CN112511565B - Request response method and device, computer readable storage medium and electronic equipment

Info

Publication number: CN112511565B
Application number: CN202110122645.2A
Authority: CN (China)
Other languages: Chinese (zh)
Other versions: CN112511565A
Prior art keywords: request, certificate, credential, information, network
Legal status: Active
Inventor: 吴岳廷
Current Assignee: Tencent Technology Shenzhen Co Ltd
Original Assignee: Tencent Technology Shenzhen Co Ltd
Application filed by Tencent Technology Shenzhen Co Ltd; priority to CN202110122645.2A; published as CN112511565A; application granted and published as CN112511565B.

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/12 Applying verification of the received information
    • H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L 63/0876 Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
    • H04L 67/00 Network arrangements or protocols for supporting network services or applications
    • H04L 67/50 Network services
    • H04L 67/56 Provisioning of proxy services
    • H04L 67/568 Storing data temporarily at an intermediate stage, e.g. caching
    • H04L 67/60 Scheduling or organising the servicing of application requests, e.g. requests for application data transmissions using the analysis and optimisation of the required network resources
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L 9/088 Usage controlling of secret information, e.g. techniques for restricting cryptographic keys to pre-authorized uses, different access levels, validity of crypto-period, different key- or password length, or different strong and weak cryptographic algorithms

Abstract

The application provides a request response method, a request response device, a computer-readable storage medium and an electronic device, and relates to the technical field of computers. The method comprises the following steps: generating a credential request corresponding to a network request and sending the credential request to a terminal device; receiving, in real time through at least one created data receiving pipeline, a credential response result fed back by the terminal device, and, when the credential response result is detected to have reached a buffer, extracting the credential response result and comparing it with the unique identifier; and, if the comparison is consistent, forwarding the network request to the server after the access gateway has verified the credential information. Thus, by implementing the embodiments of the application, the credential request can be marked with the unique identifier and data can be received through the pipeline and the buffer, so that each read or write operation need not wait for the previous one to finish; the terminal device can therefore process credential requests in parallel and respond to them asynchronously, which improves the efficiency of the subsequent response to the request.

Description

Request response method and device, computer readable storage medium and electronic equipment
Technical Field
The present application relates to the field of computer technologies, and in particular, to a request response method, a request response device, a computer-readable storage medium, and an electronic device.
Background
The Transmission Control Protocol (TCP) provides a byte-stream service; specifically, it divides data into packets, using the message segment as the unit, and transmits the packets to the receiver. Generally, a client component of a server establishes a long-lived connection with a requester component over TCP; one TCP connection usually allows the requester to initiate multiple requests, and the requester obtains the response results for those requests in order, through the server's serial responses to them.
In order to ensure the security of the request response, it is generally necessary to apply for a credential for a network request initiated by an access subject, so that when a client forwards the network request through an access gateway, the access gateway can verify the validity of the network request according to the credential, and further forward the network request to a server under the condition that the network request is legal, so that the server responds to the network request.
However, when the number of received requests increases, this request processing method can generally only process the requests serially, obtaining the credential of each request in turn, which easily reduces the response efficiency of the requests.
It is to be noted that the information disclosed in the above background section is only for enhancement of understanding of the background of the present application and therefore may include information that does not constitute prior art known to a person of ordinary skill in the art.
Disclosure of Invention
The application aims to provide a request response method, a request response device, a computer-readable storage medium and an electronic device. The method marks a credential request with a unique identifier and receives data through a data receiving pipeline and a buffer, so that each read or write operation need not wait for the previous one to finish. Data can thus be processed in a non-blocking manner, terminal devices can process credential requests in parallel, and the credential request can be responded to asynchronously, which improves the efficiency of the subsequent response to the request.
Other features and advantages of the present application will be apparent from the following detailed description, or may be learned by practice of the application.
According to an aspect of the present application, there is provided a request response method including:
generating a credential request corresponding to the network request, and sending the credential request to the terminal device; the credential request comprises a unique identifier corresponding to the network request;
receiving, in real time through the created at least one data receiving pipeline, a credential response result fed back by the terminal device, and, when the credential response result is detected to have reached a buffer, extracting the credential response result and comparing it with the unique identifier; wherein the buffer corresponds to the data receiving pipeline;
if the comparison result shows that the credential response result matches the unique identifier, extracting the credential information from the credential response result;
sending the credential information and the network request to an access gateway, so that the access gateway forwards the network request to a server when verifying that the credential information is legal;
and receiving a request response result fed back by the server according to the network request.
In an exemplary embodiment of the present application, generating a credential request corresponding to a network request includes:
generating a unique identifier and acquiring a network parameter corresponding to the network request;
generating a credential request according to the unique identifier and the network parameters;
the network parameter includes at least one of a process code, a source domain name, a source port, a destination domain name, a destination port and a protocol type of the network request.
In an exemplary embodiment of the present application, after sending the credential request to the terminal device, the method further includes:
the terminal device acquires a process parameter corresponding to the process code;
the terminal device generates a data acquisition request according to the process parameter and the credential request, and sends the data acquisition request to the target server so that the target server responds to the data acquisition request by generating credential information;
the terminal device receives the credential information fed back by the target server;
the terminal device generates a credential response result containing the credential information.
In an exemplary embodiment of the present application, before the access gateway forwards the network request to the server when verifying that the credential information is valid, the method further includes:
the access gateway generates a verification request containing the credential information;
and the access gateway sends the verification request to the target server so that the target server verifies the validity of the credential information and feeds back a verification result to the access gateway.
In an exemplary embodiment of the present application, comparing the credential response result with the unique identifier includes:
parsing the credential response result into a byte stream;
intercepting the summary information in the byte stream according to a preset summary length;
extracting an identifier from the summary information, and comparing the identifier with the unique identifier;
and if the comparison result shows that the identifier is consistent with the unique identifier, determining that the credential response result matches the unique identifier.
In an exemplary embodiment of the present application, extracting credential information in the credential response result includes:
intercepting the response content in the credential response result according to the information in the summary information that expresses the length of the content;
credential information is extracted from the response content.
In an exemplary embodiment of the present application, the method further includes:
the terminal device determines, according to the process code, the absolute path of the access process that initiated the network request;
if the absolute path is detected to be valid, the terminal device establishes a connection with the proxy client so as to receive the credential request sent by the proxy client.
In an exemplary embodiment of the present application, before generating the credential request corresponding to the network request, the method further includes:
after receiving the network request, detecting, according to the network parameters, whether pre-stored credential information matching the network parameters exists in the cache;
and if not, executing the step of generating a credential request corresponding to the network request.
In an exemplary embodiment of the present application, if there is pre-stored credential information in the cache, the method further includes:
performing validity verification on the credential code in the pre-stored credential information according to the credential upper-limit use count and the credential valid time in the pre-stored credential information;
and if the credential code is valid, sending the network request to the server and receiving a request response result fed back by the server according to the network request.
In an exemplary embodiment of the present application, verifying the validity of the credential code in the pre-stored credential information according to the credential upper-limit use count and the credential valid time in the pre-stored credential information includes:
detecting whether the number of times the credential code has been used exceeds the credential upper-limit use count, and detecting whether the current time exceeds the credential valid time;
and if the number of uses does not exceed the credential upper-limit use count and the current time does not exceed the credential valid time, determining that the credential code is valid.
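As an added example (not code from the patent or from Tencent), the proxy-client side of the flow described above: generating a credential request keyed by the network parameters and a fresh unique identifier, parsing the credential response reaching the buffer as a summary plus content and matching it against the identifier, and checking a cached credential's use count and valid time before re-requesting. The wire framing (a 16-byte identifier and 4-byte length as the fixed-length summary), the class names and the `ProxyClient` API are assumptions.

```python
import secrets
import struct
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

# Constructed framing for the credential response (an assumption, not the
# patent's actual encoding): a fixed-length summary of SUMMARY_LEN bytes holding
# the 16-byte identifier and a 4-byte big-endian content length, followed by the
# response content that carries the credential information.
UID_LEN = 16
SUMMARY_LEN = UID_LEN + 4
SUMMARY_FMT = f">{UID_LEN}sI"


@dataclass(frozen=True)
class NetworkParams:
    """Network parameters that key a credential request (names from the patent)."""
    process_code: str
    src_domain: str
    src_port: int
    dst_domain: str
    dst_port: int
    protocol: str


def build_credential_request(params: NetworkParams) -> Tuple[bytes, dict]:
    """Generate a fresh unique identifier and the credential request that carries it."""
    uid = secrets.token_bytes(UID_LEN)
    return uid, {"uid": uid.hex(), "params": params}


def encode_credential_response(uid: bytes, credential: bytes) -> bytes:
    """Simulated terminal-device side: summary (identifier + length) then content."""
    return struct.pack(SUMMARY_FMT, uid, len(credential)) + credential


def extract_credential(buffer: bytes, expected_uid: bytes) -> Optional[bytes]:
    """Proxy-client side: parse whatever has reached the buffer so far.

    Returns the credential information once the summary identifier matches
    expected_uid and the whole content has arrived; returns None while data is
    still incomplete or when the identifier belongs to a different request.
    """
    if len(buffer) < SUMMARY_LEN:
        return None  # summary not yet fully in the buffer
    uid, content_len = struct.unpack(SUMMARY_FMT, buffer[:SUMMARY_LEN])
    if not secrets.compare_digest(uid, expected_uid):
        return None  # response belongs to another network request
    content = buffer[SUMMARY_LEN:SUMMARY_LEN + content_len]
    if len(content) < content_len:
        return None  # content still arriving; keep waiting
    return content


@dataclass
class CachedCredential:
    code: bytes
    max_uses: int        # credential upper-limit use count
    valid_until: float   # credential valid time, epoch seconds
    used: int = 0


def credential_is_valid(entry: CachedCredential, now: float) -> bool:
    """Validity rule from the patent: use count below the limit and not expired."""
    return entry.used < entry.max_uses and now <= entry.valid_until


class ProxyClient:
    """Caches credentials per network parameters and re-requests them when invalid."""

    def __init__(self, terminal: Callable[[dict], bytes]):
        self._terminal = terminal  # credential request -> response bytes
        self._cache: Dict[NetworkParams, CachedCredential] = {}
        self.requests_sent = 0

    def obtain_credential(self, params: NetworkParams, now: float,
                          max_uses: int = 3, ttl: float = 60.0) -> bytes:
        entry = self._cache.get(params)
        if entry is not None and credential_is_valid(entry, now):
            entry.used += 1
            return entry.code
        self._cache.pop(params, None)  # exhausted or expired: discard it
        uid, request = build_credential_request(params)
        self.requests_sent += 1
        credential = extract_credential(self._terminal(request), uid)
        if credential is None:
            raise RuntimeError("credential response did not match the request")
        self._cache[params] = CachedCredential(credential, max_uses, now + ttl, used=1)
        return credential
```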
In an exemplary embodiment of the present application, before receiving, in real time, a credential response result fed back by a terminal device through the created at least one data receiving pipe, the method further includes:
creating a buffer and at least one data pipeline matching the unique identifier;
and writing the credential request into the buffer so that the event processing process triggers a data pipeline whose load is lower than a threshold, among the at least one data pipeline, to read the request data of the credential request from the buffer and send the request data to the terminal device.
In an exemplary embodiment of the present application, receiving, in real time through the created at least one data receiving pipeline, a credential response result fed back by the terminal device includes:
receiving, in real time through a data pipeline whose load is lower than the threshold, the credential response result fed back by the terminal device, and writing the credential response result into the buffer.
According to an aspect of the present application, there is provided a request response apparatus including a request generating unit, a data processing unit, an information extracting unit, a request sending unit and a response result receiving unit, wherein:
the request generating unit is used for generating a credential request corresponding to the network request and sending the credential request to the terminal device; the credential request comprises a unique identifier corresponding to the network request;
the data processing unit is used for receiving, in real time through the created at least one data receiving pipeline, the credential response result fed back by the terminal device, and, when the credential response result is detected to have reached the buffer, extracting the credential response result and comparing it with the unique identifier; wherein the buffer corresponds to the data receiving pipeline;
the information extracting unit is used for extracting the credential information from the credential response result when the comparison result shows that the credential response result matches the unique identifier;
the request sending unit is used for sending the credential information and the network request to the access gateway so that the access gateway forwards the network request to the server when it verifies that the credential information is valid;
and the response result receiving unit is used for receiving a request response result fed back by the server for the network request.
In an exemplary embodiment of the present application, the request generating unit generates a credential request corresponding to the network request, including:
generating a unique identifier and acquiring a network parameter corresponding to the network request;
generating a credential request according to the unique identifier and the network parameters;
the network parameter includes at least one of a process code, a source domain name, a source port, a destination domain name, a destination port and a protocol type of the network request.
In an exemplary embodiment of the application, after the request generating unit sends the credential request to the terminal device, the apparatus further includes:
the terminal device acquires a process parameter corresponding to the process code;
the terminal device generates a data acquisition request according to the process parameter and the credential request, and sends the data acquisition request to the target server so that the target server responds to the data acquisition request by generating credential information;
the terminal device receives the credential information fed back by the target server;
the terminal device generates a credential response result containing the credential information.
In an exemplary embodiment of the present application, before the access gateway forwards the network request to the server when verifying that the credential information is valid, the apparatus further includes:
the access gateway generates a verification request containing the credential information;
and the access gateway sends the verification request to the target server so that the target server verifies the validity of the credential information and feeds back a verification result to the access gateway.
In an exemplary embodiment of the present application, the data processing unit extracting the credential response result and comparing the credential response result with the unique identifier includes:
parsing the credential response result into a byte stream;
intercepting the summary information in the byte stream according to a preset summary length;
extracting an identifier from the summary information, and comparing the identifier with the unique identifier;
and when the comparison result shows that the identifier is consistent with the unique identifier, determining that the credential response result matches the unique identifier.
In an exemplary embodiment of the present application, the information extracting unit extracting the credential information from the credential response result includes:
intercepting the response content in the credential response result according to the information in the summary information that expresses the length of the content;
extracting the credential information from the response content.
In an exemplary embodiment of the present application, the apparatus further includes:
the terminal device determines, according to the process code, the absolute path of the access process that initiated the network request;
if the absolute path is detected to be valid, the terminal device establishes a connection with the proxy client so as to receive the credential request sent by the proxy client.
In an exemplary embodiment of the present application, the apparatus further includes:
the information detecting unit is used for detecting, according to the network parameters, whether pre-stored credential information matching the network parameters exists in the cache, after the network request is received and before the request generating unit generates the credential request corresponding to the network request;
and the request generating unit is specifically configured to generate a credential request corresponding to the network request when the information detecting unit detects that the pre-stored credential information does not exist in the cache.
In an exemplary embodiment of the present application, if there is pre-stored credential information in the cache, the apparatus further includes:
the validity verifying unit is used for verifying the validity of the credential code in the pre-stored credential information according to the credential upper-limit use count and the credential valid time in the pre-stored credential information;
and the request sending unit is further used for sending the network request to the server and receiving a request response result fed back by the server for the network request when the validity verifying unit verifies that the credential code is valid.
In an exemplary embodiment of the present application, the validity verifying unit verifying the validity of the credential code in the pre-stored credential information according to the credential upper-limit use count and the credential valid time in the pre-stored credential information includes:
detecting whether the number of times the credential code has been used exceeds the credential upper-limit use count, and detecting whether the current time exceeds the credential valid time;
and if the number of uses does not exceed the credential upper-limit use count and the current time does not exceed the credential valid time, determining that the credential code is valid.
In an exemplary embodiment of the present application, the apparatus further includes:
the creating unit is used for creating a buffer and at least one data pipeline matching the unique identifier before the data processing unit receives, in real time through the created at least one data receiving pipeline, the credential response result fed back by the terminal device;
and the data processing unit is further used for writing the credential request into the buffer so that the event processing process triggers a data pipeline whose load is lower than the threshold, among the at least one data pipeline, to read the request data of the credential request from the buffer and send the request data to the terminal device.
In an exemplary embodiment of the present application, the data processing unit receiving, in real time through the created at least one data receiving pipeline, the credential response result fed back by the terminal device includes:
receiving, in real time through a data pipeline whose load is lower than the threshold, the credential response result fed back by the terminal device, and writing the credential response result into the buffer.
According to an aspect of the present application, there is provided an electronic device including: a processor; and a memory for storing executable instructions of the processor; wherein the processor is configured to perform the method of any one of the above via execution of the executable instructions.
According to an aspect of the application, a computer-readable storage medium is provided, on which a computer program is stored, which computer program, when being executed by a processor, is adapted to carry out the method of any of the above.
According to an aspect of the application, a computer program product or computer program is provided, comprising computer instructions stored in a computer readable storage medium. The processor of the computer device reads the computer instructions from the computer-readable storage medium, and the processor executes the computer instructions to cause the computer device to perform the method provided in the various alternative implementations described above.
The exemplary embodiments of the present application may have some or all of the following advantages:
in the request response method provided by an example embodiment of the present application, a credential request corresponding to a network request may be generated and sent to a terminal device, the credential request comprising a unique identifier corresponding to the network request. A credential response result fed back by the terminal device is received in real time through the created at least one data receiving pipeline, and, when the credential response result is detected to have reached a buffer corresponding to that pipeline, it is extracted and compared with the unique identifier. If the comparison result shows that the credential response result matches the unique identifier, the credential information is extracted from it and sent together with the network request to an access gateway, so that the access gateway forwards the network request to a server when it verifies that the credential information is valid; a request response result fed back by the server according to the network request is then received. On one hand, the credential request is marked with the unique identifier and data is received through the data receiving pipeline and the buffer, so that each read or write operation need not wait for the previous one to finish; data is processed in a non-blocking manner, the terminal device can process credential requests in parallel, the credential request can be responded to asynchronously, and the efficiency of the subsequent response to the request is improved.
On the other hand, credential information is applied for on behalf of the network request, and a secure response to the request is achieved through validity verification of that credential information.
It is to be understood that both the foregoing general description and the following detailed description are exemplary and explanatory only and are not restrictive of the application.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with the present application and together with the description, serve to explain the principles of the application. It is obvious that the drawings in the following description are only some embodiments of the application, and that for a person skilled in the art, other drawings can be derived from them without inventive effort.
Fig. 1 is a schematic diagram illustrating an exemplary system architecture to which a request response method and a request response apparatus according to an embodiment of the present application may be applied.
Fig. 2 illustrates a schematic structural diagram of a computer system suitable for implementing the electronic device of an embodiment of the present application.
Fig. 3 schematically shows a flow chart of a request response method according to an embodiment of the present application.
Fig. 4 schematically shows an interaction diagram of a terminal device and a proxy client according to an embodiment of the present application.
Fig. 5 schematically shows an interaction diagram of a terminal device and a proxy client according to another embodiment of the present application.
Fig. 6 schematically shows a flow diagram of requesting credential information according to an embodiment of the present application.
Fig. 7 schematically shows a flow diagram of responding to a credential request according to an embodiment of the present application.
Fig. 8 schematically shows an interaction diagram of an access subject and an access object according to an embodiment of the present application.
Fig. 9 schematically shows an architecture diagram for implementing a request response method according to an embodiment of the present application.
Fig. 10 schematically shows a flow diagram of a request response method according to an embodiment of the present application.
Fig. 11 schematically shows a block diagram of a request response apparatus according to an embodiment of the present application.
Figs. 12-17 schematically illustrate user interface diagrams of a terminal device according to an embodiment of the present application.
Detailed Description
Example embodiments will now be described more fully with reference to the accompanying drawings. Example embodiments may, however, be embodied in many different forms and should not be construed as limited to the examples set forth herein; rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the concept of example embodiments to those skilled in the art. The described features, structures, or characteristics may be combined in any suitable manner in one or more embodiments. In the following description, numerous specific details are provided to give a thorough understanding of embodiments of the application. One skilled in the relevant art will recognize, however, that the subject matter of the present application can be practiced without one or more of the specific details, or with other methods, components, devices, steps, and so forth. In other instances, well-known technical solutions have not been shown or described in detail to avoid obscuring aspects of the present application.
Furthermore, the drawings are merely schematic illustrations of the present application and are not necessarily drawn to scale. The same reference numerals in the drawings denote the same or similar parts, and thus their repetitive description will be omitted. Some of the block diagrams shown in the figures are functional entities and do not necessarily correspond to physically or logically separate entities. These functional entities may be implemented in the form of software, or in one or more hardware modules or integrated circuits, or in different networks and/or processor devices and/or microcontroller devices.
Fig. 1 is a schematic diagram illustrating a system architecture of an exemplary application environment to which a request response method and a request response device according to an embodiment of the present application may be applied.
As shown in Fig. 1, the system architecture 100 may include one or more of terminal devices 101, 102, 103, a network 104, and a server cluster 105. The network 104 provides the medium for communication links between the terminal devices 101, 102, 103 and the server cluster 105, and may include various connection types, such as wired links, wireless communication links, or fiber optic cables. The terminal devices 101, 102, 103 may be various electronic devices having a display screen, including but not limited to desktop computers, portable computers, smart phones, tablet computers, and the like. It should be understood that the number of terminal devices, networks, and servers in Fig. 1 is merely illustrative; there may be any number of terminal devices, networks, and servers, as the implementation requires. In addition, the server cluster 105 may be an independent physical server, a server cluster or distributed system formed by a plurality of physical servers, or a cloud server providing basic cloud computing services such as cloud services, cloud databases, cloud computing, cloud functions, cloud storage, network services, cloud communication, middleware services, domain name services, security services, a CDN, and big data and artificial intelligence platforms. The terminal may be, but is not limited to, a smart phone, a tablet computer, a laptop computer, a desktop computer, a smart speaker, a smart watch, and the like. The terminal and the server may be connected directly or indirectly through wired or wireless communication, and the application is not limited in this respect.
It should be noted that the cloud server described above may provide basic cloud computing services by using cloud technology. Cloud technology refers to a hosting technology for unifying serial resources such as hardware, software, network and the like in a wide area network or a local area network to realize calculation, storage, processing and sharing of data.
Cloud storage, included in basic cloud computing services, is a new concept extended and developed from the cloud computing concept. A distributed cloud storage system (hereinafter, storage system) integrates a large number of storage devices of various types (also called storage nodes) in a network, through functions such as cluster applications, grid technology and distributed file systems, so that they work cooperatively via application software or application interfaces and provide data storage and service access to the outside. At present, a storage system stores data as follows: logical volumes are created, and each logical volume is allocated physical storage space when created, which may consist of the disks of one or of several storage devices. A client stores data on a logical volume, that is, on a file system; the file system divides the data into a plurality of parts, each part being an object that contains not only the data but also additional information such as a data identifier (ID); the file system writes each object into the physical storage space of the logical volume and records the storage location of each object, so that when the client requests access to the data the file system can serve it according to the recorded storage location of each object.
The process of allocating physical storage space for the logical volume by the storage system specifically includes: physical storage space is divided in advance into stripes according to a group of capacity measures of objects stored in a logical volume (the measures often have a large margin with respect to the capacity of the actual objects to be stored) and Redundant Array of Independent Disks (RAID), and one logical volume can be understood as one stripe, thereby allocating physical storage space to the logical volume.
The request response method provided by the embodiments of the present application may be executed by any of the terminal devices 101, 102, 103 or by any server in the server cluster 105. Accordingly, the request response device is typically provided in a server of the server cluster 105 or in a terminal device 101, 102, 103. For example, in an exemplary embodiment, any server in the server cluster 105 may generate a credential request corresponding to the network request and send it to the terminal device 101, 102 or 103, the credential request including a unique identifier corresponding to the network request; on receiving a credential response result matching the unique identifier fed back by the terminal device 101, 102 or 103, extract the credential information from the credential response result; send the credential information and the network request to an access gateway, so that the access gateway forwards the network request to a server when it verifies that the credential information is legitimate; and receive the request response result fed back by the server for the network request.
FIG. 2 illustrates a schematic structural diagram of a computer system suitable for use in implementing the electronic device of an embodiment of the present application.
It should be noted that the computer system 200 of the electronic device shown in fig. 2 is only an example, and should not bring any limitation to the functions and the scope of use of the embodiments of the present application.
As shown in fig. 2, the computer system 200 includes a Central Processing Unit (CPU) 201 that can perform various appropriate actions and processes in accordance with a program stored in a Read Only Memory (ROM) 202 or a program loaded from a storage section 208 into a Random Access Memory (RAM) 203. In the RAM 203, various programs and data necessary for system operation are also stored. The CPU 201, ROM 202, and RAM 203 are connected to each other via a bus 204. An input/output (I/O) interface 205 is also connected to bus 204.
The following components are connected to the I/O interface 205: an input portion 206 including a keyboard, a mouse, and the like; an output section 207 including a display such as a Cathode Ray Tube (CRT), a Liquid Crystal Display (LCD), and the like, and a speaker; a storage section 208 including a hard disk and the like; and a communication section 209 including a network interface card such as a LAN card, a modem, or the like. The communication section 209 performs communication processing via a network such as the internet. A drive 210 is also connected to the I/O interface 205 as needed. A removable medium 211, such as a magnetic disk, an optical disk, a magneto-optical disk, a semiconductor memory, or the like, is mounted on the drive 210 as necessary, so that a computer program read out therefrom is installed into the storage section 208 as necessary.
In particular, according to embodiments of the present application, the processes described below with reference to the flowcharts may be implemented as computer software programs. For example, embodiments of the present application include a computer program product comprising a computer program embodied on a computer readable medium, the computer program comprising program code for performing the method illustrated by the flow chart. In such an embodiment, the computer program may be downloaded and installed from a network through the communication section 209 and/or installed from the removable medium 211. The computer program, when executed by a Central Processing Unit (CPU) 201, performs various functions defined in the methods and apparatus of the present application.
Generally, after receiving a network request sent by a service requester component, a service provider component repeatedly executes the single-step sequence "receive the byte stream, parse the byte stream, send the response result, continue receiving the byte stream". With a small number of requests this scheme handles requests and responds in time. With a large number of requests, however, responses are easily delayed: network requests initiated later wait longer for a response, which tends to make the system unstable and poorly available.
In view of the above, the present exemplary embodiment provides a request response method. Referring to fig. 3, fig. 3 schematically illustrates a flow chart of a request response method according to an embodiment of the present application. As shown in fig. 3, the request response method may include the following steps S310 to S350:
step S310: generating a certificate request corresponding to the network request, and sending the certificate request to the terminal equipment; the credential request includes a unique identifier corresponding to the network request.
Step S320: receiving a certificate response result fed back by the terminal equipment in real time through the created at least one data receiving pipeline, and extracting the certificate response result and comparing the certificate response result with the unique identifier when the certificate response result is monitored to reach a buffer area; wherein the buffer corresponds to the data receiving pipe.
Step S330: and when the comparison result shows that the certificate response result is matched with the unique identifier, extracting the certificate information in the certificate response result.
Step S340: and sending the credential information and the network request to the access gateway so that the access gateway forwards the network request to the server when verifying that the credential information is legal.
Step S350: and receiving a request response result fed back by the server according to the network request.
By implementing the method shown in fig. 3, credential requests are marked with unique identifiers and data is received through data receiving pipes and buffers, so that the next read or write need not wait for the previous one to complete. Data is thus processed in a non-blocking manner, the terminal device can process credential requests in parallel, and credential requests can be answered asynchronously, improving the efficiency of subsequent responses to requests. In addition, corresponding credential information is applied for per network request, and requests are answered securely through validity verification of that credential information.
Steps S310 to S350 may be executed by a proxy client. A target client is installed on the terminal device; the target client corresponds to a target server, and both belong to a network security provider. The proxy client may also be installed on the terminal device, and communication between the proxy client and the target client may be established over TCP.
The above steps of the present exemplary embodiment will be described in more detail below.
In step S310, a credential request corresponding to the network request is generated, and the credential request is sent to the terminal device; the credential request includes a unique identifier corresponding to the network request.
Specifically, the unique identifier (PackageUID) corresponding to the network request may be represented as a character string. The network request may be a hypertext transfer protocol (HTTP) request used to create, delete, update or query data on the server (for example, with the PUT, DELETE, POST and GET methods).
Further, the network request may be initiated by the accessing principal through a trusted application; the access subject (i.e. the party initiating the access) may be a person/device/application accessing the intranet business resources, and what corresponds to the access subject is an access object; the access object (i.e., the accessed party) can be an intranet business resource; the trusted application can be an application granted by the management terminal, and the trusted application can also be an application carrier for the terminal to access the internal service system.
The configuration fields of the trusted application may include: process name, application name, operating system, vendor, signature, review result, version, Message Digest Algorithm 5 (MD5) and Secure Hash Algorithm 256 (sha256). It should be noted that MD5 is a hash algorithm that maps data of any length to 128 bits; sha256 is likewise a hash algorithm (not an encryption algorithm), mapping data of any length to 256 bits. Since MD5 is no longer collision-resistant, sha256 is the field a verifier should rely on when matching an executable against this configuration.
For example, the configuration information corresponding to the above-mentioned configuration field can be shown in the following table.
(Table of trusted-application configuration information for the fields listed above; rendered as an image in the original.)
As an alternative embodiment, generating a credential request corresponding to a network request includes: generating a unique identifier and acquiring a network parameter corresponding to the network request; generating a certificate request according to the unique identifier and the network parameters; the network parameter includes at least one of a process code, a source domain name, a source port, a destination domain name, a destination port and a protocol type of the network request.
Specifically, the credential request may consist of summary information (header) and request content (body). Adopting a data packet in the form of header plus body makes the protocol easy to extend; the request content may be encrypted content (CipherBody). For example, the data packet of the credential request may be represented as the following table.
(Table of the credential request data packet fields, comprising the fixed-length summary information described below and the encrypted body; rendered as an image in the original.)
The protocol version may be the version of the ticket communication protocol; the credential information applied for by the credential request may be embodied as ticket information, and the credential request conforms to the ticket communication protocol. Correspondingly, the credential response result fed back by the terminal device for the credential request may also consist of summary information (header) and response content (body), where the response content may be encrypted content (CipherBody). For example, the data packet of the credential response result may be represented as the following table.
(Table of the credential response result data packet fields; rendered as an image in the original.)
It should be noted that, in the prior art, the communication protocol usually has a fixed length: request and response use preset fixed-length data, the data block of the request plaintext is padded at the end with "\0" to 255 bits and then encrypted, and the encrypted data block is 256 bits long. A protocol of this kind is not easily extended, and because a large number of padding characters are filled in, traffic is easily wasted. Moreover, with such a protocol the client generally delimits a request by the length of the data packet, so it can only process requests serially, which easily leads to low response efficiency, and when a large number of network requests are processed, responses are easily delayed.
Based on the communication protocol shown in the tables above, the optimized protocol of the present application may consist of fixed-length summary information and specific content, where the summary information includes the unique identifier of the network request and the body length. The client need only read the body length from the fixed-length summary information to locate the response content; the fixed-length summary information is shorter than the whole data packet of the prior art; and because the unique identifier represents the network request, the client can process requests in parallel by unique identifier, avoiding the delay caused by single-step sequential responses that block the parsing of the subsequent byte stream.
Referring to fig. 4, fig. 4 schematically illustrates an interaction diagram of a target client and a proxy client according to an embodiment of the present application. As shown in fig. 4, the proxy client 420 may generate credential requests A, B, C, D, ... according to the unique identifiers respectively corresponding to the network requests (e.g., Package1, Package2, ..., Packagen, n being a positive integer), and send the credential requests to the target client 410 in the order A-B-C-D-...; A, B, C, D, ... correspond one-to-one to Package1, Package2, ..., Packagen. The target client 410 may process A-B-C-D-... in parallel to obtain the credential response results corresponding to each of them, and may respond asynchronously and out of order based on those results. For example, the proxy client 420 may receive the credential response results in the order D-A-B-C-...; the present embodiment does not limit the order in which the proxy client 420 receives them.
On the basis of fig. 4, please refer to fig. 5, and fig. 5 schematically illustrates an interaction diagram of a target client and a proxy client according to another embodiment of the present application. As shown in fig. 5, the following steps are performed for any of the network requests in fig. 4 (i.e., A, B, C or D, … …):
the proxy client 520 (equivalent to the proxy client 420 above) may generate a credential request that includes a unique identifier representing the network request together with network parameters comprising at least one of the process code, source domain name, source port, destination domain name, destination port and protocol type of the network request, and send the credential request to the target client 510 (equivalent to the target client 410 above) to apply for credential information corresponding to the network request. The target client 510, on receiving the credential request, may apply for the credential information from the target server and feed back a credential response result containing the credential information and the unique identifier to the proxy client 520.
Therefore, by implementing the alternative embodiment, the proxy client can conveniently initiate multiple requests in one connection through the unique identifiers for associating the requests and the responses, the requests and the responses are allowed to be performed concurrently, asynchronous out-of-order responses are allowed, and the response efficiency of network requests is improved.
As an alternative embodiment, the method further includes: the terminal device determines, according to the process code, the absolute path of the access process that initiated the network request; if the absolute path is verified as legitimate, the terminal device establishes a connection with the proxy client so as to receive the credential request sent by the proxy client.
The above steps may also be executed by a target client installed on the terminal device. The steps performed by the terminal device after the above steps may also be performed by the target client.
The absolute path is the absolute position of the executable in the directory tree, i.e. a target position that can be reached directly; an absolute path usually starts from the drive letter. In addition, before the terminal device determines, according to the process code, the absolute path of the access process that initiated the network request, the method may further include: the terminal device obtains the process code of the access process from the trusted application according to the source address and source port of the access process; the access process may be a process of a trusted application. After the terminal device determines the absolute path of the access process according to the process code (PID), the method may further include: the terminal device detects whether the absolute path lies in a pre-stored installation directory; if so, it verifies the validity of the signature information in the network parameters and the security of the target interface; if the signature information is valid and the interface requested for access is secure, the absolute path is determined to be legitimate, otherwise the credential request is rejected. The installation directory may include one or more absolute paths.
Therefore, the implementation of the optional embodiment can ensure the safety of communication connection establishment between the clients.
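As an added example, not the patent's own code, the following Python sketch performs the terminal-side check described above: resolve the PID to an absolute executable path, confirm the path lies inside a pre-stored installation directory, and match the executable's digest against the trusted-application configuration (the sha256 field is used; the signature and target-interface checks are not modelled). The installation directories, digests and process table are constructed for illustration, and the path and digest lookups are injected so the logic runs without a live process table; on Linux the real lookups would be os.readlink on /proc/<pid>/exe and a SHA-256 over the file, as shown by the two helper functions.

```python
"""Added example: checking that the process behind a credential request is a trusted application."""
import hashlib
import os
from typing import Callable, Optional, Tuple

# Constructed allow-list in the spirit of the trusted-application configuration:
# installation directory -> permitted sha256 digests of the executable inside it.
TRUSTED_APPS = {
    "/opt/corp-browser": {hashlib.sha256(b"corp-browser v1.2 binary").hexdigest()},
    "/opt/corp-mail": {hashlib.sha256(b"corp-mail v3.0 binary").hexdigest()},
}


def path_within(path: str, directory: str) -> bool:
    """True only if the canonicalised path is inside the directory; a shared string prefix is not enough."""
    real_path = os.path.realpath(path)
    real_dir = os.path.realpath(directory)
    return os.path.commonpath([real_path, real_dir]) == real_dir


def verify_process(pid: int,
                   exe_path_of: Callable[[int], Optional[str]],
                   digest_of: Callable[[str], str]) -> Tuple[bool, str]:
    """PID -> absolute path -> inside a pre-stored installation directory -> digest on the allow-list.

    The two lookups are injected so this runs without a live process table; linux_exe_path and
    file_sha256 below are the real ones on Linux.
    """
    exe = exe_path_of(pid)
    if exe is None:
        return False, "process not found"
    if exe.endswith(" (deleted)"):
        return False, "executable replaced since launch"  # Linux marks a replaced binary this way
    if not os.path.isabs(exe):
        return False, "executable path is not absolute"
    install_dir = next((d for d in TRUSTED_APPS if path_within(exe, d)), None)
    if install_dir is None:
        return False, "executable outside every installation directory"
    if digest_of(exe) not in TRUSTED_APPS[install_dir]:
        return False, "executable digest not on the allow-list"
    return True, "trusted"


def linux_exe_path(pid: int) -> Optional[str]:
    """Real lookup on Linux: /proc/<pid>/exe is a symlink to the running executable."""
    try:
        return os.readlink("/proc/%d/exe" % pid)
    except OSError:
        return None


def file_sha256(path: str) -> str:
    """Real digest of the on-disk executable (meaningful only together with the (deleted) check above)."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


# Constructed process table standing in for /proc and the filesystem.
FAKE_EXE_BY_PID = {
    4242: "/opt/corp-browser/bin/browser",
    4243: "/opt/corp-browser/../../tmp/evil/browser",  # traversal: canonicalises to /tmp/evil/browser
    4244: "/opt/corp-browser-fake/browser",            # shares only the string prefix
    4245: "/opt/corp-mail/mail",                       # right directory, tampered binary
    4246: "/opt/corp-browser/bin/browser (deleted)",   # binary replaced after the process started
}
FAKE_CONTENT_BY_PATH = {
    "/opt/corp-browser/bin/browser": b"corp-browser v1.2 binary",
    "/opt/corp-mail/mail": b"corp-mail v3.0 binary (tampered)",
}


def fake_exe_path(pid: int) -> Optional[str]:
    return FAKE_EXE_BY_PID.get(pid)


def fake_digest(path: str) -> str:
    return hashlib.sha256(FAKE_CONTENT_BY_PATH.get(path, b"")).hexdigest()
```

The containment check canonicalises the path and compares with os.path.commonpath rather than a string prefix, so a traversal such as /opt/corp-browser/../../tmp/evil/browser and a sibling directory such as /opt/corp-browser-fake are both rejected. Hashing the on-disk file binds to what is actually running only if the file has not been replaced since launch, which is why the " (deleted)" marker is treated as a failure rather than hashed.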
As an optional embodiment, before generating the credential request corresponding to the network request, the method further includes: after receiving the network request, detecting whether pre-stored credential information matched with the network parameters exists in the cache or not according to the network parameters; and if not, executing to generate a credential request corresponding to the network request.
Specifically, there may be one or more items of pre-stored credential information; the embodiment of the present application is not limited in this respect. Detecting, according to the network parameters, whether pre-stored credential information matching them exists in the cache may be done as follows: detect whether the cache holds pre-stored credential information matching at least one of the process code, source domain name, source port, destination domain name, destination port and protocol type in the network parameters; if so, use that pre-stored credential information as the credential information corresponding to the network request.
Referring to fig. 6, fig. 6 schematically illustrates a flowchart of requesting credential information according to an embodiment of the present application. As shown in fig. 6, includes:
step S610: traffic hijacking. Specifically, the proxy client may hijack traffic of a network request for the access object initiated by the access principal through the trusted application.
Step S620: request source backtracking. Specifically, the proxy client may obtain a network parameter corresponding to the network request, where the network parameter includes at least one of a process code, a source domain name, a source port, a destination domain name, a destination port, and a protocol type of the network request.
Step S630: and initiating a bill application. Specifically, the proxy client may generate a unique identifier corresponding to the network request, and generate the credential request according to the unique identifier and the network parameter.
Step S640: the request is encrypted. Specifically, the proxy client may encrypt the credential request and send it to the target client; the credential request also includes a network parameter of at least one of a process code, a source domain name, a source port, a destination domain name, a destination port, and a protocol type of the originating network request.
S650: and (6) caching the bills. Specifically, the target client may obtain a process parameter corresponding to the process code, generate a data obtaining request according to the process parameter and the credential request, and send the data obtaining request to the target server, so that the target server generates credential information in response to the data obtaining request. Furthermore, the target client can receive the credential information fed back by the target server, generate a credential response result containing the credential information and feed back the credential response result to the proxy client, so that the proxy client caches the credential information in the credential response result for calling.
Referring to fig. 7, fig. 7 schematically illustrates a flow diagram for responding to a credential request according to one embodiment of the present application. As shown in fig. 7, includes:
step S710: and (6) process checking. Specifically, after the target client receives the credential request sent by the proxy client, it may detect whether the process initiating the network request is a legitimate process according to the process parameter.
Step S720: and (6) searching the strategy. Specifically, after detecting that the process is legal, the target client acquires the characteristic information of the access process and determines an access control policy matched with the characteristic information.
Step S730: and generating a receipt. Specifically, if the access control policy is proxy access, the target client requests credential information from the target server and generates a credential response result including the credential information.
Step S740: and (5) encrypting back the packet. Specifically, the target client encrypts the credential response result back to the proxy client.
Therefore, by implementing the optional embodiment, the situation that the credential information needs to be repeatedly requested from the terminal device when the same process accesses the same target address and the same target port can be avoided, and the utilization rate of the network resources can be improved by repeatedly using the pre-stored credential information in the cache within the upper limit use times and the valid time of the credential.
As an alternative embodiment, if pre-stored credential information exists in the cache, the method further includes: verifying the validity of the credential code in the pre-stored credential information according to the credential upper-limit use count and the credential validity time in the pre-stored credential information; and, if the credential code is valid, sending the network request to the server and receiving the request response result fed back by the server for the network request.
Specifically, the sending of the network request to the server and the receiving of the request response result fed back by the server for the network request include: and sending a network request to at least one server in the server cluster and receiving a request response result fed back by the at least one server for the network request.
Therefore, by implementing this optional embodiment, a cached credential is reused only while it remains within its upper-limit use count and validity time, so that the same process accessing the same target address and target port does not request credential information from the terminal device again, and network resources are used more efficiently.
As an optional embodiment, verifying the validity of the credential code in the pre-stored credential information according to the credential upper-limit use count and the credential validity time in the pre-stored credential information includes: detecting whether the number of times the credential code has been used exceeds the credential upper-limit use count, and detecting whether the current time exceeds the credential validity time; if the used count does not exceed the upper limit and the current time does not exceed the credential validity time, the credential code is determined to be valid.
Specifically, the upper-limit use count may be a positive integer greater than or equal to 1, and the credential validity time may be expressed in seconds, minutes, hours or days. Detecting whether the used count of the credential code exceeds the upper-limit use count and whether the current time exceeds the credential validity time includes: obtaining the used count of the credential code and checking whether it exceeds the upper-limit use count (e.g. 3), and checking whether the current time (e.g. 2020-01-01 00:00:00) exceeds the credential validity time (e.g. a validity window from 2019-12-31 00:00:00 to 2020-01-02 00:00:00). Optionally, the credential validity time may also be expressed as a remaining duration (e.g. 20 s).
Therefore, by implementing the optional embodiment, the utilization efficiency of the credential information within the upper limit use times and the credential effective time can be improved, and the utilization rate of the network resources is further improved.
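As an added example, not the patent's own code, the following Python sketch implements the cache behaviour described in this and the preceding optional embodiments: credential information is keyed by the network parameters of the request, and a cached entry is reused only while its used count is below the upper-limit use count and the current time does not exceed the validity time; otherwise it is evicted and the caller falls back to generating a new credential request. The cache key (process code, destination, destination port and protocol, deliberately excluding the per-connection source port), the field names, the ticket codes and the timestamps are assumptions constructed for illustration, and the clock is injected so the expiry check is deterministic.

```python
"""Added example: reuse of cached credential information within its use count and validity time."""
from dataclasses import dataclass
from typing import Callable, NamedTuple, Optional


class NetworkParams(NamedTuple):
    process_code: int
    src_host: str
    src_port: int
    dst_host: str
    dst_port: int
    protocol: str


@dataclass
class Credential:
    code: str          # the credential (ticket) code later sent with the network request
    max_uses: int      # credential upper-limit use count
    expires_at: float  # credential validity time, epoch seconds
    used: int = 0


class CredentialCache:
    """Pre-stored credential information keyed by the network parameters that requested it."""

    def __init__(self, now: Callable[[], float]) -> None:
        self._now = now    # injected clock, so expiry can be tested deterministically
        self._store = {}   # key -> Credential

    @staticmethod
    def key(p: NetworkParams) -> tuple:
        # Assumption: same process, same target address, same target port (and protocol) share a
        # credential; the per-connection source port is left out so a new connection still hits.
        return (p.process_code, p.dst_host, p.dst_port, p.protocol)

    def put(self, p: NetworkParams, cred: Credential) -> None:
        self._store[self.key(p)] = cred

    def is_valid(self, cred: Credential) -> bool:
        """Used count must not exceed the upper limit and the current time must not exceed the validity time."""
        return cred.used < cred.max_uses and self._now() <= cred.expires_at

    def take(self, p: NetworkParams) -> Optional[str]:
        """Return a credential code and consume one use, or None when a new credential request is needed."""
        k = self.key(p)
        cred = self._store.get(k)
        if cred is None:
            return None
        if not self.is_valid(cred):
            del self._store[k]  # exhausted or expired: evict rather than risk sending a stale ticket
            return None
        cred.used += 1
        return cred.code


def demo() -> list:
    """Walk through hit, hit from a new source port, exhaustion and expiry on constructed data."""
    clock = [1577836800.0]  # 2020-01-01 00:00:00 UTC, constructed
    cache = CredentialCache(now=lambda: clock[0])
    params = NetworkParams(4242, "10.0.0.5", 51000, "intranet.example", 443, "tcp")
    valid_until = 1577923200.0  # 2020-01-02 00:00:00 UTC
    cache.put(params, Credential(code="TICKET-abc", max_uses=3, expires_at=valid_until))
    outcomes = [
        cache.take(params),                           # use 1
        cache.take(params._replace(src_port=51001)),  # new connection, same destination: use 2
        cache.take(params),                           # use 3
        cache.take(params),                           # upper limit reached: None, entry evicted
    ]
    cache.put(params, Credential(code="TICKET-def", max_uses=3, expires_at=valid_until))
    clock[0] = valid_until + 1                        # advance past the validity time
    outcomes.append(cache.take(params))               # expired: None
    return outcomes
```

The use count is consumed inside the cache lookup itself, so two concurrent callers cannot both observe "2 of 3 used" and together push the credential past its limit; whatever the gateway's own accounting does, the client never sends a ticket it already knows to be exhausted or expired.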
In step S320, a credential response result fed back by the terminal device is received in real time through at least one created data receiving pipe, and when the credential response result is detected to have reached the buffer, it is extracted and compared with the unique identifier; the buffer corresponds to the data receiving pipe.
As an optional embodiment, before receiving in real time, through the at least one created data receiving pipe, the credential response result fed back by the terminal device, the method further includes: creating a buffer and at least one data pipe matching the unique identifier; and writing the credential request into the buffer, so that the event processing process triggers a data pipe whose load is below a threshold, among the at least one data pipe, to read the request data of the credential request from the buffer and send it to the terminal device.
Specifically, the buffer may be created as an array or an STL container, and through the buffer a pipe provides the functions of reading data from a network or file and writing data to a network or file; a data pipe may be a pre-divided buffer region, for example of 1024 bytes.
In addition, at least one data pipeline can be used for performing read operation/write operation, so that other read-write logics can be processed conveniently without waiting for write completion when a thread requests to write data into the pipeline, and the influence on efficiency due to blocking is avoided; and when the read data reaches the buffer area, the thread is informed to execute the read operation, and before the data reaches the buffer area, the thread can also process other read-write logic, so that the processing efficiency when a plurality of requests are processed simultaneously is improved.
In addition, after creating the buffer and the at least one data pipe matching the unique identifier, the method may further include: at least one data pipe is registered with the event handling process so that the at least one data pipe can be invoked by the event handling process. The event processing process is used for monitoring events of a plurality of pipelines such as connection opening and data arrival, and a single thread can monitor a plurality of data channels simultaneously.
In addition, after the event processing process triggers the data pipe with the load lower than the threshold value in the at least one data pipe to read the request data of the credential request from the buffer, the method may further include: the request data is marked and the request data of the buffer area is deleted, so that the occupation of the read data on the buffer area is reduced, the utilization rate of storage resources is improved, and meanwhile, the request data can be positioned through the marking of the request data.
Therefore, by implementing the optional embodiment, a plurality of pipelines can be managed through a small number of threads, and the processing efficiency when a plurality of requests are processed simultaneously is improved. In addition, when a plurality of pipelines are started simultaneously, data can be received through the data pipelines with the loads lower than the threshold value, so that the loads of the pipelines are balanced, and the processing efficiency of requests is improved.
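As an added example, not the patent's own code, the following Python program ties together the protocol framing of the tables above (fixed-length summary information carrying the PackageUID and body length, followed by the body) with the non-blocking pipe-and-buffer handling of this embodiment: one selector, playing the part of the event processing process, watches two channels from a single thread; the proxy client writes several credential requests on one connection without waiting; a simulated target client answers them out of order; and responses are matched to pending requests by PackageUID. The header layout (1-byte version, 16-byte NUL-padded ASCII PackageUID, 4-byte big-endian body length), the use of socket.socketpair and selectors, the TICKET-for- response bodies and the unencrypted body (the patent's CipherBody encryption is out of scope here) are assumptions made for illustration.

```python
"""Added example: PackageUID-framed credential requests over non-blocking channels.

Assumed frame layout (not taken from the patent's tables):
  header = version (1 byte) | PackageUID (16 bytes ASCII, NUL-padded) | body length (4 bytes, big-endian)
  body   = body length bytes, carried in clear here (the patent's CipherBody encryption is omitted)
"""
import selectors
import socket
import struct

HEADER = struct.Struct("!B16sI")  # fixed-length summary information
VERSION = 1
UID_LEN = 16


def encode_frame(uid: str, body: bytes) -> bytes:
    """Build header + body; the peer locates the body from the length field, not a fixed packet size."""
    raw_uid = uid.encode("ascii")
    if not raw_uid or len(raw_uid) > UID_LEN:
        raise ValueError("PackageUID must be 1..16 ASCII bytes")
    return HEADER.pack(VERSION, raw_uid.ljust(UID_LEN, b"\0"), len(body)) + body


class FrameReader:
    """Accumulates a byte stream and returns complete (uid, body) frames; partial frames stay buffered."""

    def __init__(self) -> None:
        self.buf = bytearray()

    def feed(self, data: bytes) -> list:
        self.buf += data
        frames = []
        while len(self.buf) >= HEADER.size:
            version, raw_uid, body_len = HEADER.unpack_from(self.buf, 0)
            if version != VERSION:
                raise ValueError("unsupported protocol version %d" % version)
            end = HEADER.size + body_len
            if len(self.buf) < end:
                break  # body not fully arrived yet; wait for the next read event
            body = bytes(self.buf[HEADER.size:end])
            del self.buf[:end]
            frames.append((raw_uid.rstrip(b"\0").decode("ascii"), body))
        return frames


class ProxyClient:
    """Sends credential requests and matches responses to them by PackageUID, in any order."""

    def __init__(self, sock: socket.socket) -> None:
        self.sock = sock
        self.reader = FrameReader()
        self.pending = {}  # uid -> request body (network parameters)
        self.results = {}  # uid -> credential information, in arrival order

    def send_request(self, uid: str, network_params: bytes) -> None:
        self.pending[uid] = network_params
        self.sock.sendall(encode_frame(uid, network_params))  # small frames; the socket buffer never fills here

    def on_readable(self) -> None:
        for uid, body in self.reader.feed(self.sock.recv(4096)):
            if uid not in self.pending:
                continue  # unsolicited or duplicate response: never extract credentials from it
            del self.pending[uid]
            self.results[uid] = body


def simulated_target_client(sock: socket.socket, reader: FrameReader) -> None:
    """Stand-in for the terminal's target client: answers the batch it just read in reverse order."""
    for uid, body in reversed(reader.feed(sock.recv(4096))):
        sock.sendall(encode_frame(uid, b"TICKET-for-" + body))


def run_demo(requests: dict) -> dict:
    """Issue all requests on one connection, then drive both ends from a single selector loop."""
    proxy_end, target_end = socket.socketpair()
    proxy_end.setblocking(False)
    target_end.setblocking(False)
    proxy = ProxyClient(proxy_end)
    target_reader = FrameReader()
    sel = selectors.DefaultSelector()  # the event processing process: one thread, several channels
    sel.register(proxy_end, selectors.EVENT_READ, data="proxy")
    sel.register(target_end, selectors.EVENT_READ, data="target")
    try:
        for uid, params in requests.items():
            proxy.send_request(uid, params)  # no waiting for a response between sends
        while proxy.pending:
            events = sel.select(timeout=2.0)
            if not events:
                raise TimeoutError("no response for " + ", ".join(proxy.pending))
            for key, _ in events:
                if key.data == "proxy":
                    proxy.on_readable()
                else:
                    simulated_target_client(target_end, target_reader)
    finally:
        sel.close()
        proxy_end.close()
        target_end.close()
    return proxy.results


if __name__ == "__main__":
    # Constructed sample: four network requests from one process to two intranet destinations.
    sample = {
        "Package1": b"pid=4242;dst=intranet.example:443;proto=tcp",
        "Package2": b"pid=4242;dst=intranet.example:443;proto=tcp",
        "Package3": b"pid=4242;dst=wiki.example:8443;proto=tcp",
        "Package4": b"pid=4242;dst=wiki.example:8443;proto=tcp",
    }
    for uid, cred in run_demo(sample).items():
        print(uid, cred.decode())  # printed in arrival order, which is the target's out-of-order reply order
```

The FrameReader keeps any partial frame buffered between reads, so a body split across two recv calls is reassembled rather than mis-parsed, and a response whose PackageUID has no pending request is dropped rather than trusted, which is the check a practitioner wants before extracting credential information from it. The same selector can register further channels and pick the least loaded one for the next request without adding threads.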
As an optional embodiment, after sending the credential request to the terminal device, the method further includes: the terminal device obtains the process parameters corresponding to the process code; the terminal device generates a data acquisition request according to the process parameters and the credential request and sends it to the target server, so that the target server generates credential information in response to the data acquisition request; the terminal device receives the credential information fed back by the target server; and the terminal device generates a credential response result containing the credential information.
Specifically, the process parameters corresponding to the process code (PID) may include the MD5 of the process, the process path, the time the process was last modified, copyright information and signature information. The request parameters corresponding to the credential request may include at least one of a source domain name (or source IP), a source port, a destination domain name (or destination IP) and a destination port; IP is the Internet Protocol, the network layer protocol of the TCP/IP suite used to interconnect large-scale heterogeneous networks. On this basis, the terminal device generating the data acquisition request according to the process parameters and the credential request includes: the terminal device generating the data acquisition request according to the process parameters and the request parameters.
In addition, before the target server generates the credential information in response to the data acquisition request, the method may further include the following steps: the target server detects whether the process initiating the network request is a legitimate process according to the process parameters, detects whether the device on which the process is installed is a legitimate device according to the device information (such as a device ID) in the credential request, and verifies the legitimacy of the user according to the user information (such as a user ID) in the credential request; and if the process, the device and the user are all legitimate, the step of generating the data acquisition request according to the process parameters and the credential request is executed. The device information describes the device on which the target client is installed, and the user information describes the user logged in to the target client.
Detecting whether the process initiating the network request is a legitimate process according to the process parameters includes: detecting whether the process code corresponding to the process initiating the network request belongs to a pre-stored code set, and if so, judging that the process is legitimate. Detecting whether the device on which the process is installed is a legitimate device according to the device information in the credential request includes: detecting whether the device information in the credential request belongs to pre-stored device information, and if so, judging that the device is legitimate. Verifying the legitimacy of the user according to the user information in the credential request includes: detecting whether the user information in the credential request belongs to pre-stored user information, and if so, judging that the user is legitimate.
Further, if any one of the process, the device and the user is detected to be illegitimate, a feedback result indicating that the request is illegitimate is sent to the terminal device, so that the terminal device determines the authority corresponding to the network request: if it is a first-class authority, the network request is sent directly to the server; if it is a second-class authority, the connection with the proxy client is disconnected.
It can be seen that implementing this alternative embodiment, credential information can be generated by the server to secure the response to the network request.
In step S330, upon receiving the credential response result matching the unique identifier fed back by the terminal device, the credential information in the credential response result is extracted.
The credential information may include a credential code, an upper limit on the number of times the credential may be used, and a credential valid time; the credential code may also be referred to as a ticket.
As an alternative embodiment, extracting the credential response result and comparing it with the unique identifier includes: parsing the credential response result into a byte stream; intercepting the digest information in the byte stream according to a preset digest length; extracting the identifier in the digest information and comparing it with the unique identifier; and if the comparison shows that the identifier is consistent with the unique identifier, judging that the identifier matches the unique identifier.
Specifically, the identifier in the digest information and the unique identifier may both be PackageUIDs.
Therefore, by implementing the alternative embodiment, the parallel processing of credential requests and the asynchronous response to credential requests can be realized through the one-to-one correspondence between the unique identifiers and the identifiers in the digest information, so as to improve the subsequent response efficiency to requests.
As an alternative embodiment, extracting the credential information in the credential response result includes: intercepting the response content in the credential response result according to the information in the digest information that expresses the content length; and extracting the credential information from the response content.
Specifically, the information expressing the content length may be a response body length (Length), and the response content may be the response body data (RspBody).
It can be seen that implementing this alternative embodiment, the credential requests can be processed in parallel and can be responded to asynchronously, so as to improve the efficiency of subsequent responses to requests.
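The digest-and-body parsing described above, as an added example that is not code from the patent or from Tencent's iOA product: a proxy-client receiver that pulls complete frames out of the receive buffer, matches each PackageUID against the set of outstanding requests (generalising the single-request comparison on the page to several requests in flight, since the target client may answer out of order) and extracts the credential fields from RspBody. The frame layout (a 20-byte digest holding a 16-byte PackageUID and a 4-byte big-endian Length, followed by a JSON body), the field names and the size bound are assumptions.

```python
"""
Added example (not code from the patent or from Tencent iOA): proxy-client side
receiver for credential response results.

Assumed wire layout (the page only says the digest has a preset length and
carries the identifier and the content length, so this layout is constructed):

    digest  = PackageUID (16 bytes, raw UUID) + Length (4 bytes, big-endian)
    RspBody = Length bytes of UTF-8 JSON: {"ticket": ..., "max_uses": ..., "valid_until": ...}
"""
import json
import struct
import uuid
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

DIGEST_LEN = 20                 # assumed preset digest length
_LEN_STRUCT = struct.Struct("!I")
MAX_BODY_LEN = 64 * 1024        # constructed bound: a corrupt Length must not grow the buffer forever


@dataclass
class Credential:
    ticket: str          # the credential code ("ticket")
    max_uses: int        # upper limit on the number of uses
    valid_until: int     # credential valid time, unix seconds


def build_response(package_uid: bytes, credential: Credential) -> bytes:
    """Constructed encoder, used only to produce sample traffic for the demo."""
    body = json.dumps(credential.__dict__).encode()
    return package_uid + _LEN_STRUCT.pack(len(body)) + body


def parse_one(buf: bytes) -> Optional[Tuple[bytes, bytes, int]]:
    """Return (PackageUID, RspBody, bytes_consumed) for the first complete frame
    in buf, or None if the buffer does not yet hold a whole frame."""
    if len(buf) < DIGEST_LEN:
        return None                                   # digest not complete yet
    uid = buf[:16]
    (length,) = _LEN_STRUCT.unpack_from(buf, 16)      # Length field of the digest
    if length > MAX_BODY_LEN:
        raise ValueError(f"declared body length {length} exceeds bound")
    end = DIGEST_LEN + length
    if len(buf) < end:
        return None                                   # body still arriving
    return uid, buf[DIGEST_LEN:end], end


class CredentialReceiver:
    """Tracks outstanding credential requests by PackageUID and consumes the
    receive buffer as data arrives through the data receiving pipeline."""

    def __init__(self) -> None:
        self.pending: Dict[bytes, str] = {}       # PackageUID -> waiting network request
        self.buffer = bytearray()                 # the buffer the pipeline writes into
        self.matched: Dict[bytes, Credential] = {}
        self.unmatched: List[bytes] = []          # responses whose identifier matched nothing

    def register(self, network_request: str) -> bytes:
        """Generate the unique identifier for a new network request."""
        uid = uuid.uuid4().bytes
        self.pending[uid] = network_request
        return uid

    def on_data(self, chunk: bytes) -> None:
        """Called whenever the pipeline delivers bytes into the buffer."""
        self.buffer.extend(chunk)
        while True:
            try:
                frame = parse_one(bytes(self.buffer))
            except ValueError:
                self.buffer.clear()   # stream is unrecoverable; caller should reconnect
                raise
            if frame is None:
                return
            uid, body, consumed = frame
            del self.buffer[:consumed]
            if uid not in self.pending:
                self.unmatched.append(uid)        # identifier does not match any request
                continue
            info = json.loads(body)
            self.matched[uid] = Credential(
                info["ticket"], int(info["max_uses"]), int(info["valid_until"]))
            del self.pending[uid]
```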
In step S340, the credential information and the network request are sent to the access gateway, so that the access gateway forwards the network request to the server when verifying that the credential information is valid.
Specifically, the access gateway is used to authenticate, authorize and forward network requests directed at the access object. The credential information and the network request may be sent to the access gateway as follows: an access request containing the credential information and the network request is sent to the access gateway. Additionally, the server may be any server in a server cluster. Based on this, the above method may further include: the access gateway parses the access request to obtain the credential information.
As an optional embodiment, before the access gateway forwards the network request to the server when verifying that the credential information is valid, the method further includes: the access gateway generates a verification request containing the credential information; and the access gateway sends the verification request to the target server, so that the target server verifies the validity of the credential information and feeds back the verification result to the access gateway.
Specifically, the target server may verify the validity of the credential information as follows: it checks through a ticket center whether the credential information is pre-stored credential information; if so, the credential information is judged to be valid; if not, a result indicating that the credential information is invalid is fed back to the access gateway, so that the access gateway disconnects from the proxy client, and the proxy client can then initiate network access to the server directly, achieving intelligent connection with the server.
Therefore, the implementation of the alternative embodiment can ensure the security when responding to the request through the validity verification of the credential information.
In step S350, a request response result fed back by the server for the network request is received.
As an optional embodiment, receiving the credential response result fed back by the terminal device in real time through the created at least one data receiving pipeline includes: receiving the credential response result fed back by the terminal device in real time through a data pipeline whose load is lower than the threshold value, and writing the credential response result into the buffer.
Specifically, after reading the credential response result from the buffer, the method may further include: the credential response result in the buffer is deleted.
Therefore, implementing this alternative embodiment frees the buffer space held by data that has already been read, improving the utilization of storage resources.
Referring to fig. 8, fig. 8 schematically illustrates an interaction diagram of an access subject and an access object according to an embodiment of the present application. As shown in fig. 8, the interaction diagram may include: an access subject 810, a zero trust network security provider 820, a portal 830, and an access object 840; the zero trust network security provider 820 includes a target server 821 and a target client 822, and the portal 830 includes a proxy client 831 and an access gateway 832.
In particular, the access subject 810 can send a network request to the zero trust network security provider 820. Before the target client 822 receives the network request, the proxy client 831 may hijack the network request, generate a unique identifier (PackageUID) corresponding to it, acquire the network parameters corresponding to it, generate a credential request according to the unique identifier and the network parameters, and send the credential request to the target client 822.
After receiving the credential request, the target client 822 may request credential information from the target server 821, generate a credential response result containing the credential information fed back by the target server 821, and send it to the proxy client 831. Because the target client 822 may respond to received credential requests asynchronously and out of order, the proxy client 831 receives the credential response results fed back by the target client in real time through the created at least one data receiving pipeline. When it is monitored that a credential response result has reached the buffer, the proxy client 831 compares the PackageUID in the response result with the PackageUID of the network request: if they are not consistent, the received response result is determined not to be the response to this network request; if they are consistent, it is determined to be the response to this network request, and the credential information in it is sent together with the network request to the access gateway 832.
Further, the access gateway 832 may generate a verification request containing the credential information and send it to the target server 821, so that the target server 821 verifies the validity of the credential information and feeds back the verification result to the access gateway 832; the access gateway 832 forwards the network request to the server of the access object 840 when the credential information is verified as valid.
Further, the server of the access object 840 may respond to the network request and feed the result back to the proxy client 831 through the access gateway 832. The proxy client 831 may receive the response as follows: it receives the credential response result matching the unique identifier fed back by the target client through a data pipeline whose load is lower than the threshold value, writes the credential response result into the buffer, and reads the credential response result from the buffer.
It should be noted that the zero-trust network security provider (iOA) may be a network access management and control system. It may confirm the legitimate identity of the current user through multiple authentication methods (e.g., QR code scanning authentication, token two-factor authentication, local identity authentication, domain identity authentication, etc.); it may further integrate terminal management and control modules such as virus scanning and removal, compliance protection, security hardening and data leakage prevention; and it may further include a dedicated access-link encryption/decryption gateway, specify web or application traffic for a terminal layer by layer, support access control management and single-link request authorization, and block illegitimate access and network risks in time.
Referring to fig. 9 on the basis of fig. 8, fig. 9 schematically shows an architecture diagram for implementing a request response method according to an embodiment of the present application. As shown in fig. 9, the architecture for implementing the request response method may include: a user device 910, a target server 920, an access gateway 930, a server cluster 940, and a cloud service 950; the server cluster 940 includes server 1 941, server 2 942, …, and server n 943, where n is a positive integer. The trusted application 912, the target client 911 and the proxy client 913 may be installed on the user device 910, and the target server 920 may include a delivery service 921, a policy center 922 and a ticket center 923.
Specifically, when the access subject initiates a network request for the access object through the trusted application 912 on the user device 910, the proxy client 913 may, through the TUN/TAP driver, redirect the network request that would otherwise enter the physical network card into a virtual network card, and parse the network request into a byte stream to obtain its network parameters; the TUN/TAP driver implements the virtual network card, where TUN denotes a virtual point-to-point device and TAP denotes a virtual Ethernet device. Further, the proxy client 913 may generate a unique identifier corresponding to the network request, generate a credential request according to the unique identifier and the network parameters, and send the credential request to the target client 911.
Further, the target client 911 may determine the absolute path of the access process initiating the network request according to the process code acquired from the trusted application 912. If the absolute path is detected to be legitimate, the target client 911 establishes a connection with the proxy client 913 and checks through a thread whether data corresponding to the network request exists in the cache; if so, the cached data is used as the response result; if not, the feature information of the access process is acquired. The feature information is then sent to the target server 920, so that the policy center 922 in the target server 920 queries the access control policy matching the feature information and feeds the query result back to the target client 911, which processes the network request according to the query result. The access control policy may include proxy access and direct access: proxy access indicates the more secure request response mode that goes through the proxy client, and direct access indicates the less secure mode that goes directly to the server; the feature information may include the value of each field corresponding to the access process. The target client 911 then acquires the process parameters corresponding to the process code, generates a data acquisition request according to the process parameters and the credential request, and sends it to the target server 920, so that the target server 920 generates credential information in response to the data acquisition request and feeds it back to the target client 911.
Furthermore, the target client 911 may receive the credential information fed back by the target server 920, generate a credential response result containing the credential information, and send it to the proxy client 913. The proxy client 913 may receive the credential response result fed back by the target client in real time through the created at least one data receiving pipeline. When it is monitored that the credential response result has reached the buffer, the proxy client 913 parses the credential response result into a byte stream, intercepts the digest information in the byte stream according to the preset digest length, extracts the PackageUID in the digest information and compares it with the unique identifier; if the identifier is consistent with the unique identifier, it intercepts the response content in the credential response result according to the information in the digest that expresses the content length, and extracts the credential information from the response content.
Furthermore, the proxy client 913 may send the credential information and the network request to the access gateway 930. The access gateway 930 generates a verification request containing the credential information and sends it to the target server 920, so that the target server 920 verifies the validity of the credential information through the ticket center 923 and feeds back the verification result to the access gateway 930; the access gateway 930 forwards the network request to any server in the server cluster 940 when the credential information is verified as valid.
The ticket center 923 is used to pre-store one or more pieces of credential information and to generate credential information. The delivery service 921 is configured to send a process code to the cloud service 950 when that process code is detected for the first time, so that the cloud service 950 verifies the security and legitimacy of the new process; if the cloud service 950 detects a malicious process, the target client 911 may be triggered to execute an asynchronous blocking operation to ensure security when the network request is responded to.
In turn, the access gateway 930 may receive the response result fed back by the server for the network request and forward it to the proxy client 913. Optionally, the proxy client 913 may present the response result in the user interface; for example, if the network request is used to add a meeting record, the response result presented in the user interface may indicate that the addition succeeded.
Based on the architectures shown in fig. 8 and fig. 9, it can be understood that the embodiments of the present application can be applied to remote office work, remote approval, remote development, remote operation and maintenance, logging in to servers from outside the office, and other scenarios, and can access the data of an access object (e.g., enterprise resources) conveniently and safely, so that borderless work can be implemented. In these application scenarios, the target client may also be referred to as an iOA client, which is installed on the employee's work device and is responsible for verifying the legitimate/trusted identity of the employee, the legitimacy of the work device, and the legitimacy of the application software that initiates the network request; the target server, which may be referred to as the iOA server, schedules traffic through the policy control engine and performs legitimacy verification at the granularity of user, device and trusted application.
Specifically, the iOA server may include an identity verification module, a device trust module and an application detection module. The identity verification module verifies the legitimacy of the user according to the user information (such as a user ID) in the credential request; the device trust module detects whether the device on which the process is installed is a legitimate device according to the device information (such as a device ID) in the credential request, whether the current state of the device is secure, and whether the hardware information of the device conforms to a preset rule; the application detection module detects whether the process initiating the network request is a legitimate process according to the process parameters, whether the process has a vulnerability, and whether the process carries a Trojan horse or virus.
It can be seen that, in the architecture shown in fig. 9, the credential request is marked by the unique identifier and data is received through the data receiving pipeline and the buffer, so it is not necessary to wait for one read/write operation to complete before the next read/write operation is performed; data processing in non-blocking mode is thus realized, the target client can process credential requests in parallel and respond to them asynchronously, and the subsequent response efficiency to requests is improved. In addition, the corresponding credential information can be applied for on behalf of the network request, and a secure response to the request is realized through validity verification of the credential information.
Referring to fig. 10, fig. 10 schematically illustrates a flow chart of a request response method according to an embodiment of the present application. As shown in fig. 10, the request response method includes: step S1000 to step S1022.
Step S1000: the proxy client detects, according to the network parameters, whether pre-stored credential information matching the network parameters exists in the cache; if yes, step S1002 is executed, and if no, step S1004 is executed.
Step S1002: if the number of times the pre-stored credential information has been used does not exceed the upper limit on its use count and the current time does not exceed its credential valid time, the proxy client sends the network request to the server and receives the request response result fed back by the server for the network request.
Step S1004: the proxy client hijacks the network request for the access object initiated by the access subject through the trusted application.
Step S1006: the proxy client generates a unique identifier corresponding to the network request, acquires the network parameters corresponding to the network request, and generates a credential request according to the unique identifier and the network parameters; the network parameters include at least one of a process code, a source domain name, a source port, a destination domain name, a destination port and a protocol type of the network request.
Step S1008: the target client determines an absolute path of an access process for initiating the network request according to the process code; and if the absolute path is detected to have legality, the target client establishes connection with the proxy client.
Step S1010: the proxy client creates a buffer area matched with the unique identification and at least one data pipeline, writes the certificate request into the buffer area, so that the event processing process triggers the data pipeline with the load lower than the threshold value in the at least one data pipeline to read the request data of the certificate request from the buffer area and send the request data to the target client.
Step S1012: the target client acquires the process parameters corresponding to the process code, generates a data acquisition request according to the process parameters and the credential request, and sends the data acquisition request to the target server, so that the target server generates the credential information in response to the data acquisition request.
Step S1014: and the target client receives the credential information fed back by the target server and generates a credential response result containing the credential information.
Step S1016: the proxy client parses the credential response result into a byte stream, intercepts the digest information in the byte stream according to the preset digest length, and extracts the identifier in the digest information.
Step S1018: the proxy client compares the identifier with the unique identifier; if the identifier is consistent with the unique identifier, the proxy client intercepts the response content in the credential response result according to the information in the digest information that expresses the content length, and extracts the credential information from the response content.
Step S1020: the proxy client sends the credential information and the network request to the access gateway, the access gateway generates a verification request containing the credential information, and sends the verification request to the target server, so that the target server verifies the validity of the credential information and feeds back a verification result to the access gateway, and the access gateway forwards the network request to the server when verifying that the credential information is valid.
Step S1022: the proxy client receives the credential response result matching the unique identifier fed back by the target client through a data pipeline whose load is lower than the threshold value, writes the credential response result into the buffer, and reads the credential response result from the buffer.
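Steps S1000 and S1002 as an added example (not code from the patent or from iOA): a proxy-client credential cache that reuses a stored ticket only while its use count is within the upper limit and its valid time has not passed, and otherwise evicts the entry so that the flow falls through to step S1004 and a new credential request is generated. The cache key of (process code, destination, destination port), the injectable clock and the rule that a successful lookup counts as one use are assumptions.

```python
"""
Added example (not code from the patent or from Tencent iOA): the proxy-client
credential cache consulted in step S1000 before a credential request is built.
"""
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

# Assumed key: the page says the same process reaching the same target address
# and port can reuse a credential, so the key is built from those three fields.
CacheKey = Tuple[int, str, int]  # (process code, destination domain or IP, destination port)


@dataclass
class CachedCredential:
    ticket: str            # credential code
    max_uses: int          # upper limit on the number of uses
    valid_until: float     # credential valid time, unix seconds
    used: int = 0          # how many times this entry has been reused so far


class CredentialCache:
    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self._entries: Dict[CacheKey, CachedCredential] = {}
        self._clock = clock   # injectable so expiry can be exercised deterministically

    def store(self, key: CacheKey, ticket: str, max_uses: int, valid_until: float) -> None:
        """Called after step S1018 has extracted fresh credential information."""
        self._entries[key] = CachedCredential(ticket, max_uses, valid_until)

    def lookup(self, key: CacheKey) -> Optional[str]:
        """Step S1000/S1002: return a reusable ticket for this key, or None when the
        proxy client must fall through to step S1004 and request a new credential.
        An entry that is expired or has exhausted its uses is evicted."""
        entry = self._entries.get(key)
        if entry is None:
            return None
        if self._clock() > entry.valid_until or entry.used >= entry.max_uses:
            del self._entries[key]       # stale entry: do not keep serving it
            return None
        entry.used += 1                  # a successful lookup consumes one use
        return entry.ticket

    def remaining_uses(self, key: CacheKey) -> int:
        """Uses left on a cached entry, 0 when nothing usable is cached."""
        entry = self._entries.get(key)
        if entry is None or self._clock() > entry.valid_until:
            return 0
        return max(entry.max_uses - entry.used, 0)
```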
It should be noted that steps S1000 to S1022 correspond to the steps and embodiments shown in fig. 3, and for the specific implementation of steps S1000 to S1022, please refer to the steps and embodiments shown in fig. 3, which are not described herein again.
It can be seen that, by implementing the method shown in fig. 10, the credential request is marked by the unique identifier and data is received through the data receiving pipeline and the buffer, so it is not necessary to wait for one read/write operation to complete before the next read/write operation is performed; data processing in non-blocking mode is thus realized, the target client can process credential requests in parallel and respond to them asynchronously, and the subsequent response efficiency to requests is improved. In addition, the corresponding credential information can be applied for on behalf of the network request, and a secure response to the request is realized through validity verification of the credential information.
Further, in the present exemplary embodiment, a request response device is also provided. Referring to fig. 11, the request response apparatus 1100 may include: a request generation unit 1101, a data processing unit 1102, an information extraction unit 1103, a request transmission unit 1104, and a response result reception unit 1105, where:
a request generation unit 1101 configured to generate a credential request corresponding to the network request and send the credential request to the terminal device; the certificate request comprises a unique identifier corresponding to the network request;
the data processing unit 1102 is configured to receive a credential response result fed back by the terminal device in real time through the created at least one data receiving pipeline, and when it is monitored that the credential response result reaches the buffer, extract the credential response result and compare the credential response result with the unique identifier; wherein the buffer area corresponds to the data receiving pipeline;
an information extraction unit 1103, configured to, when receiving a credential response result matching the unique identifier fed back by the terminal device, extract credential information in the credential response result;
a request sending unit 1104, configured to send the credential information and the network request to the access gateway, so that the access gateway forwards the network request to the server when verifying that the credential information is valid;
a response result receiving unit 1105, configured to receive a request response result that the server feeds back to the network request.
It can be seen that, with the apparatus shown in fig. 11, the credential request is marked by the unique identifier and data is received through the data receiving pipeline and the buffer, so it is not necessary to wait for one read/write operation to complete before the next read/write operation is performed; data processing in non-blocking mode is thus realized, the terminal device can process credential requests in parallel and respond to them asynchronously, and the subsequent response efficiency to requests is improved. In addition, the corresponding credential information can be applied for on behalf of the network request, and a secure response to the request is realized through validity verification of the credential information.
In an exemplary embodiment of the present application, the request generating unit 1101 generates a credential request corresponding to a network request, including:
generating a unique identifier and acquiring a network parameter corresponding to the network request;
generating a credential request according to the unique identifier and the network parameters;
the network parameter includes at least one of a process code, a source domain name, a source port, a destination domain name, a destination port and a protocol type of the network request.
Therefore, by implementing the alternative embodiment, the proxy client can conveniently initiate multiple requests in one connection through the unique identifiers for associating the requests and the responses, the requests and the responses are allowed to be performed concurrently, asynchronous out-of-order responses are allowed, and the response efficiency of network requests is improved.
In an exemplary embodiment of the present application, after the request generating unit 1101 sends the credential request to the terminal device, the apparatus further includes:
the terminal device acquires the process parameters corresponding to the process code;
the terminal device generates a data acquisition request according to the process parameters and the credential request and sends it to the target server, so that the target server generates credential information in response to the data acquisition request;
the terminal device receives the credential information fed back by the target server;
the terminal device generates a credential response result containing the credential information.
It can be seen that implementing this alternative embodiment, credential information can be generated by the server to secure the response to the network request.
In an exemplary embodiment of the present application, before the access gateway forwards the network request to the server when verifying that the credential information is valid, the apparatus further includes:
the access gateway generates a verification request containing the credential information;
and the access gateway sends the verification request to the target server so that the target server verifies the validity of the credential information and feeds back a verification result to the access gateway.
Therefore, the implementation of the alternative embodiment can ensure the security when responding to the request through the validity verification of the credential information.
In an exemplary embodiment of the present application, the data processing unit 1102 extracts the credential response result and compares the credential response result with the unique identifier, including:
parsing the credential response result into a byte stream;
intercepting the digest information in the byte stream according to a preset digest length;
extracting the identifier in the digest information, and comparing the identifier with the unique identifier;
and when the comparison result shows that the identification is consistent with the unique identification, judging that the identification is matched with the unique identification.
Therefore, by implementing the alternative embodiment, the parallel processing of the credential requests and the asynchronous response of the credential requests can be realized through the one-to-one correspondence between the unique identifiers and the identifiers in the summary information, so as to improve the subsequent response efficiency to the requests.
In an exemplary embodiment of the present application, the information extracting unit 1103 extracting the credential information from the credential response result includes:
intercepting the response content from the credential response result according to the field of the summary information that expresses the content length;
and extracting the credential information from the response content.
It can be seen that by implementing this alternative embodiment, credential requests can be processed in parallel and responded to asynchronously, so as to improve the efficiency of the subsequent response to the request.
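As an added example (not code from the patent), the following Python implements the framing described in the two embodiments above: a fixed-length header (the "summary information") carries the unique identifier of the credential request and the length of the response content, and the content follows. The header layout (16-byte identifier, 4-byte big-endian length), the bound on the content length and the JSON credential body with fields `credential_code`, `max_uses` and `valid_until` are assumptions, since the patent fixes no wire format. The parser distinguishes an incomplete frame (keep reading the pipe) from a mismatched identifier (a response that belongs to another request and must not be consumed).

```python
import hmac
import json
import struct
import uuid

# Assumed wire layout (the patent fixes no format): a fixed-length header, the
# "summary information", holding the 16-byte unique identifier of the credential
# request and a 4-byte big-endian content length, followed by the content.
HEADER_FMT = ">16sI"
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 20 bytes
MAX_CONTENT_LEN = 64 * 1024               # assumed upper bound on a credential body


def encode_response(request_id: bytes, content: bytes) -> bytes:
    """Build the credential response frame the terminal device would feed back."""
    if len(request_id) != 16:
        raise ValueError("request id must be 16 bytes")
    if len(content) > MAX_CONTENT_LEN:
        raise ValueError("content too long")
    return struct.pack(HEADER_FMT, request_id, len(content)) + content


def parse_response(stream: bytes):
    """Split a byte stream into (request_id, content, remaining_bytes).

    Returns None while the stream does not yet hold a complete frame, so the
    reader of a data pipe can keep accumulating bytes into its buffer.
    """
    if len(stream) < HEADER_LEN:
        return None
    request_id, content_len = struct.unpack(HEADER_FMT, stream[:HEADER_LEN])
    if content_len > MAX_CONTENT_LEN:
        raise ValueError("declared content length exceeds limit")
    end = HEADER_LEN + content_len
    if len(stream) < end:
        return None
    return request_id, stream[HEADER_LEN:end], stream[end:]


def response_matches(stream: bytes, expected_id: bytes) -> bool:
    """Compare the identifier in the header with the request's unique identifier."""
    parsed = parse_response(stream)
    if parsed is None:
        return False
    return hmac.compare_digest(parsed[0], expected_id)


def extract_credential(stream: bytes, expected_id: bytes):
    """Return the credential dict when the frame matches expected_id.

    None means the frame is still incomplete; a mismatched identifier raises
    so that a response meant for another request is never consumed by this one.
    """
    parsed = parse_response(stream)
    if parsed is None:
        return None
    request_id, content, _rest = parsed
    if not hmac.compare_digest(request_id, expected_id):
        raise ValueError("credential response does not match the request identifier")
    credential = json.loads(content.decode("utf-8"))
    for key in ("credential_code", "max_uses", "valid_until"):  # assumed field names
        if key not in credential:
            raise ValueError(f"credential response lacks {key}")
    return credential


if __name__ == "__main__":
    # Constructed sample: one request identifier and its matching response frame.
    rid = uuid.uuid4().bytes
    body = json.dumps({"credential_code": "demo", "max_uses": 5, "valid_until": 0}).encode()
    print(extract_credential(encode_response(rid, body), rid))
```

Because the length field is read before the body is trusted, the reader never allocates or waits on an attacker-chosen length beyond `MAX_CONTENT_LEN`, and any bytes after the declared length are handed back as the start of the next frame rather than silently dropped.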
In an exemplary embodiment of the present application, the apparatus further includes:
the terminal device determining the absolute path of the access process that initiated the network request according to the process code;
and if the absolute path is detected to be valid, the terminal device establishing a connection with the proxy client so as to receive the credential request sent by the proxy client.
Therefore, implementing this optional embodiment secures the establishment of the communication connection between the proxy client and the terminal device.
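As an added example, not the patent's own code, the following Python shows the path check the embodiment above describes: the terminal device resolves the process code (a PID) to the absolute path of the access process and accepts the proxy client's connection only when that path is valid. The Linux resolver (`/proc/<pid>/exe`), the trusted-application list and the rejection rules are assumptions of this example; the resolver is injected so the check can be run against a constructed PID table.

```python
import os
import posixpath
from typing import Callable, Iterable, Optional


def linux_exe_path(pid: int) -> str:
    """Resolve a process code (PID) to its executable path on Linux (assumed resolver)."""
    return os.readlink(f"/proc/{pid}/exe")


def resolve_access_process(pid: int, resolver: Callable[[int], str]) -> Optional[str]:
    """Return the executable path of the access process, or None if it cannot be determined."""
    try:
        return resolver(pid)
    except (OSError, KeyError):
        return None  # process already gone or not inspectable: never trust by default


def is_trusted_path(path: Optional[str], trusted: Iterable[str]) -> bool:
    """Validity check of the resolved path against the configured trusted applications.

    Only an absolute, already-normalised path that exactly equals a configured
    entry passes. Relative paths, '..' segments and Linux's ' (deleted)' suffix
    (the on-disk binary was replaced after the process started) are rejected.
    """
    if not path or not posixpath.isabs(path):
        return False
    if posixpath.normpath(path) != path:
        return False
    if path.endswith(" (deleted)"):
        return False
    allow = {posixpath.normpath(t) for t in trusted}
    return path in allow


def may_accept_credential_request(pid: int, trusted: Iterable[str],
                                  resolver: Callable[[int], str] = linux_exe_path) -> bool:
    """Decide whether the terminal device accepts the proxy client's connection for this process."""
    return is_trusted_path(resolve_access_process(pid, resolver), trusted)


if __name__ == "__main__":
    # Constructed PID table standing in for /proc on the terminal device.
    table = {1234: "/usr/bin/curl", 2345: "/tmp/../usr/bin/curl", 3456: "/usr/bin/curl (deleted)"}
    for pid in (1234, 2345, 3456, 9999):
        print(pid, may_accept_credential_request(pid, ["/usr/bin/curl"], table.__getitem__))
```

The check is only as strong as the identity it relies on: a path says which file was executed, not that the file's contents are the ones the operator trusted, so a deployment that can afford it pairs the path with a hash or signature check of the binary. The patent describes only the path check.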
In an exemplary embodiment of the present application, the apparatus further includes:
an information detecting unit (not shown) for detecting, according to the network parameters, whether pre-stored credential information matching the network parameters exists in the cache, after the network request is received and before the request generating unit 1101 generates the credential request corresponding to the network request;
the request generating unit 1101 being specifically configured to generate the credential request corresponding to the network request when the information detecting unit detects that no such pre-stored credential information exists in the cache.
Therefore, by implementing this optional embodiment, the credential information does not have to be requested from the terminal device again when the same process accesses the same target address and target port; the pre-stored credential information in the cache is reused within the credential's upper-limit usage count and valid time, which improves the utilization of network resources.
In an exemplary embodiment of the present application, if pre-stored credential information exists in the cache, the apparatus further includes:
a validity verifying unit (not shown) for verifying the validity of the credential code in the pre-stored credential information according to the credential upper-limit usage count and the credential valid time in the pre-stored credential information;
and the request sending unit 1104 is further configured to send the network request to the server and receive the request response result fed back by the server for the network request when the validity verifying unit verifies that the credential code is valid.
Therefore, by implementing this optional embodiment, a cached credential is reused only while it is still within its upper-limit usage count and valid time, and a network request is not sent with a credential that is exhausted or expired.
In an exemplary embodiment of the present application, the validity verifying unit verifying the validity of the credential code in the pre-stored credential information according to the credential upper-limit usage count and the credential valid time in the pre-stored credential information includes:
detecting whether the number of times the credential code has been used exceeds the credential upper-limit usage count, and detecting whether the current time exceeds the credential valid time;
and if the number of uses does not exceed the credential upper-limit usage count and the current time does not exceed the credential valid time, determining that the credential code is valid.
Therefore, by implementing this optional embodiment, the credential information is used as fully as its upper-limit usage count and valid time allow, which further improves the utilization of network resources.
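The cache lookup and the validity check of the three embodiments above, as an added example in Python that is not part of the patent. The cache is keyed by the network parameters the patent names (process code, source and destination domain and port, protocol type); the field names, the epoch-seconds representation of the valid time, the reading that a credential with an upper limit of N may be presented N times, and the injected clock are assumptions of this example. An exhausted or expired entry is purged so the next lookup falls through to a fresh credential request rather than reusing stale information.

```python
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional


@dataclass(frozen=True)
class NetworkParams:
    """Network parameters of a request; field names are assumptions of this example."""
    process_code: int
    src_domain: str
    src_port: int
    dst_domain: str
    dst_port: int
    protocol: str


@dataclass
class CachedCredential:
    credential_code: str
    max_uses: int        # credential upper-limit usage count
    valid_until: float   # credential valid time, as epoch seconds (assumed representation)
    used: int = 0


class CredentialCache:
    """Pre-stored credential information keyed by network parameters."""

    def __init__(self, clock: Callable[[], float] = time.time):
        self._clock = clock  # injected so expiry can be tested deterministically
        self._entries: Dict[NetworkParams, CachedCredential] = {}

    def store(self, params: NetworkParams, cred: CachedCredential) -> None:
        self._entries[params] = cred

    @staticmethod
    def is_valid(cred: CachedCredential, now: float) -> bool:
        # Both limits must hold: a credential with max_uses N may be presented
        # N times (assumed reading of "does not exceed"), and only until valid_until.
        return cred.used < cred.max_uses and now <= cred.valid_until

    def acquire(self, params: NetworkParams) -> Optional[str]:
        """Return a credential code for params and consume one use, or None.

        An exhausted or expired entry is purged so the next lookup triggers a
        fresh credential request instead of reusing stale information.
        """
        cred = self._entries.get(params)
        if cred is None:
            return None
        if not self.is_valid(cred, self._clock()):
            del self._entries[params]
            return None
        cred.used += 1
        return cred.credential_code

    def get_credential(self, params: NetworkParams,
                       request_fn: Callable[[NetworkParams], CachedCredential]) -> str:
        """Reuse the cache when possible, otherwise generate a credential request."""
        code = self.acquire(params)
        if code is not None:
            return code
        self.store(params, request_fn(params))
        code = self.acquire(params)
        if code is None:
            raise RuntimeError("terminal device returned an already unusable credential")
        return code


if __name__ == "__main__":
    # Constructed sample: one process talking to one target, credential good for 2 uses.
    params = NetworkParams(4242, "localhost", 51000, "app.example.internal", 443, "tcp")
    cache = CredentialCache()
    issued = lambda p: CachedCredential("demo-code", max_uses=2, valid_until=time.time() + 60)
    print([cache.get_credential(params, issued) for _ in range(3)])
```

`request_fn` stands for the whole credential request round trip to the terminal device; it is called only when the cache has nothing usable, which is the behaviour the information detecting unit and the request generating unit implement together.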
In an exemplary embodiment of the present application, the apparatus further includes:
a creating unit (not shown) for creating the buffer and at least one data pipe matching the unique identifier before the data processing unit 1102 receives, in real time through the created at least one data receiving pipe, the credential response result fed back by the terminal device;
the data processing unit 1102 being further configured to write the credential request into the buffer, so that the event processing process triggers a data pipe whose load is below a threshold, among the at least one data pipe, to read the request data of the credential request from the buffer and send the request data to the terminal device.
Therefore, by implementing this optional embodiment, a plurality of pipes can be managed by a small number of threads, which improves the processing efficiency when many requests are handled simultaneously. In addition, when a plurality of pipes are started at the same time, data is received through the data pipes whose load is below the threshold, so the load across the pipes is balanced and the request processing efficiency is improved.
In an exemplary embodiment of the present application, the data processing unit 1102 receiving, in real time through the created at least one data receiving pipe, the credential response result fed back by the terminal device includes:
receiving, in real time through a data pipe whose load is below the threshold, the credential response result fed back by the terminal device, and writing the credential response result into the buffer.
Therefore, implementing this alternative embodiment reduces the buffer space occupied by data being read, so as to improve the utilization of storage resources.
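The pipe selection of the two embodiments above, as an added example in Python that is not the patent's code: credential requests are written into a buffer, and an event-processing pass hands each one to a data pipe whose in-flight load is below the threshold, leaving the rest buffered when every pipe is saturated. The pipe objects are an in-memory stand-in for the real transport, and the choice of the least-loaded eligible pipe (rather than any pipe below the threshold) is this example's own policy.

```python
import collections
from typing import Deque, List, Optional, Tuple


class DataPipe:
    """One data pipe between the proxy client and the terminal device.

    `load` counts credential requests written to the pipe whose response has
    not yet been read back into the buffer; `sent` stands in for the transport.
    """

    def __init__(self, name: str):
        self.name = name
        self.load = 0
        self.sent: List[Tuple[bytes, bytes]] = []


class PipeDispatcher:
    def __init__(self, pipe_count: int, load_threshold: int):
        if pipe_count < 1 or load_threshold < 1:
            raise ValueError("need at least one pipe and a positive threshold")
        self.pipes = [DataPipe(f"pipe-{i}") for i in range(pipe_count)]
        self.threshold = load_threshold
        self.buffer: Deque[Tuple[bytes, bytes]] = collections.deque()

    def submit(self, request_id: bytes, request_data: bytes) -> None:
        """The data processing unit writes the credential request into the buffer."""
        self.buffer.append((request_id, request_data))

    def pick_pipe(self) -> Optional[DataPipe]:
        """Least-loaded pipe whose load is below the threshold, or None when all are saturated."""
        candidates = [p for p in self.pipes if p.load < self.threshold]
        if not candidates:
            return None
        return min(candidates, key=lambda p: p.load)

    def drain(self) -> int:
        """One pass of the event-processing process.

        Moves buffered requests onto pipes with spare capacity and returns how
        many were dispatched. Whatever is left stays buffered until a response
        frees a slot, which is the back-pressure behaviour when every pipe sits
        at the threshold.
        """
        dispatched = 0
        while self.buffer:
            pipe = self.pick_pipe()
            if pipe is None:
                break
            request = self.buffer.popleft()
            pipe.load += 1
            pipe.sent.append(request)
            dispatched += 1
        return dispatched

    def complete(self, pipe: DataPipe) -> None:
        """A credential response was read from `pipe` into the buffer; release its slot."""
        if pipe.load == 0:
            raise RuntimeError(f"{pipe.name} reported a response with nothing in flight")
        pipe.load -= 1

    def loads(self) -> List[int]:
        return [p.load for p in self.pipes]


if __name__ == "__main__":
    # Constructed sample: five requests, two pipes, at most two in flight per pipe.
    d = PipeDispatcher(pipe_count=2, load_threshold=2)
    for i in range(5):
        d.submit(bytes([i]) * 16, b"credential request %d" % i)
    print("dispatched", d.drain(), "loads", d.loads(), "buffered", len(d.buffer))
```

Because `drain` stops instead of exceeding the threshold, a burst of requests cannot pile an unbounded number of in-flight credential requests onto one pipe; `complete` is what the pipe reader calls after it has written a credential response into the buffer, and it refuses an underflow so a misbehaving pipe cannot inflate its apparent capacity.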
It should be noted that although the detailed description above mentions several modules or units of the apparatus that perform the actions, this division is not mandatory. Indeed, according to embodiments of the application, the features and functions of two or more of the modules or units described above may be embodied in one module or unit; conversely, the features and functions of one module or unit described above may be further divided among a plurality of modules or units.
For details not disclosed in the apparatus embodiments of the present application, refer to the embodiments of the request response method described above, because each functional module of the request response apparatus in the exemplary embodiments corresponds to a step of the exemplary request response method.
Referring to fig. 12-17, which schematically illustrate the user interface of a terminal device according to an embodiment of the present application. As shown in fig. 12, a user may configure trusted applications and group the configured trusted applications through that interface, and may also configure access objects (e.g., a business system); this is not limited in the embodiments of the present application.
As shown in fig. 13, for the specific configuration of a business system, an interface 1301 or an interface 1302 may be presented: interface 1301 includes configuration regions for the business system address, category, IP and port, and interface 1302 includes configuration regions for the business system address, category, domain name and port. The user may configure a business system through either interface 1301 or interface 1302.
As shown in fig. 14, the same user may create multiple usernames, and different usernames may correspond to different trusted application and business system configurations.
As shown in fig. 15, after the user completes the configuration of trusted applications and business systems, the user may enter a user interface displaying a login entry; this interface may display a two-dimensional code for login, and the user logs in to a registered account by scanning it.
As shown in fig. 16, after the user has logged in successfully, a popup window may appear in the user interface of fig. 15 prompting the user that files, components and data are being protected in real time, so that the security of network requests initiated by the user in the current environment can be guaranteed.
As shown in fig. 17, after the user has logged in successfully, a popup window may also appear in the user interface of fig. 15 showing the current trusted applications; if all applications are trusted applications, "any application" may be output to indicate this. All the client interfaces shown in fig. 12 to 17 are user interfaces of a zero trust network security provider (iOA), and iOA is a zero trust network data management system.
As another aspect, the present application also provides a computer-readable medium, which may be contained in the electronic device described in the above embodiments; or may exist separately without being assembled into the electronic device. The computer readable medium carries one or more programs which, when executed by an electronic device, cause the electronic device to implement the method described in the above embodiments.
It should be noted that the computer readable medium shown in the present application may be a computer readable signal medium or a computer readable storage medium or any combination of the two. A computer readable storage medium may be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any combination of the foregoing. More specific examples of the computer readable storage medium may include, but are not limited to: an electrical connection having one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the present application, a computer readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device. In this application, however, a computer readable signal medium may include a propagated data signal with computer readable program code embodied therein, for example, in baseband or as part of a carrier wave. Such a propagated data signal may take many forms, including, but not limited to, electro-magnetic, optical, or any suitable combination thereof. A computer readable signal medium may also be any computer readable medium that is not a computer readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device. Program code embodied on a computer readable medium may be transmitted using any appropriate medium, including but not limited to: wireless, wire, fiber optic cable, RF, etc., or any suitable combination of the foregoing.
The flowchart and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present application. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams or flowchart illustration, and combinations of blocks in the block diagrams or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
The units described in the embodiments of the present application may be implemented by software or by hardware, and the described units may also be disposed in a processor. The names of these units do not in any way limit the units themselves.
Other embodiments of the present application will be apparent to those skilled in the art from consideration of the specification and practice of the invention disclosed herein. This application is intended to cover any variations, uses, or adaptations of the invention following, in general, the principles of the application and including such departures from the present disclosure as come within known or customary practice within the art to which the invention pertains. It is intended that the specification and examples be considered as exemplary only, with a true scope and spirit of the application being indicated by the following claims.
It will be understood that the present application is not limited to the precise arrangements described above and shown in the drawings and that various modifications and changes may be made without departing from the scope thereof. The scope of the application is limited only by the appended claims.

Claims (15)

1. A request response method, comprising:
generating a credential request corresponding to a network request, and sending the credential request to a terminal device, the credential request comprising a unique identifier corresponding to the network request;
receiving, in real time through at least one created data receiving pipe, a credential response result fed back by the terminal device, and, when it is monitored that the credential response result has reached a buffer, extracting the credential response result and comparing it with the unique identifier, wherein the buffer corresponds to the data receiving pipe;
if the comparison shows that the credential response result matches the unique identifier, extracting credential information from the credential response result;
sending the credential information and the network request to an access gateway, so that the access gateway forwards the network request to a server when it verifies that the credential information is valid;
and receiving a request response result fed back by the server for the network request.
2. The method of claim 1, wherein generating the credential request corresponding to the network request comprises:
generating the unique identifier and acquiring network parameters corresponding to the network request;
and generating the credential request according to the unique identifier and the network parameters;
wherein the network parameters include at least one of a process code of the process that initiated the network request, a source domain name, a source port, a destination domain name, a destination port and a protocol type.
3. The method of claim 2, wherein after sending the credential request to the terminal device, the method further comprises:
the terminal device acquiring process parameters corresponding to the process code;
the terminal device generating a data acquisition request according to the process parameters and the credential request and sending the data acquisition request to a target server, so that the target server generates the credential information in response to the data acquisition request;
the terminal device receiving the credential information fed back by the target server;
and the terminal device generating the credential response result containing the credential information.
4. The method of claim 1, wherein the access gateway forwarding the network request to the server when it verifies that the credential information is valid further comprises:
the access gateway generating a verification request containing the credential information;
and the access gateway sending the verification request to a target server, so that the target server verifies the validity of the credential information and feeds the verification result back to the access gateway.
5. The method of claim 1, wherein extracting the credential response result and comparing it with the unique identifier comprises:
parsing the credential response result into a byte stream;
intercepting summary information from the byte stream according to a preset summary length;
extracting an identifier from the summary information and comparing the identifier with the unique identifier;
and if the comparison shows that the identifier is consistent with the unique identifier, determining that the credential response result matches the unique identifier.
6. The method of claim 5, wherein extracting the credential information from the credential response result comprises:
intercepting response content from the credential response result according to the field of the summary information that expresses the content length;
and extracting the credential information from the response content.
7. The method of claim 2, further comprising:
the terminal device determining an absolute path of the access process that initiated the network request according to the process code;
and if the absolute path is detected to be valid, the terminal device establishing a connection with a proxy client so as to receive the credential request sent by the proxy client.
8. The method of claim 2, wherein before generating the credential request corresponding to the network request, the method further comprises:
after the network request is received, detecting, according to the network parameters, whether pre-stored credential information matching the network parameters exists in a cache;
and if not, performing the step of generating the credential request corresponding to the network request.
9. The method of claim 8, wherein if the pre-stored credential information exists in the cache, the method further comprises:
verifying the validity of a credential code in the pre-stored credential information according to a credential upper-limit usage count and a credential valid time in the pre-stored credential information;
and if the credential code is valid, sending the network request to the server and receiving the request response result fed back by the server for the network request.
10. The method of claim 9, wherein verifying the validity of the credential code in the pre-stored credential information according to the credential upper-limit usage count and the credential valid time in the pre-stored credential information comprises:
detecting whether the number of times the credential code has been used exceeds the credential upper-limit usage count, and detecting whether the current time exceeds the credential valid time;
and if the number of uses does not exceed the credential upper-limit usage count and the current time does not exceed the credential valid time, determining that the credential code is valid.
11. The method of claim 1, wherein before receiving, in real time through the created at least one data receiving pipe, the credential response result fed back by the terminal device, the method further comprises:
creating the buffer and the at least one data receiving pipe matching the unique identifier;
and writing the credential request into the buffer, so that an event processing process triggers a data receiving pipe whose load is below a threshold, among the at least one data receiving pipe, to read the request data of the credential request from the buffer and send the request data to the terminal device.
12. The method of claim 11, wherein receiving, in real time through the created at least one data receiving pipe, the credential response result fed back by the terminal device comprises:
receiving, in real time through the data receiving pipe whose load is below the threshold, the credential response result fed back by the terminal device, and writing the credential response result into the buffer.
13. A request response apparatus, comprising:
a request generating unit, configured to generate a credential request corresponding to a network request and send the credential request to a terminal device, the credential request comprising a unique identifier corresponding to the network request;
an information extracting unit, configured to extract credential information from a credential response result when a credential response result fed back by the terminal device and matching the unique identifier is received;
a request sending unit, configured to send the credential information and the network request to an access gateway, so that the access gateway forwards the network request to a server when it verifies that the credential information is valid;
and a response result receiving unit, configured to receive a request response result fed back by the server for the network request.
14. A computer-readable storage medium, on which a computer program is stored, which, when being executed by a processor, carries out the method of any one of claims 1-12.
15. An electronic device, comprising:
a processor; and
a memory for storing executable instructions of the processor;
wherein the processor is configured to perform the method of any of claims 1-12 via execution of the executable instructions.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110122645.2A CN112511565B (en) 2021-01-29 2021-01-29 Request response method and device, computer readable storage medium and electronic equipment

Publications (2)

Publication Number Publication Date
CN112511565A CN112511565A (en) 2021-03-16
CN112511565B true CN112511565B (en) 2021-05-11

Family

ID=74953078

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110122645.2A Active CN112511565B (en) 2021-01-29 2021-01-29 Request response method and device, computer readable storage medium and electronic equipment

Country Status (1)

Country Link
CN (1) CN112511565B (en)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109062690A (en) * 2018-07-18 2018-12-21 郑州云海信息技术有限公司 A kind of request responding method, server, medium and system
CN111355765A (en) * 2018-12-21 2020-06-30 北京金山云网络技术有限公司 Network request processing and sending method and device
CN112235277A (en) * 2020-10-09 2021-01-15 北京达佳互联信息技术有限公司 Resource request method, resource response method and related equipment

Family Cites Families (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10157269B2 (en) * 2010-05-06 2018-12-18 John K. Thomas Verification system for secure transmission in a distributed processing network
CN102647461B (en) * 2012-03-29 2016-05-04 北京奇虎科技有限公司 Communication means based on HTTP, server, terminal
CN110874790A (en) * 2019-11-12 2020-03-10 望海康信(北京)科技股份公司 Certificate association management method and device
CN111431966B (en) * 2020-02-21 2022-12-13 视联动力信息技术股份有限公司 Service request processing method and device, electronic equipment and storage medium
CN111935169B (en) * 2020-08-20 2021-10-26 腾讯云计算(北京)有限责任公司 Business data access method, device, equipment and storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
REG Reference to a national code
Ref country code: HK
Ref legal event code: DE
Ref document number: 40041360
Country of ref document: HK