CN114598481A - Authorization authentication method, device, electronic equipment and storage medium - Google Patents
Authorization authentication method, device, electronic equipment and storage medium Download PDFInfo
- Publication number
- CN114598481A CN114598481A CN202011301384.2A CN202011301384A CN114598481A CN 114598481 A CN114598481 A CN 114598481A CN 202011301384 A CN202011301384 A CN 202011301384A CN 114598481 A CN114598481 A CN 114598481A
- Authority
- CN
- China
- Prior art keywords
- certificate
- authorization
- service
- license
- verification
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
- 238000013475 authorization Methods 0.000 title claims abstract description 200
- 238000000034 method Methods 0.000 title claims abstract description 103
- 238000012795 verification Methods 0.000 claims abstract description 110
- 230000004044 response Effects 0.000 claims abstract description 52
- 230000032683 aging Effects 0.000 claims description 15
- 238000004590 computer program Methods 0.000 claims description 5
- 238000010200 validation analysis Methods 0.000 claims description 3
- 230000008569 process Effects 0.000 description 9
- 230000006870 function Effects 0.000 description 7
- 238000010586 diagram Methods 0.000 description 6
- 230000003287 optical effect Effects 0.000 description 6
- 238000012545 processing Methods 0.000 description 5
- 238000013478 data encryption standard Methods 0.000 description 4
- 230000000977 initiatory effect Effects 0.000 description 4
- 230000009286 beneficial effect Effects 0.000 description 2
- 238000011161 development Methods 0.000 description 2
- 230000018109 developmental process Effects 0.000 description 2
- 238000005516 engineering process Methods 0.000 description 2
- 239000013307 optical fiber Substances 0.000 description 2
- 230000002093 peripheral effect Effects 0.000 description 2
- 230000000644 propagated effect Effects 0.000 description 2
- 238000003491 array Methods 0.000 description 1
- 238000004891 communication Methods 0.000 description 1
- 235000014510 cooky Nutrition 0.000 description 1
- 230000006872 improvement Effects 0.000 description 1
- 230000003993 interaction Effects 0.000 description 1
- 230000005012 migration Effects 0.000 description 1
- 238000013508 migration Methods 0.000 description 1
- 230000004048 modification Effects 0.000 description 1
- 238000012986 modification Methods 0.000 description 1
- 238000004806 packaging method and process Methods 0.000 description 1
- 230000008707 rearrangement Effects 0.000 description 1
- 239000004065 semiconductor Substances 0.000 description 1
- 238000000926 separation method Methods 0.000 description 1
- 230000003068 static effect Effects 0.000 description 1
- 238000006467 substitution reaction Methods 0.000 description 1
- 230000000007 visual effect Effects 0.000 description 1
Images
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/0861—Network architectures or network communication protocols for network security for authentication of entities using biometrical features, e.g. fingerprint, retina-scan
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L67/00—Network arrangements or protocols for supporting network services or applications
- H04L67/01—Protocols
- H04L67/02—Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/06—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
- H04L9/0618—Block ciphers, i.e. encrypting groups of characters of a plain text message using fixed encryption transformation
- H04L9/0625—Block ciphers, i.e. encrypting groups of characters of a plain text message using fixed encryption transformation with splitting of the data block into left and right halves, e.g. Feistel based algorithms, DES, FEAL, IDEA or KASUMI
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3263—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements
Abstract
The invention discloses an authorization authentication method, an authorization authentication device, electronic equipment and a storage medium. The method comprises the following steps: loading an authorization certificate by providing a file based on a packaged service license when a login request sent by a target client is received; verifying the authorization certificate based on the packaged failure permission providing file to obtain a verification result, thereby realizing the authentication of the authorization certificate; if the verification result is that the verification passes, generating service response information and sending the service response information to the target client, so that the service is provided only when the verification of the authorization certificate passes, the safety of the network application program interface service is improved, and the network application program interface is prevented from being illegally deployed to an unauthorized server.
Description
Technical Field
The embodiment of the invention relates to the technical field of program design and coding, in particular to an authorization authentication method, an authorization authentication device, electronic equipment and a storage medium.
Background
With the development of internet technology and the improvement of hardware performance of client and server, the functions of application programs presented on web pages are becoming rich. The method comprises the steps that a web page application is transmitted from a client program of a desktop end to a mobile phone application of a mobile end by using an HTTP (hyper text transport protocol) protocol, the HTTP protocol is stateless, all authorization authentication requests are based on a server end, traditional session authentication and cookie authentication run well on a single server, but the shared session can solve the problems of migration and copying among multiple servers as the server scale is enlarged, and the performance is sharply reduced along with the continuous increase of the number of the servers. Modern WEB application introduces a front-end and back-end separation technology, a server end does not store the context of user session, but generates a token object through a specific algorithm, and a client end uses the token to complete identity verification work when requesting data.
With the development and popularization of distributed applications for constructing services based on HTTP protocols, token certifications or Restful patterns, the update of Hospital Information System architectures, and the requirement for interconnection and intercommunication among systems, it is becoming a standard to provide business services externally in the form of WEB Application Programming Interface (WEBAPI), such as the basic HIS (Hospital Information System) Information services of Hospital Information, patient Information, medical insurance Information, etc. Currently, the mainstream practice in the industry is to satisfy the authorization service requirement by means of WEBAPI and token check.
However, for an information system manufacturer, once the WEBAPI service is deployed, the control on the WEBAPI is lost, so that it is impossible to prevent the WEBAPI from being illegally deployed on an unauthorized server, and it is difficult to ensure the security of the WEBAPI service.
Disclosure of Invention
The invention provides an authorization authentication method, an authorization authentication device, electronic equipment and a storage medium, which are used for verifying an authorization certificate, so that the safety of a network application program interface service is improved, and the problem that a network application program interface is illegally deployed on an unauthorized server is solved.
In a first aspect, an embodiment of the present invention provides an authorization authentication method, including:
when a login request sent by a target client is received, providing a file loading authorization certificate based on packaged service permission;
verifying the authorization certificate based on the packaged failure permission providing file to obtain a verification result;
and if the verification result is that the verification result is passed, generating service response information and sending the service response information to the target client.
In a second aspect, an embodiment of the present invention further provides an authorization authentication apparatus, where the apparatus includes:
the certificate loading module is used for providing a file loading authorization certificate based on the packaged service permission when a login request sent by a target client is received;
the certificate verification module is used for verifying the authorization certificate based on the packaged invalid permission providing file to obtain a verification result;
and the response generation module is used for generating service response information and sending the service response information to the target client if the verification result is that the service response information passes.
In a third aspect, an embodiment of the present invention further provides an electronic device, where the electronic device includes:
one or more processors;
a storage device for storing one or more programs,
when executed by the one or more processors, cause the one or more processors to implement the authorization authentication method provided by the embodiments of the invention.
In a fourth aspect, the embodiment of the present invention further provides a computer-readable storage medium, on which a computer program is stored, where the computer program, when executed by a processor, implements the authorization authentication method provided in the embodiment of the present invention.
The embodiment of the invention has the following advantages or beneficial effects:
loading an authorization certificate by providing a file based on a packaged service license when a login request sent by a target client is received; verifying the authorization certificate based on the packaged failure permission providing file to obtain a verification result, thereby realizing the authentication of the authorization certificate; if the verification result is that the verification passes, generating service response information and sending the service response information to the target client, so that the service is provided only when the verification of the authorization certificate passes, the safety of the network application program interface service is improved, and the network application program interface is prevented from being illegally deployed to an unauthorized server.
Drawings
In order to more clearly illustrate the technical solutions of the exemplary embodiments of the present invention, a brief description is given below of the drawings used in describing the embodiments. It should be clear that the described figures are only views of some of the embodiments of the invention to be described, not all, and that for a person skilled in the art, other figures can be derived from these figures without inventive effort.
Fig. 1 is a flowchart illustrating an authorization authentication method according to an embodiment of the present invention;
fig. 2 is a flowchart illustrating an authorization authentication method according to a second embodiment of the present invention;
fig. 3 is a flowchart illustrating an authorization authentication method according to a second embodiment of the present invention;
fig. 4 is a schematic diagram of an authorization and authentication process according to a second embodiment of the present invention;
fig. 5 is a schematic structural diagram of an authorization and authentication apparatus according to a third embodiment of the present invention;
fig. 6 is a schematic structural diagram of an electronic device according to a fourth embodiment of the present invention.
Detailed Description
The present invention will be described in further detail with reference to the accompanying drawings and examples. It is to be understood that the specific embodiments described herein are merely illustrative of the invention and are not limiting of the invention. It should be further noted that, for the convenience of description, only some of the structures related to the present invention are shown in the drawings, not all of the structures.
Example one
Fig. 1 is a schematic flowchart of an authorization authentication method according to an embodiment of the present invention, where this embodiment is applicable to a situation that an authorization certificate needs to be checked when a target client sends a login request, and a service response is generated according to a check result, where the method may be executed by an authorization authentication device, where the device may be implemented by hardware and/or software, and the method specifically includes the following steps:
s110, when a login request sent by a target client is received, providing a file loading authorization certificate based on the packaged service permission.
The target client is an application program capable of initiating a service request to a network application program interface, and the target client can also interact with a target user and provide a visual user interface for the target user, so that when it is monitored that the target user triggers a service control on the user interface, a service request corresponding to a service is initiated to the network application program interface. When a target client needs to initiate a service request to a network application program interface, the target client generates a login request according to login information of a target user, and sends the login request to the network application program interface so as to request the network application program interface to provide corresponding service. The authorization certificate refers to authorization permission data for a network application program interface, which is deployed in a server in advance by an information system manufacturer. Illustratively, the specific data content of the authorization certificate may contain the following fields: an interface code | interface name | hospital code | hospital name | authorization validity start date | authorization validity expiration date | interface validity expiration date | control mode | usage validity period type, wherein the interface code and the interface name are respectively a number and a name of a network application program interface, the hospital code and the hospital name respectively refer to a number and a name of a hospital to which a server deploying the network application program interface belongs, the authorization validity start date and the authorization validity expiration date respectively refer to an authorization start date and an authorization end date for the network application program interface, the interface validity start date and the interface validity expiration date respectively refer to a valid start date and an effective end date of the network application program interface, the control mode is a control identification bit of the network application program interface, the control mode is a prompt mode when the control mode is 0, and the use is prohibited when the control mode is 1, the validity period type refers to the type of authorization time of the network application program interface, such as permanent authorization, temporary authorization or time limit authorization. The content in the authorization certificate may be updated after each authorization check.
It should be noted that the network application program interface in this embodiment refers to WEBAPI, and particularly refers to Restful API of the NET platform. The Restful API refers to an API which uses a URI to represent a resource and uses an HTTP method (GET, POST, PUT, DELETE) to represent an operation on the resource, that is, the Restful API requires a target client to send a request in a predefined syntax format (such as JSON format), and the server only needs to define a uniform response interface without separately parsing a format of data sent by each target client.
In this embodiment, the process of loading and verifying the authorization certificate uses the NET framework. Specifically, a NET platform component library license provider object is adopted, is located in a system.dll, and has a space name: system. The service license providing file refers to a class with a license caching function in a NET framework authorization structure, such as Serverlicense provider. cs, the service license providing file can be formed by self-defining packaging of C # codes, an authorization certificate of a network application program interface can be searched in a license cache, and data of the authorization certificate is loaded from an lic text file, wherein a lic file is stored in a license directory in a network application program root directory.
Optionally, providing a file loading authorization certificate based on the encapsulated service license includes: and calling a certificate acquisition method in the pre-created service license providing file to load the certificate, wherein the certificate acquisition method is acquired by the service license providing file inheriting from the license providing object.
The method for acquiring the certificate refers to a method for loading the certificate provided by the service license providing file in the NET framework authorization structure, such as a Getlicense method. The license provisioning object refers to an object in the license provisioning class, which refers to a class in the NET framework that can implement the issue and verification of authorization certificates, such as license Provider. It should be noted that the certificate acquisition method is provided by the license provision class, and the service license provision file may acquire the certificate acquisition method by inheriting an object in the license provision class. Illustratively, the statement to load the certificate of authority by calling the certificate acquisition method GetLicense is as follows: protected virtual string getlicense data (Type), which indicates that the authorization credential data is retrieved from the license stream and loaded by reading from the first line of data in the license stream. GetLicense to load the authorization credentials may also use other derived methods to read the authorization credential data from other license stores that are not stream-based. In this embodiment, the loading of the authorization certificate is realized by calling the certificate acquisition method in the service license providing file created in advance, so that the loading speed of the authorization certificate is increased, and further, the verification speed of the authorization certificate is increased.
And S120, verifying the authorization certificate based on the packaged failure permission providing file to obtain a verification result.
The network framework authorization structure is a class with a license authentication function, such as expiringlinseprovider. The service license providing file is derived from the service license providing file, that is, the service license providing file can inherit the object in the service license providing file, obtain the authorization certificate loaded by the service license providing file, and verify the authorization certificate. Specifically, the verification method may be to determine the verification result of the authorization certificate by judging whether the number of times of using the network application program interface in the authorization certificate exceeds a specified number of times, and it should be noted that, before each verification, the number of times of using the network application program interface in the authorization certificate is incremented. For example, the verification method may further determine whether the current time is within the authorization period by obtaining an authorization start date and an authorization expiration date of the network application program interface in the authorization certificate, so as to obtain a verification result of the authorization certificate. For example, the verification method may also be implemented by judging whether the content of a specific field in the authorization certificate matches the preset content, and if so, determining that the authorization certificate passes the verification.
It should be noted that, before the certificate of authority is checked, a Controller (Controller) of WEBAPI is modified by using a license provider attribute, where a license provider attribute object is located in system.dll and a name space is: system.
Optionally, verifying the authorization certificate based on the encapsulated license revocation providing file includes: a certificate is verified by invoking a validate license method in the pre-created invalidation license provisioning document, wherein the validate license method is obtained by the invalidation license provisioning document inheriting from the service license provisioning document.
The method for verifying the license refers to a method for providing a certificate for verification provided by a file by a service license in a NET framework authorization structure, namely a ValidateLicense method, wherein the ValidateLicense method obtains a verification result of the certificate by checking metadata of the certificate. It should be noted that the verification license method is provided by the service license providing file, and the revocation license providing file can acquire the verification license method by inheriting the service license providing file. Illustratively, the statement to verify a certificate by calling the validate permission method ValidateLicense is as follows: a protected virtual pool valid license data (Type, string license data), which indicates that when the data of the authorization certificate is valid, True is returned, and the verification of the authorization certificate passes. And if the data of the authorization certificate is invalid, transmitting the license exception verification result to the calling code, thereby generating a verification failure response and transmitting the verification failure response to the target client. In the embodiment, the verification method in the pre-created invalidation license providing file is called to verify the authorization certificate, so that the verification speed of the authorization certificate and the accuracy of the verification result are improved.
Optionally, invoking a pre-created license validation method in the license invalidation providing file to verify the certificate includes: judging whether the certificate is a valid certificate or not through the authorization key word; and calling an aging verification method in the license management component introduced in the business webpage interface to check whether the certificate exceeds the service period aging.
The process of verifying the authorization certificate by the verification and permission method is divided into two parts, namely, whether the authorization certificate is valid is verified, and whether the authorization certificate exceeds the time efficiency of the server is verified. The authorization key words are specifically used for being matched with the contents in each field of the authorization certificate one by one, if the authorization certificate contains the authorization key words, the authorization key words are successfully matched with part of the contents of the authorization certificate, and the authorization certificate is determined to be a valid certificate. The authorization key may be a specified interface code, interface name, hospital code, hospital name, or usage expiration type content. For example, if an authorization key is specified as the interface name content, such as "CA standard interface service", the statement for determining whether the authorization key is a valid certificate is as follows:
in this embodiment, the business web interface refers to a web application interface, and the license management component refers to a license manager component in the NET framework, where the license manager component is located in the system. System. The aging verification method refers to a static method IsValid method provided by a license manager component in a NET framework. Illustratively, the statement that the IsValid method checks whether the certificate of authority exceeds the service period by the time limit is: IsValid (typeof (UserController)), a judgment result of whether the authorization certificate exceeds the service period time is returned by a statement. Wherein, the UserController is a service controller of WEBAPI, and before checking the authorization certificate, a modification attribute is created in advance in the service controller, for example: [ LipcenseProvider (typeof (ExpringLicenseProvider)) ] public class UserController: ApiController. It should be noted that whether the certificate is a valid certificate is determined by the authorization key. In this embodiment, the second verification of the authorization certificate is implemented by dividing the verification process of the authorization certificate into determining whether the certificate is valid or not and whether the certificate exceeds the server timeliness or not, so that the accuracy of the verification result of the authorization certificate is improved, the network application program interface is prevented from being illegally deployed to an unauthorized server, and the security of the network application program interface service is ensured.
Optionally, invoking an aging verification method in a license management component introduced in the service web interface to check whether the certificate exceeds the service period aging includes: and calling an expiration verification method in the invalidation license providing file through an aging verification method in a license management component introduced in the business webpage interface so that the expiration verification method judges whether the certificate exceeds the service period aging or not.
The network framework provides an IsExpired method in a failure license providing file. The IsExpired method can judge whether the authorization certificate exceeds the server time efficiency by using the authorization valid start date and the authorization valid expiration date in the authorization certificate, and can also judge by using the interface valid start date and the interface valid expiration date in the authorization certificate. For example, the IsExpired method uses the authorization validity start date and the authorization validity expiration date to determine whether the certificate exceeds the service period by the following statements:
wherein, datetime.now refers to the current time, which may be the time for starting verification, or may be the time for receiving a login request sent by a target client, _ start represents an authorized valid start date, _ end represents an authorized valid expiration date, datetime.now < _ start | | | datetime.now > _ end represents that the current time is less than the authorized valid start date or the current time is greater than the authorized valid expiration date, if the current time is less than the authorized valid start date or the current time is greater than the authorized valid expiration date, 1 is returned to indicate that the authorized certificate exceeds the service life, and the check result does not pass.
In this embodiment, the expiration verification method in the revocation permission providing file is called, so that the expiration verification method determines whether the certificate exceeds the service period aging, thereby determining whether the service period aging is exceeded based on the specific information of the authorization certificate, and improving the accuracy of the verification result of the authorization certificate.
Optionally, if the expiration verification method determines that the certificate exceeds the service period time limit, the service period of the authorization certificate may be updated according to the usage period type in the authorization certificate, and the updated authorization certificate is stored in a permission cache in the server, so that when the next login request is received, the updated authorization certificate in the permission cache is loaded, and the updated authorization certificate is further verified. For example, if the usage period type is a temporary authorization, the authorization validity start date and the authorization validity expiration date in the authorization certificate may be updated according to the period of the temporary authorization, and/or the interface validity start date and the interface validity expiration date in the authorization certificate may be updated. By updating the service period of the authorization certificate, the secondary authorization is provided for the WEBAPI, and further, the service timeliness of the WEBAPI is effectively controlled.
And S130, if the verification result is that the service response message passes, generating service response message and sending the service response message to the target client.
After the network application program interface verifies the authorization certificate, feedback information is generated according to a verification result and sent to the target client. If the verification result is correct, generating service response information as feedback information to be sent to the target client so as to provide the service corresponding to the service for the target client; and if the verification result is wrong, generating verification failure information serving as feedback information to be sent to the target client so as to refuse to provide service corresponding to the service for the target client.
According to the technical scheme of the embodiment, when a login request sent by a target client is received, a file loading authorization certificate is provided based on packaged service permission; verifying the authorization certificate based on the packaged failure permission providing file to obtain a verification result, thereby realizing the authentication of the authorization certificate; if the verification result is that the verification passes, generating service response information and sending the service response information to the target client, so that the service is provided only when the verification of the authorization certificate passes, the safety of the network application program interface service is improved, and the network application program interface is prevented from being illegally deployed to an unauthorized server.
Example two
Fig. 2 is a schematic flow chart of an authorization authentication method according to a second embodiment of the present invention, and in this embodiment, "check a token carried in a login request sent by a target client" is added on the basis of the foregoing embodiments. Wherein explanations of the same or corresponding terms as those of the above embodiments are omitted. Referring to fig. 2, an authorization authentication method provided in this embodiment includes:
s210, when a login request sent by a target client is received, providing a file loading authorization certificate based on the packaged service permission.
S220, verifying the authorization certificate based on the packaged failure permission providing file to obtain a verification result.
Optionally, before verifying the authorization certificate based on the encapsulated license revocation provider file, the method further includes: decrypting the authorization certificate through a symmetric encryption algorithm; and correspondingly, verifying the decrypted authorization certificate based on the encapsulated fail-safe license providing file.
It should be noted that, if the authorization certificate exists in the permission cache in the form of a plaintext file, an application developer can easily modify data in the authorization certificate, so that the WEBAPI is deployed in an illegal server, and an information system vendor also loses control over the WEBAPI. Therefore, by encrypting the authorization certificate, the security of the authorization certificate can be improved. The authorization certificate can be encrypted by adopting a symmetric encryption algorithm, and the encrypted authorization certificate is decrypted by adopting the symmetric encryption algorithm. The symmetric Encryption algorithm refers to an Encryption algorithm in which the Encryption and decryption processes use the same key, such as des (data Encryption standard), 3des (triple des), or aed (advanced Encryption standard). Because the encryption and decryption speed of the DES is high, the DES is suitable for encrypting and decrypting a large amount of data, and therefore, the DES encryption algorithm is preferably adopted. Specifically, the DESCRYPTOServiceProvider provided by the NET framework is adopted to realize the encryption and decryption of the authorization certificate. The encryption key is embedded into the encrypted license provider class as a private field encrypted keys, so that the difficulty degree of modifying the data of the authorization certificate is improved.
Illustratively, the contents of the encrypted authorization certificate are as follows: 6200000000000000D52AF38605AC9919BBD4861CD1525E51EEA18E838DDECD1AEBCD95F3BB0C332901A8A23794C7FD13A82E45578DFC812B44D8B5C16854EAA90662E8781CCF31D0D1ADDFE4805C62BAF428D626AFB461D72E1000CE1E2AE80F7D9F6EB5DF830E1 EDB7EA5DC10FAFFF17433B8397F 1F; the decryption authorization certificate obtained by the encryption symmetric algorithm is as follows: 251566| CA Standard interface service |234567| virtualizes first hospital |20201001|20230930|20201001|20230930|0| 2. In the embodiment, the authorization certificate is decrypted by adopting a symmetric encryption algorithm, and the decrypted authorization certificate is verified, so that the encryption and decryption of the authorization certificate are realized, the authorization certificate is prevented from being tampered, and meanwhile, the safety of the network application program interface service is improved.
And S230, if the verification result is that the verification is passed, verifying the carried token in the login request sent by the target client.
The carried token is a character string, namely token, generated by the server and used as a target client request identifier and carried by the target client when initiating a login request. Specifically, when a target client initiates a first login request, a server generates a token and returns the token to the target client after verifying user account information in the first login request, so that the target client carries the token when initiating a subsequent login request without carrying the user account information. Token may be generated based on the mac address of the target client device, or may be generated based on the session of the first session. It should be noted that, if the token is not carried in the login request sent by the target client, it is considered that the target client initiates the login request for the first time, or the verification of the user account information in the login request initiated before fails, and at this time, the user account information in the login request sent by the target client needs to be verified. Specifically, the token verification process is as follows: performing HS256 operation based on the header ciphertext and the payload ciphertext in the token to generate a signature; and comparing the generated signature with the signature carried in the token, and if the generated signature is consistent with the signature carried in the token, indicating that the verification of the token is correct.
And S240, if the verification is correct, generating service response information and sending the service response information to the target client.
As shown in fig. 3, when the authorization certificate and the token are both verified, acquiring WEBAPI service information as service response information and sending the service response information to the target client, and if the authorization certificate or the token is verified and the verification fails, generating request failure information and sending the request failure information to the client and ending the response process to the login request. Specifically, an interaction process between the target user, the information system manufacturer, the hospital, and the WEBAPI is shown in fig. 4, where the information system manufacturer provides an authorization certificate for the WEBAPI, and the target user provides a token for a verification process of the WEBAPI when initiating a login request. The WEBAPI is also connected with a hospital information system of the hospital, so that when the authorization certificate and token are checked to pass, the WEBAPI can acquire data of the hospital information system and provide corresponding business service for a target user. It can be understood that, in this embodiment, the sequence of S220 and S230 is not sequential, that is, the sequence of verifying the authorization certificate and verifying the token is not limited in this embodiment, as shown in fig. 3, the authorization certificate may be verified first, and the token may be verified again when the authorization certificate passes verification; or the token can be checked first, and the authorization certificate can be checked when the token passes the check.
According to the technical scheme, the authorization certificate is verified through the packaged invalidation permission providing file, the carrying token in the login request sent by the target client is verified, and the service response information is generated and sent to the target client only when the authorization certificate and the carrying token are verified to pass, so that the secondary verification of the authorization certificate and the token is realized, the illegal deployment of the network application program interface is avoided, the safety of the network application program interface service is further improved, and the safety guarantee is increased for the user to use the service.
EXAMPLE III
Fig. 5 is a schematic structural diagram of an authorization and authentication apparatus according to a third embodiment of the present invention, which is applicable to a situation that an authorization certificate needs to be verified when a target client sends a login request, and a service response is generated according to a verification result, where the apparatus specifically includes: certificate loading module 510, certificate verification module 520, and response generation module 530.
A certificate loading module 510, configured to provide a file loading authorization certificate based on a packaged service license when receiving a login request sent by a target client;
a certificate verification module 520, configured to verify the authorization certificate based on the encapsulated license providing file to obtain a verification result;
and a response generating module 530, configured to generate a service response message to send to the target client when the verification result is that the service response message passes.
In this embodiment, when a certificate loading module receives a login request sent by a target client, an authorization certificate is loaded based on a file provided by a packaged service license; verifying the authorization certificate by a certificate verification module based on the packaged failure permission providing file to obtain a verification result, thereby realizing the authentication of the authorization certificate; and when the verification result is that the verification passes, the response generation module generates service response information and sends the service response information to the target client, so that the service is provided only when the verification of the authorization certificate passes, the safety of the network application program interface service is improved, and the network application program interface is prevented from being illegally deployed to an unauthorized server.
On the basis of the foregoing apparatus, optionally, the certificate loading module is specifically configured to invoke a certificate obtaining method in a service license providing file created in advance to load a certificate, where the certificate obtaining method is obtained by inheriting the service license providing file from the license providing object.
Optionally, the certificate verification module includes a license calling unit, and the license calling unit is configured to call a verification license method in the pre-created revocation license providing file to verify the certificate, where the verification license method is obtained by inheriting the revocation license providing file from the service license providing file.
Optionally, the license invoking unit includes:
the effective verification subunit is used for judging whether the certificate is an effective certificate or not through the authorization keyword;
and the failure verification subunit is used for calling a time efficiency verification method in the permission management component introduced into the business webpage interface to verify whether the certificate exceeds the service period time efficiency.
Optionally, the expiration verification subunit is specifically configured to invoke an expiration verification method in the expiration license providing file through an aging verification method in a license management component introduced in the service web interface, so that the expiration verification method determines whether the certificate exceeds the service period aging.
Optionally, the authorization and authentication apparatus further includes:
the certificate decryption module is used for decrypting the authorization certificate through a symmetric encryption algorithm; accordingly, the certificate verification module 520 is configured to verify the decrypted authorization certificate based on the encapsulated license revocation provider file.
Optionally, the authorization and authentication apparatus further includes:
the token checking module is configured to check the token carried in the login request sent by the target client before the response generating module 530 generates the service response information and sends the service response information to the target client; correspondingly, the response generation module 530 generates the service response message to be sent to the target client when the token is carried and the check is correct.
The authorization authentication device provided by the embodiment of the invention can execute the authorization authentication method provided by any embodiment of the invention, and has corresponding functional modules and beneficial effects of the execution method.
It should be noted that, the units and modules included in the system are merely divided according to functional logic, but are not limited to the above division as long as the corresponding functions can be implemented; in addition, specific names of the functional units are only for convenience of distinguishing from each other, and are not used for limiting the protection scope of the embodiment of the invention.
Example four
Fig. 6 is a schematic structural diagram of an electronic device according to a fourth embodiment of the present invention. FIG. 6 illustrates a block diagram of an exemplary electronic device 60 suitable for use in implementing embodiments of the present invention. The electronic device 60 shown in fig. 6 is only an example, and should not bring any limitation to the functions and the scope of use of the embodiment of the present invention.
As shown in fig. 6, the electronic device 60 is in the form of a general purpose computing device. The components of the electronic device 60 may include, but are not limited to: one or more processors or processing units 601, a system memory 602, and a bus 603 that couples various system components including the system memory 602 and the processing unit 601.
The system memory 602 may include computer system readable media in the form of volatile memory, such as Random Access Memory (RAM)604 and/or cache memory 605. The electronic device 60 may further include other removable/non-removable, volatile/nonvolatile computer system storage media. By way of example only, storage system 606 may be used to read from and write to non-removable, nonvolatile magnetic media (not shown in FIG. 6, commonly referred to as a "hard drive"). Although not shown in FIG. 6, a magnetic disk drive for reading from and writing to a removable, nonvolatile magnetic disk (e.g., a "floppy disk") and an optical disk drive for reading from or writing to a removable, nonvolatile optical disk (e.g., a CD-ROM, DVD-ROM, or other optical media) may be provided. In these cases, each drive may be connected to the bus 603 by one or more data media interfaces. Memory 602 may include at least one program product having a set (e.g., at least one) of program modules that are configured to carry out the functions of embodiments of the invention.
A program/utility 608 having a set (at least one) of program modules 607 may be stored, for example, in memory 602, such program modules 607 including, but not limited to, an operating system, one or more application programs, other program modules, and program data, each of which examples or some combination thereof may comprise an implementation of a network environment. The program modules 607 generally perform the functions and/or methods of the described embodiments of the invention.
The electronic device 60 may also communicate with one or more external devices 609 (e.g., keyboard, pointing device, display 610, etc.), one or more devices that enable a user to interact with the electronic device 60, and/or any device (e.g., network card, modem, etc.) that enables the electronic device 60 to communicate with one or more other computing devices. Such communication may occur via an input/output (I/O) interface 611. Also, the electronic device 60 may communicate with one or more networks (e.g., a Local Area Network (LAN), a Wide Area Network (WAN), and/or a public network, such as the internet) via the network adapter 612. As shown, the network adapter 612 communicates with the other modules of the electronic device 60 via the bus 603. It should be appreciated that although not shown in FIG. 6, other hardware and/or software modules may be used in conjunction with electronic device 60, including but not limited to: microcode, device drivers, redundant processing units, external disk drive arrays, RAID systems, tape drives, and data backup storage systems, among others.
The processing unit 601 executes various functional applications and data processing by running programs stored in the system memory 602, for example, implementing steps of an authorization authentication method provided by the embodiment of the present invention, the method includes:
when a login request sent by a target client is received, providing a file loading authorization certificate based on packaged service permission;
verifying the authorization certificate based on the packaged failure permission providing file to obtain a verification result;
and if the verification result is that the verification result is passed, generating service response information and sending the service response information to the target client.
Of course, those skilled in the art can understand that the processor may also implement the technical solution of the authorization authentication method provided in any embodiment of the present invention.
EXAMPLE five
The present embodiment provides a computer-readable storage medium having stored thereon a computer program which, when executed by a processor, implements the steps of an authorization authentication method as provided by any of the embodiments of the invention, the method comprising:
when a login request sent by a target client is received, providing a file loading authorization certificate based on packaged service permission;
verifying the authorization certificate based on the packaged failure permission providing file to obtain a verification result;
and if the verification result is that the verification result is passed, generating service response information and sending the service response information to the target client.
Computer storage media for embodiments of the invention may employ any combination of one or more computer-readable media. The computer readable medium may be a computer readable signal medium or a computer readable storage medium. A computer readable storage medium may be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any combination of the foregoing. More specific examples (a non-exhaustive list) of the computer readable storage medium would include the following: an electrical connection having one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the context of this document, a computer readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device.
A computer readable signal medium may include a propagated data signal with computer readable program code embodied therein, for example, in baseband or as part of a carrier wave. Such a propagated data signal may take many forms, including, but not limited to, electro-magnetic, optical, or any suitable combination thereof. A computer readable signal medium may also be any computer readable medium that is not a computer readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device.
Program code embodied on a computer readable medium may be transmitted using any appropriate medium, including but not limited to wireless, wireline, optical fiber cable, RF, etc., or any suitable combination of the foregoing.
Computer program code for carrying out operations for embodiments of the present invention may be written in any combination of one or more programming languages, including an object oriented programming language such as Java, Smalltalk, C + + or the like and conventional procedural programming languages, such as the "C" programming language or similar programming languages. The program code may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer or entirely on the remote computer or server. In the case of a remote computer, the remote computer may be connected to the user's computer through any type of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or the connection may be made to an external computer (for example, through the Internet using an Internet service provider).
It is to be noted that the foregoing is only illustrative of the preferred embodiments of the present invention and the technical principles employed. It will be understood by those skilled in the art that the present invention is not limited to the particular embodiments described herein, but is capable of various obvious changes, rearrangements and substitutions as will now become apparent to those skilled in the art without departing from the scope of the invention. Therefore, although the present invention has been described in greater detail by the above embodiments, the present invention is not limited to the above embodiments, and may include other equivalent embodiments without departing from the spirit of the present invention, and the scope of the present invention is determined by the scope of the appended claims.
Claims (10)
1. An authorization authentication method, comprising:
when a login request sent by a target client is received, providing a file loading authorization certificate based on packaged service permission;
verifying the authorization certificate based on the packaged invalid permission providing file to obtain a verification result;
and if the verification result is that the verification result is passed, generating service response information and sending the service response information to the target client.
2. The method of claim 1, wherein the package-based service license provides a file loading authorization certificate, comprising:
and calling a certificate acquisition method in the pre-created service license providing file to load the certificate, wherein the certificate acquisition method is acquired by the service license providing file inheriting from a license providing object.
3. The method of claim 1, wherein verifying the authorization credential based on the encapsulated revocation permission provision file comprises:
invoking a validation license method in a pre-created invalidation license provisioning file to verify a certificate, wherein the validation license method is obtained by the invalidation license provisioning file inheriting from the service license provisioning file.
4. The method of claim 3, wherein invoking the pre-created invalidation license provisioning method in the pre-created invalidation license provisioning file to verify the certificate comprises:
judging whether the certificate is a valid certificate or not through the authorization key word;
and calling an aging verification method in the license management component introduced in the business webpage interface to check whether the certificate exceeds the service period aging.
5. The method of claim 4, wherein invoking an age verification method in a license management component incorporated in the business web interface to verify that the certificate is over a service period age comprises:
and calling an expiration verification method in the invalidation license providing file through an aging verification method in a license management component introduced in a service webpage interface so that the expiration verification method judges whether the certificate exceeds the service period aging or not.
6. The method of claim 1, wherein before the verifying the authorization certificate based on the encapsulated revocation license providing file, further comprising:
decrypting the authorization certificate through a symmetric encryption algorithm;
and correspondingly, verifying the decrypted authorization certificate based on the encapsulated fail-safe license providing file.
7. The method of claim 1, further comprising, before sending the generated service response message to the target client:
verifying a carried token in a login request sent by a target client;
and if the verification is correct, generating service response information and sending the service response information to the target client.
8. An authorization authentication apparatus, comprising:
the certificate loading module is used for providing a file loading authorization certificate based on the packaged service permission when a login request sent by a target client is received;
the certificate verification module is used for verifying the authorization certificate based on the packaged failure permission providing file to obtain a verification result;
and the response generation module is used for generating service response information and sending the service response information to the target client if the verification result is that the service response information passes.
9. An electronic device, characterized in that the electronic device comprises:
one or more processors;
a storage device for storing one or more programs,
when executed by the one or more processors, cause the one or more processors to implement the authorization authentication method as recited in claims 1-7.
10. A computer-readable storage medium, on which a computer program is stored, which program, when being executed by a processor, carries out the authorization authentication method according to claims 1-7.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202011301384.2A CN114598481A (en) | 2020-11-19 | 2020-11-19 | Authorization authentication method, device, electronic equipment and storage medium |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202011301384.2A CN114598481A (en) | 2020-11-19 | 2020-11-19 | Authorization authentication method, device, electronic equipment and storage medium |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN114598481A true CN114598481A (en) | 2022-06-07 |
Family
ID=81802378
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202011301384.2A Pending CN114598481A (en) | 2020-11-19 | 2020-11-19 | Authorization authentication method, device, electronic equipment and storage medium |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN114598481A (en) |
Cited By (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN114896621A (en) * | 2022-07-15 | 2022-08-12 | 深圳竹云科技股份有限公司 | Application service acquisition method, encryption method, device and computer equipment |
| CN116684467A (en) * | 2023-08-02 | 2023-09-01 | 武汉吧哒科技股份有限公司 | Data acquisition method, electronic device and storage medium |
| CN117574333A (en) * | 2024-01-16 | 2024-02-20 | 四川精容数安科技有限公司 | Verification method for License validity period of backup software |
Citations (8)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN102111410A (en) * | 2011-01-13 | 2011-06-29 | 中国科学院软件研究所 | Agent-based single sign on (SSO) method and system |
| US20130218779A1 (en) * | 2012-02-21 | 2013-08-22 | Rawllin International Inc. | Dual factor digital certificate security algorithms |
| WO2018120913A1 (en) * | 2016-12-28 | 2018-07-05 | 华为技术有限公司 | Certificate acquisition method, authentication method and network device |
| CN109379336A (en) * | 2018-09-18 | 2019-02-22 | 中汇信息技术(上海)有限公司 | A kind of uniform authentication method, distributed system and computer readable storage medium |
| CN110213276A (en) * | 2019-06-05 | 2019-09-06 | 宁波深擎信息科技有限公司 | Authority checking method, server, terminal and medium under a kind of micro services framework |
| CN111066284A (en) * | 2017-10-09 | 2020-04-24 | 华为技术有限公司 | Service certificate management method, terminal and server |
| CN111147525A (en) * | 2020-02-27 | 2020-05-12 | 深圳市伊欧乐科技有限公司 | Authentication method, system, server and storage medium based on API gateway |
| CN111800378A (en) * | 2020-05-21 | 2020-10-20 | 视联动力信息技术股份有限公司 | Login authentication method, device, system and storage medium |
-
2020
- 2020-11-19 CN CN202011301384.2A patent/CN114598481A/en active Pending
Patent Citations (8)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN102111410A (en) * | 2011-01-13 | 2011-06-29 | 中国科学院软件研究所 | Agent-based single sign on (SSO) method and system |
| US20130218779A1 (en) * | 2012-02-21 | 2013-08-22 | Rawllin International Inc. | Dual factor digital certificate security algorithms |
| WO2018120913A1 (en) * | 2016-12-28 | 2018-07-05 | 华为技术有限公司 | Certificate acquisition method, authentication method and network device |
| CN111066284A (en) * | 2017-10-09 | 2020-04-24 | 华为技术有限公司 | Service certificate management method, terminal and server |
| CN109379336A (en) * | 2018-09-18 | 2019-02-22 | 中汇信息技术(上海)有限公司 | A kind of uniform authentication method, distributed system and computer readable storage medium |
| CN110213276A (en) * | 2019-06-05 | 2019-09-06 | 宁波深擎信息科技有限公司 | Authority checking method, server, terminal and medium under a kind of micro services framework |
| CN111147525A (en) * | 2020-02-27 | 2020-05-12 | 深圳市伊欧乐科技有限公司 | Authentication method, system, server and storage medium based on API gateway |
| CN111800378A (en) * | 2020-05-21 | 2020-10-20 | 视联动力信息技术股份有限公司 | Login authentication method, device, system and storage medium |
Non-Patent Citations (1)
| Title |
|---|
| 范达纳·达特耶: ""ASP.NET 服务器控制许可"", pages 1 - 19, Retrieved from the Internet <URL:https://learn.microsoft.com/zh-cn/previous-versions/dotnet/articles/aa479017(v=msdn.10)?redirectedfrom=MSDN> * |
Cited By (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN114896621A (en) * | 2022-07-15 | 2022-08-12 | 深圳竹云科技股份有限公司 | Application service acquisition method, encryption method, device and computer equipment |
| CN116684467A (en) * | 2023-08-02 | 2023-09-01 | 武汉吧哒科技股份有限公司 | Data acquisition method, electronic device and storage medium |
| CN116684467B (en) * | 2023-08-02 | 2023-10-27 | 武汉吧哒科技股份有限公司 | Data acquisition method, electronic device and storage medium |
| CN117574333A (en) * | 2024-01-16 | 2024-02-20 | 四川精容数安科技有限公司 | Verification method for License validity period of backup software |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| US11895096B2 (en) | Systems and methods for transparent SaaS data encryption and tokenization | |
| CN108322461B (en) | Method, system, device, equipment and medium for automatically logging in application program | |
| US9530011B2 (en) | Method and system for provision of cryptographic services | |
| KR101067399B1 (en) | Saving and retrieving data based on symmetric key encryption | |
| KR100996784B1 (en) | Saving and retrieving data based on public key encryption | |
| US7178163B2 (en) | Cross platform network authentication and authorization model | |
| US20160134660A1 (en) | Securely operating a process using user-specific and device-specific security constraints | |
| US8549592B2 (en) | Establishing virtual endorsement credentials for dynamically generated endorsement keys in a trusted computing platform | |
| CN101771689B (en) | Method and system for enterprise network single-sign-on by a manageability engine | |
| US10164963B2 (en) | Enforcing server authentication based on a hardware token | |
| US20180020008A1 (en) | Secure asynchronous communications | |
| CN114598481A (en) | Authorization authentication method, device, electronic equipment and storage medium | |
| CN111262889A (en) | Authority authentication method, device, equipment and medium for cloud service | |
| JP2008502251A (en) | Computer apparatus having a keystore using process and method of operating computer apparatus | |
| US20180349576A1 (en) | Cryptographic mechanisms for software setup using token-based two-factor authentication | |
| US9129098B2 (en) | Methods of protecting software programs from unauthorized use | |
| JP5474091B2 (en) | How to secure gadget access to your library | |
| US7694154B2 (en) | Method and apparatus for securely executing a background process | |
| US7661111B2 (en) | Method for assuring event record integrity | |
| EP3036674B1 (en) | Proof of possession for web browser cookie based security tokens | |
| US11849041B2 (en) | Secure exchange of session tokens for claims-based tokens in an extensible system | |
| US20240080195A1 (en) | Managing composite tokens for content access requests | |
| Rahaeimehr et al. | Recursive Augmented Fernet (RAF) Token: Alleviating the Pain of Stolen Tokens | |
| CN113987461A (en) | Identity authentication method and device and electronic equipment | |
| CN116032627A (en) | Unified authentication and authorization method and device based on micro-service architecture |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination |