CN112311788A - Access control method, device, server and medium - Google Patents
Publication number: CN112311788A (application number CN202011173761.9A)
Authority: CN (China)
Legal status: Pending
Classifications
- H04L63/0281: Network security, separating internal from external traffic (e.g. firewalls); proxies
- H04L63/0807: Network security, authentication of entities using tickets, e.g. Kerberos
- H04L63/10: Network security, controlling access to devices or network resources
Abstract
Embodiments of the invention disclose an access control method, an access control device, a server and a medium. The method runs on a trusted application programming interface (API) proxy device that is in communication with an application front end and with at least one application back end, and comprises the following steps: receiving and caching user authentication information sent by an authentication server, together with authorization information between users and service interfaces sent by an authorization server; receiving from the application front end an access request for a service interface of an application back end, verifying the access request against the user authentication information and the authorization information, and determining the access authority of the access request; and sending an access request that has access authority to the application back end corresponding to the request. The technical scheme of the embodiments solves the network security problem that arises when no dynamic access control is applied to the service interface at the point where the application front end accesses the application back end; it simplifies the authentication process of the application system and improves security when the application front end accesses the application back end.
Description
Technical Field
Embodiments of the invention relate to the technical field of network security, and in particular to an access control method, an access control device, a server and a medium.
Background
Currently, the typical Internet infrastructure of an enterprise is becoming more complex, and one enterprise may operate multiple internal networks. This complexity has outgrown traditional perimeter-based network security policies, since there is no longer a single, clearly discernible enterprise border. Furthermore, perimeter-based network security control has shown significant shortcomings: as soon as an attacker breaches the perimeter, further lateral movement is unimpeded.
In this context, applications are separated into three parts, an application front end, an application back end and a data service, with the goals of security, trust and compliance. The application front end renders pages, and the application back end provides the service-processing logic for the front end and calls the data service. This front/back separation avoids exposing the data service directly to the application front end, strengthens the protection of core data assets, and improves the security of the application system and its data resources.
At present, when a terminal accesses a system whose front and back ends are separated, access control such as user identity authentication and application authorization can be performed when the terminal accesses the application front end, but access control is rarely performed on the service interface when the application front end accesses the application back end. This causes network security problems such as data leakage and leaves a serious potential safety hazard.
Disclosure of Invention
Embodiments of the present invention provide an access control method, an access control device, a server and a medium, so as to provide a single access entry, simplify the authentication process of the application system, and improve security when the application front end accesses the application back end.
In a first aspect, an embodiment of the present invention provides an access control method applied to a trusted application programming interface (API) proxy device, where the trusted API proxy device is in communication with an application front end and with at least one application back end, and the method includes:
receiving and caching user authentication information sent by an authentication server and authorization information between users and service interfaces sent by an authorization server;
receiving from the application front end an access request for a service interface of an application back end, verifying the access request against the user authentication information and the authorization information, and determining the access authority of the access request;
and sending an access request that has access authority to the application back end corresponding to the access request.
In a second aspect, an embodiment of the present invention further provides an access control apparatus configured in a trusted API proxy device, where the trusted API proxy device is in communication with an application front end and with at least one application back end, and the apparatus includes:
an information receiving module, configured to receive and cache the user authentication information sent by the authentication server and the authorization information between users and service interfaces sent by the authorization server;
an access authority determining module, configured to receive from the application front end an access request for a service interface of an application back end, verify the access request against the user authentication information and the authorization information, and determine the access authority of the access request;
and an access request sending module, configured to send an access request that has access authority to the application back end corresponding to the access request.
In a third aspect, an embodiment of the present invention further provides a server, where the server includes:
one or more processors;
storage means for storing one or more programs;
wherein the one or more programs, when executed by the one or more processors, cause the one or more processors to implement the access control method provided by any embodiment of the invention.
In a fourth aspect, embodiments of the present invention further provide a computer-readable storage medium on which a computer program is stored, where the program, when executed by a processor, implements the access control method provided by any embodiment of the present invention.
The embodiments of the invention run on a trusted API proxy device that is in communication with an application front end and with at least one application back end. The device receives and caches user authentication information sent by an authentication server and authorization information between users and service interfaces sent by an authorization server; receives from the application front end an access request for a service interface of an application back end, verifies the access request against the user authentication information and the authorization information, and determines the access authority of the request; and sends a request that has access authority to the application back end corresponding to it. This solves the network security problem that arises when, after a business system has been split into front end and back end, no dynamic access control is applied to the service interface when the application front end accesses the application back end; it simplifies the authentication process of the application system and improves security when the application front end accesses the application back end.
Drawings
Fig. 1 is a flowchart of an access control method according to a first embodiment of the present invention;
Fig. 2 is a schematic deployment diagram of a trusted application programming interface (API) proxy device according to an embodiment of the present invention;
Fig. 3 is a flowchart of an application front end accessing an application back end according to the first embodiment of the present invention;
Fig. 4 is a flowchart of an access control method according to a second embodiment of the present invention;
Fig. 5 is a block diagram of an access control apparatus according to a third embodiment of the present invention;
Fig. 6 is a schematic structural diagram of a server according to a fourth embodiment of the present invention.
Detailed Description
The present invention will be described in further detail with reference to the accompanying drawings and examples. It is to be understood that the specific embodiments described herein are merely illustrative of the invention and are not limiting of the invention. It should be further noted that, for the convenience of description, only some of the structures related to the present invention are shown in the drawings, not all of the structures.
Example one
Fig. 1 is a flowchart of an access control method according to an embodiment of the present invention. The embodiment applies to the case in which an application front end accesses an application back end. The method runs on a trusted application programming interface (API) proxy device that is in communication with the application front end and with at least one application back end, may be executed by an access control apparatus, and specifically includes the following steps:
S110: receive and cache the user authentication information sent by the authentication server and the authorization information between users and service interfaces sent by the authorization server.
Fig. 2 is a schematic deployment diagram of the trusted API proxy device, which is in communication with an application front end and with at least one application back end. The application server generates a user token used to verify authority to access the application back end and returns the user token to the application front end. The trusted API proxy device receives the user authentication information sent by the authentication server and the authorization information between users and service interfaces sent by the authorization server, caches both, and uses them to verify a user's authority to access the application back end.
S120: receive from the application front end an access request for a service interface of the application back end, verify the access request against the user authentication information and the authorization information, and determine the access authority of the access request.
When the application front end accesses the application back end, the front end sends the access request to the trusted API proxy device, which verifies the request and determines whether it has access authority.
Optionally, the access request includes a user token and an identifier of the service interface to be accessed. Verifying the access request against the user authentication information and the authorization information and determining its access authority then comprises: verifying the user token against the user authentication information to determine the validity of the token; and, after the user token passes verification, verifying the identifier of the back-end service interface to be accessed against the authorization information to determine the user's access authority for that service interface. The trusted API proxy device verifies the user token against the cached user authentication information sent by the authentication server, checking the user information carried in the token and whether the token has expired. If verification passes, the user is shown to be entitled to access the application back end. When there are several application back ends, the user's authority to call a service interface within them is verified through the authorization information between the user and the service interface sent by the authorization server. When the validity check of the user token passes and the identifier of the service interface to be accessed carries the authority to call that interface, the user's access request is determined to have authority to call the back-end service interface.
As shown in Fig. 2, the zero-trust service includes a user token authentication service provided by the authentication server. Optionally, verifying the user token against the user authentication information to determine its validity comprises: when the trusted API proxy device has cached user authentication information corresponding to the user token, verifying the token against the cached user authentication information to determine its validity; and, as shown in Fig. 3, when the trusted API proxy device has not cached user authentication information corresponding to the token, calling the user authentication server interface through the trusted proxy control service, which provides the authentication service, verifies the user token and determines its validity. Over the whole life cycle of a user token (token application, renewal and destruction) the authentication server sends the user authentication information to the trusted API proxy device through a RocketMQ message mechanism, and the trusted API proxy device caches the user authentication information in Redis. When the authentication server fails to deliver user authentication information to the trusted API proxy device, however, the proxy device will not hold all of the user authentication information that exists on the authentication server.
When user authentication information corresponding to the user token is cached in the trusted API proxy device, the token is verified against the cached information and its validity determined; when it is not cached, the trusted API proxy device calls the user authentication server interface through the trusted proxy control service to verify the token, and the determination of its validity continues there. If the token is invalid, an error message and error code are returned directly. Otherwise, verification continues with whether the user has authority to call the service interface.
As shown in Fig. 2, the zero-trust service further includes a service provided by the authorization server for determining the user's access authority for the service interface to be accessed. Optionally, verifying the identifier of the back-end service interface to be accessed against the authorization information and determining the user's access authority for it comprises: when the trusted API proxy device has cached authorization information corresponding to the identifier of the service interface to be accessed, determining the user's access authority from the cached authorization information and the identifier of the back-end service interface to be accessed; and, as shown in Fig. 3, when the trusted API proxy device has not cached that authorization information, calling the authorization server interface through the trusted API proxy control service, which provides the authorization management service, verifies the identifier of the service interface by querying the authority list, and determines the user's access authority for the service interface to be accessed. The authorization server sends the authorization information corresponding to the identifier of the service interface to the trusted API proxy device through a RocketMQ message mechanism, and the trusted API proxy device stores the authorization information in the Redis cache.
When the authorization server fails to deliver authorization information to the trusted API proxy device, however, the proxy device will not hold all of the authorization information that exists on the authorization server. So when no authorization information corresponding to the identifier of the service interface is cached in the trusted API proxy device, the proxy device calls the authorization server interface through the trusted proxy control service to verify the identifier of the service interface, and continues to determine whether that identifier carries authority to call the service interface. In each of the following cases the user is considered to have no authority to call the service interface: the user has been deleted; the user is not matched to a role that holds authority for the service interface; the service interface has been deleted; the service interface has been deactivated; or the role matched to the user holds no authority for the service interface.
S130: send the access request that has access authority to the application back end corresponding to the access request.
When the validity of the user token has been verified and the identifier of the service interface has been verified to carry authority to call the service interface, the access request is determined to have access authority and is sent to the corresponding application back end.
Optionally, the access request further includes an identifier of the application back end to be accessed, and sending the access request to the application back end comprises: when the access request is determined to have access authority, sending it to the corresponding application back end according to the identifier of the back end to be accessed. That is, the access request also carries the identifier of the application back end to be accessed, and once the request has been verified to have access authority, the trusted API proxy device forwards it to the application back end named by that identifier.
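As an added example, not code from the patent or from any implementation of it, the following Python sketch models steps S110 to S130 in one proxy object: token life-cycle and authorization messages populate in-memory caches (standing in for the Redis cache fed over RocketMQ), token validity is checked cache-first with a fallback call to the authentication server interface, interface authority is checked cache-first with a fallback call to the authorization server interface and applies each deny case the text lists, and a permitted request is forwarded to the back end named in the request. All class, field and function names, the sample user, tokens and interface identifiers are assumptions; the check that the requested back-end identifier is the one that serves the interface is an added defensive check that goes slightly beyond the text.

```python
# Added example (not the patent's code): in-memory model of the trusted API
# proxy's access-control path. Dicts stand in for the Redis cache, callables
# for the authentication/authorization server interfaces. All names assumed.
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Set


class AccessDenied(Exception):
    """Raised with the error code the proxy returns instead of forwarding."""
    def __init__(self, code: str):
        super().__init__(code)
        self.code = code


@dataclass
class TokenInfo:
    user_id: str
    expires_at: int  # unix seconds


@dataclass
class InterfaceAuth:
    """Authorization record for one back-end service interface."""
    backend_id: str
    active: bool = True
    roles_allowed: Set[str] = field(default_factory=set)


@dataclass
class TrustedApiProxy:
    # S110 caches, filled by MQ messages (Redis in the patent, dicts here).
    token_cache: Dict[str, TokenInfo] = field(default_factory=dict)
    user_roles: Dict[str, Set[str]] = field(default_factory=dict)  # absent user == deleted
    auth_cache: Dict[str, InterfaceAuth] = field(default_factory=dict)
    # Fallbacks consulted on a cache miss (hypothetical server interfaces).
    auth_server_lookup: Optional[Callable[[str], Optional[TokenInfo]]] = None
    authz_server_lookup: Optional[Callable[[str], Optional[InterfaceAuth]]] = None
    backends: Dict[str, Callable[[dict], dict]] = field(default_factory=dict)

    # S110: token life-cycle messages (apply / renew / destroy) update the cache.
    def on_token_message(self, event: str, token: str, info: Optional[TokenInfo] = None) -> None:
        if event in ("apply", "renew") and info is not None:
            self.token_cache[token] = info
        elif event == "destroy":
            self.token_cache.pop(token, None)

    # S110: authorization messages; a None record means the interface was deleted.
    def on_authz_message(self, interface_id: str, record: Optional[InterfaceAuth]) -> None:
        if record is None:
            self.auth_cache.pop(interface_id, None)
        else:
            self.auth_cache[interface_id] = record

    # S120 step 1: token validity, cache first, authentication server on a miss.
    def _verify_token(self, token: str, now: int) -> TokenInfo:
        info = self.token_cache.get(token)
        if info is None and self.auth_server_lookup is not None:
            info = self.auth_server_lookup(token)
            if info is not None:
                self.token_cache[token] = info  # back-fill the cache
        if info is None or info.expires_at <= now:
            raise AccessDenied("TOKEN_INVALID")
        return info

    # S120 step 2: interface authority, cache first, authorization server on a miss.
    def _check_authorization(self, user_id: str, interface_id: str) -> InterfaceAuth:
        record = self.auth_cache.get(interface_id)
        if record is None and self.authz_server_lookup is not None:
            record = self.authz_server_lookup(interface_id)
            if record is not None:
                self.auth_cache[interface_id] = record
        roles = self.user_roles.get(user_id)
        # Deny cases from the text: user deleted, interface deleted/deactivated, no matching role.
        if roles is None or record is None or not record.active or not (roles & record.roles_allowed):
            raise AccessDenied("FORBIDDEN")
        return record

    # S130: forward a permitted request to the back end named in the request;
    # on denial return the error code instead ("error information and code").
    def handle(self, request: dict, now: int) -> dict:
        try:
            info = self._verify_token(request["token"], now)
            record = self._check_authorization(info.user_id, request["interface_id"])
            backend_id = request.get("backend_id", record.backend_id)
            # Added check: the named back end must be the one serving this interface.
            if backend_id != record.backend_id or backend_id not in self.backends:
                raise AccessDenied("BAD_BACKEND")
        except AccessDenied as exc:
            return {"status": 403, "error": exc.code}
        return self.backends[backend_id](request)


def build_sample_proxy() -> TrustedApiProxy:
    """Constructed sample data: one user, two interfaces, one back end."""
    proxy = TrustedApiProxy()
    proxy.user_roles = {"alice": {"analyst"}}
    proxy.on_token_message("apply", "tok-alice", TokenInfo("alice", expires_at=2000))
    proxy.on_authz_message("orders.list", InterfaceAuth("backend-orders", True, {"analyst"}))
    proxy.on_authz_message("orders.delete", InterfaceAuth("backend-orders", True, {"admin"}))
    proxy.backends["backend-orders"] = lambda req: {"status": 200, "served": req["interface_id"]}
    # Fallback for a token whose MQ message was lost: only "tok-late" is known upstream.
    proxy.auth_server_lookup = lambda tok: TokenInfo("alice", 2000) if tok == "tok-late" else None
    return proxy
```

A request with `token="tok-late"` is not in the cache, so `_verify_token` asks the (simulated) authentication server and back-fills the cache, which is the fallback path of Fig. 3; a `destroy` message removes the token, and a `None` authorization record models a deleted interface, so both later requests are denied without any server round trip.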
The trusted API proxy device provides a single access entry from the application front end to the application back ends, unifying identity authentication and authorization. It avoids the various complicated authentication schemes of the individual application back ends, simplifies the verification process of the application system, improves the efficiency of verifying access requests, and reduces the work the construction unit must do to maintain the authorization policy of each application system. The data leakage that can easily occur when the application front end accesses the application back end is avoided, and security when the application front end accesses the application back end is improved.
The technical scheme of this embodiment runs on a trusted API proxy device that is in communication with an application front end and with at least one application back end. The device receives and caches user authentication information sent by an authentication server and authorization information between users and service interfaces sent by an authorization server; receives from the application front end an access request for a service interface of an application back end, verifies the access request against the user authentication information and the authorization information, and determines the access authority of the request; and sends a request that has access authority to the application back end corresponding to it. This solves the network security problem that arises when, after a business system has been split into front end and back end, no dynamic access control is applied to the service interface when the application front end accesses the application back end; it simplifies the authentication process of the application system and improves security when the application front end accesses the application back end.
Example two
Fig. 4 is a flowchart of an access control method provided in a second embodiment of the present invention. This embodiment is further optimised on the basis of the previous one: the access control method further includes receiving a flow control policy and applying flow control to the back-end service interface according to that policy. In this way the number of accesses to and the access time of the application back end are controlled, and access control of the service interface is further realised.
As shown in Fig. 4, the method specifically includes the following steps:
S210: receive and cache the user authentication information sent by the authentication server and the authorization information between users and service interfaces sent by the authorization server.
S220: receive from the application front end an access request for a service interface of the application back end, verify the access request against the user authentication information and the authorization information, and determine the access authority of the access request.
S230: send the access request that has access authority to the application back end corresponding to the access request.
S240: receive a flow control policy, and apply flow control to the back-end service interface according to the flow control policy.
As shown in Fig. 3, a user sets a flow control policy through the trusted proxy control service page; the trusted proxy control service calls the service security policy control service through an interface to issue the flow control policy to the trusted API proxy device, and the trusted API proxy device enforces flow control according to the policy.
Optionally, applying flow control to the back-end service interface according to the flow control policy comprises: according to the flow control policy, implementing flow control of the back-end service interface through the Gateway component (Spring Cloud Gateway) and the Sentinel component (Spring Cloud Sentinel) of Spring Cloud, a toolset for quickly building common patterns of distributed systems. The policy specifies a maximum number of requests per second and a maximum number of connections; Spring Cloud Gateway controls the access time, and Spring Cloud Sentinel controls the maximum number of requests per second and the maximum number of connections.
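As an added example, not code from the patent and not Spring Cloud Gateway or Sentinel code, the following Python sketch shows the three controls the text assigns to those components, an access-time window, a per-second request cap and a concurrent-connection cap, as one in-memory policy object per service interface, including re-issuing a tighter policy from the control service. The class and field names, the hour-of-day window representation and the sample policies are assumptions.

```python
# Added example (not the patent's or Spring Cloud's code): the three controls the
# text assigns to Spring Cloud Gateway (access time) and Sentinel (requests per
# second, connections), modelled as one in-memory policy object. Names assumed.
from collections import deque
from dataclasses import dataclass, field
from typing import Deque, Optional


@dataclass
class FlowControlPolicy:
    """Policy as issued by the control service; hours are local clock hours."""
    interface_id: str
    window_start_hour: int  # inclusive, 0-23
    window_end_hour: int    # exclusive; <= start means the window crosses midnight
    max_requests_per_second: int
    max_connections: int


@dataclass
class InterfaceFlowControl:
    policy: FlowControlPolicy
    _admitted: Deque[float] = field(default_factory=deque)  # timestamps of admitted requests
    _open_connections: int = 0

    def update_policy(self, policy: FlowControlPolicy) -> None:
        """Apply a newly issued policy; counters carry over so a tighter cap bites at once."""
        self.policy = policy

    def _in_access_window(self, hour_of_day: int) -> bool:
        start, end = self.policy.window_start_hour, self.policy.window_end_hour
        if start < end:
            return start <= hour_of_day < end
        return hour_of_day >= start or hour_of_day < end  # window crossing midnight

    def admit(self, now: float, hour_of_day: int) -> Optional[str]:
        """Return None to forward the request, or the reason it is rejected."""
        if not self._in_access_window(hour_of_day):
            return "OUTSIDE_ACCESS_WINDOW"
        # Sliding one-second window over admitted requests.
        while self._admitted and now - self._admitted[0] >= 1.0:
            self._admitted.popleft()
        if len(self._admitted) >= self.policy.max_requests_per_second:
            return "RATE_LIMITED"
        if self._open_connections >= self.policy.max_connections:
            return "TOO_MANY_CONNECTIONS"
        self._admitted.append(now)
        self._open_connections += 1
        return None

    def release(self) -> None:
        """Call when the forwarded request completes, freeing its connection slot."""
        if self._open_connections > 0:
            self._open_connections -= 1
```

The proxy would call `admit` after the authorization check of S220 and before forwarding in S230, and `release` once the back end has answered; the request cap is evaluated before the connection cap so that a burst is counted even when every slot is busy.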
The technical scheme of this embodiment runs on a trusted API proxy device that is in communication with an application front end and with at least one application back end. The device receives and caches user authentication information sent by an authentication server and authorization information between users and service interfaces sent by an authorization server; receives from the application front end an access request for a service interface of an application back end, verifies the access request against the user authentication information and the authorization information, and determines the access authority of the request; sends a request that has access authority to the application back end corresponding to it; and receives a flow control policy and applies flow control to the back-end service interface according to that policy. This solves the network security problem that arises when, after a business system has been split into front end and back end, no dynamic access control is applied to the service interface when the application front end accesses the application back end; it simplifies the authentication process of the application system and improves security when the application front end accesses the application back end.
EXAMPLE III
Fig. 5 is a schematic structural diagram of an access control apparatus according to a third embodiment of the present invention, where the access control apparatus is configured in a trusted application program interface proxy apparatus, and the trusted application program interface proxy apparatus is respectively connected to an application front end and at least one application rear end in a communication manner, where the apparatus includes: an information receiving module 310, an access right determining module 320, and an access request transmitting module 330.
The information receiving module 310 is configured to receive and cache user authentication information sent by an authentication server and authorization information between a user and a service interface sent by an authorization server; an access authority determining module 320, configured to receive an access request of an application postposition service interface sent by the application preposition, verify the access request according to the user authentication information and the authorization information, and determine an access authority of the access request; the access request sending module 330 is configured to send an access request with access right to an application post corresponding to the access request.
Further, the access request includes: a user token and an identification of a service interface to be accessed.
In the technical solution of the above embodiment, the access right determining module 320 includes:
the token validity determining unit is used for verifying the user token according to the user authentication information and determining the validity of the user token;
and the access authority determining unit is used for verifying the identifier of the application postposition service interface to be accessed according to the authorization information after the user token passes the verification, and determining the access authority of the user to the service interface to be accessed.
In the technical solution of the above embodiment, the token validity determining unit is specifically configured to, when the trusted application program interface proxy apparatus caches user authentication information corresponding to a user token, verify the user token according to the cached user authentication information, and determine validity of the user token; and when the trusted application program interface agent device does not cache the user authentication information corresponding to the user token, calling a user authentication server interface to verify the user token and determining the validity of the user token.
In the technical solution of the above embodiment, the access right determining unit is specifically configured to determine, when the trusted application program interface proxy apparatus caches authorization information corresponding to the identifier of the service interface to be accessed, an access right of the service interface to be accessed by the user according to the cached authorization information and the identifier of the application postposition service interface to be accessed; and when the trusted application program interface agent device does not cache the authorization information corresponding to the identifier of the service interface to be accessed, verifying the identifier of the service interface to be accessed by calling an authorization server interface, and determining the access authority of the service interface to be accessed by the user.
In the technical solution of the above embodiment, the access control apparatus further includes:
and the flow control module is used for receiving a flow control policy and carrying out flow control on the application back-end service interface according to the flow control policy.
In the technical solution of the above embodiment, the flow control module is specifically configured to implement flow control on the application back-end service interface, according to the flow control policy, through the gateway component and the sentinel component of a tool set for quickly building common patterns of a distributed system.
Further, the access request further includes an identifier of the application back-end to be accessed;
in the technical solution of the foregoing embodiment, the access request sending module is specifically configured to, when it is determined that the access request has the access authority, send the access request to the corresponding application back-end according to the identifier of the application back-end to be accessed.
In the technical scheme of this embodiment, the access control apparatus is configured in a trusted application program interface proxy apparatus that is communicatively connected to an application front end and to at least one application back end. The apparatus receives and caches the user authentication information sent by the authentication server and the authorization information between users and service interfaces sent by the authorization server; receives an access request for an application back-end service interface sent by the application front end, verifies the access request against the user authentication information and the authorization information, and determines the access authority of the access request; and sends an access request that has the access authority to the application back-end corresponding to it. This addresses the network security problem that arises when, after a business system has been split into a front end and a back end, the application front end accesses the application back end without dynamic access control on the service interface; it simplifies the authentication flow of the application system and improves the security of front-end access to the back end.
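As an added illustration (not code from the patent or its applicant), the following Python models the decision path of the units described above: cache-first validation of the user token with fallback to the authentication server interface, cache-first lookup of the user's authorization for the requested interface with fallback to the authorization server interface, and forwarding by the application back-end identifier. The server interfaces, data shapes, names and sample records are assumptions constructed for the example.

```python
# Added example modelling the trusted API proxy's access decision (not the patent's code).
# Server interfaces, data shapes and names are assumptions for illustration.
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessRequest:
    user_token: str    # user token carried by the application front end
    interface_id: str  # identifier of the back-end service interface to access
    backend_id: str    # identifier of the application back-end to forward to


class TrustedApiProxy:
    def __init__(self, auth_server, authz_server, backends):
        # auth_server(token) -> {"user_id", "expiry"} or None; authz_server(interface_id)
        # -> set of authorized user ids or None. Both stand in for the server interfaces.
        self.auth_server, self.authz_server = auth_server, authz_server
        self.backends = backends  # backend_id -> set of interface ids it serves
        self.auth_cache = {}      # token -> authentication info pushed or fetched
        self.authz_cache = {}     # interface_id -> set of authorized user ids
        self.server_calls = {"auth": 0, "authz": 0}  # fallback calls, for inspection

    # Servers push data to the proxy, which caches it (information receiving module).
    def push_auth(self, token, user_id, expiry):
        self.auth_cache[token] = {"user_id": user_id, "expiry": expiry}

    def push_authz(self, interface_id, user_ids):
        self.authz_cache[interface_id] = set(user_ids)

    def _validate_token(self, token, now):
        """Cache first; on a miss call the authentication server interface."""
        info = self.auth_cache.get(token)
        if info is None:
            self.server_calls["auth"] += 1
            info = self.auth_server(token)
            if info is not None:
                self.auth_cache[token] = info
        if info is None or info["expiry"] <= now:
            self.auth_cache.pop(token, None)  # never keep an expired token cached
            return None
        return info["user_id"]

    def _authorized(self, user_id, interface_id):
        """Cache first; on a miss call the authorization server interface."""
        users = self.authz_cache.get(interface_id)
        if users is None:
            self.server_calls["authz"] += 1
            users = self.authz_server(interface_id)
            if users is not None:
                self.authz_cache[interface_id] = set(users)
        return users is not None and user_id in users

    def handle(self, req, now):
        """Return ("forward", backend_id) or ("deny", reason); deny is the default."""
        user_id = self._validate_token(req.user_token, now)
        if user_id is None:
            return ("deny", "invalid or expired user token")
        if not self._authorized(user_id, req.interface_id):
            return ("deny", "user not authorized for interface")
        served = self.backends.get(req.backend_id)
        if served is None or req.interface_id not in served:
            return ("deny", "unknown back-end or interface not served by it")
        return ("forward", req.backend_id)


# Constructed stand-ins for the two servers (dict lookups play the server interfaces).
AUTH_RECORDS = {"tok-alice": {"user_id": "alice", "expiry": 2000},
                "tok-bob": {"user_id": "bob", "expiry": 2000},
                "tok-old": {"user_id": "carol", "expiry": 500}}
AUTHZ_GRANTS = {"orders.read": {"alice"}, "orders.write": {"alice", "bob"}}


def demo():
    # Constructed scenario: one fully cached request, then fallback and deny paths.
    proxy = TrustedApiProxy(AUTH_RECORDS.get, AUTHZ_GRANTS.get,
                            {"orders-svc": {"orders.read", "orders.write"}})
    proxy.push_auth("tok-alice", "alice", 2000)  # pushed by the authentication server
    proxy.push_authz("orders.read", {"alice"})   # pushed by the authorization server
    results = [
        proxy.handle(AccessRequest("tok-alice", "orders.read", "orders-svc"), now=1000),
        proxy.handle(AccessRequest("tok-bob", "orders.write", "orders-svc"), now=1000),
        proxy.handle(AccessRequest("tok-old", "orders.read", "orders-svc"), now=1000),
        proxy.handle(AccessRequest("tok-bob", "orders.read", "orders-svc"), now=1000),
        proxy.handle(AccessRequest("tok-alice", "orders.read", "billing-svc"), now=1000),
    ]
    return results, dict(proxy.server_calls)
```

The counter shows which requests actually reached a server: only the second request (uncached token and interface) and the third (uncached, expired token) trigger fallback calls; everything else is decided from the cache.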
The access control device provided by the embodiment of the invention can execute the access control method provided by any embodiment of the invention, and has corresponding functional modules and beneficial effects of the execution method.
Example four
Fig. 6 is a block diagram of a server according to a fourth embodiment of the present invention, as shown in fig. 6, the server includes a processor 410, a memory 420, an input device 430, and an output device 440; the number of the processors 410 in the server may be one or more, and one processor 410 is taken as an example in fig. 6; the processor 410, the memory 420, the input device 430 and the output device 440 in the server may be connected by a bus or other means, and fig. 6 illustrates an example of a connection by a bus.
The memory 420 serves as a computer-readable storage medium, and may be used to store software programs, computer-executable programs, and modules, such as program instructions/modules corresponding to the access control method in the embodiment of the present invention (for example, the information receiving module 310, the access right determining module 320, and the access request transmitting module 330 in the access control apparatus). The processor 410 executes various functional applications of the server and data processing by executing software programs, instructions, and modules stored in the memory 420, that is, implements the above-described access control method.
The memory 420 may mainly include a program storage area and a data storage area, wherein the program storage area may store an operating system, an application program required for at least one function; the storage data area may store data created according to the use of the terminal, and the like. Further, the memory 420 may include high speed random access memory, and may also include non-volatile memory, such as at least one magnetic disk storage device, flash memory device, or other non-volatile solid state storage device. In some examples, memory 420 may further include memory located remotely from processor 410, which may be connected to a server over a network. Examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks, and combinations thereof.
The input device 430 may be used to receive input numeric or character information and generate key signal inputs related to user settings and function control of the server. The output device 440 may include a display device such as a display screen.
Example five
An embodiment of the present invention further provides a storage medium containing computer-executable instructions, where the computer-executable instructions are used to execute an access control method when executed by a computer processor, and the access control method is applied to a trusted application program interface proxy apparatus, and the trusted application program interface proxy apparatus is respectively connected to an application front end and at least one application back end in a communication manner, where the method includes:
receiving and caching user authentication information sent by an authentication server and authorization information between a user and a service interface sent by an authorization server;
receiving an access request for an application back-end service interface sent by the application front end, verifying the access request according to the user authentication information and the authorization information, and determining the access authority of the access request;
and sending the access request having the access authority to the application back-end corresponding to the access request.
Of course, the storage medium provided by the embodiment of the present invention contains computer-executable instructions, and the computer-executable instructions are not limited to the operations of the method described above, and may also perform related operations in the access control method provided by any embodiment of the present invention.
From the above description of the embodiments, it is obvious for those skilled in the art that the present invention can be implemented by software and necessary general hardware, and certainly, can also be implemented by hardware, but the former is a better embodiment in many cases. Based on such understanding, the technical solutions of the present invention may be embodied in the form of a software product, which can be stored in a computer-readable storage medium, such as a floppy disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a FLASH Memory (FLASH), a hard disk or an optical disk of a computer, and includes several instructions for enabling a computer device (which may be a personal computer, a server, or a network device) to execute the methods according to the embodiments of the present invention.
It should be noted that, in the above embodiment of the access control device, the included units and modules are merely divided according to functional logic, but are not limited to the above division as long as the corresponding functions can be implemented; in addition, specific names of the functional units are only for convenience of distinguishing from each other, and are not used for limiting the protection scope of the present invention.
It is to be noted that the foregoing is only illustrative of the preferred embodiments of the present invention and the technical principles employed. It will be understood by those skilled in the art that the present invention is not limited to the particular embodiments described herein, but is capable of various obvious changes, rearrangements and substitutions as will now become apparent to those skilled in the art without departing from the scope of the invention. Therefore, although the present invention has been described in greater detail by the above embodiments, the present invention is not limited to the above embodiments, and may include other equivalent embodiments without departing from the spirit of the present invention, and the scope of the present invention is determined by the scope of the appended claims.
Claims (10)
1. An access control method applied to a trusted application program interface proxy device, wherein the trusted application program interface proxy device is respectively connected with an application front end and at least one application back end in communication, and the method comprises the following steps:
receiving and caching user authentication information sent by an authentication server and authorization information between a user and a service interface sent by an authorization server;
receiving an access request for an application back-end service interface sent by the application front end, verifying the access request according to the user authentication information and the authorization information, and determining the access authority of the access request;
and sending the access request having the access authority to the application back-end corresponding to the access request.
2. The method of claim 1, wherein the access request comprises: a user token and an identification of a service interface to be accessed; the verifying the access request according to the user authentication information and the authorization information and determining the access authority of the access request comprise:
verifying the user token according to the user authentication information to determine the validity of the user token;
and after the user token passes the verification, verifying the identifier of the application back-end service interface to be accessed according to the authorization information, and determining the access authority of the user to the service interface to be accessed.
3. The method of claim 2, wherein verifying the user token according to the user authentication information and determining the validity of the user token comprises:
when the trusted application program interface proxy device has cached user authentication information corresponding to the user token, verifying the user token according to the cached user authentication information to determine the validity of the user token;
and when the trusted application program interface proxy device has not cached user authentication information corresponding to the user token, calling a user authentication server interface to verify the user token and determining the validity of the user token.
4. The method according to claim 2, wherein the verifying the identifier of the application back-end service interface to be accessed according to the authorization information and determining the access authority of the user to the service interface to be accessed comprises:
when the trusted application program interface proxy device has cached authorization information corresponding to the identifier of the service interface to be accessed, determining the access authority of the user to the service interface to be accessed according to the cached authorization information and the identifier of the application back-end service interface to be accessed;
and when the trusted application program interface proxy device has not cached authorization information corresponding to the identifier of the service interface to be accessed, verifying the identifier of the service interface to be accessed by calling an authorization server interface, and determining the access authority of the user to the service interface to be accessed.
5. The method of claim 1, further comprising:
and receiving a flow control policy, and carrying out flow control on the application back-end service interface according to the flow control policy.
6. The method according to claim 5, wherein the carrying out flow control on the application back-end service interface according to the flow control policy comprises:
and according to the flow control policy, implementing flow control on the application back-end service interface through a gateway component and a sentinel component of a tool set for quickly building common patterns of a distributed system.
7. The method of claim 1, wherein the access request further comprises an identifier of the application back-end to be accessed; and the sending the access request to the application back-end comprises:
and when the access request is determined to have the access authority, sending the access request to the corresponding application back-end according to the identifier of the application back-end to be accessed.
8. An access control device configured to a trusted application program interface proxy device, the trusted application program interface proxy device being communicatively coupled to an application front-end and at least one application back-end, respectively, the device comprising:
the information receiving module is used for receiving and caching the user authentication information sent by the authentication server and the authorization information between the user and the service interface sent by the authorization server;
the access authority determining module is used for receiving an access request for an application back-end service interface sent by the application front end, verifying the access request according to the user authentication information and the authorization information, and determining the access authority of the access request;
and the access request sending module is used for sending the access request having the access authority to the application back-end corresponding to the access request.
9. A server, characterized in that the server comprises:
one or more processors;
storage means for storing one or more programs;
wherein the one or more programs, when executed by the one or more processors, cause the one or more processors to implement the access control method of any one of claims 1-7.
10. A computer-readable storage medium, on which a computer program is stored, which program, when being executed by a processor, is adapted to carry out the access control method according to any one of claims 1 to 7.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202011173761.9A CN112311788A (en) | 2020-10-28 | 2020-10-28 | Access control method, device, server and medium |
Publications (1)
Publication Number | Publication Date |
---|---|
CN112311788A true CN112311788A (en) | 2021-02-02 |
Family
ID=74331593
Cited By (8)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN113114635A (en) * | 2021-03-25 | 2021-07-13 | 北京金山云网络技术有限公司 | Authority management method and system |
CN113111337A (en) * | 2021-03-29 | 2021-07-13 | 青岛海尔科技有限公司 | Method, device and equipment for sharing access control list |
CN113179253A (en) * | 2021-03-30 | 2021-07-27 | 新华三信息安全技术有限公司 | Method for deploying zero trust network and proxy server |
CN113239386A (en) * | 2021-06-16 | 2021-08-10 | 中国银行股份有限公司 | API (application program interface) permission control method and device |
CN113472758A (en) * | 2021-06-21 | 2021-10-01 | 北京沃东天骏信息技术有限公司 | Access control method, device, terminal, connector and storage medium |
CN113596009A (en) * | 2021-07-23 | 2021-11-02 | 中国联合网络通信集团有限公司 | Zero trust access method, system, zero trust security proxy, terminal and medium |
CN113938327A (en) * | 2021-12-17 | 2022-01-14 | 亿次网联(杭州)科技有限公司 | VPN service access method and access system, electronic device and storage medium |
CN114866274A (en) * | 2022-03-18 | 2022-08-05 | 中国建设银行股份有限公司 | Authorization authentication method, device and equipment based on proxy service |
Citations (9)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20060225132A1 (en) * | 2000-01-24 | 2006-10-05 | Microsoft Corporation | System and Method of Proxy Authentication in a Secured Network |
CN104994102A (en) * | 2015-07-08 | 2015-10-21 | 浪潮软件股份有限公司 | Enterprise information system authentication and access control method based on reverse proxy |
CN107948201A (en) * | 2017-12-29 | 2018-04-20 | 平安科技(深圳)有限公司 | The purview certification method and system in Docker mirror images warehouse |
CN108476216A (en) * | 2016-03-31 | 2018-08-31 | 甲骨文国际公司 | For integrating system and method for the transaction middleware platform with centralized access manager for the single-sign-on in enterprise-level computing environment |
CN109600399A (en) * | 2019-02-02 | 2019-04-09 | 北京奇安信科技有限公司 | API Access control method and API Access agent apparatus |
CN109660563A (en) * | 2019-02-02 | 2019-04-19 | 北京奇安信科技有限公司 | A kind of application access control method, system and medium |
CN111030828A (en) * | 2019-12-19 | 2020-04-17 | 中国电建集团华东勘测设计研究院有限公司 | Authority control method and system under micro-service architecture and access token |
CN111355713A (en) * | 2020-02-20 | 2020-06-30 | 深信服科技股份有限公司 | Proxy access method, device, proxy gateway and readable storage medium |
CN111416822A (en) * | 2020-03-20 | 2020-07-14 | 数篷科技(深圳)有限公司 | Method for access control, electronic device and storage medium |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| RJ01 | Rejection of invention patent application after publication | Application publication date: 20210202 |