CN113076555A - Security authentication method and system based on open interface communication - Google Patents


Info

Publication number
CN113076555A
Authority
CN
China
Prior art keywords
authorization
authentication
interface
sign
service
Prior art date
Legal status
Granted
Application number
CN202110332256.2A
Other languages
Chinese (zh)
Other versions
CN113076555B (en)
Inventor
刘杨
Current Assignee
Shanghai Minglue Artificial Intelligence Group Co Ltd
Original Assignee
Shanghai Minglue Artificial Intelligence Group Co Ltd
Priority date
Filing date
Publication date
Events
Application filed by Shanghai Minglue Artificial Intelligence Group Co Ltd
Priority to CN202110332256.2A
Publication of CN113076555A
Application granted
Publication of CN113076555B
Legal status: Active
Anticipated expiration

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/60 Protecting data
    • G06F 21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F 21/6218 Protecting access to data via a platform, e.g. using keys or access control rules, to a system of files or objects, e.g. local or distributed file system or database
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F 16/20 Information retrieval; Database structures therefor; File system structures therefor of structured data, e.g. relational data
    • G06F 16/24 Querying
    • G06F 16/245 Query processing
    • G06F 16/2455 Query execution
    • G06F 16/24552 Database cache management
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F 16/20 Information retrieval; Database structures therefor; File system structures therefor of structured data, e.g. relational data
    • G06F 16/25 Integrating or interfacing systems involving database management systems
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 2221/21 Indexing scheme relating to G06F 21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 2221/2141 Access rights, e.g. capability lists, access control lists, access tables, access matrices

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Databases & Information Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Mining & Analysis (AREA)
  • Bioethics (AREA)
  • Software Systems (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • General Health & Medical Sciences (AREA)
  • Computational Linguistics (AREA)
  • Health & Medical Sciences (AREA)
  • Storage Device Security (AREA)

Abstract

The invention discloses a security authentication method and system based on open interface communication. The method comprises the following steps: establishing an authorization service and a MYSQL service, and initializing a related authorization table in the MYSQL service; caching the updated authorization data of the authorization table into the memory data of the authorization service; the authorized service specifies the interfaces that need security authentication; the authorized service initiates a request to a security-authenticated interface and carries the relevant authentication parameters with it; obtaining a comparison sign from the authentication parameters, the authorization table and the memory data, and comparing the comparison sign with the sign in the authentication parameters; and after the comparison passes, the interface performs authorization authentication through the authorization authentication module, and if the authorization authentication succeeds, the authorization process is completed.

Description

Security authentication method and system based on open interface communication
Technical Field
The invention relates to the technical field of computers, in particular to a security authentication method and system based on open interface communication.
Background
With the continual updating and upgrading of internet microservices and distributed technologies, communication among services is indispensable. A common scenario is that an open service interface authorizes an authorized service to access it. If no security verification exists when the authorized service accesses the open interface, the open service interface is exposed to other non-target services on the public network or the internal network, can be accessed or even maliciously used by other unspecified services, and can be cracked by interface replay attacks. If interface access authentication occurs at high frequency, database penetration is also likely. A data access authorization scheme for directional service authorization therefore needs to be designed, so that a service can only be accessed by the services the user has authorized, achieving the final purpose of data security. Existing data access authorization schemes place a certain demand on machine memory, so memory cost is high, and security problems caused by key leakage, or by decryption through unpacking the data of http requests, can also occur.
Disclosure of Invention
The invention provides a security authentication method and system based on open interface communication, aiming at the technical problem that the open service interface can be utilized maliciously.
In a first aspect, an embodiment of the present application provides a security authentication method based on open interface communication, including:
service building steps: constructing an authorization service and a MYSQL service, and initializing a related authorization table in the MYSQL service;
a data caching step: caching the updated authorization data in the authorization table into the memory data of the authorization service;
an interface specifying step: the authorized service specifies the interface that needs security authentication;
an interface request step: the authorized service initiates a request to one of the interfaces protected by security authentication and carries the related authentication parameters with it;
a comparison step: obtaining a comparison sign from the authentication parameters, the authorization table and the memory data, and comparing the comparison sign with the sign in the authentication parameters;
an authorization authentication step: after the comparison passes, the interface performs authorization authentication through an authorization authentication module, and the authorization process is completed if the authorization authentication succeeds.
In the above security authentication method based on open interface communication, the information specified by the field of the authorization table includes but is not limited to: app source name, App id, App secret, state validity, creation date.
The security authentication method based on open interface communication, wherein the data caching step further includes:
a data refreshing step: and setting a refresh frequency, and refreshing the updated authorization data in the authorization table according to the refresh frequency.
The security authentication method based on open interface communication, wherein the interface specifying step further includes:
a safety authentication step: and carrying out security authentication on the interface through a security authentication module.
The security authentication method based on open interface communication, wherein the interface request step further includes: when the authorized service initiates a request, the http request header carries the relevant authentication parameters, where the authentication parameters include ts, nonce, sign and AppId, and the sign generation rule is hash (ts + nonce + AppId + AppSecret).
The security authentication method based on open interface communication, wherein the comparing step further comprises: the open interface service caches the nonce for the set caching time.
The security authentication method based on open interface communication, wherein the comparing step includes:
an AppSecret query step: querying the corresponding AppSecret from the authorization table or the memory data according to the AppId;
a comparison sign obtaining step: hashing the AppSecret together with the ts, nonce and AppId in the authentication parameters according to the sign generation rule to obtain a comparison sign;
a sign comparison step: comparing the comparison sign with the sign in the authentication parameters.
In the security authentication method based on open interface communication, after the authorization process in the authorization authentication step is completed, the open interface service enters an interface logic layer for processing, and returns the relevant data of the interface with successful authorization authentication.
In a second aspect, an embodiment of the present application provides a security authentication system based on open interface communication, including:
a service building unit: constructing an authorization service and a MYSQL service, and initializing a related authorization table in the MYSQL service;
a data caching unit: caching the updated authorization data in the authorization table into the memory data of the authorization service;
an interface specifying unit: the authorized service specifies the interface that needs security authentication;
an interface request unit: the authorized service initiates a request to one of the interfaces protected by security authentication and carries the related authentication parameters with it;
a comparison unit: obtaining a comparison sign from the authentication parameters, the authorization table and the memory data, and comparing the comparison sign with the sign in the authentication parameters;
an authorization authentication unit: after the comparison passes, the interface performs authorization authentication through an authorization authentication module, and the authorization process is completed if the authorization authentication succeeds.
The above-mentioned security authentication system based on open interface communication, wherein, the comparison unit includes:
an AppSecret query module: querying the corresponding AppSecret from the authorization table or the memory data according to the AppId;
a comparison sign obtaining module: hashing the AppSecret together with the ts, nonce and AppId in the authentication parameters according to the sign generation rule to obtain a comparison sign;
a sign comparison module: comparing the comparison sign with the sign in the authentication parameters.
Compared with the prior art, the invention has the advantages and positive effects that:
1. The latest authorization data of the authorization table in the MYSQL service is refreshed and cached at a set refresh frequency, so the number of database accesses for the authorization access list is reduced and database penetration caused by high-frequency interface access authentication is prevented.
2. The open interface service caches the nonce for the caching time, so interface replay attacks are prevented, the probability of being cracked is reduced, and the risk is reduced.
3. The security authentication problem of the service open interface design is solved and the interface is protected to the greatest extent; the problem of the secret key having to correspond to the http request is solved by the appSecret pre-authorized for each service, and the security problem caused by key leakage, or by cracking through unpacking the data of the http request, is also solved, thereby improving data security.
Drawings
Fig. 1 is a schematic diagram illustrating steps of a security authentication method based on open interface communication according to the present invention;
FIG. 2 is a flowchart based on step S5 in FIG. 1 according to the present invention;
fig. 3 is a block diagram of a security authentication system based on open interface communication according to the present invention;
fig. 4 is a block diagram of a computer device according to an embodiment of the present application.
Wherein the reference numerals are:
11. a service building unit; 12. a data cache unit; 13. an interface specifying unit; 14. an interface request unit; 15. a comparison unit; 151. an AppSecret query module; 152. a comparison sign obtaining module; 153. a sign comparison module; 16. an authorization authentication unit; 81. a processor; 82. a memory; 83. a communication interface; 80. a bus.
Detailed Description
In order to make the objects, technical solutions and advantages of the present application more apparent, the present application will be described and illustrated below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are merely illustrative of the present application and are not intended to limit the present application. All other embodiments obtained by a person of ordinary skill in the art based on the embodiments provided in the present application without any inventive step are within the scope of protection of the present application.
It is obvious that the drawings in the following description are only examples or embodiments of the present application, and that it is also possible for a person skilled in the art to apply the present application to other similar contexts on the basis of these drawings without inventive effort. Moreover, it should be appreciated that in the development of any such actual implementation, as in any engineering or design project, numerous implementation-specific decisions must be made to achieve the developers' specific goals, such as compliance with system-related and business-related constraints, which may vary from one implementation to another.
Reference in the specification to "an embodiment" means that a particular feature, structure, or characteristic described in connection with the embodiment can be included in at least one embodiment of the specification. The appearances of the phrase in various places in the specification are not necessarily all referring to the same embodiment, nor are separate or alternative embodiments mutually exclusive of other embodiments. Those of ordinary skill in the art will explicitly and implicitly appreciate that the embodiments described herein may be combined with other embodiments without conflict.
Unless defined otherwise, technical or scientific terms referred to herein shall have the ordinary meaning as understood by those of ordinary skill in the art to which this application belongs. Reference to "a," "an," "the," and similar words throughout this application are not to be construed as limiting in number, and may refer to the singular or the plural. The present application is directed to the use of the terms "including," "comprising," "having," and any variations thereof, which are intended to cover non-exclusive inclusions; for example, a process, method, system, article, or apparatus that comprises a list of steps or modules (elements) is not limited to the listed steps or elements, but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus. Reference to "connected," "coupled," and the like in this application is not intended to be limited to physical or mechanical connections, but may include electrical connections, whether direct or indirect. The term "plurality" as referred to herein means two or more. "and/or" describes an association relationship of associated objects, meaning that three relationships may exist, for example, "A and/or B" may mean: a exists alone, A and B exist simultaneously, and B exists alone. The character "/" generally indicates that the former and latter associated objects are in an "or" relationship. Reference herein to the terms "first," "second," "third," and the like, are merely to distinguish similar objects and do not denote a particular ordering for the objects.
The present invention is described in detail with reference to the embodiments shown in the drawings, but it should be understood that these embodiments are not intended to limit the present invention, and those skilled in the art should understand that functional, methodological, or structural equivalents or substitutions made by these embodiments are within the scope of the present invention.
Before describing in detail the various embodiments of the present invention, the core inventive concepts of the present invention are summarized and described in detail by the following several embodiments.
The invention refreshes the latest authorization data from the MYSQL service on schedule and caches the updated data of OpenAuth (the authorization table). The authorized service specifies the relevant interfaces that need authentication. When the authorized service initiates a request, the http request header carries the relevant authentication parameters; the corresponding appSecret is then queried from the OpenAuth data table or the cache according to the appId, a comparison sign is obtained according to the sign generation rule, and the comparison sign is compared with the sign transmitted by the authorized service. After the comparison passes, the interface goes through the authorization authentication module and the authorization process is completed.
The first embodiment is as follows:
fig. 1 is a schematic step diagram of a security authentication method based on open interface communication according to the present invention. As shown in fig. 1, this embodiment discloses a specific implementation of a security authentication method (hereinafter referred to as "method") based on open interface communication.
Specifically, the method disclosed in this embodiment mainly includes the following steps:
step S1: constructing an authorization service and a MYSQL service, and initializing a related authorization table in the MYSQL service;
specifically, the MYSQL service is built and a related authorization table (OpenAuth) in the MYSQL service is initialized, and information specified by fields of the authorization table includes but is not limited to: app source name, App id, App secret, state validity, creation date.
Step S2: caching the updated authorization data in the authorization table into the memory data of the authorization service;
specifically, when the memory data cache is used, a refresh frequency is set, the latest authorization data is refreshed in the MYSQL service according to the refresh frequency, and the OpenAuth data is cached, so that the database access times of an authorization access list are reduced, and database penetration caused by high-frequency interface access authentication is prevented.
When authorized App names, AppIds and AppSecrets are added to the OpenAuth table, the AppSecret is generated by combining multi-dimensional character strings as far as possible. The AppId and AppSecret are delivered to the related application user for safekeeping, and the transmission security of the AppId and AppSecret must be guaranteed to prevent data security risks caused by leakage.
Step S3: the authorized service specifies the interface that needs security authentication;
specifically, the open service, i.e., the authorized service, specifies the relevant interface to be authenticated, which needs to be securely authenticated by the security authentication module.
Step S4: the authorized service initiates a request to one of the interfaces protected by security authentication and carries the related authentication parameters with it;
specifically, when the authorized service initiates a request to the interface, the http request header needs to carry the relevant authentication parameters, including ts (timestamp), nonce (random string), sign (signature check) and appId (application id); the sign generation rule is hash (ts + nonce + appId + appSecret).
Step S5: obtaining a comparison sign according to the authentication parameters, an authorization table and memory data, and comparing the comparison sign with the sign in the authentication parameters;
specifically, firstly, the open interface service caches nonces according to the set caching time to prevent interface replay attack, and then, referring to fig. 2, step S5 specifically includes the following steps:
step S51: inquiring corresponding AppSecret through the authorization table or the memory data according to the AppId;
step S52: hashing the AppSecret together with the ts, nonce and AppId in the authentication parameters according to the sign generation rule to obtain a comparison sign;
step S53: and comparing the sign with the sign in the authentication parameters.
Step S6: and after the comparison is passed, the interface carries out authorization authentication through an authorization authentication module, and the authorization process is completed if the authorization authentication is successful.
Specifically, after the authorization process in step S6 is completed, the open interface service enters an interface logic layer for processing, and returns the relevant data of the interface that is successfully authorized and authenticated.
The application flow of the method is concretely illustrated as follows:
1. An authorization service and a MYSQL service are built, the related authorization table OpenAuth is initialized, and the fields of the table specify the App source name, AppId, AppSecret, state validity, creation date and the like.
2. A memory data cache refreshes the latest authorization data from MYSQL once every 60 seconds and caches the OpenAuth data, so the number of database accesses for the authorization access list is reduced and database penetration caused by high-frequency interface access authentication is prevented.
3. Authorized App names, AppIds and AppSecrets are added to the OpenAuth table; the AppSecret is generated by combining multi-dimensional character strings as far as possible to increase security. The AppId and AppSecret are delivered to the related application user for safekeeping, so their transmission security must be ensured to prevent data security risks caused by leakage.
4. The open service specifies the relevant interfaces that need authentication, so that requests to these protected interfaces must pass through the security authentication module.
5. The authorized service initiates a request; when a protected interface is requested, the http request header needs to carry the relevant authentication parameters, including ts (timestamp), nonce (random string), sign (signature check) and appId (application id); the sign generation rule is hash (ts + nonce + appId + appSecret).
6. The open interface service caches the nonce for 60 seconds to prevent interface replay attacks. It then queries the corresponding appSecret from the OpenAuth data table or the cache according to the appId, computes hash (ts + nonce + appId + appSecret) with the same rule, and compares it with the sign transmitted by the authorized service; if the comparison passes, the authorization is completed.
7. Once the interface has passed the authorization authentication module, the authorization process is completed, the request enters the interface logic layer for processing, and the relevant interface data are returned.
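The client and server sides of the exchange in steps 5 and 6, as an added example that is not part of the patent. The page fixes only the rule hash (ts + nonce + appId + appSecret), the 60-second refresh and the 60-second nonce cache; the hash algorithm (SHA-256), the timestamp window check, the constructed OpenAuth rows and all names such as OpenAuthCache and build_auth_headers are assumptions of this example.

```python
import hashlib
import hmac
import secrets
import time

REFRESH_SECONDS = 60    # page: OpenAuth data re-read from MYSQL every 60 seconds
NONCE_TTL_SECONDS = 60  # page: nonce cached for 60 seconds to block replays
TS_WINDOW_SECONDS = 60  # assumption: reject ts older than the nonce TTL (not on the page)


def compute_sign(ts, nonce, app_id, app_secret):
    """Page's rule hash(ts + nonce + appId + appSecret); SHA-256 is an assumption."""
    material = f"{ts}{nonce}{app_id}{app_secret}".encode()
    return hashlib.sha256(material).hexdigest()


def build_auth_headers(app_id, app_secret, now=None):
    """Client side: the four authentication parameters the http request header carries."""
    ts = str(int(time.time() if now is None else now))
    nonce = secrets.token_hex(16)  # random string; 128 bits so it does not repeat
    return {"ts": ts, "nonce": nonce, "appId": app_id,
            "sign": compute_sign(ts, nonce, app_id, app_secret)}


class FakeClock:
    """Deterministic clock so the demo below is reproducible."""
    def __init__(self, start):
        self.t = float(start)

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


class OpenAuthCache:
    """Memory copy of the OpenAuth table, re-read from the store every REFRESH_SECONDS."""
    def __init__(self, load_rows, clock=time.time):
        self._load = load_rows  # callable standing in for the MYSQL query
        self._clock = clock
        self._rows = {}
        self._loaded_at = None
        self.db_reads = 0

    def lookup(self, app_id):
        now = self._clock()
        if self._loaded_at is None or now - self._loaded_at >= REFRESH_SECONDS:
            self._rows = self._load()  # {appId: (appSecret, state_valid)}
            self._loaded_at = now
            self.db_reads += 1
        return self._rows.get(app_id)


class OpenInterfaceVerifier:
    """Server side: steps S51-S53 plus the nonce cache from the comparison step."""
    def __init__(self, auth_cache, clock=time.time):
        self._cache = auth_cache
        self._clock = clock
        self._nonces = {}  # nonce -> expiry time

    def verify(self, headers):
        now = self._clock()
        try:
            ts, nonce, app_id, sign = (headers[k] for k in ("ts", "nonce", "appId", "sign"))
        except KeyError:
            return False, "missing auth parameter"
        # Freshness check: without it a nonce could be replayed once it expires from the cache.
        if not ts.isdigit() or abs(now - int(ts)) > TS_WINDOW_SECONDS:
            return False, "timestamp outside window"
        self._nonces = {n: exp for n, exp in self._nonces.items() if exp > now}
        if nonce in self._nonces:
            return False, "replayed nonce"
        row = self._cache.lookup(app_id)                    # S51: appSecret from cache or table
        if row is None or not row[1]:
            return False, "unknown or disabled appId"
        expected = compute_sign(ts, nonce, app_id, row[0])  # S52: comparison sign
        if not hmac.compare_digest(expected, sign):         # S53: constant-time compare
            return False, "sign mismatch"
        self._nonces[nonce] = now + NONCE_TTL_SECONDS
        return True, "ok"


def demo():
    """Constructed OpenAuth rows and a fixed clock; returns the verdicts and store reads."""
    clock = FakeClock(1_700_000_000)
    secret = "constructed-app-secret"
    rows = {"app-demo": (secret, True), "app-off": ("constructed-off", False)}
    cache = OpenAuthCache(lambda: dict(rows), clock)
    verifier = OpenInterfaceVerifier(cache, clock)
    good = build_auth_headers("app-demo", secret, now=clock())
    results = [verifier.verify(good),                       # (True, "ok")
               verifier.verify(good)]                       # same nonce again: replay
    tampered = dict(good, nonce=secrets.token_hex(16))      # new nonce, old sign
    results.append(verifier.verify(tampered))               # sign mismatch
    results.append(verifier.verify(build_auth_headers("app-off", "constructed-off", now=clock())))
    clock.advance(120)                                      # past refresh and nonce TTL
    results.append(verifier.verify(build_auth_headers("app-demo", secret, now=clock() - 100)))
    results.append(verifier.verify(build_auth_headers("app-demo", secret, now=clock())))
    return results, cache.db_reads


if __name__ == "__main__":
    for verdict, reason in demo()[0]:
        print(verdict, reason)
```

The second store read in the demo happens only after the clock passes the 60-second refresh, which is the page's point about reducing database accesses under high-frequency authentication.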
The invention solves the security authentication problem of the service open interface design and protects the interface to the greatest extent; it removes the problem of the secret key having to correspond to the http request by using the appSecret pre-authorized for each service, and reduces the security problem caused by key leakage or by decryption through unpacking the data of the http request. At the same time, interface replay attacks are prevented, so the probability of being cracked is reduced and the risk is reduced. Authorization efficiency is also considered: an authorization data caching module is added, minimizing the impact of the authorization module on application efficiency.
Example two:
in combination with the method for security authentication based on open interface communication disclosed in the first embodiment, the present embodiment discloses a specific implementation example of a security authentication system (hereinafter referred to as "system") based on open interface communication.
Referring to fig. 3, the system includes:
service establishment unit 11: establishing an authorization service and a MYSQL service, and initializing a related authorization table in the MYSQL service;
the data buffer unit 12: caching the updated authorization data in the authorization table into the memory data of the authorization service;
the interface specifying unit 13: the authorized service specifies the interface that needs security authentication;
the interface request unit 14: the authorized service initiates a request to one of the interfaces protected by security authentication and carries the related authentication parameters with it;
the comparison unit 15: obtaining a comparison sign from the authentication parameters, the authorization table and the memory data, and comparing the comparison sign with the sign in the authentication parameters;
the authorization authentication unit 16: after the comparison passes, the interface performs authorization authentication through an authorization authentication module, and the authorization process is completed if the authorization authentication succeeds.
Specifically, the comparison unit 15 includes:
the AppSecret query module 151: querying the corresponding AppSecret from the authorization table or the memory data according to the AppId;
the comparison sign obtaining module 152: hashing the AppSecret together with the ts, nonce and AppId in the authentication parameters according to the sign generation rule to obtain a comparison sign;
the sign comparison module 153: comparing the comparison sign with the sign in the authentication parameters.
Please refer to the description of the first embodiment, which will not be repeated herein.
Example three:
referring to FIG. 4, the embodiment discloses an embodiment of a computer device. The computer device may comprise a processor 81 and a memory 82 in which computer program instructions are stored.
Specifically, the processor 81 may include a Central Processing Unit (CPU) or an Application Specific Integrated Circuit (ASIC), or may be configured as one or more integrated circuits implementing the embodiments of the present application.
Memory 82 may include, among other things, mass storage for data or instructions. By way of example, and not limitation, memory 82 may include a Hard Disk Drive (HDD), a floppy disk drive, a Solid State Drive (SSD), flash memory, an optical disk, a magneto-optical disk, tape, or a Universal Serial Bus (USB) drive, or a combination of two or more of these. Memory 82 may include removable or non-removable (or fixed) media, where appropriate. The memory 82 may be internal or external to the data processing apparatus, where appropriate. In a particular embodiment, the memory 82 is non-volatile memory. In particular embodiments, memory 82 includes Read-Only Memory (ROM) and Random Access Memory (RAM). The ROM may be mask-programmed ROM, Programmable ROM (PROM), Erasable PROM (EPROM), Electrically Erasable PROM (EEPROM), Electrically Alterable ROM (EAROM) or flash memory, or a combination of two or more of these, where appropriate. The RAM may be Static Random-Access Memory (SRAM) or Dynamic Random-Access Memory (DRAM), where the DRAM may be Fast Page Mode DRAM (FPMDRAM), Extended Data Output DRAM (EDODRAM), Synchronous DRAM (SDRAM), and the like.
The memory 82 may be used to store or cache various data files for processing and/or communication use, as well as possible computer program instructions executed by the processor 81.
The processor 81 implements any of the above described embodiments of the method of secure authentication by reading and executing computer program instructions stored in the memory 82.
In some of these embodiments, the computer device may also include a communication interface 83 and a bus 80. As shown in fig. 4, the processor 81, the memory 82, and the communication interface 83 are connected via the bus 80 to complete communication therebetween.
The communication interface 83 is used to implement communication between modules, devices, units and/or equipment in the embodiment of the present application. The communication interface 83 may also carry out data communication with other components, such as external equipment, image/data acquisition equipment, a database, external storage, an image/data processing workstation and the like.
Bus 80 includes hardware, software, or both to couple the components of the computer device to each other. Bus 80 includes, but is not limited to, at least one of the following: a data bus, an address bus, a control bus, an expansion bus and a local bus. By way of example, and not limitation, bus 80 may include an Accelerated Graphics Port (AGP) or other graphics bus, an Enhanced Industry Standard Architecture (EISA) bus, a Front-Side Bus (FSB), a HyperTransport (HT) interconnect, an Industry Standard Architecture (ISA) bus, an InfiniBand interconnect, a Low Pin Count (LPC) bus, a memory bus, a Micro Channel Architecture (MCA) bus, a Peripheral Component Interconnect (PCI) bus, a PCI-Express (PCI-X) bus, a Serial Advanced Technology Attachment (SATA) bus, a Video Electronics Standards Association Local Bus (VLB), or another suitable bus, or a combination of two or more of these. Bus 80 may include one or more buses, where appropriate. Although specific buses are described and shown in the embodiments of the application, any suitable buses or interconnects are contemplated by the application.
In addition, in combination with the security authentication method in the foregoing embodiments, the embodiments of the present application may provide a computer-readable storage medium to implement. The computer readable storage medium having stored thereon computer program instructions; the computer program instructions, when executed by a processor, implement any of the security authentication methods in the above embodiments.
The technical features of the embodiments described above may be arbitrarily combined, and for the sake of brevity, all possible combinations of the technical features in the embodiments described above are not described, but should be considered as being within the scope of the present specification as long as there is no contradiction between the combinations of the technical features.
In conclusion, the method has the following advantages. The latest authorization data of the authorization table in the MYSQL service is refreshed into the cache at a set refresh frequency, so the number of database accesses for the authorization list is reduced and database penetration caused by high-frequency interface access authentication is prevented. The open interface service caches each nonce for the set caching time, so interface replay attacks are prevented, the probability of the interface being cracked is reduced, and the risk is lowered. The problem of security authentication in the design of a service open interface is solved and the interface is protected to the greatest extent: each service is pre-authorized with its own AppSecret, which solves the problem of binding the secret key to the http request, and also avoids the security problem of the secret key being leaked or cracked by unpacking the data of the http request.
The above-mentioned embodiments only express several embodiments of the present application, and the description thereof is more specific and detailed, but not construed as limiting the scope of the invention. It should be noted that, for a person skilled in the art, several variations and modifications can be made without departing from the concept of the present application, which falls within the scope of protection of the present application. Therefore, the protection scope of the present patent shall be subject to the appended claims.

Claims (10)

1. A security authentication method based on open interface communication is characterized by comprising the following steps:
service building steps: constructing an authorization service and a MYSQL service, and initializing a related authorization table in the MYSQL service;
a data caching step: caching the updated authorization data in the authorization table into the memory data of the authorization service;
an interface specifying step: the authorized service specifies the interface that needs security authentication;
an interface request step: the authorized service initiates a request to an interface, among the interfaces, that is subject to the security authentication, and carries the related authentication parameters at the same time;
a comparison step: obtaining a comparison sign according to the authentication parameters, the authorization table and the memory data, and comparing the comparison sign with the sign in the authentication parameters;
an authorization authentication step: after the comparison is passed, the interface carries out authorization authentication through an authorization authentication module, and the authorization process is completed if the authorization authentication is successful.
2. The method of claim 1, wherein the information specified by the fields of the authorization table includes but is not limited to: app source name, App id, App secret, state validity, creation date.
3. The security authentication method based on open interface communication of claim 1, wherein the data caching step further comprises:
a data refreshing step: and setting a refresh frequency, and refreshing the updated authorization data in the authorization table according to the refresh frequency.
4. The method according to claim 1, wherein the interface assigning step further comprises:
a security authentication step: carrying out security authentication on the interface through a security authentication module.
5. The method of claim 1, wherein the interface request step further comprises: when the authorized service initiates a request, the http request header carries the relevant authentication parameters, where the authentication parameters include ts, nonce, sign and AppId, and the sign generation rule is hash(ts + nonce + AppId + AppSecret).
6. The method of claim 5, wherein the comparing step further comprises: and the open interface service caches the nonce according to the set caching time.
7. The method according to claim 5, wherein the comparing step comprises:
AppSecret query step: inquiring corresponding AppSecret through the authorization table or the memory data according to the AppId;
a comparison sign obtaining step: combining the AppSecret with the ts, nonce and AppId in the authentication parameters according to the sign generation rule to obtain a comparison sign;
a sign comparison step: comparing the comparison sign with the sign in the authentication parameters.
8. The security authentication method according to claim 6, wherein after the authorization process in the authorization authentication step is completed, the open interface service enters an interface logic layer for processing, and returns the data related to the interface that is successfully authorized and authenticated.
9. A security authentication system based on open interface communication, comprising:
a service building unit: constructing an authorization service and a MYSQL service, and initializing a related authorization table in the MYSQL service;
a data caching unit: caching the updated authorization data in the authorization table into the memory data of the authorization service;
an interface specifying unit: the authorized service specifies the interface that needs security authentication;
an interface request unit: the authorized service initiates a request to an interface, among the interfaces, that is subject to the security authentication, and carries the related authentication parameters at the same time;
a comparison unit: obtaining a comparison sign according to the authentication parameters, the authorization table and the memory data, and comparing the comparison sign with the sign in the authentication parameters;
an authorization authentication unit: and after the comparison is passed, the interface carries out authorization authentication through an authorization authentication module, and the authorization process is completed if the authorization authentication is successful.
10. The system of claim 9, wherein the comparing unit comprises:
AppSecret query module: inquiring corresponding AppSecret through the authorization table or the memory data according to the AppId;
a comparison sign obtaining module: combining the AppSecret with the ts, nonce and AppId in the authentication parameters according to the sign generation rule to obtain a comparison sign;
a sign comparison module: comparing the comparison sign with the sign in the authentication parameters.
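Server-side verification as the summary above and claims 5 to 8 describe it, written as an added Python example that is not the patent's own code: the AppSecret is served from an in-memory copy of the authorization table that is reloaded at a set refresh frequency, each accepted nonce is cached for the caching time so that a repeated request is rejected, and the received sign is checked against hash(ts + nonce + AppId + AppSecret). The hash function (SHA-256), the timestamp freshness window, the table contents and all names are assumptions; the page fixes none of them.

```python
import hashlib
import hmac

# Constructed stand-in for the MYSQL authorization table (assumption: a real
# deployment loads these rows from the database on each refresh).
AUTH_TABLE = {
    "app-001": {"app_secret": "s3cr3t-example", "state": "valid"},
    "app-002": {"app_secret": "another-secret", "state": "disabled"},
}

def make_sign(ts, nonce, app_id, app_secret):
    """sign = hash(ts + nonce + AppId + AppSecret). SHA-256 is an assumption; the
    page names no hash function (an HMAC keyed with AppSecret is more usual)."""
    return hashlib.sha256(f"{ts}{nonce}{app_id}{app_secret}".encode()).hexdigest()

class OpenInterfaceAuth:
    def __init__(self, load_table, refresh_seconds=60, nonce_ttl=300, ts_skew=300):
        self._load_table = load_table        # callable returning the table rows
        self._refresh_seconds = refresh_seconds
        self._nonce_ttl = nonce_ttl          # the "caching time" for nonces
        self._ts_skew = ts_skew              # added check: max |now - ts| accepted
        self._cache, self._cache_loaded = {}, float("-inf")
        self._nonces = {}                    # nonce -> expiry time

    def _secret_for(self, app_id, now):
        # Serve AppSecret from memory; reload from the table at the set frequency
        if now - self._cache_loaded >= self._refresh_seconds:
            self._cache, self._cache_loaded = self._load_table(), now
        row = self._cache.get(app_id)
        if row is None or row["state"] != "valid":
            return None
        return row["app_secret"]

    def verify(self, headers, now):
        # Check the ts/nonce/sign/AppId request headers; returns (ok, reason)
        ts = headers.get("ts", "")
        if not ts.isdigit() or abs(now - int(ts)) > self._ts_skew:
            return False, "bad or stale ts"
        nonce = headers.get("nonce", "")
        self._nonces = {n: e for n, e in self._nonces.items() if e > now}
        if not nonce or nonce in self._nonces:
            return False, "replayed nonce"   # seen within the caching time
        app_id = headers.get("AppId", "")
        secret = self._secret_for(app_id, now)
        if secret is None:
            return False, "unknown or disabled app"
        expected = make_sign(ts, nonce, app_id, secret)
        if not hmac.compare_digest(expected.encode(), headers.get("sign", "").encode()):
            return False, "sign mismatch"
        self._nonces[nonce] = now + self._nonce_ttl  # cache the nonce on success
        return True, "ok"
```

The timestamp window is not in the claims but is what makes the nonce cache sufficient: once a nonce has aged out of the cache, its ts is already too old to be accepted.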

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110332256.2A CN113076555B (en) 2021-03-29 2021-03-29 Security authentication method and system based on open interface communication


Publications (2)

Publication Number Publication Date
CN113076555A true CN113076555A (en) 2021-07-06
CN113076555B CN113076555B (en) 2024-02-06

Family

ID=76610887

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110332256.2A Active CN113076555B (en) 2021-03-29 2021-03-29 Security authentication method and system based on open interface communication

Country Status (1)

Country Link
CN (1) CN113076555B (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104350501A (en) * 2012-05-25 2015-02-11 佳能株式会社 Authorization server and client apparatus, server cooperative system, and token management method
US20190281487A1 (en) * 2017-11-17 2019-09-12 Huawei Technologies Co., Ltd. System and Method for Channel Measurement and Interference Measurement in Wireless Network
CN110945850A (en) * 2017-08-11 2020-03-31 万事达卡国际公司 System and method for automating security control between computer networks
CN112016106A (en) * 2020-08-19 2020-12-01 杭州指令集智能科技有限公司 Authentication calling method, device, equipment and readable storage medium of open interface




Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant