CN112866217A - Micro-application access authority control method and device based on token authentication - Google Patents


Info

Publication number: CN112866217A
Authority: CN (China)
Prior art keywords: micro, token, micro application, authorization, application
Legal status: Granted (status as listed by Google Patents; not a legal conclusion)
Application number: CN202110008271.1A
Other languages: Chinese (zh)
Other versions: CN112866217B (en)
Inventors: 刘闯, 刘雷, 郭志军, 周琪, 汪涛, 周斌, 白川
Current assignee: Bank of Communications Co Ltd
Original assignee: Bank of Communications Co Ltd
Priority date: 2021-01-05
Filing date: 2021-01-05
Publication date: 2021-05-28
Application filed by: Bank of Communications Co Ltd
Priority to: CN202110008271.1A
Publication of: CN112866217A
Application granted; publication of: CN112866217B (2022-12-09)
Legal status: Active

Classifications

    • H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities (H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L 63/00 Network architectures or network communication protocols for network security)
    • G06F 21/33 User authentication using certificates (G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING > G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity > G06F 21/30 Authentication, i.e. establishing the identity or authorisation of security principals > G06F 21/31 User authentication)
    • G06F 21/44 Program or device authentication (G06F 21/00 > G06F 21/30 Authentication, i.e. establishing the identity or authorisation of security principals)
    • G06F 21/45 Structures or tools for the administration of authentication (G06F 21/00 > G06F 21/30 Authentication, i.e. establishing the identity or authorisation of security principals)
    • H04L 63/0236 Filtering by address, protocol, port number or service, e.g. IP-address or URL (H04L 63/00 Network architectures or network communication protocols for network security > H04L 63/02 Separating internal from external traffic, e.g. firewalls > H04L 63/0227 Filtering policies)
    • G06F 2221/2141 Access rights, e.g. capability lists, access control lists, access tables, access matrices (G06F 2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity > G06F 2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements)

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Theoretical Computer Science (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • General Physics & Mathematics (AREA)
  • Physics & Mathematics (AREA)
  • Software Systems (AREA)
  • Computing Systems (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Storage Device Security (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention relates to a method and a device for controlling micro-application access authority based on token authentication, used to control the access authorization of micro-applications in a distributed system. It comprises three modes. Black-and-white list authorization mode: the service party's micro application gateway verifies the requester against a blacklist and a whitelist. External token authorization mode: the service-side micro application gateway verifies the requester's authorization token. Request relationship authorization mode between micro applications: the service-side micro application gateway verifies the requester's interface process request. In any mode, once verification passes, the service-side micro application gateway carries the corresponding micro application token to perform micro application access authorization within the system. Compared with the prior art, the invention is not limited by network isolation and does not add transaction loss caused by access authorization verification.

Description

Micro-application access authority control method and device based on token authentication
Technical Field
The invention relates to a method for controlling micro-application access authority, in particular to a method and a device for controlling micro-application access authority based on token authentication.
Background
Under a distributed architecture, a micro-service with one or more groups of interface method sets is called a micro-application here, because micro-services differ in size and scale, and the micro-service concept is understood in many different ways and is easily confused.
Access authority control for micro applications under the existing distributed architecture takes two forms. First, control through network isolation: a set of distributed-architecture applications is deployed within one network, access within that network needs no authorization, and an external request can reach the applications only if the network is opened to it. Second, a key encryption mode: for each access request, the requester encrypts and authenticates with its stored key, the result is sent to the service party, which decrypts it and verifies the identity information, and access is allowed only after this authentication passes. Although network isolation limits external access through the network, access within the same network is unrestricted, and the method couples the applications to the underlying network. The key encryption mode requires the requester to encrypt every transaction it sends and the service party to decrypt and verify every transaction it receives, which costs transaction performance.
Disclosure of Invention
The invention aims to overcome the defects of the prior art and provide a method and a device for controlling the access authority of a micro application based on token authentication.
The purpose of the invention is realized by the following technical scheme:
a micro application access authority control method based on token authentication, used for controlling access authorization of micro applications in a distributed system, comprising the following modes:
black and white list authorization mode: used in the scenario where the requester is a foreground or non-micro application with a fixed IP and the server is a micro application; the micro application gateway receiving the access request verifies the requester against the black and white list;
external token authorization mode: used in the scenario where the requester is a foreground or non-micro application with a non-fixed IP and the server is a micro application; the micro application gateway receiving the access request verifies the requester's authorization token;
request relationship authorization mode between micro applications: used in the scenario where the requester and the server are micro applications belonging to two different systems; the micro application gateway receiving the access request verifies the requester's interface process request;
in any mode, once verification passes, the micro application gateway receiving the access request carries the corresponding micro application token to perform micro application access authorization within the system.
Preferably, the black-and-white list verification specifically comprises: the micro application gateway receiving the access request obtains the requester's IP carried in the requester's access request and performs whitelist verification on that IP; if verification passes, the micro application gateway authorization is obtained.
Preferably, the whitelist verification of the requester's IP is performed as follows: the micro application gateway checks whether the requester's IP exists in a whitelist configured in advance in an external micro application management platform; if so, verification passes.
Preferably, the verification of the authorization token specifically comprises: the micro application gateway receiving the access request obtains the encrypted external authorization token carried in the requester's access request, decrypts and verifies it, and if the external authorization token passes verification, the micro application gateway authorization is obtained.
Preferably, the external authorization token includes a system-level authorization token, a micro application-level authorization token, and a micro application interface method-level authorization token.
Preferably, the external authorization token is obtained by the requester through a request to the external micro application management platform.
Preferably, the micro application token is read from a token center by the micro application gateway and the micro applications in each system.
Preferably, the micro application token is updated periodically.
Preferably, the interface process request verification specifically comprises: the micro application gateway receiving the access request obtains the micro application name and interface name carried in the requester's access request, and verifies them against the access relation to the server-side interface that the requester applied for in the external micro application management platform; if verification passes, the micro application gateway authorization is obtained.
The device comprises a memory and a processor, wherein the memory stores a computer program and the processor calls the computer program to execute the above micro-application access authority control method based on token authentication, realizing access authorization control of micro-applications in a distributed system.
Compared with the prior art, the invention has the following advantages:
the invention provides authority control for micro application access under a distributed architecture and designs access authority control methods for three modes: access authority control is realized within the distributed architecture framework without being limited by network isolation, and no additional transaction loss is incurred by access authorization verification.
Drawings
Fig. 1 is a flow chart of a method for controlling access rights of a micro application based on token authentication according to the present invention.
Detailed Description
The invention is described in detail below with reference to the figures and specific embodiments. Note that the following description of the embodiments is merely an illustrative example; the present invention is not intended to be limited to this application or use, nor to the following embodiments.
Example 1
This embodiment provides a micro-application access authority control method based on token authentication, used for controlling the access authorization of micro-applications in a distributed system, comprising the following three modes:
Mode one,
Black and white list authorization mode: used in the scenario where the requester is a foreground or non-micro application with a fixed IP and the server is a micro application; the micro application gateway receiving the access request verifies the requester against the black and white list;
the black and white list verification specifically comprises the following steps: the micro application gateway receiving the access request obtains the requester's IP carried in the requester's access request and performs whitelist verification on that IP; if verification passes, the micro application gateway authorization is obtained. The whitelist verification of the requester's IP is performed as follows: the micro application gateway checks whether the requester's IP exists in a whitelist configured in advance in an external micro application management platform; if so, verification passes.
Mode two,
External token authorization mode: used in the scenario where the requester is a foreground or non-micro application with a non-fixed IP and the server is a micro application; the micro application gateway receiving the access request verifies the requester's authorization token;
the verification of the authorization token specifically comprises: the micro application gateway receiving the access request obtains the encrypted external authorization token carried in the requester's access request, decrypts and verifies it, and if the external authorization token passes verification, the micro application gateway authorization is obtained. The encryption and decryption use a customized JWT encryption and decryption scheme. The external authorization token comprises a system-level authorization token, a micro application-level authorization token and a micro application interface method-level authorization token, which authorize the whole system, a particular micro application, and particular sets of micro application interfaces respectively. The external authorization token is obtained by the requester through a request to the external micro application management platform.
Mode three,
Request relationship authorization mode between micro applications: used in the scenario where the requester and the server are micro applications belonging to two different systems; the micro application gateway receiving the access request verifies the requester's interface process request;
the interface process request verification specifically comprises the following steps: the micro application gateway receiving the access request obtains the micro application name and interface name carried in the requester's access request, and verifies them against the access relation to the server-side interface that the requester applied for in the external micro application management platform; if verification passes, the micro application gateway authorization is obtained.
In any of the above modes, once verification passes, the micro application gateway receiving the access request carries the corresponding micro application token to perform micro application access authorization within the system. The micro application token is read from the token center by the micro application gateway and the micro applications in each system, and it is updated at regular intervals, so the micro application gateway and the micro applications re-read the micro application token at regular intervals.
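The following is an added example (not the patent's own code) that implements, in one small gateway, the three modes described in the technical scheme above and in Example 1: whitelist verification of a fixed-IP requester, verification of an external authorization token at system, micro application and interface method level, and verification of the request relationship between micro applications of two systems, followed by handing out the system's micro application token. The patent does not specify the token format, so the external token is assumed here to be an HS256-signed JWT; the external micro application management platform and the token center are stood in for by constructed in-memory dicts, and routing a request to a mode by the credential it carries is likewise an assumption.

```python
"""Added example: a micro application gateway with the three authorization modes.
Assumptions (not from the patent): HS256 JWT external token, in-memory stand-ins
for the management platform and token center, mode chosen by credential present."""
import base64
import hashlib
import hmac
import json
from dataclasses import dataclass
from typing import Optional

# Constructed configuration standing in for the external management platform.
EXTERNAL_KEY = b"constructed-demo-key-do-not-reuse"   # shared by platform and gateway (assumed)
PLATFORM = {
    "blacklist": {"10.0.0.9"},                          # blacklist wins over whitelist
    "whitelist": {"10.0.0.5", "10.0.0.6", "10.0.0.9"},
    # requester micro application -> (server app, interface) pairs it applied for
    "access_relations": {"sysA.app2": {("sysB.app3", "queryBalance")}},
}
# Constructed token center: one micro application token per service system.
TOKEN_CENTER = {"sysA": "tokA-constructed", "sysB": "tokB-constructed"}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_external_token(claims: dict, key: bytes = EXTERNAL_KEY) -> str:
    """What the management platform hands a requester (assumed HS256 JWT)."""
    head = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64url(sig)}"


def verify_external_token(token: str, now: int, key: bytes = EXTERNAL_KEY) -> Optional[dict]:
    """Return the claims if algorithm, signature and expiry check out, else None."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    head, body, sig = parts
    try:
        header = json.loads(_unb64url(head))
        if not isinstance(header, dict) or header.get("alg") != "HS256":
            return None                                  # never trust the header's alg
        expected = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64url(sig)):
            return None
        claims = json.loads(_unb64url(body))
    except (ValueError, UnicodeDecodeError):
        return None
    if not isinstance(claims, dict) or not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        return None
    return claims


@dataclass
class AccessRequest:
    system: str                 # service system whose gateway receives the request
    target_app: str             # e.g. "sysA.app1"
    interface: str              # interface method name
    source_ip: str = ""         # mode one: requester with a fixed IP
    external_token: str = ""    # mode two: requester with a non-fixed IP
    requester_app: str = ""     # mode three: requester is a micro application of another system


def verify_black_white_list(req: AccessRequest, platform=PLATFORM) -> bool:
    if req.source_ip in platform["blacklist"]:
        return False
    return req.source_ip in platform["whitelist"]


def verify_authorization_token(req: AccessRequest, now: int, key: bytes = EXTERNAL_KEY) -> bool:
    claims = verify_external_token(req.external_token, now, key)
    if claims is None:
        return False
    level = claims.get("level")
    if level == "system":                                # authorizes the whole system
        return claims.get("system") == req.system
    if level == "app":                                   # authorizes one micro application
        return claims.get("app") == req.target_app
    if level == "method":                                # authorizes a set of interface methods
        methods = claims.get("methods")
        return claims.get("app") == req.target_app and isinstance(methods, list) and req.interface in methods
    return False


def verify_request_relation(req: AccessRequest, platform=PLATFORM) -> bool:
    allowed = platform["access_relations"].get(req.requester_app, set())
    return (req.target_app, req.interface) in allowed


def gateway_authorize(req: AccessRequest, now: int, platform=PLATFORM,
                      key: bytes = EXTERNAL_KEY, token_center=TOKEN_CENTER) -> Optional[str]:
    """Return this system's micro application token to carry onward, or None if rejected."""
    if not req.target_app.startswith(req.system + "."):  # gateway only authorizes its own system
        return None
    if req.requester_app:
        ok = verify_request_relation(req, platform)
    elif req.external_token:
        ok = verify_authorization_token(req, now, key)
    else:
        ok = verify_black_white_list(req, platform)
    return token_center.get(req.system) if ok else None
```

Each mode returns only the system's own micro application token, so an external caller never obtains a token for a system whose gateway it did not pass; the verifier also pins the JWT algorithm rather than reading it from the header, and a method-level token is checked against the exact interface named in the request.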
As shown in fig. 1, two service systems are taken as an example to illustrate a specific implementation of the token authentication-based micro application access right control method of the present invention: service system A and service system B, where service system A includes micro application 1 and micro application 2, and service system B includes micro application 3.
An external request (a non-micro application) is authorized either by a configured black and white list or by carrying a JWT-encrypted external authorization token, and is sent to the micro application gateway of service system A. After the gateway of service system A passes verification, the request is sent, carrying the micro application token of service system A, to micro application 1 within that system; after micro application 1 passes verification, the request is sent, carrying the micro application token of service system A, to micro application 2. Micro application 2 has applied for an interface of system B and holds the request authority, so the request is sent to the system B gateway; after the system B gateway verifies the request relationship, the request carries the system B token and is sent to micro application 1 of system B.
In the figure, the label "1, black and white list/authorization token" represents the black and white list authorization mode and the external token authorization mode; which of the two applies depends on whether the IP of the external browser/terminal is fixed: if the IP is fixed, the black and white list authorization mode is used, otherwise the external token authorization mode is used. The label "4, application request relation" represents the request relationship authorization mode between micro applications, used for access authorization between micro applications of service system A and service system B, which belong to different networks. The labels "2, carrying micro application token" and "3, carrying micro application token" mean that, once the micro application gateway authorization has been obtained in service system A, the micro application token of service system A is used for access authorization of micro applications within that system; the label "5, carrying micro application token" means that, once the micro application gateway authorization has been obtained in service system B, the micro application token of service system B is used for access authorization of micro applications within that system.
The invention provides authority control for micro application access under a distributed architecture and designs access authority control methods for three modes: access authority control is realized within the distributed architecture framework without being limited by network isolation, and no additional transaction loss is incurred by access authorization verification.
Example 2
This embodiment provides a micro-application access right control device based on token authentication, comprising a memory and a processor, wherein the memory stores a computer program and the processor calls the computer program to execute the micro-application access right control method based on token authentication, realizing access authorization control of micro-applications in a distributed system. The method is the same as in embodiment 1 and is not described again here.
The above embodiments are merely examples and do not limit the scope of the present invention. These embodiments may be implemented in various other ways, and omissions, substitutions and changes may be made without departing from the technical spirit of the present invention.

Claims (10)

1. A micro application access authority control method based on token authentication, used for access authorization control of micro applications in a distributed system, comprising the following modes:
black and white list authorization mode: used in the scenario where the requester is a foreground or non-micro application with a fixed IP and the server is a micro application; the micro application gateway receiving the access request verifies the requester against the black and white list;
external token authorization mode: used in the scenario where the requester is a foreground or non-micro application with a non-fixed IP and the server is a micro application; the micro application gateway receiving the access request verifies the requester's authorization token;
request relationship authorization mode between micro applications: used in the scenario where the requester and the server are micro applications belonging to two different systems; the micro application gateway receiving the access request verifies the requester's interface process request;
in any mode, once verification passes, the micro application gateway receiving the access request carries the corresponding micro application token to perform micro application access authorization within the system.
2. The method for controlling micro application access authority based on token authentication according to claim 1, wherein the black and white list verification specifically comprises: the micro application gateway receiving the access request obtains the requester's IP carried in the requester's access request and performs whitelist verification on that IP; if verification passes, the micro application gateway authorization is obtained.
3. The method for controlling micro application access authority based on token authentication according to claim 2, wherein the whitelist verification of the requester's IP is performed as follows: the micro application gateway checks whether the requester's IP exists in a whitelist configured in advance in an external micro application management platform; if so, verification passes.
4. The method for controlling micro application access authority based on token authentication according to claim 1, wherein the verification of the authorization token specifically comprises: the micro application gateway receiving the access request obtains the encrypted external authorization token carried in the requester's access request, decrypts and verifies it, and if the external authorization token passes verification, the micro application gateway authorization is obtained.
5. The method according to claim 4, wherein the external authorization token comprises a system-level authorization token, a micro application-level authorization token, and a micro application interface method-level authorization token.
6. The method for controlling micro application access authority based on token authentication according to claim 4, wherein the external authorization token is obtained by the requester through a request to the external micro application management platform.
7. The method according to claim 1, wherein the micro application token is read from a token center by the micro application gateway and the micro applications in each system.
8. The method according to claim 7, wherein the micro application token is updated periodically.
9. The method for controlling micro application access authority based on token authentication according to claim 1, wherein the interface process request verification specifically comprises: the micro application gateway receiving the access request obtains the micro application name and interface name carried in the requester's access request, and verifies them against the access relation to the server-side interface that the requester applied for in the external micro application management platform; if verification passes, the micro application gateway authorization is obtained.
10. A micro application access right control device based on token authentication, comprising a memory and a processor, wherein the memory stores a computer program and the processor calls the computer program to execute the micro application access right control method based on token authentication according to any one of claims 1 to 9, realizing access authorization control of micro applications in a distributed system.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110008271.1A CN112866217B (en) 2021-01-05 2021-01-05 Micro application access authority control method and device based on token authentication

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202110008271.1A CN112866217B (en) 2021-01-05 2021-01-05 Micro application access authority control method and device based on token authentication

Publications (2)

Publication Number Publication Date
CN112866217A true CN112866217A (en) 2021-05-28
CN112866217B CN112866217B (en) 2022-12-09

Family

ID=76003867

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110008271.1A Active CN112866217B (en) 2021-01-05 2021-01-05 Micro application access authority control method and device based on token authentication

Country Status (1)

Country Link
CN (1) CN112866217B (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113382017A (en) * 2021-06-29 2021-09-10 深圳壹账通智能科技有限公司 Permission control method and device based on white list, electronic equipment and storage medium
CN113625654A (en) * 2021-08-13 2021-11-09 杭州航民达美染整有限公司 Industrial equipment remote control method and device based on PLC

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107528853A (en) * 2017-09-12 2017-12-29 上海艾融软件股份有限公司 The implementation method of micro services control of authority
CN110086822A (en) * 2019-05-07 2019-08-02 北京智芯微电子科技有限公司 The realization method and system of unified identity authentication strategy towards micro services framework
US20200272912A1 (en) * 2019-02-27 2020-08-27 Hcl Technologies Limited System for allowing a secure access to a microservice
CN111786998A (en) * 2020-06-30 2020-10-16 成都新潮传媒集团有限公司 Authority management method and device based on micro-service calling and storage medium
CN112039909A (en) * 2020-09-03 2020-12-04 平安科技(深圳)有限公司 Authentication method, device, equipment and storage medium based on unified gateway
CN112149079A (en) * 2020-10-22 2020-12-29 国网冀北电力有限公司经济技术研究院 Planning review management platform based on micro-service architecture and user access authorization method


Also Published As

Publication number Publication date
CN112866217B (en) 2022-12-09


Legal Events

Code Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant