CN113472794B - Multi-application system authority unified management method based on micro-service and storage medium - Google Patents
- Publication number: CN113472794B
- Application number: CN202110755655.XA
- Authority: CN (China)
- Prior art keywords: service, application, token, gateway, user
- Legal status: Active (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
- H—ELECTRICITY
  - H04—ELECTRIC COMMUNICATION TECHNIQUE
    - H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
      - H04L63/00—Network architectures or network communication protocols for network security
        - H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
          - H04L63/0807—Network architectures or network communication protocols for network security for authentication of entities using tickets, e.g. Kerberos
- G—PHYSICS
  - G06—COMPUTING; CALCULATING OR COUNTING
    - G06F—ELECTRIC DIGITAL DATA PROCESSING
      - G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
        - G06F21/30—Authentication, i.e. establishing the identity or authorisation of security principals
          - G06F21/45—Structures or tools for the administration of authentication
- G—PHYSICS
  - G06—COMPUTING; CALCULATING OR COUNTING
    - G06F—ELECTRIC DIGITAL DATA PROCESSING
      - G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
        - G06F21/60—Protecting data
          - G06F21/602—Providing cryptographic facilities or services
- H—ELECTRICITY
  - H04—ELECTRIC COMMUNICATION TECHNIQUE
    - H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
      - H04L63/00—Network architectures or network communication protocols for network security
        - H04L63/10—Network architectures or network communication protocols for network security for controlling access to devices or network resources
- H—ELECTRICITY
  - H04—ELECTRIC COMMUNICATION TECHNIQUE
    - H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
      - H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
        - H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
          - H04L9/321—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving a third party or a trusted authority
            - H04L9/3213—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving a third party or a trusted authority using tickets or tokens, e.g. Kerberos
Abstract
The application relates to the technical field of micro-services, in particular to a multi-application system authority unified management method and a storage medium based on micro-services. The method comprises the following steps: generating an independent user authority service for the user authorities of different applications; receiving an external request, auditing the information of the external request at a unified gateway, and distributing the external request that passes the audit to the corresponding application service; the application service receives the external request and verifies the service token carried by the external request, and/or the user authority service receives the external request and verifies the service token carried by the external request. Because an independent user authority service is generated for the user authorities of different applications, a consistent service version is provided externally and the version is forcibly unified, so interface incompatibility caused by differing SDK versions and the difficulty of maintaining multiple versions are avoided, and unified management provides a guarantee for stable operation of the system.
Description
Technical Field
The application relates to the technical field of micro-services, in particular to a multi-application system authority unified management method and a storage medium based on micro-services.
Background
With the expansion of Internet applications, the development, deployment, operation and maintenance of the traditional monolithic application architecture have become slower and more complex, and agile development cannot even be carried out in monolithic application development; on this basis, micro-services, with higher independence, availability and flexibility, were developed. Structurally, the micro-service architecture splits an application into a number of loosely coupled services that cooperate with each other through some protocol (REST, RPC, etc.) to complete the functions of the original monolithic architecture, while providing a more flexible deployment mode, easier expansion, and reduced complexity in development and operation.
In the micro-service architecture, the system's access authority control is mainly realized through an API gateway. The gateway serves as the entrance that authenticates and authorizes external requests; after authentication succeeds, the request is distributed to the corresponding micro-service application, and the micro-service itself no longer performs any effective security authentication or authorization. Because the micro-service cannot authenticate, some private API interfaces are directly exposed, which greatly reduces the security of the whole system.
In traditional monolithic applications, user authority control is mostly realized through a Session. The micro-service architecture is a distributed architecture; if it retains the traditional Session-based authority control, it needs an additional Session replication mechanism. In this mode, the more finely the system is split into services, the more network and server resources are occupied; and each service needs to check authority independently, which increases the delay and complexity of system responses, so the method is not suitable for a micro-service architecture.
Multiple application systems generally adopt a unified SDK to realize unified authentication; as the business systems keep expanding, the SDK versions are not iterated uniformly, so updates are not timely, and basic services of the same type are built repeatedly across business systems. How to effectively realize authority authentication under a micro-service architecture has therefore become a problem to be solved.
Disclosure of Invention
Therefore, a unified management method for multi-application system permissions based on micro-services needs to be provided, to solve the technical problems of low security and slow system response in micro-service permission authentication in the prior art. The specific technical scheme is as follows:
the unified management method of the rights of the multi-application system based on the micro-service comprises the following steps:
generating an independent user authority service for the user authorities of different applications;
receiving an external request, auditing the information of the external request by a unified gateway, and distributing the external request passing the auditing to a corresponding application service;
the application service receives the external request and verifies a service token carried by the external request, and/or the user rights service receives the external request and verifies a service token carried by the external request.
Further, before the step of receiving the external request and the step of checking the information of the external request by the unified gateway, the method further comprises the steps of:
the gateway service, the user authority service and each application service register the service to a registration service center, and synchronize all service instances registered to the registration service center from the registration service center;
the gateway service and the application service apply for a service token from the user authority service;
when the gateway service forwards other service requests, the service token is carried in a request header of request information of the service request; or when the application service sends out a request, carrying the service token in a request header of the request information of the request.
Further, the gateway service, the user authority service and each application service register the service with the registration service center, and synchronize all service instances registered with the registration service center from the registration service center, and specifically further includes the steps of:
the gateway service, the user authority service and each application service automatically register the service with a registration service center when being started;
the gateway service, the user authority service and each application service synchronize address lists of all service instances registered in the registration service center to the local in real time after being started;
and connecting the different application services with the respective application stores, and synchronizing the storage connection configuration information to the user authority service.
Further, the "the gateway service and the application service apply for a service token from the user authority service" specifically further includes the steps of:
the gateway service issues a gateway service public key to the user authority service, loads a gateway service private key after the gateway service public key is issued successfully, and encrypts a registered gateway service ID (identity) by using the gateway service private key to generate a gateway service ID ciphertext;
the application service issues an application service public key and the application store connection configuration information to the user authority service, loads an application service private key after the application service public key is issued successfully, and encrypts the registered application service ID with the application service private key to generate an application service ID ciphertext;
the gateway service submits the gateway service ID ciphertext and gateway registration information to the user authority service to apply for a service token;
the application service submits the application service ID ciphertext and application registration information to the user authority service to apply for a service token;
the user authority service checks whether the gateway registration information is legal and uses the gateway service public key to verify the gateway service ID ciphertext, if the gateway registration information is legal and the gateway service ID ciphertext passes the verification, the user authority service generates a service token and returns the service token to the gateway service;
the user authority service checks whether the application registration information is legal and uses the application service public key to verify the application service ID ciphertext, if the application registration information is legal and the application service ID ciphertext is verified, the user authority service generates a service token and returns the service token to the application service;
the service token is generated by a user authority service token private key which is built in the user authority service;
the public key of the user authority service token is published externally.
Further, the step of receiving the external request, auditing the information of the external request by the unified gateway, and distributing the external request passing the audit to the corresponding application service, specifically further includes the steps of:
the external application initiates an authorization application to the user authority service through a unified gateway;
the unified gateway responds to an external request and sends request information of an authorization application to the user authority service;
the user authority service loads configuration information according to the application system identifier in the request information of the authorization application, uses the loaded configuration to connect to the corresponding storage library, acquires the requesting user's information and verifies the user's legitimacy; if the user is legal, it creates a Session for the legal user, stores the Session in the storage cache, generates an authorization Token from the user Session and the application system identifier, and returns the generated Token to the external application through the gateway;
the authorization Token is generated with a Token private key built into the user authority service, and the Token public key is published externally.
Further, after the "the user authority service loads the configuration information according to the application system identifier in the request information of the authorization application", the method specifically further includes the steps of:
if the configuration information corresponding to the application system is not found, directly returning an error prompt;
after the request user information is acquired and the user validity is verified, the method specifically further comprises the steps of:
if the user is illegal, an error prompt is directly returned.
Further, the method further comprises the steps of:
the external application sends a request carrying the Token to a unified gateway;
the unified gateway verifies the Token information with the Token public key, and once the Token is verified as legal, obtains the authorization information of the corresponding user from the user authority service;
the user authority service verifies the Token again, connects to the corresponding storage library according to the application identifier in the Token, retrieves the user authorization information from that storage library, and returns the retrieval result to the unified gateway;
the unified gateway matches the requested resource against the returned user authorization list, and if the requested resource matches the authorization list, distributes the request to the server of the corresponding running application service according to the service routing rule;
the application service receives the external request and verifies the service token carried by the external request, and specifically further comprises the steps of:
after receiving the request information, the application service verifies whether the service Token and the Token are legal, if the service Token and the Token are legal, the application service uses a Token public key to extract user information in the Token, executes a service flow according to the user information and the requested resource, and returns an execution result to the unified gateway;
and the unified gateway synchronously returns an execution result to the external application.
Further, after the "match request resource", the method specifically further includes the steps of:
if the requested resource does not match the authorization list, an override error (access beyond the user's authorization) is returned;
after the Token public key is used for extracting the user information in the Token, the method specifically further comprises the steps of:
and if more user information is needed, synchronously sending a request to the user authority service to acquire user detail information.
Further, the "the user authority service receives the external request and verifies the service token carried by the external request", and specifically further includes the steps of:
and the unified gateway packages the application identifier, the request information and the execution result into an audit log and submits the audit log asynchronously to the user authority service; the user authority service verifies the service token, and if the service token passes verification, stores the audit log in the corresponding storage library according to the application identifier of the audit log and returns the log status.
To solve the above technical problem, there is also provided a storage medium having stored thereon a computer program which, when executed by a processor, implements any of the steps of the above-mentioned micro-service based multi-application rights unified management method.
The beneficial effects of the application are as follows. The unified management method of the rights of the multi-application system based on micro-services comprises the following steps: generating an independent user authority service for the user authorities of different applications; receiving an external request, auditing the information of the external request at a unified gateway, and distributing the external request that passes the audit to the corresponding application service; the application service receives the external request and verifies the service token carried by the external request, and/or the user authority service receives the external request and verifies the service token carried by the external request. Because an independent user authority service is generated for the user authorities of different applications, a consistent service version is provided externally and the version is forcibly unified, so interface incompatibility caused by differing SDK versions and the difficulty of maintaining multiple versions are avoided, and unified management provides a guarantee for stable operation of the system. The authority authentication of the multi-application system under the micro-service architecture is realized efficiently through the unified user authority service, so complex authority control by a third-party framework is not needed, and subsequent adjustment and expansion of the authority functions are convenient. The running application service instances no longer process authority control, so the business flow can be processed more efficiently and the response speed is improved. And the development process of each application system no longer needs to attend to or implement the authority control flow, which improves the efficiency of the developers.
Further, various services are effectively managed through a registration service center; the same service can deploy a plurality of service instances, realize the dynamic capacity expansion of the service, effectively share the pressure and improve the performance, and when a certain service instance is abnormally interrupted, other service instances can also continue to respond.
Furthermore, the service token mode effectively protects the interfaces of each micro-service application from being directly exposed; external applications must call interfaces through the unified gateway, which improves the safety of the application system.
Furthermore, the multi-application system unifies resource authentication, authorization and log auditing across different application systems through the micro-service architecture, so that business applications can focus on realizing their own business logic.
Drawings
FIG. 1 is a flowchart of a method for unified management of rights of a multi-application micro-service based system according to an embodiment;
FIG. 2 is a schematic diagram of the operation framework of the method for unified management of rights of a multi-application system based on micro-services according to an embodiment;
FIG. 3 is a flowchart of the steps by which the gateway service and the application service acquire a service token according to an embodiment;
FIG. 4 is a second flowchart of the steps by which the gateway service and the application service acquire a service token according to an embodiment;
FIG. 5 is another flowchart of the steps by which the gateway service and the application service acquire a service token according to an embodiment;
FIG. 6 is a flowchart showing the steps of processing a login request according to an embodiment;
FIG. 7 is a timing diagram of a Token authorization of a user according to one embodiment;
FIG. 8 is a timing diagram of user authentication according to an embodiment;
FIG. 9 is a schematic block diagram of a storage medium according to an embodiment.
Reference numerals illustrate:
900. a storage medium.
Detailed Description
In order to describe the technical content, constructional features, achieved objects and effects of the technical solution in detail, the following description is made in connection with the specific embodiments in conjunction with the accompanying drawings.
Referring to FIG. 1 to FIG. 8, the core technical idea of the present application is to separate the user authority functions of different applications into a micro-service that provides unified user login and authority services externally, forces a unified version, avoids interface incompatibility caused by differing SDK versions and the difficulty of multi-version maintenance, and provides a guarantee for stable operation of the system. The authority authentication of the multi-application system under the micro-service architecture is realized efficiently through the unified user authority service, so complex authority control by a third-party framework is not needed, and subsequent adjustment and expansion of the authority functions are convenient. A unified gateway service is also set up: external requests are first fully checked by the unified gateway, and further processing happens only after the check passes, which improves the safety of the application system; inside the micro-services, the user authority service can be called directly, without passing through the gateway's authentication and audit processing, which ensures efficient and stable realization of business services.
The following description will be developed specifically:
First, as shown in FIG. 2, the framework in which the multi-application system authority unified management method based on micro-services operates comprises: an access layer (external requests), a unified gateway service, a lightweight service layer and a multi-source storage layer. The access layer mainly refers to external applications initiating resource requests through the standard HTTP/HTTPS protocol; external requests are uniformly proxied through the Gateway, which distributes each request to the server of the corresponding running micro-service according to the service route. The gateway, the user authority service and the various application services automatically register themselves with the registry when started, and after starting synchronize the address lists of the application service instances from the registry to the local node in real time; this supports dynamic capacity expansion of the same service and, combined with a client-side load balancing strategy, achieves highly available service performance. The different application services connect to their respective application stores and synchronize the storage connection configuration information into the user authority service; when the user authority service retrieves authority resources, it obtains the authority resources of the corresponding user from the configured business storage library, so that authority resources under the multi-application system are configured in the same way and managed uniformly, and user authority resources across the multiple application systems share network and server resources.
As shown in fig. 1, the unified management method for rights of multiple application systems based on micro-services specifically includes the steps of:
step S101: an independent user rights service is generated for the user rights of different applications.
Step S102: and receiving an external request, auditing the information of the external request by the unified gateway, and distributing the external request passing the auditing to the corresponding application service.
Step S103: the application service receives the external request and verifies a service token carried by the external request, and/or the user rights service receives the external request and verifies a service token carried by the external request.
The unified management method of the rights of the multi-application system based on micro-services comprises the following steps: generating an independent user authority service for the user authorities of different applications; receiving an external request, auditing the information of the external request at a unified gateway, and distributing the external request that passes the audit to the corresponding application service; the application service receives the external request and verifies the service token carried by the external request, and/or the user authority service receives the external request and verifies the service token carried by the external request. Because an independent user authority service is generated for the user authorities of different applications, a consistent service version is provided externally and the version is forcibly unified, so interface incompatibility caused by differing SDK versions and the difficulty of maintaining multiple versions are avoided, and unified management provides a guarantee for stable operation of the system. The authority authentication of the multi-application system under the micro-service architecture is realized efficiently through the unified user authority service, so complex authority control by a third-party framework is not needed, and subsequent adjustment and expansion of the authority functions are convenient. The running application service instances no longer process authority control, so the business flow can be processed more efficiently and the response speed is improved. And the development process of each application system no longer needs to attend to or implement the authority control flow, which improves the efficiency of the developers.
The following describes how the gateway service and the application service obtain the service token:
as shown in fig. 3, step S102 specifically further includes the steps of:
step S301: the gateway service, the user authority service and the application services register the service with the registration service center, and synchronize all service instances registered with the registration service center from the registration service center.
Step S302: the gateway service and the application service apply for a service token from the user authority service.
Step S303: when the gateway service forwards other service requests, the service token is carried in a request header of request information of the service request; or when the application service sends out a request, carrying the service token in a request header of the request information of the request.
The registration service center is used to manage the various services effectively; the same service can deploy a plurality of service instances, which realizes dynamic capacity expansion, effectively shares load and improves performance, and when one service instance is abnormally interrupted, the other service instances can continue to respond. Turning the user authority function into a service simplifies operation and maintenance in a multi-application system and lowers the technical threshold for maintenance personnel. The service token mode effectively protects the interfaces of each micro-service application from being directly exposed, and external applications must call interfaces through the unified gateway, so the safety of the application system is improved.
Further, as shown in fig. 4, step S301 specifically further includes the steps of:
step S401: the gateway service, the user authority service and each application service automatically register the service with a registration service center when being started. When the whole micro-service application runs, firstly, a registration service is started, after the registration service center is started, a user authority service is started, the registration service is registered with the registration service center, after the registration service center service and the user authority service are started, a gateway service and application services corresponding to all application systems are started, and the gateway service and the application services register the service with the registration service center.
Step S402: and the gateway service, the user authority service and each application service synchronize address lists of all service instances registered in the registration service center to the local in real time after being started. And detecting the running state of each service on the registration service center by adopting a real-time (polling) mode, and updating the address list of the local service in time.
Step S403: and connecting the different application services with the respective application stores, and synchronizing the storage connection configuration information to the user authority service.
Further, as shown in fig. 5, step S302 specifically further includes the steps of:
step S501: and the gateway service issues a gateway service public key to the user authority service, loads a gateway service private key after the gateway service public key is issued successfully, and encrypts the registered gateway service ID by the gateway service private key to generate a gateway service ID ciphertext. This step occurs at gateway service initialization.
Step S502: and the application service issues an application service public key and the application stores the connected configuration information to the user authority service, loads an application service private key after the application service public key is issued successfully, and encrypts the registered application service ID to generate an application service ID ciphertext. This step occurs at application service initialization.
Steps S501 and S502 have no fixed order; either may run first, or both may run at the same time.
Step S503: the gateway service submits the gateway service ID ciphertext together with its gateway registration information to the user authority service to apply for a service token.
Step S504: the application service submits the application service ID ciphertext together with its application registration information to the user authority service to apply for a service token.
Steps S503 and S504 have no fixed order; either may run first, or both may run at the same time.
Step S505: the user authority service checks that the gateway registration information is legitimate and verifies the gateway service ID ciphertext with the gateway service public key; if both checks pass, it generates a service token and returns it to the gateway service. The gateway service stores the service token and carries it in the request header whenever it routes a request to another service; the called micro-service verifies the service token with the service token public key, so that it accepts only requests that originate inside the micro-service deployment.
Step S506: the user authority service checks that the application registration information is legitimate and verifies the application service ID ciphertext with the application service public key; if both checks pass, it generates a service token and returns it to the application service. The application service stores the service token and carries it in the request header whenever it calls another service; the called micro-service verifies the service token with the service token public key, so that it accepts only requests that originate inside the micro-service deployment.
Steps S505 and S506 have no fixed order; either may run first, or both may run at the same time.
Step S507: the service token is generated with the user authority service token private key built into the user authority service.
Step S508: the corresponding user authority service token public key is published externally.
Before an external application requests a resource, it must first send a login request to the corresponding application system to obtain the user credential Token of the current operating user, which every background interface call then carries. The external application stores the Token securely, and each subsequent request carries it in the request header under the Header key Authorization. The Token acquisition flow is illustrated in fig. 7.
The login request is described below with reference to fig. 6:
Step S601: the external application initiates an authorization application to the user authority service through the unified gateway. Specifically, the external application supplies the authentication information it holds, such as the application system identifier, the operating account and the password, and sends the authorization application to the user authority service through the unified gateway.
Step S602: the unified gateway responds to the external request and sends the request information of the authorization application to the user authority service. Specifically, after receiving the request, the unified gateway forwards the authorization application to a user authority service instance taken from the address list it synchronized from the registration center.
Step S603: the user authority service loads the configuration information that corresponds to the application system identifier in the authorization application, connects to the corresponding storage library with it, acquires the requesting user's information and verifies the user's legitimacy. If the user is legitimate, it creates a Session for the user, stores the Session in the storage cache, generates an authorization Token from the user Session and the application system identifier, and returns the Token to the external application through the gateway. From then on the external application presents only the Token to request resources and never resends the user name and password. Finally, the user authority service records the request information and the result of the authorization application in the storage that corresponds to the application identifier. Because the user's identity travels in the Token, the application services themselves no longer hold Session state; this reduces the memory overhead of user Sessions across multiple application systems, avoids the hidden risks of replicating Sessions across machines, and lets user information be used across domains and across services under a distributed micro-service architecture.
After the user authority service has loaded the configuration information according to the application system identifier in the authorization application, the method further comprises:
if no configuration information is found for the application system, an error prompt is returned directly.
After the requesting user's information has been acquired and the user's legitimacy verified, the method further comprises:
if the user is not legitimate, an error prompt is returned directly.
Step S604: the authorization Token is generated with a Token private key built into the user authority service, and the Token public key is published externally. Specifically, the authorization Token is produced in the standard JSON Web Token (JWT) form using the built-in Token private key (a private-key operation over a JWT is a signature, checked with the published public key), so that during its validity period the information it carries can be verified and trusted. Generating the user Token as a JWT reduces how often an application service must retrieve stored information to learn who the requesting user is.
As shown in fig. 8, once the authorization Token has been obtained, the external application can access protected service resources with it. The method further comprises the following steps:
The external application sends a request carrying the Token to the unified gateway. In this embodiment the front-end application places the Token in the Authorization header using the Bearer scheme, that is, Authorization: Bearer <Token>, and sends the request to the unified gateway.
The unified gateway verifies the Token with the Token public key; once the Token is verified as legitimate, the unified gateway obtains the corresponding user's authorization information from the user authority service.
The user authority service verifies the Token again, connects to the corresponding storage library according to the application identifier in the Token, retrieves the user's authority information from it, and returns the result to the unified gateway.
The unified gateway matches the requested resource against the returned user authorization list; if the requested resource is in the list, the request is distributed to a server running the corresponding application service according to the service routing rules. After the resource matching, the method further comprises: if the requested resource does not match the authorization list, an unauthorized-access (override) error is returned.
"The application service receives the external request and verifies the service token carried by the external request" specifically comprises the following steps:
After receiving the request, the application service verifies that both the service token and the Token are legitimate; if so, it uses the Token public key to extract the user information from the Token, executes the business flow according to that user information and the requested resource, and returns the execution result to the unified gateway. After the user information has been extracted from the Token, the method further comprises: if more user information is needed, the application service synchronously requests the user's detailed information from the user authority service.
The unified gateway synchronously returns the execution result to the external application.
Further, "the user authority service receives the external request and verifies the service token carried by the external request" specifically comprises the following steps:
The unified gateway packages the application identifier, the request information and the execution result into an audit log and submits it asynchronously to the user authority service. The user authority service verifies the service token; if the service token passes verification, the audit log is stored in the corresponding storage library according to the audit log's application identifier, and the log state is returned.
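The service-token exchange of steps S501 to S508, the login of steps S603 and S604 and the request flow of fig. 8 (gateway check, authority lookup, application service check) are shown together in the Go program below. It is an added example written for this page, not the patent's or any product's implementation, and it fixes details the page leaves open: Ed25519 key pairs are assumed for every party, both the user Token and the service token are compact JWTs with alg EdDSA (the page specifies JWT only for the user Token), and the claim names sub, app, typ and exp, the header name X-Service-Token for the service token, the one-hour and thirty-minute lifetimes, and the sample application system "crm" with user "alice" are all assumptions. The user store is an in-memory map holding a plaintext password purely for brevity; a real store holds password hashes. The asynchronous audit-log submission described above uses the same service-token check (verifyJWT with typ "service") as handleApp.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

// signJWT mints a compact JWS with alg=EdDSA (RFC 8037) over claims; JWT uses base64url without padding.
func signJWT(priv ed25519.PrivateKey, claims map[string]any) string {
	hdr, _ := json.Marshal(map[string]string{"alg": "EdDSA", "typ": "JWT"})
	body, _ := json.Marshal(claims)
	in := base64.RawURLEncoding.EncodeToString(hdr) + "." + base64.RawURLEncoding.EncodeToString(body)
	return in + "." + base64.RawURLEncoding.EncodeToString(ed25519.Sign(priv, []byte(in)))
}

// verifyJWT pins the alg, checks the signature with pub, then the "typ" claim and the expiry.
func verifyJWT(pub ed25519.PublicKey, tok, typ string, now time.Time) (c map[string]any, err error) {
	p := strings.Split(tok, ".")
	dec := func(s string) []byte { b, _ := base64.RawURLEncoding.DecodeString(s); return b } // bad input fails a check below
	var hdr struct{ Alg string `json:"alg"` }
	if len(p) != 3 || json.Unmarshal(dec(p[0]), &hdr) != nil || hdr.Alg != "EdDSA" {
		return nil, fmt.Errorf("malformed token or unexpected alg") // never honour alg=none or a downgrade
	}
	if !ed25519.Verify(pub, []byte(p[0]+"."+p[1]), dec(p[2])) || json.Unmarshal(dec(p[1]), &c) != nil || c["typ"] != typ {
		return nil, fmt.Errorf("bad signature or claims") // typ also stops a user Token posing as a service token
	}
	if exp, ok := c["exp"].(float64); !ok || now.Unix() >= int64(exp) {
		return nil, fmt.Errorf("token expired")
	}
	return c, nil
}

// userAuthority: built-in signing keys (S507, S604), registered service keys (S501/S502), per-application stores (S403).
type userAuthority struct {
	tokenPriv, svcPriv    ed25519.PrivateKey
	TokenPub, SvcTokenPub ed25519.PublicKey // published externally (S508, S604)
	servicePubs           map[string]ed25519.PublicKey
	passwords             map[string]map[string]string      // app -> account -> password (sample; a real store holds hashes)
	perms                 map[string]map[string]map[string]bool // app -> account -> authorized resources
}

// IssueServiceToken is S503-S506: the "service ID ciphertext" is a signature over the ID, checked with the registered key.
func (u *userAuthority) IssueServiceToken(id string, idSig []byte, now time.Time) (string, error) {
	if pub, ok := u.servicePubs[id]; !ok || !ed25519.Verify(pub, []byte(id), idSig) {
		return "", fmt.Errorf("service %q rejected", id)
	}
	return signJWT(u.svcPriv, map[string]any{"sub": id, "typ": "service", "exp": now.Add(time.Hour).Unix()}), nil
}

// Login is S603/S604: an unknown application or a bad credential is an error prompt; else the Token names account and app.
func (u *userAuthority) Login(appID, account, password string, now time.Time) (string, error) {
	if pw, ok := u.passwords[appID][account]; !ok || pw != password {
		return "", fmt.Errorf("login rejected for %s@%s", account, appID)
	}
	c := map[string]any{"sub": account, "app": appID, "typ": "user", "exp": now.Add(30 * time.Minute).Unix()}
	return signJWT(u.tokenPriv, c), nil
}

// route is the unified gateway (fig. 8): verify the bearer Token, match the resource against the authorization list
// of the store named inside the Token (the page has the user authority do this lookup and verify the Token again),
// then forward with both tokens. "X-Service-Token" is an assumed header name; the page only says "request header".
func route(u *userAuthority, svcToken, authHeader, resource string, now time.Time) (map[string]string, error) {
	c, err := verifyJWT(u.TokenPub, strings.TrimPrefix(authHeader, "Bearer "), "user", now)
	if !strings.HasPrefix(authHeader, "Bearer ") || err != nil {
		return nil, fmt.Errorf("bearer token rejected: %v", err)
	}
	if !u.perms[fmt.Sprint(c["app"])][fmt.Sprint(c["sub"])][resource] {
		return nil, fmt.Errorf("override: %s is not in the authorization list", resource)
	}
	return map[string]string{"Authorization": authHeader, "X-Service-Token": svcToken}, nil
}

// handleApp is the application service: the service token proves an internal call, the user Token names the acting user.
func handleApp(u *userAuthority, hdr map[string]string, resource string, now time.Time) (string, error) {
	if _, err := verifyJWT(u.SvcTokenPub, hdr["X-Service-Token"], "service", now); err != nil {
		return "", fmt.Errorf("not an internal call: %w", err)
	}
	c, err := verifyJWT(u.TokenPub, strings.TrimPrefix(hdr["Authorization"], "Bearer "), "user", now)
	if err != nil {
		return "", err
	}
	return fmt.Sprintf("%s executed for %s@%s", resource, c["sub"], c["app"]), nil
}

func main() { // constructed sample: one application system "crm", one user, one authorized resource
	tp, tk, _ := ed25519.GenerateKey(rand.Reader) // S604: Token key pair
	sp, sk, _ := ed25519.GenerateKey(rand.Reader) // S507: service token key pair
	u := &userAuthority{tk, sk, tp, sp, map[string]ed25519.PublicKey{}, map[string]map[string]string{"crm": {"alice": "s3cret"}}, map[string]map[string]map[string]bool{"crm": {"alice": {"GET /crm/customers": true}}}}
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // S501: the gateway's key pair; the public half is registered
	u.servicePubs["gateway-1"] = pub
	svcToken, _ := u.IssueServiceToken("gateway-1", ed25519.Sign(priv, []byte("gateway-1")), time.Now())
	tok, _ := u.Login("crm", "alice", "s3cret", time.Now())
	hdr, _ := route(u, svcToken, "Bearer "+tok, "GET /crm/customers", time.Now())
	fmt.Println(handleApp(u, hdr, "GET /crm/customers", time.Now()))
}
```

Two things in this example go slightly beyond the page's wording and are worth keeping in any real implementation: the two token kinds are separated both by distinct signing keys and by the typ claim, so a user Token presented where a service token is expected fails even if the keys were ever shared; and the alg header is pinned, so a token re-signed under alg=none or another algorithm is refused before any key is consulted. Resource matching is exact string equality on method plus path; the page's "service routing rules" and the authority's storage lookup are reduced to map lookups.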
Throughout this process, the multi-application system unifies resource authentication, authorization and log auditing across the different application systems by means of a micro-service architecture, so that each business application can concentrate on implementing its own business logic.
Referring to fig. 9, in one embodiment a storage medium 900 is provided on which a computer program is stored; when executed by a processor, the program implements any of the steps of the micro-service based multi-application rights unified management method described above.
Although the foregoing embodiments have been described herein, the scope of the present application is not limited by them. Alterations and modifications of the embodiments described here, equivalent structures or equivalent flow transformations based on the innovative concepts of the present application and made according to this description and the drawings, and direct or indirect application of the above technical solution to other relevant technical fields, all fall within the scope of the application.
Claims (7)
1. A micro-service based unified management method for the rights of a multi-application system, characterized in that it comprises the following steps:
generating an independent user authority service for the user rights of the different applications;
receiving an external request, the unified gateway auditing the information of the external request and distributing the external request that passes the audit to the corresponding application service;
the application service receiving the external request and verifying a service token carried by the external request, and/or the user authority service receiving the external request and verifying the service token carried by the external request;
wherein "receiving an external request, the unified gateway auditing the information of the external request and distributing the external request that passes the audit to the corresponding application service" specifically comprises the steps of:
the external application initiating an authorization application to the user authority service through the unified gateway;
the unified gateway responding to the external request and sending the request information of the authorization application to the user authority service;
the user authority service loading configuration information according to the application system identifier in the request information of the authorization application, connecting to the corresponding storage library with the loaded configuration information, acquiring the requesting user's information and verifying the user's legitimacy, and, if the user is legitimate, creating a Session for the user, storing the Session in a storage cache, generating an authorization Token from the user Session and the application system identifier, and returning the generated Token to the external application through the gateway;
the authorization Token being generated with a Token private key built into the user authority service, and the Token public key being published externally; and wherein, before "receiving an external request and the unified gateway auditing the information of the external request", the method further comprises the steps of:
the gateway service, the user authority service and each application service registering with a registration service center and synchronizing all service instances registered in the registration service center from the registration service center;
the gateway service and the application services applying to the user authority service for a service token;
the gateway service carrying the service token in the request header of the request information when it forwards a request to another service, or the application service carrying the service token in the request header of the request information when it sends out a request; and wherein "the gateway service, the user authority service and each application service registering with a registration service center and synchronizing all service instances registered in the registration service center from the registration service center" specifically comprises the steps of:
the gateway service, the user authority service and each application service automatically registering with the registration service center when started;
the gateway service, the user authority service and each application service synchronizing the address list of all service instances registered in the registration service center to a local copy in real time after start-up; and
the different application services connecting to their respective application stores and synchronizing the store connection configuration information to the user authority service.
2. The micro-service based unified management method for the rights of a multi-application system according to claim 1, characterized in that "the gateway service and the application services applying to the user authority service for a service token" specifically comprises the steps of:
the gateway service publishing a gateway service public key to the user authority service, loading a gateway service private key once the gateway service public key has been published successfully, and encrypting the registered gateway service ID with the gateway service private key to generate a gateway service ID ciphertext;
the application service publishing an application service public key and the connection configuration information of its application store to the user authority service, loading an application service private key once the application service public key has been published successfully, and encrypting the registered application service ID with the application service private key to generate an application service ID ciphertext;
the gateway service submitting the gateway service ID ciphertext and the gateway registration information to the user authority service to apply for a service token;
the application service submitting the application service ID ciphertext and the application registration information to the user authority service to apply for a service token;
the user authority service checking whether the gateway registration information is legitimate and verifying the gateway service ID ciphertext with the gateway service public key, and, if the gateway registration information is legitimate and the gateway service ID ciphertext passes verification, generating a service token and returning it to the gateway service;
the user authority service checking whether the application registration information is legitimate and verifying the application service ID ciphertext with the application service public key, and, if the application registration information is legitimate and the application service ID ciphertext passes verification, generating a service token and returning it to the application service;
the service token being generated with a user authority service token private key built into the user authority service; and
the user authority service token public key being published externally.
3. The micro-service based unified management method for the rights of a multi-application system according to claim 1, characterized in that, after the user authority service loads the configuration information according to the application system identifier in the request information of the authorization application, the method further comprises the step of:
if no configuration information is found for the application system, returning an error prompt directly;
and, after the requesting user's information has been acquired and the user's legitimacy verified, the method further comprises the step of:
if the user is not legitimate, returning an error prompt directly.
4. The micro-service based unified management method for the rights of a multi-application system according to claim 1, characterized in that it further comprises the steps of:
the external application sending a request carrying the Token to the unified gateway;
the unified gateway verifying the Token with the Token public key and, once the Token is verified as legitimate, obtaining the corresponding user's authorization information from the user authority service;
the user authority service verifying the Token again, connecting to the corresponding storage library according to the application identifier in the Token, retrieving the user's authorization information from the corresponding storage library, and returning the retrieval result to the unified gateway;
the unified gateway matching the requested resource against the returned user authorization list and, if the requested resource matches the authorization list, distributing the request to a server running the corresponding application service according to the service routing rules;
wherein "the application service receiving the external request and verifying the service token carried by the external request" specifically comprises the steps of:
after receiving the request information, the application service verifying whether the service token and the Token are legitimate and, if both are legitimate, using the Token public key to extract the user information from the Token, executing the business flow according to the user information and the requested resource, and returning the execution result to the unified gateway; and
the unified gateway synchronously returning the execution result to the external application.
5. The micro-service based unified management method for the rights of a multi-application system according to claim 4, characterized in that, after the matching of the requested resource, the method further comprises the step of:
if the requested resource does not match the authorization list, returning an unauthorized-access (override) error;
and, after the user information has been extracted from the Token with the Token public key, the method further comprises the step of:
if more user information is needed, synchronously sending a request to the user authority service to obtain the user's detailed information.
6. The micro-service based unified management method for the rights of a multi-application system according to claim 4, characterized in that "the user authority service receiving the external request and verifying the service token carried by the external request" further comprises the step of:
the unified gateway packaging the application identifier, the request information and the execution result into an audit log and submitting the audit log asynchronously to the user authority service, and the user authority service verifying the service token and, if the service token passes verification, storing the audit log in the corresponding storage library according to the application identifier of the audit log and returning the log state.
7. A storage medium having a computer program stored thereon, characterized in that the program, when executed by a processor, performs the steps of the method of any one of claims 1 to 6.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202110755655.XA CN113472794B (en) | 2021-07-05 | 2021-07-05 | Multi-application system authority unified management method based on micro-service and storage medium |
Publications (2)
Publication Number | Publication Date |
---|---|
CN113472794A CN113472794A (en) | 2021-10-01 |
CN113472794B true CN113472794B (en) | 2023-08-15 |
Family
ID=77877974
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||