CN115604033A - Micro service system access control method, device, equipment and storage medium - Google Patents


Info

Publication number: CN115604033A
Authority: CN (China)
Prior art keywords: service, authorization code, micro, information, authority
Legal status: Pending
Application number: CN202211545339.0A
Other languages: Chinese (zh)
Inventors: 徐霞, 杨健伟, 张社丽, 李衡, 严明镜
Current Assignee: Shenzhen Landray Software Co ltd
Original Assignee: Shenzhen Landray Software Co ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/083 Network architectures or network communication protocols for network security for authentication of entities using passwords
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources

Abstract

The embodiment of the invention provides a method, a device, equipment and a storage medium for controlling access to a microservice system, and relates to the technical field of artificial intelligence. The method comprises the following steps: the first back-end microservice generates a service authorization code according to the first service request information, and when a next operation is needed, the service authorization code and the second service request information are sent together, so that the second back-end microservice performs authority verification directly with the generated service authorization code. This avoids each microservice having to complete the whole authorize-send-verify process when several microservices must participate in the same service, overcomes the problem that access easily times out, reduces the complexity of authority verification among different microservices, and improves the access efficiency of the microservice system.

Description

Micro service system access control method, device, equipment and storage medium
Technical Field
The present invention relates to the field of computer technologies, and in particular, to a method, an apparatus, a device, and a storage medium for controlling access to a microservice system.
Background
The microservice architecture is a distributed framework primarily used to deploy applications and services in the cloud. In a microservice architecture a single application is developed as a set of microservices; each microservice runs in its own process and communicates through a lightweight mechanism, and the services are divided and built around business capabilities and deployed independently by a fully automated deployment mechanism. Different microservices may use different programming languages and different data storage technologies, keeping centralized management to a minimum.
In the related art, if one user service needs several microservices to provide service, separate authorization processes must be carried out between the different microservices, otherwise the corresponding service cannot be completed. However, the authorization process of each microservice is independent, so if a user service needs more microservices to participate, the authorization and permission verification processes are repeated, which easily causes service timeout.
Disclosure of Invention
The main purpose of the embodiments of the present application is to provide a method, an apparatus, a device and a storage medium for controlling access to a micro service system, so as to reduce the complexity of performing permission verification between different micro services and improve the access efficiency of the micro service system.
In order to achieve the above object, a first aspect of the embodiments of the present application provides an access control method for a micro service system, where the micro service system at least includes a first back-end micro service and a second back-end micro service, and the micro service system is configured such that different back-end micro services can generate a service authorization code that can be used for accessing other back-end micro services according to request information of a requesting entity; the method comprises the following steps:
a first back-end micro service receives first service request information of a request entity;
the first back-end micro service responds to the first service request information to generate first service response information and a service authorization code; the first service response information is generated by the first back-end micro service according to the first service request information; the first back-end micro service generates, for the requesting entity, the service authorization code for at least one second back-end micro service;
the first back-end micro service sends the first service response information and the service authorization code to the requesting entity;
the second back-end micro-service receives second service request information generated by the requesting entity based on the service authorization code;
the second back-end micro service performs authority verification on the service authorization code;
and according to the permission verification result, the second back-end micro-service responds to the second service request information to generate second service response information.
In an embodiment, the generating, by the first back-end micro service in response to the first service request information, first service response information and a service authorization code includes:
the first back-end micro-service responds to the first service request information to generate first service response information;
and generating the service authorization code according to the first service request information by utilizing an authority control module.
In an embodiment, the first service request information includes an access token, and the generating, by the authority control module, the service authorization code according to the first service request information includes:
judging whether to authorize or not by utilizing the authority control module according to the access token;
if the judgment result is that authorization is carried out, the authority control module generates the service authorization code according to a preset authorization code format.
In an embodiment, the first service request information further includes: requesting user information, operation file information and file authority information; the right control module generates the service authorization code according to a preset authorization code format, including:
generating an authorization code parameter according to the first service request information, where the authorization code parameter includes: requesting user parameters, operating file parameters and file authority parameters;
generating the service authorization code of the authorization code parameter based on the preset authorization code format.
In one embodiment, the operation file information includes an operation document class name and an operation document number; the generating the service authorization code of the authorization code parameter based on the preset authorization code format includes:
generating the operation file parameters according to the operation document class name and the operation document number, wherein the operation file parameters comprise an operation document class parameter and an operation document number parameter;
splicing the operation file parameters to the request user parameters to obtain first authorization code information;
and splicing the file permission parameters with the first authorization code information to obtain the service authorization code.
In an embodiment, after the generating the service authorization code of the authorization code parameter based on the preset authorization code format, the method further includes: encrypting the service authorization code by using a preset encryption algorithm and a preset key to obtain the encrypted service authorization code.
In one embodiment, the requesting user information is a user session number.
In an embodiment, the service authorization code includes at least one file right parameter, and different file right parameters are generated by separating with a preset separator.
In an embodiment, the performing, by the second back-end micro service, the authority verification on the service authorization code includes:
extracting the service authorization code from the second service request information, wherein the service authorization code is located at a preset position of the second service request information;
obtaining the authorization code parameter in the service authorization code;
and if the authorization code parameter meets the permission verification condition, the permission verification is passed.
In an embodiment, the authorization code parameter satisfying the authority verification condition so that the authority verification passes includes:
judging, according to the requesting user parameter, whether the current user is an authorized user, and if so, the first authority verification passes;
judging, according to the operation file parameter, whether the file requested to be operated on is an authorized file, and if so, the second authority verification passes;
judging, according to the file authority parameter, whether the file operation authority is an authorized interface, and if so, the third authority verification passes;
and if the first, second and third authority verifications all pass, the authority verification passes.
In an embodiment, the second service request information is http/https request information, and the service authorization code is located in the URL information, request header information, or request body information of the http/https request information.
In an embodiment, the sending the service authorization code to the requesting entity includes: and sending the service authorization code to the requesting entity by using a parameter transmission mode.
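The authorization code format described above (requesting user parameter, then the operation file parameters, then the separator-delimited file right parameters), its protection with a preset key, and the second microservice's extraction and three-part authority verification are shown together in the following added Python example, which is not part of the patent. The field separators, the header and query-parameter names, and the shared key are assumptions, and HMAC-SHA256 stands in for the patent's unspecified preset encryption algorithm: it makes the code tamper-evident but does not hide its contents.

```python
import base64
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional
from urllib.parse import parse_qs, urlparse

# Assumed preset authorization code format (the patent does not fix one):
#   <sessionId>;<documentClassName>;<documentId>;<right1,right2,...>
FIELD_SEP = ";"          # separates the authorization code parameters
RIGHT_SEP = ","          # preset separator between file right parameters
HEADER_NAME = "X-Service-Authorization-Code"   # assumed header position
QUERY_NAME = "authCode"                        # assumed URL / body position
# Constructed demo secret shared by the back-end microservices (assumption).
SHARED_KEY = b"constructed-demo-key-shared-by-backend-microservices"


@dataclass(frozen=True)
class AuthCodeParams:
    """Authorization code parameters derived from the first service request."""
    session_id: str        # requesting user parameter
    document_class: str    # operation document class parameter
    document_id: str       # operation document number parameter
    rights: tuple          # file right parameters, e.g. ("download", "edit")


def build_authorization_code(params: AuthCodeParams) -> str:
    """First back-end microservice: splice the parameters, then protect them."""
    fields = [params.session_id, params.document_class, params.document_id, *params.rights]
    if not params.rights or any(not f or FIELD_SEP in f or RIGHT_SEP in f for f in fields):
        raise ValueError("parameter is empty or contains a separator")
    # Splice the operation file parameters onto the requesting user parameter ...
    first_info = FIELD_SEP.join([params.session_id, params.document_class, params.document_id])
    # ... then splice the file right parameters onto that first authorization code information.
    plain = FIELD_SEP.join([first_info, RIGHT_SEP.join(params.rights)]).encode()
    # HMAC-SHA256 stands in for the patent's unspecified preset algorithm and key.
    tag = hmac.new(SHARED_KEY, plain, hashlib.sha256).digest()
    return f"{base64.urlsafe_b64encode(plain).decode()}.{base64.urlsafe_b64encode(tag).decode()}"


def parse_authorization_code(code: str) -> Optional[AuthCodeParams]:
    """Second back-end microservice: reject tampered codes, then recover the parameters."""
    try:
        body_b64, tag_b64 = code.split(".", 1)
        plain = base64.urlsafe_b64decode(body_b64)
        tag = base64.urlsafe_b64decode(tag_b64)
    except (ValueError, TypeError):
        return None
    expected = hmac.new(SHARED_KEY, plain, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None                       # altered by the client or in transit
    parts = plain.decode().split(FIELD_SEP)
    if len(parts) != 4:
        return None
    session_id, doc_class, doc_id, rights = parts
    return AuthCodeParams(session_id, doc_class, doc_id, tuple(rights.split(RIGHT_SEP)))


def extract_authorization_code(request: dict) -> Optional[str]:
    """Look for the code at the preset positions: header, then URL query, then body.

    The request is a constructed dict; "body" is assumed to be an already-parsed
    form or JSON object.
    """
    headers = {k.lower(): v for k, v in request.get("headers", {}).items()}
    if HEADER_NAME.lower() in headers:
        return headers[HEADER_NAME.lower()]
    query = parse_qs(urlparse(request.get("url", "")).query)
    if QUERY_NAME in query:
        return query[QUERY_NAME][0]
    return request.get("body", {}).get(QUERY_NAME)


def verify_permission(request: dict) -> dict:
    """Run the three authority checks from the patent and report each result.

    The request dict also carries what the second microservice knows about the
    caller: its current session id, the file it wants and the operation.
    """
    result = {"first": False, "second": False, "third": False, "passed": False}
    code = extract_authorization_code(request)
    params = parse_authorization_code(code) if code else None
    if params is None:
        return result
    # First check: the requesting user parameter names the current (authorized) user.
    result["first"] = params.session_id == request["session_id"]
    # Second check: the operation file parameters match the file being requested.
    result["second"] = (params.document_class, params.document_id) == (
        request["document_class"], request["document_id"])
    # Third check: the requested operation is among the granted file right parameters.
    result["third"] = request["operation"] in params.rights
    result["passed"] = result["first"] and result["second"] and result["third"]
    return result
```

A client holding a valid code cannot widen its own rights by editing the rights field, because the second microservice recomputes the tag before it parses any parameter.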
In order to achieve the above object, a second aspect of the embodiments of the present application provides an access control device for a micro service system, where the micro service system includes at least a first back-end micro service and a second back-end micro service, and the micro service system is configured such that different back-end micro services can generate a service authorization code that can be used to access other back-end micro services according to request information of a requesting entity; the device comprises:
the first request receiving module is used for receiving first service request information of a request entity by the first back-end micro service;
a first request response module, configured for the first back-end micro service to respond to the first service request information and generate first service response information and a service authorization code; the first service response information is generated by the first back-end micro service according to the first service request information; the first back-end micro service generates, for the requesting entity, the service authorization code for at least one second back-end micro service;
a service authorization code sending module, configured to send, by the first backend microservice, the first service response information and the service authorization code to the requesting entity;
a second request receiving module, configured to receive, by a second back-end micro service, second service request information generated by the requesting entity based on the service authorization code;
the authority verification module is used for the second back-end micro service to carry out authority verification on the service authorization code;
and the second request response module is used for the second back-end micro service to respond to the second service request information according to the permission verification result and generate second service response information.
In order to achieve the above object, a third aspect of the embodiments of the present application provides an electronic device, which includes a memory and a processor, where the memory stores a computer program, and the processor implements the method of the first aspect when executing the computer program.
To achieve the above object, a fourth aspect of the embodiments of the present application proposes a storage medium, which is a computer-readable storage medium, and the storage medium stores a computer program, and the computer program, when executed by a processor, implements the method of the first aspect.
According to the method, device, equipment and storage medium for controlling access to the microservice system, the first back-end microservice receives first service request information from a requesting entity, responds to it by generating first service response information and a service authorization code, and sends the service authorization code to the requesting entity; the second back-end microservice receives second service request information that the requesting entity generated based on the service authorization code, performs authority verification on the service authorization code, and, if the verification passes, responds to the second service request information by generating second service response information. Because the first back-end microservice generates the service authorization code from the first service request information, and the service authorization code is sent together with the second service request information when a subsequent operation is needed, the second back-end microservice can perform authority verification directly with the generated code. This avoids each microservice having to complete the whole authorize-send-verify process when several microservices must participate in the same service, overcomes the problem that access easily times out, reduces the complexity of authority verification among different microservices, and improves the access efficiency of the microservice system.
Drawings
Fig. 1 is a schematic structural diagram of a microservice system according to an embodiment of the present invention.
Fig. 2 is a flowchart of a method for controlling access to a microservice system according to an embodiment of the present invention.
Fig. 3 is a flowchart of step S120 in Fig. 2.
Fig. 4 is a flowchart of step S122 in Fig. 3.
Fig. 5 is a flowchart of step S1222 in Fig. 4.
Fig. 6 is a flowchart of step S1224 in Fig. 5.
Fig. 7 is a schematic diagram of an encryption process of the access control method for a microservice system according to an embodiment of the present invention.
Fig. 8 is a schematic diagram of a packet encryption process of the access control method for the microservice system according to the embodiment of the present invention.
Fig. 9 is a flowchart of step S150 in Fig. 2.
Fig. 10 is a flowchart of step S153 in Fig. 9.
Fig. 11 is a flowchart of a method for controlling access to a microservice system according to another embodiment of the present invention.
Fig. 12 is a flowchart of a method for controlling access to a microservice system according to another embodiment of the present invention.
Fig. 13 is a flowchart of a method for controlling access to a microservice system according to another embodiment of the present invention.
Fig. 14 is a block diagram of a microservice system access control device according to still another embodiment of the present invention.
Fig. 15 is a schematic diagram of a hardware structure of an electronic device according to an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, the present invention is further described in detail below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are merely illustrative of the invention and do not limit the invention.
It should be noted that although functional blocks are partitioned in a schematic diagram of an apparatus and a logical order is shown in a flowchart, in some cases, the steps shown or described may be performed in a different order than the partitioning of blocks in the apparatus or the order in the flowchart.
Unless defined otherwise, all technical and scientific terms used herein have the same meaning as commonly understood by one of ordinary skill in the art to which this invention belongs. The terminology used herein is for the purpose of describing embodiments of the invention only and is not intended to be limiting of the invention.
The microservice architecture is a distributed framework primarily used to deploy applications and services in the cloud. In a microservice architecture a single application is developed as a set of microservices; each microservice runs in its own process and communicates through a lightweight mechanism, and the services are divided and built around business capabilities and deployed independently by a fully automated deployment mechanism. Different microservices may use different programming languages and different data storage technologies, keeping centralized management to a minimum.
The applicant finds that, in the related art, each service under the microservice architecture runs on an independent Java virtual machine; the databases of the services are independent of each other, and their permissions are independent of each other, with no dependency relationship except for the defined interfaces. The external data interface of each service is controlled by that service's own authority, and each service has an independent authentication mechanism: when the front end needs to access a certain interface, the current user must hold the authority of that service, otherwise the current user has no access. If one user service needs several microservices to provide service, each microservice completes its part of the business process independently, and separate authorization processes must be carried out between the different microservices, otherwise the corresponding service cannot be completed. However, the authorization process of each microservice is independent, so if a user service needs more microservices to participate, the authorization and permission verification processes are repeated, which easily causes service timeout.
Based on this, embodiments of the present invention provide a method, an apparatus, a device, and a storage medium for controlling access to a micro service system, where a first back-end micro service generates a service authorization code according to first service request information, and when a next operation needs to be performed, the service authorization code and second service request information are sent in a combined manner, so that a second back-end micro service directly performs permission verification by using the generated service authorization code, thereby avoiding that when a plurality of micro services need to participate in the same service, each micro service needs to complete the whole authorization process of authorization, sending, and verification, overcoming the problem of easy access timeout, reducing complexity of permission verification between different micro services, and improving access efficiency of the micro service system.
Embodiments of the present invention provide a method, an apparatus, a device, and a storage medium for controlling access to a microservice system, which are described in the following embodiments. First, an access control method for a microservice system in an embodiment of the present invention is described.
In order to facilitate understanding of the embodiments of the present application, the following first describes a microservice system in the embodiments of the present application.
Referring to fig. 1, the microservice system 100 includes: a plurality of microservices 200 (illustrated as 3 microservices).
In one embodiment, each microservice 200 has an authority control module disposed in it. In other embodiments, the authority control module may also be configured independently, with each microservice 200 connected to it; the specific location of the authority control module is not limited. The authority control module is used for generating the service authorization code and verifying authority.
The first backend microservice and the second backend microservice both belong to the plurality of microservices 200 in fig. 1, and the authority control module may be integrated with the first backend microservice and the second backend microservice, or may be an independent module, which is not specifically limited in this embodiment.
In one embodiment, a requesting entity 10 sends a service request to the microservice system 100, the service request is transmitted to a microservice 200 providing service, the microservice 200 performs permission verification on the service request by using a permission control module, and if the permission verification passes, the microservice 200 providing service provides service to the requesting entity and returns service data. It will be appreciated that the requesting entity may be a mobile device application or a network application or the like.
In an embodiment, the microservice system 100 needs more than one microservice 200 to provide service in turn in order to fulfil the service request sent by the requesting entity. For example, if the service implementation sequence is microservice A, microservice B and microservice C: microservice A responds to the service request and completes its part of the content, and the response data is returned to the requesting entity; the requesting entity then requests service from microservice B, which responds to the service request and completes its part, and the response data is returned to the requesting entity; the requesting entity then requests service from microservice C, which responds to the service request and completes its part.
The following describes a method for controlling access to a microservice system in an embodiment of the present invention.
Fig. 2 is an alternative flowchart of a method for controlling access to a microservice system according to an embodiment of the present invention, where the method in fig. 2 may include, but is not limited to, step S110 to step S170. Meanwhile, it is understood that, in this embodiment, the sequence from step S110 to step S170 in fig. 2 is not specifically limited, and the step sequence may be adjusted or some steps may be reduced or increased according to actual requirements.
Step S110: the first back-end micro-service receives first service request information of a request entity.
In an embodiment, the micro service system includes at least a first back-end micro service and a second back-end micro service, and the micro service system is configured such that different back-end micro services can generate a service authorization code that can be used to access other back-end micro services according to the request information of the requesting entity. In this embodiment, the first backend microservice is a backend microservice for which the request entity first sends a request, and it can be understood that any backend microservice in the microservice system of this embodiment can be used as the first backend microservice to receive request information sent by the request entity. That is, the rule may be agreed in advance in the microservice system: different back-end micro services can be mutually authorized, and a certain back-end micro service can be used as a first back-end micro service to receive first service request information and generate a service authorization code for accessing other back-end micro services.
In an embodiment, the service authorization code generated by the first backend microservice may be an access right to access one backend microservice, or may be an access right to access a plurality of different backend microservices.
In an embodiment, a requesting entity receives a user's operation information through a user interface and generates first service request information according to that operation information. The first service request information represents a call to the microservice system to complete the corresponding application function, and identifies all back-end microservices needed to complete that function.
Step S120: the first back-end micro-service responds to the first service request information and generates first service response information and a service authorization code.
In an embodiment, the first back-end micro service is configured to generate, for the requesting entity, a service authorization code for at least one second back-end micro service. Referring to fig. 3, which is a flowchart illustrating a specific implementation of step S120 in an embodiment, step S120, in which the micro service responds to the first service request information and generates first service response information and a service authorization code, includes:
step S121: and the first back-end micro-service responds to the first service request information to generate first service response information.
In an embodiment, the first service request message includes service information. The micro-service system selects more than one micro-service for executing the business according to the business information and generates an access sequence. And sending the access token to a first micro service according to the access sequence, wherein the first micro service is a first back-end micro service, and the first back-end micro service responds to the first service request information to generate corresponding first service response information.
Step S122: and generating a service authorization code by using the authority control module according to the first service request information.
In an embodiment, the first service request information further includes an access token, and the access token characterizes user information of the requesting entity. And the first back-end micro-service authenticates the user identity of the requesting entity to the authority control module according to the access token to generate a service authorization code.
In an embodiment, referring to fig. 4, which is a flowchart illustrating a specific implementation of step S122 in an embodiment, step S122, in which the authority control module generates the service authorization code according to the first service request information, includes:
step S1221: and judging whether to authorize or not by using the authority control module according to the access token.
Step S1222: if the judgment result is that authorization is carried out, the authority control module generates a service authorization code according to a preset authorization code format.
In an embodiment, the access token includes an application number, denoted App Id, and the authority control module determines from the application number whether the requesting entity that sent the first service request information is an authorized requesting entity, that is, whether the microservice system can implement the service request of that application. If the judgment result is that authorization is carried out, the service request of the requesting entity is authorized.
In an embodiment, when the authorization control module determines that authorization needs to be performed on the requesting entity, the authorization control module generates a service authorization code according to a preset authorization code format.
In an embodiment, the service information of the first service request information further includes: requesting user information, operating file information and file authority information.
The requesting user information is the session number of the application through which the requesting entity requests the service. Since http is a stateless protocol, when a requesting entity sends a service request to the microservice system, the microservice system does not know whether the request is the 1st or the nth request of that requesting entity; therefore, in this embodiment, request information is associated through a session number, and the session number can serve as a unique user identifier. For example, under a framework such as Spring or a container such as Tomcat, the session number can be used to indicate that different service requests correspond to the unique identification information of the same user.
In one embodiment, the operation file information includes the operation document class name and the operation document number; that is, in this embodiment, the service request sent by the requesting entity is related to a file operation. The operation document class name represents the document name corresponding to the requested data when the corresponding service is requested, and combined with the operation document number it represents the data item for which authority is granted when the authority is checked. For example, if configuration file 1 needs to be downloaded, the operation document class name may be "configuration file" and the operation document number may be "1".
In an embodiment, the file authority information indicates the authority granted to the user to operate on configuration file 1. For example, the file authority information includes: the authority can be selected according to actual requirements and is not limited to the above. It can be understood that the file authority information represents that the requesting entity can not only access the file in the back-end microservice but also perform operations such as editing and deleting on it.
In an embodiment, referring to fig. 5, which is a flowchart of a specific implementation of step S1222 according to an embodiment, step S1222, in which the authority control module generates the service authorization code according to the preset authorization code format, includes:
step S1223, generating an authorization code parameter according to the first service request information.
Step S1224, generating a service authorization code corresponding to the authorization code parameter based on the preset authorization code format.
In an embodiment, the first service request information carries request user information, operation file information and file authority information, and the corresponding authorization code parameters are: a requesting user parameter (denoted sessionId), an operation file parameter, and a file authority parameter (denoted file authority). It can be understood that generating the authorization code parameters is a format conversion that parameterizes the request user information, the operation file information and the file authority information into a character format the system can operate on.
In an embodiment, referring to fig. 6, which is a flowchart illustrating a specific implementation of step S1224 in an embodiment, in this embodiment, the step S1224 of generating a service authorization code of an authorization code parameter based on a preset authorization code format includes:
step S1225: and generating an operation file parameter according to the operation document class name and the operation document number.
In one embodiment, since the operation file information includes: the operation document class name and the operation document number, and thus the operation file parameters include: an operation document class parameter (denoted as document class name) and an operation document number parameter (denoted as document ID).
Step S1226: and splicing the parameters of the operation file with the parameters of the requesting user to obtain first authorization code information.
Step S1227: and splicing the file permission parameter with the first authorization code information to obtain a service authorization code.
In one embodiment, the preset authorization code format of the service authorization code is: "requesting user parameter; operation document class parameter # operation document number parameter; file authority parameter", that is: "sessionId;documentClassName#documentID;fileAuthority". The ";" separates the three parts and the "#" joins the operation document class parameter to the operation document number parameter.
In an embodiment, the service authorization code includes at least one file authority parameter; that is, the service requested by the user may involve several file operation authorities, for example editing and deleting, so different file authority parameters are separated by a preset delimiter. The preset delimiter may be a symbol such as "/", "-" or "&", as long as it distinguishes the different file authority parameters.
As can be seen from the above, in the embodiment of the present application, the request user parameter, the operation file parameter, and the file authority parameter are arranged according to the format of the preset authorization code.
In an embodiment, for security, the obtained service authorization code is encrypted, for example with a preset encryption algorithm and a preset key, to obtain an encrypted service authorization code.
It can be understood that, to avoid the generated ciphertext service authorization code becoming a long string that grows with the number of authorities, the embodiment of the present application may encrypt only selected authorization code parameters.
In one embodiment, the preset encryption algorithm is AES (Advanced Encryption Standard), a symmetric block cipher, meaning that encryption and decryption use the same preset key. Specifically, this embodiment uses the ECB mode of AES, in which the plaintext is divided into blocks of equal length and each block is encrypted independently with the key.
Fig. 7 is a schematic diagram of an encryption process according to an embodiment of the present application.
An encrypting party (such as the authority control module) encrypts the plaintext service authorization code P with the AES encryption function and the preset key K to obtain the ciphertext service authorization code C. If a subsequent decrypting party (for example, a certain microservice) needs to decrypt C, it applies the AES decryption function with the same preset key K used for encryption and obtains the plaintext service authorization code P. Then, according to the preset authorization code format, the requesting user parameter, the operation file parameter and the file authority parameter are extracted from the plaintext service authorization code.
In one embodiment, encrypting the service authorization code is a block encryption process. Referring to fig. 8, the plaintext service authorization code P is first divided into independent plaintext blocks Pi of a preset block length, each plaintext block Pi is encrypted with the AES encryption function and the preset key K to produce the corresponding ciphertext block Ci, and all ciphertext blocks Ci are concatenated in order to obtain the ciphertext service authorization code C. The preset block length may be 128 bits.
In an embodiment, if the last plaintext block obtained by dividing P at the preset block length is shorter than the preset block length, it is padded. For example, if P is 192 bits long and the preset block length is 128 bits, dividing P into 128-bit blocks leaves a second block of only 64 bits, which therefore needs padding. The padding method of this embodiment is the one Java names PKCS5Padding (PKCS#7 padding for a 16-byte block): the plaintext is always extended by k bytes, each with the value k, where k is the number of bytes (1 to 16) needed to reach the next multiple of 16 bytes (128 bits); a plaintext that is already a multiple of 16 bytes therefore receives a full block of 16 padding bytes. It can be understood that decryption must remove the padding according to the padding method used in encryption, and must check that the padding bytes are well formed before accepting the plaintext.
It is understood that the encryption key of the embodiment of the present application can be freely defined or obtained in a configuration file.
As can be seen from the above, in the embodiment of the present application, according to the format of the preset authorization code, the request user parameter, the operation file parameter, and the file authority parameter are arranged to obtain the plaintext service authorization code, and then the encrypted service authorization code is generated according to the preset encryption manner and the preset key.
Step S130: and sending the first service response information and the service authorization code to the requesting entity.
In an embodiment, the microservice system invokes the first back-end microservice to respond to the first service request information and generate the corresponding first service response information, and sends the first service response information and the service authorization code to the requesting entity together.
In an embodiment, the first back-end microservice of the microservice system passes the service authorization code to the requesting entity as a parameter; that is, the service authorization code is converted into URL parameter form and sent to the requesting entity.
Step S140: and the second back-end micro-service receives second service request information generated by the requesting entity based on the service authorization code.
In an embodiment, the requesting entity generates second service request information after receiving the serving authorization code and the first service response information, where the second service request information is generated based on the first service response information and includes the serving authorization code.
Step S150: and performing authority verification on the service authorization code by using the second back-end micro service.
In an embodiment, the micro service system selects the micro service executing the service request according to the second service request information as a second back-end micro service, and the second back-end micro service needs to perform permission verification before executing the second service request information to ensure security.
In an embodiment, referring to fig. 9, which is a flowchart illustrating a specific implementation of step S150 in an embodiment, in the embodiment, the step S150 of performing the permission check on the service authorization code by using the second backend microservice includes:
step S151: and extracting a service authorization code from the second service request information, wherein the service authorization code is positioned at a preset position of the second service request information.
In an embodiment, the second service request information is http/https request information, and the serving authorization code is located in the second service request information. For example, the location may be in URL information of http/https request information, request header information, or request body information, where the location of the authorization code is not limited.
Step S152: and obtaining the authorization code parameter in the service authorization code.
In an embodiment, after obtaining the serving authorization code, according to a preset authorization code format, the following is obtained from the serving authorization code: requesting user parameters, operating file parameters and file authority parameters, wherein the operating file parameters comprise: an operation document class parameter and an operation document number parameter.
Step S153: and if the authorization code parameter meets the authority verification condition, the authority verification is passed.
In an embodiment, referring to fig. 10, which is a flowchart illustrating a specific implementation of step S153 in an embodiment, in this embodiment, the step S153 of performing the authority check on the service authorization code by using the second backend microservice includes:
step S1531: and judging that the current user is an authorized user according to the request user parameter, and passing the first permission verification.
In an embodiment, the user identity is first determined, that is, whether the current user is an authorized user is determined according to the request user parameter, and if the current user is an authorized user, the first permission check is passed.
Step S1532: and judging that the file requested to be operated is an authorized file according to the operation file parameters, and checking the second authority to pass.
In an embodiment, on the premise that the user identity is legal, whether the file requested to be operated is an authorized file or not is judged according to the operation file parameters, namely the file beyond the operation authority cannot be operated, and if the file is the authorized file, the second authority is verified to be passed.
Step S1533: judging, according to the file authority parameter, that the requested file operation corresponds to an authorized interface, whereupon the third authority check passes.
In one embodiment, the authorized interfaces correspond to the several file operation authorities: a view interface, an edit interface, a delete interface, and so on. On the premise that the requested file is an authorized file, whether the requested file operation is an authorized interface is judged from the file authority parameter; if the interface being called falls within the authorized interfaces, the third authority check passes.
Step S1534: and if the first right check is passed, the second right check is passed and the third right check is passed, the right check is passed.
As can be seen from the above, the authority check is passed only if the first authority check passes, the second authority check passes and the third authority check passes, and the three kinds of authority checks pass.
Step S160: and according to the permission verification result, the second back-end micro-service responds to the second service request information to generate second service response information.
In an embodiment, if the permission check is passed, the micro service system responds to the second service request information by using the second back-end micro service, and generates second service response information.
Therefore, in the embodiment of the application, the first back-end microservice generates the service authorization code from the first service request information, and when the next operation is needed the service authorization code is sent together with the second service request information, so that the second back-end microservice performs the authority check directly on the already generated service authorization code. This avoids the situation in which, when the same service requires several microservices to participate, each microservice has to complete the whole authorize-send-verify authorization process; it solves the problem that access easily times out, reduces the complexity of authority checking between different microservices, and improves the access efficiency of the microservice system.
The service authorization code of this embodiment does not need to be stored, which avoids the remote access or data storage that an authorization and authentication process would otherwise require and that easily leads to timeouts. The service authorization code can also be extended or superimposed for different authorizations on the same document; that is, after decryption at any point in the code path of a single request, further authorizations can be added, which broadens the usage scenarios of file authorization. Meanwhile, the service authorization code is carried by the front end: it is presented when services of other microservices are requested, and after those microservices decode it with the same encryption key they can check the individual authorization code parameters, judging whether the authorized user matches the current user, whether the authorized document is the one requested, and whether the authorized authority matches the interface authority of the current request, which improves task processing efficiency. Further, since the requesting user information is the session number of the requesting entity's application session, the service authorization code automatically becomes invalid when the user logs out or the session times out, which improves its security. The encrypted content can also be adjusted flexibly to actual requirements; for example, when the authorized authority need not be distinguished, the authority part can be omitted.
A specific flow of the method for controlling access to a microservice system according to the embodiment of the present application is described below with a specific embodiment.
In this embodiment, the microservice system needs two microservices to fulfil the service request sent by the requesting entity, executed in the order microservice A (the first back-end microservice), then microservice B (the second back-end microservice); microservices A and B can complete their parts of the service process independently of each other. Microservice A first responds to the service request and completes its part, then the response data and the authorization code are passed on (via the requesting entity) to microservice B, which responds to the service request and completes its part; in this process, each microservice completes the authority check using the authority control module.
Fig. 11 is a schematic diagram of a first back-end micro-service processing flow of the micro-service system access control method in the embodiment of the present application.
Since the first service request information of the requesting entity needs to be processed by the first backend microservice, step S1110 acquires the first service request information from the user interface of the requesting entity, where the first service request information includes service information, and the microservice system selects the first backend microservice for executing the service according to the service information, so that the main entry of the first service request information is connected to the first backend microservice.
In this embodiment, the first service request information further includes an access token, which represents the user information of the requesting entity. In step S1120, the first back-end microservice requests the authority control module to authenticate the user identity of the requesting entity according to the access token; in step S1130 the authority control module determines from the access token whether to authorize; if so, step S1140 performs the authorization and the authority control module generates a service authorization code according to the preset authorization code format; otherwise, step S1150 rejects the authorization and returns the result of the authorization request to the first back-end microservice.
In this embodiment, the authorization in step S1140, and the process of the authorization control module generating the service authorization code according to the preset authorization code format specifically includes:
the service information of the first service request information further includes: requesting user information, operating file information and file authority information, wherein obtaining corresponding authorization code parameters corresponding to the first service request information comprises: the requesting user parameter (denoted sessionId), the operation file parameter, and the file authority parameter (denoted file authority), since the operation file information includes: the operation document class name and the operation document number, and thus the operation file parameters include: an operation document class parameter (denoted as document class name) and an operation document number parameter (denoted as document ID). The authorization code parameter is used for parameterizing the information of the requesting user, the information of the operation file and the information of the file authority.
The preset authorization code format of the service authorization code is as follows: "request user parameters; operation document class parameter # operation document number parameter; file rights parameter ", expressed as: "sessionId, # document class name, # document ID, # file rights".
In this embodiment, the encryption and decryption algorithm of the serving grant code is an AES encryption algorithm, and the working mode is as follows: ECB encryption mode, filling mode: PKCS5, and convert the encrypted cipher text service authorization code, the conversion mode is: and (4) performing Base64.EncodeBase64URLSafestring conversion, wherein the conversion aims to convert the ciphertext service authorization code into a url parameter form, and transcoding is not required in the subsequent processing process.
And sending the first service response information and the service authorization code to a requesting entity according to the first service response information and the service authorization code generated by the first back-end micro service according to the first service request information, so as to obtain second service request information generated by the requesting entity.
Fig. 12 is a schematic diagram of a second back-end micro-service processing flow of the micro-service system access control method in the embodiment of the present application.
Since the second service request information of the requesting entity needs to be processed by a second backend microservice (different from the first backend microservice). Step S1210 obtains second service request information from the user interface of the requesting entity, where the second service request information is generated based on the first service response information and includes a service authorization code. In step S1220, the second backend microservice performs permission check on the service authorization code, if the permission check is passed, step S1230 responds to the second service request information by using the second backend microservice, step S1240 returns the generated second service response information, and if the permission check is not passed, the second service response information is no permission.
In this embodiment, the process of the second backend microservice performing the permission check on the service authorization code in step S1220 is as follows: and extracting the second service request information to obtain a service authorization code, then obtaining an authorization code parameter in the service authorization code by using a decryption mode which is the same as the encryption mode, and if the authorization code parameter meets the authorization verification condition, the authorization verification is passed.
The checking process comprises the following steps:
First, according to the requesting user parameter (sessionId), it is judged that the current user is the authorized user, and the first authority check passes; then, according to the operation file parameters (document ID and document class name), it is judged that the file requested for operation is an authorized file, and the second authority check passes; and when, according to the file authority parameter (document authority), the requested file operation is judged to correspond to an authorized interface, the third authority check passes. The authority check as a whole passes only when the first, second and third authority checks all pass. During the authority check, data can be processed, for example queried, by document ID and document class name.
Referring to fig. 13, a detailed flow of a micro service system access control method according to another embodiment of the present application is shown.
The figure comprises a request entity, a first back-end micro service and a second back-end micro service, wherein the request entity is a front end of a business module, the first back-end micro service is a back end of the business module, and the second back-end micro service is an accessory back-end service.
The first back-end micro service and the second back-end micro service are integrated with an authority control module, so that the first back-end micro service comprises a service execution module and an authority control module which respectively execute service operation and authority control, and similarly, the second back-end micro service also comprises a service execution module and an authority control module which respectively execute service operation and authority control.
The method comprises the steps that a requesting entity sends first service request information through a viewing page (namely a user interface), a first back-end micro-service is called, the first service request information is sent to the first back-end micro-service, a service processing module of the first back-end micro-service applies an authority control module to carry out user identity authentication on the requesting entity according to the first service request information, the authority control module carries out authorization according to an access token, if the authorization is successful, a service authorization code is generated and returned to the first back-end micro-service, and the first back-end micro-service returns first service response information and the service authorization code to the requesting entity.
And then the requesting entity generates second service request information based on the first service response information, calls an interface of a second back-end micro-service, and sends the second service request information to the second back-end micro-service, wherein the second service request information comprises a service authorization code. And the service execution module of the second back-end micro service sends the service authorization code to the authority control module, acquires the authorization code parameter in the service authorization code by using a decryption mode which is the same as the encryption mode, and if the authorization code parameter meets the authority verification condition, the authority verification is passed. And the authority control module sends the result of passing the authority verification to the second back-end micro-service. The second backend microservice generates second service response information according to the second service request information, for example, the second backend microservice may provide microservice for the requesting entity to provide the attachment service, and correspondingly, the second service response information may allow the requesting entity to download the attachment.
In this embodiment, the authorization code parameter is expressed as:
request user parameter (sessionId):
MGUyOTA5NzMtYTcyZC00ZmMzLTkzM2YtNWQ0YWI3NDVlNGU0;
operation document class parameter (document class name):
com.landray.sys.xform.core.entity.official.SysXFormOfficial;
operational document number parameter (document ID): 1g6v5lf07w572w4adw3p08js1slobm02ciw0;
file authority parameter (file authority): attachGetAll;
the preset key is as follows:
{-122,47,-49,-55,-14,-99,-51,-69,-2,124,-80,45,27,76,-17,93}
generating a plaintext service authorization code according to the parameters according to a preset authorization code format ' sessionId ', a document class name # document ID and a file authority ', and then encrypting based on an AES encryption mode, wherein a ciphertext service authorization code obtained by utilizing the preset secret key is expressed as:
TpfpROYGLURxadEn1CHgxvcgQPw_YrBDA6H9kdWZc0ldBaGbEOF5r0szxvwv4CJzAOhi5NghDaafTRfDyZt1pq0yzaTMi1WBoJ0rrgnP5msB2PEjOeu0hsugAmAYwEUVe193GL7Y-BMNw34VSbU0BMmw3HCJt3xBMg6psbbghYxIa57dUHnlzr7ReFSQmZ5pFMYQXOZrqJd-6Lo6fz32TA
Since the attachment download request protocol is HTTPS, the generated ciphertext service authorization code is passed to the requesting entity as a parameter (mechAuthToken), and the second service request information generated by the requesting entity based on the first service response information is represented as:
https://test.ywork.me/data/sys-attach/checkDownload/1g6v5l3tuw57lwg7dwfpspnbnlcpbp2bjiw0?mechAuthToken=TpfpROYGLURxadEn1CHgxvcgQPw_YrBDA6H9kdWZc0ldBaGbEOF5r0szxvwv4CJzAOhi5NghDaafTRfDyZt1pq0yzaTMi1WBoJ0rrgnP5msB2PEjOeu0hsugAmAYwEUVe193GL7Y-BMNw34VSbU0BMmw3HCJt3xBMg6psbbghYxIa57dUHnlzr7ReFSQmZ5pFMYQXOZrqJd-6Lo6fz32TA
As can be seen from the "mechAuthToken" part of the second service request information, it contains the ciphertext service authorization code, located in the URL information.
Meanwhile, the "X-AUTH-TOKEN" header of the second service request information carries the user identity information in a stateless manner and is used for verifying the authorization code in the next step, where:
X-AUTH-TOKEN =1gf7sauasw89w4eqws9bjnp16h15ork0jbw0
and decrypting the ciphertext service authorization code by using a preset key and the same decryption algorithm to obtain an authorization code parameter in the service authorization code, and if the authorization code parameter meets the authorization verification condition, verifying the authorization.
The requesting user parameter (sessionId) is compared with the current user identity information; that is, the user identity information X-AUTH-TOKEN carried in the header is compared with the sessionId obtained by decrypting the service authorization code, and if the current user is the authorized user, the first authority check passes. Then, according to the operation file parameters (document ID and document class name), it is judged whether the file requested for operation is a file existing in the second back-end microservice; if so, the second authority check passes. Then, according to the file authority parameter (document authority), it is judged whether the requested file operation is consistent with the granted file authority; if so, the third authority check passes. When the first, second and third authority checks all pass, the authority check passes and the document download, query, modification or deletion operation can be performed.
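The following is an added example, not code from the patent or from the applicant's product, showing in Go the service authorization code of the concrete embodiment above end to end: the four parameter values listed above are laid out in the preset format "sessionId;documentClassName#documentID;fileAuthority", padded with PKCS#7 (Java's PKCS5Padding), encrypted block by block with AES in ECB mode under the listed preset key, encoded as URL-safe Base64 without "=" padding, and then decoded by the second microservice and put through the three authority checks of steps S1531 to S1533. It assumes single-character ";" and "#" separators exactly as the format reads, "/" between several file authority parameters (one of the delimiters the page allows), and that the key's Java signed bytes are the same 16 bytes read as unsigned; the names AuthCode, Issue, Open and Permits are the example's own.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// AuthCode carries the three authorization code parameters in the page's format.
type AuthCode struct {
	SessionID, DocClass, DocID string   // request user, document class, document number
	Rights                     []string // one or more file authority parameters
}

// presetKey is the page's 16-byte key, written there as Java signed bytes (-122 is 0x86, and so on).
var presetKey = []byte{134, 47, 207, 201, 242, 157, 205, 187, 254, 124, 176, 45, 27, 76, 239, 93}

// Plaintext lays the parameters out as "sessionId;class#id;rights"; "/" between rights is an assumption.
func (a AuthCode) Plaintext() string {
	return a.SessionID + ";" + a.DocClass + "#" + a.DocID + ";" + strings.Join(a.Rights, "/")
}

// ParseAuthCode is the inverse of Plaintext; a malformed code is an error, never a partial match.
func ParseAuthCode(s string) (AuthCode, error) {
	parts := strings.Split(s, ";")
	if len(parts) != 3 || !strings.Contains(parts[1], "#") {
		return AuthCode{}, errors.New("expected sessionId;class#id;rights")
	}
	doc := strings.SplitN(parts[1], "#", 2)
	return AuthCode{parts[0], doc[0], doc[1], strings.Split(parts[2], "/")}, nil
}

// pkcs7Pad appends k bytes of value k (1..16); an already aligned input gets a whole extra block.
func pkcs7Pad(b []byte) []byte {
	k := aes.BlockSize - len(b)%aes.BlockSize
	return append(append([]byte{}, b...), bytes.Repeat([]byte{byte(k)}, k)...)
}

// pkcs7Unpad checks the padding the way the decrypting side must before trusting the plaintext.
func pkcs7Unpad(b []byte) ([]byte, error) {
	n := len(b)
	if n == 0 || n%aes.BlockSize != 0 || b[n-1] == 0 || int(b[n-1]) > aes.BlockSize ||
		!bytes.Equal(b[n-int(b[n-1]):], bytes.Repeat(b[n-1:], int(b[n-1]))) {
		return nil, errors.New("bad PKCS#7 padding")
	}
	return b[:n-int(b[n-1])], nil
}

// ecb applies f (c.Encrypt or c.Decrypt) to each 128-bit block on its own: ECB mode, no IV, no chaining.
func ecb(f func(dst, src []byte), in []byte) []byte {
	out := make([]byte, len(in))
	for i := 0; i+aes.BlockSize <= len(in); i += aes.BlockSize {
		f(out[i:i+aes.BlockSize], in[i:i+aes.BlockSize])
	}
	return out
}

// Issue is the first microservice's side: AES/ECB/PKCS5Padding, then URL-safe Base64 without "=" padding.
func Issue(c cipher.Block, a AuthCode) string {
	return base64.RawURLEncoding.EncodeToString(ecb(c.Encrypt, pkcs7Pad([]byte(a.Plaintext()))))
}

// Open is the second microservice's side: decode, decrypt with the same key, unpad, parse.
func Open(c cipher.Block, token string) (AuthCode, error) {
	ct, err := base64.RawURLEncoding.DecodeString(token)
	if err == nil {
		ct, err = pkcs7Unpad(ecb(c.Decrypt, ct))
	}
	if err != nil {
		return AuthCode{}, err
	}
	return ParseAuthCode(string(ct))
}

// Permits applies the three checks: authorized user, authorized document, authorized interface.
func (a AuthCode) Permits(curSession, docClass, docID, right string) bool {
	if a.SessionID != curSession || a.DocClass != docClass || a.DocID != docID {
		return false
	}
	for _, r := range a.Rights {
		if r == right {
			return true
		}
	}
	return false
}

func main() {
	c, _ := aes.NewCipher(presetKey) // cannot fail: presetKey is exactly 16 bytes
	a := AuthCode{"MGUyOTA5NzMtYTcyZC00ZmMzLTkzM2YtNWQ0YWI3NDVlNGU0", "com.landray.sys.xform.core.entity.official.SysXFormOfficial",
		"1g6v5lf07w572w4adw3p08js1slobm02ciw0", []string{"attachGetAll"}}
	tok := Issue(c, a)
	code, err := Open(c, tok)
	fmt.Println(len(tok), err, code.Permits(a.SessionID, a.DocClass, a.DocID, "attachGetAll"))
}
```

With the four values from the listing, Issue returns a 214-character token, the same length as the ciphertext service authorization code shown above (158 plaintext bytes plus two PKCS#7 bytes, 160 bytes encoded); whether it matches the page's token byte for byte depends on separator details the page does not pin down. Two properties of the scheme as described are worth keeping in mind when adopting it: AES in ECB mode is deterministic, so the same code always encrypts to the same token and equal 16-byte blocks give equal ciphertext blocks, and neither ECB nor PKCS#7 padding provides integrity, so a service that must reject a modified token needs an authenticated mode such as AES-GCM or an HMAC over the code in addition to the three checks. The example keeps the page's scheme so that the round trip matches the description; its first check binds the token to the session ID, which the page compares against X-AUTH-TOKEN.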
It can be understood that the above embodiment uses a second back-end microservice for illustration; in practice, if an independent third back-end microservice needs to be called after the second back-end microservice has finished, the service authorization code generated by the first back-end microservice can be added to the service request information sent to the third back-end microservice within the session lifetime, and the third back-end microservice checks the service authorization code in the same way as the second, and so on, so the method can be used across the independent processing flows of several back-end microservices.
For example, when the content of one user interface is provided separately by several different microservices, the authorization method of this embodiment requires no dependency between the services; in terms of performance, nothing needs to be stored in a database or a data store such as Redis and the services need not call each other's interfaces; and the authorization is temporary and confidential: it is automatically disabled after a period of time, and when a user forwards an access link to another, unauthorized user, that user still cannot access the resource.
According to the access control method for the micro service system, the first back-end micro service receives first service request information of a request entity and responds to the first service request information to generate first service response information and a service authorization code, then the service authorization code is sent to the request entity, and the second back-end micro service receives second service request information generated by the request entity based on the service authorization code; and performing authority verification on the service authorization code by using the second back-end micro service, and if the authority verification is passed, responding to the second service request information by using the second back-end micro service to generate second service response information.
According to the method and the device, the first back-end micro service is used for generating the service authorization code according to the first service request information, and when next operation is needed, the service authorization code and the second service request information are combined and sent, so that the second back-end micro service directly conducts authority verification by using the generated service authorization code, the situation that when multiple micro services are needed to participate in the same service respectively is avoided, the whole authorization process of authorization, sending and verification needs to be completed for each micro service, the problem that access is easy to timeout is solved, the complexity of authority verification among different micro services is reduced, and the access efficiency of a micro service system is improved.
An embodiment of the present invention further provides an access control device for a microservice system, which can implement the access control method described above. The microservice system includes at least a first back-end microservice and a second back-end microservice, and is configured so that different back-end microservices can generate, from the request information of a requesting entity, a service authorization code for accessing other back-end microservices. With reference to fig. 14, the device includes:
a first request receiving module 1410, configured to receive, by the first back-end microservice, first service request information of the requesting entity;
a first request response module 1420, configured to respond, by the first back-end microservice, to the first service request information and generate first service response information and a service authorization code, where the first service response information is generated by the first back-end microservice according to the first service request information, and the first back-end microservice is configured to generate, for the requesting entity, the service authorization code of at least one second back-end microservice;
a service authorization code sending module 1430, configured to send, by the first back-end microservice, the first service response information and the service authorization code to the requesting entity;
a second request receiving module 1440, configured to receive, by the second back-end microservice, second service request information generated by the requesting entity based on the service authorization code;
a permission verification module 1450, configured to perform, by the second back-end microservice, a permission check on the service authorization code; and
a second request response module 1460, configured to respond, by the second back-end microservice and according to the permission check result, to the second service request information and generate second service response information.
The specific implementation of the micro service system access control apparatus of this embodiment is substantially the same as the specific implementation of the micro service system access control method described above, and details are not described here again.
An embodiment of the present invention further provides an electronic device, including:
at least one memory;
at least one processor;
at least one program;
the programs are stored in the memory, and the processor executes the at least one program to implement the microservice system access control method of the present invention as described above. The electronic device can be any intelligent terminal, including a mobile phone, a tablet computer, a Personal Digital Assistant (PDA), a vehicle-mounted computer and the like.
Referring to fig. 15, fig. 15 illustrates a hardware structure of an electronic device according to another embodiment, where the electronic device includes:
the processor 1501 may be implemented by a general-purpose CPU (central processing unit), a microprocessor, an Application Specific Integrated Circuit (ASIC), or one or more integrated circuits, and is configured to execute a relevant program to implement the technical solution provided in the embodiment of the present invention;
the memory 1502 may be implemented in the form of a ROM (read only memory), a static memory device, a dynamic memory device, or a RAM (random access memory). The memory 1502 may store an operating system and other application programs, and when the technical solution provided by the embodiment of the present disclosure is implemented by software or firmware, the relevant program codes are stored in the memory 1502 and called by the processor 1501 to execute the micro service system access control method according to the embodiment of the present disclosure;
an input/output interface 1503 for information input and output;
a communication interface 1504 for communication between the device and other devices, which may communicate over a wired link (for example, USB or network cable) or wirelessly (for example, mobile network, WIFI or Bluetooth); and
a bus 1505 that transfers information between various components of the device (e.g., the processor 1501, memory 1502, input/output interface 1503, and communication interface 1504);
wherein the processor 1501, memory 1502, input/output interface 1503 and communication interface 1504 enable communication within the device with one another via bus 1505.
The embodiment of the present application further provides a storage medium, which is a computer-readable storage medium, where a computer program is stored, and when the computer program is executed by a processor, the method for controlling access to the microservice system is implemented.
The memory, which is a non-transitory computer readable storage medium, may be used to store non-transitory software programs as well as non-transitory computer executable programs. Further, the memory may include high speed random access memory, and may also include non-transitory memory, such as at least one disk storage device, flash memory device, or other non-transitory solid state storage device. In some embodiments, the memory optionally includes memory located remotely from the processor, and these remote memories may be connected to the processor through a network. Examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks, and combinations thereof.
In the microservice system access control method, access control device, electronic device and storage medium provided in the embodiments of the present invention, the first back-end microservice receives first service request information from a requesting entity, responds to it by generating first service response information and a service authorization code, and sends the service authorization code to the requesting entity; the second back-end microservice then receives second service request information that the requesting entity generated based on the service authorization code, performs a permission check on the service authorization code, and, if the check passes, responds to the second service request information by generating second service response information. Because the first back-end microservice generates the service authorization code from the first service request information, and the requesting entity sends that code together with the second service request information when the next operation is needed, the second back-end microservice performs the permission check directly on the already generated service authorization code. This avoids, when several microservices must each take part in the same business operation, repeating the whole authorization process (authorizing, sending and verifying) for every microservice; it therefore resolves the tendency of such access to time out, reduces the complexity of permission verification between different microservices, and improves the access efficiency of the microservice system.
The embodiments described in the embodiments of the present application are for more clearly illustrating the technical solutions of the embodiments of the present application, and do not constitute a limitation to the technical solutions provided in the embodiments of the present application, and it is obvious to those skilled in the art that the technical solutions provided in the embodiments of the present application are also applicable to similar technical problems with the evolution of technology and the emergence of new application scenarios.
It will be appreciated by those skilled in the art that the embodiments shown in the figures are not intended to limit the embodiments of the present application and may include more or fewer steps than those shown, or some of the steps may be combined, or different steps may be included.
The above-described embodiments of the apparatus are merely illustrative, wherein the units illustrated as separate components may or may not be physically separate, i.e. may be located in one place, or may also be distributed over a plurality of network elements. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of the present embodiment.
One of ordinary skill in the art will appreciate that all or some of the steps of the methods, systems, functional modules/units in the devices disclosed above may be implemented as software, firmware, hardware, and suitable combinations thereof.
The terms "first," "second," "third," "fourth," and the like in the description of the application and the above-described figures, if any, are used for distinguishing between similar elements and not necessarily for describing a particular sequential or chronological order. It should be understood that the data so used may be interchanged under appropriate circumstances such that embodiments of the application described herein may be implemented in sequences other than those illustrated or described herein. Moreover, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed, but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
It should be understood that, in this application, "at least one" means one or more, and "a plurality" means two or more. "And/or" describes an association between associated objects and indicates that three relationships may exist; for example, "A and/or B" may mean: only A, only B, or both A and B, where A and B may be singular or plural. The character "/" generally indicates that the associated objects before and after it are in an "or" relationship. "At least one of the following" or similar expressions refer to any combination of the listed items, including any combination of single items or plural items. For example, "at least one of a, b, or c" may represent: a, b, c, "a and b", "a and c", "b and c", or "a and b and c", where a, b and c may each be singular or plural.
In the several embodiments provided in the present application, it should be understood that the disclosed apparatus and method may be implemented in other ways. For example, the above-described apparatus embodiments are merely illustrative, and for example, the above-described division of units is only one type of division of logical functions, and other divisions may be realized in practice, for example, a plurality of units or components may be combined or integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection through some interfaces, devices or units, and may be in an electrical, mechanical or other form.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, functional units in the embodiments of the present application may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit. The integrated unit can be realized in a form of hardware, and can also be realized in a form of a software functional unit.
The integrated unit, if implemented in the form of a software functional unit and sold or used as a separate product, may be stored in a computer readable storage medium. Based on such understanding, the technical solutions of the present application, which are essential or part of the technical solutions contributing to the prior art, or all or part of the technical solutions, may be embodied in the form of a software product stored in a storage medium, which includes multiple instructions for enabling a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the methods of the embodiments of the present application. And the aforementioned storage medium includes: various media capable of storing programs, such as a usb disk, a portable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk, or an optical disk.
The preferred embodiments of the present application have been described above with reference to the accompanying drawings, and the scope of the claims of the embodiments of the present application is not limited thereto. Any modifications, equivalents and improvements that may occur to those skilled in the art without departing from the scope and spirit of the embodiments of the present application are intended to be within the scope of the claims of the embodiments of the present application.

Claims (15)

1. A micro-service system access control method is characterized in that the micro-service system at least comprises a first back-end micro-service and a second back-end micro-service, and the micro-service system is configured in such a way that different back-end micro-services can generate service authorization codes which can be used for accessing other back-end micro-services according to request information of a request entity; the method comprises the following steps:
the first back-end micro-service receives first service request information of a request entity;
the first back-end micro service responds to the first service request information to generate first service response information and a service authorization code; the first service response information is generated by the first back-end micro-service according to the first service request information; the first back-end micro service is used for generating, for the request entity, the service authorization code of at least one second back-end micro service;
the first back-end micro service sends the first service response information and the service authorization code to the requesting entity;
the second back-end micro-service receives second service request information generated by the request entity based on the service authorization code;
the second back-end micro service carries out authority verification on the service authorization code;
and according to the authority verification result, the second back-end micro-service responds to the second service request information to generate second service response information.
2. The method according to claim 1, wherein the generating a first service response message and a service authorization code in response to the first service request message by the first backend micro service includes:
the first back-end micro-service responds to the first service request information to generate first service response information;
and generating the service authorization code according to the first service request information by utilizing an authority control module.
3. The method according to claim 2, wherein the first service request information includes an access token, and the generating the service authorization code by the authority control module according to the first service request information includes:
judging whether to authorize or not by utilizing the authority control module according to the access token;
if the judgment result is that authorization is carried out, the authority control module generates the service authorization code according to a preset authorization code format.
4. The method as claimed in claim 3, wherein the first service request information further includes: request user information, operation file information and file authority information; and the generating, by the authority control module, the service authorization code according to the preset authorization code format includes:
generating an authorization code parameter according to the first service request information, wherein the authorization code parameter includes: requesting user parameters, operating file parameters and file authority parameters;
generating the service authorization code of the authorization code parameter based on the preset authorization code format.
5. The micro service system access control method according to claim 4, wherein the operation file information comprises: an operation document class name and an operation document number; and the generating the service authorization code of the authorization code parameter based on the preset authorization code format includes:
generating the operation file parameters according to the operation document class name and the operation document number, wherein the operation file parameters comprise: operating document class parameters and operating document number parameters;
splicing the operation file parameters to the request user parameters to obtain first authorization code information;
and splicing the file permission parameter with the first authorization code information to obtain the service authorization code.
6. The method according to claim 4, wherein after the generating the service authorization code of the authorization code parameter based on the preset authorization code format, the method further includes: and encrypting the service authorization code by using a preset encryption algorithm and a preset key to obtain the encrypted service authorization code.
7. The method of claim 4, wherein the requesting user information is a user session number.
8. The method according to claim 4, wherein the service authorization code includes at least one file authority parameter, and different file authority parameters are separated by a preset separator when generated.
9. The method according to claim 4, wherein the second backend microservice performs permission verification on the service authorization code, and the method includes:
extracting the service authorization code from the second service request information, wherein the service authorization code is located at a preset position of the second service request information;
obtaining the authorization code parameter in the service authorization code;
and if the authorization code parameter meets the authority verification condition, the authority verification is passed.
10. The method according to claim 9, wherein the authorization code parameter satisfying the authority verification condition such that the authority verification is passed includes:
judging, according to the request user parameter, that the current user is an authorized user, whereupon a first authority check is passed;
judging, according to the operation file parameters, whether the file requested to be operated is an authorized file, and if it is the authorized file, a second authority check is passed;
judging, according to the file authority parameter, whether the requested file operation is an authorized interface, and if so, a third authority check is passed;
and if the first authority check is passed, the second authority check is passed and the third authority check is passed, the authority check is passed.
11. The access control method of the micro service system according to claim 1, wherein the second service request information is http/https request information, and the service authorization code is located in URL information, request header information, or request body information of the http/https request information.
12. The method as claimed in claim 1, wherein the sending the service authorization code to the requesting entity includes: and sending the service authorization code to the requesting entity by using a parameter transmission mode.
13. The micro-service system access control device is characterized in that the micro-service system at least comprises a first back-end micro-service and a second back-end micro-service, and the micro-service system is configured in such a way that different back-end micro-services can generate service authorization codes which can be used for accessing other back-end micro-services according to request information of a request entity; the device comprises:
the first request receiving module is used for receiving first service request information of a request entity by the first back-end micro-service;
the first request response module is used for responding the first service request information by the first back-end micro service and generating first service response information and a service authorization code; the first service response information is generated by the first back-end micro-service according to the first service request information; the first back-end micro service is used for generating the service authorization code of at least one second back-end micro service to the request entity;
a service authorization code sending module, configured to send, by the first backend microservice, the first service response information and the service authorization code to the requesting entity;
a second request receiving module, configured to receive, by the second back-end micro service, second service request information generated by the requesting entity based on the service authorization code;
the authority verification module is used for the second back-end micro service to carry out authority verification on the service authorization code;
and the second request response module is used for responding the second service request information by the second back-end micro service according to the permission verification result and generating second service response information.
14. An electronic device, comprising a memory storing a computer program and a processor implementing the micro service system access control method of any one of claims 1 to 12 when the computer program is executed by the processor.
15. A computer-readable storage medium, storing a computer program, wherein the computer program, when executed by a processor, implements the micro service system access control method of any one of claims 1 to 12.
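The service authorization code format of claims 4 to 8 and the three-step permission check of claims 9 and 10, carried through as an added Python example that is not the patent's own implementation. The separators, the header position, the session time and the key are assumed values, and the patent's unspecified preset encryption algorithm is stood in for by an HMAC-SHA256 tag plus an expiry timestamp, which makes the code unforgeable and self-expiring but not confidential (a deployment that needs the parameters kept secret would wrap the payload in authenticated encryption such as AES-GCM instead).

```python
import base64
import binascii
import hashlib
import hmac
import time
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Preset formats. The patent leaves the concrete values to the implementer; these are assumed.
FIELD_SEP = "|"      # separates the request-user, operation-file and permission parameters
PERM_SEP = ","       # the "preset separator" between different file permission parameters
TTL_SECONDS = 300    # the "session time" after which a code is automatically disabled
TAG_LEN = 32         # length of the HMAC-SHA256 tag appended to the code
CODE_HEADER = "X-Service-Authorization-Code"   # assumed preset position: a request header

# Preset key shared by the first and second back-end microservices (constructed sample value)
SHARED_KEY = b"constructed-sample-key-rotate-in-production"


@dataclass(frozen=True)
class AuthorizationCodeParams:
    """Authorization code parameters of claim 4: request user, operation file, file permissions."""
    session_id: str         # request user parameter (claim 7: the user session number)
    doc_class: str          # operation document class parameter
    doc_no: str             # operation document number parameter
    permissions: List[str]  # file permission parameters
    expires_at: int         # unix time after which the code is disabled


def _tag(payload: bytes, key: bytes) -> bytes:
    return hmac.new(key, payload, hashlib.sha256).digest()


def generate_service_authorization_code(session_id: str, doc_class: str, doc_no: str,
                                        permissions: List[str], key: bytes = SHARED_KEY,
                                        now: Optional[float] = None) -> str:
    """First back-end microservice: splice the parameters in the order of claim 5 and tag them."""
    # Reject separators inside any field so a crafted document number cannot smuggle in an extra permission
    for field in (session_id, doc_class, doc_no, *permissions):
        if not field or FIELD_SEP in field or PERM_SEP in field:
            raise ValueError("authorization code parameter is empty or contains a separator")
    expires_at = int((now if now is not None else time.time()) + TTL_SECONDS)
    # operation file parameters spliced onto the request user parameter (first authorization code info)
    first_info = FIELD_SEP.join([session_id, doc_class, doc_no])
    # file permission parameters spliced onto the first info, plus the expiry that enforces the session time
    payload = FIELD_SEP.join([first_info, PERM_SEP.join(permissions), str(expires_at)]).encode("utf-8")
    return base64.urlsafe_b64encode(payload + _tag(payload, key)).decode("ascii")


def parse_service_authorization_code(code: str, key: bytes = SHARED_KEY,
                                     now: Optional[float] = None) -> Optional[AuthorizationCodeParams]:
    """Second back-end microservice: authenticate the code, check its expiry and split it."""
    try:
        raw = base64.urlsafe_b64decode(code.encode("ascii"))
    except (binascii.Error, ValueError, UnicodeEncodeError):
        return None
    if len(raw) <= TAG_LEN:
        return None
    payload, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    if not hmac.compare_digest(tag, _tag(payload, key)):
        return None                                   # forged or tampered code
    parts = payload.decode("utf-8").split(FIELD_SEP)
    if len(parts) != 5 or not parts[4].isdigit():
        return None
    session_id, doc_class, doc_no, perms, expires = parts
    if (now if now is not None else time.time()) > int(expires):
        return None                                   # automatically disabled after the session time
    return AuthorizationCodeParams(session_id, doc_class, doc_no, perms.split(PERM_SEP), int(expires))


def verify_permission(request: dict, key: bytes = SHARED_KEY,
                      now: Optional[float] = None) -> Tuple[bool, str]:
    """Claims 9 and 10: extract the code from its preset position, then run the three checks."""
    # `request` is a constructed stand-in for an http/https request: headers plus the requester's
    # own session_id, the doc_class/doc_no it wants to operate on, and the requested operation.
    code = request.get("headers", {}).get(CODE_HEADER)
    if code is None:
        return False, "no service authorization code in request"
    params = parse_service_authorization_code(code, key, now)
    if params is None:
        return False, "service authorization code invalid or expired"
    # first permission check: the current user must be the authorized user
    requester = str(request.get("session_id", "")).encode("utf-8")
    if not hmac.compare_digest(params.session_id.encode("utf-8"), requester):
        return False, "first check failed: requester is not the authorized user"
    # second permission check: the file requested must be the authorized file
    if (request.get("doc_class"), request.get("doc_no")) != (params.doc_class, params.doc_no):
        return False, "second check failed: file is not the authorized file"
    # third permission check: the requested operation must be one of the authorized file permissions
    if request.get("operation") not in params.permissions:
        return False, "third check failed: operation is not authorized"
    return True, "permission check passed"
```

Because the first check compares the session number carried inside the code with the requester's own session, a link forwarded to a different user fails the check, which is the behaviour the description above attributes to the method.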

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211545339.0A CN115604033A (en) 2022-12-05 2022-12-05 Micro service system access control method, device, equipment and storage medium

Publications (1)

Publication Number Publication Date
CN115604033A true CN115604033A (en) 2023-01-13

Family

ID=84853393


Country Status (1)

Country Link
CN (1) CN115604033A (en)

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20110271353A1 (en) * 2010-04-29 2011-11-03 International Business Machines Corporation Performing authorization control in a cloud storage system
CN106878007A (en) * 2017-02-08 2017-06-20 Feitian Technologies Co., Ltd. An authorization method and system
US20200059360A1 (en) * 2018-08-20 2020-02-20 Jpmorgan Chase Bank, N.A. System and method for service-to-service authentication
CN112333272A (en) * 2020-11-06 2021-02-05 Hangzhou DBAPPSecurity Co., Ltd. Micro-service data access method, device, equipment and readable storage medium
CN113098695A (en) * 2021-04-21 2021-07-09 Jinling Institute of Technology Micro-service unified authority control method and system based on user attributes
CN114793243A (en) * 2021-01-26 2022-07-26 SAP SE One-time use authorization code in self-contained format


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination