CN113949566B - Resource access method, device, electronic equipment and medium - Google Patents


Info

Publication number: CN113949566B
Authority: CN (China)
Prior art keywords: server, information, gateway, resource access, private key
Legal status: Active
Application number: CN202111206702.1A
Other languages: Chinese (zh)
Other versions: CN113949566A
Inventors: 孙忠良, 王会庆, 袁翔宇, 俎旭
Current assignee: Industrial and Commercial Bank of China Ltd ICBC; ICBC Technology Co Ltd
Original assignee: Industrial and Commercial Bank of China Ltd ICBC; ICBC Technology Co Ltd

Classifications

All codes sit under H (Electricity) > H04 (Electric communication technique) > H04L (Transmission of digital information, e.g. telegraphic communication):

    • H04L63/10: Network architectures or network communication protocols for network security, for controlling access to devices or network resources
    • H04L63/0442: Network architectures or network communication protocols for network security, for providing a confidential data exchange among entities communicating through data packet networks, wherein the data content is protected (e.g. by encrypting or encapsulating the payload) and the sending and receiving network entities apply asymmetric encryption, i.e. different keys for encryption and decryption
    • H04L63/0807: Network architectures or network communication protocols for network security, for authentication of entities using tickets, e.g. Kerberos
    • H04L63/083: Network architectures or network communication protocols for network security, for authentication of entities using passwords
    • H04L9/3247: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; network security protocols including means for verifying the identity or authority of a user of the system or for message authentication (e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials), involving digital signatures

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The disclosure provides a resource access method, a resource access device, electronic equipment and a medium. The resource access method and device can be used in the financial field or the information security technical field, for example for security authentication in resource access. The method comprises the following steps: a first server receives a request message from a client; the first server carries out a first signature on the request message to generate first signature verification information, and the first signature verification information and the request message jointly form first request information; the first server encrypts the first request information to generate a ciphertext; the gateway decrypts the first request information to obtain the request message and the first signature verification information; the gateway checks the first signature verification information; if the check passes, the gateway carries out a second signature on the request message to generate second signature verification information; the second server verifies the second signature verification information; and if the verification passes, a resource access address is acquired based on the second server.

Description

Resource access method, device, electronic equipment and medium
Technical Field
The present disclosure relates to the field of information security technologies, and in particular, to a method, an apparatus, an electronic device, and a medium for accessing resources.
Background
Currently, a security authentication procedure is required for the access manner in which a resource server is requested to provide a static resource, for example in a scenario where a resource caller system accesses a protected resource on a resource server of a resource provider. The same is true for page services (e.g., H5) provided by the resource provider. At present there is no complete security authentication process in the industry: the problem is conventionally solved by the resource caller logging into the resource provider's system, and another scheme is to let the resource caller access the resource provider's information with an open authorization token based on OAuth 2.0 (Authorization Framework RFC 6759).
In implementing the concepts of the present disclosure, the inventors found that at least the following problems exist in the prior art:
Whether the security authentication is based on login or on time-limited tokens, each resource provider needs to develop its own authentication service, and the authentication mechanism has no universality.
Disclosure of Invention
In view of this, embodiments of the present disclosure provide a resource access method, apparatus, electronic device, and medium.
One aspect of the present disclosure provides a resource access method, including: a first server receives a request message from a client; the first server carries out a first signature on the request message based on a first private key and generates first signature verification information, wherein the first signature verification information and the request message jointly form first request information; the first server encrypts the first request information based on a first public key to generate a ciphertext; the gateway decrypts the first request information based on a second private key to obtain the request message and the first signature verification information; the gateway performs a first verification of the first signature verification information based on a second public key; if the first verification passes, the gateway carries out a second signature on the request message based on a third private key and generates second signature verification information; the second server performs a second verification of the second signature verification information based on a third public key; if the second verification passes, a resource access address is acquired based on the second server. The first private key is matched with the second public key; the first public key is matched with the second private key; the third private key is matched with the third public key.
In some embodiments, the decryption and the first verification are performed based on an automatic submission form technique; the second check is performed based on a page redirection technique.
In some embodiments, the decrypting and first verifying based on the automatic submission form technique includes: after generating a ciphertext, the first server generates first automatic submission form information based on the ciphertext, wherein the first automatic submission form information comprises a request URL, and the request URL is a gateway service address; the first server returns the first automatic submission form information to the client; the client loads and renders a first automatic submission form, and requests the gateway service, wherein the gateway service comprises decryption and first verification.
In some embodiments, performing the second check based on the page redirection technique further comprises: after generating second signature verification information, the gateway modifies a request URL in the first automatic submission form information into a second server service address, and generates second automatic submission form information, wherein the second automatic submission form information comprises a state control code, and the state control code is used for controlling page redirection; the gateway returns the second automatic submission form information to the client; and the client loads and renders a second automatic submission form, and performs page skip according to the redirection address to request a second server service, wherein the second server service comprises a second check.
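As an added illustration of the automatic submission form and page redirection embodiments above (example code written for this page, not code from the patent or its assignee), the following Go program models the "automatic submission form information" as a request URL plus hidden fields, renders it with html/template so that every field value is escaped for its context, and applies the gateway's conversion step. The field names (ciphertext, message, signature, state), the URLs, the base64 values and the state control code are assumptions: the patent only says that the second form points at the second server and carries a state control code.

```go
package main

import (
	"bytes"
	"fmt"
	"html/template"
	"sort"
)

// AutoSubmitForm models the patent's "automatic submission form information": the request
// URL the form posts to and the hidden fields it carries (field names are this example's choice).
type AutoSubmitForm struct {
	Action string            // request URL: the gateway service address, later the second server address
	Fields map[string]string // hidden fields such as the ciphertext or the state control code
}

type field struct{ Name, Value string }

// formTmpl renders a form the browser submits as soon as the page loads. html/template escapes
// every value for its context, so a field value containing quotes or angle brackets cannot break
// out of its attribute, and an action URL whose scheme is not http, https or mailto is replaced
// by the inert "#ZgotmplZ" marker instead of being emitted.
var formTmpl = template.Must(template.New("form").Parse(
	`<!doctype html><html><body onload="document.forms[0].submit()">
<form method="post" action="{{.Action}}">
{{range .Fields}}<input type="hidden" name="{{.Name}}" value="{{.Value}}">
{{end}}<noscript><button type="submit">Continue</button></noscript>
</form></body></html>
`))

// Render produces the HTML page that is returned to the client for loading and rendering.
func (f AutoSubmitForm) Render() (string, error) {
	names := make([]string, 0, len(f.Fields))
	for n := range f.Fields {
		names = append(names, n)
	}
	sort.Strings(names) // stable field order makes the output reproducible
	fields := make([]field, 0, len(names))
	for _, n := range names {
		fields = append(fields, field{n, f.Fields[n]})
	}
	var buf bytes.Buffer
	err := formTmpl.Execute(&buf, struct {
		Action string
		Fields []field
	}{f.Action, fields})
	return buf.String(), err
}

// FirstServerForm is the first server's step: the ciphertext (already base64-encoded by the
// caller of this function) is placed in a form whose request URL is the gateway service address.
func FirstServerForm(gatewayURL, ciphertextB64 string) AutoSubmitForm {
	return AutoSubmitForm{Action: gatewayURL, Fields: map[string]string{"ciphertext": ciphertextB64}}
}

// GatewayRewrite is the gateway's conversion step after the first verification and second
// signature: the request URL becomes the second server's address and a state control code is
// added to drive the page redirection. Replacing the ciphertext with the request message and
// the second signature verification information is this example's assumption about what the
// second server needs; the patent only names the URL change and the state control code.
// The input form is not mutated.
func GatewayRewrite(in AutoSubmitForm, secondServerURL, message, secondSigB64, stateCode string) AutoSubmitForm {
	out := AutoSubmitForm{Action: secondServerURL, Fields: make(map[string]string, len(in.Fields)+3)}
	for k, v := range in.Fields {
		if k != "ciphertext" {
			out.Fields[k] = v
		}
	}
	out.Fields["message"] = message
	out.Fields["signature"] = secondSigB64
	out.Fields["state"] = stateCode
	return out
}

func main() {
	// Constructed sample values; in the real flow the ciphertext comes from the first server.
	first := FirstServerForm("https://gateway.example/auth", "QUJDRA==")
	page, _ := first.Render()
	fmt.Println(page)
	second := GatewayRewrite(first, "https://provider.example/verify", "report/q3", "U0lH", "redirect")
	page, _ = second.Render()
	fmt.Println(page)
}
```

Rendering through html/template rather than string concatenation is the point of this example: the ciphertext and the state control code arrive from another party and are reflected into HTML that the user's browser executes, so contextual escaping of both the field values and the action URL is what keeps the redirection hop from becoming an injection point.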
In some embodiments, after the obtaining, based on the second server, a resource access address, the method further includes: the second server returns the resource access address to the client; and the client accesses the resource access address to acquire the resource.
In some embodiments, the first server comprises an API caller backend server; the gateway comprises an API gateway; the second server includes an API provider backend server.
In some embodiments, the first server holds the first private key and the second public key, the gateway holds the second private key, the first public key, and the third private key, and the second server holds the third public key.
Another aspect of the present disclosure provides a resource access system, including: the system comprises a first server, a gateway and a second server, wherein the first server is configured to receive a request message from a client; carrying out first signature on the request message based on a first private key, and generating first signature verification information; encrypting the first request information based on a first public key to generate a ciphertext, wherein the first signature verification information and the request message jointly form the first request information; the gateway is configured to decrypt the first request information based on a second private key, and acquire the request message and the first signature verification information; performing a first verification of the first signature verification information based on the second public key; if the first verification is passed, carrying out second signature on the request message based on a third private key, and generating second signature verification information; the second server is configured to perform second verification on the second signature verification information based on a third public key, and if the second verification passes, a resource inquiry address is acquired based on the second server, wherein the first private key is matched with the second public key; the first public key is matched with the second private key; the third private key matches the third public key.
In some embodiments, the first server comprises: the first acquisition module is configured to receive a request message from a client; the first computing module is configured to carry out first signature on the request message based on a first private key and generate first signature verification information; and the second calculation module is configured to encrypt the first request information based on the first public key and generate ciphertext.
In some embodiments, the gateway comprises: the decryption module is configured to decrypt the first request information based on the second private key to obtain the request message and the first signature verification information; a first verification module configured to perform a first verification of the first signature verification information based on the second public key; and the third calculation module is configured to perform second signature on the request message based on a third private key and generate second signature verification information.
In certain embodiments, the second server comprises: the second verification module is configured to carry out second verification on the second signature verification information; and a second acquisition module configured to acquire a resource access address if the second check passes.
In certain embodiments, the first server further comprises: a first generation module configured to generate first automatic submission form information based on the ciphertext; and the first return module returns the first automatic submission form information to the client.
In some embodiments, the gateway further comprises: a third obtaining module configured to obtain a first automatic submission form from the client; the conversion module is configured to modify a request URL in the first automatic submission form information into a second server service address and generate second automatic submission form information, wherein the second automatic submission form information comprises a state control code, and the state control code is used for controlling page redirection; and the second returning module is configured to return the second automatic submission form information to the client.
In certain embodiments, the second server further comprises a fourth acquisition module configured to acquire a second automatic submission form from the client.
Another aspect of the present disclosure provides an electronic device comprising one or more processors and a storage device for storing executable instructions that, when executed by the processors, implement the method as described above.
Another aspect of the present disclosure provides a computer-readable storage medium storing computer-executable instructions that, when executed, are configured to implement a method as described above.
Another aspect of the present disclosure provides a computer program product comprising a computer program comprising computer executable instructions which, when executed, are for implementing a method as described above.
The resource access method provided by the embodiment of the disclosure overcomes the defects in the aspect of security authentication technology when the resource caller system accesses the resource of the resource provider in the prior art, and provides a universal, safe and easy-to-use resource service authentication calling mechanism based on a gateway architecture.
Drawings
The above and other objects, features and advantages of the present disclosure will become more apparent from the following description of embodiments thereof with reference to the accompanying drawings in which:
fig. 1 schematically illustrates the authentication process of an OAuth 2.0 open authorization solution.
Fig. 2 schematically illustrates an exemplary system architecture to which the methods, apparatuses may be applied according to embodiments of the present disclosure.
Fig. 3 schematically illustrates a flow chart of a resource access method according to an embodiment of the disclosure.
Fig. 4 schematically illustrates a flow chart of a method of performing the decryption and the first verification based on an automatic submission form technique according to another embodiment of the present disclosure.
Fig. 5 schematically illustrates a flow chart of a method of performing the second check based on a page redirection technique in accordance with another embodiment of the present disclosure.
Fig. 6 schematically illustrates a flowchart of a method for resource access based on a second server according to an embodiment of the disclosure.
Fig. 7 schematically illustrates an architecture of a resource access system according to an embodiment of the present disclosure.
Fig. 8 schematically illustrates a block diagram of a first server according to an embodiment of the present disclosure.
Fig. 9 schematically shows a block diagram of a gateway according to an embodiment of the present disclosure.
Fig. 10 schematically illustrates a block diagram of a second server according to an embodiment of the present disclosure.
Fig. 11 schematically illustrates a block diagram of a first server according to another embodiment of the present disclosure.
Fig. 12 schematically shows a block diagram of a gateway according to another embodiment of the present disclosure.
Fig. 13 schematically illustrates a block diagram of a second server according to another embodiment of the present disclosure.
Fig. 14 schematically illustrates a block diagram of an electronic device according to an embodiment of the disclosure.
Detailed Description
Hereinafter, embodiments of the present disclosure will be described with reference to the accompanying drawings. It should be understood that the description is only exemplary and is not intended to limit the scope of the present disclosure. In the following detailed description, for purposes of explanation, numerous specific details are set forth in order to provide a thorough understanding of the embodiments of the present disclosure. It may be evident, however, that one or more embodiments may be practiced without these specific details. In addition, in the following description, descriptions of well-known structures and techniques are omitted so as not to unnecessarily obscure the concepts of the present disclosure.
The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the disclosure. The terms "comprises," "comprising," and/or the like, as used herein, specify the presence of stated features, steps, operations, and/or components, but do not preclude the presence or addition of one or more other features, steps, operations, or components.
Where a formulation similar to at least one of "A, B or C, etc." is used, in general such a formulation should be interpreted in accordance with the ordinary understanding of one skilled in the art (e.g. "a system with at least one of A, B or C" would include but not be limited to systems with a alone, B alone, C alone, a and B together, a and C together, B and C together, and/or A, B, C together, etc.). The terms "first," "second," and the like, are used for descriptive purposes only and are not to be construed as indicating or implying relative importance or implicitly indicating the number of technical features indicated. Thus, a feature defining "a first" or "a second" may explicitly or implicitly include one or more of the described features.
At present, static resources are accessed from the PC end and the mobile end (iOS, Android) by configuring the resource information into a dynamic/static resource server, informing the front end of the resource path, and acquiring the required resource through that request path. For this access mode, in which the resource server is requested to provide a static resource, the industry has no standard secure calling mechanism, and some page services even interact with the service side directly through the user's browser, so that security may be absent entirely.
According to the current prior art, one implementation scheme is to implement identity authentication through the account system of the resource service provider, but this calling mechanism is very invasive. Another solution is OAuth 2.0 (Authorization Framework RFC 6759) open authorization, which provides a secure authentication procedure in which the user provides a token instead of a username and password so that the resource caller can access the resource provider's information. In this authentication process, each resource provider needs to develop an authentication service, and the resource caller must first acquire an authorization code and an access token, then carry the access token when requesting a service resource from the resource provider. Obviously, this flow has the defects of multiple interactions, poor universality and the like.
The embodiment of the disclosure provides a resource access method, a device, electronic equipment and a medium. The resource access method comprises the following steps: a first server receives a request message from a client; the first server carries out a first signature on the request message based on a first private key and generates first signature verification information, wherein the first signature verification information and the request message jointly form first request information; the first server encrypts the first request information based on a first public key to generate a ciphertext; the gateway decrypts the first request information based on a second private key to obtain the request message and the first signature verification information; the gateway performs a first verification of the first signature verification information based on a second public key; if the first verification passes, the gateway carries out a second signature on the request message based on a third private key and generates second signature verification information; the second server performs a second verification of the second signature verification information based on a third public key; and if the second verification passes, a resource access address is acquired based on the second server. The first private key is matched with the second public key; the first public key is matched with the second private key; the third private key is matched with the third public key. In some preferred embodiments, to further reduce user interaction and improve user experience, the decryption and first verification may be performed based on an automatic submission form technique, and the second check may be based on a page redirection technique.
At the technical level, the resource access method provided by the embodiment of the disclosure signs and encrypts the request information based on an asymmetric encryption algorithm, so that bidirectional verification of the access request is achieved and the real address of the resource provider's resource service is hidden behind the gateway; at the business level, a dual authentication mechanism is realized in which the gateway authenticates the third-party caller and the resource provider authenticates the gateway, which further improves the security of the calling mechanism. In the method of the embodiment of the disclosure, unified security authentication of the caller's identity is realized at the gateway, with zero intrusion of the caller into the provider, so the workload of developing authentication services is reduced. Furthermore, once automatic form submission, page redirection and similar techniques are introduced and combined with the gateway architecture, a calling mechanism is obtained in which the user can access the resource provider's resource service in a single service request without being aware of it.
It should be noted that the resource access method, device, system and electronic equipment provided by the embodiment of the disclosure can be used for information security technology in the aspect of resource access security authentication, and can also be used in various fields other than information security technology, such as the financial field. The application fields of the resource access method, device, system and electronic equipment provided by the embodiment of the disclosure are not limited.
The above-described operations for accomplishing at least one object of the present disclosure will be described below in conjunction with the accompanying drawings and their description.
In a typical scenario, when a resource caller, such as a third-party API caller system, accesses a resource provider, such as a protected resource on an API provider's resource server, a security authentication procedure is required; the same holds for the page service (e.g., H5) provided by the API provider. There is no complete security authentication procedure in the industry. According to the current prior art, the conventional method is for the API caller to log in to the API provider's system, but that authentication mechanism has no universality. In one solution, OAuth 2.0 (Authorization Framework RFC 6759) open authorization, the user is allowed to provide a token instead of a username and password to let a third-party API caller access the API service provider's information.
Fig. 1 schematically illustrates the authentication process of an OAuth 2.0 open authorization solution.
As shown in fig. 1, in this authentication flow the user first accesses the client, which directs the user to the authentication server. The user chooses whether to grant authorization to the client. Assuming the user grants it, the authentication server directs the user to a redirect URI previously specified by the client, with an authorization code attached. The client receives the authorization code and, together with the earlier redirect URI, applies to the authentication server for a token. This happens on the client's backend server and is invisible to the user. The authentication server checks the authorization code and the redirect URI and, after confirming that there is no error, sends an access token and a refresh token to the client.
As can be seen from the above flow, each API provider needs to develop an authentication service, and an API caller needs to first obtain an authorization code and an Access token, and then carry the Access token to request a service resource provided by the API provider. Obviously, the flow has the defects of multiple interactions, poor universality and the like.
Therefore, a new security authentication method is needed to overcome the problem in the prior art that each resource provider must develop its own authentication service, which is not universal. Furthermore, the new security authentication method is expected to solve the problems of high data transmission cost, tedious flow and poor user experience caused by multiple interactions.
Fig. 2 schematically illustrates an exemplary system architecture to which the resource access methods and apparatuses according to embodiments of the present disclosure may be applied. It should be noted that fig. 2 is only an example of a system architecture to which embodiments of the present disclosure may be applied, intended to help those skilled in the art understand the technical content of the present disclosure; it does not mean that embodiments of the present disclosure cannot be used in other devices, systems, environments or scenarios.
As shown in fig. 2, the system architecture 200 according to this embodiment may include terminal devices 201, 202, 203, a network 204, and a resource access system 205. The network 204 is used as a medium for providing communication links between the terminal devices 201, 202, 203 and the resource access system 205. The network 204 may include various connection types, such as wired, wireless communication links, or fiber optic cables, among others.
A user may interact with the resource access system 205 through the network 204 using the terminal devices 201, 202, 203 to receive or transmit information. The terminal devices 201, 202, 203 may have an access request function and an instruction transmission function, such as requesting the first server to provide a service. They may also communicate with the resource access system 205 and transmit data in order to finally acquire resources. In addition, various communication client applications, such as shopping applications, web browsers, search applications, instant messaging tools, mail clients, social platform software and the like, may be installed on the terminal devices 201, 202, 203 (as examples only).
Terminal devices 201, 202, 203 include, but are not limited to, smartphones, tablets, laptop portable computers, and the like.
The resource access system 205 may parse the user information data set to obtain the user's service request, perform security authentication on that request, and provide a resource access service. The resource access system 205 may include database servers, background management servers, server clusters, and the like. The background management server can analyze and process received data such as user requests and feed the results back to the terminal devices. The resource access system can also include a gateway that implements the system's security authentication, provides a unified resource access entry, and manages service calls among the service ports within the resource access system.
It should be understood that the number of terminal devices, networks, resource access systems is merely illustrative. There may be any number of terminal devices, networks, number of resource access systems, as desired for implementation.
Fig. 3 schematically illustrates a flow chart of a resource access method according to an embodiment of the disclosure.
As shown in fig. 3, the method may include operations S301 to S310.
In operation S301, a first server receives a request message from a client.
According to embodiments of the present disclosure, the client may be a browser or a mobile terminal application, such as a mobile APP. The request message may be used to request the first server to provide access to the resource service.
In operation S302, the first server performs a first signature on the request message based on a first private key, and generates first signature verification information, where the first signature verification information and the request message together form first request information.
In operation S303, the first server encrypts the first request information based on the first public key, and generates a ciphertext.
According to an embodiment of the present disclosure, the first server may be a back-end server of the resource caller, for example, may be an API caller back-end server, which may integrate different services into its own system, and even derive new services.
In an embodiment of the present disclosure, the first request information is signed and encrypted using an asymmetric encryption algorithm. In asymmetric encryption there are two kinds of keys, a private key and a public key. The private key is held by the owner of the key pair and is never published; the public key is published by the key pair holder to others. The private key is used to sign data, and data signed with the private key can only be verified with the public key. Signing means that the message sender encrypts the text to be transmitted with the private key of the key pair; the resulting ciphertext is called the signature information (verification information) during the request, and the signature lets the message receiver confirm the identity of the sender. Verification means that the message receiver, on obtaining the transmitted text, needs to verify the identity of the sender: it decrypts the signature with the public key of the key pair and checks the signature information, and once the check passes the identity of the sender is authenticated. The public key, on the other hand, is used to encrypt data, and data encrypted with the public key can only be decrypted with the private key. Encryption transforms the data (plaintext) through an encryption algorithm and the public key, and decryption recovers the plaintext from the data (ciphertext) through a decryption algorithm and the private key. Applying signing and encryption together ensures the security of the message, preventing it from being tampered with or leaked.
According to the embodiment of the disclosure, the first server may generate a public/private key pair in advance, for example when the third-party API caller back-end server registers on the API gateway. The first private key is held by the first server and is used to sign the request message; because only the first server holds the first private key, the first signature verification information cannot be forged, which prevents the request message from being tampered with.
In operation S304, the gateway decrypts the first request information based on the second private key, and obtains the request message and the first signature verification information.
According to an embodiment of the present disclosure, the first public key is matched with the second private key. The gateway may be an API gateway, the only entrance to the resource service system: all requests from third-party API callers must be forwarded through it to be routed to the API provider. The API gateway encapsulates and protects the internal structure of the API provider and provides unified services for each API provider, and many functions can be extracted from the API provider and implemented on the gateway. The first public key and the second private key may be a key pair pre-generated by the gateway; the gateway holds the second private key and transmits the first public key to the first server. Because the second private key is held only by the gateway, only the gateway's private key can decrypt the first request information, which prevents the content of the first request information from being disclosed.
In operation S305, the gateway performs a first verification of the first signature verification information based on the second public key.
According to an embodiment of the present disclosure, the first private key is matched with the second public key, and the first server communicates the second public key to the gateway. The gateway first decrypts the first request information, obtaining the plaintext, namely the request message and the first signature verification information. The gateway then verifies the first signature verification information with the second public key; if the verification fails, the request is an illegal access. If the verification passes, the sender of the request message is confirmed and the request message is confirmed not to have been tampered with.
In operation S306, it is determined whether the first check passes.
In operation S307, if the first verification passes, the gateway performs a second signature on the request message based on a third private key, and generates second signature verification information.
In operation S308, the second server performs a second verification of the second signature verification information based on the third public key.
In an embodiment of the disclosure, the second server may be a back-end server of the resource owner, for example an API provider back-end server, which provides services inside a platform or system (including page services) to third-party API callers by way of a RESTful API. The gateway may pre-generate a third private key / third public key pair, where the third private key is held only by the gateway and the third public key is passed by the gateway to the second server. The gateway signs the request message a second time with the third private key to obtain the second signature verification information. Because only the gateway holds the third private key, the second signature verification information cannot be forged, which prevents the request message from being tampered with. The second server verifies the second signature verification information with the third public key; if the verification fails, the request is an illegal access. If the verification passes, the sender of the request message is confirmed and the request message is confirmed not to have been tampered with.
In operation S309, it is determined whether the second check is passed.
In operation S310, if the second check passes, a resource access address is acquired based on the second server.
According to the embodiment of the disclosure, after both verifications pass, the double security authentication is complete, and the second server can return a resource access address based on the request message, providing the client with the real access address of the resource. The real access address of the resource may be provided by a resource provider such as an API provider web server. Because the security authentication has passed, the gateway no longer takes part in subsequent interactions, and the user interacts with the API provider's page service through the client.
According to the method provided by the embodiment of the disclosure, the request information is signed and encrypted with an asymmetric encryption algorithm, which realizes bidirectional verification of the access request, and the real address of the resource provider's resource service is hidden behind the gateway. The system design for unified-entry security authentication based on the gateway can be built on Spring Cloud Gateway, which offers functions such as access control, load balancing, hiding the server-side IP, and security authentication; it is non-intrusive to the resource provider and reduces the work of developing an authentication service. The dual authentication process, in which the gateway authenticates the resource caller and the resource provider authenticates the gateway, is realized at the service level and further improves the security of the calling mechanism.
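The key roles of the asymmetric signing and encryption explanation above and the exchange of operations S301 to S310, carried through as a runnable Go example. This is added here and is not code from the patent or its assignee. The function names (GenerateKeys, FirstServerPrepare, GatewayProcess, SecondServerProcess), the request message "orders/list" and the provider.example address are this example's own assumptions, and so are the algorithm choices: Ed25519 for the three signing operations and RSA-OAEP for the encryption step, which the patent does not specify.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Keys follows the patent's naming: first private / second public key is the
// first server's signing pair, first public / second private key is the
// gateway's encryption pair, and the third pair is the gateway's signing pair.
// Ed25519 and RSA-OAEP are this example's own choices, not the patent's.
type Keys struct {
	FirstPriv  ed25519.PrivateKey // first server signs (S302)
	SecondPub  ed25519.PublicKey  // gateway verifies (S305)
	FirstPub   *rsa.PublicKey     // first server encrypts (S303)
	SecondPriv *rsa.PrivateKey    // gateway decrypts (S304)
	ThirdPriv  ed25519.PrivateKey // gateway re-signs (S307)
	ThirdPub   ed25519.PublicKey  // second server verifies (S308)
}

// GenerateKeys stands in for the registration step that creates the pairs.
func GenerateKeys() (*Keys, error) {
	secondPub, firstPriv, err1 := ed25519.GenerateKey(rand.Reader)
	thirdPub, thirdPriv, err2 := ed25519.GenerateKey(rand.Reader)
	secondPriv, err3 := rsa.GenerateKey(rand.Reader, 2048)
	if err1 != nil || err2 != nil || err3 != nil {
		return nil, errors.New("key generation failed")
	}
	return &Keys{firstPriv, secondPub, &secondPriv.PublicKey, secondPriv, thirdPriv, thirdPub}, nil
}

// FirstServerPrepare performs S302 (sign) and S303 (encrypt). The first request
// information is the request message followed by its 64-byte signature. With a
// 2048-bit key and SHA-256, RSA-OAEP accepts at most 190 bytes of plaintext, so a
// longer request message would need a symmetric key wrapped by RSA instead.
func FirstServerPrepare(k *Keys, msg []byte) ([]byte, error) {
	firstRequest := append(append([]byte{}, msg...), ed25519.Sign(k.FirstPriv, msg)...)
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, k.FirstPub, firstRequest, nil)
}

// GatewayProcess performs S304 (decrypt), S305/S306 (first verification) and
// S307 (second signature). Any error means the request is rejected.
func GatewayProcess(k *Keys, ciphertext []byte) (msg, secondSig []byte, err error) {
	plain, err := rsa.DecryptOAEP(sha256.New(), nil, k.SecondPriv, ciphertext, nil)
	if err != nil {
		return nil, nil, err // altered in transit, or not encrypted to the gateway
	}
	n := len(plain) - ed25519.SignatureSize
	if n < 0 || !ed25519.Verify(k.SecondPub, plain[:n], plain[n:]) {
		return nil, nil, errors.New("first verification failed: illegal access")
	}
	return plain[:n], ed25519.Sign(k.ThirdPriv, plain[:n]), nil
}

// SecondServerProcess performs S308/S309 (second verification) and S310; the
// resource access address it returns is a constructed placeholder.
func SecondServerProcess(k *Keys, msg, secondSig []byte) (string, error) {
	if !ed25519.Verify(k.ThirdPub, msg, secondSig) {
		return "", errors.New("second verification failed: illegal access")
	}
	return "https://provider.example/" + string(msg), nil
}

func main() {
	k, err := GenerateKeys()
	if err != nil {
		panic(err)
	}
	ct, err := FirstServerPrepare(k, []byte("orders/list"))
	if err != nil {
		panic(err)
	}
	msg, sig, err := GatewayProcess(k, ct)
	if err != nil {
		panic(err)
	}
	fmt.Println(SecondServerProcess(k, msg, sig))
}
```

Three failure paths matter for a defender reading this: a ciphertext altered in transit is rejected at S304 because OAEP decoding fails; a message signed with a private key whose public half the gateway does not hold fails S305, even though it was correctly encrypted to the gateway; and a second signature not produced with the gateway's third private key fails S308 at the second server, which is what stops the caller from reaching the provider's address while bypassing the gateway.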
In other embodiments, the decryption and the first verification may be performed based on an automatic form submission technique, and the second verification may be based on a page redirection technique.
According to the embodiment of the disclosure, the automatic form submission technique is a piece of HTML code that triggers an automatic submission when a client, such as a browser or a mobile phone App, loads and renders the web page, requesting the address specified in the form with the request parameters. Redirection (Redirect) means forwarding a network request to another location by one of several methods. The browser or mobile App receives an HTTP data stream in response to its request; the stream includes a status code whose value is defined by the HTTP protocol, and the browser or mobile App acts according to the content of the HTTP data stream. The "HTTP stream" information referred to here is also called header information. The header includes the date, the server type, and usually a "200 OK" line. If everything is in order, the web server sends the "200 OK" message and the requested page. If the site has set up a redirect, the server instead includes a response such as "302 Moved Temporarily" or "301 Moved Permanently" in the header.
According to the embodiment of the disclosure, by introducing automatic form submission, page redirection and similar techniques into the gateway architecture, the resource provider's resource service calling mechanism can be reached with a single service request without the user noticing, which reduces the interaction between the user and the system and improves the user experience.
Fig. 4 schematically illustrates a flow chart of a method of performing the decryption and the first verification based on an automatic form submission technique according to another embodiment of the present disclosure.
As shown in fig. 4, the method may include operations S401 to S403.
In operation S401, after generating the ciphertext, the first server generates first automatic submission form information based on the ciphertext, where the first automatic submission form information includes a request URL, and the request URL is the gateway service address.
In operation S402, the first server returns the first automatic submission form information to the client.
In operation S403, the client loads and renders the first automatic submission form and requests the gateway service, where the gateway service includes the decryption and the first verification.
According to another embodiment of the present disclosure, the generated first automatic submission form information is HTML form information containing the signature; once it is returned to the client, the client is triggered to load and render the first automatic submission form containing the signature automatically and to request the gateway service. This process does not require the user to re-submit the service request manually.
Fig. 5 schematically illustrates a flow chart of a method of performing the second check based on a page redirection technique in accordance with another embodiment of the present disclosure.
As shown in fig. 5, the method may include operations S501 to S503.
In operation S501, after generating the second signature verification information, the gateway modifies the request URL in the first automatic submission form information to the second server service address and generates second automatic submission form information, where the second automatic submission form information includes a state control code used to control the page redirection.
In operation S502, the gateway returns the second automatic submission form information to the client.
In operation S503, the client loads and renders the second automatic submission form and performs a page jump according to the redirection address, requesting the second server service, where the second server service includes the second verification.
According to another embodiment of the present disclosure, the request URL in the automatically submitted HTML form information may be modified by the API gateway to the page service address of the API provider's back-end service, with page redirection controlled by returning a 302 or 307 HTTP status code. After loading and rendering the automatically submitted HTML form, the client performs a page jump according to the redirection address, that is, it requests the API provider's back-end service. The user does not need to re-submit the service request manually, so the security authentication completes without the user noticing and the resource provider's resource service is obtained; afterwards the client interacts directly with the resource provider, which reduces the interaction flow between the user and the system, improves the efficiency of data acquisition, and enhances the user experience.
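The automatic submission form of operations S401 to S403 and the gateway's rewriting of it toward the second server in S501 to S503, as an added Go example that is not the patent's own code. The gateway.example and provider.example addresses, the field names ciphertext, msg and sig, and the Verifier callback that stands in for the gateway's decryption and signature steps are assumptions of this example.

```go
package main

import (
	"encoding/base64"
	"fmt"
	"html/template"
	"net/http"
	"sort"
	"strings"
)

// Constructed placeholder addresses for the gateway service (S401) and the
// second server's page service (S501).
const (
	GatewayAddr      = "https://gateway.example/auth"
	SecondServerAddr = "https://provider.example/page"
)

// The form submits itself as soon as the page loads (S403, S503), with a
// fallback button when scripts are disabled. html/template escapes each value
// for its context, so a field value cannot break out of its attribute, and an
// unsafe action such as a javascript: URL is replaced by "#ZgotmplZ".
var formTmpl = template.Must(template.New("form").Parse(
	`<!DOCTYPE html><html><body onload="document.forms[0].submit()">` +
		`<form method="POST" action="{{.Action}}">{{range .Fields}}` +
		`<input type="hidden" name="{{.Name}}" value="{{.Value}}">{{end}}` +
		`<noscript><button type="submit">Continue</button></noscript>` +
		`</form></body></html>`))

type field struct{ Name, Value string }

// AutoSubmitForm renders the automatic submission form information; fields are
// written in name order so the output is stable.
func AutoSubmitForm(action string, fields map[string]string) (string, error) {
	var fs []field
	for name, value := range fields {
		fs = append(fs, field{name, value})
	}
	sort.Slice(fs, func(i, j int) bool { return fs[i].Name < fs[j].Name })
	var sb strings.Builder
	err := formTmpl.Execute(&sb, struct {
		Action string
		Fields []field
	}{action, fs})
	return sb.String(), err
}

// FirstServerResponse is S401/S402: the ciphertext travels to the gateway as a
// hidden field. Base64url keeps the value free of characters that the HTML or
// form encoders would otherwise have to escape.
func FirstServerResponse(ciphertext []byte) (string, error) {
	return AutoSubmitForm(GatewayAddr, map[string]string{
		"ciphertext": base64.RawURLEncoding.EncodeToString(ciphertext),
	})
}

// Verifier stands in for the gateway's decryption, first verification and
// second signature (S304 to S307); it returns the request message and the
// second signature verification information, or ok=false.
type Verifier func(ciphertext []byte) (msg, secondSig []byte, ok bool)

// GatewayHandler is S501/S502: the form's request URL is rewritten to the
// second server address and the second signature is added as a field. A 3xx
// status with a Location header would make the browser discard this body, so
// the page is sent with 200 and the form's own submit performs the jump. A
// deployment that redirects with Location instead must use 307 (or 308): a 302
// lets browsers replay the POST as a GET and drop the form body.
func GatewayHandler(verify Verifier) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		if r.Method != http.MethodPost {
			http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
			return
		}
		ct, err := base64.RawURLEncoding.DecodeString(r.FormValue("ciphertext"))
		if err != nil {
			http.Error(w, "bad request", http.StatusBadRequest)
			return
		}
		msg, sig, ok := verify(ct)
		if !ok { // first verification failed: illegal access, no second form
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		form, err := AutoSubmitForm(SecondServerAddr, map[string]string{
			"msg": base64.RawURLEncoding.EncodeToString(msg),
			"sig": base64.RawURLEncoding.EncodeToString(sig),
		})
		if err != nil {
			http.Error(w, "internal error", http.StatusInternalServerError)
			return
		}
		w.Header().Set("Content-Type", "text/html; charset=utf-8")
		w.Header().Set("Cache-Control", "no-store") // signed material must not be cached
		fmt.Fprint(w, form)
	}
}

func main() {
	form, err := FirstServerResponse([]byte("ciphertext bytes from S303"))
	if err != nil {
		panic(err)
	}
	fmt.Println(form)
}
```

The handler refuses anything but a POST, returns 403 with no second form when the Verifier rejects the ciphertext, and marks the page no-store so the signed fields are not retained by intermediate caches. AutoSubmitForm is shared by both servers because the second form differs from the first only in its action and fields.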
Fig. 6 schematically illustrates a flowchart of a method for resource access based on a second server according to an embodiment of the disclosure.
As shown in fig. 6, the method may include operations S601 to S602.
In operation S601, the second server returns the resource access address to the client.
In operation S602, the client accesses the resource access address and obtains a resource.
Another aspect of the present disclosure provides a resource access system.
Fig. 7 schematically illustrates an architecture of a resource access system 700 according to an embodiment of the disclosure.
As shown in fig. 7, a resource access system 700 of an embodiment of the present disclosure includes a first server 701, a gateway 702, and a second server 703.
The first server 701 may be a back-end server of a resource caller, for example, may be an API caller back-end server, which may integrate different services into its own system, and even derive new services. The first server 701 is configured to receive a request message from a client; carrying out first signature on the request message based on a first private key, and generating first signature verification information; and encrypting the first request information based on the first public key to generate a ciphertext, wherein the first signature verification information and the request message jointly form the first request information.
Gateway 702 may be an API gateway, the only entrance to the resource service system: all requests from third-party API callers must be forwarded through it to be routed to the API provider. The API gateway encapsulates and protects the internal structure of the API provider and provides unified services for each API provider, and many functions can be extracted from the API provider and implemented on the gateway. Gateway 702 is configured to decrypt the first request information based on the second private key and obtain the request message and the first signature verification information; perform a first verification of the first signature verification information based on the second public key; and, if the first verification passes, perform a second signature on the request message based on a third private key and generate second signature verification information.
The second server 703 may be a back-end server of the resource owner, for example an API provider back-end server, which provides services inside a platform or system (including page services) to third-party API callers by way of a RESTful API. The second server 703 is configured to perform a second verification on the second signature verification information based on a third public key and, if the second verification passes, obtain a resource access address based on the second server.
According to an embodiment of the present disclosure, the first private key matches the second public key, the first public key matches the second private key, and the third private key matches the third public key. The first server may generate a public/private key pair in advance, for example when the third-party API caller back-end server registers on the API gateway; the first private key is held by the first server and is used to sign the request message. The first public key and the second private key may be a key pair pre-generated by the gateway; the gateway holds the second private key and transmits the first public key to the first server. Because the second private key is held only by the gateway, only the gateway's private key can decrypt the first request information, which prevents the content of the first request information from being disclosed. The gateway may pre-generate a third private key / third public key pair, where the third private key is held only by the gateway and the third public key is communicated by the gateway to the second server. The gateway signs the request message a second time with the third private key to obtain the second signature verification information. Because only the gateway holds the third private key, the second signature verification information cannot be forged, which prevents the request message from being tampered with.
The user accesses resources based on a resource access system constituted by the first server 701, the gateway 702, and the second server 703. The user can interact with the resource access system through the client, and the required resources are acquired under the condition of ensuring the safety of the resource provider.
Fig. 8 schematically illustrates a block diagram of a first server according to an embodiment of the present disclosure.
As shown in fig. 8, the first server 701 may include a first acquisition module 7011, a first calculation module 7012, and a second calculation module 7013.
Wherein the first obtaining module 7011 is configured to receive a request message from a client.
The first computing module 7012 is configured to generate first signature verification information by first signing the request message based on the first private key.
The second computing module 7013 is configured to encrypt the first request information based on the first public key, generating ciphertext.
Fig. 9 schematically shows a block diagram of a gateway according to an embodiment of the present disclosure.
As shown in fig. 9, the gateway 702 may include a decryption module 7021, a first authentication module 7022, and a third calculation module 7023.
The decryption module 7021 is configured to decrypt the first request information based on the second private key, and obtain the request message and the first signature verification information.
The first verification module 7022 is configured to perform a first verification of the first signature verification information based on the second public key.
The third computing module 7023 is configured to generate second signature verification information by performing a second signature on the request message based on a third private key.
Fig. 10 schematically illustrates a block diagram of a second server according to an embodiment of the present disclosure.
As shown in fig. 10, the second server 703 may include a second authentication module 7031, a second acquisition module 7032.
Wherein the second verification module 7031 is configured to perform a second verification on the second signature verification information.
The second obtaining module 7032 is configured to obtain a resource access address if the second check passes.
Fig. 11 schematically illustrates a block diagram of a first server according to another embodiment of the present disclosure.
As shown in fig. 11, the first server 701 may further include a first generation module 7014 and a first return module 7015 in addition to the first acquisition module 7011, the first calculation module 7012, and the second calculation module 7013.
Wherein the first generation module 7014 is configured to generate first automatic submission form information based on the ciphertext.
The first return module 7015 is configured to return the first automatic submission form information to the client.
Fig. 12 schematically shows a block diagram of a gateway according to another embodiment of the present disclosure.
As shown in fig. 12, the gateway 702 may further include a third acquisition module 7024, a transformation module 7025, and a second return module 7026 in addition to the decryption module 7021, the first verification module 7022, and the third calculation module 7023.
Wherein the third obtaining module 7024 is configured to obtain the first automatic submission form from the client.
The transformation module 7025 is configured to modify the request URL in the first automatic submission form information to the second server service address and generate second automatic submission form information, where the second automatic submission form information includes a state control code used to control the page redirection.
The second return module 7026 is configured to return the second automatic submission form information to the client.
Fig. 13 schematically illustrates a block diagram of a second server according to another embodiment of the present disclosure.
As shown in fig. 13, the second server 703 may include a fourth acquisition module 7033 in addition to the second authentication module 7031 and the second acquisition module 7032.
Wherein the fourth obtaining module 7033 is configured to obtain the second automatic submission form from the client.
The implementation manner, the solved technical problems, the realized functions and the realized technical effects of the modules/units/sub-units and the like in the device part embodiment are the same as or similar to the implementation manner, the solved technical problems, the realized functions and the realized technical effects of the corresponding steps in the method part embodiment.
Any number of the modules or units, or at least some of the functionality of any number of them, according to embodiments of the present disclosure may be implemented in one module. Any one or more of the modules or units according to embodiments of the present disclosure may be split into multiple modules. Any one or more of the modules or units according to embodiments of the present disclosure may be implemented at least in part as a hardware circuit, such as a Field Programmable Gate Array (FPGA), a Programmable Logic Array (PLA), a system on a chip, a system on a substrate, a system on a package, an Application Specific Integrated Circuit (ASIC), or in hardware or firmware in any other reasonable manner of integrating or packaging the circuits, or in any one of, or any suitable combination of, software, hardware, and firmware. Alternatively, one or more of the modules or units according to embodiments of the present disclosure may be at least partially implemented as computer program modules which, when executed, perform the corresponding functions.
For example, any of the first acquisition module 7011, the first calculation module 7012, the second calculation module 7013, the first generation module 7014, the first return module 7015, the decryption module 7021, the first verification module 7022, the third calculation module 7023, the third acquisition module 7024, the transformation module 7025, the second return module 7026, the second verification module 7031, the second acquisition module 7032, and the fourth acquisition module 7033 may be incorporated in one module, or any of the modules may be split into a plurality of modules. Alternatively, at least some of the functionality of one or more of the modules may be combined with, and implemented in, at least some of the functionality of other modules. According to embodiments of the present disclosure, at least one of the first acquisition module 7011, the first calculation module 7012, the second calculation module 7013, the first generation module 7014, the first return module 7015, the decryption module 7021, the first verification module 7022, the third calculation module 7023, the third acquisition module 7024, the transformation module 7025, the second return module 7026, the second verification module 7031, the second acquisition module 7032, and the fourth acquisition module 7033 may be implemented at least in part as hardware circuitry, such as a Field Programmable Gate Array (FPGA), a Programmable Logic Array (PLA), a system on a chip, a system on a package, an Application Specific Integrated Circuit (ASIC), or any other reasonable manner of integrating or packaging the circuitry, or as any one of, or a suitable combination of, software, hardware, and firmware.
Or at least one of the first acquisition module 7011, the first calculation module 7012, the second calculation module 7013, the first generation module 7014, the first return module 7015, the decryption module 7021, the first verification module 7022, the third calculation module 7023, the third acquisition module 7024, the transformation module 7025, the second return module 7026, the second verification module 7031, the second acquisition module 7032, and the fourth acquisition module 7033 may be at least partially implemented as a computer program module, which may perform a corresponding function when executed.
Fig. 14 schematically illustrates a block diagram of an electronic device according to an embodiment of the disclosure. The electronic device shown in fig. 14 is merely an example, and should not impose any limitations on the functionality and scope of use of embodiments of the present disclosure.
As shown in fig. 14, an electronic device 1400 according to an embodiment of the present disclosure includes a processor 1401 that can perform various appropriate actions and processes according to a program stored in a Read Only Memory (ROM) 1402 or a program loaded from a storage section 1408 into a Random Access Memory (RAM) 1403. The processor 1401 may include, for example, a general purpose microprocessor (e.g., a CPU), an instruction set processor and/or an associated chipset and/or a special purpose microprocessor (e.g., an Application Specific Integrated Circuit (ASIC)), or the like. The processor 1401 may also include on-board memory for caching purposes. The processor 1401 may include a single processing unit or a plurality of processing units for performing different actions of the method flows according to embodiments of the present disclosure.
In the RAM 1403, various programs and data necessary for the operation of the electronic device 1400 are stored. The processor 1401, ROM 1402, and RAM 1403 are connected to each other through a bus 1404. The processor 1401 performs various operations of the method flow according to the embodiment of the present disclosure by executing programs in the ROM 1402 and/or the RAM 1403. Note that the program may be stored in one or more memories other than the ROM 1402 and the RAM 1403. The processor 1401 may also perform various operations of the method flow according to embodiments of the present disclosure by executing programs stored in the one or more memories.
According to an embodiment of the disclosure, the electronic device 1400 may also include an input/output (I/O) interface 1405, the input/output (I/O) interface 1405 also being connected to the bus 1404. Electronic device 1400 may also include one or more of the following components connected to I/O interface 1405: an input section 1406 including a keyboard, a mouse, and the like; an output portion 1407 including a Cathode Ray Tube (CRT), a Liquid Crystal Display (LCD), and the like, a speaker, and the like; a storage section 1408 including a hard disk or the like; and a communication section 1409 including a network interface card such as a LAN card, a modem, and the like. The communication section 1409 performs communication processing via a network such as the internet. The drive 1410 is also connected to the I/O interface 1405 as needed. Removable media 1411, such as magnetic disks, optical disks, magneto-optical disks, semiconductor memory, and the like, is installed as needed on drive 1410 so that a computer program read therefrom is installed as needed into storage portion 1408.
According to embodiments of the present disclosure, the method flow according to embodiments of the present disclosure may be implemented as a computer software program. For example, embodiments of the present disclosure include a computer program product comprising a computer program embodied on a computer readable storage medium, the computer program comprising program code for performing the method shown in the flowcharts. In such an embodiment, the computer program can be downloaded and installed from a network via the communication portion 1409 and/or installed from the removable medium 1411. The above-described functions defined in the system of the embodiments of the present disclosure are performed when the computer program is executed by the processor 1401. The systems, devices, apparatus, modules, units, etc. described above may be implemented by computer program modules according to embodiments of the disclosure.
The present disclosure also provides a computer-readable storage medium that may be embodied in the apparatus/device/system described in the above embodiments; or may exist alone without being assembled into the apparatus/device/system. The computer-readable storage medium carries one or more programs which, when executed, implement methods in accordance with embodiments of the present disclosure.
According to embodiments of the present disclosure, the computer-readable storage medium may be a non-volatile computer-readable storage medium, which may include, for example, but is not limited to: a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the context of this disclosure, a computer-readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device. For example, according to embodiments of the present disclosure, the computer-readable storage medium may include ROM 1402 and/or RAM 1403 described above and/or one or more memories other than ROM 1402 and RAM 1403.
The flowcharts and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present disclosure. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams or flowchart illustration, and combinations of blocks in the block diagrams or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
The present disclosure also provides a computer program product comprising a computer program comprising one or more programs. The above-described method may be implemented as a computer software program. For example, embodiments of the present disclosure include a computer program product comprising a computer program embodied on a computer readable storage medium, the computer program comprising program code for performing the method shown in the flowcharts. In such an embodiment, the computer program can be downloaded and installed from a network via the communication portion 1409 and/or installed from the removable medium 1411. The above-described functions defined in the system of the embodiments of the present disclosure are performed when the computer program is executed by the processor 1401. The systems, devices, apparatus, modules, units, etc. described above may be implemented by computer program modules according to embodiments of the disclosure.
Those skilled in the art will appreciate that the features recited in the various embodiments of the disclosure and/or in the claims may be combined in various ways, even if such combinations are not explicitly recited in the disclosure. In particular, the features recited in the various embodiments of the present disclosure and/or the claims may be combined in various ways without departing from the spirit and teachings of the present disclosure. All such combinations fall within the scope of the present disclosure.
The embodiments of the present disclosure are described above. These embodiments are for illustrative purposes only and are not intended to limit the scope of the present disclosure. Although the embodiments are described above separately, this does not mean that the measures in the embodiments cannot be used advantageously in combination. The scope of the disclosure is defined by the appended claims and their equivalents. Various alternatives and modifications can be made by those skilled in the art without departing from the scope of the disclosure, and such alternatives and modifications are intended to fall within the scope of the disclosure.

Claims (16)

1. A method for accessing resources, comprising:
a first server receives a request message from a client;
the first server performs a first signature on the request message based on a first private key and generates first signature verification information, wherein the first signature verification information and the request message together form first request information;
the first server encrypts the first request information based on a first public key to generate a ciphertext;
the gateway decrypts the first request information based on a second private key to obtain the request message and the first signature verification information;
the gateway performs a first verification on the first signature verification information based on a second public key;
if the first verification passes, the gateway performs a second signature on the request message based on a third private key and generates second signature verification information;
the second server performs a second verification on the second signature verification information based on a third public key; and
if the second verification passes, a resource access address is obtained based on the second server,
wherein the first private key is matched with the second public key, the first public key is matched with the second private key, and the third private key is matched with the third public key; the first private key and the second public key are generated by the first server, and the second private key and the first public key, as well as the third private key and the third public key, are generated by the gateway.
2. The resource access method of claim 1, wherein the decryption and the first verification are performed based on an automatic submission form technique, and the second verification is performed based on a page redirection technique.
3. The resource access method of claim 2, wherein performing the decryption and the first verification based on an automatic submission form technique comprises:
after generating the ciphertext, the first server generates first automatic submission form information based on the ciphertext, wherein the first automatic submission form information comprises a request URL, and the request URL is a gateway service address;
the first server returns the first automatic submission form information to the client; and
the client loads and renders a first automatic submission form and requests the gateway service, wherein the gateway service comprises the decryption and the first verification.
4. The resource access method of claim 2, wherein performing the second verification based on a page redirection technique further comprises:
after generating the second signature verification information, the gateway modifies the request URL in the first automatic submission form information into a second server service address and generates second automatic submission form information, wherein the second automatic submission form information comprises a state control code, and the state control code is used for controlling page redirection;
the gateway returns the second automatic submission form information to the client; and
the client loads and renders a second automatic submission form and performs a page jump according to the redirection address to request the second server service, wherein the second server service comprises the second verification.
5. The resource access method of claim 1, wherein after obtaining the resource access address based on the second server, the method further comprises:
the second server returns the resource access address to the client; and
the client accesses the resource access address to acquire the resource.
6. The resource access method of any one of claims 1 to 5, wherein the first server comprises an API caller backend server; the gateway comprises an API gateway; the second server includes an API provider backend server.
7. A resource access system, comprising: a first server, a gateway, a second server,
The first server is configured to receive a request message from a client; carrying out first signature on the request message based on a first private key, and generating first signature verification information; encrypting the first request information based on a first public key to generate a ciphertext, wherein the first signature verification information and the request message jointly form the first request information;
the gateway is configured to decrypt the first request information based on a second private key, and acquire the request message and the first signature verification information; performing a first verification of the first signature verification information based on the second public key; if the first verification is passed, carrying out second signature on the request message based on a third private key, and generating second signature verification information; and
The second server is configured to perform second verification on the second signature verification information based on a third public key, and if the second verification passes, obtain a resource access address based on the second server, wherein the first private key is matched with the second public key; the first public key is matched with the second private key; the third private key is matched with the third public key, wherein the first private key and the second public key are generated based on the first server; the second private key and the first public key, and the third private key and the third public key are generated based on the gateway.
8. The resource access system of claim 7, wherein the first server comprises:
a first acquisition module configured to receive a request message from a client;
a first computing module configured to perform a first signature on the request message based on a first private key and generate first signature verification information; and
a second computing module configured to encrypt the first request information based on the first public key and generate a ciphertext.
9. The resource access system of claim 7, wherein the gateway comprises:
a decryption module configured to decrypt the first request information based on the second private key to obtain the request message and the first signature verification information;
a first verification module configured to perform a first verification on the first signature verification information based on the second public key; and
a third computing module configured to perform a second signature on the request message based on a third private key and generate second signature verification information.
10. The resource access system of claim 7, wherein the second server comprises:
a second verification module configured to perform a second verification on the second signature verification information; and
a second acquisition module configured to acquire the resource access address if the second verification passes.
11. The resource access system of claim 8, wherein the first server further comprises:
a first generation module configured to generate first automatic submission form information based on the ciphertext; and
a first return module configured to return the first automatic submission form information to the client.
12. The resource access system of claim 9, wherein the gateway further comprises:
a third acquisition module configured to obtain a first automatic submission form from the client;
a conversion module configured to modify the request URL in the first automatic submission form information into a second server service address and generate second automatic submission form information, wherein the second automatic submission form information comprises a state control code, and the state control code is used for controlling page redirection; and
a second return module configured to return the second automatic submission form information to the client.
13. The resource access system of claim 10, wherein the second server further comprises:
a fourth acquisition module configured to acquire a second automatic submission form from the client.
14. An electronic device, comprising:
One or more processors;
storage means for storing executable instructions which, when executed by the processor, implement the resource access method according to any one of claims 1 to 6.
15. A computer readable storage medium having stored thereon executable instructions which, when executed by a processor, implement the resource access method according to any of claims 1 to 6.
16. A computer program comprising one or more executable instructions which when executed by a processor implement the method of any one of claims 1 to 6.
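How the automatic submission form of claims 3 and 4 (and the conversion and return modules of claims 11 and 12) moves the ciphertext through the client's browser, as an added example written for Node.js; it is not the patent's code. The claims name only a request URL and a state control code, so the field names ("ciphertext", "payload", "state"), the host allow-list check and the escaping helper are assumptions of this example.

```javascript
// Added example (not from the patent): the browser-mediated relay of claims 3 and 4.
// Assumptions: hidden-field names, the allow-list check and the attribute escaping helper.

// The browser POSTs to whatever the form names as its action, so the request URL must come
// from configuration and is checked against an allow list rather than trusted blindly.
function assertAllowedUrl(url, allowedHosts) {
  const u = new URL(url);
  if (u.protocol !== "https:" || !allowedHosts.includes(u.host)) {
    throw new Error(`refusing form action ${url}`);
  }
  return url;
}

// First automatic submission form information (claim 3): request URL = gateway service
// address, carrying the ciphertext the first server produced.
function firstFormInfo(gatewayServiceUrl, ciphertext, allowedHosts) {
  return { requestUrl: assertAllowedUrl(gatewayServiceUrl, allowedHosts), fields: { ciphertext } };
}

// Gateway conversion (claim 4): the request URL becomes the second server's service address,
// the ciphertext is replaced by the re-signed request information, and a state control code
// is added for the second server's page redirection.
function secondFormInfo(firstInfo, secondServerUrl, secondRequestInfo, stateControlCode, allowedHosts) {
  const { ciphertext: _consumed, ...carried } = firstInfo.fields; // the gateway consumed the envelope; never re-expose it
  return {
    requestUrl: assertAllowedUrl(secondServerUrl, allowedHosts),
    fields: { ...carried, payload: secondRequestInfo, state: stateControlCode },
  };
}

// Attribute-context HTML escaping: ciphertext, signatures and the state code are untrusted
// bytes being placed into a page, so every field name and value goes through this.
function escapeAttr(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Renders the page the client loads; the onload handler submits the form with no user action,
// and the noscript button keeps the flow usable when scripts are disabled.
function renderAutoSubmitForm(info) {
  const inputs = Object.keys(info.fields).sort()
    .map((n) => `<input type="hidden" name="${escapeAttr(n)}" value="${escapeAttr(info.fields[n])}">`)
    .join("");
  return `<!DOCTYPE html><html><body onload="document.forms[0].submit()">` +
    `<form method="POST" action="${escapeAttr(info.requestUrl)}">${inputs}` +
    `<noscript><input type="submit" value="Continue"></noscript></form></body></html>`;
}

// What the gateway or second server receives when the browser submits: an
// application/x-www-form-urlencoded body, parsed back into the field map.
function parseFormBody(body) {
  return Object.fromEntries(new URLSearchParams(body));
}
```

The form is rendered from a plain field map rather than by string-patching the first server's HTML, which is what lets the gateway drop the caller's envelope and add the state code without carrying over anything it did not intend to; a state code that contains markup is rendered inert, as the escaped output shows.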
CN202111206702.1A 2021-10-15 2021-10-15 Resource access method, device, electronic equipment and medium Active CN113949566B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111206702.1A CN113949566B (en) 2021-10-15 2021-10-15 Resource access method, device, electronic equipment and medium

Publications (2)

Publication Number Publication Date
CN113949566A CN113949566A (en) 2022-01-18
CN113949566B true CN113949566B (en) 2024-06-11

Family

ID=79331018

Country Status (1)

Country Link
CN (1) CN113949566B (en)

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114500054B (en) * 2022-01-27 2024-03-01 百度在线网络技术(北京)有限公司 Service access method, service access device, electronic device, and storage medium
CN114614996B (en) * 2022-05-12 2023-03-28 深圳市华曦达科技股份有限公司 Terminal request processing method, device and system
CN115242486B (en) * 2022-07-19 2024-04-19 阿里巴巴(中国)有限公司 Data processing method, device and computer readable storage medium

Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2011145949A1 (en) * 2010-05-18 2011-11-24 Sibcom As Method, system and devices for the establishment of a secure communication session
CN106850699A (en) * 2017-04-10 2017-06-13 中国工商银行股份有限公司 A kind of mobile terminal login authentication method and system
CN109981665A (en) * 2019-04-01 2019-07-05 北京纬百科技有限公司 Resource provider method and device, resource access method and device and system
CN109981666A (en) * 2019-04-01 2019-07-05 北京纬百科技有限公司 A kind of cut-in method, access system and access server
CN110460674A (en) * 2019-08-21 2019-11-15 中国工商银行股份有限公司 A kind of information-pushing method, apparatus and system
CN110661817A (en) * 2019-10-25 2020-01-07 新华三大数据技术有限公司 Resource access method and device and service gateway
CN112564916A (en) * 2020-12-01 2021-03-26 上海艾融软件股份有限公司 Access client authentication system applied to micro-service architecture
CN112822675A (en) * 2021-01-11 2021-05-18 北京交通大学 MEC environment-oriented OAuth 2.0-based single sign-on mechanism

Family Cites Families (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10164963B2 (en) * 2015-10-23 2018-12-25 Oracle International Corporation Enforcing server authentication based on a hardware token
US10454917B2 (en) * 2015-11-05 2019-10-22 Red Hat, Inc. Enabling single sign-on authentication for accessing protected network services
FR3044499B1 (en) * 2015-11-26 2017-12-15 Commissariat Energie Atomique METHOD OF ESTABLISHING SECURE END-TO-END COMMUNICATION BETWEEN A USER TERMINAL AND A CONNECTED OBJECT
US10834096B2 (en) * 2018-06-05 2020-11-10 The Toronto-Dominion Bank Methods and systems for controlling access to a protected resource
US11108762B2 (en) * 2018-06-05 2021-08-31 The Toronto-Dominion Bank Methods and systems for controlling access to a protected resource
US10992658B2 (en) * 2019-01-21 2021-04-27 Microsoft Technology Licensing, Llc Client-side native application and browser identification for session control in proxy solutions
US11146398B2 (en) * 2019-08-30 2021-10-12 Comcast Cable Communications, Llc Method and apparatus for secure token generation
US11463258B2 (en) * 2020-03-13 2022-10-04 Ebay Inc. Secure token refresh

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
Secure and Lightweight Mutual Multi-Factor Authentication for IoT Communication Systems; H. N. Noura, R. Melki and A. Chehab; 2019 IEEE 90th Vehicular Technology Conference (VTC2019-Fall); 20191107; pp. 1-7 *
A Token-based secure cross-domain login method and its implementation; 胡小舟; 网络安全和信息化; 20210805 (No. 08); pp. 131-133 *

Also Published As

Publication number Publication date
CN113949566A (en) 2022-01-18

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant