CN112910915A - Trusted connection authentication method, device, equipment and computer readable storage medium - Google Patents
- Publication number
- CN112910915A
- Authority
- CN
- China
- Prior art keywords
- service
- message data
- access token
- token
- application server
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/0807—Network architectures or network communication protocols for network security for authentication of entities using tickets, e.g. Kerberos
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/0884—Network architectures or network communication protocols for network security for authentication of entities by delegation of authentication, e.g. a proxy authenticates an entity to be authenticated on behalf of this entity vis-à-vis an authentication entity
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/30—Network architectures or network communication protocols for network security for supporting lawful interception, monitoring or retaining of communications or communication related information
- H04L63/306—Network architectures or network communication protocols for network security for supporting lawful interception, monitoring or retaining of communications or communication related information intercepting packet switched data communications, e.g. Web, Internet or IMS communications
Abstract
Embodiments of the present disclosure provide trusted connection authentication methods, apparatuses, devices, and computer-readable storage media. In the method, an application client sends message data to an application server; a proxy service, deployed on the client side, intercepts the message data, adds an access token to it, and forwards it to the application server; a gateway service, deployed on the service side, intercepts the message data sent to the application server, extracts the access token from the intercepted message data, and verifies it; if the verification passes, the intercepted message data is sent to the application server. In this way, a message frame that does not carry the correct token is discarded, and the effect presented to the client is that the service address and port do not exist. An attacker therefore cannot determine whether the service exists and cannot launch an attack, which achieves the purpose of protecting the service.
Description
Technical Field
Embodiments of the present disclosure relate generally to the field of network security and, more particularly, to trusted connection authentication methods, apparatuses, devices, and computer-readable storage media.
Background
In a trusted connection over a TCP (Transmission Control Protocol) channel, authentication between client and server generally uses the user identity as the main means of authentication, typically based on an account and password or a digital certificate. Before trusted access is established, the service port of the server may remain open at all times; after the client connects to the server, it sends authentication information to the server, resources can be accessed once authentication passes, and the connection is closed if authentication fails.
In this conventional mode the service port is always exposed, so an attacker can scan for the port and attack it, most commonly with a DDoS (distributed denial-of-service) attack, with the result that users cannot access resources normally.
In addition, in the currently popular Web (World Wide Web) API (Application Programming Interface) mode based on HTTP (Hypertext Transfer Protocol), an access token is usually placed in each protocol message for authentication by the server. An attacker can therefore forge or counterfeit an identity to acquire resources; typically, a crawler-type program acquires a large amount of resources from a server, occupying a large amount of server resources and affecting resource access by normal users.
Disclosure of Invention
According to an embodiment of the present disclosure, a trusted connection authentication scheme is provided.
In a first aspect of the disclosure, a trusted connection authentication method is provided. The method comprises the following steps: an application client sends message data to an application server; a proxy service, deployed on the client side, intercepts the message data, adds an access token to the message data, and forwards the message data to the application server; a gateway service, deployed on the service side, intercepts the message data sent to the application server, extracts the access token from the intercepted message data, and verifies the access token; if the verification passes, the intercepted message data is sent to the application server.
The foregoing aspects and any possible implementations further provide an implementation, where the access token is generated by an authentication service according to a token acquisition request sent by the proxy service and is sent to the proxy service.
The foregoing aspect and any possible implementation further provide an implementation in which the proxy service intercepting the message data, adding an access token to the message data, and forwarding the message data to the application server includes: determining the service to which the intercepted message data corresponds; determining whether an access token for that service is cached locally; if so, adding the access token to the message data and then forwarding the message data to the application server; if not, sending a token acquisition request to the authentication service so that the authentication service generates an access token according to the token acquisition request and sends the access token to the proxy service.
The above-described aspects and any possible implementations further provide an implementation in which the token acquisition request includes identity information; and the authentication service performs login authentication according to the identity information included in the token acquisition request.
The above-described aspects and any possible implementation further provide an implementation in which the authentication service sends the access token to the gateway service at the same time as, before, or after issuing the access token to the proxy service; the gateway service verifying the access token comprises: determining whether an access token issued by the authentication service that matches the extracted access token is stored locally, and if so, the verification passes.
The above-described aspect and any possible implementation manner further provide an implementation manner, where the access token includes a device identifier and an authentication manner of the application client, and is unique.
The above aspects and any possible implementation further provide an implementation in which the message data is a TCP message; adding an access token to the message data includes: adding the access token to an optional field of the TCP message.
In a second aspect of the disclosure, a trusted connection authentication apparatus is provided. The apparatus comprises: a proxy service, used for intercepting message data sent by an application client, adding an access token to the message data, and then sending the message data to the application server; and a gateway service, used for intercepting the message data sent to the application server, extracting the access token from the intercepted message data, and verifying the access token; if the verification passes, the intercepted message data is sent to the application server.
In a third aspect of the disclosure, an electronic device is provided. The electronic device includes: a memory having a computer program stored thereon and a processor implementing the method as described above when executing the program.
In a fourth aspect of the present disclosure, a computer-readable storage medium is provided, on which a computer program is stored which, when executed by a processor, implements the method according to the first and/or second aspect of the present disclosure.
It should be understood that the statements herein reciting aspects are not intended to limit the critical or essential features of the embodiments of the present disclosure, nor are they intended to limit the scope of the present disclosure. Other features of the present disclosure will become apparent from the following description.
Drawings
The above and other features, advantages and aspects of various embodiments of the present disclosure will become more apparent by referring to the following detailed description when taken in conjunction with the accompanying drawings. In the drawings, like or similar reference characters designate like or similar elements, and wherein:
FIG. 1 illustrates a schematic diagram of an exemplary operating environment in which embodiments of the present disclosure can be implemented;
FIG. 2 is a schematic diagram illustrating a method of interaction between the application client, proxy service, authentication service, gateway service, and application server shown in FIG. 1;
FIG. 3 shows a block diagram of a trusted connection authentication apparatus according to an embodiment of the present disclosure;
FIG. 4 illustrates a block diagram of an exemplary electronic device capable of implementing embodiments of the present disclosure.
Detailed Description
To make the objects, technical solutions and advantages of the embodiments of the present disclosure more clear, the technical solutions of the embodiments of the present disclosure will be described clearly and completely with reference to the drawings in the embodiments of the present disclosure, and it is obvious that the described embodiments are some, but not all embodiments of the present disclosure. All other embodiments, which can be derived by a person skilled in the art from the embodiments disclosed herein without making any creative effort, shall fall within the protection scope of the present disclosure.
In addition, the term "and/or" herein merely describes an association between associated objects and means that three relationships are possible; for example, "A and/or B" may mean: A exists alone, A and B exist simultaneously, or B exists alone. In addition, the character "/" herein generally indicates that the objects before and after it are in an "or" relationship.
In the present disclosure, a unified authentication service is established, a gateway service is deployed on the application server side, and a proxy service is deployed on the application client side. The proxy service first authenticates with the authentication service; after the authentication passes, the authentication service issues the access token to the proxy service and, at the same time, before, or after, sends the access token to the gateway service. The proxy service intercepts message data sent by the application client and adds the access token to it; specifically, the access token is placed in the TCP frame header and the message is then sent to the application server. The gateway service intercepts message data sent to the application server, extracts the access token from the intercepted message data, and verifies it; specifically, it takes the token out of the header of the received TCP frame for verification. The gateway service sends message data that passes verification to the application server and discards message data that fails verification.
FIG. 1 illustrates a schematic diagram of an exemplary operating environment 100 in which embodiments of the present disclosure can be implemented. Included in the runtime environment 100 are an application client 102, a proxy service 104, an authentication service 106, a gateway service 108, and an application server 110.
FIG. 2 shows a schematic diagram of a method 200 of interaction between the application client 102, the proxy service 104, the authentication service 106, the gateway service 108, and the application server 110 shown in FIG. 1.
At block 202, the application client 102 sends message data to the application server 110;
In some embodiments, the message data is a request sent to the application server 110 in order to receive a response from the application server 110; the message data may be an HTTP message, which includes a command and a URL and is transmitted in the form of a TCP message frame.
At block 204, the proxy service 104 intercepts the message data;
In some embodiments, the proxy service 104 is deployed on the application client side and intercepts message data sent by the application client 102.
At block 206, the proxy service 104 identifies from the message data the application service to which the message corresponds, and determines whether an access token for that service is cached locally; if so, jump to block 208; if not, jump to block 218;
In some embodiments, the access token is generated by the authentication service 106 according to the token acquisition request sent by the proxy service 104 and is issued to the proxy service 104; different access tokens may be provided for different application services.
At block 208, the proxy service 104 places the access token in the Options field of the TCP message frame, reassembles the message, and sends the reassembled message to the application server 110;
In some embodiments, the TCP message contains an optional Options field, which is 4-byte aligned and has a maximum length of 40 bytes. An access token may be placed in the Options field without affecting the other fields of the TCP message.
In some embodiments, some protocols or applications may already use the Options field; the original data in the Options field must be preserved when the access token is placed there, so as not to affect that protocol or application.
In some embodiments, an access token may also be added to the context of the message field.
At block 210, the gateway service 108 intercepts the message data sent to the application server 110;
In some embodiments, the gateway service 108 is deployed on the service side.
At block 212, the gateway service 108 extracts the access token from the message data and verifies it; if the verification passes, jump to block 214; if the verification fails, jump to block 216;
In some embodiments, the gateway service 108 determines the service to which the intercepted message data corresponds and determines whether the access token for that service is cached locally; if so, the verification passes, and if not, the verification fails. The access token is sent to the gateway service 108 by the authentication service 106 at the same time as, before, or after it is sent to the proxy service 104.
In some embodiments, the gateway service 108 sends the access token to the authentication service 106 for verification; the authentication service 106 determines whether the application client 102 is an accessible client according to the access token, and sends the determination result to the gateway service 108.
At block 214, the gateway service 108 sends the message to the application server 110;
At block 216, the gateway service 108 discards the message;
At block 218, the proxy service 104 sends a token acquisition request to the authentication service 106;
In some embodiments, the token acquisition request may include identity information configured by the proxy service 104, which the authentication service 106 uses for login authentication; the proxy service 104 obtains the identity information configured for the local proxy and sends a token acquisition request including that identity information to the authentication service 106; the identity information is a device identifier of the application client 102, or an ID of a user logged in to the application client 102.
In some embodiments, the token acquisition request may include a pre-generated signature, and may also include a request timestamp and a device identifier of the application client 102. The device identifier may be a UUID (a device number that uniquely identifies the device).
At block 220, the authentication service 106 generates an access token according to the token acquisition request, and issues the token to the proxy service 104, before/while/after sending the access token to the corresponding gateway service 108.
In some embodiments, the authentication service 106 may be a separately deployed software program/a software and hardware integrated device.
In some embodiments, before the authentication service 106 generates the access token according to the token acquisition request, the method may further include: the authentication service 106 checks the token acquisition request sent by the proxy service 104 against a preset check rule and determines that the request passes the check. The preset check rule may include checking the legality and the validity of the token acquisition request.
In some embodiments, checking the token acquisition request against the preset check rule and determining that it passes may include: determining whether there is a stored record of the identity information, such as the device identifier of the application client 102 or the ID of a user logged in to the application client 102; if so, the token acquisition request is judged valid.
In some embodiments, checking the token acquisition request against the preset check rule and determining that it passes may include: checking the legality of the token acquisition request, for example by parsing the verification in the token acquisition request; if the parsing succeeds, the request is legal, otherwise it is illegal. If the request is legal, its validity is then checked, for example by determining whether there is a stored record associating the request timestamp of the token request from the proxy service 104 with the device identifier: if not, the request is judged invalid; if so, it is determined whether the request timestamp has expired; if it has expired, the request is judged invalid, and otherwise it is judged valid.
In some embodiments, the access token includes the device identifier and the authentication mode of the application client 102, and is unique. The authentication service 106 may parse the authentication token uploaded by the gateway service 108, extract the device identifier and the authentication mode from it, check the extracted ID and authentication mode, and authenticate according to the check result.
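As an added illustration of the request checks described in the preceding paragraphs (example code, not part of the patent), the following Python sketch shows an authentication service that checks a token acquisition request for legality and validity, then issues a token and pushes it to the gateway's local store. The HMAC-SHA256 signature, the 60-second freshness window, the request field names, the random 16-byte token and the server-side record holding the device identifier and authentication mode are all assumptions; the patent specifies none of them.

```python
import hashlib
import hmac
import json
import secrets

MAX_AGE_SECONDS = 60   # assumed freshness window for the request timestamp
TOKEN_BYTES = 16       # assumed token size


def sign_request(key, device_id, service, timestamp):
    """Proxy side: signature over the request fields (assumed scheme: HMAC-SHA256)."""
    body = json.dumps([device_id, service, timestamp]).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def make_request(key, device_id, service, timestamp):
    """Proxy side: build a token acquisition request (field names are hypothetical)."""
    return {"device_id": device_id, "service": service, "timestamp": timestamp,
            "signature": sign_request(key, device_id, service, timestamp)}


class AuthService:
    def __init__(self, device_keys, gateway_store):
        self.device_keys = device_keys      # stored records: device_id -> shared key
        self.gateway_store = gateway_store  # gateway's local store: service -> set of tokens
        self.issued = {}                    # token -> (device_id, auth_mode)

    def check_request(self, req, now):
        """Return 'ok', or the reason the request is rejected."""
        # Legality: the request must parse and carry a correct signature.
        try:
            device_id, service = str(req["device_id"]), str(req["service"])
            timestamp, signature = int(req["timestamp"]), str(req["signature"])
        except (KeyError, TypeError, ValueError):
            return "malformed"
        key = self.device_keys.get(device_id)
        if key is None:
            return "unknown device"         # no stored record of this identity
        expected = sign_request(key, device_id, service, timestamp)
        if not hmac.compare_digest(signature.encode(), expected.encode()):
            return "bad signature"
        # Validity: the timestamp must not have expired (future values are rejected too).
        if not 0 <= now - timestamp <= MAX_AGE_SECONDS:
            return "expired"
        return "ok"

    def issue_token(self, req, now, auth_mode="device-key"):
        """Blocks 218-220: check the request, generate a unique token, push it to the gateway."""
        if self.check_request(req, now) != "ok":
            return None
        token = secrets.token_bytes(TOKEN_BYTES)
        self.issued[token] = (str(req["device_id"]), auth_mode)
        self.gateway_store.setdefault(str(req["service"]), set()).add(token)
        return token


if __name__ == "__main__":
    # Constructed sample data: one registered device and a fixed "current" time.
    store = {}
    auth = AuthService({"dev-0001": b"constructed-demo-key"}, store)
    now = 1_700_000_000
    request = make_request(b"constructed-demo-key", "dev-0001", "billing", now - 5)
    print("issued:", auth.issue_token(request, now).hex())
    print("stale :", auth.check_request(request, now + 3600))
```
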
According to the embodiment of the disclosure, the following technical effects are achieved:
The invention uses the Options field of the TCP message frame to carry the access token, and message frames that do not carry the correct token are discarded, so the effect presented to the client is that the service address and port do not exist. An attacker therefore cannot determine whether the service exists and cannot launch an attack, which achieves the purpose of protecting the service. Even if the authentication service is attacked, users who have already passed authentication can still access service resources normally without being affected.
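An added Python sketch (not code from the patent) of the Options handling in blocks 208 and 212: the proxy appends the token as one more TCP option while keeping the options already present, and the gateway extracts it and compares it with its locally stored tokens. The option kind 253 (an IANA-reserved experimental kind), the 16-byte token and the sample SYN options are assumptions; the sample shows that a typical SYN already uses 20 of the 40 bytes, which bounds the token length.

```python
import hmac

# Option kinds from the IANA TCP parameters registry. KIND_TOKEN is an
# assumption: the patent names no kind, so 253 (reserved for experiments) is used.
KIND_EOL, KIND_NOP, KIND_TOKEN = 0, 1, 253
MAX_OPTIONS_LEN = 40  # maximum Options length stated in the description

# Constructed sample: Options of a typical SYN (MSS, SACK-permitted,
# Timestamps, NOP, Window Scale), 20 bytes in total.
SAMPLE_SYN_OPTIONS = bytes.fromhex(
    "020405b4" "0402" "080a0000000100000000" "01" "030307")
SAMPLE_TOKEN = bytes(range(16))  # constructed 16-byte token


def parse_options(raw):
    """Split a TCP Options field into (kind, value) pairs, dropping padding."""
    opts, i = [], 0
    while i < len(raw):
        kind = raw[i]
        if kind == KIND_EOL:        # end of option list: the rest is padding
            break
        if kind == KIND_NOP:        # single-byte padding between options
            i += 1
            continue
        if i + 1 >= len(raw):
            raise ValueError("truncated option header")
        length = raw[i + 1]         # length covers kind + length + value
        if length < 2 or i + length > len(raw):
            raise ValueError("bad option length")
        opts.append((kind, raw[i + 2:i + length]))
        i += length
    return opts


def build_options(opts):
    """Serialise (kind, value) pairs, pad to a 4-byte boundary, enforce the limit."""
    out = b"".join(bytes([kind, len(value) + 2]) + value for kind, value in opts)
    out += bytes([KIND_NOP]) * (-len(out) % 4)
    if len(out) > MAX_OPTIONS_LEN:
        raise ValueError("options exceed 40 bytes: token too long for this segment")
    return out


def add_token(raw, token):
    """Proxy side (block 208): keep the original options and append the token."""
    opts = [o for o in parse_options(raw) if o[0] != KIND_TOKEN]
    opts.append((KIND_TOKEN, token))
    return build_options(opts)


def gateway_accepts(raw, cached_tokens):
    """Gateway side (block 212): True to forward, False to discard silently."""
    try:
        presented = [v for k, v in parse_options(raw) if k == KIND_TOKEN]
    except ValueError:
        return False                # malformed Options are treated as no token
    if len(presented) != 1:
        return False
    # Constant-time comparison against every locally stored token.
    return any(hmac.compare_digest(presented[0], t) for t in cached_tokens)


if __name__ == "__main__":
    stamped = add_token(SAMPLE_SYN_OPTIONS, SAMPLE_TOKEN)
    print(len(stamped), gateway_accepts(stamped, {SAMPLE_TOKEN}))
    print(gateway_accepts(SAMPLE_SYN_OPTIONS, {SAMPLE_TOKEN}))
```
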
It is noted that while for simplicity of explanation, the foregoing method embodiments have been described as a series of acts or combination of acts, it will be appreciated by those skilled in the art that the present disclosure is not limited by the order of acts, as some steps may, in accordance with the present disclosure, occur in other orders and concurrently. Further, those skilled in the art should also appreciate that the embodiments described in the specification are exemplary embodiments and that acts and modules referred to are not necessarily required by the disclosure.
The above is a description of embodiments of the method, and the embodiments of the apparatus are further described below.
Fig. 3 shows a block diagram of a trusted connection authentication apparatus 300 according to an embodiment of the present disclosure. As shown in fig. 3, the apparatus 300 includes:
the proxy service 302 is used for intercepting message data sent by the application client, adding an access token into the message data and then sending the message data to the application server;
the gateway service 304 is used for intercepting the message data sent to the application server, taking out an access token from the intercepted message data, and verifying the access token; and if the verification is passed, sending the intercepted message data to the application server.
In some embodiments, the apparatus further includes an authentication service 306, configured to generate an access token for the proxy service 302 according to the token acquisition request sent by the proxy service. The gateway service 304 determines whether an access token issued by the authentication service 306 that matches the extracted access token is stored locally; if so, the verification passes, and if not, the verification fails.
In some embodiments, gateway service 304 sends the access token to authentication service 306 for verification.
It can be clearly understood by those skilled in the art that, for convenience and brevity of description, the specific working process of the described module may refer to the corresponding process in the foregoing method embodiment, and is not described herein again.
FIG. 4 shows a schematic block diagram of an electronic device 400 that may be used to implement embodiments of the present disclosure. The device 400 may be used to implement at least one of the client 102, proxy service 104, authentication service 106, gateway service 108, and application server 110 of FIG. 1. As shown, the device 400 includes a CPU 401 that can perform various appropriate actions and processes according to computer program instructions stored in a ROM 402 or loaded from a storage unit 408 into a RAM 403. The RAM 403 can also store various programs and data required for the operation of the device 400. The CPU 401, ROM 402, and RAM 403 are connected to each other via a bus 404. An I/O interface 405 is also connected to the bus 404.
A number of components in device 400 are connected to I/O interface 405, including: an input unit 406 such as a keyboard, a mouse, or the like; an output unit 407 such as various types of displays, speakers, and the like; a storage unit 408 such as a magnetic disk, optical disk, or the like; and a communication unit 409 such as a network card, modem, wireless communication transceiver, etc. The communication unit 409 allows the device 400 to exchange information/data with other devices via a computer network, such as the internet, and/or various telecommunication networks.
The functions described herein above may be performed, at least in part, by one or more hardware logic components. For example, without limitation, exemplary types of hardware logic components that may be used include: Field Programmable Gate Arrays (FPGAs), Application Specific Integrated Circuits (ASICs), Application Specific Standard Products (ASSPs), systems on a chip (SOCs), Complex Programmable Logic Devices (CPLDs), and the like.
Program code for implementing the methods of the present disclosure may be written in any combination of one or more programming languages. These program codes may be provided to a processor or controller of a general purpose computer, special purpose computer, or other programmable data processing apparatus, such that the program codes, when executed by the processor or controller, cause the functions/operations specified in the flowchart and/or block diagram to be performed. The program code may execute entirely on the machine, partly on the machine, as a stand-alone software package partly on the machine and partly on a remote machine or entirely on the remote machine or server.
In the context of this disclosure, a machine-readable medium may be a tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device. The machine-readable medium may be a machine-readable signal medium or a machine-readable storage medium. A machine-readable medium may include, but is not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any suitable combination of the foregoing. More specific examples of a machine-readable storage medium would include an electrical connection based on one or more wires, a portable computer diskette, a hard disk, a RAM, a ROM, an EPROM, an optical fiber, a CD-ROM, an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.
Further, while operations are depicted in a particular order, this should not be understood as requiring that such operations be performed in the particular order shown or in sequential order, or that all illustrated operations be performed, to achieve desirable results. Under certain circumstances, multitasking and parallel processing may be advantageous. Likewise, while several specific implementation details are included in the above discussion, these should not be construed as limitations on the scope of the disclosure. Certain features that are described in the context of separate embodiments can also be implemented in combination in a single implementation. Conversely, various features that are described in the context of a single implementation can also be implemented in multiple implementations separately or in any suitable subcombination.
Although the subject matter has been described in language specific to structural features and/or methodological acts, it is to be understood that the subject matter defined in the appended claims is not necessarily limited to the specific features or acts described above. Rather, the specific features and acts described above are disclosed as example forms of implementing the claims.
Claims (10)
1. A trusted connection authentication method, comprising:
the application client sends message data to the application server;
the proxy service intercepts the message data, adds an access token into the message data and forwards the message data to the application server; wherein the proxy service is deployed on a client side;
the gateway service intercepts the message data sent to the application server side, and takes out an access token from the intercepted message data and checks the access token; if the verification is passed, the intercepted message data is sent to an application server; wherein the gateway service is deployed on a service side.
2. The method of claim 1,
the access token is generated by the authentication service according to the token acquisition request sent by the proxy service and is issued to the proxy service.
3. The method of claim 2, wherein the proxy service intercepting the message data, adding an access token to the message data and forwarding the message data to the application server comprises:
determining the corresponding service of the intercepted message data;
judging whether an access token of the corresponding service is cached locally; if so, adding the access token into the message data and then forwarding the message data to the application server; if not, sending a token acquisition request to the authentication service so that the authentication service generates an access token according to the token acquisition request and sends the access token to the proxy service.
4. The method of claim 2,
the token acquisition request comprises identity information;
and the authentication service performs login authentication according to the identity information included in the token acquisition request.
5. The method of claim 2,
the authentication service sends the access token to the gateway service at the same time, before or after the access token is sent to the proxy service;
the gateway service verifying the access token comprises: determining whether an access token issued by the authentication service that matches the extracted access token is stored locally, and if so, the verification passes.
6. The method of claim 2,
the access token comprises a device identifier and an authentication mode of the application client, and is unique.
7. The method of claim 1,
the message data is a TCP message;
adding the access token to the message data comprises: adding the access token to an optional field of the TCP message.
8. A trusted connection authentication apparatus, comprising:
the proxy service is used for intercepting the message data sent by the application client, adding the access token into the message data and then sending the message data to the application server;
the gateway service is used for intercepting the message data sent to the application server, taking out the access token from the intercepted message data and verifying the access token; and if the verification is passed, sending the intercepted message data to the application server.
9. An electronic device comprising a memory and a processor, the memory having stored thereon a computer program, wherein the processor, when executing the program, implements the method of any of claims 1-7.
10. A computer-readable storage medium, on which a computer program is stored, which program, when being executed by a processor, carries out the method according to any one of claims 1 to 7.
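The flow in claims 3, 5 and 7 can be sketched as follows. This is an added example, not code from the patent: the class and function names, the experimental option kind 253, the 16-byte opaque token, the sample authentication mode and the server-side record of device identifier and mode are all assumptions.

```python
import hmac
import secrets
OPT_KIND = 253  # assumption: experimental TCP option kind (RFC 4727); the claims name none
TOKEN_LEN = 16  # assumption: the whole option list must fit in 40 bytes

class AuthService:
    """Issues a unique token and pushes it to the gateway store (claims 2, 5)."""
    def __init__(self, gateway_store):
        self.gateway_store = gateway_store

    def issue(self, service, device_id, auth_mode):
        token = secrets.token_bytes(TOKEN_LEN)
        self.gateway_store[token] = (service, device_id, auth_mode)
        return token

class Proxy:
    """Client-side proxy: per-service token cache, then tagging (claims 3, 7)."""
    def __init__(self, auth, device_id):
        self.auth, self.device_id, self.cache = auth, device_id, {}

    def tag(self, service, existing_options=b""):
        token = self.cache.get(service)
        if token is None:  # cache miss: request a token; "password" is a sample mode
            token = self.cache[service] = self.auth.issue(service, self.device_id, "password")
        options = existing_options + bytes([OPT_KIND, 2 + len(token)]) + token
        options += b"\x01" * (-len(options) % 4)  # NOP padding to a 32-bit boundary
        if len(options) > 40:
            raise ValueError("token does not fit in the TCP option space")
        return options

def extract_token(options):
    """Walk the kind/length/value list; return the token bytes or None."""
    i = 0
    while i < len(options) and options[i] != 0:  # 0 = End of Option List
        kind = options[i]
        if kind == 1:  # 1 = No-Operation, single byte
            i += 1
            continue
        length = options[i + 1] if i + 1 < len(options) else 0
        if length < 2 or i + length > len(options):
            return None  # malformed option: fail closed
        if kind == OPT_KIND:
            return options[i + 2:i + length]
        i += length
    return None

def gateway_verify(options, store):
    """Pass only if the token equals one the authentication service issued."""
    token = extract_token(options)
    return token is not None and any(hmac.compare_digest(token, t) for t in store)
```

The 40-byte ceiling on TCP options is the practical constraint here: options already on the segment (MSS, timestamps, SACK) reduce the room left for a token.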
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202110195720.8A CN112910915A (en) | 2021-02-19 | 2021-02-19 | Trusted connection authentication method, device, equipment and computer readable storage medium |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202110195720.8A CN112910915A (en) | 2021-02-19 | 2021-02-19 | Trusted connection authentication method, device, equipment and computer readable storage medium |
Publications (1)
Publication Number | Publication Date |
---|---|
CN112910915A true CN112910915A (en) | 2021-06-04 |
Family
ID=76124271
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202110195720.8A Pending CN112910915A (en) | 2021-02-19 | 2021-02-19 | Trusted connection authentication method, device, equipment and computer readable storage medium |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN112910915A (en) |
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN113810468A (en) * | 2021-08-13 | 2021-12-17 | 济南浪潮数据技术有限公司 | Method, system, device and storage medium for distributing request by gateway under K8s architecture |
WO2024065648A1 (en) * | 2022-09-30 | 2024-04-04 | Apple Inc. | Consent-based exposure of ue-related information to application function |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN102480490A (en) * | 2010-11-30 | 2012-05-30 | 国际商业机器公司 | Method for preventing CSRF attack and equipment thereof |
CN106302546A (en) * | 2016-10-18 | 2017-01-04 | 青岛海信电器股份有限公司 | The method and apparatus realizing server access |
US20180034858A1 (en) * | 2016-07-27 | 2018-02-01 | BanyanOps, Inc. | Transparently enhanced authentication and authorization between networked services |
US20190182250A1 (en) * | 2017-12-07 | 2019-06-13 | Symantec Corporation | Http proxy authentication using custom headers |
CN111935078A (en) * | 2020-06-23 | 2020-11-13 | 深圳奥联信息安全技术有限公司 | Handle-based open authentication method, device and system |
- 2021-02-19 CN CN202110195720.8A patent/CN112910915A/en active Pending
Patent Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN102480490A (en) * | 2010-11-30 | 2012-05-30 | 国际商业机器公司 | Method for preventing CSRF attack and equipment thereof |
US20180034858A1 (en) * | 2016-07-27 | 2018-02-01 | BanyanOps, Inc. | Transparently enhanced authentication and authorization between networked services |
CN106302546A (en) * | 2016-10-18 | 2017-01-04 | 青岛海信电器股份有限公司 | The method and apparatus realizing server access |
US20190182250A1 (en) * | 2017-12-07 | 2019-06-13 | Symantec Corporation | Http proxy authentication using custom headers |
CN111935078A (en) * | 2020-06-23 | 2020-11-13 | 深圳奥联信息安全技术有限公司 | Handle-based open authentication method, device and system |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN107534557B (en) | Identity agent providing access control and single sign-on | |
US9825928B2 (en) | Techniques for optimizing authentication challenges for detection of malicious attacks | |
EP2078260B1 (en) | Detecting stolen authentication cookie attacks | |
KR101095447B1 (en) | Apparatus and method for preventing distributed denial of service attack | |
EP2347559B1 (en) | Service access control | |
US6874084B1 (en) | Method and apparatus for establishing a secure communication connection between a java application and secure server | |
US20100043065A1 (en) | Single sign-on for web applications | |
CN107579991B (en) | Method for performing cloud protection authentication on client, server and client | |
RU2755675C2 (en) | Identification of security vulnerabilities in application program interfaces | |
US10454949B2 (en) | Guarding against cross-site request forgery (CSRF) attacks | |
JP2020057363A (en) | Method and program for security assertion markup language (saml) service provider-initiated single sign-on | |
CN112491776B (en) | Security authentication method and related equipment | |
CN102710667B (en) | Method for realizing Portal authentication server attack prevention and broadband access server | |
CN108322416B (en) | Security authentication implementation method, device and system | |
CN110958119A (en) | Identity verification method and device | |
CN112910915A (en) | Trusted connection authentication method, device, equipment and computer readable storage medium | |
CN108259457A (en) | A kind of WEB authentication methods and device | |
CN113672897A (en) | Data communication method, device, electronic equipment and storage medium | |
CN115603932A (en) | Access control method, access control system and related equipment | |
CN113055357B (en) | Method and device for verifying credibility of communication link by single packet, computing equipment and storage medium | |
CN112968910B (en) | Replay attack prevention method and device | |
JP2006243924A (en) | Secure session management program for website, session management method, and session management system | |
CN112560102A (en) | Resource sharing method, resource accessing method, resource sharing equipment and computer readable storage medium | |
CN115001840B (en) | Agent-based authentication method, system and computer storage medium | |
US10313349B2 (en) | Service request modification |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
RJ01 | Rejection of invention patent application after publication | Application publication date: 20210604 |