CN113923203A - Network request checking method, device, equipment and storage medium - Google Patents

Network request checking method, device, equipment and storage medium

Info

Publication number
CN113923203A
Authority
CN
China
Prior art keywords
information
data access
access request
authentication information
verification
Prior art date
Legal status
Granted
Application number
CN202111277113.2A
Other languages
Chinese (zh)
Other versions
CN113923203B (en)
Inventor
孙梦君
Current Assignee
Ping An Property and Casualty Insurance Company of China Ltd
Original Assignee
Ping An Property and Casualty Insurance Company of China Ltd
Priority date
Filing date
Publication date
Application filed by Ping An Property and Casualty Insurance Company of China Ltd
Priority to CN202111277113.2A
Publication of CN113923203A
Application granted
Publication of CN113923203B
Legal status: Active
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/02 Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L67/14 Session management
    • H04L67/146 Markers for unambiguous identification of a particular session, e.g. session cookie or URL-encoding

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Storage Device Security (AREA)

Abstract

The application relates to the technical field of artificial intelligence and discloses a network request checking method, device, equipment and storage medium. The method comprises the following steps: when a data access request sent by a terminal device is received, acquiring the interface identifier of the data interface corresponding to the data access request and judging from the interface identifier whether the data access request is a sensitive data access request; when it is, judging whether the data access request carries first authentication information and second authentication information; when it carries both, identifying the key parameter of the interface identifier; acquiring the key information matching the key parameter from the data access request; encoding the first authentication information and the key information according to a preset rule to obtain verification information; verifying the second authentication information against the verification information; and, when the verification passes, acquiring the response information corresponding to the data access request and returning it to the terminal device.

Description

Network request checking method, device, equipment and storage medium
Technical Field
The present application relates to the field of artificial intelligence technologies, and in particular, to a method, an apparatus, a device, and a storage medium for checking a network request.
Background
In the prior art, a terminal device generally accesses data by sending an HTTPS network request to a server. Although HTTPS greatly improves the security of network communication, the risk that request information is intercepted and tampered with still exists, so relying on HTTPS alone leaves certain security risks.
Disclosure of Invention
The present application mainly aims to provide a network request verification method, device, equipment and storage medium, and aims to improve the security of network request communication between a terminal device and a server.
In a first aspect, the present application provides a network request checking method, including:
when a data access request sent by terminal equipment is received, acquiring an interface identifier of a data interface corresponding to the data access request, and judging whether the data access request is a sensitive data access request or not according to the interface identifier;
when the data access request is a sensitive data access request, judging whether the data access request carries first authentication information and second authentication information, wherein the first authentication information is identity token information which is returned by the server and corresponds to a user when the user successfully logs in through the terminal equipment, and the second authentication information is generated by the terminal equipment according to the first authentication information and the data access request;
when the data access request carries the first authentication information and the second authentication information, identifying key parameters of the interface identifier;
acquiring key information matched with the key parameters from the data access request;
coding the first authentication information and the key information according to a preset rule to obtain verification information;
verifying the second authentication information according to the verification information;
and when the verification is passed, acquiring response information corresponding to the data access request and returning the response information to the terminal equipment.
In a second aspect, the present application further provides a network request verification apparatus, where the network request verification apparatus includes:
the sensitive interface identification module is used for acquiring an interface identifier of a data interface corresponding to a data access request when receiving the data access request sent by the terminal equipment, and judging whether the data access request is a sensitive data access request or not according to the interface identifier;
the request information judging module is used for judging whether the data access request carries first authentication information and second authentication information when the data access request is a sensitive data access request, wherein the first authentication information is identity token information which corresponds to a user and is returned by the server when the user successfully logs in through the terminal equipment, and the second authentication information is generated by the terminal equipment according to the first authentication information and the data access request;
the key parameter matching module is used for identifying the key parameters of the interface identifier when the data access request carries the first authentication information and the second authentication information;
the key information acquisition module is used for acquiring key information matched with the key parameters from the data access request;
the verification information generation module is used for coding the first authentication information and the key information according to a preset rule to obtain verification information;
the first verification module is used for verifying the second authentication information according to the verification information;
and the sensitive information response module is used for acquiring response information corresponding to the data access request and returning the response information to the terminal equipment when the verification is passed.
In a third aspect, the present application also provides a computer device comprising a processor, a memory, and a computer program stored on the memory and executable by the processor, wherein the computer program, when executed by the processor, implements the steps of the network request checking method as described above.
In a fourth aspect, the present application further provides a storage medium having a computer program stored thereon, where the computer program is executed by a processor to implement the steps of the network request verification method as described above.
The application provides a network request verification method, device, equipment and storage medium. The terminal device and the server have agreed a key parameter for each interface. When the server receives a data access request from the terminal device that involves sensitive data access, it obtains the first authentication information and second authentication information carried in the request, matches the key parameter corresponding to the request, obtains the corresponding key information from the request according to that key parameter, encodes the first authentication information and the key information according to a preset rule to obtain verification information, and verifies the second authentication information against the verification information; when the verification passes, it acquires the response information corresponding to the data access request and returns it to the terminal device. In this way the security of network request communication between the terminal device and the server can be greatly improved.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present application, the drawings needed to be used in the description of the embodiments are briefly introduced below, and it is obvious that the drawings in the following description are some embodiments of the present application, and it is obvious for those skilled in the art to obtain other drawings based on these drawings without creative efforts.
Fig. 1 is a schematic flowchart illustrating steps of a network request verification method according to an embodiment of the present application;
FIG. 2 is a flowchart illustrating steps corresponding to one embodiment of step S10 of FIG. 1;
fig. 3 is a schematic block diagram of a network request verification apparatus according to an embodiment of the present application;
fig. 4 is a schematic block diagram of a structure of a computer device according to an embodiment of the present application.
The implementation, functional features and advantages of the objectives of the present application will be further explained with reference to the accompanying drawings.
Detailed Description
The technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are some, but not all, embodiments of the present application. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
The flow diagrams depicted in the figures are merely illustrative and do not necessarily include all of the elements and operations/steps, nor do they necessarily have to be performed in the order depicted. For example, some operations/steps may be decomposed, combined or partially combined, so that the actual execution sequence may be changed according to the actual situation. In addition, although the division of the functional blocks is made in the device diagram, in some cases, it may be divided in blocks different from those in the device diagram.
The embodiment of the application provides a network request checking method, a device, equipment and a storage medium. The network request verification method is applied to a server, and the server can be a single server or a server cluster consisting of a plurality of servers.
Some embodiments of the present application will be described in detail below with reference to the accompanying drawings. The embodiments described below and the features of the embodiments can be combined with each other without conflict.
Referring to fig. 1, fig. 1 is a schematic flowchart illustrating a procedure of a network request verification method according to an embodiment of the present disclosure.
As shown in fig. 1, the network request checking method includes steps S10 to S16.
Step S10, when receiving a data access request sent by a terminal device, obtaining an interface identifier of a data interface corresponding to the data access request, and determining whether the data access request is a sensitive data access request according to the interface identifier.
It is understood that the data access request is a network request sent by a user to the server through the terminal device; the terminal device accesses data on the server through the data access request. When the server receives the data access request, it accesses the data through the data interface corresponding to the request and returns the data access result to the terminal device.
Each data interface has its corresponding interface identification, and the interface identifications corresponding to different data interfaces are different. In some embodiments, the interface identification is a unique identifier for identifying the identity of the data interface.
When the data access request relates to sensitive data access, the data access request is a sensitive data access request, and in the application, the server identifies whether the received data access request is a sensitive data access request according to an interface identifier corresponding to the data access request.
As shown in fig. 2, in some embodiments, the obtaining an interface identifier of a data interface corresponding to the data access request, and determining whether the data access request is a sensitive data access request according to the interface identifier includes steps S100 to S102.
Step S100, acquiring an interface identifier of a data interface corresponding to the data access request according to an address path and a request method of the data access request;
step S101, when a preset sensitive interface information set comprises the interface identification, the data access request is a sensitive data access request;
step S102, when the sensitive interface information set does not include the interface identification, the data access request is a non-sensitive data access request.
It can be understood that, when the server receives the data access request, the server may obtain an address path and a request method of the data access request, and the interface identifier is obtained according to the address path and the request method.
When the terminal device sends a data access request to the server with the GET method, the address path comprises a domain name part, a distinguishing part and a request parameter part. With the POST method, the address path comprises a domain name part and a distinguishing part, and the request parameters are placed in the request body. In some embodiments, the interface identifier corresponding to the data access request is obtained by splicing the distinguishing part of the address path with the request method.
For example, assume the request method of the data access request is GET and the address path is "www.xxxxx.com/good_list?page=0&size=20". In this address path the domain name part is "www.xxxxx.com", the distinguishing part is "good_list" and the parameter part is "page=0&size=20". From the address path and the request method the interface identifier "good_list_&&_get" is obtained.
In some embodiments, the sensitive interface information set is an array preset in the server, and if the interface identifier is stored in the sensitive interface information set, the data access request corresponding to the interface identifier is a sensitive data access request, otherwise, the data access request is a non-sensitive data access request.
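The following is an added example and not code from the patent: it derives the interface identifier of steps S100 to S102 from the address path and request method and looks it up in a preset sensitive-interface set. The URLs and the contents of the set are constructed; the path normalisation (percent-decoding, stripping slashes, lower-casing the method) is an addition that the patent text does not describe.

```python
# Added example, not part of the patent: build the interface identifier of
# steps S100-S102 from the request's address path and method, then test it
# against a preset sensitive-interface set. URLs and the set are constructed.
from urllib.parse import urlsplit, unquote

# Constructed sensitive-interface set, using the "<distinguishing part>_&&_<method>"
# identifier pattern from the description.
SENSITIVE_INTERFACES = {
    "transfer_account_&&_post",
    "asset_info_&&_get",
}


def interface_identifier(address_path: str, method: str) -> str:
    """Splice the distinguishing part of the path and the request method.

    The domain part and, for GET requests, the request-parameter part after
    '?' are discarded, so 'www.xxxxx.com/good_list?page=0&size=20' with GET
    gives 'good_list_&&_get'. Normalisation (percent-decoding, stripping
    leading/trailing slashes, lower-casing the method) is an addition: an
    exact-string set lookup must see the same path form the router dispatches
    on, or '/transfer_account/' and 'transfer%5Faccount' would miss the set.
    """
    # urlsplit only recognises the domain part when a scheme or '//' is present.
    parts = urlsplit(address_path if "://" in address_path else "//" + address_path)
    distinguishing = unquote(parts.path).strip("/")
    return f"{distinguishing}_&&_{method.strip().lower()}"


def is_sensitive_request(address_path: str, method: str) -> bool:
    """Steps S101/S102: sensitive iff the identifier is in the preset set."""
    return interface_identifier(address_path, method) in SENSITIVE_INTERFACES


if __name__ == "__main__":
    for path, method in [
        ("www.xxxxx.com/good_list?page=0&size=20", "GET"),
        ("https://www.xxxxx.com/transfer_account/", "POST"),
        ("www.xxxxx.com/transfer%5Faccount", "post"),
    ]:
        ident = interface_identifier(path, method)
        print(f"{method:4} {path:45} -> {ident} sensitive={is_sensitive_request(path, method)}")
```

The identifier must be built from the same decoded, normalised path the web framework routes on; otherwise the sensitive-set membership test and the actual dispatch can disagree about which interface a request reaches.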
When the server identifies that the data access request is a sensitive data access request, the server further verifies the data access request, and after the data access request passes the verification, the server executes corresponding data access operation and returns corresponding response data to the terminal equipment.
In some embodiments, the user is required to have logged in to the server through the terminal device before the server performs further verification of the data access request.
In some embodiments, before step S10, the method further includes:
when a login request sent by the user through the terminal equipment is received, acquiring verification information carried in the login request;
acquiring a user information data set from a database, and judging whether user information matched with the verification information exists in the user information data set;
and when the user information exists, the user logs in successfully, and the identity token information corresponding to the user is returned to the terminal equipment according to the user information.
It can be understood that the login request sent by the user through the terminal device carries authentication information, and in some embodiments, the authentication information may be a login account and a login password input by the user, or may be other information for authenticating the identity of the login user.
The user information data set is the set of user data the server stores in the database; it holds the data of all registered users. When user information matching the verification information exists in the data set, the user has been registered before, the login verification succeeds, and the user is logged in successfully.
And when the user logs in successfully, the server returns the identity token information of the corresponding user to the terminal equipment. When the terminal equipment sends a data access request to the server in the subsequent process, the server can identify the identity of the user requesting the data access operation according to the identity token information carried in the data access request as long as the identity token information is set in the data access request.
In some embodiments, the returning the identity token information corresponding to the user to the terminal device according to the user information further includes:
and storing the identity token information in a memory database, and setting the expiration time of the identity token information according to preset time, wherein the memory database destroys the identity token information according to the expiration time.
In some embodiments, the in-memory database storing the identity token information is Redis, a very high performance database with a read speed of about 110000 operations/s and a write speed of about 81000 operations/s. Using Redis for identity-token storage keeps the tokens out of the application server's own process memory and makes token lookups fast.
The expiration time is equal to the sum of the writing time when the memory database stores the identity token information and the preset time length. When the expiration time is reached, the memory database can remove the identity token information from the memory database, and after the expired identity token information is destroyed, the identity token information is invalid. After the identity token information is invalid, the user needs to log in again to obtain valid identity token information.
In some embodiments, the preset duration may be set to 24 hours, 48 hours, 72 hours or another duration as required. Since the identity token information expires after the preset duration, the user must log in periodically, which improves the security of network request communication between the terminal device and the server.
It can be understood that even if an attacker obtains the identity token information, once it has expired the attacker cannot continue to perform malicious operations with it, as long as the attacker does not know the user's login verification information.
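The following is an added example and not code from the patent: a login step that issues identity token information and stores it under an expiry, as in the steps described before step S10. The store is an in-process stand-in for Redis SETEX/EXISTS/DEL with an injectable clock so expiry can be exercised offline; the account, password and token key prefix are constructed.

```python
# Added example, not part of the patent: login with an identity token stored
# under an expiry, as in the "before step S10" steps above. The store is an
# in-process stand-in for Redis SETEX/EXISTS/DEL with an injectable clock so
# expiry can be exercised offline; accounts and passwords are constructed.
import hmac
import secrets
import time
from hashlib import sha256

TOKEN_TTL_SECONDS = 24 * 60 * 60   # one of the preset durations named in the text

# Constructed user information data set: account -> sha256(password).
# A production system would use a salted, slow password hash (argon2, bcrypt);
# sha256 keeps this example dependency-free.
USER_INFORMATION_DATA_SET = {
    "alice": sha256(b"correct horse battery").hexdigest(),
}


class MemoryTokenStore:
    """Identity-token store: key -> (value, expiry time), destroyed on expiry."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._items = {}

    def setex(self, key, ttl_seconds, value):
        # expiry time = write time + preset duration
        self._items[key] = (value, self._clock() + ttl_seconds)

    def get(self, key):
        item = self._items.get(key)
        if item is None:
            return None
        value, expires_at = item
        if self._clock() >= expires_at:
            del self._items[key]     # expired: remove and destroy
            return None
        return value

    def exists(self, key):
        return self.get(key) is not None


def login(store, account, password, ttl_seconds=TOKEN_TTL_SECONDS):
    """Return identity token information on success, None on failure."""
    stored_hash = USER_INFORMATION_DATA_SET.get(account)
    candidate = sha256(password.encode()).hexdigest()
    # Hash and compare before checking account existence, so the two failure
    # paths do similar work; compare_digest avoids a byte-by-byte timing leak.
    matches = hmac.compare_digest(stored_hash or "", candidate)
    if stored_hash is None or not matches:
        return None
    token = secrets.token_urlsafe(32)   # random, not derived from user data
    store.setex(f"token:{token}", ttl_seconds, account)
    return token


def user_for_token(store, token):
    """Resolve first authentication information to the logged-in user, or None if expired."""
    return store.get(f"token:{token}")
```

The expiry is enforced on access rather than by a background sweep, which is also how Redis behaves for a key whose TTL has passed: a lookup after the expiry time fails closed and the user has to log in again.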
Step S11, when the data access request is a sensitive data access request, determining whether the data access request carries first authentication information and second authentication information, where the first authentication information is identity token information corresponding to the user returned by the server when the user logs in successfully through the terminal device, and the second authentication information is generated by the terminal device according to the first authentication information and the data access request.
It is understood that when the data access request is a sensitive data access request, the data access request relates to sensitive data access, and in this case, the server needs to perform further verification on the data access request, and the objects of the further verification are the first authentication information and the second authentication information in the data access request.
Before further verification, whether the data access request carries the first authentication information and the second authentication information needs to be judged, and if the data access request does not carry the first authentication information and the second authentication information, the corresponding data access request fails; correspondingly, if the data access request carries the first authentication information and the second authentication information, further verification is carried out according to the first authentication information and the second authentication information, and after the verification is passed, corresponding sensitive data access is executed.
The first authentication information is identity token information which is returned by the server and corresponds to the login user when the user initiates a login request to the server through the terminal equipment and the login is successful, and the second authentication information is generated by the terminal equipment according to the first authentication information and the data access request.
Step S12, when the data access request carries the first authentication information and the second authentication information, identifying a key parameter of the interface identifier.
It can be understood that when the data access request carries the first authentication information and the second authentication information, the server further verifies the first authentication information and the second authentication information, and before this, the key parameter of the interface identifier corresponding to the current data access request needs to be identified first.
In some embodiments, a key parameter matching information table is stored in the server, the key parameter matching information table is provided with key parameters corresponding to each interface identifier, and the key parameters of the interface identifier corresponding to the data access request can be acquired according to the key parameter matching information table.
Illustratively, assume that the key parameter match information table is shown in the following table.
Watch I,
Interface identification Interface identification description Key parameter Description of key parameters
transfer_account_&&_post Transferring accounts targetAccount Target account number
commodity_info_&&_get Details of the goods commodityId Commodity Id
asset_info&&_get Asset query assetId Asset type Id
Assuming that the data access request is a transfer request, that is, the interface identifier corresponding to the data access request is "transfer _ account _ & & _ post", the key parameter corresponding to the interface identifier is "targetAccount".
And step S13, obtaining the key information matched with the key parameters from the data access request.
It can be understood that, according to the identified key parameter corresponding to the interface identifier, the key information corresponding to the key parameter can be obtained from the parameter of the data access request.
For example, assume that the identified key parameter is "targetAccount", and the data access request includes the following information:
Figure BDA0003329848020000081
the key information corresponding to the key parameter is "158 xxxxxxxx".
And step S14, coding the first authentication information and the key information according to a preset rule to obtain verification information.
And coding the first authentication information and the key information according to a preset rule, wherein the obtained coding result is verification information, and the verification information is used for verifying the second authentication information in the data access request.
In some embodiments, step S14 includes steps S141 to S142.
Step S141, splicing the first authentication information and the key information according to a preset rule to obtain splicing result information;
and S142, encrypting the splicing result information according to a preset encryption method to obtain verification information.
It can be understood that the first authentication information and the key information are spliced to obtain splicing result information. And encrypting the splicing result information, wherein the obtained encryption result is the verification information.
In some embodiments, the preset rule may be to insert a splicing string between the first authentication information and the key information, or another splicing rule agreed in the protocol between the terminal device and the server may be chosen according to the use requirements. The preset encryption method may be applying MD5 to the splicing result (the original calls this "md5 encryption"; MD5 is a hash function rather than an encryption algorithm), or another method agreed with the terminal device may be chosen.
For example, assume the data access request is a transfer request, the first authentication information is "u12k41iadwc", the key information is "158xxxxxxxx" and the splicing string is "_ver&val_"; the splicing result information is then "u12k41iadwc_ver&val_158xxxxxxxx". Assuming the preset method is MD5, the MD5 digest of the splicing result information is the verification information.
In some embodiments, before encoding the first authentication information and the key information according to the preset rule, the method further includes:
judging whether the memory database stores the identity token information corresponding to the first authentication information;
and when the identity token information is stored in the memory database, encoding the first authentication information and the key information according to a preset rule.
It can be understood that when the user logs in successfully through the terminal device, the server returns the identity token information of that user to the terminal device and at the same time stores it in the in-memory database with a corresponding expiry time. The first authentication information carried in a request corresponds to one such identity token; in some embodiments the first authentication information is the identity token information itself.
When the identity token information stored in the memory database reaches the expiration time, the identity token information is invalid, the memory database can remove and destroy the identity token information by self, and at the moment, the removed and destroyed identity token information is invalid.
In the application, before the first authentication information and the key information are encoded according to the preset rule, whether the first authentication information used for encoding is valid needs to be checked, if the identity token information is stored in the memory database, the identity token information is still in a valid state, and if not, the identity token information is invalid and the user needs to log in again.
Through the embodiment, the validity period is set for the identity token information, so that the user sends a data access request to the server through the terminal equipment and needs to log in regularly, and the security of network request communication between the terminal equipment and the server can be improved.
Step S15, verifying the second authentication information according to the verification information.
It is understood that the second authentication information is generated by the terminal device according to the first authentication information and the data access request, and the second authentication information is generated by the same method as the verification information except that the execution subject is different. The execution subject of generating the verification information is the server, and the execution subject of generating the second authentication information is the terminal device.
Specifically, the second authentication information is generated as follows. When the terminal device receives a data access instruction from the user, it generates a data access request object according to the instruction and initiates the data access request to the server according to that object. Before initiating the request, the terminal device sets the first authentication information in the data access request object, this being the identity token information the server returned when the user logged in successfully. The terminal device also obtains the key parameter according to the interface identifier of the server data interface the request object is to call, obtains the corresponding key information from the request object according to that key parameter, encodes the first authentication information and the key information to generate the second authentication information, sets the second authentication information in the request object, and then initiates the data access request to the server according to the object.
It can be understood that, if the data access request is not intercepted by a lawbreaker and data is tampered during the sending process, the interface identifier matched when the terminal device sets the data access request object is the same as the interface identifier matched after the server receives the data access request, and the key parameters and the key information obtained by the terminal device and the subsequent corresponding interface identifier of the server are also the same, further, the terminal device performs encoding by using the same preset method, and finally, the second identification information generated by the terminal device is also correspondingly the same as the verification information generated by the server.
Correspondingly, if the data access request is intercepted by a lawbreaker in the sending process, after the lawbreaker acquires all parameters of the data access request, the generation rule and the coding rule of the second identification information agreed by the server and the terminal equipment are unknown, so that the second identification information cannot be modified even if the key parameters are modified. After receiving the maliciously intercepted and modified data access request, the server fails to verify the second authentication information according to the verification information, can identify that the data access request has a risk problem, and terminates the access operation of sensitive data, thereby greatly improving the security of network request communication between the terminal equipment and the server.
For example, assume that the data access request a user sends to the server through the terminal device is a transfer request. Before the transfer request is sent, the identity token information that the terminal device obtained for this user at login is "UIdA", the target user of the transfer is "targetB", and the transfer amount is "xxx". The terminal device recognizes that the key parameter corresponding to the transfer request is "target user", so the key information corresponding to the key parameter is "targetB". The terminal device therefore sets "UIdA" as the first authentication information, sets the result of encoding "UIdA" together with "targetB" as the second authentication information, and sends the transfer request to the server. Assume that the request is intercepted in transit and the interceptor modifies the target user carried in the request parameters to "targetC", then forwards the transfer request with the modified parameters to the server.
After the server receives the transfer request, it encodes "UIdA" and "targetC" to obtain the verification information. This does not match the second authentication information carried in the request parameters, which the terminal device obtained by encoding "UIdA" and "targetB", so the network request is judged to be high-risk and the transfer operation is terminated.
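The server-side flow described above, with the transfer scenario and the expiring in-memory token database, rendered as an added Python example (this is not the patent's own code). Everything not stated by the patent is an assumption: HMAC-SHA256 under a secret shared out of band stands in for the "preset encryption method", the "preset rule" splices the token and key values with "|", the two authentication values travel in the constructed headers X-Auth-Token and X-Auth-Sign, and the interface set, token lifetime and sample values are constructed.

```python
"""Server-side network request verification, modelled on the steps above.

Added example, not the patent's own code. Assumptions (none are given by
the patent text): the "preset encryption method" is HMAC-SHA256 under a
secret shared out of band between terminal device and server; the
"preset rule" splices the token and the key values with "|"; the first and
second authentication information travel in the constructed headers
X-Auth-Token and X-Auth-Sign; tokens expire after TOKEN_TTL_SECONDS.
"""
import hashlib
import hmac
import time

# Constructed "sensitive interface information set": interface identifier
# (request method + address path) -> the key parameters that interface binds.
SENSITIVE_INTERFACES = {
    "POST /api/transfer": ["target_user"],
    "GET /api/account/statement": ["account_id", "period"],
}

SHARED_SECRET = b"constructed-demo-secret"   # assumption, see docstring
TOKEN_TTL_SECONDS = 1800                      # preset validity period (assumption)


class TokenStore:
    """Stand-in for the in-memory database that holds identity tokens with an
    expiration time and destroys them once that time has passed."""

    def __init__(self, now=time.time):
        self._now = now          # injectable clock so expiry can be tested
        self._tokens = {}        # token -> (user, expires_at)

    def put(self, token, user):
        self._tokens[token] = (user, self._now() + TOKEN_TTL_SECONDS)

    def is_valid(self, token):
        entry = self._tokens.get(token)
        if entry is None:
            return False
        if self._now() >= entry[1]:
            del self._tokens[token]   # destroy the expired token
            return False
        return True


def interface_id(method, path):
    """Interface identifier derived from request method and address path."""
    return f"{method.upper()} {path}"


def encode(token, key_values, secret=SHARED_SECRET):
    """Splice token and key values per the preset rule, then apply the
    preset encryption method (HMAC-SHA256 here, an assumption)."""
    spliced = "|".join([token, *key_values])
    return hmac.new(secret, spliced.encode(), hashlib.sha256).hexdigest()


def client_sign(token, method, path, params):
    """Terminal-device side: build the second authentication information from
    the identity token and the key information of the called interface."""
    key_params = SENSITIVE_INTERFACES.get(interface_id(method, path), [])
    return encode(token, [str(params[k]) for k in key_params])


def check_request(store, method, path, headers, params):
    """Server side. Returns (allowed, reason) for a received request."""
    key_params = SENSITIVE_INTERFACES.get(interface_id(method, path))
    if key_params is None:
        return True, "non-sensitive interface"       # not in the sensitive set
    first = headers.get("X-Auth-Token")
    second = headers.get("X-Auth-Sign")
    if not first or not second:
        return False, "missing authentication information"
    if not store.is_valid(first):
        return False, "token expired or unknown"     # not in the token database
    try:
        key_values = [str(params[k]) for k in key_params]   # key information
    except KeyError as missing:
        return False, f"key parameter {missing} absent"
    expected = encode(first, key_values)             # verification information
    if not hmac.compare_digest(expected, second):    # step S15
        return False, "second authentication information mismatch"
    return True, "verified"                          # step S16 may proceed


if __name__ == "__main__":
    store = TokenStore()
    store.put("UIdA", "userA")
    params = {"target_user": "targetB", "amount": "xxx"}
    sig = client_sign("UIdA", "POST", "/api/transfer", params)
    headers = {"X-Auth-Token": "UIdA", "X-Auth-Sign": sig}
    print(check_request(store, "POST", "/api/transfer", headers, params))
    # Modified in transit: target user changed to targetC, signature unchanged.
    tampered = dict(params, target_user="targetC")
    print(check_request(store, "POST", "/api/transfer", headers, tampered))
```

Only the parameters listed for an interface identifier are bound by the check; a parameter not on that list (here "amount") can change without the verification failing, so the per-interface key parameter list decides what the check protects.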
Step S16: when the verification is passed, acquiring response information corresponding to the data access request and returning the response information to the terminal device.
It can be understood that when the second authentication information passes verification, the server may consider that the data access request was not intercepted and maliciously tampered with in transit. The server performs the corresponding sensitive data access operation according to the data access request, acquires the corresponding response information and returns it to the terminal device.
In some embodiments, step S16 includes steps S161 through S162.
Step S161: when the verification is passed, forwarding the data access request to a second server, where the second server is used to access sensitive data information;
Step S162: when response information returned by the second server according to the data access request is received, returning the response information to the terminal device.
It can be understood that the security verification server is separated from the sensitive data access server, so that the security of sensitive data storage can be improved.
In the present application, when a server receives a data access request sent by a terminal device that relates to sensitive data access, it obtains the first authentication information and second authentication information in the data access request, matches the key parameters corresponding to the data access request, obtains the corresponding key information in the data access request according to the key parameters, encodes the first authentication information and the key information according to a preset rule to obtain verification information, and verifies the second authentication information according to the verification information; when the verification is passed, it acquires response information corresponding to the data access request and returns it to the terminal device. By this method and apparatus, the security of network request communication between the terminal device and the server can be greatly improved.
Referring to fig. 3, fig. 3 is a schematic block diagram of a network request verification apparatus according to an embodiment of the present disclosure.
As shown in fig. 3, the network request verifying apparatus 201 includes:
the sensitive interface identification module 2011 is configured to, when receiving a data access request sent by a terminal device, obtain an interface identifier of a data interface corresponding to the data access request, and determine whether the data access request is a sensitive data access request according to the interface identifier;
a request information determining module 2012, configured to determine, when the data access request is a sensitive data access request, whether the data access request carries first authentication information and second authentication information, where the first authentication information is identity token information corresponding to a user returned by the server when the user logs in through the terminal device successfully, and the second authentication information is generated by the terminal device according to the first authentication information and the data access request;
a key parameter matching module 2013, configured to identify a key parameter of the interface identifier when the data access request carries the first authentication information and the second authentication information;
a key information obtaining module 2014, configured to obtain key information matching the key parameter from the data access request;
a verification information generating module 2015, configured to encode the first authentication information and the key information according to a preset rule to obtain verification information;
the first verification module 2016 is configured to verify the second authentication information according to the verification information;
and the sensitive information response module 2017 is configured to, when the verification is passed, obtain response information corresponding to the data access request and return the response information to the terminal device.
In some embodiments, when the sensitive interface identification module 2011 acquires an interface identifier of a data interface corresponding to the data access request and determines whether the data access request is a sensitive data access request according to the interface identifier, it is configured to:
acquiring an interface identifier of a data interface corresponding to the data access request according to the address path and the request method of the data access request;
when a preset sensitive interface information set comprises the interface identifier, the data access request is a sensitive data access request;
when the sensitive interface information set does not comprise the interface identification, the data access request is a non-sensitive data access request.
In some embodiments, the network request verification apparatus 201 further includes a user login module 2018. Before the sensitive interface identification module 2011 receives a data access request sent by a terminal device, the user login module 2018 is configured to, when receiving a login request sent by the user through the terminal device, obtain the verification information carried in the login request;
acquiring a user information data set from a database, and judging whether user information matched with the verification information exists in the user information data set;
and when the user information exists, the user logs in successfully, and the identity token information corresponding to the user is returned to the terminal equipment according to the user information.
In some embodiments, when the user login module 2018 returns the identity token information corresponding to the user to the terminal device according to the user information, it is further configured to:
and storing the identity token information in an in-memory database, and setting the expiration time of the identity token information according to a preset time, wherein the in-memory database destroys the identity token information according to the expiration time.
In some embodiments, the network request verification apparatus 201 further includes a second verification module 2019. Before the verification information generating module 2015 encodes the first authentication information and the key information according to a preset rule, the second verification module 2019 is configured to determine whether the in-memory database stores the identity token information corresponding to the first authentication information;
and when the identity token information is stored in the in-memory database, encoding the first authentication information and the key information according to the preset rule.
In some embodiments, the verification information generating module 2015, when encoding the first authentication information and the key information according to a preset rule to obtain verification information, is configured to:
splicing the first authentication information and the key information according to a preset rule to obtain splicing result information;
and encrypting the splicing result information according to a preset encryption method to obtain verification information.
In some embodiments, when the sensitive information response module 2017 obtains the response information corresponding to the data access request and returns it to the terminal device after the verification is passed, it is configured to:
when the verification is passed, forwarding the data access request to a second server, wherein the second server is used for accessing sensitive data information;
and when response information returned by the second server according to the data access request is received, returning the response information to the terminal equipment.
It should be noted that, as will be clear to those skilled in the art, for convenience and brevity of description, the specific working processes of the apparatus and each module and unit described above may refer to the corresponding processes in the foregoing embodiments of the network request checking method, and are not described herein again.
The apparatus provided by the above embodiments may be implemented in the form of a computer program, which can be run on a computer device as shown in fig. 4.
Referring to fig. 4, fig. 4 is a schematic block diagram of a computer device according to an embodiment of the present disclosure. The computer device includes, but is not limited to, a terminal device.
As shown in fig. 4, the computer device 301 includes a processor 3011, a memory and a network interface connected through a system bus, where the memory may include a storage medium 3012 and an internal memory 3015, and the storage medium 3012 may be non-volatile or volatile.
The storage medium 3012 may store an operating system and computer programs. The computer program includes program instructions that, when executed, cause the processor 3011 to perform any of the network request verification methods.
Processor 3011 is used to provide computing and control capabilities, supporting the operation of the overall computer device.
The internal memory 3015 provides an environment for running a computer program on the storage medium 3012, and the computer program, when executed by the processor 3011, may cause the processor 3011 to execute any one of the network request verification methods.
The network interface is used for network communication, such as sending assigned tasks and the like. Those skilled in the art will appreciate that the architecture shown in fig. 4 is merely a block diagram of some of the structures associated with the disclosed aspects and is not intended to limit the computing devices to which the disclosed aspects apply, as a particular computing device may include more or fewer components than those shown, combine certain components, or have a different arrangement of components.
It should be understood that the processor 3011 may be a central processing unit (CPU), or another general-purpose processor, a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or other programmable logic device, discrete gate or transistor logic, discrete hardware components, and so on. A general-purpose processor may be a microprocessor, or the processor may be any conventional processor or the like.
In some embodiments, the processor 3011 is configured to run a computer program stored in the memory to implement the following steps:
when a data access request sent by terminal equipment is received, acquiring an interface identifier of a data interface corresponding to the data access request, and judging whether the data access request is a sensitive data access request or not according to the interface identifier;
when the data access request is a sensitive data access request, judging whether the data access request carries first authentication information and second authentication information, wherein the first authentication information is identity token information which is returned by the server and corresponds to a user when the user successfully logs in through the terminal equipment, and the second authentication information is generated by the terminal equipment according to the first authentication information and the data access request;
when the data access request carries the first authentication information and the second authentication information, identifying key parameters of the interface identifier;
acquiring key information matched with the key parameters from the data access request;
coding the first authentication information and the key information according to a preset rule to obtain verification information;
verifying the second authentication information according to the verification information;
and when the verification is passed, acquiring response information corresponding to the data access request and returning the response information to the terminal equipment.
In some embodiments, when the processor 3011 obtains an interface identifier of a data interface corresponding to the data access request, and determines whether the data access request is a sensitive data access request according to the interface identifier, it is configured to:
acquiring an interface identifier of a data interface corresponding to the data access request according to the address path and the request method of the data access request;
when a preset sensitive interface information set comprises the interface identifier, the data access request is a sensitive data access request;
when the sensitive interface information set does not comprise the interface identification, the data access request is a non-sensitive data access request.
In some embodiments, the processor 3011 is further configured to, before receiving a data access request sent by a terminal device, implement:
when a login request sent by the user through the terminal equipment is received, acquiring verification information carried in the login request;
acquiring a user information data set from a database, and judging whether user information matched with the verification information exists in the user information data set;
and when the user information exists, the user logs in successfully, and the identity token information corresponding to the user is returned to the terminal equipment according to the user information.
In some embodiments, when the processor 3011 returns the identity token information corresponding to the user to the terminal device according to the user information, it is further configured to:
and storing the identity token information in an in-memory database, and setting the expiration time of the identity token information according to a preset time, wherein the in-memory database destroys the identity token information according to the expiration time.
In some embodiments, the processor 3011, before encoding the first authentication information and the key information according to a preset rule, is further configured to:
judging whether the in-memory database stores the identity token information corresponding to the first authentication information;
and when the identity token information is stored in the in-memory database, encoding the first authentication information and the key information according to the preset rule.
In some embodiments, the processor 3011, when encoding the first authentication information and the key information according to a preset rule to obtain verification information, is configured to:
splicing the first authentication information and the key information according to a preset rule to obtain splicing result information;
and encrypting the splicing result information according to a preset encryption method to obtain verification information.
In some embodiments, when the verification is passed and the processor 3011 obtains response information corresponding to the data access request and returns it to the terminal device, the processor 3011 is configured to implement:
when the verification is passed, forwarding the data access request to a second server, wherein the second server is used for accessing sensitive data information;
and when response information returned by the second server according to the data access request is received, returning the response information to the terminal equipment.
It should be clearly understood by those skilled in the art that, for convenience and brevity of description, the specific working process of the computer device described above may refer to the corresponding process in the foregoing network request checking method embodiment, and details are not described herein again.
The embodiments of the present application also provide a storage medium, where the storage medium is a computer-readable storage medium, where a computer program is stored on the computer-readable storage medium, where the computer program includes program instructions, and a method implemented when the program instructions are executed may refer to the embodiments of the network request verification method of the present application.
The computer-readable storage medium may be an internal storage unit of the computer device described in the foregoing embodiment, for example, a hard disk or a memory of the computer device. The computer readable storage medium may also be an external storage device of the computer device, such as a plug-in hard disk, a Smart Media Card (SMC), a Secure Digital (SD) Card, a Flash memory Card (Flash Card), and the like provided on the computer device.
It is to be understood that the terminology used in the description of the present application herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the application. As used in the specification of the present application and the appended claims, the singular forms "a," "an," and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise.
It should also be understood that the term "and/or" as used in this specification and the appended claims refers to and includes any and all possible combinations of one or more of the associated listed items. It should be noted that, in this document, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or system that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or system. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other like elements in a process, method, article, or system that comprises the element.
The above-mentioned serial numbers of the embodiments of the present application are merely for description and do not represent the merits of the embodiments. While the invention has been described with reference to specific embodiments, the scope of the invention is not limited thereto, and those skilled in the art can easily conceive various equivalent modifications or substitutions within the technical scope of the invention. Therefore, the protection scope of the present application shall be subject to the protection scope of the claims.

Claims (10)

1. A network request verification method is applied to a server and is characterized by comprising the following steps:
when a data access request sent by terminal equipment is received, acquiring an interface identifier of a data interface corresponding to the data access request, and judging whether the data access request is a sensitive data access request or not according to the interface identifier;
when the data access request is a sensitive data access request, judging whether the data access request carries first authentication information and second authentication information, wherein the first authentication information is identity token information which is returned by the server and corresponds to a user when the user successfully logs in through the terminal equipment, and the second authentication information is generated by the terminal equipment according to the first authentication information and the data access request;
when the data access request carries the first authentication information and the second authentication information, identifying key parameters of the interface identifier;
acquiring key information matched with the key parameters from the data access request;
coding the first authentication information and the key information according to a preset rule to obtain verification information;
verifying the second authentication information according to the verification information;
and when the verification is passed, acquiring response information corresponding to the data access request and returning the response information to the terminal equipment.
2. The method according to claim 1, wherein the obtaining an interface identifier of a data interface corresponding to the data access request, and determining whether the data access request is a sensitive data access request according to the interface identifier comprises:
acquiring an interface identifier of a data interface corresponding to the data access request according to the address path and the request method of the data access request;
when a preset sensitive interface information set comprises the interface identifier, the data access request is a sensitive data access request;
when the sensitive interface information set does not comprise the interface identification, the data access request is a non-sensitive data access request.
3. The method of claim 1, wherein before receiving the data access request sent by the terminal device, the method further comprises:
when a login request sent by the user through the terminal equipment is received, acquiring verification information carried in the login request;
acquiring a user information data set from a database, and judging whether user information matched with the verification information exists in the user information data set;
and when the user information exists, the user logs in successfully, and the identity token information corresponding to the user is returned to the terminal equipment according to the user information.
4. The method of claim 3, wherein after returning the identity token information corresponding to the user to the terminal device according to the user information, the method further comprises:
storing the identity token information in an in-memory database, and setting the expiration time of the identity token information according to a preset time, wherein the in-memory database destroys the identity token information according to the expiration time.
5. The method according to claim 4, wherein before encoding the first authentication information and the key information according to the preset rule, the method further comprises:
judging whether the in-memory database stores the identity token information corresponding to the first authentication information;
and when the identity token information is stored in the in-memory database, encoding the first authentication information and the key information according to the preset rule.
6. The method according to any one of claims 1 to 5, wherein the encoding the first authentication information and the key information according to a preset rule to obtain verification information comprises:
splicing the first authentication information and the key information according to a preset rule to obtain splicing result information;
and encrypting the splicing result information according to a preset encryption method to obtain verification information.
7. The method according to claim 6, wherein when the verification is passed, acquiring response information corresponding to the data access request and returning the response information to the terminal device comprises:
when the verification is passed, forwarding the data access request to a second server, wherein the second server is used for accessing sensitive data information;
and when response information returned by the second server according to the data access request is received, returning the response information to the terminal equipment.
8. A network request checking device applied to a server is characterized by comprising:
the sensitive interface identification module is used for acquiring an interface identifier of a data interface corresponding to a data access request when receiving the data access request sent by the terminal equipment, and judging whether the data access request is a sensitive data access request or not according to the interface identifier;
the request information judging module is used for judging whether the data access request carries first authentication information and second authentication information when the data access request is a sensitive data access request, wherein the first authentication information is identity token information which corresponds to a user and is returned by the server when the user successfully logs in through the terminal equipment, and the second authentication information is generated by the terminal equipment according to the first authentication information and the data access request;
the key parameter matching module is used for identifying the key parameters of the interface identifier when the data access request carries the first authentication information and the second authentication information;
the key information acquisition module is used for acquiring key information matched with the key parameters from the data access request;
the verification information generation module is used for coding the first authentication information and the key information according to a preset rule to obtain verification information;
the first verification module is used for verifying the second authentication information according to the verification information;
and the sensitive information response module is used for acquiring response information corresponding to the data access request and returning the response information to the terminal equipment when the verification is passed.
9. A computer device comprising a processor, a memory, and a computer program stored in the memory and executable by the processor, wherein the computer program, when executed by the processor, carries out the steps of the network request verification method according to any one of claims 1 to 7.
10. A computer-readable storage medium having stored thereon a computer program, wherein the computer program, when executed by a processor, performs the steps of the network request verification method according to any one of claims 1 to 7.
Priority Applications (1)

Application Number  Priority Date  Filing Date  Title
CN202111277113.2A (granted as CN113923203B, Active)  2021-10-29  2021-10-29  Network request verification method, device, equipment and storage medium

Publications (2)

Publication Number Publication Date
CN113923203A true CN113923203A (en) 2022-01-11
CN113923203B CN113923203B (en) 2023-07-11

Family

ID=79243737

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111277113.2A Active CN113923203B (en) 2021-10-29 2021-10-29 Network request verification method, device, equipment and storage medium

Country Status (1)

Country Link
CN (1) CN113923203B (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109561093A (en) * 2018-12-06 2019-04-02 平安科技(深圳)有限公司 Ultra vires act detection method, device, computer equipment and storage medium
CN110266764A (en) * 2019-05-21 2019-09-20 深圳壹账通智能科技有限公司 Internal services call method, device and terminal device based on gateway
CN110602700A (en) * 2019-09-23 2019-12-20 飞天诚信科技股份有限公司 Seed key processing method and device and electronic equipment
CN112165448A (en) * 2020-08-21 2021-01-01 招联消费金融有限公司 Service processing method, device, system, computer equipment and storage medium
CN113487391A (en) * 2021-06-11 2021-10-08 弥达斯科技(深圳)有限公司 Auction trading method, device and equipment based on block chain and readable storage medium

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109561093A (en) * 2018-12-06 2019-04-02 平安科技(深圳)有限公司 Ultra vires act detection method, device, computer equipment and storage medium
CN110266764A (en) * 2019-05-21 2019-09-20 深圳壹账通智能科技有限公司 Internal services call method, device and terminal device based on gateway
CN110602700A (en) * 2019-09-23 2019-12-20 飞天诚信科技股份有限公司 Seed key processing method and device and electronic equipment
CN112165448A (en) * 2020-08-21 2021-01-01 招联消费金融有限公司 Service processing method, device, system, computer equipment and storage medium
CN113487391A (en) * 2021-06-11 2021-10-08 弥达斯科技(深圳)有限公司 Auction trading method, device and equipment based on block chain and readable storage medium

Also Published As

Publication number Publication date
CN113923203B (en) 2023-07-11

Similar Documents

Publication Title
CN111756753B (en) Authority verification method and system
US20170316497A1 (en) Method for creating, registering, revoking authentication information and server using the same
EP2278523A2 (en) Network access protection
WO2020181809A1 (en) Data processing method and system based on interface checking, and computer device
CN108777675B (en) Electronic device, block chain-based identity authentication method, and computer storage medium
CN110661779B (en) Block chain network-based electronic certificate management method, system, device and medium
CN111818088A (en) Authorization mode management method and device, computer equipment and readable storage medium
CN113360868A (en) Application program login method and device, computer equipment and storage medium
CN111953634B (en) Access control method and device for terminal equipment, computer equipment and storage medium
CN111143808B (en) System security authentication method and device, computing equipment and storage medium
CN112231366A (en) Enterprise credit report query method, device and system based on block chain
CN114297685A (en) Product key burning method, system, device, terminal equipment and storage medium
CN110223075B (en) Identity authentication method and device, computer equipment and storage medium
CN112149068A (en) Access-based authorization verification method, information generation method and device, and server
CN111833059B (en) Data asset management method in data bank and data bank system
KR101676846B1 (en) Mutual verification system and method performing thereof
US11874752B1 (en) Methods and systems for facilitating cyber inspection of connected and autonomous electrical vehicles using smart charging stations
CN112541820B (en) Digital asset management method, device, computer equipment and readable storage medium
CN112637167A (en) System login method and device, computer equipment and storage medium
CN111953477B (en) Terminal equipment, generation method of identification token of terminal equipment and interaction method of client
CN114584313B (en) Equipment physical identity authentication method, system, device and first platform
CN113923203B (en) Network request verification method, device, equipment and storage medium
CN112445705B (en) Software running system, method and device based on trusted verification and computer equipment
CN113472781A (en) Service acquisition method, server and computer readable storage medium
CN111988336A (en) Access request processing method, device and system and computer equipment

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant