CN113672896A - Interface authority verification method, system, electronic device and storage medium - Google Patents


Info

Publication number
CN113672896A
Authority
CN
China
Prior art keywords
service
interface
user
target
interface authority
Prior art date
Legal status
Pending
Application number
CN202110774018.7A
Other languages
Chinese (zh)
Inventor
袁博
徐凯
宋键
孙蕊蕊
Current Assignee
Zhejiang Dahua Technology Co Ltd
Original Assignee
Zhejiang Dahua Technology Co Ltd
Priority date
Filing date
Publication date
Application filed by Zhejiang Dahua Technology Co Ltd
Priority to CN202110774018.7A
Publication of CN113672896A

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/44 Program or device authentication
    • G06F21/31 User authentication

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Computer And Data Communications (AREA)

Abstract

The application relates to an interface authority verification method, system, electronic device and storage medium. A service request message initiated by a user is acquired, and the user identifier and the service identifier of the target service requested by the message are obtained from it; the target interface authority information of the target service is acquired from pre-stored interface authority information according to the service identifier; the user is authenticated according to the target interface authority information and the user identifier; and, if the authentication passes, the service request message is forwarded to the target service. This solves the problems in the related art that interface authority cannot be checked uniformly and that service development and maintenance cost is high: interface authority is checked uniformly, and service development and maintenance cost is reduced.

Description

Interface authority verification method, system, electronic device and storage medium
Technical Field
The present application relates to the field of service permission verification, and in particular, to a method, a system, an electronic device, and a storage medium for interface permission verification.
Background
Micro-service architecture: a single application is developed as a group of small services, each running in its own process; each service is built around a single business capability, and the services can communicate with one another.
In a micro-service architecture system, a user's permission to access a service API (Application Programming Interface) is usually configured at the client, and the configuration data is stored in the authentication center, while the context information of each API permission is stored in the service where that API is located. User requests are forwarded through a gateway. Because the gateway and the API are not in the same service process, the context information of the API permission requested by the user cannot be obtained directly, so the user's API permission has to be verified in every service; API permission verification is therefore inefficient, and a lot of repetitive work is generated during development and maintenance.
For the problems in the related art that interface authority cannot be verified uniformly and that service development and maintenance cost is high, no effective solution has been proposed so far.
Disclosure of Invention
The embodiment provides an interface authority checking method, an interface authority checking system, an electronic device and a storage medium, so as to solve the problems that the interface authority cannot be checked uniformly in the related art and the service development and maintenance cost is high.
In a first aspect, in this embodiment, a method for checking interface permissions is provided, including:
acquiring a service request message initiated by a user, and acquiring a user identifier and a service identifier of a target service requested by the service request message from the service request message;
acquiring target interface authority information of the target service from pre-stored interface authority information according to the service identifier;
authenticating the user according to the target interface authority information and the user identification;
and forwarding the service request message to the target service if the authentication passes.
In some embodiments, before obtaining the target interface permission information of the target service from the pre-stored interface permission information according to the service identifier, the method further includes:
introducing a preset annotation into the start class of each of a plurality of services, introducing a preset object into the preset annotation, and using the preset object to monitor whether the process of each service has completed initialization, so as to acquire monitoring information;
determining, according to the monitoring information, whether there is a service whose process initialization is complete;
and, if the monitoring information indicates that such a service exists, scanning the interfaces of that service to obtain its interface authority information.
In some embodiments, when it is determined that there is a service for which process initialization is completed according to the monitoring information, scanning an interface of a corresponding service to obtain interface authority information of the corresponding service includes:
and generating an interface authority information list according to the interface authority information belonging to the corresponding service, and storing the service identifier and the interface authority information of the corresponding service by taking the service identifier of the corresponding service as a key and the interface authority information list of the corresponding service as a value.
In some embodiments, the interface permission information list includes a request method and interface permission information associated with each other, and the service request message carries a service identifier and a request method of the target service; according to the service identifier, acquiring target interface authority information of the target service from pre-stored interface authority information comprises the following steps:
and acquiring an interface authority information list of the target service from the pre-stored interface authority information according to the service identifier, and acquiring the interface authority information of the target service from the interface authority information list according to the request method.
In some embodiments, authenticating the user according to the target interface permission information and the user identifier comprises:
and calling an authentication service to authenticate the interface of the user accessing the target service according to the target interface authority information and the user identification to obtain an authentication result, wherein the authentication service is used for acquiring interface authority configuration information corresponding to the user identification, matching the interface authority configuration information with the interface authority information in the request parameter and outputting the authentication result.
In some embodiments, after authenticating the user according to the target interface authority information and the user identifier, the method further comprises:
and, if the authentication fails, intercepting the service request message and sending the user a message indicating that the user's authentication failed.
In some embodiments, after obtaining the user-initiated service request message, the method further comprises:
and filtering the service request message by adopting a preset filtering rule, wherein the preset filtering rule comprises an authentication filtering rule, and the authentication filtering rule is used for responding to an authentication result obtained after the user is authenticated according to the target interface authority information and the user identification, and determining whether to intercept the service request message according to the authentication result.
In some embodiments, the target service includes a microservice for implementing a single business capability, and processes between the microservices are independent.
In a second aspect, in this embodiment, there is provided an interface right checking system, including a gateway, an authentication center and a storage engine, the gateway being connected to the authentication center and to the storage engine respectively; wherein:
the gateway is provided with at least one layer of filters, connected in sequence by priority, through which service request messages initiated by users pass from high to low priority, and at least one layer of filters is provided with an authentication filtering rule responding to target interface authority information and a user identifier;
the storage engine is connected with a plurality of services, and the storage engine is used for acquiring interface authority information of each service;
the authentication center stores the interface authority configuration information of the user, and is used for matching the interface authority configuration information corresponding to the user identification with the interface authority information in the request parameters transmitted by the gateway and outputting an authentication result to the gateway.
In a third aspect, in the present embodiment, there is provided an electronic apparatus, including a memory and a processor, where the memory stores a computer program, and the processor is configured to execute the computer program to execute the interface right checking method according to the first aspect.
In a fourth aspect, in the present embodiment, there is provided a storage medium, on which a computer program is stored, which when executed by a processor, implements the interface right checking method according to the first aspect.
Compared with the related art, the interface permission verification method, the system, the electronic device and the storage medium provided in the embodiment acquire the user identifier and the service identifier of the target service requested by the service request message from the service request message by acquiring the service request message initiated by the user; acquiring target interface authority information of the target service from pre-stored interface authority information according to the service identifier; authenticating the user according to the target interface authority information and the user identification; and under the condition that the authentication is passed, the service request message is forwarded to the target service, so that the problems that the interface authority cannot be uniformly checked and the service development and maintenance cost is high in the related technology are solved, the uniform check of the interface authority is realized, and the service development and maintenance cost is reduced.
The details of one or more embodiments of the application are set forth in the accompanying drawings and the description below to provide a more thorough understanding of the application.
Drawings
The accompanying drawings, which are included to provide a further understanding of the application and are incorporated in and constitute a part of this application, illustrate embodiment(s) of the application and together with the description serve to explain the application and not to limit the application. In the drawings:
FIG. 1 is a block diagram of a hardware structure of a terminal of the interface right verification method according to the present embodiment;
FIG. 2 is a flowchart of an interface permission checking method according to an embodiment of the present application;
FIG. 3 is an architecture diagram of the interface right checking system of the present embodiment;
FIG. 4 is a diagram illustrating a list of interface rights information according to an embodiment of the present application;
FIG. 5 is a flowchart of an interface authority checking method according to the preferred embodiment of the present application.
Detailed Description
For a clearer understanding of the objects, aspects and advantages of the present application, reference is made to the following description and accompanying drawings.
Unless defined otherwise, technical or scientific terms used herein shall have the same general meaning as commonly understood by one of ordinary skill in the art to which this application belongs. The use of the terms "a" and "an" and "the" and similar referents in the context of this application does not denote a limitation of quantity, either in the singular or the plural. The terms "comprises," "comprising," "has," "having," and any variations thereof, as referred to in this application, are intended to cover non-exclusive inclusions; for example, a process, method, system, article, or apparatus that comprises a list of steps or modules (elements) is not limited to the listed steps or modules, but may include other steps or modules (elements) not listed or inherent to such process, method, article, or apparatus. Reference throughout this application to "connected," "coupled," and the like is not limited to physical or mechanical connections, but may include electrical connections, whether direct or indirect. Reference to "a plurality" in this application means two or more. "and/or" describes an association relationship of associated objects, meaning that three relationships may exist; for example, "A and/or B" may mean: A exists alone, A and B exist simultaneously, or B exists alone. In general, the character "/" indicates that the objects before and after it are in an "or" relationship. The terms "first," "second," "third," and the like in this application are used for distinguishing between similar items and not necessarily for describing a particular sequential or chronological order.
The method embodiments provided in the present embodiment may be executed in a terminal, a computer, or a similar computing device. For example, the method is executed on a terminal, and fig. 1 is a block diagram of a hardware structure of the terminal according to the interface right verification method in this embodiment. As shown in fig. 1, the terminal may include one or more processors 102 (only one shown in fig. 1) and a memory 104 for storing data, wherein the processor 102 may include, but is not limited to, a processing device such as a microprocessor MCU or a programmable logic device FPGA. The terminal may also include a transmission device 106 for communication functions and an input-output device 108. It will be understood by those of ordinary skill in the art that the structure shown in fig. 1 is merely an illustration and is not intended to limit the structure of the terminal described above. For example, the terminal may also include more or fewer components than shown in FIG. 1, or have a different configuration than shown in FIG. 1.
The memory 104 may be used to store computer programs, for example, software programs and modules of application software, such as a computer program corresponding to the interface authorization checking method in the embodiment, and the processor 102 executes various functional applications and data processing by running the computer programs stored in the memory 104, that is, implementing the methods described above. The memory 104 may include high speed random access memory, and may also include non-volatile memory, such as one or more magnetic storage devices, flash memory, or other non-volatile solid-state memory. In some examples, the memory 104 may further include memory located remotely from the processor 102, which may be connected to the terminal over a network. Examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks, and combinations thereof.
The transmission device 106 is used to receive or transmit data via a network. The network described above includes a wireless network provided by a communication provider of the terminal. In one example, the transmission device 106 includes a Network adapter (NIC) that can be connected to other Network devices through a base station to communicate with the internet. In one example, the transmission device 106 may be a Radio Frequency (RF) module, which is used to communicate with the internet in a wireless manner.
The interface authority checking method of the present application can be applied to a gateway, and fig. 2 is a flowchart of the interface authority checking method of the embodiment of the present application, and as shown in fig. 2, the flowchart includes the following steps:
step S201, obtains a service request message initiated by a user, and obtains a user identifier and a service identifier of a target service requested by the service request message from the service request message.
The gateway obtains a service request message initiated by a user, obtains a user identifier and a request path (URL for short) from the service request message, and locates a target service requested by the user according to the request path, thereby obtaining a service identifier of the target service.
Step S202, according to the service identification, the target interface authority information of the target service is obtained from the pre-stored interface authority information.
The interface authority information is used for restricting the access authority of the user to the service interface, the pre-stored interface authority information and the service identifier are stored in an associated mode, and the gateway can inquire the authority information of the interface which the user requests to access according to the service identifier. The pre-stored interface authority information may be configured in the gateway, or may be configured in other services independent of the gateway, which is not limited in this embodiment.
Step S203, authenticating the user according to the target interface authority information and the user identification.
The gateway may have the interface authority information of the user pre-configured; when the user needs to be authenticated, the gateway matches the interface authority configuration information corresponding to the user identifier with the authority information of the interface requested by the user, and outputs the authentication result.
Or, interface authority information of the user may be preconfigured in other services independent of the gateway, and the gateway calls the service by passing a request parameter to the service and receives an authentication result returned by the service, where the request parameter may include target interface authority information and a user identifier.
Step S204, under the condition that the authentication is passed, the service request message is forwarded to the target service.
If the authentication passes, the gateway releases the service request message and sends it to the target service.
In steps S201 to S204 above, the gateway can directly obtain, within one service process, the context information of the interface permission for the target service that the user requests, without the user's interface permission having to be checked in each target service. The gateway therefore performs unified authentication of the user's interface permission to the target services, which improves the efficiency of interface permission checking. Moreover, since the user's interface authority to access the target service does not need to be verified in each target service, the development and maintenance work for an interface authority verification function in each target service can be omitted.
Through the steps, the problems that interface authorities cannot be verified in a unified mode and the development and maintenance cost of the service is high in the related technology are solved, the unified verification of the interface authorities is achieved, and the development and maintenance cost of the service is reduced.
In some embodiments, before obtaining the target interface permission information of the target service from the pre-stored interface permission information according to the service identifier, the method further includes the following steps:
introducing a preset annotation into the start class of each of the plurality of services, introducing a preset object into the preset annotation, and using the preset object to monitor whether the process of each service has completed initialization, so as to acquire monitoring information; determining, according to the monitoring information, whether there is a service whose process initialization is complete; and, if the monitoring information indicates that such a service exists, scanning the interfaces of that service to obtain its interface authority information.
For example, an @EnableAuthClient annotation is introduced into the start class of each service (the service framework is required to be Spring Boot, and a RedisTemplate object must be configured) to switch on the uploading of interface permission information. Inside the @EnableAuthClient annotation a RequestMappingConfigure class object is introduced by import; this object listens for the ApplicationReadyEvent event, and after the service has started successfully it scans all APIs of the service and uploads the interface permission information to a Redis database.
This arrangement makes it possible to obtain the interface authority context information of each service without the service itself being aware of it.
After the interface authority information of the corresponding service has been obtained by scanning, and to facilitate later queries of it, an interface authority information list can be generated from the interface authority information belonging to that service, and the service identifier and the interface authority information of the service are stored with the service identifier as the key and the interface authority information list as the value.
In some embodiments, the interface right information list associates a request method with interface right information, and the service request message carries the service identifier and the request method of the target service. When the target interface right information is acquired from the pre-stored interface right information according to the service identifier, the interface right information list of the target service is first acquired according to the service identifier, and the interface right information of the target service is then taken from that list according to the request method.
When the user is authenticated according to the target interface authority information and the user identification, the authentication service is called to authenticate the interface of the user accessing the target service according to the target interface authority information and the user identification to obtain an authentication result, wherein the authentication service is used for obtaining interface authority configuration information corresponding to the user identification, matching the interface authority configuration information with the interface authority information in the request parameter and outputting the authentication result.
In some embodiments, after obtaining the service request message initiated by the user, the service request message is further filtered by using a preset filtering rule, where the preset filtering rule includes an authentication filtering rule, and the authentication filtering rule is used for responding to an authentication result and determining whether to intercept the service request message according to the authentication result. And the authentication result is used for indicating whether the user has the authority of accessing the interface of the target service. Under the condition that the authentication is passed, forwarding the service request message to the target service; and in the case that the authentication is not passed, intercepting a service request message and sending a message for indicating that the authentication of the user fails to the user.
In some embodiments, the target service includes micro-services that are used to implement a single business capability, with processes between each micro-service being independent of each other.
Fig. 3 is an architecture diagram of the interface right checking system of this embodiment, and as shown in fig. 3, the system includes a gateway 31, an authentication center 32, and a storage engine 33, where the gateway 31 is connected to the authentication center 32 and the storage engine 33, respectively.
The gateway 31 is provided with at least one layer of filters, the filters are connected in sequence according to priority, service request messages initiated by users pass through the filters from high to low priority, wherein at least one layer of filters is provided with an authentication filtering rule for responding target interface authority information and user identification; the storage engine 33 is connected with a plurality of services, and the storage engine 33 is used for acquiring interface authority information of each service; the authentication center 32 stores interface authority configuration information of a user, and the authentication center 32 is configured to match the interface authority configuration information corresponding to the user identifier with the interface authority information in the request parameter transmitted by the gateway 31, and output an authentication result to the gateway 31.
The interface authority checking method will be further described below based on the design of the gateway, the authentication center and the storage engine, respectively.
The gateway can be provided with one or more layers of filters, wherein the filters are provided with filtering rules for indicating modification requests and response contents, and the filters can intercept and modify service request messages and perform secondary processing on upstream responses.
The filters are connected in sequence according to the priority, the service request message passes through at least one layer of filter from high to low priority, and the at least one layer of filter is provided with a filtering rule for responding the target interface authority information and the user identification.
For example, the gateway includes an authentication filter (which verifies the user's interface authority to access the target service) and a non-authentication filter. If the authentication filter is placed before the non-authentication filter, the non-authentication filter can decide whether to perform its filtering according to the filtering result of the authentication filter. That is, if a higher-priority filter does not pass the request, the subsequent lower-priority filters need not perform any filtering, which saves computing resources.
In this embodiment, an authentication center provides an authentication service, the authentication center stores interface authority configuration information of a user, and the authentication center is configured to match the interface authority configuration information corresponding to the user identifier with the interface authority information in the request parameter, and output an authentication result to the gateway.
The authentication filter determines whether to pass the service request message of the user according to the authentication result.
If the authentication filter judges that the authentication passes, it passes the service request message: either it sends the service request message directly to the target service, or, if it is connected to a filter of lower priority, it sends the service request message together with its filtering result to the lower-priority filter, which filters the service request message according to that result and then sends it to the target service.
If the authentication filter judges that the authentication fails, it intercepts the service request message and sends an authentication-failure message to the user.
In some embodiments, after the authentication filter passes the service request message and forwards the service request message to the target service, the gateway receives a response message returned by the target service in response to the service request message, and passes the response message through the filter in order of priority from low to high, and finally reaches the user.
In some embodiments, the service request message carries a service identifier and a request method of a target service, and the gateway first obtains an interface authority information list corresponding to the service identifier from interface authority information pre-stored in the storage engine, and then obtains the interface authority information corresponding to the request method from the interface authority information list.
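As an added example (not code from the patent or from Zhejiang Dahua), the following Python model puts steps S201 to S204 and the priority-ordered filter chain described above together: a dict keyed by service identifier stands in for the storage engine, a per-user permission set stands in for the authentication center, and the service identifiers, paths, user ids and permission strings are constructed sample data.

```python
"""Gateway-side interface authority check modelled on steps S201-S204 and on
the priority-ordered filter chain. All ids, paths and permissions are constructed."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

# Stand-in for the storage engine: key = service identifier, value = the
# interface authority list mapping "METHOD path" to the permission required.
INTERFACE_AUTHORITY: Dict[str, Dict[str, str]] = {
    "device-svc": {"GET /device/list": "device:read",
                   "POST /device/add": "device:write"},
    "user-svc": {"GET /user/list": "user:read"},
}

# Stand-in for the authentication center: permissions configured per user.
USER_AUTHORITY: Dict[str, set] = {
    "alice": {"device:read", "device:write", "user:read"},
    "bob": {"device:read"},
}

# Path prefixes used to locate the target service from the request URL.
ROUTES = {"/device/": "device-svc", "/user/": "user-svc"}
AUDIT_LOG: List[str] = []  # written by the low-priority audit filter


@dataclass
class Request:
    user_id: str
    method: str
    path: str


@dataclass
class Response:
    status: int
    body: str
    headers: Dict[str, str] = field(default_factory=dict)


def locate_service(path: str) -> Optional[str]:
    """S201: derive the service identifier from the request path."""
    for prefix, service_id in ROUTES.items():
        if path.startswith(prefix):
            return service_id
    return None


def target_interface_authority(service_id: str, method: str, path: str) -> Optional[str]:
    """S202: look up the permission the requested interface requires."""
    return INTERFACE_AUTHORITY.get(service_id, {}).get(f"{method} {path}")


def authenticate(user_id: str, required: str) -> bool:
    """S203: the authentication center matches the user's configured
    permissions against the permission passed in the request parameter."""
    return required in USER_AUTHORITY.get(user_id, set())


def authentication_filter(req: Request) -> Optional[Response]:
    """Authentication filter: a Response intercepts the request, None passes it."""
    service_id = locate_service(req.path)
    if service_id is None:
        return Response(404, "no target service for path")
    required = target_interface_authority(service_id, req.method, req.path)
    # Assumption (not stated in the text): an interface with no registered permission is denied.
    if required is None or not authenticate(req.user_id, required):
        return Response(403, "user authentication failed")
    return None


def audit_filter(req: Request) -> Optional[Response]:
    """Lower-priority non-authentication filter; it never intercepts."""
    AUDIT_LOG.append(f"{req.user_id} {req.method} {req.path}")
    return None


def add_gateway_header(resp: Response) -> Response:
    resp.headers["X-Gateway"] = "auth-gw"  # response-side work of the auth filter
    return resp


@dataclass
class Filter:
    priority: int
    on_request: Callable[[Request], Optional[Response]]
    on_response: Callable[[Response], Response] = lambda r: r


SERVICES: Dict[str, Callable[[Request], Response]] = {  # stand-in target services
    "device-svc": lambda req: Response(200, f"device-svc handled {req.path}"),
    "user-svc": lambda req: Response(200, f"user-svc handled {req.path}"),
}

FILTERS = [Filter(10, authentication_filter, add_gateway_header),
           Filter(1, audit_filter)]


def handle(req: Request) -> Response:
    """Requests traverse the filters from high to low priority and the first
    interception short-circuits the rest (a rejected request never reaches the
    audit filter). S204: only a passed request is forwarded; the upstream
    response then travels back through the filters from low to high."""
    chain = sorted(FILTERS, key=lambda f: f.priority, reverse=True)
    for flt in chain:
        intercepted = flt.on_request(req)
        if intercepted is not None:
            return intercepted
    resp = SERVICES[locate_service(req.path)](req)
    for flt in reversed(chain):
        resp = flt.on_response(resp)
    return resp
```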
The storage engine is connected with the plurality of services. A preset annotation is introduced into the start class of each of the plurality of services and a preset object is introduced into the preset annotation; the preset object monitors whether the process of each service has completed initialization, and the resulting monitoring information is acquired. Whether a service whose process initialization is complete exists is determined according to the monitoring information, and if so, the interfaces of that service are scanned to obtain its interface authority information.
A preset annotation is placed on the start class of the service and a preset object is placed inside the preset annotation; the preset object monitors whether the process of the service has been initialized, and if it detects that the process has been initialized, the service uploads its interface authority information to the storage engine.
In some embodiments, the storage engine is implemented on Redis (a data structure server). An @EnableAuthClient annotation is introduced into the start class of each service (the service framework is required to be Spring Boot, and a RedisTemplate object must be configured) to switch on the uploading of interface permission information. Inside the @EnableAuthClient annotation a RequestMappingConfigure class object is introduced by import; this object listens for the ApplicationReadyEvent event, and after the service has started successfully all APIs of the service are scanned and the interface permission information is uploaded to the Redis database.
The storage engine generates an interface authority information list from the interface authority information belonging to the same target service and stores the service identifier of the target service and the list as a key-value pair, the service identifier being the key and the interface authority information list the value. For example, a Hash data structure (the Redis hash type) is used to store all interface authority information of each service, with the service identifier as the key and the interface authority information list as the value.
As shown in FIG. 4, the interface permission information list includes the service identifier (URL), the request method and the interface permission information; one service identifier is associated with multiple request methods and multiple items of interface permission information, and each request method is associated with its interface permission information.
In some embodiments, the target service comprises a microservice, the microservice is used for realizing single business capability, and processes among a plurality of microservices connected by the storage engine are independent.
The interface authority verification method of the present application is described below by a preferred embodiment.
Fig. 5 is a flowchart of an interface authority verification method according to a preferred embodiment of the present application, and as shown in fig. 5, the flowchart includes the following steps:
Step S51, the gateway receives a service request message initiated by the user. After the user's service request message enters the authentication filter, the filter obtains the user identifier from the header of the service request message, and then determines which service the user is requesting from the request URL, that is, obtains the service identifier of the target service.
Step S52, the gateway obtains the interface authority information of the target service from the storage engine according to the service request message. The storage engine queries the interface authority information list of the service by the service identifier, iterates over the list, and matches the authority information of each interface against the request method (Method) and the request path; for example, the request method may first be matched for equality and then the request path matched by regular expression, which yields the corresponding interface authority information.
Step S53, the gateway asks the authentication center to check the user's interface authority. The gateway takes the user identifier and the interface authority information as request parameters and calls the authority verification interface of the authentication center over HTTP (Hypertext Transfer Protocol).
Step S54, the authentication center checks the interface authority of the user. After receiving the gateway's request, the authentication center looks up the preset interface authority information owned by the user by means of the user identifier in the parameters, compares it with the interface authority information passed in the parameters, and returns the check result to the gateway. If the check passes, HTTP response status code 200 is returned for the gateway's request; if it does not pass, HTTP response status code 401 is returned.
Step S55, the gateway determines whether the interface authority check succeeded. If so, step S56 is executed; if not, step S57 is executed. The authentication filter receives the response returned by the authentication center and examines its HTTP status code: if it is 200, the interface authority check has passed and the request is released; if it is not 200, the check has not passed and a response stating that the user's authority check failed is returned directly.
Step S56, the service request message is forwarded to the target service.
Step S57, a message indicating that the user's interface authority check failed is returned.
This preferred embodiment realizes unified management of interface authority information: during service startup, and without each service being aware of it, the interface authority context information inside the service is uploaded to the storage engine for storage. Second, an authentication filter for users is designed at the gateway layer: when a user request passes through the gateway, the interface authority context information is queried from the storage engine according to the request, and the authentication center interface is then called to check whether the user has the authority to access the service's interface. This solves the problem that, under a microservice architecture, users' interface access authority could not be checked uniformly at the gateway.
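The whole flow of steps S51 to S57, together with the startup upload of interface authority information and the key-value layout described for the storage engine, as one added example; this is illustration code written for this page, not the patent's implementation, and it stands in for the Spring Boot and Redis components with plain Python objects. Assumptions, all constructed for the example: an in-memory dictionary plays the Redis Hash (service identifier as key, interface authority list as value), the user identifier arrives in an `X-User-Id` header, the first path segment of the request URL names the target service, the `order` service and the users `alice` and `bob` are sample data, and an interface that no service has uploaded is denied.

```python
import re
from dataclasses import dataclass


class StorageEngine:
    """In-memory stand-in (assumption) for the Redis Hash on the page: key = service
    identifier, value = that service's interface authority information list, each item
    carrying a request method, a path pattern and the interface authority name."""

    def __init__(self):
        self._hash = {}

    def upload(self, service_id, entries):
        self._hash[service_id] = list(entries)

    def lookup(self, service_id, method, path):
        """Step S52: iterate the service's list, match the request method for equality
        first, then the request path by regular expression (anchored with fullmatch)."""
        for entry in self._hash.get(service_id, []):
            if entry["method"] == method and re.fullmatch(entry["path"], path):
                return entry["authority"]
        return None


@dataclass
class Service:
    service_id: str
    routes: list  # constructed sample: (method, path regex, interface authority)


def on_application_ready(service, engine):
    """What the startup hook does once the service process is initialized:
    scan the service's APIs and upload their authority information to the engine."""
    engine.upload(service.service_id,
                  [{"method": m, "path": p, "authority": a} for m, p, a in service.routes])


class AuthCenter:
    """Holds each user's preset interface authority (constructed sample data) and
    answers the gateway's check with an HTTP-style status code (step S54)."""

    def __init__(self, user_authorities):
        self._authorities = user_authorities

    def check(self, user_id, authority):
        return 200 if authority in self._authorities.get(user_id, set()) else 401


def split_request_url(url):
    """Assumption: the first path segment names the target service; the remainder is
    the request path matched against that service's interface authority list."""
    parts = url.lstrip("/").split("/", 1)
    return parts[0], "/" + (parts[1] if len(parts) > 1 else "")


def authenticate_request(engine, auth_center, headers, method, url):
    """Steps S51, S53 and S55: the authentication filter's decision for one request."""
    user_id = headers.get("X-User-Id")  # header name is an assumption of this example
    if not user_id:
        return {"forward": False, "status": 401, "reason": "missing user identifier"}
    service_id, path = split_request_url(url)
    authority = engine.lookup(service_id, method, path)
    if authority is None:
        # Fail closed: an interface never uploaded by any service is not forwarded.
        return {"forward": False, "status": 401, "reason": "interface not registered"}
    if auth_center.check(user_id, authority) == 200:
        return {"forward": True, "status": 200, "authority": authority}
    return {"forward": False, "status": 401, "reason": "interface authority check failed"}


def build_demo():
    """Constructed sample deployment: one service, two users with different authority."""
    engine = StorageEngine()
    order_service = Service("order", [
        ("GET", r"/api/v1/orders/\d+", "order:read"),
        ("POST", r"/api/v1/orders", "order:create"),
    ])
    on_application_ready(order_service, engine)
    auth_center = AuthCenter({"alice": {"order:read"},
                              "bob": {"order:read", "order:create"}})
    return engine, auth_center


if __name__ == "__main__":
    engine, auth_center = build_demo()
    print(authenticate_request(engine, auth_center, {"X-User-Id": "alice"},
                               "GET", "/order/api/v1/orders/42"))   # forwarded
    print(authenticate_request(engine, auth_center, {"X-User-Id": "alice"},
                               "POST", "/order/api/v1/orders"))     # 401
```

Two points matter when turning this into a real gateway. The user identifier that the filter reads from the header must be one the gateway itself established (for example from a session or a token it has verified), since a value copied straight from the client is not evidence of identity. And path patterns uploaded by services should be anchored, as `re.fullmatch` does here, so that a pattern for one interface cannot also match a longer path belonging to another.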
This embodiment also provides an electronic device comprising a memory in which a computer program is stored and a processor arranged to run the computer program so as to perform the steps of any of the above method embodiments.
Optionally, the electronic apparatus may further include a transmission device and an input/output device, wherein the transmission device is connected to the processor, and the input/output device is connected to the processor.
Optionally, in this embodiment, the processor may be configured to execute the following steps by a computer program:
S1, obtaining a service request message initiated by a user, and obtaining from the service request message the user identifier and the service identifier of the target service it requests.
S2, obtaining the target interface authority information of the target service from the pre-stored interface authority information according to the service identifier.
S3, authenticating the user according to the target interface authority information and the user identifier.
S4, forwarding the service request message to the target service if the authentication passes.
It should be noted that, for specific examples in this embodiment, reference may be made to the examples described in the foregoing embodiments and optional implementations, and details are not described again in this embodiment.
In addition, in combination with the interface authority verification method provided in the foregoing embodiments, this embodiment may also provide a storage medium to implement the method. The storage medium stores a computer program which, when executed by a processor, implements any of the interface authority verification methods in the above embodiments.
It should be understood that the specific embodiments described herein are merely illustrative of this application and are not intended to be limiting. All other embodiments, which can be derived by a person skilled in the art from the examples provided herein without any inventive step, shall fall within the scope of protection of the present application.
It is obvious that the drawings are only examples or embodiments of the present application, and it is obvious to those skilled in the art that the present application can be applied to other similar cases according to the drawings without creative efforts. Moreover, it should be appreciated that in the development of any such actual implementation, as in any engineering or design project, numerous implementation-specific decisions must be made to achieve the developers' specific goals, such as compliance with system-related and business-related constraints, which may vary from one implementation to another.
The term "embodiment" is used herein to mean that a particular feature, structure, or characteristic described in connection with the embodiment can be included in at least one embodiment of the present application. The appearances of such phrases in various places in the specification are not necessarily all referring to the same embodiment, nor are separate or alternative embodiments mutually exclusive of other embodiments. It is to be expressly or implicitly understood by one of ordinary skill in the art that the embodiments described in this application may be combined with other embodiments without conflict.
The above-mentioned embodiments only express several embodiments of the present application, and the description thereof is more specific and detailed, but not construed as limiting the scope of the patent protection. It should be noted that, for a person skilled in the art, several variations and modifications can be made without departing from the concept of the present application, which falls within the scope of protection of the present application. Therefore, the protection scope of the present application shall be subject to the appended claims.

Claims (11)

1. An interface authority verification method is characterized by comprising the following steps:
acquiring a service request message initiated by a user, and acquiring a user identifier and a service identifier of a target service requested by the service request message from the service request message;
acquiring target interface authority information of the target service from pre-stored interface authority information according to the service identifier;
authenticating the user according to the target interface authority information and the user identification;
and forwarding the service request message to the target service in the case of passing the authentication.
2. The interface authorization verification method according to claim 1, wherein before acquiring the target interface authorization information of the target service from the pre-stored interface authorization information according to the service identifier, the method further comprises:
introducing preset annotations into the starting classes of a plurality of services, introducing preset objects into the preset annotations, and acquiring monitoring information whether the process of monitoring each service by the preset objects completes initialization;
judging whether a service for completing process initialization exists according to the monitoring information;
and under the condition that the service of which the process initialization is finished exists according to the monitoring information, scanning the interface of the corresponding service to obtain the interface authority information of the corresponding service.
3. The method of claim 2, wherein scanning the interface of the corresponding service to obtain the interface permission information of the corresponding service when it is determined that the service for which the process initialization has been completed exists according to the monitored information comprises:
and generating an interface authority information list according to the interface authority information belonging to the corresponding service, and storing the service identifier and the interface authority information of the corresponding service by taking the service identifier of the corresponding service as a key and the interface authority information list of the corresponding service as a value.
4. The interface authority checking method according to claim 3, wherein the interface authority information list includes associated request method and interface authority information, and the service request message carries the service identifier and request method of the target service; according to the service identifier, acquiring target interface authority information of the target service from pre-stored interface authority information comprises the following steps:
and acquiring an interface authority information list of the target service from the pre-stored interface authority information according to the service identifier, and acquiring the interface authority information of the target service from the interface authority information list according to the request method.
5. The interface authorization verification method according to claim 1, wherein authenticating the user according to the target interface authorization information and the user identifier comprises:
and calling an authentication service to authenticate the interface of the user accessing the target service according to the target interface authority information and the user identification to obtain an authentication result, wherein the authentication service is used for acquiring interface authority configuration information corresponding to the user identification, matching the interface authority configuration information with the interface authority information in the request parameter and outputting the authentication result.
6. The interface authorization verification method according to claim 1, wherein after authenticating the user according to the target interface authorization information and the user identifier, the method further comprises:
and intercepting the service request message and sending a message for indicating that the user authentication fails to pass the authentication to the user under the condition that the authentication fails.
7. The interface permission verification method of claim 1, wherein after obtaining the user-initiated service request message, the method further comprises:
and filtering the service request message by adopting a preset filtering rule, wherein the preset filtering rule comprises an authentication filtering rule, and the authentication filtering rule is used for responding to an authentication result obtained after the user is authenticated according to the target interface authority information and the user identification, and determining whether to intercept the service request message according to the authentication result.
8. The interface permission verification method according to any one of claims 1 to 7, wherein the target service includes a micro-service, the micro-service is configured to implement a single business capability, and processes between the micro-services are independent of each other.
9. An interface privilege verification system, comprising: a gateway, an authentication center and a storage engine, the gateway being connected with the authentication center and the storage engine respectively; wherein
the gateway is provided with at least one layer of filters, the filters are connected in sequence according to priority, service request messages initiated by users pass through the filters from high to low priority, and authentication filtering rules for responding target interface authority information and user identification are arranged in the at least one layer of filters;
the storage engine is connected with a plurality of services, and the storage engine is used for acquiring interface authority information of each service;
the authentication center stores the interface authority configuration information of the user, and is used for matching the interface authority configuration information corresponding to the user identification with the interface authority information in the request parameters transmitted by the gateway and outputting an authentication result to the gateway.
10. An electronic device comprising a memory and a processor, wherein the memory stores a computer program, and the processor is configured to execute the computer program to perform the interface authorization checking method according to any one of claims 1 to 8.
11. A computer-readable storage medium, on which a computer program is stored, which, when being executed by a processor, carries out the steps of the interface authorization checking method according to any of claims 1 to 8.
CN202110774018.7A 2021-07-08 2021-07-08 Interface authority verification method, system, electronic device and storage medium Pending CN113672896A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110774018.7A CN113672896A (en) 2021-07-08 2021-07-08 Interface authority verification method, system, electronic device and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202110774018.7A CN113672896A (en) 2021-07-08 2021-07-08 Interface authority verification method, system, electronic device and storage medium

Publications (1)

Publication Number Publication Date
CN113672896A true CN113672896A (en) 2021-11-19

Family

ID=78538720

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110774018.7A Pending CN113672896A (en) 2021-07-08 2021-07-08 Interface authority verification method, system, electronic device and storage medium

Country Status (1)

Country Link
CN (1) CN113672896A (en)

Cited By (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114238178A (en) * 2021-12-09 2022-03-25 零氪科技(北京)有限公司 Calling method and device of micro-service architecture, electronic equipment and storage medium
CN114465996A (en) * 2022-01-30 2022-05-10 中国农业银行股份有限公司 Interface authority control system and method and electronic equipment
CN114465892A (en) * 2022-03-16 2022-05-10 北京字节跳动网络技术有限公司 Interface maintenance method and device, electronic equipment and storage medium
CN114666387A (en) * 2022-03-25 2022-06-24 广州方硅信息技术有限公司 Interface management system, method, storage medium and computer device
CN115065726A (en) * 2022-06-10 2022-09-16 北京天融信网络安全技术有限公司 Protocol format control method, device, controller, server and storage medium
CN114884752A (en) * 2022-07-11 2022-08-09 天津金城银行股份有限公司 Inline gateway system, inline loan service docking method, apparatus, and medium
CN114884752B (en) * 2022-07-11 2022-09-23 天津金城银行股份有限公司 Inline gateway system, inline loan service docking method, apparatus, and medium

Similar Documents

Publication Publication Date Title
CN113672896A (en) Interface authority verification method, system, electronic device and storage medium
CN106101258B (en) Interface calling method, device and system of hybrid cloud
CN109067728B (en) Access control method and device for application program interface, server and storage medium
CN110493184B (en) Method and device for processing login page in client and electronic device
CN108512845B (en) Interface calling verification method and device
US20170085567A1 (en) System and method for processing task resources
CN112948802A (en) Single sign-on method, device, equipment and storage medium
CN105722072A (en) Business authorization method, device, system and router
CN112468540A (en) Data distribution method, device and medium based on cloud platform
CN113726774A (en) Client login authentication method, system and computer equipment
CN115701019A (en) Access request processing method and device of zero trust network and electronic equipment
CN109428893A (en) A kind of identity identifying method, apparatus and system
CN108009439B (en) Resource request method, device and system
CN111737681A (en) Resource acquisition method and device, storage medium and electronic device
CN113489689B (en) Authentication method and device for access request, storage medium and electronic equipment
US11463429B2 (en) Network controls for application access secured by transport layer security (TLS) using single sign on (SSO) flow
CN111541649A (en) Password resetting method, device, server and storage medium
CN106453400B (en) A kind of authentication method and system
CN114338132B (en) Secret-free login method, client application, operator server and electronic equipment
CN113691520B (en) Method and device for acquiring streaming media information, storage medium and electronic device
CN115412294A (en) Platform service-based access method and device, storage medium and electronic equipment
CN112597118A (en) Method and device for adding shared file
CN113395249A (en) Client login authentication method, system and computer equipment
CN112134705A (en) Data authentication method and device, storage medium and electronic device
CN106817361A (en) The control method and device of group's online

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination