CN113709221A - API management and API gateway calling method - Google Patents

Abstract

The invention discloses a calling method of API management and API gateway, which provides a platform for releasing, selling and managing API for a third-party developer through an open API, so that the third-party developer can effectively manage an API interface and can share the interface for other people to use; storing an API (application programming interface) in the system in a database in an interface scanning mode through an API market, supporting the addition of an external interface, displaying the API in a commodity mode, and providing an API method for subscribing, purchasing and calling the system or APIs issued by other third-party developers for the third-party developers; the API Gateway is realized through the Gateway, the calling of the API interface is processed in a unified mode, the calling of the internal API interface and the calling of the external API interface are realized, and safety and convenience are achieved. The invention manages the API interface better and more safely, processes the calling of the API interface uniformly, facilitates the access, the entrance and the API subscription of third-party developers, provides data and resources for the third-party development and reduces the development workload of the third-party developers.

Description

API management and API gateway calling method

Technical Field

The invention relates to the technical field of electronic information, in particular to a calling method of API (application program interface) management and an API gateway.

Background

With the generation of internet technology and a lot of data, the API interface receives more and more attention from people, and as a set of definitions, programs and protocols, the API interface can realize the intercommunication and data exchange between computer software through the API interface. One main function of the system is to provide a universal function set, and programmers develop API interfaces by using various programming languages to achieve the purposes of one-time development and multiple-time use, so that users do not need to access source codes or understand details of internal working mechanisms.

Currently, the development of API interfaces in the industry generally defines metadata information of API interfaces, including: information such as request addresses, request modes, request conditions, return data and the like is acquired, and then development of API interfaces is realized through a programming language, but in the development process, along with increase of development systems, API interfaces of the systems are increased, the API interfaces are difficult to uniformly manage, and calling of the API interfaces among the systems is difficult to uniformly process.

Disclosure of Invention

Aiming at the technical problems, the invention provides a calling method of API management and API gateway, which realizes the unified management of API interfaces and the unified calling of API gateway by the API interfaces, the management of the API interfaces manages the API interface information in a unified way in the form of API market, requests of the API interfaces are processed in a unified way through the API gateway, unified application management, API interface management and API interface calling are provided for resident third-party developers, the cost problem of developing and maintaining the API interfaces in the prior art is solved, and the open workload is reduced.

The method is realized through an open platform as follows:

1) establishment of an API market:

an opener creates an API group on an open platform and inputs API interface information into the open platform, and the input of the API interface information has two modes: the first method is as follows: through an interface provided by the open platform, the API interface information is manually input into the open platform and stored in a database, and the second mode is as follows: API information is scanned to an open platform in an API interface scanning mode and is stored in a database, and finally the information of the API interface is displayed in an API market in a commodity form; a caller subscribes and purchases API in an API market, and the purchased API interface can call the subscribed API interface through the API gateway only by authorization; the establishment of the API market provides manual entry and automatic scanning entry, provides a simpler, more convenient and faster mode for an opener to enter API information, and the opener can manage an open API interface more conveniently and flexibly.

2) Calling an API gateway:

a creating an application and calling an API gateway:

a caller creates own application on an open platform, introduces an SDK provided by the open platform and configures key and Secret of the application, public key and private key of the application and an API gateway address; calling an API interface through the SDK:

the SDK packages and encrypts application parameters configured by a caller and request parameters for purchasing a subscription API, and finally sends the application parameters and the request parameters to an API gateway for verification;

b, calling the parameter to check and sign: performing parameter verification on a request sent to an API Gateway by a caller, intercepting a network request through a Filter of the Gateway, acquiring parameters of the request, performing non-null verification on a mandatory parameter, and ensuring normal operation of subsequent services and verification on a signature;

c, checking the calling authority: verifying the key of the application created by the caller, verifying the API after the key of the application passes the verification, judging whether the API called by the caller exists, finally, checking the subscription relationship between the application of the caller and the API, and calling the next step if the subscription relationship exists;

d, calling encryption and decryption and adaptation of parameters: decrypting the request parameter of the API interface transmitted by the caller through the SDK, and adapting and assembling the decrypted parameter transmitted by the caller according to the request parameter in the API interface information;

e, initiating calling, counting, charging, overtime check and response parameter encryption: and performing HTTP request calling according to the assembled request parameters, API request modes and API methods, counting and charging the calls after the request is completed, performing overtime check on the response result, if overtime exists, returning overtime exception, performing encryption processing on the response result set after the overtime check is completed, and finally returning the result to the client.

The open platform provides an SDK (software development kit) to encapsulate an HTTP (hyper text transport protocol) client for a caller, the SDK acquires a Key, a Secret, a public Key, a private Key and a gateway address configured in an application, when the caller uses the SDK to invoke an API (application programming interface) gateway, the caller only needs to invoke parameters and a method name of an API method, the SDK automatically encapsulates, encrypts and signs the invoked parameters and then sends the parameters to the API gateway, and the API gateway then decrypts, verifies, signs and invokes the API method; the SDK encapsulates a request tool for a caller, so that the calling of the API is more convenient, and the information is prevented from being leaked and tampered by means of encryption and signature, so that the calling of the API is safer.

When the API gateway is called, all API requests pass through the API gateway, the API gateway uniformly processes the requests, the request processing services of the API are written in a filter of a spring closed gateway, and a gateway mapper and a filter perform service processing, wherein the service processing comprises checking and signature verification of calling parameters, checking of calling authority, encryption and decryption and adaptation of the calling parameters, initiation calling, counting, charging, overtime checking and response parameter encryption; the verification of the authority is to verify whether the API interface is created or not and whether the application created by the caller is subscribed to the API interface or not.

The caller initiates a request to call the API gateway, and the service logic for uniformly realizing the API call through the gateway mapper and the filter is as follows:

1) gateway Handle Mapping: the gateway mapping processor is used for mapping the requested address;

2) gateway Web Handle: the gateway WEB processor finds a corresponding processing method according to a processing result of the mapping processor;

3) TraceFilter: the log link filter generates a log link tracking id and transmits the log link tracking id to the header;

4) beforhandlefilter: the pre-filter processes main services and comprises: assembling request parameters, parameter verification and signature verification, and verification of calling authority; checking the APPKey, the subscription relation and the authorization relation, and splicing the interface parameters at the rear end;

5) after the AfterHandleFilter: a post filter for encrypting the response data;

6) TimeoutFilter: the overtime filter requests response overtime check processing and independently processes the overtime time of each interface;

the specific implementation method comprises the following steps:

when a request reaches an API gateway, the request firstly reaches a mapping processor and a WEB processor of the gateway, address mapping processing is carried out on the request, then the request is intercepted through an API gateway filter, a TraceFilter log link filter is firstly executed to generate a log link tracking id and is transmitted into a header, a BeforeHandleFilter prefilter is executed to acquire a URL of the request, whether the URL is correct or not is checked, whether a dynamic route is added or not is checked, if the URL is not added, the route is added, then parameters sent to the API gateway are acquired, and the parameters are checked;

the verification of the API gateway parameters mainly comprises the steps of verifying, signing and packaging the parameters, and the verification of the parameters mainly comprises the steps of judging and verifying, so that the normal operation of subsequent service logic is ensured; checking the calling authority after the request parameter checking, the signature checking and the encapsulation are finished, wherein the checking of the calling authority mainly comprises checking whether an application corresponding to an application key created by a caller exists or not; if the current application does not have the authority to call the current interface, judging the subscription relationship;

after the verification of the calling authority is completed, performing AES decryption on the requested service parameters to obtain the service parameters, and splicing, adapting and packaging the decrypted service parameters according to the parameter information of the calling API interface;

after the calling of the API gateway interface is finished, counting and charging operations are carried out on the application calling API interface, message pushing is realized by using kafka message middleware, and the calling result is processed; firstly, recording interface calling time of the API, encrypting a response result set through an AfterHandleFilter, and individually processing the overtime time of each calling through a TimeoutFilter to check whether the API calling is overtime.

The API Gateway uses the latest Spring Cloud Gateway, the Spring Cloud Gateway bottom layer uses a high-performance communication framework Netty and response programming adopting Webflux, verified services are placed in a filter, and the Gateway performance is better and safer.

Drawings

FIG. 1 is a schematic flow diagram of the present invention;

FIG. 2 is a business flow diagram of an API gateway used by the present invention.

Detailed Description

The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.

The unified management of the API interface and the unified calling of the API gateway are realized, the management of the API interface uniformly manages the API interface information in an API market mode, the request of the API interface is uniformly processed through the API gateway, the unified application management, the API interface management and the API interface calling are provided for resident third-party developers, the cost problem of developing and maintaining the API interface in the prior art is solved, and the open workload is reduced.

The method is realized through an open platform as follows:

2) establishment of an API market:

an opener creates an API group on an open platform and inputs API interface information into the open platform, and the input of the API interface information has two modes: the first method is as follows: through an interface provided by the open platform, the API interface information is manually input into the open platform and stored in a database, and the second mode is as follows: API information is scanned to an open platform in an API interface scanning mode and is stored in a database, and finally the information of the API interface is displayed in an API market in a commodity form; a caller subscribes and purchases API in an API market, and the purchased API interface can call the subscribed API interface through the API gateway only by authorization; the establishment of the API market provides manual entry and automatic scanning entry, provides a simpler, more convenient and faster mode for an opener to enter API information, and the opener can manage an open API interface more conveniently and flexibly.

2) Calling an API gateway:

a creating an application and calling an API gateway:

a caller creates own application on an open platform, introduces an SDK provided by the open platform and configures key and Secret of the application, public key and private key of the application and an API gateway address; calling an API interface through the SDK:

the SDK packages and encrypts application parameters configured by a caller and request parameters for purchasing a subscription API, and finally sends the application parameters and the request parameters to an API gateway for verification;

b, calling the parameter to check and sign: performing parameter verification on a request sent to an API Gateway by a caller, intercepting a network request through a Filter of the Gateway, acquiring parameters of the request, performing non-null verification on a mandatory parameter, and ensuring normal operation of subsequent services and verification on a signature;

c, checking the calling authority: verifying the key of the application created by the caller, verifying the API after the key of the application passes the verification, judging whether the API called by the caller exists, finally, checking the subscription relationship between the application of the caller and the API, and calling the next step if the subscription relationship exists;

d, calling encryption and decryption and adaptation of parameters: decrypting the request parameter of the API interface transmitted by the caller through the SDK, and adapting and assembling the decrypted parameter transmitted by the caller according to the request parameter in the API interface information;

e, initiating calling, counting, charging, overtime check and response parameter encryption: and performing HTTP request calling according to the assembled request parameters, API request modes and API methods, counting and charging the calls after the request is completed, performing overtime check on the response result, if overtime exists, returning overtime exception, performing encryption processing on the response result set after the overtime check is completed, and finally returning the result to the client.

The open platform provides an SDK (software development kit) to encapsulate an HTTP (hyper text transport protocol) client for a caller, the SDK acquires a Key, a Secret, a public Key, a private Key and a gateway address configured in an application, when the caller uses the SDK to invoke an API (application programming interface) gateway, the caller only needs to invoke parameters and a method name of an API method, the SDK automatically encapsulates, encrypts and signs the invoked parameters and then sends the parameters to the API gateway, and the API gateway then decrypts, verifies, signs and invokes the API method; the SDK encapsulates a request tool for a caller, so that the calling of the API is more convenient, and the information is prevented from being leaked and tampered by means of encryption and signature, so that the calling of the API is safer.

When the API gateway is called, all API requests pass through the API gateway, the API gateway uniformly processes the requests, the request processing services of the API are written in a filter of a spring closed gateway, and a gateway mapper and a filter perform service processing, wherein the service processing comprises checking and signature verification of calling parameters, checking of calling authority, encryption and decryption and adaptation of the calling parameters, initiation calling, counting, charging, overtime checking and response parameter encryption; the verification of the authority is to verify whether the API interface is created or not and whether the application created by the caller is subscribed to the API interface or not.

4. The caller initiates a request to call the API gateway, and the service logic for uniformly realizing the API call through the gateway mapper and the filter is as follows:

1) gateway Handle Mapping: the gateway mapping processor is used for mapping the requested address;

2) gateway Web Handle: the gateway WEB processor finds a corresponding processing method according to a processing result of the mapping processor;

3) TraceFilter: the log link filter generates a log link tracking id and transmits the log link tracking id to the header;

4) beforhandlefilter: the pre-filter processes main services and comprises: assembling request parameters, parameter verification and signature verification, and verification of calling authority; checking the APPKey, the subscription relation and the authorization relation, and splicing the interface parameters at the rear end;

5) after the AfterHandleFilter: a post filter for encrypting the response data;

6) TimeoutFilter: the overtime filter requests response overtime check processing and independently processes the overtime time of each interface;

the specific implementation method comprises the following steps:

when a request reaches an API gateway, the request firstly reaches a mapping processor and a WEB processor of the gateway, address mapping processing is carried out on the request, then the request is intercepted through an API gateway filter, a TraceFilter log link filter is firstly executed to generate a log link tracking id and is transmitted into a header, a BeforeHandleFilter prefilter is executed to acquire a URL of the request, whether the URL is correct or not is checked, whether a dynamic route is added or not is checked, if the URL is not added, the route is added, then parameters sent to the API gateway are acquired, and the parameters are checked;

the verification of the API gateway parameters mainly comprises the steps of verifying, signing and packaging the parameters, and the verification of the parameters mainly comprises the steps of judging and verifying, so that the normal operation of subsequent service logic is ensured; checking the calling authority after the request parameter checking, the signature checking and the encapsulation are finished, wherein the checking of the calling authority mainly comprises checking whether an application corresponding to an application key created by a caller exists or not; if the current application does not have the authority to call the current interface, judging the subscription relationship;

after the verification of the calling authority is completed, performing AES decryption on the requested service parameters to obtain the service parameters, and splicing, adapting and packaging the decrypted service parameters according to the parameter information of the calling API interface;

after the calling of the API gateway interface is finished, counting and charging operations are carried out on the application calling API interface, message pushing is realized by using kafka message middleware, and the calling result is processed; firstly, recording interface calling time of the API, encrypting a response result set through an AfterHandleFilter, and individually processing the overtime time of each calling through a TimeoutFilter to check whether the API calling is overtime.

The API Gateway uses the latest Spring Cloud Gateway, the Spring Cloud Gateway bottom layer uses a high-performance communication framework Netty and response programming adopting Webflux, verified services are placed in a filter, and the Gateway performance is better and safer.

Claims (3)

1. A calling method of API management and API gateway is characterized in that the method is realized through an open platform as follows:

1) establishment of an API market:

the method comprises the following steps that a developer stores an API interface into a database, and information of the API interface is displayed in an API market in a commodity form; a caller purchases and subscribes an API in an API market, and the purchased API interface can call the subscribed API interface through the API gateway only by the authorization of a developer;

2) calling an API gateway:

a creating an application and calling an API gateway:

a caller creates own application on an open platform, introduces an SDK provided by the open platform and configures key and Secret of the application, public key and private key of the application and an API gateway address; calling an API interface through the SDK:

the SDK packages and encrypts application parameters configured by a caller and request parameters for purchasing a subscription API, and finally sends the application parameters and the request parameters to an API gateway for verification;

b, calling the parameter to check and sign: performing parameter verification on a request sent to an API Gateway by a caller, intercepting a network request through a Filter of the Gateway, acquiring parameters of the request, performing non-null verification on a mandatory parameter, and ensuring normal operation of subsequent services and verification on a signature;

c, checking the calling authority: verifying the key of the application created by the caller, verifying the API after the key of the application passes the verification, judging whether the API called by the caller exists, finally, checking the subscription relationship between the application of the caller and the API, and calling the next step if the subscription relationship exists;

d, calling encryption and decryption and adaptation of parameters: decrypting the request parameter of the API interface transmitted by the caller through the SDK, and adapting and assembling the decrypted parameter transmitted by the caller according to the request parameter in the API interface information;

e, initiating calling, counting, charging, overtime check and response parameter encryption: and performing HTTP request calling according to the assembled request parameters, API request modes and API methods, counting and charging the calls after the request is completed, performing overtime check on the response result, if overtime exists, returning overtime exception, performing encryption processing on the response result set after the overtime check is completed, and finally returning the result to the client.

2. The method as claimed in claim 1, wherein when the API gateway is called, all API requests pass through the API gateway, the API gateway uniformly processes the requests, the API request processing service is written in a springclosed gateway filter, and the gateway filter performs service processing including checking and signature verification of calling parameters, checking of calling authority, encryption and decryption and adaptation of calling parameters, initiating calling, counting, charging, timeout checking, and response parameter encryption, wherein the authority checking is whether the API interface is created or not, and whether the application created by the caller subscribes to the API interface or not.

3. The method as claimed in claim 2, wherein the caller initiates a request to call the API gateway, and the service logic for implementing the API call through the gateway mapper and the filter is as follows:

1) gateway handling mapping: the gateway mapping processor is used for mapping the requested address;

2) gateway webhandle: the gateway WEB processor finds a corresponding processing method according to a processing result of the mapping processor;

3) TraceFilter: the log link filter generates a log link tracking id and transmits the log link tracking id to the header;

4) beforhandlefilter: the pre-filter processes main services and comprises: assembling request parameters, parameter verification and signature verification, and verification of calling authority; checking the APPKey, the subscription relation and the authorization relation, and splicing the interface parameters at the rear end;

5) after the AfterHandleFilter: a post filter for encrypting the response data;

6) TimeoutFilter: the overtime filter requests response overtime check processing and independently processes the overtime time of each interface;

the specific implementation method comprises the following steps:

when a request reaches an API gateway, the request firstly reaches a mapping processor and a WEB processor of the gateway, address mapping processing is carried out on the request, then the request is intercepted through an API gateway filter, a TraceFilter log link filter is firstly executed to generate a log link tracking id and is transmitted into a header, a BeforeHandleFilter prefilter is executed to acquire a URL of the request, whether the URL is correct or not is checked, whether a dynamic route is added or not is checked, if the URL is not added, the route is added, then parameters sent to the API gateway are acquired, and the parameters are checked;

the verification of the API gateway parameters mainly comprises the steps of verifying, signing and packaging the parameters, and the verification of the parameters mainly comprises the steps of judging and verifying, so that the normal operation of subsequent service logic is ensured; checking the calling authority after the request parameter checking, the signature checking and the encapsulation are finished, wherein the checking of the calling authority mainly comprises checking whether an application corresponding to an application key created by a caller exists or not; if the current application does not have the authority to call the current interface, judging the subscription relationship;

after the verification of the calling authority is completed, performing AES decryption on the requested service parameters to obtain the service parameters, and splicing, adapting and packaging the decrypted service parameters according to the parameter information of the calling API interface;

after the calling of the API gateway interface is finished, counting and charging operations are carried out on the application calling API interface, message pushing is realized by using kafka message middleware, and the calling result is processed; firstly, recording interface calling time of the API, encrypting a response result set through an AfterHandleFilter, and individually processing the overtime time of each calling through a TimeoutFilter to check whether the API calling is overtime.

Images