method for authenticating web access rights to multimedia resources.
Background
In many current website-type applications, multimedia resources such as audio, video, images and PDF files have to be fetched and presented through the browser. Some of these resources must be publicly accessible, meaning anyone can fetch them by URL, while others must be accessible only after authentication, for example only to users who have purchased them or are otherwise allowed to view them. The current technical schemes are mainly the following:
Scheme 1: the multimedia resources are stored as static resources on the server that hosts the application, and access control for video relies on the application's own permission control. For example, the browser session mechanism combined with a permission table in the database decides which web pages a user may access, and the same mechanism can be used to control access to multimedia resources.
Scheme 2: an existing commercial video-on-demand or multimedia object storage service is purchased, such as Alibaba Cloud or Tencent Cloud. This gives a fairly complete system for request access control and security authentication.
Scheme 3: an independent multimedia resource server cluster serving HTTP is built on nginx and provides the service externally with its own bandwidth, independent of the application. The HTTP access links are embedded in the web application.
The defects and shortcomings of the prior art are as follows:
The three schemes above have the following disadvantages in practice:
Scheme 1 (storing the multimedia resources as static resources on the application server):
Implementation is indeed simple: the resources are added directly to the application, and access authentication is conveniently handled by the existing web application's own permission and access-control system.
But the application and the resources are strongly bound, so they cannot be deployed in a distributed way: when an application is deployed across several nodes, every node must hold the resources or access fails. This is unsuitable for high-concurrency distributed clusters.
Every request must pass through the application, and a general application service that reads a multimedia resource and streams it back to the browser performs poorly and is slow. The application container itself is not well suited to serving large static resources such as video.
Scheme 2 (purchasing a commercial video-on-demand or multimedia object storage service):
High cost: multimedia resources occupy a large amount of storage and consume a large amount of network traffic, so commercial services are expensive.
Dependence on the public network, which makes the scheme unsuitable for some internal-network deployments.
Functionality depends on the provider, so certain specific business requirements cannot be implemented.
Scheme 3 (an independent multimedia resource server cluster built on nginx or other HTTP middleware, independent of the application):
It cannot be effectively integrated with the application's access authentication system.
Plain HTTP access is hard to extend with permission control: once someone obtains the URL they can access the resource, so security is poor.
Disclosure of Invention
The invention aims to provide a multimedia resource web access rights authentication method that solves the problem of giving different users different access rights: it interfaces directly with the application so that the application's access-control decisions are mapped onto multimedia resource access, and it applies a token-verification authentication scheme.
To achieve this, the invention adopts the following technical solution:
A multimedia resource web access rights authentication method comprises the following steps:
Step 1: establish an independent multimedia resource server cluster serving HTTP, built on nginx; the cluster and the application software are independent of each other, and the cluster serves clients using its own bandwidth resources;
the multimedia resource server cluster provides the multimedia resource service;
Step 2: establish a memory-based token authentication key storage service within the multimedia resource server cluster, referred to as the token authentication storage service;
Step 3: the multimedia resource service and the application software share a token generation rule, a token delivery rule and a token verification rule;
Step 4: the application software generates a token as follows:
Step A1: when a user accesses a multimedia resource through the application software, the application software obtains the current user's login information from the session;
Step A2: the application software queries the user permission table in its own database and decides whether the user may access the multimedia resource: if so, it generates a token according to the token generation rule, adds the token to the token authentication storage service and proceeds to step A3; otherwise it returns a verification failure message and returns to step A1;
Step A3: the application software appends the token to the access URL provided by the multimedia resource service as a URL parameter, according to the token delivery rule;
Step 5: establish a web file access service based on nginx within the multimedia resource service, configure the access addresses of the resources (images, video and audio), and add the token check rule to the nginx-based multimedia resource access service;
Step 6: the application software periodically changes the salt value and the MD5 iteration count (the "encryption times") stored in the authentication key storage service.
Preferably, the multimedia resource server cluster's HTTP access links are embedded in the web application; the application software is deployed on an application server, and the application server and the multimedia resource server cluster are independent of each other.
Preferably, step 2 comprises the following steps:
Step B1: store each token in memory with a fixed lifetime, after which it becomes invalid, and ensure that a token can be used only once;
Step B2: the application software stores the agreed salt value and the agreed MD5 iteration count in the authentication key storage service.
Preferably, in step 3 the token generation rule is as follows: concatenate the current user's user name, the current timestamp in milliseconds, the token effective time and the salt value (itself hashed twice with MD5) into one string, and hash that string with MD5 the agreed number of times;
the agreed salt value is the salt, the agreed number of MD5 rounds is the iteration count, the current login user's name is the user name, and the current millisecond timestamp is the timestamp. (MD5 is a hash, not encryption: the token is unforgeable only as long as the salt and iteration count held in the storage service stay secret, since every other input travels in the URL.)
The token delivery rule is as follows: when a multimedia resource is requested over HTTP, the generated token, the millisecond timestamp, the user name and the token effective time are all carried with every request (in this method as URL parameters); their order is irrelevant;
The token verification rule comprises the following steps:
Step C1: concatenate the transmitted timestamp, user name, token effective time and the salt value into a string, hash it the agreed number of times to regenerate the token, and compare the result with the transmitted token: if they differ, the token is invalid and the request is rejected; otherwise proceed to step C2;
Step C2: check whether the current time minus the transmitted timestamp exceeds the token effective time: if so, the token has expired and the request is rejected; otherwise proceed to step C3;
Step C3: look the token up in the token authentication storage: if it exists, the token is valid; otherwise it is invalid;
Step C4: once the token has been validated and the decision returned, delete the stored token, so that it cannot be used a second time.
Preferably, in step 5, adding the token check rule to the nginx-based multimedia resource access service comprises the following steps:
Step D1: parse the parameters passed in the URL; if any parameter is missing, deny access;
Step D2: obtain the salt value and MD5 iteration count needed for the check from the authentication service;
Step D3: check whether the token is valid according to the agreed verification rule; if valid, allow access, otherwise return a 403 error.
The multimedia resource web access rights authentication method of the invention interfaces directly with the application so that the application's access-control decisions map onto multimedia resource access, and applies token verification so that different users have different access rights. It can be deployed in a variety of network environments, and provides high-performance multimedia resource access together with a secure, flexible and self-controlled authentication system.
Drawings
FIG. 1 is a system architecture diagram of the present invention.
Detailed Description
The multimedia resource web access rights authentication method shown in FIG. 1 comprises steps 1 to 6 and, preferably, the token storage steps B1 and B2, the token generation, delivery and verification rules (steps C1 to C4) and the nginx token check steps D1 to D3, exactly as set out under Disclosure of Invention above.
A token is a string generated by the server that the client presents as a credential for subsequent requests: after the first login the server generates a token and returns it to the client, and thereafter the client only needs to present the token with its requests instead of sending the user name and password again.
In this embodiment, nginx is used as the middleware of the multimedia resource service, and redis as the storage medium for authorized tokens.
In this embodiment the application software is illustrated with Java pseudocode and the multimedia resource service with nginx-lua script pseudocode (either can be written in another language as long as the logic is kept consistent). The specific implementation is as follows:
Step S1: the application writes the periodically updated salt value and iteration count to the token storage service:
first, the MD5 iteration count is chosen at random between 1 and 12;
then a salt value is generated at random from digits, letters and special characters; the generated string can be passed as a parameter, and a salt of at least 32 characters is recommended to make guessing harder;
then the salt value and the iteration count are written to the token storage service as key-value pairs with no expiry time, so they persist until the next rotation. (Key-value storage: each key points directly to the memory location of its value, which gives high-performance, high-concurrency reads and writes.)
Step S2: the application performs its permission check, generates the token and writes it to the authorization storage service: once the permission check has passed, the token is generated according to the generation rule and written to the authorization service with the token itself as the key and a timeout of 10 seconds;
Step S3: the multimedia resource is accessed through a URL carrying the token, timestamp and the other required information; the application returns a resource access URL carrying the token, timestamp and the other necessary parameters, each identical to the values used when the token was generated, so that the multimedia resource service can verify the token; otherwise the token is treated as invalid;
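The token generation, delivery and verification rules (steps C1 to C4 and D1 to D3 under Disclosure of Invention) together with steps S1 to S3 of this embodiment, run end to end in Python as an added example; this is not the page's Java or Lua pseudocode. A dictionary with per-key expiry (the hypothetical `TokenStore`) stands in for redis; the key names `media:salt` and `media:times`, the parameter names `token`, `timestamp`, `username` and `ttl`, the `|` separator and the field order are assumptions, since the page fixes none of them. Note that iterated MD5 over a concatenation is not a message authentication code: the only thing that stops a client from minting its own tokens is that the salt and iteration count never leave the storage service. A practitioner building this today would swap `compute_token` for HMAC-SHA256 over the same fields; the shape of the check does not change.

```python
import hashlib
import hmac
import secrets
import string
import time
from urllib.parse import parse_qs, urlencode, urlsplit


class TokenStore:
    """In-memory stand-in for the redis-backed 'token authentication storage
    service' (hypothetical helper; redis keys with a TTL play this role)."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._data = {}  # key -> (value, expiry timestamp or None)

    def set(self, key, value, ttl=None):
        self._data[key] = (value, None if ttl is None else self._clock() + ttl)

    def get(self, key):
        item = self._data.get(key)
        if item is None:
            return None
        value, expires_at = item
        if expires_at is not None and self._clock() >= expires_at:
            del self._data[key]
            return None
        return value

    def delete(self, key):
        return self._data.pop(key, None) is not None


SALT_KEY, TIMES_KEY = "media:salt", "media:times"  # assumed key names
SALT_ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*"


def rotate_secret(store):
    """Step 6 / S1: the application writes a fresh salt (>= 32 characters)
    and a random MD5 iteration count in 1..12 to the store, without expiry."""
    store.set(SALT_KEY, "".join(secrets.choice(SALT_ALPHABET) for _ in range(40)))
    store.set(TIMES_KEY, str(secrets.randbelow(12) + 1))


def compute_token(username, ts_ms, ttl_s, salt, times):
    """Shared generation rule. Assumed reading of the page: the salt is MD5'd
    twice, the four fields are joined with '|', and the string is then MD5'd
    `times` times (the page does not fix the field order or separator)."""
    salted = hashlib.md5(hashlib.md5(salt.encode()).hexdigest().encode()).hexdigest()
    digest = f"{username}|{ts_ms}|{ttl_s}|{salted}"
    for _ in range(times):
        digest = hashlib.md5(digest.encode()).hexdigest()
    return digest


def issue_media_url(store, resource_url, username, ttl_s=60, clock=time.time):
    """Steps A2-A3 / S2-S3, run by the application after its own permission
    table said yes: generate the token, store it for 10 s (S2) and splice the
    delivery parameters onto the resource URL."""
    ts_ms = int(clock() * 1000)
    token = compute_token(username, ts_ms, ttl_s,
                          store.get(SALT_KEY), int(store.get(TIMES_KEY)))
    store.set(token, username, ttl=10)
    query = urlencode({"token": token, "timestamp": ts_ms,
                       "username": username, "ttl": ttl_s})
    return f"{resource_url}?{query}"


def check_media_request(store, url, clock=time.time):
    """Steps D1-D3 / C1-C4, run by the resource server on every request.
    Returns (allowed, reason); anything but (True, 'ok') becomes a 403."""
    args = {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
    try:  # D1: all delivery parameters must be present and well formed
        token, username = args["token"], args["username"]
        ts_ms, ttl_s = int(args["timestamp"]), int(args["ttl"])
    except (KeyError, ValueError):
        return False, "missing parameter"
    salt, times = store.get(SALT_KEY), store.get(TIMES_KEY)  # D2
    if salt is None or times is None:
        return False, "secret not configured"
    # C1: recompute with the salt and count currently in the store, so a
    # rotation by the application silently invalidates older tokens
    expected = compute_token(username, ts_ms, ttl_s, salt, int(times))
    if not hmac.compare_digest(expected.encode(), token.encode()):
        return False, "bad token"
    # C2: the token's own effective time, measured from its timestamp
    if clock() * 1000 - ts_ms > ttl_s * 1000:
        return False, "expired"
    # C3/C4: must still be in the store, and is consumed on first use
    if store.get(token) is None:
        return False, "unknown or already used"
    store.delete(token)
    return True, "ok"


if __name__ == "__main__":
    store = TokenStore()
    rotate_secret(store)
    url = issue_media_url(store, "https://media.example.com/v/lesson1.mp4", "alice")
    print(url)
    print(check_media_request(store, url))  # (True, 'ok')
    print(check_media_request(store, url))  # second use is refused
```

The order of the checks matters: C1 runs before any store lookup so that a forged token costs the verifier one hash chain and no redis round trip, and C4 deletes the key only after the decision, which is what makes the 10-second store lifetime (S2) and the per-token effective time (C2) two separate limits rather than one.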
Step S4: the multimedia resource nginx server exposes the resources on the server for web access, configured through nginx's nginx.conf;
Step S5: supported multimedia resource suffixes:
gif|jpg|png|webp|ts|html|js|key|xml|mp3|mp4|m3u8;
access to these multimedia resources is supported, and further suffix types can be added directly if needed;
The invention applies basic security hardening in the configuration: a domain (referer) restriction is added to prevent hotlinking; a cross-origin restriction is added, which allows the application and the multimedia resource service to be decoupled on the network; and dangerous HTTP methods are disabled, namely OPTIONS, PUT (file upload), DELETE (file deletion), COPY (file copy), MOVE (file move), SEARCH (file search) and PROPFIND (file retrieval);
The invention also enables GZIP compression for some file types to improve network transfer efficiency.
Step S6: the multimedia resource service fetches the salt value and iteration count from the token storage service (Lua-based pseudocode): a Lua code block (Lua is a lightweight, high-performance scripting language implemented in C) is embedded in the nginx configuration file and executed on every request;
In this embodiment it connects to redis (an open-source, high-performance in-memory key-value database with persistence) by IP address and port, and also supports a redis connection password and selection of a specific database index (redis supports multiple databases).
After connecting, the salt value and iteration count are read by key, and the token is then checked.
Step S7: the multimedia resource service checks the token and deletes it once the check passes: it reads the request parameters from the URL, extracts the required parameter information, recomputes the token with the same algorithm using the fetched salt and MD5 iteration count, compares the result, and checks whether the token has timed out and whether it satisfies the generation rule. If the check passes, the request is released; if not, an error is returned to the browser and access is refused;
In this embodiment, the complete nginx configuration works as follows: every request for a multimedia resource through nginx must execute the Lua script to verify the request's validity. If the application changes the salt value or iteration count, the nginx-based multimedia resource access service needs no adjustment, because every request fetches them afresh from the redis token authorization service.
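Steps S4 to S7 as an added example of the nginx side; this is not the page's own configuration or its Lua pseudocode. The server block carries the hardening S4/S5 describe (suffix whitelist, referer-based domain restriction, cross-origin header, method restriction, gzip) and an `access_by_lua_block` that re-reads the salt and iteration count from redis on every request and applies C1 to C4. It assumes OpenResty (ngx_http_lua_module with `lua-resty-redis`), redis on 127.0.0.1:6379, the key names `media:salt` and `media:times`, the URL parameters `token`, `timestamp`, `username` and `ttl`, and the concatenation `username|timestamp|ttl|md5(md5(salt))` hashed `times` times; host names and paths are placeholders. Two practitioner caveats: `valid_referers none` admits requests with no Referer header (many players and direct loads send none), so the referer rule only deters casual hotlinking while the token check is what enforces access; and because each token is single-use, a player that fetches an `m3u8` playlist and then its `ts` segments needs a fresh token per request from the application.

```nginx
# Resource server for the multimedia cluster (added example; placeholders throughout)
server {
    listen 80;
    server_name media.example.com;
    root /srv/media;

    gzip on;                                  # compress text-like files only
    gzip_types text/html application/javascript application/xml
               application/vnd.apple.mpegurl;

    # S5: only the listed suffixes are served; extend the list as needed
    location ~* \.(gif|jpg|png|webp|ts|html|js|key|xml|mp3|mp4|m3u8)$ {
        # domain restriction against hotlinking (the application's host)
        valid_referers none blocked server_names app.example.com;
        if ($invalid_referer) { return 403; }

        # cross-domain: the decoupled application origin only
        add_header Access-Control-Allow-Origin "https://app.example.com" always;

        # refuse OPTIONS, PUT, DELETE, COPY, MOVE, SEARCH, PROPFIND, ...
        limit_except GET HEAD { deny all; }

        access_by_lua_block {
            -- S6/S7: runs on every request; salt and iteration count are
            -- re-read from redis each time, so rotation needs no reload
            local redis = require "resty.redis"
            local red = redis:new()
            red:set_timeout(1000)
            local ok, err = red:connect("127.0.0.1", 6379)
            if not ok then
                ngx.log(ngx.ERR, "redis connect failed: ", err)
                return ngx.exit(ngx.HTTP_SERVICE_UNAVAILABLE)
            end
            -- red:auth("secret") and red:select(0) would go here if configured
            local salt = red:get("media:salt")
            local times = tonumber(red:get("media:times"))
            if type(salt) ~= "string" or not times then
                return ngx.exit(ngx.HTTP_SERVICE_UNAVAILABLE)   -- D2: secret unavailable
            end
            -- D1: every delivery parameter must be present, exactly once, and numeric where required
            local a = ngx.req.get_uri_args()
            local function str(v) return type(v) == "string" and v or nil end
            local token, user, ts, ttl = str(a.token), str(a.username), str(a.timestamp), str(a.ttl)
            if not (token and user and ts and ttl and tonumber(ts) and tonumber(ttl)) then
                return ngx.exit(ngx.HTTP_FORBIDDEN)
            end
            -- C1: same concatenation and MD5 iteration as the application side
            local digest = user .. "|" .. ts .. "|" .. ttl .. "|" .. ngx.md5(ngx.md5(salt))
            for _ = 1, times do digest = ngx.md5(digest) end
            if digest ~= token then return ngx.exit(ngx.HTTP_FORBIDDEN) end
            -- C2: ngx.now() is seconds with millisecond resolution
            if ngx.now() * 1000 - tonumber(ts) > tonumber(ttl) * 1000 then
                return ngx.exit(ngx.HTTP_FORBIDDEN)
            end
            -- C3/C4: the token must still be stored, and is deleted on first use
            local stored = red:get(token)
            if not stored or stored == ngx.null then
                return ngx.exit(ngx.HTTP_FORBIDDEN)
            end
            red:del(token)
            red:set_keepalive(10000, 100)
        }
    }
}
```

A redis outage is answered with 503 rather than 403 so that it shows up in monitoring as an infrastructure failure instead of a flood of authorization denials; and a non-string parameter (a repeated `?token=a&token=b`, which `ngx.req.get_uri_args()` returns as a table) is rejected before any string concatenation would raise a Lua error and turn into a 500.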
The invention provides a multimedia resource web access authority authentication method that interfaces directly with an application, so that the access control defined in the application is mapped onto multimedia resource access, and applies token-check authentication so that different users receive different access rights.
The invention is decoupled from the application, does not affect the installation and deployment of the application, and improves the access performance of the application:
because the method is decoupled from the application, a distributed cluster deployment does not need to take the storage location or access path of the multimedia resources into account; distributed deployment is achieved simply by placing the media packages built by the method on multiple nodes.
The multimedia resource service is accessed through an independent URL rather than through the application, that is, all access requests go directly to the multimedia resource service without being forwarded by the application. The application is therefore free to handle the database transactions, in-memory computation and high-concurrency requests it is best suited to, while the multimedia resource service is dedicated to transmitting the various resource types, which effectively improves the access performance of the application.
The invention offers simpler installation and deployment: multimedia resource access is achieved with modest configuration requirements and without purchasing a commercial service:
on a server running any operating system (Linux, Windows), an nginx multimedia resource access service can be set up very quickly, and an in-memory store such as redis or memcache can be installed just as easily to serve as the token authentication service. Connecting the two is also very simple.
The configuration requirements are low: a multimedia resource access service supporting high concurrency can be built on a server or a personal PC, and good multimedia resource access can be provided without relying on a commercial service.
The invention can use nginx for comprehensive control of concurrent requests, network transmission and connection-state monitoring:
the number of concurrent connections and requests can be limited with the nginx token-bucket rate-limiting algorithm, preventing excessive requests from blocking access to the multimedia resource service.
The number of connections and the transfer rate of a given IP can be controlled with limit_rate together with limit_conn, so that bandwidth is fully used and a single IP is prevented from occupying too much network bandwidth.
The status information of nginx can be monitored with the http_stub_status_module.
The invention suits various network deployment schemes:
the method does not depend on a commercial public-network service: it can be built within a local area network, with access to the multimedia resource service provided through intranet IP addresses, and can be deployed wherever the nodes share the same physical network, so it is highly adaptable.
The high-performance multimedia resource access of the invention is achieved as follows:
because the multimedia resources are decoupled from the application, separate bandwidth and dedicated high-performance read servers can be allocated to them, improving access performance at the hardware level.
Next, the multi-worker process mechanism of nginx makes full use of the server's CPU cores by starting several processes that handle access requests concurrently.
If the server has sufficient CPU resources, gzip compression effectively reduces the size of the transmitted multimedia resources, lowering bandwidth use and raising the transfer rate.
The invention provides a secure, flexible and autonomous security authentication scheme:
the default scheme generates tokens from a salt value plus multiple rounds of md5, but other schemes such as asymmetric or symmetric encryption can equally be used for generation, as long as the application and the multimedia resource service use the same generation and verification method; the choice is very flexible.
A dedicated authentication key storage service holds the salt value and encryption count needed for encryption as well as the tokens actually generated, and the salt value and encryption count are regenerated at random at regular intervals, greatly reducing the risk of leakage. Access to the authentication key storage service is restricted by an intranet firewall to specific ports and IP addresses and protected by username and password verification, so that only the application can reach it, which improves storage security.
Because the access control scheme is a simple programmed one, a custom token generation and verification algorithm can be added while encryption security is preserved, and the code can be adapted to the user's specific business needs, yielding a fully autonomous access control system.

Claims (3)

1. A multimedia resource web access authority authentication method, characterized in that the method comprises the following steps:
step 1: establishing an independent nginx-based http multimedia resource server cluster, wherein the multimedia resource server cluster and the application software are independent of each other, and the multimedia resource server cluster serves clients using its own bandwidth resources;
the multimedia resource server cluster is used for providing multimedia resource services;
the multimedia resource server cluster is accessed through an http link embedded in the web application; the application software is deployed on an application server, and the application server and the multimedia resource server cluster are independent;
step 2: establishing an in-memory token authentication key storage service, namely the token authentication storage service, in the multimedia resource server cluster;
step 3: the multimedia resource service and the application software share a token generation rule, a token transmission rule and a token verification rule;
in step 3, the token encryption generation rule is as follows: the username of the currently logged-in user, the current timestamp accurate to the millisecond, the token validity time and the salt value encrypted twice by md5 are concatenated into a string, which is then md5-encrypted the agreed number of times;
the agreed encryption salt value is referred to as the salt value, the agreed number of md5 rounds as the encryption count, the name of the currently logged-in user as the encrypted username, and the current timestamp accurate to the millisecond as the timestamp;
the token transmission rule is as follows: when multimedia resource transmission is requested over http, the 5 parameters, namely the generated token, the millisecond timestamp, the encrypted username and the token validity time, are carried in the data of every request, in any order;
the token validity check rule comprises the following steps:
step C1: concatenating the transmitted timestamp + username + token validity time + salt value into a string, encrypting it the agreed number of times to generate a token, and judging whether the generated token equals the transmitted token: if not, the token is invalid and step C1 is returned to; otherwise the token is valid and step C2 is executed;
step C2: judging whether the current time minus the transmitted timestamp is greater than the token validity time: if so, the token has expired and step C1 is executed; otherwise step C3 is executed;
step C3: looking the token up in the token authentication storage service: if the token exists it is considered valid, otherwise invalid;
step C4: once the token has been verified as valid and the validity result is returned, deleting the token from the token authentication storage service;
step 4: the application software generates a token as follows:
step A1: when a user accesses multimedia resources through the application software, the application software obtains the current user's login information using session technology;
step A2: querying the user permission table in the database on the server hosting the application software to judge whether the user may access the multimedia resources: if so, generating a token according to the token generation rule, adding the token to the token authentication storage service, and executing step A3; otherwise, returning a verification failure message and executing step A1;
step A3: the application software appends the token, as URL parameters according to the token transmission rule, to the access URL provided by the multimedia resource service;
step 5: establishing an nginx-based web file access service in the multimedia resource service and configuring access addresses for resources, supporting pictures, video and audio;
adding the token check rule to the nginx-based multimedia resource access service;
step 6: the application software periodically changes the encryption salt value and the encryption count stored in the authentication key storage service.
2. The method of claim 1, wherein step 2 specifically comprises the following steps:
step B1: storing the token in memory with a fixed lifetime, after which it becomes invalid, while also ensuring that each token can be used only once;
step B2: the application software stores the agreed encryption salt and the agreed md5 encryption count, in encrypted form, in the authentication key storage service.
3. The method of claim 1, wherein in step 5 adding the token check rule to the nginx-based multimedia resource access service specifically comprises the following steps:
step D1: parsing and obtaining the parameters transmitted in the URL, and denying access if any parameter is missing;
step D2: obtaining the salt value and md5 encryption count required for encryption from the video authentication service for token verification;
step D3: checking whether the token is valid according to the agreed check rule; if so, allowing access, otherwise returning a 403 error.
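As an added illustration that is not the patent's own Lua/nginx code, the following Python models both sides of the scheme described in steps S6/S7 and claims 1 to 3: token generation per the stated rule, URL parameter splicing (steps A2/A3), and the nginx-side check D1 to D3 with C1 to C4, including single-use deletion and the secret rotation of step 6. Plain dictionaries stand in for the redis key store, the URL parameter names are assumed, and reading "salt encrypted twice by md5" as hashing the salt twice before concatenation is an assumption.

```python
import hashlib
import hmac
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed stand-ins for the in-memory "token authentication storage service":
# one dict for the agreed salt and md5 count, one for issued single-use tokens.
KEY_STORE = {"salt": "constructed-salt-2020", "md5_times": 3}
TOKEN_STORE = {}  # token -> expiry (ms); redis EXPIRE would play this role

def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()

def derive_token(username, ts_ms, ttl_ms, salt, times):
    """Claim 1 rule: username + timestamp + validity time + salt hashed twice
    with md5, then md5 applied the agreed number of times (assumed reading)."""
    digest = f"{username}{ts_ms}{ttl_ms}{md5_hex(md5_hex(salt))}"
    for _ in range(times):
        digest = md5_hex(digest)
    return digest

def issue_url(base_url, username, ttl_ms, now_ms=None):
    """Application side (steps A2-A3): generate, register and splice the token.
    Parameter names token/timestamp/username/expire are assumed, not the page's."""
    now_ms = int(time.time() * 1000) if now_ms is None else now_ms
    token = derive_token(username, now_ms, ttl_ms, KEY_STORE["salt"], KEY_STORE["md5_times"])
    TOKEN_STORE[token] = now_ms + ttl_ms
    params = {"token": token, "timestamp": now_ms, "username": username, "expire": ttl_ms}
    return f"{base_url}?{urlencode(params)}"

def check_request(url, now_ms=None):
    """nginx/Lua side (steps D1-D3 with C1-C4). Returns (allowed, reason);
    a False result corresponds to the 403 of step D3."""
    now_ms = int(time.time() * 1000) if now_ms is None else now_ms
    q = parse_qs(urlparse(url).query)  # parameter order does not matter
    try:  # D1: every parameter must be present and well-formed
        token, username = q["token"][0], q["username"][0]
        ts_ms, ttl_ms = int(q["timestamp"][0]), int(q["expire"][0])
    except (KeyError, ValueError):
        return False, "missing parameter"
    # D2 + C1: recompute with the salt and count currently in the key store
    expected = derive_token(username, ts_ms, ttl_ms, KEY_STORE["salt"], KEY_STORE["md5_times"])
    if not hmac.compare_digest(expected.encode(), token.encode()):
        return False, "token mismatch"
    if now_ms - ts_ms > ttl_ms:  # C2: expired
        return False, "token expired"
    if token not in TOKEN_STORE:  # C3: unknown or already used
        return False, "token not registered"
    del TOKEN_STORE[token]  # C4: one token, one use
    return True, "ok"

def rotate_secret(salt, times):
    """Step 6 / claim 2: the application replaces salt and count; old tokens fail C1."""
    KEY_STORE["salt"], KEY_STORE["md5_times"] = salt, times
```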
CN202011259027.4A 2020-11-12 2020-11-12 Multimedia resource web access authority authentication method Active CN112104673B (en)
Publications (2)

Publication Number Publication Date
CN112104673A CN112104673A (en) 2020-12-18
CN112104673B true CN112104673B (en) 2021-04-06
Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant