CN113949566A - Resource access method, device, electronic equipment and medium - Google Patents


Info

Publication number
CN113949566A
Authority
CN
China
Prior art keywords
server
information
gateway
resource access
private key
Prior art date
Legal status
Pending
Application number
CN202111206702.1A
Other languages
Chinese (zh)
Inventor
孙忠良
王会庆
袁翔宇
俎旭
Current Assignee
Industrial and Commercial Bank of China Ltd ICBC
ICBC Technology Co Ltd
Original Assignee
Industrial and Commercial Bank of China Ltd ICBC
ICBC Technology Co Ltd
Priority date
Filing date
Publication date
Application filed by Industrial and Commercial Bank of China Ltd ICBC and ICBC Technology Co Ltd
Priority to CN202111206702.1A
Publication of CN113949566A
Legal status: Pending


Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L 9/3247 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L 63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L 63/0442 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply asymmetric encryption, i.e. different keys for encryption and decryption
    • H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L 63/0807 Network architectures or network communication protocols for network security for authentication of entities using tickets, e.g. Kerberos
    • H04L 63/083 Network architectures or network communication protocols for network security for authentication of entities using passwords
    • H04L 63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The disclosure provides a resource access method, a resource access device, an electronic device and a medium. The resource access method and device can be used in the field of finance or in the field of information security technology, for example for security authentication during resource access. The method comprises the following steps: a first server receives a request message from a client; the first server performs a first signature on the request message to generate first signature verification information, and the first signature verification information and the request message together form first request information; the first server encrypts the first request information to generate a ciphertext; a gateway decrypts the ciphertext to obtain the request message and the first signature verification information; the gateway verifies the first signature verification information; if the verification passes, the gateway performs a second signature on the request message to generate second signature verification information; a second server verifies the second signature verification information; and if that verification passes, the resource access address is obtained based on the second server.

Description

Resource access method, device, electronic equipment and medium
Technical Field
The present disclosure relates to the field of information security technologies, and in particular, to a resource access method, apparatus, electronic device, and medium.
Background
Currently, a security authentication procedure is required for the access method in which a resource server is requested to provide a static resource, for example in a scenario where a resource caller system accesses a protected resource on a resource provider's resource server. The same holds for page services (e.g., H5) provided by resource providers. At present the industry has no complete security authentication process: the traditional method is for the resource caller to log in to the resource provider's system, and another scheme is to issue an authorization token based on OAuth 2.0 (Authorization Framework, RFC 6749) to allow the resource caller to access the resource provider's information.
In the course of implementing the disclosed concept, the inventors found at least the following problem in the prior art:
whether authentication is based on login or on time-limited token authentication, each resource provider has to develop its own authentication service, so the authentication mechanism is not universal.
Disclosure of Invention
In view of this, embodiments of the present disclosure provide a resource access method, apparatus, electronic device, and medium.
One aspect of the present disclosure provides a resource access method, including: a first server receives a request message from a client; the first server performs a first signature on the request message based on a first private key to generate first signature verification information, and the first signature verification information and the request message together form first request information; the first server encrypts the first request information based on a first public key to generate a ciphertext; a gateway decrypts the first request information based on a second private key to obtain the request message and the first signature verification information; the gateway performs a first verification of the first signature verification information based on a second public key; if the first verification passes, the gateway performs a second signature on the request message based on a third private key to generate second signature verification information; a second server performs a second verification of the second signature verification information based on a third public key; and if the second verification passes, a resource access address is obtained based on the second server, wherein the first private key matches the second public key, the first public key matches the second private key, and the third private key matches the third public key.
In some embodiments, the decrypting and the first verifying are performed based on an auto-submit form technique; the second check is performed based on a page redirection technique.
In some embodiments, performing the decryption and the first verification based on an auto-submit form technique comprises: after a ciphertext is generated, the first server generates first automatic submission form information based on the ciphertext, wherein the first automatic submission form information comprises a request URL, and the request URL is a gateway service address; the first server returns the first auto-submit form information to the client; and the client loads and renders a first automatic submission form and requests the gateway service, wherein the gateway service comprises decryption and first verification.
In some embodiments, performing the second check based on page redirection techniques further comprises: after generating second signature verification information, the gateway modifies a request URL in the first automatic submission form information into a second server service address to generate second automatic submission form information, wherein the second automatic submission form information contains a state control code, and the state control code is used for controlling page redirection; the gateway returns the second auto-submission form information to the client; and the client loads and renders a second automatic submission form, performs page jump according to the redirection address and requests a second server service, wherein the second server service comprises a second check.
In some embodiments, after obtaining the resource access address based on the second server, the method further includes: the second server returns the resource access address to the client; and the client accesses the resource access address to acquire the resource.
In certain embodiments, the first server comprises an API-caller backend server; the gateway comprises an API gateway; the second server comprises an API provider backend server.
In some embodiments, the first server holds the first private key and the second public key, the gateway holds the second private key, the first public key, and the third private key, and the second server holds the third public key.
Another aspect of the present disclosure provides a resource access system, including: the system comprises a first server, a gateway and a second server, wherein the first server is configured to receive a request message from a client; performing first signature on the request message based on a first private key to generate first signature verification information; encrypting first request information based on a first public key to generate a ciphertext, wherein the first signature verification information and the request message jointly form first request information; the gateway is configured to decrypt the first request information based on a second private key, and obtain the request message and the first signature verification information; performing first verification on the first signature verification information based on the second public key; if the first verification is passed, performing second signature on the request message based on a third private key to generate second signature verification information; the second server is configured to perform second verification on the second signature verification information based on a third public key, and if the second verification is passed, obtain a resource access address based on the second server, wherein the first private key is matched with the second public key; the first public key is matched with the second private key; the third private key matches the third public key.
In some embodiments, the first server comprises: the first acquisition module is configured to receive a request message from a client; the first computing module is configured to perform first signature on the request message based on a first private key and generate first signature verification information; and the second calculation module is configured to encrypt the first request information based on the first public key to generate a ciphertext.
In some embodiments, the gateway comprises: the decryption module is configured to decrypt the first request information based on a second private key to obtain the request message and the first signature verification information; the first verification module is configured to perform first verification on the first signature verification information based on the second public key; and the third computing module is configured to perform second signature on the request message based on a third private key and generate second signature verification information.
In certain embodiments, the second server comprises: the second verification module is configured to perform second verification on the second signature verification information; and the second acquisition module is configured to acquire the resource access address if the second check passes.
In some embodiments, the first server further comprises: the first generation module is configured to generate first automatic submission form information based on the ciphertext; and the first returning module is used for returning the first automatic submission form information to the client.
In some embodiments, the gateway further comprises: the third acquisition module is configured to acquire a first automatic submission form from the client; the conversion module is configured to modify a request URL in the first automatic submission form information into a second server service address and generate second automatic submission form information, wherein the second automatic submission form information contains a state control code, and the state control code is used for controlling page redirection; a second return module configured to return the second auto-submit form information to the client.
In certain embodiments, the second server further comprises a fourth acquisition module configured to acquire the second automatic submission form from the client.
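The two browser-mediated hops described in the auto-submit form and page redirection embodiments above (first server to gateway, then gateway to second server with a state control code) are illustrated by the following added Go example. It is not code from the patent or from ICBC's systems: the service addresses, the hidden-field names and the handling of the state control code are this example's assumptions, and the ciphertext and signature values are treated as opaque base64 strings produced elsewhere. The point worth seeing is that everything the gateway and second server receive has travelled through the user's browser, so the hidden fields are rendered through `html/template`, which escapes them for the attribute context, and the ciphertext is not forwarded past the gateway.

```go
package main

import (
	"bytes"
	"html/template"
	"net/url"
)

// formInfo is the "automatic submission form information" passed between hops: the
// request URL that becomes the form action plus the hidden fields the browser will post.
type formInfo struct {
	Action string
	Fields map[string]string
}

// Hypothetical service addresses; the patent names none.
const (
	gatewayURL      = "https://gateway.example/api/auth"
	secondServerURL = "https://provider.example/api/resource"
)

// autoSubmitTmpl renders a form the browser submits as soon as the page loads.
// html/template escapes every field value for its attribute context, so a ciphertext,
// signature or state code can never break out of its value="..." quotes.
var autoSubmitTmpl = template.Must(template.New("form").Parse(
	`<!DOCTYPE html><html><body onload="document.forms[0].submit()">` +
		`<form method="POST" action="{{.Action}}">` +
		`{{range $k, $v := .Fields}}<input type="hidden" name="{{$k}}" value="{{$v}}">{{end}}` +
		`<noscript><button type="submit">Continue</button></noscript>` +
		`</form></body></html>`))

// renderForm produces the HTML that the first server (first form) or the gateway
// (second form) returns to the client.
func renderForm(info formInfo) (string, error) {
	var buf bytes.Buffer
	if err := autoSubmitTmpl.Execute(&buf, info); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// firstFormInfo is what the first server builds after generating the ciphertext:
// the request URL is the gateway service address.
func firstFormInfo(ciphertextB64 string) formInfo {
	return formInfo{Action: gatewayURL, Fields: map[string]string{"ciphertext": ciphertextB64}}
}

// parsePostedForm is the gateway's view of the first form: the URL-encoded body the
// browser posted. Only the first value of each field is kept.
func parsePostedForm(body string) (map[string]string, error) {
	vals, err := url.ParseQuery(body)
	if err != nil {
		return nil, err
	}
	fields := make(map[string]string, len(vals))
	for k := range vals {
		fields[k] = vals.Get(k)
	}
	return fields, nil
}

// gatewayRewrite turns the first form info into the second: the request URL becomes
// the second server's address, the ciphertext is replaced by the plaintext message and
// the gateway's second signature, and a state control code is added for the redirection
// step. The patent does not say how the code is generated or checked; here the caller
// supplies it (a single-use random value is this example's assumption).
func gatewayRewrite(first formInfo, message, secondSigB64, stateCode string) formInfo {
	second := formInfo{Action: secondServerURL, Fields: make(map[string]string, len(first.Fields)+3)}
	for k, v := range first.Fields {
		if k != "ciphertext" { // the ciphertext has served its purpose at the gateway
			second.Fields[k] = v
		}
	}
	second.Fields["message"] = message
	second.Fields["signature"] = secondSigB64
	second.Fields["state"] = stateCode
	return second
}
```

Because the second form is rendered with the real second-server address only after the gateway has verified the caller, the client never learns that address from the first form. Whatever implements the state control code should bind it to the browser session and accept it once, otherwise the second form can be replayed.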
Another aspect of the present disclosure provides an electronic device comprising one or more processors and a storage, wherein the storage is configured to store executable instructions that, when executed by the processors, implement the method as described above.
Another aspect of the present disclosure provides a computer-readable storage medium storing computer-executable instructions for implementing the method as described above when executed.
Another aspect of the disclosure provides a computer program product comprising a computer program comprising computer executable instructions for implementing the method as described above when executed.
The resource access method provided by the embodiments of the disclosure overcomes the shortcomings of prior-art security authentication technology for the case where a resource caller system accesses a resource provider's resources, and provides a universal, secure and easy-to-use authentication and calling mechanism for resource services based on a gateway architecture.
Drawings
The above and other objects, features and advantages of the present disclosure will become more apparent from the following description of embodiments of the present disclosure with reference to the accompanying drawings, in which:
Fig. 1 schematically shows the authentication process of the OAuth 2.0 open authorization solution.
Fig. 2 schematically illustrates an exemplary system architecture to which the methods and apparatuses according to embodiments of the present disclosure may be applied.
Fig. 3 schematically shows a flow chart of a resource access method according to an embodiment of the present disclosure.
Fig. 4 schematically illustrates a flow chart of a method of performing the decryption and first verification based on an auto-submit form technique according to another embodiment of the present disclosure.
Fig. 5 schematically shows a flowchart of a method of performing the second check based on a page redirection technique according to another embodiment of the present disclosure.
Fig. 6 schematically shows a flow chart of a method for resource access based on a second server according to an embodiment of the present disclosure.
FIG. 7 schematically shows an architecture of a resource access system according to an embodiment of the present disclosure.
Fig. 8 schematically shows a block diagram of a first server according to an embodiment of the present disclosure.
Fig. 9 schematically shows a block diagram of a gateway according to an embodiment of the present disclosure.
Fig. 10 schematically shows a block diagram of the second server according to an embodiment of the present disclosure.
Fig. 11 schematically shows a block diagram of a first server according to another embodiment of the present disclosure.
Fig. 12 schematically shows a block diagram of a gateway according to another embodiment of the present disclosure.
Fig. 13 schematically shows a block diagram of a second server according to another embodiment of the present disclosure.
FIG. 14 schematically shows a block diagram of an electronic device according to an embodiment of the disclosure.
Detailed Description
Hereinafter, embodiments of the present disclosure will be described with reference to the accompanying drawings. It should be understood that the description is illustrative only and is not intended to limit the scope of the present disclosure. In the following detailed description, for purposes of explanation, numerous specific details are set forth in order to provide a thorough understanding of the embodiments of the disclosure. It may be evident, however, that one or more embodiments may be practiced without these specific details. Moreover, in the following description, descriptions of well-known structures and techniques are omitted so as to not unnecessarily obscure the concepts of the present disclosure.
The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the disclosure. The terms "comprises," "comprising," and the like, as used herein, specify the presence of stated features, steps, operations, and/or components, but do not preclude the presence or addition of one or more other features, steps, operations, or components.
Where a convention analogous to "at least one of A, B or C, etc." is used, such a construction is in general intended in the sense one having skill in the art would understand the convention (e.g., "a system having at least one of A, B or C" would include but not be limited to systems that have A alone, B alone, C alone, A and B together, A and C together, B and C together, and/or A, B and C together, etc.). The terms "first" and "second" are used for descriptive purposes only and are not to be construed as indicating or implying relative importance or implicitly indicating the number of technical features indicated. Thus, features defined as "first" or "second" may explicitly or implicitly include one or more of the described features.
At present, PCs and mobile terminals (iOS, Android) access static resources as follows: the resource information is configured into a dynamic/static resource server, the front end is notified of the resource path information, and the required resource information is obtained through a request path. For this access mode, in which a resource server is requested to provide a static resource, the industry has no standard secure calling mechanism, and some page services even interact with the service party directly through the user's browser, so that security is entirely absent.
According to the current prior art, one implementation scheme is to implement identity authentication through the account system of the resource service provider, but this calling mechanism is very intrusive. Another solution is OAuth 2.0 (Authorization Framework, RFC 6749) open authorization, which provides a secure authentication procedure that allows a user to provide a token, rather than a username and password, to let a resource invoker access the resource provider's information. In this authentication process, each resource provider needs to develop an authentication service, and a resource caller must first obtain an authorization code and an access token, and then carry the access token when requesting a service resource provided by the resource provider. Obviously, this process has the disadvantages of multiple interactions, poor generality, and so on.
The embodiments of the disclosure provide a resource access method, a resource access device, electronic equipment and a medium. The resource access method comprises the following steps: a first server receives a request message from a client; the first server performs a first signature on the request message based on a first private key to generate first signature verification information, and the first signature verification information and the request message together form first request information; the first server encrypts the first request information based on a first public key to generate a ciphertext; a gateway decrypts the first request information based on a second private key to obtain the request message and the first signature verification information; the gateway performs a first verification of the first signature verification information based on a second public key; if the first verification passes, the gateway performs a second signature on the request message based on a third private key to generate second signature verification information; a second server performs a second verification of the second signature verification information based on a third public key; and if the second verification passes, a resource access address is obtained based on the second server. The first private key matches the second public key; the first public key matches the second private key; the third private key matches the third public key. In some preferred embodiments, to further reduce user interaction and improve the user experience, the decryption and the first verification may be performed based on an auto-submit form technique, and the second verification may be based on a page redirection technique.
The resource access method provided by the embodiment of the disclosure technically signs and encrypts the request information based on the asymmetric encryption algorithm, realizes the bidirectional verification of the access request, and hides the real address of the resource service of the resource provider based on the gateway; the dual authentication mechanism of the gateway authentication third party caller and the resource provider authentication gateway is realized in service, and the security of the calling mechanism is further improved. In the method of the embodiment of the disclosure, the unified security authentication of the identity of the calling party is realized based on the gateway, and the zero intrusion is performed on the calling party, so that the workload of developing authentication service is reduced. Furthermore, after technologies such as automatic form submission and page redirection are introduced, a gateway architecture is combined, and a calling mechanism that a user can access resource services of a resource provider by one service request without perception can be achieved.
It should be noted that the resource access method, apparatus, system and electronic device provided by the embodiments of the present disclosure may be used for resource access security authentication in information security technology, and may also be used in various fields other than information security technology, such as the financial field. The application field of the resource access method, apparatus, system and electronic device provided by the embodiments of the disclosure is not limited.
The above-described operations for carrying out at least one of the objects of the present disclosure will be described with reference to the accompanying drawings and description thereof.
In a typical scenario, a resource caller such as a third-party API caller system accesses a protected resource on a resource provider such as an API provider's resource server; this requires a secure authentication procedure, as does a page service (e.g., H5) provided by the API provider. The industry has no complete security authentication process. According to the current prior art, the traditional method is for the API caller to log in to the API provider's system, but this authentication mechanism has no universality. In one solution, OAuth 2.0 (Authorization Framework, RFC 6749) open authorization, the user is allowed to provide a token, rather than a username and password, for third-party API callers to access the API service provider's information.
Figure 1 schematically shows the authentication process of the OAuth 2.0 open authorization solution.
As shown in Fig. 1, in this authentication flow, a user first accesses a client, which directs the user to an authentication server. The user chooses whether to grant authorization to the client. Assuming the user grants authorization, the authentication server directs the user to a "redirect URI" that the client specified in advance, with an authorization code attached. The client receives the authorization code, attaches the previous "redirect URI", and applies to the authentication server for a token. This is done on the client's background server and is not visible to the user. The authentication server checks the authorization code and the redirect URI and, after confirming that both are correct, sends an access token and a refresh token to the client.
As can be seen from the above process, each API provider needs to develop an authentication service, and an API caller must first obtain an authorization code and an access token, and then carry the access token when requesting a service resource provided by the API provider. Obviously, this process has the disadvantages of multiple interactions, poor generality, and so on.
Therefore, it is necessary to develop a new security authentication method to overcome the problem of the prior art that each resource provider needs to develop an authentication server and has no universality. Furthermore, the new security authentication method is expected to solve the problems of high data transmission overhead, tedious process and poor user experience caused by multiple interactions.
Fig. 2 schematically illustrates an exemplary system architecture to which the resource access method and apparatus may be applied, according to an embodiment of the present disclosure. It should be noted that fig. 2 is only an example of a system architecture to which the embodiments of the present disclosure may be applied to help those skilled in the art understand the technical content of the present disclosure, and does not mean that the embodiments of the present disclosure may not be applied to other devices, systems, environments or scenarios.
As shown in fig. 2, the system architecture 200 according to this embodiment may include terminal devices 201, 202, 203, a network 204, a resource access system 205. The network 204 serves as a medium for providing communication links between the terminal devices 201, 202, 203 and the resource access system 205. Network 204 may include various connection types, such as wired, wireless communication links, or fiber optic cables, to name a few.
The user may use the terminal devices 201, 202, 203 to interact with the resource access system 205 over the network 204 to receive or transmit information and the like. The terminal devices 201, 202, 203 may have an access request function and an instruction transmission function, such as requesting access to a first server providing a service. The terminal devices 201, 202, 203 may also have the function of communicating with the resource access system 205 and transmitting data to finally acquire resources. In addition, various communication client applications, such as shopping applications, web browser applications, search applications, instant messaging tools, mailbox clients, social platform software, and the like (for example only), may be installed on the terminal devices 201, 202, and 203.
The terminal devices 201, 202, 203 include, but are not limited to, smart phones, tablet computers, laptop portable computers, and the like.
The resource access system 205 may parse the user information data set to obtain the user's service request, and may perform security authentication on the user's service request and provide a resource access service. The resource access system 205 may include a database server, a background management server, a cluster of servers, and the like. The background management server can analyze and process received data such as the user's request and feed results back to the terminal devices based on the processing. The resource access system can also comprise a gateway to realize the security authentication of the system, provide a uniform resource access entrance and manage the service calls among the service ports within the resource access system.
It should be understood that the number of terminal devices, networks, resource access systems are merely illustrative. There may be any number of terminal devices, networks, resource access systems, as desired for implementation.
Fig. 3 schematically shows a flow chart of a resource access method according to an embodiment of the present disclosure.
As shown in fig. 3, the method may include operations S301 to S310.
In operation S301, a first server receives a request message from a client.
According to an embodiment of the disclosure, the client may be a browser or a mobile terminal application, such as a cell phone APP. The request message may be used to request that the first server provide access to the resource service.
In operation S302, the first server performs a first signature on the request message based on a first private key and generates first signature verification information, where the first signature verification information and the request message together form first request information.
In operation S303, the first server encrypts the first request information based on a first public key to generate a ciphertext.
According to the embodiment of the disclosure, the first server may be a back-end server of the resource caller, for example, may be an API caller back-end server, which may integrate different services into its own system, or even derive new services.
In an embodiment of the present disclosure, the first request information is signed and encrypted using an asymmetric encryption algorithm. In asymmetric encryption there are two keys, a private key and a public key. The private key is held by its owner and is never published; the public key is published by the holder to others. The private key is used to sign data, and data signed with the private key can only be verified with the matching public key. Signing means that the message sender uses the private key of a key pair to encrypt the text to be transmitted; the result is called the signature information (verification information) of the request, and it allows the message receiver to confirm the sender's identity. Verification means that the message receiver, having obtained the transmitted text, needs to confirm the identity of the sender: it uses the public key of the key pair to decrypt the signature and checks the signature information, and if the check passes, the sender's identity is authenticated. Conversely, the public key is used to encrypt data, and data encrypted with the public key can only be decrypted with the private key. Encryption turns the data (plaintext) into ciphertext by means of an encryption algorithm and the public key; decryption recovers the plaintext from the data (ciphertext) by means of the decryption algorithm and the private key. Applying signing and encryption together ensures the security of the message and prevents it from being tampered with or leaked.
According to the embodiment of the disclosure, the first server may generate a public/private key pair in advance; for example, the third-party API caller backend server may generate a key pair when registering on the API gateway. The first private key is held by the first server and is used to sign the request message. Since the first private key is held only by the first server, the first signature verification information cannot be forged, which prevents the request message from being tampered with.
In operation S304, the gateway decrypts the first request information based on a second private key and obtains the request message and the first signature verification information.
According to an embodiment of the disclosure, the first public key matches the second private key. The gateway may be an API gateway, the only entry into the resource service system: all requests from third-party API callers must be forwarded and routed to the API provider through the API gateway. The API gateway encapsulates and protects the internal structure of the API provider, provides a uniform service for each API provider, and can take over a number of functions from the API providers and implement them on the gateway. The first public key and the second private key may be a key pair generated in advance by the gateway; the gateway holds the second private key and transmits the first public key to the first server. Because the second private key is held only by the gateway, only the gateway's private key can decrypt the first request information, which prevents the content of the first request information from leaking.
In operation S305, the gateway performs a first verification on the first signature verification information based on a second public key.
According to an embodiment of the disclosure, the first private key matches the second public key. The first server passes the second public key to the gateway. The gateway decrypts the first request information to obtain the plaintext, i.e., the request message and the first signature verification information, and verifies the first signature verification information with the second public key. If the verification fails, the access is illegal. If the verification passes, the sender of the request message is authenticated and the request message is confirmed not to have been tampered with.
In operation S306, it is determined whether the first verification passes.
In operation S307, if the first verification passes, the gateway performs a second signature on the request message based on a third private key and generates second signature verification information.
In operation S308, the second server performs a second verification on the second signature verification information based on a third public key.
In an embodiment of the present disclosure, the second server may be a backend server of the resource owner, for example an API provider backend server, which provides services (including page services) within a platform or system to the third-party API caller by means of a RESTful API. The gateway may generate a third private key / third public key pair in advance, where the third private key is held only by the gateway and the third public key may be communicated by the gateway to the second server, which holds it. The gateway signs the request message a second time with the third private key to obtain the second signature verification information. Because the third private key is held only by the gateway, the second signature verification information cannot be forged, which prevents the request message from being tampered with. The second server verifies the second signature verification information with the third public key; if the verification fails, the access is illegal. Once the verification passes, the sender of the request message is authenticated and the request message is confirmed not to have been tampered with.
In operation S309, it is determined whether the second verification passes.
In operation S310, if the second verification passes, a resource access address is obtained based on the second server.
According to the embodiment of the disclosure, after both verifications pass, the double security authentication is complete, and the second server can return a resource access address based on the request message, providing the client with the real access address of the resource. The real access address of the resource may be provided by a resource provider such as an API provider web server. Because the security authentication has passed, the gateway no longer participates in the subsequent interaction, and the user interacts with the API provider's page service through the client.
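The double authentication of operations S302 to S308, as an added example that is not code from the patent or from ICBC: Go with only the standard library, RSA-PSS for the two signatures and RSA-OAEP for the gateway's encryption key pair. The patent does not say how the first request information is encrypted, so the hybrid AES-256-GCM wrapping in `Envelope` is an assumption, as are all function and type names; transport encoding is omitted and the structures are handed from party to party in memory.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
)

// Envelope is the S303 ciphertext, kept in memory (transport encoding omitted).
// One RSA-OAEP block cannot hold a request plus a 256-byte signature, so the
// usual hybrid scheme is assumed: AES-256-GCM payload, AES key wrapped by RSA-OAEP.
type Envelope struct {
	WrappedKey []byte
	Nonce      []byte
	Ciphertext []byte // AES-GCM over (first signature || request message)
}

// GenKey makes one 2048-bit pair; in the disclosure each party makes its own.
func GenKey() *rsa.PrivateKey {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return k
}

func sign(priv *rsa.PrivateKey, msg []byte) ([]byte, error) {
	h := sha256.Sum256(msg)
	return rsa.SignPSS(rand.Reader, priv, crypto.SHA256, h[:], nil)
}

func verify(pub *rsa.PublicKey, msg, sig []byte) error {
	h := sha256.Sum256(msg)
	return rsa.VerifyPSS(pub, crypto.SHA256, h[:], sig, nil)
}

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// FirstServerSignAndEncrypt performs S302 and S303: sign with the first private
// key, then encrypt under the gateway's public key (the "first public key").
func FirstServerSignAndEncrypt(firstPriv *rsa.PrivateKey, gatewayPub *rsa.PublicKey, request []byte) (*Envelope, error) {
	sig, err := sign(firstPriv, request)
	if err != nil {
		return nil, err
	}
	buf := make([]byte, 32+12) // fresh AES-256 key followed by a 96-bit GCM nonce
	if _, err := rand.Read(buf); err != nil {
		return nil, err
	}
	key, nonce := buf[:32], buf[32:]
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, gatewayPub, key, nil)
	if err != nil {
		return nil, err
	}
	plain := append(append([]byte{}, sig...), request...) // the first request information
	return &Envelope{WrappedKey: wrapped, Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, plain, nil)}, nil
}

// GatewayDecryptVerifyResign performs S304, S305 and S307: decrypt with the second
// private key, verify with the second public key, then re-sign with the third private key.
func GatewayDecryptVerifyResign(gatewayEnc *rsa.PrivateKey, firstServerPub *rsa.PublicKey, gatewaySign *rsa.PrivateKey, env *Envelope) (request, secondSig []byte, err error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, gatewayEnc, env.WrappedKey, nil)
	if err != nil {
		return nil, nil, err
	}
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, nil, err
	}
	plain, err := gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
	if err != nil {
		return nil, nil, err // ciphertext tampered with, or not addressed to this gateway
	}
	n := firstServerPub.Size() // a PSS signature is exactly the modulus size
	if len(plain) < n || verify(firstServerPub, plain[n:], plain[:n]) != nil {
		return nil, nil, errors.New("first check failed: illegal access")
	}
	secondSig, err = sign(gatewaySign, plain[n:])
	return plain[n:], secondSig, err
}

// SecondServerVerify performs S308 with the third public key (nil error = valid).
func SecondServerVerify(gatewaySignPub *rsa.PublicKey, request, secondSig []byte) error {
	return verify(gatewaySignPub, request, secondSig)
}
```

A caller that lacks the first private key, a ciphertext altered in transit, and a request altered after the gateway signed it are all rejected, each at the earliest party able to detect it.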
According to the method provided by the embodiment of the disclosure, the request information is signed and encrypted based on an asymmetric encryption algorithm, so that bidirectional verification of the access request is achieved and the real address of the resource provider's resource service is hidden behind the gateway. The system design that performs unified-entry security authentication at the gateway can be built on Spring Cloud Gateway; it offers functions such as access control, load balancing, hiding of server IP addresses and security authentication, is non-intrusive to the resource provider, and reduces the work of developing an authentication service. The double authentication process, in which the gateway authenticates the resource caller and the resource provider authenticates the gateway, is implemented within the service and further improves the security of the calling mechanism.
In other embodiments, the decrypting and first verifying may be based on an auto-submit form technique; the second check may be based on a page redirection technique.
According to the embodiment of the disclosure, the form auto-submission technique is a section of HTML code that triggers automatic submission when the client, for example a browser or a mobile phone App, initializes, loads and renders the web page, carrying the request parameters in a form to request a specified address. Redirection (Redirect) techniques redirect a network request to another location by various means. The browser or mobile phone App receives an HTTP data stream in response to its request; the stream contains a status code whose value is defined by the HTTP protocol, and the browser or App acts according to the content of the HTTP data stream. This "HTTP stream" information is also called the header information (Header). The header includes the date, the server type and, normally, a "200 OK" message: if everything is fine, the web server sends "200 OK" together with the requested page. If the web site has set up a redirect, the server instead includes a response such as "302 Moved Temporarily" or "301 Moved Permanently" in the header.
According to the embodiment of the disclosure, by introducing techniques such as automatic form submission and page redirection into the gateway architecture, the resource service calling mechanism of the resource provider can be reached with a single service request and without the user noticing, which reduces the interaction between the user and the system and improves the user experience.
Fig. 4 schematically illustrates a flow chart of a method of performing the decryption and first verification based on an auto-submit form technique according to another embodiment of the present disclosure.
As shown in fig. 4, the method may include operations S401 to S403.
In operation S401, after generating a ciphertext, the first server generates first auto-submit form information based on the ciphertext, where the first auto-submit form information includes a request URL, and the request URL is a gateway service address.
In operation S402, the first server returns the first auto-submit form information to the client.
In operation S403, the client loads and renders a first auto-submit form, and requests the gateway service, where the gateway service includes decryption and a first check.
According to another embodiment of the disclosure, the generated first auto-submit form information is HTML form information containing the signature; after it is returned to the client, the client is triggered to automatically load and render the first auto-submit form containing the signature and request the gateway service. This process eliminates the need for the user to manually resubmit the service request.
Fig. 5 schematically shows a flowchart of a method of performing the second check based on a page redirection technique according to another embodiment of the present disclosure.
As shown in fig. 5, the method may include operations S501 to S503.
In operation S501, after generating the second signature verification information, the gateway modifies the request URL in the first auto-submit form information to be the second server service address, and generates second auto-submit form information, where the second auto-submit form information includes a status control code, and the status control code is used to control page redirection.
In operation S502, the gateway returns the second auto-submit form information to the client.
In operation S503, the client loads and renders a second auto-submit form, performs page jump according to the redirection address, and requests a second server service, where the second server service includes a second check.
According to another embodiment of the present disclosure, the request URL in the auto-submitted HTML form information may be modified by the API gateway to the page service address of the API provider's backend service, and the page redirection may be controlled by returning a 302 or 307 HTTP status code. After loading and rendering the auto-submitted HTML form, the client performs the page jump according to the redirection address, i.e., requests the API provider's backend service. In this process the user does not need to resubmit the service request manually, so the security authentication is completed without the user noticing the resource provider's resource service; afterwards the client interacts directly with the resource provider, which shortens the interaction flow between user and system, improves the efficiency of data acquisition and enhances the user experience.
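The auto-submit form of operations S401 to S403 and the gateway redirect of S501 to S503, as an added example that is not the patent's or ICBC's code: Go standard library, with httptest servers standing in for the gateway and the second server and http.Client playing the browser. The `firstCheck` callback, the form field name `ciphertext`, the paths and all other names are assumptions; the example also shows why the choice between 302 and 307 matters for this flow, since a client turns a POST into a GET on 302 and drops the form body, while 307 replays the POST to the second server.

```go
package main

import (
	"fmt"
	"html"
	"io"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
	"sync"
)

// AutoSubmitForm renders the "auto-submit form information" of S401: an HTML
// form the client submits as soon as it has loaded and rendered the page.
// Every attribute value is HTML-escaped so a request parameter (for example the
// ciphertext) cannot break out of its hidden field and inject markup.
func AutoSubmitForm(requestURL string, fields map[string]string) string {
	var b strings.Builder
	fmt.Fprintf(&b, `<form id="f" method="post" action="%s">`, html.EscapeString(requestURL))
	for name, value := range fields {
		fmt.Fprintf(&b, `<input type="hidden" name="%s" value="%s">`,
			html.EscapeString(name), html.EscapeString(value))
	}
	b.WriteString(`</form><script>document.getElementById("f").submit();</script>`)
	return b.String()
}

// Outcome records what the second server saw after the client followed the
// gateway's redirect, and the final HTTP status the client received.
type Outcome struct {
	Status int    // final status seen by the client
	Method string // method received by the second server ("" if never reached)
	Field  string // "ciphertext" form field as received by the second server
}

// RunRedirectFlow stands up a constructed gateway and second server on loopback,
// submits the first form's fields to the gateway the way a browser would, and
// reports what arrived at the second server. firstCheck stands in for the
// gateway's decrypt-and-verify step (S304/S305); status is the "status control
// code" of S501, 302 or 307 in the text.
func RunRedirectFlow(status int, firstCheck func(ciphertext string) bool, fields map[string]string) (Outcome, error) {
	var mu sync.Mutex
	var out Outcome
	second := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		_ = r.ParseForm() // S503: the second server service receives the redirected submission
		mu.Lock()
		out.Method, out.Field = r.Method, r.FormValue("ciphertext")
		mu.Unlock()
	}))
	defer second.Close()
	gateway := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Method != http.MethodPost || r.ParseForm() != nil || !firstCheck(r.FormValue("ciphertext")) {
			http.Error(w, "illegal access", http.StatusForbidden) // first check failed (S306)
			return
		}
		// S501/S502: point the request URL at the second server's service address
		// and hand the client the status control code that drives the page jump.
		http.Redirect(w, r, second.URL+"/page", status)
	}))
	defer gateway.Close()

	values := url.Values{}
	for name, value := range fields {
		values.Set(name, value)
	}
	resp, err := http.PostForm(gateway.URL+"/gw", values) // the browser submitting the first form
	if err != nil {
		return out, err
	}
	defer resp.Body.Close()
	_, _ = io.Copy(io.Discard, resp.Body)
	mu.Lock()
	defer mu.Unlock()
	out.Status = resp.StatusCode
	return out, nil
}
```

With 307 the second server receives the POST together with the ciphertext field; with 302 it receives an empty GET, so the second signature verification of S503 would have nothing to check.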
Fig. 6 schematically shows a flow chart of a method for resource access based on a second server according to an embodiment of the present disclosure.
As shown in fig. 6, the method may include operations S601 to S602.
In operation S601, the second server returns the resource access address to the client.
In operation S602, the client accesses the resource access address to obtain a resource.
Another aspect of the disclosure provides a resource access system.
Fig. 7 schematically shows the architecture of a resource access system 700 according to an embodiment of the present disclosure.
As shown in fig. 7, a resource access system 700 of an embodiment of the present disclosure includes a first server 701, a gateway 702, and a second server 703.
The first server 701 may be a backend server of a resource caller, for example an API caller backend server, which may integrate different services into its own system or even derive new services. The first server 701 is configured to receive a request message from a client; perform a first signature on the request message based on a first private key to generate first signature verification information; and encrypt the first request information based on a first public key to generate a ciphertext, where the first signature verification information and the request message together form the first request information.
The gateway 702 may be an API gateway, the only entry into the resource service system, through which all requests of third-party API callers must be forwarded for routing to the API provider. The API gateway encapsulates and protects the internal structure of the API provider, provides a uniform service for each API provider, and can take over a number of functions from the API providers and implement them on the gateway. The gateway 702 is configured to decrypt the first request information based on a second private key and obtain the request message and the first signature verification information; perform a first verification on the first signature verification information based on a second public key; and, if the first verification passes, perform a second signature on the request message based on a third private key to generate second signature verification information.
The second server 703 may be a backend server of the resource owner, for example an API provider backend server, which provides services (including page services) within a platform or system to third-party API callers by means of a RESTful API. The second server 703 is configured to perform a second verification on the second signature verification information based on a third public key and, if the second verification passes, obtain a resource access address based on the second server.
According to an embodiment of the present disclosure, the first private key matches the second public key; the first public key matches the second private key; and the third private key matches the third public key. The first server may generate a public/private key pair in advance; for example, the third-party API caller backend server may generate a key pair when registering on the API gateway. The first private key is held by the first server and is used to sign the request message; since the first private key is held only by the first server, the first signature verification information cannot be forged, which prevents the request message from being tampered with. The first public key and the second private key may be a key pair generated in advance by the gateway; the gateway holds the second private key and transmits the first public key to the first server. Because the second private key is held only by the gateway, only the gateway's private key can decrypt the first request information, which prevents the content of the first request information from leaking. The gateway may generate a third private key / third public key pair in advance, where the third private key is held only by the gateway and the third public key may be communicated by the gateway to the second server. The gateway signs the request message a second time with the third private key to obtain the second signature verification information. Because the third private key is held only by the gateway, the second signature verification information cannot be forged, which prevents the request message from being tampered with.
The user accesses resources through the resource access system composed of the first server 701, the gateway 702 and the second server 703. The user interacts with the resource access system through the client and obtains the required resources while the security of the resource provider is guaranteed.
Fig. 8 schematically shows a block diagram of a first server according to an embodiment of the present disclosure.
As shown in fig. 8, the first server 701 may include a first obtaining module 7011, a first calculating module 7012, and a second calculating module 7013.
The first obtaining module 7011 is configured to receive a request message from a client.
The first computing module 7012 is configured to perform a first signature on the request message based on a first private key and generate first signature verification information.
The second calculation module 7013 is configured to encrypt the first request information based on the first public key, and generate a ciphertext.
Fig. 9 schematically shows a block diagram of a gateway according to an embodiment of the present disclosure.
As shown in fig. 9, the gateway 702 may include a decryption module 7021, a first authentication module 7022, and a third computing module 7023.
The decryption module 7021 is configured to decrypt the first request information based on the second private key and obtain the request message and the first signature verification information.
The first verification module 7022 is configured to perform a first verification on the first signature verification information based on the second public key.
The third computing module 7023 is configured to perform a second signature on the request message based on a third private key and generate second signature verification information.
Fig. 10 schematically shows a block diagram of the second server according to an embodiment of the present disclosure.
As shown in fig. 10, the second server 703 may include a second authentication module 7031 and a second obtaining module 7032.
Wherein the second verification module 7031 is configured to perform a second verification on the second signature verification information.
The second retrieving module 7032 is configured to retrieve the resource access address if the second check passes.
Fig. 11 schematically shows a block diagram of a first server according to another embodiment of the present disclosure.
As shown in fig. 11, the first server 701 may further include a first generating module 7014 and a first returning module 7015 in addition to the first obtaining module 7011, the first calculating module 7012 and the second calculating module 7013.
Wherein the first generation module 7014 is configured to generate the first auto-submit form information based on the ciphertext.
The first return module 7015 is configured to return the first auto-submit form information to the client.
Fig. 12 schematically shows a block diagram of a gateway according to another embodiment of the present disclosure.
As shown in fig. 12, the gateway 702 may further include a third obtaining module 7024, a transforming module 7025, and a second returning module 7026, in addition to the decrypting module 7021, the first verifying module 7022, and the third calculating module 7023.
Wherein the third obtaining module 7024 is configured to obtain the first auto-submit form from the client.
The transformation module 7025 is configured to modify the request URL in the first auto-submit form information to a second server service address, and generate second auto-submit form information, where the second auto-submit form information includes a status control code, and the status control code is used to control page redirection.
The second return module 7026 is configured to return the second auto-submit form information to the client.
Fig. 13 schematically shows a block diagram of a second server according to another embodiment of the present disclosure.
As shown in fig. 13, the second server 703 may further include a fourth obtaining module 7033 in addition to the second verifying module 7031 and the second obtaining module 7032.
Wherein the fourth obtaining module 7033 is configured to obtain a second auto-submit form from the client.
It should be noted that the implementation, solved technical problems, implemented functions, and achieved technical effects of each module/unit/subunit and the like in the apparatus part embodiment are respectively the same as or similar to the implementation, solved technical problems, implemented functions, and achieved technical effects of each corresponding step in the method part embodiment.
Any of the modules, units, or at least part of the functionality of any of them according to embodiments of the present disclosure may be implemented in one module. Any one or more of the modules and units according to the embodiments of the present disclosure may be implemented by being split into a plurality of modules. Any one or more of the modules, units according to the embodiments of the present disclosure may be implemented at least partially as a hardware circuit, such as a Field Programmable Gate Array (FPGA), a Programmable Logic Array (PLA), a system on a chip, a system on a substrate, a system on a package, an Application Specific Integrated Circuit (ASIC), or may be implemented by any other reasonable means of hardware or firmware by integrating or packaging the circuits, or in any one of three implementations of software, hardware and firmware, or in any suitable combination of any of them. Alternatively, one or more of the modules, units according to embodiments of the present disclosure may be implemented at least partly as computer program modules, which, when executed, may perform the respective functions.
For example, any plurality of the first obtaining module 7011, the first calculating module 7012, the second calculating module 7013, the first generating module 7014, the first returning module 7015, the decrypting module 7021, the first verifying module 7022, the third calculating module 7023, the third obtaining module 7024, the transforming module 7025, the second returning module 7026, the second verifying module 7031, the second obtaining module 7032, and the fourth obtaining module 7033 may be combined and implemented in one module, or any one of them may be divided into a plurality of modules. Alternatively, at least part of the functionality of one or more of these modules may be combined with at least part of the functionality of the other modules and implemented in one module. According to an embodiment of the present disclosure, at least one of the first obtaining module 7011, the first calculating module 7012, the second calculating module 7013, the first generating module 7014, the first returning module 7015, the decrypting module 7021, the first verifying module 7022, the third calculating module 7023, the third obtaining module 7024, the transforming module 7025, the second returning module 7026, the second verifying module 7031, the second obtaining module 7032, the fourth obtaining module 7033 may be implemented at least partially as a hardware circuit, such as Field Programmable Gate Arrays (FPGAs), Programmable Logic Arrays (PLAs), systems on a chip, systems on a substrate, systems on a package, Application Specific Integrated Circuits (ASICs), or may be implemented in hardware or firmware in any other reasonable way of integrating or packaging circuits, or in any one of three implementations, software, hardware and firmware, or in any suitable combination of any of them. 
Alternatively, at least one of the first obtaining module 7011, the first calculating module 7012, the second calculating module 7013, the first generating module 7014, the first returning module 7015, the decrypting module 7021, the first verifying module 7022, the third calculating module 7023, the third obtaining module 7024, the transforming module 7025, the second returning module 7026, the second verifying module 7031, the second obtaining module 7032, and the fourth obtaining module 7033 may be at least partially implemented as a computer program module, which, when executed, may perform a corresponding function.
FIG. 14 schematically shows a block diagram of an electronic device according to an embodiment of the disclosure. The electronic device shown in fig. 14 is only an example, and should not bring any limitation to the functions and the scope of use of the embodiments of the present disclosure.
As shown in fig. 14, an electronic device 1400 according to an embodiment of the present disclosure includes a processor 1401, which can perform various appropriate actions and processes according to a program stored in a Read Only Memory (ROM)1402 or a program loaded from a storage portion 1408 into a Random Access Memory (RAM) 1403. Processor 1401 may comprise, for example, a general purpose microprocessor (e.g., a CPU), an instruction set processor and/or associated chipset, and/or a special purpose microprocessor (e.g., an Application Specific Integrated Circuit (ASIC)), among others. The processor 1401 may also include onboard memory for caching purposes. Processor 1401 may include a single processing unit or multiple processing units for performing different actions of a method flow according to embodiments of the present disclosure.
In the RAM 1403, various programs and data necessary for the operation of the electronic device 1400 are stored. The processor 1401, the ROM 1402, and the RAM 1403 are connected to each other by a bus 1404. The processor 1401 performs various operations of the method flow according to the embodiments of the present disclosure by executing programs in the ROM 1402 and/or the RAM 1403. Note that the programs may also be stored in one or more memories other than ROM 1402 and RAM 1403. The processor 1401 may also perform various operations of the method flows according to the embodiments of the present disclosure by executing programs stored in the one or more memories.
According to an embodiment of the present disclosure, electronic device 1400 may also include an input/output (I/O) interface 1405, which input/output (I/O) interface 1405 is also connected to bus 1404. Electronic device 1400 may also include one or more of the following components connected to I/O interface 1405: an input portion 1406 including a keyboard, a mouse, and the like; an output portion 1407 including a display such as a Cathode Ray Tube (CRT), a Liquid Crystal Display (LCD), and the like, and a speaker and the like; a storage portion 1408 including a hard disk and the like; and a communication portion 1409 including a network interface card such as a LAN card, a modem, or the like. The communication section 1409 performs communication processing via a network such as the internet. The driver 1410 is also connected to the I/O interface 1405 as necessary. A removable medium 1411 such as a magnetic disk, an optical disk, a magneto-optical disk, a semiconductor memory, or the like is mounted on the drive 1410 as necessary, so that a computer program read out therefrom is installed into the storage section 1408 as necessary.
According to embodiments of the present disclosure, method flows according to embodiments of the present disclosure may be implemented as computer software programs. For example, embodiments of the present disclosure include a computer program product comprising a computer program embodied on a computer readable storage medium, the computer program containing program code for performing the method illustrated by the flow chart. In such an embodiment, the computer program may be downloaded and installed from a network via the communication portion 1409 and/or installed from the removable medium 1411. The computer program, when executed by the processor 1401, performs the above-described functions defined in the system of the embodiment of the present disclosure. The systems, devices, apparatuses, modules, units, etc. described above may be implemented by computer program modules according to embodiments of the present disclosure.
The present disclosure also provides a computer-readable storage medium, which may be contained in the apparatus/device/system described in the above embodiments; or may exist separately and not be assembled into the device/apparatus/system. The computer-readable storage medium carries one or more programs which, when executed, implement the method according to an embodiment of the disclosure.
According to embodiments of the present disclosure, the computer-readable storage medium may be a non-volatile computer-readable storage medium, which may include, for example but is not limited to: a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the present disclosure, a computer readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device. For example, according to embodiments of the present disclosure, a computer-readable storage medium may include one or more memories other than ROM 1402 and/or RAM 1403 and/or ROM 1402 and RAM 1403 described above.
The flowchart and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present disclosure. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams or flowchart illustration, and combinations of blocks in the block diagrams or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
The present disclosure also provides a computer program product comprising a computer program comprising one or more programs. The above-described method may be implemented as a computer software program. For example, embodiments of the present disclosure include a computer program product comprising a computer program embodied on a computer readable storage medium, the computer program containing program code for performing the method illustrated by the flow chart. In such an embodiment, the computer program may be downloaded and installed from a network via the communication portion 1409 and/or installed from the removable medium 1411. The computer program, when executed by the processor 1401, performs the above-described functions defined in the system of the embodiment of the present disclosure. The systems, devices, apparatuses, modules, units, etc. described above may be implemented by computer program modules according to embodiments of the present disclosure.
Those skilled in the art will appreciate that various combinations and/or associations of the features recited in the various embodiments and/or claims of the present disclosure can be made, even if such combinations or associations are not expressly recited in the present disclosure. In particular, various combinations and/or associations of the features recited in the various embodiments and/or claims of the present disclosure may be made without departing from the spirit or teaching of the present disclosure. All such combinations and/or associations are within the scope of the present disclosure.
The embodiments of the present disclosure have been described above. However, these examples are for illustrative purposes only and are not intended to limit the scope of the present disclosure. Although the embodiments are described separately above, this does not mean that the measures in the embodiments cannot be used in advantageous combination. The scope of the disclosure is defined by the appended claims and equivalents thereof. Various alternatives and modifications can be devised by those skilled in the art without departing from the scope of the present disclosure, and such alternatives and modifications are intended to be within the scope of the present disclosure.

Claims (17)

1. A method for accessing resources, comprising:
a first server receives a request message from a client;
the first server performs a first signature on the request message based on a first private key to generate first signature verification information, and the first signature verification information and the request message together form first request information;
the first server encrypts the first request information based on a first public key to generate a ciphertext;
a gateway decrypts the first request information based on a second private key to obtain the request message and the first signature verification information;
the gateway performs a first verification on the first signature verification information based on a second public key;
if the first verification passes, the gateway performs a second signature on the request message based on a third private key to generate second signature verification information;
a second server performs a second verification on the second signature verification information based on a third public key; and
if the second verification passes, a resource access address is acquired based on the second server,
wherein the first private key matches the second public key, the first public key matches the second private key, and the third private key matches the third public key.
2. The resource access method according to claim 1, wherein the decryption and the first verification are performed based on an automatic submission form technique, and the second verification is performed based on a page redirection technique.
3. The resource access method according to claim 2, wherein performing the decryption and the first verification based on an automatic submission form technique comprises:
after the ciphertext is generated, the first server generates first automatic submission form information based on the ciphertext, wherein the first automatic submission form information comprises a request URL, and the request URL is a gateway service address;
the first server returns the first automatic submission form information to the client; and
the client loads and renders a first automatic submission form and requests the gateway service, wherein the gateway service comprises the decryption and the first verification.
4. The resource access method according to claim 2, wherein performing the second verification based on a page redirection technique further comprises:
after generating the second signature verification information, the gateway modifies the request URL in the first automatic submission form information to a second server service address to generate second automatic submission form information, wherein the second automatic submission form information contains a state control code, and the state control code is used to control page redirection;
the gateway returns the second automatic submission form information to the client; and
the client loads and renders a second automatic submission form, performs a page jump to the redirection address and requests the second server service, wherein the second server service comprises the second verification.
5. The resource access method according to claim 1, wherein after the resource access address is acquired based on the second server, the method further comprises:
the second server returns the resource access address to the client; and
the client accesses the resource access address to acquire the resource.
6. The resource access method according to any one of claims 1 to 5, wherein the first server comprises an API-caller backend server, the gateway comprises an API gateway, and the second server comprises an API-provider backend server.
7. The resource access method according to claim 1, wherein the first server holds the first private key and the second public key, the gateway holds the second private key, the first public key and the third private key, and the second server holds the third public key.
8. A resource access system, comprising a first server, a gateway and a second server,
wherein the first server is configured to receive a request message from a client; perform a first signature on the request message based on a first private key to generate first signature verification information, the first signature verification information and the request message together forming first request information; and encrypt the first request information based on a first public key to generate a ciphertext;
the gateway is configured to decrypt the first request information based on a second private key to obtain the request message and the first signature verification information; perform a first verification on the first signature verification information based on a second public key; and, if the first verification passes, perform a second signature on the request message based on a third private key to generate second signature verification information; and
the second server is configured to perform a second verification on the second signature verification information based on a third public key and, if the second verification passes, acquire a resource access address based on the second server, wherein the first private key matches the second public key, the first public key matches the second private key, and the third private key matches the third public key.
9. The resource access system according to claim 8, wherein the first server comprises:
a first acquisition module configured to receive the request message from the client;
a first computing module configured to perform the first signature on the request message based on the first private key to generate the first signature verification information; and
a second computing module configured to encrypt the first request information based on the first public key to generate the ciphertext.
10. The resource access system according to claim 8, wherein the gateway comprises:
a decryption module configured to decrypt the first request information based on the second private key to obtain the request message and the first signature verification information;
a first verification module configured to perform the first verification on the first signature verification information based on the second public key; and
a third computing module configured to perform the second signature on the request message based on the third private key to generate the second signature verification information.
11. The resource access system according to claim 8, wherein the second server comprises:
a second verification module configured to perform the second verification on the second signature verification information; and
a second acquisition module configured to acquire the resource access address if the second verification passes.
12. The resource access system according to claim 9, wherein the first server further comprises:
a first generation module configured to generate first automatic submission form information based on the ciphertext; and
a first return module configured to return the first automatic submission form information to the client.
13. The resource access system according to claim 10, wherein the gateway further comprises:
a third acquisition module configured to acquire a first automatic submission form from the client;
a conversion module configured to modify a request URL in the first automatic submission form information to a second server service address to generate second automatic submission form information, wherein the second automatic submission form information contains a state control code, and the state control code is used to control page redirection; and
a second return module configured to return the second automatic submission form information to the client.
14. The resource access system according to claim 11, wherein the second server further comprises:
a fourth acquisition module configured to acquire a second automatic submission form from the client.
15. An electronic device, comprising:
one or more processors;
storage means for storing executable instructions which, when executed by the processor, implement a data monitoring method according to any one of claims 1 to 7.
16. A computer readable storage medium having stored thereon executable instructions which, when executed by a processor, implement a data monitoring method according to any one of claims 1 to 7.
17. A computer program product comprising a computer program comprising one or more executable instructions which, when executed by a processor, implement the method of any one of claims 1 to 7.
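The three-hop flow of claim 1, as an added example in Go that is not part of the patent or of the applicant's code. It assumes Ed25519 for the two signing pairs (first private/second public and third private/third public), RSA-OAEP for the encryption pair (first public/second private), JSON as the wire format, and a constructed request-to-address table on the second server; every type, field and function name is invented for the example. Key names follow the way claim 1 uses them (the first server encrypts with the first public key, the gateway verifies with the second public key) rather than the holding list in claim 7. The transport of claims 2 to 4 (automatic submission forms and page redirection through the client's browser) is replaced by direct calls between the three parties so that the cryptographic checks stay visible:

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/json"
	"errors"
)

// Wire formats are assumptions; the claims fix no encoding.
type FirstRequest struct{ Request, Sig1 []byte }  // request message + first signature verification information
type SecondRequest struct{ Request, Sig2 []byte } // request message + second signature verification information

// FirstServer holds the first private key (it signs with it) and the first
// public key (the gateway's RSA key it encrypts to), as claim 1 uses them.
type FirstServer struct {
	signKey ed25519.PrivateKey
	gwEnc   *rsa.PublicKey
}

// Build performs claim 1's first signature and encryption: sign the request,
// then encrypt request+signature so that only the gateway can read them.
// RSA-OAEP with a 2048-bit key and SHA-256 carries at most 190 bytes; a longer
// payload returns rsa.ErrMessageTooLong and would need a wrapped symmetric key.
func (s *FirstServer) Build(request []byte) ([]byte, error) {
	plain, _ := json.Marshal(FirstRequest{request, ed25519.Sign(s.signKey, request)}) // []byte fields cannot fail
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, s.gwEnc, plain, nil)
}

// Gateway holds the second private key (decrypts), the second public key
// (verifies the first server's signature) and the third private key (re-signs).
type Gateway struct {
	decKey   *rsa.PrivateKey
	firstPub ed25519.PublicKey
	signKey  ed25519.PrivateKey
}

// Forward performs claim 1's decryption, first verification and second signature.
// Only the request message is re-signed; Sig1 does not travel on to the second server.
func (g *Gateway) Forward(ciphertext []byte) ([]byte, error) {
	plain, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, g.decKey, ciphertext, nil)
	if err != nil {
		return nil, err // a tampered or wrong-key ciphertext fails OAEP's integrity check here
	}
	var fr FirstRequest
	if err := json.Unmarshal(plain, &fr); err != nil {
		return nil, err
	}
	if !ed25519.Verify(g.firstPub, fr.Request, fr.Sig1) {
		return nil, errors.New("first verification failed")
	}
	return json.Marshal(SecondRequest{fr.Request, ed25519.Sign(g.signKey, fr.Request)})
}

// SecondServer holds only the third public key; it never sees the first server's keys.
type SecondServer struct {
	gwPub     ed25519.PublicKey
	resources map[string]string // constructed: request message -> resource access address
}

// Resolve performs claim 1's second verification, then looks up the resource access address.
func (s *SecondServer) Resolve(msg []byte) (string, error) {
	var sr SecondRequest
	if err := json.Unmarshal(msg, &sr); err != nil {
		return "", err
	}
	if !ed25519.Verify(s.gwPub, sr.Request, sr.Sig2) {
		return "", errors.New("second verification failed")
	}
	addr, ok := s.resources[string(sr.Request)]
	if !ok {
		return "", errors.New("no resource for request")
	}
	return addr, nil
}

// NewDeployment generates the three key pairs and hands each party only what
// claim 1 has it use. Key generation failing at startup is fatal, hence panic.
func NewDeployment() (*FirstServer, *Gateway, *SecondServer) {
	firstPub, firstPriv, err := ed25519.GenerateKey(rand.Reader) // first private key / second public key
	if err != nil {
		panic(err)
	}
	gwRSA, err := rsa.GenerateKey(rand.Reader, 2048) // second private key / first public key
	if err != nil {
		panic(err)
	}
	gwPub, gwPriv, err := ed25519.GenerateKey(rand.Reader) // third private key / third public key
	if err != nil {
		panic(err)
	}
	res := map[string]string{"GET /reports/q3": "https://files.example.invalid/reports/q3"} // constructed
	return &FirstServer{firstPriv, &gwRSA.PublicKey}, &Gateway{gwRSA, firstPub, gwPriv}, &SecondServer{gwPub, res}
}
```

One request runs as `fs.Build(msg)`, then `gw.Forward(ciphertext)`, then `ss.Resolve(secondRequest)`. The properties worth checking are the ones the claims rely on: only the gateway can open the ciphertext, an envelope from a server whose signing key the gateway does not know fails the first verification, and a second request whose message is altered after the gateway signed it fails the second verification. The second server checks nothing but the gateway's signature, so the gateway is the trust anchor for the second hop and the third private key is the asset whose exposure would let arbitrary messages reach the resource lookup.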

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111206702.1A CN113949566A (en) 2021-10-15 2021-10-15 Resource access method, device, electronic equipment and medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202111206702.1A CN113949566A (en) 2021-10-15 2021-10-15 Resource access method, device, electronic equipment and medium

Publications (1)

Publication Number Publication Date
CN113949566A true CN113949566A (en) 2022-01-18

Family

ID=79331018

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111206702.1A Pending CN113949566A (en) 2021-10-15 2021-10-15 Resource access method, device, electronic equipment and medium

Country Status (1)

Country Link
CN (1) CN113949566A (en)

Citations (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20170118196A1 (en) * 2015-10-23 2017-04-27 Oracle International Corporation Enforcing server authentication based on a hardware token
US20170134370A1 (en) * 2015-11-05 2017-05-11 Red Hat, Inc. Enabling single sign-on authentication for accessing protected network services
US20170155647A1 (en) * 2015-11-26 2017-06-01 Commissariat A L'energie Atomique Et Aux Energies Alternatives Method for setting up a secure end-to-end communication between a user terminal and a connected object
CN106850699A (en) * 2017-04-10 2017-06-13 中国工商银行股份有限公司 A kind of mobile terminal login authentication method and system
CN109981665A (en) * 2019-04-01 2019-07-05 北京纬百科技有限公司 Resource provider method and device, resource access method and device and system
CN109981666A (en) * 2019-04-01 2019-07-05 北京纬百科技有限公司 A kind of cut-in method, access system and access server
US20190372993A1 (en) * 2018-06-05 2019-12-05 The Toronto-Dominion Bank Methods and systems for controlling access to a protected resource
CN110661817A (en) * 2019-10-25 2020-01-07 新华三大数据技术有限公司 Resource access method and device and service gateway
US20200236102A1 (en) * 2019-01-21 2020-07-23 Microsoft Technology Licensing, Llc Client-side native application and browser identification for session control in proxy solutions
US20210067341A1 (en) * 2019-08-30 2021-03-04 Comcast Cable Communications, Llc Method and apparatus for secure token generation
CN112822675A (en) * 2021-01-11 2021-05-18 北京交通大学 MEC environment-oriented OAuth 2.0-based single sign-on mechanism
US20210288808A1 (en) * 2020-03-13 2021-09-16 Ebay Inc. Secure token refresh

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
H. N. NOURA, R. MELKI AND A. CHEHAB: "Secure and Lightweight Mutual Multi-Factor Authentication for IoT Communication Systems", 2019 IEEE 90TH VEHICULAR TECHNOLOGY CONFERENCE (VTC2019-FALL), 7 November 2019 (2019-11-07), pages 1 - 7 *
胡小舟 (Hu Xiaozhou): "A Token-Based Secure Cross-Domain Login Method and Its Implementation", 网络安全和信息化 (Network Security and Informatization), no. 08, 5 August 2021 (2021-08-05), pages 131 - 133 *

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114500054A (en) * 2022-01-27 2022-05-13 百度在线网络技术(北京)有限公司 Service access method, service access device, electronic device, and storage medium
CN114500054B (en) * 2022-01-27 2024-03-01 百度在线网络技术(北京)有限公司 Service access method, service access device, electronic device, and storage medium
CN114614996A (en) * 2022-05-12 2022-06-10 深圳市华曦达科技股份有限公司 Terminal request processing method, device and system
CN115242486A (en) * 2022-07-19 2022-10-25 阿里巴巴(中国)有限公司 Data processing method, device and computer readable storage medium
CN115242486B (en) * 2022-07-19 2024-04-19 阿里巴巴(中国)有限公司 Data processing method, device and computer readable storage medium

Similar Documents

Publication Publication Date Title
US9749292B2 (en) Selectively performing man in the middle decryption
US20150188779A1 (en) Split-application infrastructure
US9021552B2 (en) User authentication for intermediate representational state transfer (REST) client via certificate authority
US10218691B2 (en) Single sign-on framework for browser-based applications and native applications
US10320771B2 (en) Single sign-on framework for browser-based applications and native applications
CN113949566A (en) Resource access method, device, electronic equipment and medium
US10454917B2 (en) Enabling single sign-on authentication for accessing protected network services
US10262146B2 (en) Application-to-application messaging over an insecure application programming interface
US10257171B2 (en) Server public key pinning by URL
CN108322416B (en) Security authentication implementation method, device and system
US11489831B2 (en) Communication system and computer readable storage medium
CN113141365B (en) Distributed micro-service data transmission method, device, system and electronic equipment
CN107920060B (en) Data access method and device based on account
CN113094190B (en) Micro-service calling method, micro-service calling device, electronic equipment and storage medium
US11595389B1 (en) Secure deployment confirmation of IOT devices via bearer tokens with caveats
US11595215B1 (en) Transparently using macaroons with caveats to delegate authorization for access
EP3511852B1 (en) Method for providing an enhanced level of authentication related to a secure software client application that is provided, by an application distribution entity, in order to be transmitted to a client computing device; system, software client application instance or client computing device, third party server entity, and program and computer program product
US20200053059A1 (en) Secure Method to Replicate On-Premise Secrets in a Cloud Environment
CN110808993A (en) Data transmission control method, device, computer system and medium
CN114244607B (en) Single sign-on method, system, device, medium, and program
CN114826616B (en) Data processing method, device, electronic equipment and medium
US11606210B1 (en) Secure activation, service mode access and usage control of IOT devices using bearer tokens
KR102507864B1 (en) Secure instant messaging method and apparatus thereof
CN114386073A (en) Method and device for creating security certificate, electronic equipment and storage medium
CN114666119A (en) Data processing method, device, electronic equipment and medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination