CN113472794B - Multi-application system authority unified management method based on micro-service and storage medium - Google Patents


Info

Publication number: CN113472794B
Authority: CN (China)
Prior art keywords: service, application, token, gateway, user
Legal status: Active
Application number: CN202110755655.XA
Other languages: Chinese (zh)
Other versions: CN113472794A (en)
Inventors: 陈献宇, 李�昊, 田有隆, 谢招楷, 徐术欢, 陈骏, 余永先, 孔令豪
Current Assignee: Fuzhou Institute Of Data Technology Co ltd
Original Assignee: Fuzhou Institute Of Data Technology Co ltd
Classifications

    • H ELECTRICITY
        • H04 ELECTRIC COMMUNICATION TECHNIQUE
            • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
                • H04L 63/00 Network architectures or network communication protocols for network security
                    • H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities
                        • H04L 63/0807 Network architectures or network communication protocols for network security for authentication of entities using tickets, e.g. Kerberos
                    • H04L 63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
                • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
                    • H04L 9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
                        • H04L 9/321 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving a third party or a trusted authority
                            • H04L 9/3213 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving a third party or a trusted authority using tickets or tokens, e.g. Kerberos
    • G PHYSICS
        • G06 COMPUTING; CALCULATING OR COUNTING
            • G06F ELECTRIC DIGITAL DATA PROCESSING
                • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
                    • G06F 21/30 Authentication, i.e. establishing the identity or authorisation of security principals
                        • G06F 21/45 Structures or tools for the administration of authentication
                    • G06F 21/60 Protecting data
                        • G06F 21/602 Providing cryptographic facilities or services


Abstract

The application relates to the technical field of micro-services, and in particular to a micro-service-based method for unified authority management across multiple application systems, and a storage medium. The method comprises the following steps: generating an independent user authority service for the user authorities of the different applications; receiving an external request, auditing the information of the external request at a unified gateway, and distributing the request that passes the audit to the corresponding application service; the application service receiving the external request and verifying the service token it carries, and/or the user authority service receiving the external request and verifying the service token it carries. Because an independent user authority service is generated for the user authorities of the different applications, a single consistent service version is presented externally, the version is forced to be unified, interface incompatibility caused by differing SDK versions and the difficulty of maintaining multiple versions are avoided, and the unified management provides a guarantee for stable operation of the system.

Description

Multi-application system authority unified management method based on micro-service and storage medium
Technical Field
The application relates to the technical field of micro-services, in particular to a multi-application system authority unified management method and a storage medium based on micro-services.
Background
With the expansion of Internet applications, development, deployment, operation and maintenance under the traditional monolithic application architecture have become slower and more complex, and even agile development is impractical for a monolithic application; micro-services, with greater independence, availability and flexibility, were developed in response. Structurally, a micro-service architecture splits an application into multiple loosely coupled services that cooperate through a defined protocol (REST, RPC, etc.); the functionality of the original monolithic architecture is preserved, but deployment is more flexible, scaling is easier, and the complexity of development and operation is reduced.
In a micro-service architecture, control of access authority is mainly implemented through an API gateway. The gateway acts as the entrance that authenticates and authorizes external requests; after authentication succeeds, the request is distributed to the corresponding micro-service application, and the micro-service itself no longer performs effective security authentication and authorization. Because the micro-service cannot authenticate on its own, some private API interfaces end up directly exposed, which greatly reduces the security of the whole system.
In traditional monolithic applications, user authority control is mostly implemented through the Session; a micro-service architecture is a distributed architecture, so retaining the traditional Session-based authority control requires an additional Session replication mechanism. In this mode, the more services the system is split into, the more network and server resources are consumed; and since each service must check authority independently, the latency and complexity of system responses increase, so the approach is not suitable for a micro-service architecture.
Multiple application systems generally adopt a unified SDK to implement unified authentication, but as the business systems keep expanding, SDK version iteration is no longer uniform, leading to untimely updates and to repeated construction of the same type of basic services across business systems. How to implement authority authentication effectively under a micro-service architecture has therefore become a problem to be solved.
Disclosure of Invention
Therefore, a micro-service-based method for unified authority management of multiple application systems is needed, so as to solve the technical problems of the prior art such as low security and slow system response in micro-service authority authentication. The specific technical scheme is as follows:
the unified management method of the rights of the multi-application system based on the micro-service comprises the following steps:
generating an independent user authority service for the user authorities of different applications;
receiving an external request, auditing the information of the external request by a unified gateway, and distributing the external request passing the auditing to a corresponding application service;
the application service receives the external request and verifies a service token carried by the external request, and/or the user rights service receives the external request and verifies a service token carried by the external request.
Further, before the step of receiving the external request and the step of checking the information of the external request by the unified gateway, the method further comprises the steps of:
the gateway service, the user authority service and each application service register the service to a registration service center, and synchronize all service instances registered to the registration service center from the registration service center;
the gateway service and the application service apply for a service token from the user authority service;
when the gateway service forwards other service requests, the service token is carried in a request header of request information of the service request; or when the application service sends out a request, carrying the service token in a request header of the request information of the request.
Further, the gateway service, the user authority service and each application service register the service with the registration service center, and synchronize all service instances registered with the registration service center from the registration service center, and specifically further includes the steps of:
the gateway service, the user authority service and each application service automatically register the service with a registration service center when being started;
the gateway service, the user authority service and each application service synchronize address lists of all service instances registered in the registration service center to the local in real time after being started;
and connecting the different application services with the respective application stores, and synchronizing the storage connection configuration information to the user authority service.
Further, the "the gateway service and the application service apply for a service token from the user authority service" specifically further includes the steps of:
the gateway service issues its gateway service public key to the user authority service, loads the gateway service private key after the public key has been issued successfully, and encrypts its registered gateway service ID (identity) with the gateway service private key to generate a gateway service ID ciphertext;
the application service issues its application service public key, together with the connection configuration information of its application store, to the user authority service, loads the application service private key after the public key has been issued successfully, and encrypts its registered application service ID to generate an application service ID ciphertext;
the gateway service submits the gateway service ID ciphertext and its gateway registration information to the user authority service to apply for a service token;
the application service submits the application service ID ciphertext and its application registration information to the user authority service to apply for a service token;
the user authority service checks whether the gateway registration information is legal and verifies the gateway service ID ciphertext with the gateway service public key; if the registration information is legal and the ciphertext passes verification, the user authority service generates a service token and returns it to the gateway service;
the user authority service checks whether the application registration information is legal and verifies the application service ID ciphertext with the application service public key; if the registration information is legal and the ciphertext passes verification, the user authority service generates a service token and returns it to the application service;
the service token is generated with a user authority service token private key that is built into the user authority service;
the corresponding user authority service token public key is published externally.
Further, the step of receiving the external request, auditing the information of the external request by the unified gateway, and distributing the external request passing the audit to the corresponding application service, specifically further includes the steps of:
the external application initiates an authorization application to the user authority service through a unified gateway;
the unified gateway responds to an external request and sends request information of an authorization application to the user authority service;
the user authority service loads configuration information according to the application system identifier in the request information of the authorization application, connects to the corresponding storage library using the loaded configuration, acquires the requesting user's information and verifies the user's legitimacy; if the user is legal, it creates a Session for the legal user, stores the Session in the storage cache, generates an authorization Token from the user Session and the application system identifier, and returns the generated Token to the external application through the gateway;
the authorization Token is generated by encrypting with a Token private key built into the user authority service, and the Token public key is published externally.
Further, after the "the user authority service loads the configuration information according to the application system identifier in the request information of the authorization application", the method specifically further includes the steps of:
if the configuration information corresponding to the application system is not found, directly returning an error prompt;
after the request user information is acquired and the user validity is verified, the method specifically further comprises the steps of:
if the user is illegal, an error prompt is directly returned.
Further, the method further comprises the steps of:
the external application sends a request carrying the Token to a unified gateway;
the unified gateway verifies the Token information with the Token public key, and once the Token is verified as legal, the unified gateway obtains the corresponding user's authorization information from the user authority service;
the user authority service verifies the Token again, connects to the corresponding storage library according to the application identifier in the Token, retrieves the user's authorization information from that storage library, and returns the retrieval result to the unified gateway;
the unified gateway matches the requested resource against the returned user authorization list, and if the requested resource matches the authorization list, the request is distributed to a server of the corresponding running application service according to the service routing rules;
the step in which the application service receives the external request and verifies the service token carried by the external request specifically further comprises the steps of:
after receiving the request information, the application service verifies whether the service token and the Token are legal; if both are legal, the application service uses the Token public key to extract the user information in the Token, executes the business flow according to the user information and the requested resource, and returns the execution result to the unified gateway;
and the unified gateway synchronously returns the execution result to the external application.
Further, after the "match request resource", the method specifically further includes the steps of:
if the requested resource does not match the authorization list, an error indicating that the request exceeds the user's authority is returned;
after the Token public key is used to extract the user information in the Token, the method specifically further comprises the steps of:
if more user information is needed, a request is sent synchronously to the user authority service to acquire the user's detailed information.
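As an added example (not code from the patent or its assignee), the gateway audit path of the steps above in Go: the Token is a JSON payload signed with Ed25519 under the Token private key, each application system's storage library is an in-memory map of constructed sample data, and user legitimacy is reduced to the user existing in that application's store. The key seed is a constructed demo value, all type and function names are this example's own, and the page's "override error" is the sentinel ErrExceedsAuthority.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"encoding/json"
	"errors"
	"strings"
)

// Token: a JSON payload bound to the user's Session and application system identifier, signed with the Token private key.
type Token struct{ Payload, Sig []byte }

type tokenClaims struct {
	SessionID string `json:"sid"`
	UserID    string `json:"uid"`
	AppID     string `json:"app"`
}

// claimsOf verifies the signature under the published Token public key; gateway, authority and application service all run it.
func claimsOf(tokenPub ed25519.PublicKey, t Token) (*tokenClaims, error) {
	if !ed25519.Verify(tokenPub, t.Payload, t.Sig) {
		return nil, errors.New("token signature invalid")
	}
	var c tokenClaims
	if err := json.Unmarshal(t.Payload, &c); err != nil {
		return nil, err
	}
	return &c, nil
}

type AuthorityService struct {
	tokenPriv ed25519.PrivateKey
	TokenPub  ed25519.PublicKey              // published externally
	stores    map[string]map[string][]string // appID -> userID -> authorized resources (constructed)
	sessions  map[string]tokenClaims         // the Session cache
}

// NewDemoAuthority uses a constructed zero seed and constructed data for one application system.
func NewDemoAuthority() *AuthorityService {
	priv := ed25519.NewKeyFromSeed(make([]byte, ed25519.SeedSize)) // demo key only, never reuse
	return &AuthorityService{tokenPriv: priv, TokenPub: priv.Public().(ed25519.PublicKey),
		stores:   map[string]map[string][]string{"crm": {"alice": {"/crm/orders/*", "/crm/profile"}}},
		sessions: map[string]tokenClaims{}}
}

// Login is the authorization application forwarded by the gateway: load the store for appID, verify the user, create a Session, sign a Token.
func (a *AuthorityService) Login(appID, userID string) (Token, error) {
	store, ok := a.stores[appID]
	if !ok {
		return Token{}, errors.New("no configuration for application system")
	}
	if _, ok := store[userID]; !ok {
		return Token{}, errors.New("illegal user")
	}
	sid := make([]byte, 16)
	if _, err := rand.Read(sid); err != nil {
		return Token{}, err
	}
	c := tokenClaims{SessionID: hex.EncodeToString(sid), UserID: userID, AppID: appID}
	a.sessions[c.SessionID] = c
	payload, _ := json.Marshal(c) // a struct of plain strings cannot fail to marshal
	return Token{Payload: payload, Sig: ed25519.Sign(a.tokenPriv, payload)}, nil
}

// AuthorizationList verifies the Token again, checks the Session exists, then reads the list from the store named in the Token.
func (a *AuthorityService) AuthorizationList(t Token) ([]string, error) {
	c, err := claimsOf(a.TokenPub, t)
	if err != nil {
		return nil, err
	}
	if _, ok := a.sessions[c.SessionID]; !ok {
		return nil, errors.New("session not found")
	}
	return a.stores[c.AppID][c.UserID], nil // nil for an unknown user: deny by default
}

// ErrExceedsAuthority is the gateway's reply when the resource is not in the authorization list.
var ErrExceedsAuthority = errors.New("requested resource exceeds user authorization")

// GatewayAuthorize is the gateway's audit: Token check, list lookup, matching (exact, or prefix entry ending "/*"); returns the app to route to.
func GatewayAuthorize(tokenPub ed25519.PublicKey, auth *AuthorityService, t Token, resource string) (string, error) {
	c, err := claimsOf(tokenPub, t)
	if err != nil {
		return "", err
	}
	list, err := auth.AuthorizationList(t)
	if err != nil {
		return "", err
	}
	for _, entry := range list {
		if entry == resource || (strings.HasSuffix(entry, "/*") &&
			strings.HasPrefix(resource, strings.TrimSuffix(entry, "*"))) {
			return c.AppID, nil
		}
	}
	return "", ErrExceedsAuthority
}
```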
Further, the "the user authority service receives the external request and verifies the service token carried by the external request", and specifically further includes the steps of:
the unified gateway packages the application identifier, the request information and the execution result into an audit log and submits the audit log asynchronously to the user authority service; the user authority service verifies the service token, and if the service token passes verification, stores the audit log in the corresponding storage library according to the application identifier of the audit log and returns the log state.
To solve the above technical problem, there is also provided a storage medium having stored thereon a computer program which, when executed by a processor, implements any of the steps of the above-mentioned micro-service based multi-application rights unified management method.
The beneficial effects of the application are as follows. The micro-service-based method for unified authority management of multiple application systems comprises: generating an independent user authority service for the user authorities of the different applications; receiving an external request, auditing the information of the external request at a unified gateway, and distributing the request that passes the audit to the corresponding application service; the application service receiving the external request and verifying the service token it carries, and/or the user authority service receiving the external request and verifying the service token it carries. Because an independent user authority service is generated for the user authorities of the different applications, a single consistent service version is presented externally, the version is forced to be unified, interface incompatibility caused by differing SDK versions and the difficulty of maintaining multiple versions are avoided, and the unified management provides a guarantee for stable operation of the system. Authority authentication for the multi-application system under the micro-service architecture is implemented efficiently through the unified user authority service, so the complex authority control of a third-party framework is not needed, and subsequent adjustment and extension of the authority function are convenient. The running application service instances no longer handle authority control, so the business flow is processed more efficiently and the response speed improves. And since the development process of each application system no longer needs to attend to or implement the authority control flow, the efficiency of the development personnel improves.
Further, the various services are managed effectively through a registration service center: the same service can deploy multiple service instances, which allows dynamic capacity expansion, shares load effectively and improves performance, and when one service instance is interrupted abnormally the other instances can continue to respond.
Furthermore, the service-token mechanism effectively protects the interfaces of each micro-service application from direct exposure; external applications must call interfaces through the unified gateway, which improves the security of the application system.
Furthermore, the multi-application system unifies resource authentication, authorization and log auditing across the different application systems through a micro-service architecture, which lets each business application focus on implementing its own business logic.
Drawings
FIG. 1 is a flowchart of the micro-service-based method for unified authority management of multiple application systems according to an embodiment;
FIG. 2 is a schematic diagram of the operating framework of the micro-service-based method for unified authority management of multiple application systems according to an embodiment;
FIG. 3 is a flowchart of the steps by which the gateway service and the application service acquire a service token, according to an embodiment;
FIG. 4 is a second flowchart of the steps by which the gateway service and the application service acquire a service token, according to an embodiment;
FIG. 5 is a further flowchart of the steps by which the gateway service and the application service acquire a service token, according to an embodiment;
FIG. 6 is a flowchart of the steps for processing a login request according to an embodiment;
FIG. 7 is a sequence diagram of user Token authorization according to an embodiment;
FIG. 8 is a sequence diagram of user authentication according to an embodiment;
FIG. 9 is a schematic block diagram of a storage medium according to an embodiment.
Reference numerals illustrate:
900. a storage medium.
Detailed Description
In order to describe the technical content, constructional features, achieved objects and effects of the technical solution in detail, the following description is made in connection with the specific embodiments in conjunction with the accompanying drawings.
Referring to FIG. 1 to FIG. 8, the core technical idea of the present application is to separate the user authority functions of the different applications into a single micro-service that provides unified user login and authority services externally. This forces a unified version, avoids interface incompatibility caused by differing SDK versions and the difficulty of maintaining multiple versions, and provides a guarantee for stable operation of the system. Authority authentication for the multi-application system under the micro-service architecture is implemented efficiently through this unified user authority service, so the complex authority control of a third-party framework is not needed, and subsequent adjustment and extension of the authority function are convenient. A unified gateway service is also set up: every external request is first fully checked by the unified gateway, and further processing occurs only after the check passes, which improves the security of the application system; within the micro-services, the user authority service can be called directly, without passing through the gateway's authentication and audit processing, which ensures efficient and stable implementation of business services.
The following description will be developed specifically:
First, FIG. 2 shows the framework in which the micro-service-based method for unified authority management of multiple application systems operates. It comprises: an access layer (external requests), a unified gateway service, a lightweight service layer, and a multi-source storage layer. The access layer refers mainly to external applications initiating resource requests over the standard HTTP/HTTPS protocol; external requests are uniformly proxied through the Gateway, which distributes each request to the server of the corresponding running micro-service according to the service route. The gateway, the user authority service and the various application services automatically register themselves with the registry when started, and after starting they synchronize the address lists of the application service instances from the registry to the local node in real time; this supports dynamic capacity expansion of the same service and, combined with a client-side load balancing strategy, achieves highly available service performance. The different application services connect to their respective application stores, and the store connection configuration information is synchronized into the user authority service; when the user authority service retrieves authority resources, it obtains the authority resources of the corresponding user from the configured business storage library. This gives the authority resources of the multi-application system one consistent configuration and unified management, and the user authority resources of the multiple application systems share network and server resources.
As shown in fig. 1, the unified management method for rights of multiple application systems based on micro-services specifically includes the steps of:
step S101: an independent user rights service is generated for the user rights of different applications.
Step S102: and receiving an external request, auditing the information of the external request by the unified gateway, and distributing the external request passing the auditing to the corresponding application service.
Step S103: the application service receives the external request and verifies a service token carried by the external request, and/or the user rights service receives the external request and verifies a service token carried by the external request.
The following describes how the gateway service and the application service obtain the service token:
as shown in fig. 3, step S102 specifically further includes the steps of:
step S301: the gateway service, the user authority service and the application services register the service with the registration service center, and synchronize all service instances registered with the registration service center from the registration service center.
Step S302: the gateway service and the application service apply for a service token from the user authority service.
Step S303: when the gateway service forwards other service requests, the service token is carried in a request header of request information of the service request; or when the application service sends out a request, carrying the service token in a request header of the request information of the request.
The registration service center manages the various services effectively: the same service can deploy multiple service instances, which allows dynamic capacity expansion, shares load effectively and improves performance, and when one service instance is interrupted abnormally the other instances can continue to respond. By turning user authority into a service, operation and maintenance under the multi-application system mode is simplified and the technical threshold for maintenance personnel is lowered. The service-token mechanism effectively protects the interfaces of each micro-service application from direct exposure, since external applications can only call interfaces through the unified gateway, which improves the security of the application system.
Further, as shown in fig. 4, step S301 specifically further includes the steps of:
Step S401: the gateway service, the user authority service and each application service automatically register themselves with the registration service center when started. When the whole micro-service application runs, the registration service center is started first; after it is up, the user authority service is started and registers itself with the registration service center; after both the registration service center and the user authority service are running, the gateway service and the application services corresponding to all application systems are started, and they register themselves with the registration service center.
Step S402: after starting, the gateway service, the user authority service and each application service synchronize the address lists of all service instances registered in the registration service center to the local node in real time. The running state of each service on the registration service center is detected in real time (by polling), and the local service address list is updated promptly.
Step S403: and connecting the different application services with the respective application stores, and synchronizing the storage connection configuration information to the user authority service.
Further, as shown in fig. 5, step S302 specifically includes the following steps:
Step S501: the gateway service publishes its gateway service public key to the user authority service; once the public key is published successfully, it loads the gateway service private key and encrypts its registered gateway service ID with that private key to generate the gateway service ID ciphertext. This step occurs at gateway service initialization.
Step S502: the application service publishes its application service public key, together with the connection configuration information of its application store, to the user authority service; once the public key is published successfully, it loads the application service private key and encrypts its registered application service ID to generate the application service ID ciphertext. This step occurs at application service initialization.
It should be noted that steps S501 and S502 have no fixed order: either may be performed first, or both may run simultaneously.
Step S503: the gateway service submits the gateway service ID ciphertext and gateway registration information to the user authority service to apply for a service token.
Step S504: the application service submits the application service ID ciphertext and application registration information to the user authority service to apply for a service token.
It should be noted that steps S503 and S504 have no fixed order: either may be performed first, or both may run simultaneously.
Step S505: the user authority service checks whether the gateway registration information is legal and verifies the gateway service ID ciphertext with the gateway service public key; if the registration information is legal and the ciphertext passes verification, the user authority service generates a service token and returns it to the gateway service. The gateway service stores the received service token and carries it in the request header when it subsequently routes requests to other services; when the called micro-service receives the request, it verifies the service token with the service token public key, ensuring that the request originates from a call inside the micro-service system.
Step S506: the user authority service checks whether the application registration information is legal and verifies the application service ID ciphertext with the application service public key; if the registration information is legal and the ciphertext passes verification, the user authority service generates a service token and returns it to the application service. The application service stores the received service token and carries it in the request header when it subsequently routes requests to other services; when the called micro-service receives the request, it verifies the service token with the service token public key, ensuring that the request originates from a call inside the micro-service system.
It should be noted that steps S505 and S506 have no fixed order: either may be performed first, or both may run simultaneously.
Step S507: the service token is generated with a user authority service token private key built into the user authority service.
Step S508: the corresponding user authority service token public key is published externally.
It should be noted that before an external application initiates a resource request, it must first send a login request to the corresponding application system to obtain the user credential Token used for the current operating user's calls to the background interface. The external application keeps the obtained Token safe, and every subsequent request must carry the Token in the request header, where the header key for the Token is Authorization. The flow of Token acquisition is illustrated in fig. 7.
The login request is described below with reference to fig. 6:
Step S601: the external application initiates an authorization application to the user authority service through the unified gateway. Specifically, the external application supplies authentication information such as the application system identifier, the operation account and the password, and initiates the authorization application to the user authority service through the unified gateway.
Step S602: the unified gateway responds to the external request and sends the request information of the authorization application to the user authority service. Specifically, after receiving the request, the unified gateway forwards the authorization application information to the user authority service according to the address table of user authority service instances synchronized from the registration center.
Step S603: the user authority service loads configuration information according to the application system identifier in the request information of the authorization application, connects to the corresponding storage library using that configuration, acquires the requesting user's information and verifies the user's legitimacy. If the user is legal, it creates a Session for that user, stores the Session in a storage cache, generates an authorization Token from the user Session and the application system identifier, and returns the generated Token to the external application through the gateway. The external application then only needs to present the Token to request resources and does not need to send the user name and password again. Finally, the user authority service records the request information and the result of the authorization application in the storage corresponding to the application identifier. Because the background services no longer store the Session, the memory overhead caused by user Sessions under a multi-application system is effectively reduced and the hidden risks of storing Sessions on multiple machines are avoided, while cross-domain and cross-service use of user information under the distributed micro-service architecture is still supported.
After the user authority service loads the configuration information according to the application system identifier in the request information of the authorization application, the method specifically further comprises the following step:
if no configuration information corresponding to the application system is found, an error prompt is returned directly.
After the requesting user's information is acquired and the user's validity is verified, the method specifically further comprises the following step:
if the user is illegal, an error prompt is returned directly.
Step S604: the authorization Token is generated by encryption with a Token private key built into the user authority service, and the Token public key is published externally. Specifically, the authorization Token is generated with the built-in Token private key in the standard JSON Web Token (JWT) manner, so that its contents can be verified and trusted during the validity period. Generating the user Token by the JWT method reduces the number of times an application service has to retrieve stored information when obtaining the requesting user's information.
As shown in fig. 8, after the authorization Token is obtained, the external application can access protected service resources through the authorization Token. Further, the method comprises the following steps:
The external application sends a request carrying the Token to the unified gateway. In this embodiment, the front-end application is required to place the Token in the Authorization header using the Bearer scheme and send the request carrying the Token to the unified gateway.
The unified gateway verifies the Token information with the Token public key, and once the Token is verified as legal, the unified gateway acquires the corresponding user's authorization information from the user authority service.
The user authority service verifies the Token again, connects to the corresponding storage library according to the application identifier in the Token, retrieves the user's authorization information from that storage library, and returns the result to the unified gateway.
The unified gateway matches the requested resource against the returned user authorization list; if the requested resource matches the authorization list, the request is distributed to a server of the corresponding running application service according to the service routing rules. After the matching of the requested resource, the method specifically further comprises the following step: if the requested resource does not match the authorization list, an override (over-privilege) error is returned.
The application service receives the external request and verifies the service token carried by the external request, which specifically further comprises the following steps:
After receiving the request information, the application service verifies whether the service token and the Token are legal; if both are legal, the application service extracts the user information in the Token with the Token public key, executes the business flow according to the user information and the requested resource, and returns the execution result to the unified gateway. After extracting the user information from the Token with the Token public key, the method specifically further comprises the following step: if more user information is needed, a request is sent synchronously to the user authority service to acquire the user's detailed information.
The unified gateway synchronously returns the execution result to the external application.
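The flow above (service-token issuance to the registered gateway and application services in steps S501 to S508, the login that issues the user Token in steps S601 to S604, and the gateway-side authorization match and application-side double verification of fig. 8), as an added Python model that is not the patent's code: textbook RSA over Mersenne primes stands in for a real signature library, and the `X-Service-Token` header name, the `crm` application store, the account and the permission list are constructed for the example.

```python
import base64
import hashlib
import json

def keypair(k1, k2):  # toy RSA from Mersenne primes 2**k1-1 and 2**k2-1: constructed, insecure, demo only
    p, q = 2**k1 - 1, 2**k2 - 1
    return (p * q, pow(65537, -1, (p - 1) * (q - 1))), (p * q, 65537)  # (private, public)
def _digest(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n
def sign(priv, data):  # the patent describes this private-key operation on the service ID as "encryption"
    return pow(_digest(data, priv[0]), priv[1], priv[0])
def verify(pub, data, sig):
    return 0 <= sig < pub[0] and pow(sig, pub[1], pub[0]) == _digest(data, pub[0])
def _b64(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()
def _unb64(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def jwt_sign(priv, claims):  # JWT-style token b64url(header).b64url(claims).b64url(signature), step S604
    head, body = _b64(b'{"alg":"toy-rsa"}'), _b64(json.dumps(claims, sort_keys=True).encode())
    sig = sign(priv, f"{head}.{body}".encode())
    return f"{head}.{body}." + _b64(sig.to_bytes((sig.bit_length() + 7) // 8, "big"))

def jwt_verify(pub, token, now):  # the claims if the signature verifies and the token is unexpired, else None
    head, body, sig = (token.split(".") + [""] * 3)[:3]
    if not verify(pub, f"{head}.{body}".encode(), int.from_bytes(_unb64(sig), "big")):
        return None
    claims = json.loads(_unb64(body))
    return claims if claims.get("exp", 0) > now else None

class UserAuthorityService:  # issues service tokens (steps S501-S508) and user Tokens at login (S601-S604)
    def __init__(self):
        self.svc_priv, self.svc_pub = keypair(521, 607)  # service-token key pair; public half is published
        self.tok_priv, self.tok_pub = keypair(1279, 127)  # user-Token key pair; public half is published
        self.services = {}  # registration info: service ID -> its published public key
        self.apps = {"crm": {"users": {"alice": "pw-a"}, "perms": {"alice": ["GET /crm/customers"]}}}  # constructed

    def issue_service_token(self, service_id, id_sig, now):
        pub = self.services.get(service_id)  # registration info legal and ID ciphertext verifies with its key?
        if pub is None or not verify(pub, service_id.encode(), id_sig):
            return None
        return jwt_sign(self.svc_priv, {"svc": service_id, "exp": now + 3600})

    def login(self, app_id, account, password, now):
        store = self.apps.get(app_id)
        if store is None:
            return None, "no configuration for application system"
        if store["users"].get(account) != password:
            return None, "illegal user"
        sid = hashlib.sha256(f"{app_id}:{account}:{now}".encode()).hexdigest()[:16]  # Session id
        return jwt_sign(self.tok_priv, {"app": app_id, "sub": account, "sid": sid, "exp": now + 900}), None

    def authorization_list(self, token, now):
        claims = jwt_verify(self.tok_pub, token, now)  # verifies the Token again before the store lookup
        return [] if claims is None else self.apps[claims["app"]]["perms"].get(claims["sub"], [])

class ApplicationService:
    def __init__(self, auth, app_id, now):
        self.auth, self.app_id, (self.priv, self.pub) = auth, app_id, keypair(61, 31)
        auth.services[app_id] = self.pub  # S502: publish the application service public key
        self.service_token = auth.issue_service_token(app_id, sign(self.priv, app_id.encode()), now)

    def handle(self, headers, resource, now):
        if jwt_verify(self.auth.svc_pub, headers.get("X-Service-Token", ""), now) is None:
            return 401, "no valid service token: request did not come through the gateway"
        claims = jwt_verify(self.auth.tok_pub, headers.get("Authorization", "")[7:], now)
        if claims is None or claims["app"] != self.app_id:
            return 401, "invalid Token"
        return 200, f"{resource} executed for {claims['sub']}"

class GatewayService:
    def __init__(self, auth, now):
        self.auth, (self.priv, self.pub) = auth, keypair(107, 89)
        auth.services["gateway"] = self.pub  # S501: publish the gateway service public key
        self.service_token = auth.issue_service_token("gateway", sign(self.priv, b"gateway"), now)

    def handle(self, headers, resource, app, now):
        scheme, _, token = headers.get("Authorization", "").partition(" ")
        if scheme != "Bearer" or jwt_verify(self.auth.tok_pub, token, now) is None:
            return 401, "invalid Token"
        if resource not in self.auth.authorization_list(token, now):
            return 403, "override error: resource not in authorization list"
        fwd = {**headers, "X-Service-Token": self.service_token}  # header name is an assumption
        return app.handle(fwd, resource, now)

def demo(now=1_700_000_000):
    auth = UserAuthorityService()
    gw, crm = GatewayService(auth, now), ApplicationService(auth, "crm", now)
    token, _ = auth.login("crm", "alice", "pw-a", now)
    bearer = {"Authorization": f"Bearer {token}"}
    return {
        "allowed": gw.handle(bearer, "GET /crm/customers", crm, now)[0],
        "denied": gw.handle(bearer, "DELETE /crm/customers", crm, now)[0],
        "bypass": crm.handle(bearer, "GET /crm/customers", now)[0],  # direct call with no service token
        "expired": gw.handle(bearer, "GET /crm/customers", crm, now + 901)[0],
        "unknown_app": auth.login("erp", "alice", "pw-a", now)[1],
        "rogue": auth.issue_service_token("rogue", sign(keypair(17, 19)[0], b"rogue"), now),
    }
```

`demo()` returns the outcome of an allowed request, a request outside the authorization list, a direct call to the application service that skips the gateway, an expired Token, a login against an unknown application system, and a service-token application from an unregistered service.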
Further, "the user authority service receives the external request and verifies the service token carried by the external request" specifically further comprises the following step:
The unified gateway packages the application identifier, the request information and the execution result into an audit log and asynchronously submits it to the user authority service; the user authority service verifies the service token and, if it passes verification, stores the audit log in the corresponding storage library according to the application identifier in the audit log and returns the log state.
Throughout the process, the multi-application system unifies the resource authentication, authorization and log audit of the different application systems through a micro-service architecture, so that each business application can focus on implementing its own business logic.
Referring to fig. 9, in one embodiment a storage medium 900 is provided on which a computer program is stored; when executed by a processor, the program implements any of the steps of the micro-service based multi-application system authority unified management method described above.
It should be noted that although the foregoing embodiments have been described herein, the scope of the present application is not limited thereby. Therefore, alterations and modifications to the embodiments described herein based on the innovative concepts of the present application, equivalent structures or equivalent flow transformations made on the basis of the description and drawings, and direct or indirect applications of the above technical solution to other relevant technical fields are all included within the scope of the application.

Claims (7)

1. A unified management method for multi-application system authority based on micro-services, characterized by comprising the following steps:
generating an independent user authority service for the user authorities of different applications;
receiving an external request, a unified gateway auditing the information of the external request, and distributing the external request that passes the audit to the corresponding application service;
the application service receiving the external request and verifying a service token carried by the external request, and/or the user authority service receiving the external request and verifying the service token carried by the external request;
wherein receiving the external request, the unified gateway auditing the information of the external request and distributing the audited external request to the corresponding application service specifically further comprises the steps of:
the external application initiates an authorization application to the user authority service through the unified gateway;
the unified gateway responds to the external request and sends request information of the authorization application to the user authority service;
the user authority service loads configuration information according to an application system identifier in the request information of the authorization application, connects to the corresponding storage library with the loaded configuration information, acquires the requesting user's information and verifies the user's legitimacy; if the user is legal, it creates a Session for the legal user, stores the Session in a storage cache, generates an authorization Token from the user Session and the application system identifier, and returns the generated Token to the external application through the gateway;
the authorization Token is generated by encryption with a Token private key built into the user authority service, and a Token public key is published externally; before 'receiving the external request and the unified gateway auditing the information of the external request', the method further comprises the following steps:
the gateway service, the user authority service and each application service register themselves with a registration service center, and synchronize all service instances registered with the registration service center from the registration service center;
the gateway service and the application service apply to the user authority service for a service token;
when the gateway service forwards a request to another service, the service token is carried in a request header of the request information of that request; or, when the application service sends out a request, the service token is carried in a request header of the request information of that request; wherein the gateway service, the user authority service and each application service registering themselves with the registration service center and synchronizing all service instances registered with the registration service center from the registration service center specifically further comprises the steps of:
the gateway service, the user authority service and each application service automatically register themselves with the registration service center on start-up;
the gateway service, the user authority service and each application service, once started, synchronize address lists of all service instances registered in the registration service center to local storage in real time;
and each application service connects to its respective application store and synchronizes the storage connection configuration information to the user authority service.
2. The unified management method for multi-application system authority based on micro-services according to claim 1, wherein the gateway service and the application service applying to the user authority service for a service token specifically further comprises the steps of:
the gateway service publishes a gateway service public key to the user authority service, loads a gateway service private key after the gateway service public key is published successfully, and encrypts its registered gateway service ID (identity) with the gateway service private key to generate a gateway service ID ciphertext;
the application service publishes an application service public key and the connection configuration information of its application store to the user authority service, loads an application service private key after the application service public key is published successfully, and encrypts its registered application service ID to generate an application service ID ciphertext;
the gateway service submits the gateway service ID ciphertext and gateway registration information to the user authority service to apply for a service token;
the application service submits the application service ID ciphertext and application registration information to the user authority service to apply for a service token;
the user authority service checks whether the gateway registration information is legal and verifies the gateway service ID ciphertext with the gateway service public key; if the gateway registration information is legal and the gateway service ID ciphertext passes verification, the user authority service generates a service token and returns it to the gateway service;
the user authority service checks whether the application registration information is legal and verifies the application service ID ciphertext with the application service public key; if the application registration information is legal and the application service ID ciphertext passes verification, the user authority service generates a service token and returns it to the application service;
the service token is generated with a user authority service token private key built into the user authority service;
and the public key of the user authority service token is published externally.
3. The unified management method for multi-application system authority based on micro-services according to claim 1, wherein after the user authority service loads the configuration information according to the application system identifier in the request information of the authorization application, the method specifically further comprises the step of:
if no configuration information corresponding to the application system is found, returning an error prompt directly;
and after the requesting user's information is acquired and the user's validity is verified, the method specifically further comprises the step of:
if the user is illegal, returning an error prompt directly.
4. The unified management method for multi-application system authority based on micro-services according to claim 1, further comprising the steps of:
the external application sends a request carrying the Token to the unified gateway;
the unified gateway verifies the Token information with the Token public key and, after the Token is verified as legal, obtains the authorization information of the corresponding user from the user authority service;
the user authority service verifies the Token again, connects to the corresponding storage library according to the application identifier in the Token, retrieves the user's authorization information from the corresponding storage library, and returns the retrieval result to the unified gateway;
the unified gateway matches the requested resource against the returned user authorization list and, if the requested resource matches the authorization list, distributes the request to a server of the corresponding running application service according to the service routing rules;
wherein the application service receiving the external request and verifying the service token carried by the external request specifically further comprises the steps of:
after receiving the request information, the application service verifies whether the service token and the Token are legal; if both are legal, the application service extracts the user information in the Token with the Token public key, executes the business flow according to the user information and the requested resource, and returns the execution result to the unified gateway;
and the unified gateway synchronously returns the execution result to the external application.
5. The unified management method for multi-application system authority based on micro-services according to claim 4, wherein after the matching of the requested resource, the method specifically further comprises the step of:
if the requested resource does not match the authorization list, returning override error information;
and after the user information in the Token is extracted with the Token public key, the method specifically further comprises the step of:
if more user information is needed, synchronously sending a request to the user authority service to acquire the user's detailed information.
6. The unified management method for multi-application system authority based on micro-services according to claim 4, wherein the step of the user authority service receiving the external request and verifying the service token carried by the external request further comprises the step of:
the unified gateway packages the application identifier, the request information and the execution result into an audit log and asynchronously submits the audit log to the user authority service; the user authority service verifies the service token and, if the service token passes verification, stores the audit log in the corresponding storage library according to the application identifier of the audit log and returns the log state.
7. A storage medium having a computer program stored thereon, characterized in that
the program, when executed by a processor, performs the steps of any one of claims 1 to 6.
CN202110755655.XA 2021-07-05 2021-07-05 Multi-application system authority unified management method based on micro-service and storage medium Active CN113472794B (en)

Publications (2)

Publication Number Publication Date
CN113472794A CN113472794A (en) 2021-10-01
CN113472794B true CN113472794B (en) 2023-08-15

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant