CN113067706A - Application identification system and method, storage medium and electronic device - Google Patents

Info

Publication number
CN113067706A
Authority
CN
China
Prior art keywords
service
authentication
identification
provider
node
Prior art date
Legal status
Granted
Application number
CN202110413658.5A
Other languages
Chinese (zh)
Other versions
CN113067706B (en)
Inventor
朱海申
Current Assignee
Jingdong Allianz Property Insurance Co ltd
Original Assignee
Jingdong Allianz Property Insurance Co ltd
Current legal status
Active

Classifications

    • H: Electricity
    • H04: Electric communication technique
    • H04L: Transmission of digital information, e.g. telegraphic communication
    • H04L 9/00: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; network security protocols
    • H04L 9/32: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L 9/3263: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials, involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; public key infrastructure [PKI] arrangements

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Storage Device Security (AREA)

Abstract

The present disclosure provides an application recognition system, an application recognition method, a computer-readable storage medium, and an electronic device. The application recognition system includes: a service authentication system; a service issuing system, which requests a service identification certificate from the service authentication system when a service is issued; an access-side service node, which sends the service identification certificate acquired from the service issuing system to the service authentication system for authentication and identification, acquires service identification information, and writes the service identification information into the service request; and a provider service node, which parses the service identification information after receiving the service request and processes the service request according to the parsing result. The scheme reduces the cost of authority verification and improves service security.

Description

Application identification system and method, storage medium and electronic device
Technical Field
The present disclosure relates to the field of network security technologies, and in particular, to an application identification system, an application identification method, a computer-readable storage medium, and an electronic device.
Background
Under the micro-service architecture, since one service can be split into several micro-services, the calls between the services become more frequent. Interface access rights checking between services also becomes complicated based on data security requirements.
The existing interface access authorization scheme mainly provides an authorization token directly by a service interface provider, and an access party accesses an interface through the token.
Under this scheme, in a micro-service scenario, an access party needs to maintain a plurality of different tokens in order to access different micro-service interfaces, which increases the maintenance burden on the access party.
Disclosure of Invention
The present disclosure provides an application identification system, an application identification method, a computer-readable storage medium, and an electronic device, thereby avoiding the higher cost of authority verification that arises when an accessing party must maintain a plurality of different tokens.
According to a first aspect of the present disclosure, there is provided an application recognition system comprising:
a service authentication system;
the service issuing system is used for requesting to acquire a service identification certificate from the service authentication system when issuing the service;
the access party service node is used for sending the service identification certificate acquired from the service issuing system to the service authentication system for authentication and identification, acquiring service identification information and writing the service identification information into a service request;
and the provider service node is used for analyzing the service identification information after receiving the service request and processing the service request according to an analysis result.
Optionally, the access party service node includes an access party identification plug-in;
the access party identification plug-in is used for reading the service identification certificate of the access party service node when the access party service node is started, and sending the service identification certificate to the service authentication system for authentication and identification;
the access party identification plug-in is further used for acquiring the service identification information returned by the service authentication system and writing the service identification information into the service request.
Optionally, the provider service node comprises a provider authentication plug-in;
and the provider authentication plug-in is used for acquiring an authentication key from the service authentication system when the provider service node is started, parsing the service identification information with the authentication key, and writing the access party service identifier into the service request after the parsing succeeds.
Optionally, the provider service node is further configured to obtain the accessor service identifier in the service request.
Optionally, the method further includes:
and the authentication service system is used for acquiring the access party service identifier from the provider service node and performing service authorization check by using the access party service identifier.
Optionally, the provider service node is further configured to perform service processing according to the information in the service request when the service authorization check is passed.
Optionally, the authentication service system is further configured to return an error message to the access party service node when the service authorization check fails.
According to a second aspect of the present disclosure, there is provided an application identification method for an application identification system including a service issuing system, a service authentication system, an accessor service node, and a provider service node, the method including:
when the service is released, the service release system requests to acquire a service identification certificate from the service authentication system;
the service identification certificate acquired from the service issuing system is sent to the service authentication system through the access party service node for authentication and identification, and service identification information is acquired and written into a service request;
and after receiving the service request, the service provider service node identifies the service identification information and processes the service request according to an identification result.
According to a third aspect of the present disclosure, there is provided a computer-readable storage medium having stored thereon a computer program which, when executed by a processor, implements the application recognition method described above.
According to a fourth aspect of the present disclosure, there is provided an electronic device comprising:
a processor;
a memory for storing one or more programs which, when executed by the processor, cause the processor to implement the application recognition method described above.
In the technical solutions provided in some embodiments of the present disclosure, on one hand, when a service is issued, a service identification certificate is obtained from the service authentication system through the service issuing system, and when a plurality of accessor service nodes access interfaces of a provider service node, authority verification of the accessor can be performed through that service identification certificate. This avoids the situation in which the accessor maintains a plurality of different tokens, reducing the cost of authority verification and the corresponding maintenance cost. On the other hand, the service identification certificate is acquired from a service authentication system that is independent of the service cluster, so authority verification can be separated from the service logic; this effectively improves service security, frees developers from authorization maintenance, and achieves both security management and savings in research and development resources. Furthermore, the service authentication system and the service identification certificate both belong to the operation and maintenance side, and the security of the related data is protected by the operation and maintenance scheme, which raises the level of security protection.
It is to be understood that both the foregoing general description and the following detailed description are exemplary and explanatory only and are not restrictive of the disclosure.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with the present disclosure and together with the description, serve to explain the principles of the disclosure. It is to be understood that the drawings in the following description are merely exemplary of the disclosure, and that other drawings may be derived from those drawings by one of ordinary skill in the art without the exercise of inventive faculty. In the drawings:
FIG. 1 schematically illustrates a block diagram of an application recognition system, according to an exemplary embodiment of the present disclosure;
fig. 2 schematically shows a structural diagram of an application recognition system of an exemplary embodiment of the present disclosure;
FIG. 3 schematically illustrates a block diagram of another application identification system of an exemplary embodiment of the present disclosure;
FIG. 4 schematically illustrates a service identification authentication and authorization validation process diagram of an application identification system according to an exemplary embodiment of the present disclosure;
FIG. 5 schematically illustrates a flow chart of an application identification method according to an exemplary embodiment of the present disclosure;
fig. 6 schematically shows a block schematic of an electronic device according to an exemplary embodiment of the present disclosure.
Detailed Description
Example embodiments will now be described more fully with reference to the accompanying drawings. Example embodiments may, however, be embodied in many different forms and should not be construed as limited to the examples set forth herein; rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the concept of example embodiments to those skilled in the art. The described features, structures, or characteristics may be combined in any suitable manner in one or more embodiments. In the following description, numerous specific details are provided to give a thorough understanding of embodiments of the disclosure. One skilled in the relevant art will recognize, however, that the subject matter of the present disclosure can be practiced without one or more of the specific details, or with other methods, components, devices, steps, and the like. In other instances, well-known technical solutions have not been shown or described in detail to avoid obscuring aspects of the present disclosure.
Furthermore, the drawings are merely schematic illustrations of the present disclosure and are not necessarily drawn to scale. The same reference numerals in the drawings denote the same or similar parts, and thus their repetitive description will be omitted. Some of the block diagrams shown in the figures are functional entities and do not necessarily correspond to physically or logically separate entities. These functional entities may be implemented in the form of software, or in one or more hardware modules or integrated circuits, or in different networks and/or processor devices and/or microcontroller devices.
The flow charts shown in the drawings are merely illustrative and do not necessarily include all of the steps. For example, some steps may be decomposed, and some steps may be combined or partially combined, so that the actual execution sequence may be changed according to the actual situation. In addition, all of the following terms "first" and "second" are used for distinguishing purposes only and should not be construed as limiting the present disclosure.
With the rise of the micro-service architecture, the identity authentication and authorization approach of the traditional monolithic application faces growing challenges. In a monolithic application system, the application is a single whole, and permission verification is generally performed on all requests: an authority interceptor checks the permissions of each request, the user information is cached in the session at login, and subsequent accesses obtain the user information from that cache.
Under the micro-service architecture, one application can be split into a plurality of micro-applications, each of which needs to authenticate access and determine the current accessing user and that user's authority. Especially when the access source is not only a browser but also calls from other services, the authentication method of the monolithic architecture is not particularly suitable.
If the service interface provider directly provides the authorized token, the access party accesses the interface through the token, so that the pressure of the server can be reduced, frequent database query is reduced, and the server is more robust. However, in the micro-service scenario, the accessing party needs to maintain a plurality of different tokens in order to access different micro-service interfaces, which causes inconvenience for the accessing party to maintain.
Based on a micro-service architecture scenario, an application recognition system is provided in exemplary embodiments of the present disclosure. Fig. 1 schematically illustrates a block diagram of an application recognition system according to an exemplary embodiment of the present disclosure. Referring to fig. 1, the application recognition system 100 may include a service authentication system 110, a service publishing system 120, an accessor service node 130, and a provider service node 140.
In actual practice, as shown in FIG. 2, a micro-service architecture may contain hundreds or thousands of services that are called by web pages, apps, or other clients. It is therefore necessary to establish a service cluster, which includes a plurality of visitor service nodes 130 and a plurality of provider service nodes 140, and one visitor service node 130 can access a plurality of provider service nodes 140.
In the exemplary embodiment of the present disclosure, when a service is issued, the service issuing system 120 is configured to apply to the service authentication system 110 for a service identification certificate, and the service authentication system 110 generates the corresponding service identification certificate according to the information carried in the application from the service issuing system 120, such as an identifier related to the service.
The generated service identification certificate is equivalent to identification information of the service, and in a subsequent service invoking process, any one of the accessor service nodes 130 in the service cluster can carry the service identification certificate to implement identity authentication, so as to access the interface to invoke the relevant service from the provider service node 140.
After obtaining the service identification certificate, the service issuing system 120 packages the service identification certificate into a service request during service operation, so that the service request is used when the service node 130 of the accessing party calls the service.
After the service is started, the visitor service node 130 reads a service identification certificate from a service request acquired from the service issuing system 120, and sends the service identification certificate to the service authentication system 110, the service authentication system 110 identifies the service identification certificate, and if the service identification certificate passes the identification, the service authentication system 110 generates service identification information and sends the service identification information to the visitor service node 130.
It should be noted that each accessor service node 130 is provided with an accessor identification plug-in 131, and the accessor identification plug-in 131 is used for automatically running when the accessor service node 130 is started, and reading a service identification certificate from a service request of the accessor service node 130. Upon reading the service identification certificate, the accessing party identification plug-in 131 sends the service identification certificate to the service authentication system 110.
After receiving the service identification certificate sent by the accessor identification plug-in 131, the service authentication system 110 authenticates it by determining whether it is the same as the service identification certificate generated previously; if so, the service authentication system 110 returns service identification information to the accessor identification plug-in 131, indicating that the service is the one specified by the service issuing system 120 and may be accessed; after obtaining the service identification information, the accessor identification plug-in 131 writes it into the service request.
After receiving the service request written with the service identification information, the provider service node 140 parses the service identification information, and processes the service request according to a parsing result.
Similarly, the provider service node 140 is generally provided with a provider authentication plug-in 141, and the provider authentication plug-in 141 is configured to automatically operate when the provider service node 140 is started, and upon receiving a service request from the accessor identification plug-in 131, obtain an authentication key from the service authentication system 110, parse the service identification information according to the authentication key, and write the accessor service identification into the service request after successful parsing.
Once the above parsing is completed, the provider authentication plug-in 141 has completed application authentication of the access party and established its identity. If parsing succeeds, the access party has the authority to make the call. Finer-grained interface authentication then needs to be performed on the access party, and access is allowed only after that authentication passes. Common interface authentication includes call authentication between RPC interfaces, HTTP interface call authentication, and the like. After the interface authentication passes, the provider service node 140 may obtain the accessor service identifier from the service request.
In addition, as shown in fig. 3, the application identification system provided in the exemplary embodiment of the present disclosure further includes an authentication service system 150, after obtaining the service identifier of the access party, the provider service node 140 sends the service identifier of the access party to the authentication service system 150, the authentication service system 150 performs service authorization check by using the service identifier of the access party, after the service authorization check is passed, the authentication result is sent to the provider service node 140, and the provider service node 140 may perform relevant service processing according to information in the service request, for example, return the service required by the access party to the access party.
However, if the service authorization check is not passed, the authentication service system 150 directly returns an error message to the visitor service node 130, ending the entire access process.
For a clearer explanation of the service identification authentication and authorization confirmation process of the application identification system provided in the exemplary embodiment of the present disclosure, referring to fig. 4, the interaction process among the visitor service node 130, the provider service node 140, and the authentication service system 150 is described in detail as follows:
First, an accessing user submits a request for a provider interface through the access party service node 130; the visitor identification plug-in 131 intercepts the request and, after obtaining the service identification information, writes the service identification information into the request, for example into a header of the http/https protocol.
Then, the visitor identification plug-in 131 transmits the request to the provider authentication plug-in 141 through the network, and the provider authentication plug-in 141 intercepts the request and enters the determination condition 1, that is, determines whether the request includes the service identification information; if so, i.e., contains service identification information, the provider authentication plug-in 141 parses the service identification information that authenticates the accessor, and writes the accessor service identification into the request context.
In practical applications, an open interface may not carry service identification information, and in that case the provider authentication plug-in 141 does not perform the above parsing and authentication procedure on the open interface.
For the different interfaces, in the exemplary embodiment of the present disclosure, it is further necessary to enter the determination condition 2 to determine whether the interface needs to be authenticated.
If not, i.e. for an open interface that needs no interface authentication, the provider service node 140 directly performs service processing on the request and returns the result to the access party service node 130, which processes the corresponding response data and feeds the result back to the accessing user.
For an interface that needs to be authenticated, the provider service node 140 obtains the visitor service identifier from the request context and sends it to the authentication service system 150. The authentication service system 150 performs the service authorization check according to the service identifier of the access party and returns the authentication result as determination condition 3. If the authentication passes, the service is authorized to the provider service node 140, which performs normal service processing and transmits the service processing result to the access party service node 130; the access party service node 130 then processes the corresponding response data and feeds the result back to the accessing user.
If the authentication is not passed, the authentication service system 150 directly returns an error message response to the visitor service node 130, which processes the corresponding response data and feeds the result back to the accessing user.
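The flow of figs. 1 to 4 (the accessor and provider plug-ins described above and the three determination conditions of the fig. 4 process) is modelled below in Python as an added illustration; this is not code from the patent. Assumed here, because the patent does not specify them: the service identification information is an HMAC-signed token over the service identifier, the header is named X-Service-Identification, and a request whose identification information fails to parse is rejected.

```python
import base64
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass, field

HEADER = "X-Service-Identification"  # header name assumed; the patent only says "a header"

@dataclass
class Request:
    path: str
    headers: dict = field(default_factory=dict)
    context: dict = field(default_factory=dict)  # provider-side request context

class ServiceAuthenticationSystem:
    """Outside the cluster: issues certificates at publish time and authenticates them at start-up."""

    def __init__(self):
        self.key = secrets.token_bytes(32)  # authentication key handed to provider plug-ins at start-up
        self._issued = {}  # service_id -> certificate generated at publish time

    def issue_certificate(self, service_id):  # requested by the service issuing system
        self._issued[service_id] = secrets.token_urlsafe(32)
        return self._issued[service_id]

    def authenticate_certificate(self, service_id, cert):
        """Identification information if cert equals the one generated at publish time, else None."""
        expected = self._issued.get(service_id)
        if expected is None or not hmac.compare_digest(expected, cert):
            return None
        payload = base64.urlsafe_b64encode(json.dumps({"svc": service_id}).encode()).decode()
        return payload + "." + hmac.new(self.key, payload.encode(), hashlib.sha256).hexdigest()

class AccessorIdentificationPlugin:
    def __init__(self, auth_system, service_id, cert):  # runs at accessor start-up
        self.identification_info = auth_system.authenticate_certificate(service_id, cert)

    def intercept(self, request):  # writes the identification information into the header
        if self.identification_info is not None:
            request.headers[HEADER] = self.identification_info
        return request

class ProviderAuthenticationPlugin:
    def __init__(self, auth_system):
        self._key = auth_system.key  # obtained once at provider start-up

    def intercept(self, request):
        info = request.headers.get(HEADER)
        if info is None:  # determination condition 1: no identification information present,
            return request  # so the request is treated as an open interface and nothing is parsed
        payload, _, sig = info.rpartition(".")
        expected = hmac.new(self._key, payload.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, sig):  # parse failure: rejecting is this example's choice
            raise PermissionError("service identification information failed to parse")
        request.context["accessor_service_id"] = json.loads(base64.urlsafe_b64decode(payload))["svc"]
        return request

class AuthenticationServiceSystem:
    def __init__(self, grants):
        self._grants = grants  # interface path -> set of accessor service ids allowed to call it

    def check(self, accessor_service_id, path):  # service authorization check (condition 3)
        return accessor_service_id in self._grants.get(path, set())

class ProviderServiceNode:
    def __init__(self, plugin, authz, protected_paths):
        self.plugin, self.authz, self.protected = plugin, authz, protected_paths

    def handle(self, request):  # returns (status, body) for the accessor to turn into response data
        try:
            request = self.plugin.intercept(request)
        except PermissionError as exc:
            return 401, str(exc)
        if request.path in self.protected:  # determination condition 2: interface needs authentication
            if not self.authz.check(request.context.get("accessor_service_id"), request.path):
                return 403, "error: service authorization check failed"
        return 200, f"served {request.path} to {request.context.get('accessor_service_id', 'anonymous')}"

def run_scenario():
    """Constructed scenario: 'order' and 'legacy' are published, only 'order' is granted
    /inventory/reserve, and /health is an open interface. Returns the status code per case."""
    auth = ServiceAuthenticationSystem()
    certs = {s: auth.issue_certificate(s) for s in ("order", "legacy")}  # service issuing system
    authz = AuthenticationServiceSystem({"/inventory/reserve": {"order"}})
    provider = ProviderServiceNode(ProviderAuthenticationPlugin(auth), authz, {"/inventory/reserve"})
    order = AccessorIdentificationPlugin(auth, "order", certs["order"])
    legacy = AccessorIdentificationPlugin(auth, "legacy", certs["legacy"])
    bad_cert = AccessorIdentificationPlugin(auth, "order", "not-the-issued-certificate")
    payload, _, sig = order.identification_info.rpartition(".")
    forged = payload + "." + sig[:-1] + ("0" if sig[-1] != "0" else "1")  # not signed with the key
    return {
        "authorized": provider.handle(order.intercept(Request("/inventory/reserve")))[0],
        "not_granted": provider.handle(legacy.intercept(Request("/inventory/reserve")))[0],
        "open_interface_no_info": provider.handle(bad_cert.intercept(Request("/health")))[0],
        "protected_no_info": provider.handle(bad_cert.intercept(Request("/inventory/reserve")))[0],
        "forged_token": provider.handle(Request("/health", {HEADER: forged}))[0],
    }
```

Because the provider plug-in only holds the authentication key and never the per-service certificates, an accessor that was never issued a matching certificate cannot obtain identification information, and a token not minted by the service authentication system fails at condition 1's parse step before any authorization lookup.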
In summary, based on the application identification system according to the exemplary embodiment of the present disclosure, on one hand, when a service is issued, a service identification certificate is obtained from the service authentication system through the service issuing system, and when a plurality of accessor service nodes access interfaces of a provider service node, authority verification of the accessor can be performed through that service identification certificate, so the situation in which the accessor maintains a plurality of different tokens is avoided and the cost of authority verification and the corresponding maintenance cost are reduced. On the other hand, the service identification certificate is acquired from a service authentication system that is independent of the service cluster, so authority verification can be separated from the service logic; this effectively improves service security, frees developers from authorization maintenance, and achieves both security management and savings in research and development resources. Furthermore, the service authentication system and the service identification certificate both belong to the operation and maintenance side, and the security of the related data is protected by the operation and maintenance scheme, which raises the level of security protection.
Having introduced the application recognition system of the exemplary embodiment of the present disclosure, an application recognition method of the exemplary embodiment of the present invention is described next with reference to fig. 5. The method embodiment inherits the relevant description of the system embodiment, which supports the specific details of the method embodiment.
The application identification method according to the exemplary embodiment of the present disclosure is applied to the application identification system including the service authentication system, the service issuing system, the visitor service node, and the provider service node, and specifically may include the following steps:
step S510, when the service is released, the service release system requests to acquire a service identification certificate from the service authentication system;
step S520, the service identification certificate acquired from the service issuing system is sent to the service authentication system through the service node of the access party for authentication and identification, and the acquired service identification information is written into the service request;
step S530, after receiving the service request, the service provider service node identifies the service identification information, and processes the service request according to the identification result.
In some embodiments of the present disclosure, when the accessor service node is started, the accessor identification plug-in reads the service identification certificate of the accessor service node and sends the service identification certificate to the service authentication system for authentication and identification;
and acquiring the service identification information returned by the service authentication system through the access party identification plug-in so as to write the service identification information into the service request.
In some embodiments of the present disclosure, when the provider service node is started, the provider authentication plug-in obtains the authentication key from the service authentication system, parses the service identification information with the authentication key, and, after the parsing succeeds, writes the accessor service identifier into the service request.
In some embodiments of the present disclosure, the accessor service identification in the service request is obtained by the provider service node.
In some embodiments of the present disclosure, the accessor service identifier is obtained from the provider service node by the authentication service system and used for service authorization checking.
In some embodiments of the present disclosure, when the service authorization check passes, the service processing is performed by the provider service node according to the information in the service request.
In some embodiments of the present disclosure, the authentication service system responds to the error message when the service authorization check fails, and sends the error message to the visitor service node.
Since the steps and processes of the application identification method according to the embodiment of the present disclosure are the same as those in the embodiment of the system described above, they are not described herein again.
Through the above description of the embodiments, those skilled in the art will readily understand that the exemplary embodiments described herein may be implemented by software, or by software in combination with necessary hardware. Therefore, the technical solution according to the embodiments of the present disclosure may be embodied in the form of a software product, which may be stored in a non-volatile storage medium (which may be a CD-ROM, a usb disk, a removable hard disk, etc.) or on a network, and includes several instructions to enable a computing device (which may be a personal computer, a server, a terminal device, or a network device, etc.) to execute the method according to the embodiments of the present disclosure.
Furthermore, the above-described figures are merely schematic illustrations of processes included in methods according to exemplary embodiments of the present disclosure, and are not intended to be limiting. It will be readily understood that the processes shown in the above figures are not intended to indicate or limit the chronological order of the processes. In addition, it is also readily understood that these processes may be performed synchronously or asynchronously, e.g., in multiple modules.
It should be noted that although the above detailed description mentions several modules or units of the device for action execution, such a division is not mandatory. Indeed, the features and functionality of two or more modules or units described above may be embodied in one module or unit, according to embodiments of the present disclosure. Conversely, the features and functions of one module or unit described above may be further divided so as to be embodied by a plurality of modules or units.
In an exemplary embodiment of the present disclosure, an electronic device capable of implementing the above method is also provided.
As will be appreciated by one skilled in the art, aspects of the present invention may be embodied as a system, method or program product. Thus, various aspects of the invention may be embodied in the form of: an entirely hardware embodiment, an entirely software embodiment (including firmware, microcode, etc.) or an embodiment combining hardware and software aspects that may all generally be referred to herein as a "circuit," "module," or "system."
An electronic device 600 according to this embodiment of the invention is described below with reference to fig. 6. The electronic device 600 shown in fig. 6 is only an example, and should not bring any limitation to the functions and the scope of use of the embodiments of the present invention.
As shown in fig. 6, the electronic device 600 is embodied in the form of a general purpose computing device. The components of the electronic device 600 may include, but are not limited to: at least one processing unit 66, at least one memory unit 620, a bus 630 connecting the various system components (including the memory unit 620 and the processing unit 66), and a display unit 640.
The storage unit 620 stores program code executable by the processing unit 66, causing the processing unit 610 to perform the steps of the various exemplary embodiments of the present invention described in the "exemplary methods" section of this specification. For example, the processing unit 66 may execute step S510 shown in fig. 5, in which the service publishing system requests a service identification certificate from the service authentication system when the service is published; step S520, in which the accessor service node sends the service identification certificate obtained from the service publishing system to the service authentication system for authentication and identification, and writes the returned service identification information into the service request; and step S530, in which the provider service node, after receiving the service request, identifies the service identification information and processes the service request according to the identification result.
The storage unit 620 may include readable media in the form of volatile memory units, such as a random access memory unit (RAM)6201 and/or a cache memory unit 6202, and may further include a read-only memory unit (ROM) 6203.
The memory unit 620 may also include a program/utility 6204 having a set (at least one) of program modules 6205, such program modules 6205 including, but not limited to: an operating system, one or more application programs, other program modules, and program data, each of which, or some combination thereof, may comprise an implementation of a network environment.
Bus 630 may be one or more of several types of bus structures, including a memory unit bus or memory unit controller, a peripheral bus, an accelerated graphics port, a processing unit, or a local bus using any of a variety of bus architectures.
The electronic device 600 may also communicate with one or more external devices 670 (e.g., keyboard, pointing device, bluetooth device, etc.), with one or more devices that enable a user to interact with the electronic device 600, and/or with any devices (e.g., router, modem, etc.) that enable the electronic device 600 to communicate with one or more other computing devices. Such communication may occur via an input/output (I/O) interface 650. Also, the electronic device 600 may communicate with one or more networks (e.g., a Local Area Network (LAN), a Wide Area Network (WAN), and/or a public network such as the Internet) via the network adapter 660. As shown, the network adapter 660 communicates with the other modules of the electronic device 600 over the bus 630. It should be appreciated that although not shown in the figures, other hardware and/or software modules may be used in conjunction with the electronic device 600, including but not limited to: microcode, device drivers, redundant processing units, external disk drive arrays, RAID systems, tape drives, and data backup storage systems, among others.
In an exemplary embodiment of the present disclosure, there is also provided a computer-readable storage medium having stored thereon a program product capable of implementing the above-described method of the present specification. In some possible embodiments, aspects of the invention may also be implemented in the form of a program product comprising program code means for causing a terminal device to carry out the steps according to various exemplary embodiments of the invention described in the above section "exemplary methods" of the present description, when said program product is run on the terminal device.
A program product for implementing the above method according to an embodiment of the present invention is described, which may employ a portable compact disc read only memory (CD-ROM) and include program code, and may be run on a terminal device, such as a personal computer. However, the program product of the present invention is not limited in this regard and, in the present document, a readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device.
The program product may employ any combination of one or more readable media. The readable medium may be a readable signal medium or a readable storage medium. A readable storage medium may be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any combination of the foregoing. More specific examples (a non-exhaustive list) of the readable storage medium include: an electrical connection having one or more wires, a portable disk, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.
A computer readable signal medium may include a propagated data signal with readable program code embodied therein, for example, in baseband or as part of a carrier wave. Such a propagated data signal may take many forms, including, but not limited to, electro-magnetic, optical, or any suitable combination thereof. A readable signal medium may also be any readable medium that is not a readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device.
Program code embodied on a readable medium may be transmitted using any appropriate medium, including but not limited to wireless, wireline, optical fiber cable, RF, etc., or any suitable combination of the foregoing.
Program code for carrying out operations for aspects of the present invention may be written in any combination of one or more programming languages, including an object oriented programming language such as Java, C++ or the like and conventional procedural programming languages, such as the "C" programming language or similar programming languages. The program code may execute entirely on the user's computing device, partly on the user's device, as a stand-alone software package, partly on the user's computing device and partly on a remote computing device, or entirely on the remote computing device or server. In the case of a remote computing device, the remote computing device may be connected to the user computing device through any kind of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or may be connected to an external computing device (e.g., through the internet using an internet service provider).
Furthermore, the above-described figures are merely schematic illustrations of processes involved in methods according to exemplary embodiments of the invention, and are not intended to be limiting. It will be readily understood that the processes shown in the above figures are not intended to indicate or limit the chronological order of the processes. In addition, it is also readily understood that these processes may be performed synchronously or asynchronously, e.g., in multiple modules.
Other embodiments of the disclosure will be apparent to those skilled in the art from consideration of the specification and practice of the disclosure disclosed herein. This application is intended to cover any variations, uses, or adaptations of the disclosure following, in general, the principles of the disclosure and including such departures from the present disclosure as come within known or customary practice within the art to which the disclosure pertains. It is intended that the specification and examples be considered as exemplary only, with a true scope and spirit of the disclosure being indicated by the following claims.
It will be understood that the present disclosure is not limited to the precise arrangements described above and shown in the drawings and that various modifications and changes may be made without departing from the scope thereof. The scope of the present disclosure is to be limited only by the terms of the appended claims.

Claims (10)

1. An application recognition system, comprising:
a service authentication system;
a service publishing system, used for requesting a service identification certificate from the service authentication system when a service is published;
an accessor service node, used for sending the service identification certificate obtained from the service publishing system to the service authentication system for authentication and identification, obtaining service identification information, and writing the service identification information into a service request;
and a provider service node, used for parsing the service identification information after receiving the service request and processing the service request according to the parsing result.
2. The system of claim 1, wherein the accessor service node comprises an accessor identification plug-in;
the accessor identification plug-in is used for reading the service identification certificate of the accessor service node when the accessor service node is started, and sending the service identification certificate to the service authentication system for authentication and identification;
the accessor identification plug-in is also used for obtaining the service identification information returned by the service authentication system and writing the service identification information into the service request.
3. The system of claim 2, wherein the provider service node comprises a provider authentication plug-in;
and the provider authentication plug-in is used for obtaining an authentication key from the service authentication system when the provider service node is started, parsing the service identification information according to the authentication key, and writing an accessor service identifier into the service request after the parsing succeeds.
4. The system of claim 3, wherein the provider service node is further configured to obtain the accessor service identifier from the service request.
5. The system of claim 4, further comprising:
an authentication service system, used for obtaining the accessor service identifier from the provider service node and performing a service authorization check using the accessor service identifier.
6. The system of claim 5, wherein the provider service node is further configured to perform a service process according to information in the service request when the service authorization check passes.
7. The system of claim 5, wherein the authentication service system is further configured to respond with an error message and send the error message to the accessor service node if the service authorization check fails.
8. An application identification method for an application identification system, the application identification system comprising a service publishing system, a service authentication system, an accessor service node and a provider service node, the method comprising:
when a service is published, the service publishing system requests a service identification certificate from the service authentication system;
the accessor service node sends the service identification certificate obtained from the service publishing system to the service authentication system for authentication and identification, obtains service identification information and writes it into a service request;
and after receiving the service request, the provider service node identifies the service identification information and processes the service request according to the identification result.
9. A computer-readable storage medium, on which a computer program is stored, which, when being executed by a processor, carries out the application recognition method according to claim 8.
10. An electronic device, comprising:
a processor;
a memory for storing one or more programs that, when executed by the processor, cause the processor to implement the application recognition method of claim 8.
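The flow of claims 1 to 8, together with the authorization check and error response described in the embodiments above, modelled end to end in Python as an added example. This is not the patent's own code: the class names, the HMAC-tagged token used as "service identification information", the in-memory certificate store, and the allow-list behind the authorization check are all assumptions made here; the patent specifies none of them. The publishing system obtains a certificate at publish time, the accessor plug-in exchanges it once at startup for tagged identification information and writes that into every request, the provider plug-in fetches the authentication key at startup and verifies the tag before writing the accessor identifier into the request, and the authorization service then decides whether the request is processed or answered with an error.

```python
"""Toy model of claims 1-8: publish-time certificate issuance, accessor-side
authentication, provider-side parsing with a key fetched at startup, then the
authorization check.  Added example, not the patent's own code: the class
names, HMAC-tagged token format, in-memory certificate store and allow-list
are assumptions; the patent specifies none of them."""
import base64, binascii, hashlib, hmac, json, secrets
from typing import Dict, Optional, Set


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode()


class ServiceAuthenticationSystem:
    def __init__(self) -> None:
        self._auth_key = secrets.token_bytes(32)   # assumed shared secret for providers
        self._certificates: Dict[str, str] = {}     # certificate -> service id

    def issue_certificate(self, service_id: str) -> str:
        # Called by the service publishing system when a service is published.
        cert = secrets.token_urlsafe(24)
        self._certificates[cert] = service_id
        return cert

    def authenticate(self, cert: str) -> str:
        # Accessor plug-in presents its certificate and gets tagged identification info.
        service_id = self._certificates.get(cert)
        if service_id is None:
            raise PermissionError("unknown service identification certificate")
        payload = json.dumps({"accessor": service_id}).encode()
        tag = hmac.new(self._auth_key, payload, hashlib.sha256).digest()
        return f"{_b64(payload)}.{_b64(tag)}"

    def authentication_key(self) -> bytes:
        # Provider authentication plug-in fetches this once at node startup.
        return self._auth_key


class AuthorizationService:
    # Authorization check: may this accessor call this provider? (assumed allow-list)
    def __init__(self, allow: Dict[str, Set[str]]) -> None:
        self._allow = allow

    def check(self, provider_id: str, accessor_id: str) -> bool:
        return accessor_id in self._allow.get(provider_id, set())


class AccessorServiceNode:
    def __init__(self, cert: str, auth: ServiceAuthenticationSystem) -> None:
        # Identification plug-in: read the certificate at startup, authenticate once.
        self._ident_info = auth.authenticate(cert)

    def build_request(self, body: dict) -> dict:
        # The plug-in writes the service identification information into each request.
        return {"ident": self._ident_info, "body": body}


class ProviderServiceNode:
    def __init__(self, provider_id: str, auth: ServiceAuthenticationSystem,
                 authz: AuthorizationService) -> None:
        self._id = provider_id
        self._auth_key = auth.authentication_key()  # provider plug-in, at startup
        self._authz = authz

    def _parse_ident(self, ident: str) -> Optional[str]:
        # Verify the tag with the startup key; return the accessor service id or None.
        try:
            payload_b64, tag_b64 = ident.split(".")
            payload = base64.urlsafe_b64decode(payload_b64.encode())
            tag = base64.urlsafe_b64decode(tag_b64.encode())
        except (ValueError, binascii.Error):
            return None
        expected = hmac.new(self._auth_key, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):   # constant-time comparison
            return None
        return json.loads(payload)["accessor"]

    def handle(self, request: dict) -> dict:
        accessor_id = self._parse_ident(request.get("ident", ""))
        if accessor_id is None:
            return {"status": "error", "message": "service identification failed"}
        request["accessor_id"] = accessor_id        # written in only after parsing succeeds
        if not self._authz.check(self._id, accessor_id):
            return {"status": "error", "message": f"{accessor_id} not authorized for {self._id}"}
        return {"status": "ok", "accessor_id": accessor_id, "body": request["body"]}


def demo():
    """One allowed call, one denied call, one forged token (constructed service ids)."""
    auth = ServiceAuthenticationSystem()
    cert_order = auth.issue_certificate("order-service")    # publishing system, publish time
    cert_report = auth.issue_certificate("report-service")
    authz = AuthorizationService({"payment-service": {"order-service"}})
    provider = ProviderServiceNode("payment-service", auth, authz)
    allowed = provider.handle(AccessorServiceNode(cert_order, auth).build_request({"amount": 10}))
    denied = provider.handle(AccessorServiceNode(cert_report, auth).build_request({"amount": 10}))
    forged = {"ident": _b64(b'{"accessor": "order-service"}') + "." + _b64(b"\x00" * 32), "body": {}}
    return allowed, denied, provider.handle(forged)
```

The point the claims leave implicit, and which the example makes concrete, is that the provider never trusts the accessor identifier carried in the request body: it only writes that identifier into the request after the tag has been verified with the key obtained from the authentication system at startup, so a request with a forged or tampered token is rejected before the authorization check is even consulted.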
CN202110413658.5A 2021-04-16 2021-04-16 Service identification system and method, storage medium, and electronic device Active CN113067706B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110413658.5A CN113067706B (en) 2021-04-16 2021-04-16 Service identification system and method, storage medium, and electronic device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202110413658.5A CN113067706B (en) 2021-04-16 2021-04-16 Service identification system and method, storage medium, and electronic device

Publications (2)

Publication Number Publication Date
CN113067706A true CN113067706A (en) 2021-07-02
CN113067706B CN113067706B (en) 2022-12-02

Family

ID=76567183

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110413658.5A Active CN113067706B (en) 2021-04-16 2021-04-16 Service identification system and method, storage medium, and electronic device

Country Status (1)

Country Link
CN (1) CN113067706B (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
SE0104344D0 (en) * 2001-12-20 2001-12-20 Au System Ab Publ System and procedure
US20020049912A1 (en) * 2000-10-20 2002-04-25 Shinsuke Honjo Access control method
US8898806B1 (en) * 2011-12-15 2014-11-25 Symantec Corporation Systems and methods for protecting services
US10728247B1 (en) * 2019-08-02 2020-07-28 Alibaba Group Holding Limited Selecting an authentication system for handling an authentication request
CN112564916A (en) * 2020-12-01 2021-03-26 上海艾融软件股份有限公司 Access client authentication system applied to micro-service architecture


Also Published As

Publication number Publication date
CN113067706B (en) 2022-12-02


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant