CN115514533A - Cross-platform distributed unified authentication method - Google Patents


Info

Publication number
CN115514533A
Authority
CN
China
Prior art keywords
access request
authentication
request
access
client
Prior art date
Legal status
Pending
Application number
CN202211056016.5A
Other languages
Chinese (zh)
Inventor
张伶俐
吴玮
张聪
口拴军
王宗力
Current Assignee
Jiangsu Financial Leasing Co ltd
Original Assignee
Jiangsu Financial Leasing Co ltd
Priority date
2022-08-31
Filing date
2022-08-31
Publication date
2022-12-23
Application filed by Jiangsu Financial Leasing Co ltd
Priority to CN202211056016.5A
Publication of CN115514533A

Classifications

    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/083 Network architectures or network communication protocols for network security for authentication of entities using passwords
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/105 Multiple levels of security

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer And Data Communications (AREA)

Abstract

The invention discloses a cross-platform distributed unified authentication method. The method comprises: receiving an access request sent by a client; parsing the received access request to determine the type of the current access request and the target application system being accessed; if this is the first request to access the target application system within a first set time period, performing login authentication and a permission check; if authentication succeeds, or if this is the first request to access the target application system within a second set time period, generating authentication information by encryption, sending it to the client, and forwarding the current access request together with the authentication information to the application server; the client stores the received authentication information and carries it in subsequent access requests. The invention can serve business systems built on different underlying technology stacks, provides a unified solution for user requests and system calls, and addresses the performance bottleneck that arises under large-scale business volume.

Description

Cross-platform distributed unified authentication method
Technical Field
The invention relates to the technical field of authentication, in particular to a cross-platform distributed unified authentication method.
Background
More and more business systems are being deployed, and their technology stacks differ from one another, which complicates service maintenance and expansion. Companies need to manage and authenticate these scattered systems in a unified way in order to improve both user service efficiency and operations and maintenance efficiency.
Patent application CN201810689051.8 discloses a micro-service unified authentication method and gateway, in which a micro-service gateway performs authentication for micro-services of multiple service types. The gateway receives a micro-service authentication request from a client and extracts the Uniform Resource Identifier (URI) from it; the gateway sends the URI to a gateway management micro-service, which stores a mapping table from URI to micro-service interface type, micro-service address, micro-service authentication type and authentication credential parameters; the gateway receives the corresponding interface type, address, authentication type and credential parameters from the gateway management micro-service and extracts the corresponding credential parameters from the authentication request; the gateway then sends the URI and the credential parameters to an authentication service for authentication and receives the authentication result. However, that method does not form a complete closed loop for the authentication service: when a business micro-service revokes a client's access, the micro-service gateway cannot synchronize the client's access rights in real time, so a security risk remains.
Patent application CN202110180771.3 discloses a tool and method for unified authentication, in which a unified authentication gateway provides session management, authentication, auditing, service routing, rate limiting and circuit breaking, CSRF protection and similar functions. However, that unified authentication gateway has only one service node, so when it faces large-scale service requests it inevitably consumes excessive resources and its access speed drops.
Disclosure of Invention
The invention aims to provide a cross-platform distributed unified authentication method that addresses the shortcomings of the prior art.
To that end, the invention provides a cross-platform distributed unified authentication method comprising:
step 1, receiving an access request sent by a client, where the type of the access request is either a user login access request or a system call access request; parsing the received access request to determine the type of the current access request and the target application system being accessed; proceeding to step 2 if the current access request is a user login access request, and to step 3 if it is a system call access request;
step 2, judging whether the access request is the user's first request to access the target application system within a first set time period; if so, proceeding to step 4, otherwise to step 6;
step 3, judging whether the access request is the calling system's first request to access the target application system within a second set time period; if so, proceeding to step 5, otherwise to step 6;
step 4, authenticating the user according to the user login information and judging whether the user has access rights to the target application system; if the user passes authentication and has access rights to the target application system, proceeding to step 5, otherwise returning an authentication failure or no-permission response to the client;
step 5, parsing the authentication parameters from the access request, generating authentication information from the parsed authentication parameters with the corresponding encryption algorithm, sending the authentication information to the client, and sending the access request together with the authentication information to the application server; the client stores the received authentication information and carries it in subsequent access requests;
step 6, verifying the authentication information carried by the access request; if verification passes, forwarding the access request to the application server, otherwise intercepting the access request and returning a request failure to the client.
Further, the access request sent by the client is received by one of a plurality of request receiving modules, and the method further comprises:
analyzing the load of the plurality of request receiving modules in real time through a load balancing server, and selecting the request receiving module with the lowest current load to receive and process the access request sent by the client.
Further, the first set period of time is 30 minutes.
Further, the second set period of time is 5 minutes.
Further, the access rights to the target application system are stored in the form of a rights matrix.
Advantageous effects: the invention can serve business systems built on different underlying technology stacks, provides a unified solution for user requests and system calls, and addresses the performance bottleneck that arises under large-scale business volume.
Drawings
Fig. 1 is a flowchart illustrating a cross-platform distributed unified authentication method according to an embodiment of the present invention.
Detailed Description
The invention is further illustrated below with reference to the accompanying drawings and specific examples, which are carried out on the basis of the technical solution of the invention; these examples only illustrate the invention and are not intended to limit its scope.
As shown in fig. 1, an embodiment of the present invention provides a cross-platform distributed unified authentication method, including:
step 1, receiving an access request sent by a client, where the type of the access request is either a user login access request or a system call access request; parsing the received access request to determine the type of the current access request and the target application system being accessed; proceeding to step 2 if the current access request is a user login access request, and to step 3 if it is a system call access request. Parsing the received access request yields information such as the URI and the access flag; the code table of the requested target application system is obtained from the correspondence between URI and code value, and the access flag distinguishes a user login access request from a system call access request.
Specifically, whether authentication information is carried can be determined from the structure of the access request: a message carrying authentication information has a Signature section. The Request type parameter in the request head distinguishes a user login access request from a system call access request, the user login access request type being 'User_Request' and the system call access request type being 'Sys_Request'.
The user login access request is shown in Figure BDA0003824927410000031 and Figure BDA0003824927410000041 (request listing not reproduced in the text).
The user login access request with authentication information is shown in Figure BDA0003824927410000042 and Figure BDA0003824927410000051 (request listing not reproduced in the text).
The system call access request is shown in Figure BDA0003824927410000052 (request listing not reproduced in the text).
The system call access request with authentication information is shown in Figure BDA0003824927410000053 and Figure BDA0003824927410000061 (request listing not reproduced in the text).
Step 2, judging whether the access request is the user's first request to access the target application system within a first set time period; if so, proceeding to step 4, otherwise to step 6. The first set time period is preferably 30 minutes.
Step 3, judging whether the access request is the calling system's first request to access the target application system within a second set time period; if so, proceeding to step 5, otherwise to step 6. The second set time period is preferably 5 minutes.
Step 4, authenticating according to the user login information and judging whether the user has access rights to the target application system; if the user passes authentication and has access rights to the target application system, proceeding to step 5, otherwise returning an authentication failure or no-permission response to the client. The user information comprises a system code value, a job number, a login password and the like. For authentication, the system code value, job number and login password are concatenated into a request string and sent to the authentication module of the user information management system, which returns an authentication success or failure result once authentication is complete. To judge whether the user has access rights to the target application system, the job number and the information on the target application system being requested are concatenated into a request string and sent to the permissions module of the user information management system; the access rights to the target application system are preferably stored in that permissions module in the form of a rights matrix, and a permission check result is returned according to the information in the request string.
Step 5, parsing the authentication parameters from the access request, generating JWT information (the authentication information) from the parsed authentication parameters with the corresponding encryption algorithm, sending the authentication information to the client, and sending the access request together with the authentication information to the application server; the client stores the received authentication information and carries it in subsequent access requests. Specifically, if the access request is a user login access request, the authentication parameters include the user's job number, login password, URI and similar parameters; if it is a system call access request, the authentication parameters include the port number, URI and similar parameters. The client stores the received JWT information in a Cookie and, in subsequent calls such as when the application system is accessed again, carries the JWT information in the Authorization field of the HTTP request header; the carried JWT information is used for authentication within the set time period. If the current user has access rights to several application systems, separate authentication information is generated and stored for each application system when that system is accessed for the first time; different application systems use different encryption algorithms, so the authentication information generated for each application system differs. The encryption algorithms are pre-stored in the mapping module between application systems and encryption algorithms, so the corresponding encryption algorithm can be called directly according to the target application system.
Step 6, verifying the authentication information carried by the access request; if verification passes, forwarding the access request to the application server, otherwise intercepting the access request and returning a request failure to the client. After receiving the access request, the application server decrypts the JWT information sent with it or carried in it using the corresponding decryption algorithm, then judges whether the JWT information is valid; if it is valid, the request result is returned to the client, and if not, the client is told that the call cannot be made and that authorization must be requested again.
In this embodiment of the invention, the load balancing server analyzes the load of the plurality of request receiving modules in real time and selects the request receiving module with the lowest current load to receive and process the access request sent by the client.
As the above embodiment shows, the invention distinguishes between application systems at the first request. For example: a user with job number 0001 and password ABCD recorded in the user information management service module logs in and is authenticated when first requesting access to application system A, and obtains authentication information for accessing application system A. When the user later accesses application system B for the first time, the user must request authentication information for application system B separately. Within the first set time period, when the user needs to access application system A or application system B again, the corresponding authentication information is carried in the access request.
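The six-step flow above (request type dispatch, first-access check within the 30-minute and 5-minute windows, authentication against a rights matrix, per-system JWT issuance, and verification on repeat requests) is modelled in the following added example, which is not code from the patent or its assignee. It assumes that "corresponding encryption algorithm" is realised as an HS256 signing key held per target application system, that the user store, URI-to-code table and rights matrix are in-memory constructed data, and that a request is represented as a dict of the request-head fields the description names (type, URI, job number and password or port, and the Authorization JWT).

```python
import base64
import hashlib
import hmac
import json

# Constructed data standing in for the patent's user information management
# system, URI-to-code table and per-system key material (all assumptions).
SYSTEM_KEYS = {"A": b"constructed-key-A", "B": b"constructed-key-B"}
URI_TO_SYSTEM = {"/sysA/api": "A", "/sysB/api": "B"}   # URI -> system code value
USERS = {"0001": "ABCD"}                                # job number -> password
RIGHTS_MATRIX = {"0001": {"A": True, "B": False}}       # rights matrix rows
USER_WINDOW = 30 * 60   # first set time period: 30 minutes
SYS_WINDOW = 5 * 60     # second set time period: 5 minutes

def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_jwt(system: str, claims: dict, now: int) -> str:
    """Step 5: build an HS256 JWT bound to one target system with that system's key."""
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64(json.dumps({**claims, "sys": system, "iat": now}).encode())
    sig = hmac.new(SYSTEM_KEYS[system], f"{header}.{payload}".encode(), hashlib.sha256)
    return f"{header}.{payload}.{_b64(sig.digest())}"

def verify_jwt(token: str, system: str, now: int, window: int):
    """Step 6: accept only a token signed with the target system's key and still
    inside its time window; returns the claims or None."""
    try:
        header, payload, sig = token.split(".")
        expected = hmac.new(SYSTEM_KEYS[system], f"{header}.{payload}".encode(),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(_unb64(sig), expected):
            return None
        claims = json.loads(_unb64(payload))
    except (ValueError, KeyError):
        return None
    if claims.get("sys") != system or "iat" not in claims or now - claims["iat"] > window:
        return None
    return claims

class Gateway:
    def __init__(self):
        self.last_issue = {}   # (principal, system) -> time the last token was issued

    def handle(self, req: dict, now: int) -> dict:
        system = URI_TO_SYSTEM.get(req.get("uri"))          # step 1: resolve target
        if system is None:
            return {"action": "reject", "reason": "unknown target system"}
        if req.get("type") == "User_Request":
            principal, window = req.get("job"), USER_WINDOW
        elif req.get("type") == "Sys_Request":
            principal, window = f"port:{req.get('port')}", SYS_WINDOW
        else:
            return {"action": "reject", "reason": "unknown request type"}
        last = self.last_issue.get((principal, system))
        if last is not None and now - last <= window:       # steps 2/3: not first
            claims = verify_jwt(req.get("authorization", ""), system, now, window)
            if claims is None or claims.get("sub") != principal:
                return {"action": "reject", "reason": "request failure"}   # step 6
            return {"action": "forward", "system": system}
        if req.get("type") == "User_Request":                # step 4
            stored = USERS.get(req.get("job"))
            given = str(req.get("password", "")).encode()
            if stored is None or not hmac.compare_digest(stored.encode(), given):
                return {"action": "reject", "reason": "authentication failure"}
            if not RIGHTS_MATRIX.get(req.get("job"), {}).get(system, False):
                return {"action": "reject", "reason": "no permission"}
        token = issue_jwt(system, {"sub": principal, "uri": req["uri"]}, now)   # step 5
        self.last_issue[(principal, system)] = now
        return {"action": "forward", "system": system, "token": token}
```

Because each system signs with its own key and the token carries the system code, a token issued for system A is rejected when presented to system B, which is the per-system separation the example in the text describes.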
The foregoing is only a preferred embodiment of the invention; parts not specifically described belong to the prior art or to the common general knowledge of those of ordinary skill in the art. Various improvements and modifications can be made without departing from the principle of the invention, and such improvements and modifications should also be regarded as within the scope of the invention.

Claims (5)

1. A cross-platform distributed unified authentication method, characterized by comprising the following steps:
step 1, receiving an access request sent by a client, where the type of the access request is either a user login access request or a system call access request; parsing the received access request to determine the type of the current access request and the target application system being accessed; proceeding to step 2 if the current access request is a user login access request, and to step 3 if it is a system call access request;
step 2, judging whether the access request is the user's first request to access the target application system within a first set time period; if so, proceeding to step 4, otherwise to step 6;
step 3, judging whether the access request is the calling system's first request to access the target application system within a second set time period; if so, proceeding to step 5, otherwise to step 6;
step 4, authenticating according to the user login information and judging whether the user has access rights to the target application system; if the user passes authentication and has access rights to the target application system, proceeding to step 5, otherwise returning an authentication failure or no-permission response to the client;
step 5, parsing the authentication parameters from the access request, generating authentication information from the parsed authentication parameters with the corresponding encryption algorithm, sending the authentication information to the client, and sending the access request together with the authentication information to the application server; the client stores the received authentication information and carries it in subsequent access requests;
step 6, verifying the authentication information carried by the access request; if verification passes, forwarding the access request to the application server, otherwise intercepting the access request and returning a request failure to the client.
2. The cross-platform distributed unified authentication method according to claim 1, wherein the access request sent by the client is received by one of a plurality of request receiving modules, the method further comprising:
analyzing the load of the plurality of request receiving modules in real time through a load balancing server, and selecting the request receiving module with the lowest current load to receive and process the access request sent by the client.
3. The cross-platform distributed unified authentication method according to claim 1, wherein the first set time period is 30 minutes.
4. The cross-platform distributed unified authentication method according to claim 1, wherein the second set time period is 5 minutes.
5. The cross-platform distributed unified authentication method according to claim 1, wherein the access rights to the target application system are stored in the form of a rights matrix.
Application CN202211056016.5A, priority date 2022-08-31, filing date 2022-08-31, Cross-platform distributed unified authentication method, status Pending, published as CN115514533A (en).

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211056016.5A CN115514533A (en) 2022-08-31 2022-08-31 Cross-platform distributed unified authentication method


Publications (1)

Publication Number Publication Date
CN115514533A true CN115514533A (en) 2022-12-23

Family

ID=84502500



Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination