CN117336091A - Interface calling method, system and storage medium - Google Patents

Publication number: CN117336091A
Authority: CN (China)
Legal status: Pending
Application number: CN202311476239.1A
Other languages: Chinese (zh)
Inventors: 陆志鹏, 韩光, 李嘉宁, 郑曦, 郭祎萍, 国丽, 刘彬彬, 马博原, 周洋, 王洪伟
Current Assignee: Zhongdian Data Industry Co ltd
Original Assignee: Zhongdian Data Industry Co ltd
Priority: CN202311476239.1A

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/08: Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0876: Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
    • H04L63/0807: Network architectures or network communication protocols for network security for authentication of entities using tickets, e.g. Kerberos
    • H04L9/00: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/321: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving a third party or a trusted authority
    • H04L9/3213: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving a third party or a trusted authority using tickets or tokens, e.g. Kerberos
    • H04L9/3247: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
    • H04L9/3297: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving time stamps, e.g. generation of time stamps
    • H04L9/40: Network security protocols

Abstract

The application discloses an interface calling method, an interface calling system and a storage medium. The interface calling method comprises: receiving an interface call request sent by a client; parsing the interface call request to obtain a platform-as-a-service (PaaS) identifier of the client and a first signature generated by the client based on a first PaaS token corresponding to the PaaS identifier; retrieving a pre-registered second PaaS token according to the PaaS identifier, and generating a second signature based on the second PaaS token; and, if the first signature is the same as the second signature, sending the interface call request to the corresponding server, receiving the response result made by the server based on the interface call request, and sending the response result to the client. By introducing a signature verification mechanism based on the PaaS identifier and the PaaS token, the scheme can effectively improve the security of interface calls.

Description

Interface calling method, system and storage medium
Technical Field
The present disclosure relates to the field of network communications technologies, and in particular, to an interface calling method, system, and storage medium.
Background
At present, platforms with high security requirements, such as open service platforms, face security risks in application programming interface (API) calls. Such a platform can be regarded as a server that must expose interfaces for communication with external clients, which may be third-party interfaces, microservices, cloud services and the like. To protect the server, interface calls from the client to the server are usually managed. For example, an API key verification mechanism is introduced into the calling process: the client carries the API key in its interface call request, and the server verifies the validity of the API key. However, if the API key is leaked it can be misused, so this kind of verification makes it difficult to ensure the security of interface calls.
Disclosure of Invention
The main purpose of the present application is to provide an interface calling method, system and storage medium that solve or mitigate the problem that the security of interface calls is difficult to ensure.
In order to achieve the above object, the present application provides an interface calling method, where the interface calling method is applied to a gateway, and the interface calling method includes:
receiving an interface calling request sent by a client;
parsing the interface call request to obtain a platform-as-a-service (PaaS) identifier of the client and a first signature generated by the client based on a first PaaS token corresponding to the PaaS identifier;
retrieving a pre-registered second PaaS token according to the PaaS identifier, and generating a second signature based on the second PaaS token;
and if the first signature is the same as the second signature, sending the interface call request to a corresponding server, receiving a response result made by the server based on the interface call request, and sending the response result to the client.
Optionally, the step of parsing the interface call request to obtain the PaaS identifier of the client and the first signature generated by the client based on the first PaaS token corresponding to the PaaS identifier includes:
parsing the interface call request to obtain the PaaS identifier, the first signature, and a timestamp corresponding to the moment at which the client generated the interface call request;
if the first signature is the same as the second signature, the step of sending the interface call request to the corresponding server, receiving a response result made by the server based on the interface call request, and sending the response result to the client includes:
if the first signature is the same as the second signature and the time difference between the moment corresponding to the timestamp and the current moment is smaller than a preset time difference threshold, the interface calling request is sent to a corresponding server, a response result of the server based on the interface calling request is received, and the response result is sent to the client.
Optionally, if the first signature and the second signature are the same, and the time difference between the time corresponding to the timestamp and the current time is smaller than a preset time difference threshold, the step of sending the interface call request to the corresponding server, receiving a response result made by the server based on the interface call request, and sending the response result to the client includes:
if the first signature is the same as the second signature, the time difference between the moment corresponding to the timestamp and the current moment is smaller than a preset time difference threshold, and the client is confirmed, based on the PaaS identifier, to have the calling authority for the interface corresponding to the interface call request, the interface call request is sent to the corresponding server, a response result made by the server based on the interface call request is received, and the response result is sent to the client.
Optionally, the interface calling method further includes:
if the first signature is different from the second signature, or the time difference between the moment corresponding to the timestamp and the current moment is not smaller than the preset time difference threshold, or it is determined based on the PaaS identifier that the client does not have the calling authority for the interface corresponding to the interface call request, sending a corresponding error code to the client.
Optionally, the step of parsing the interface call request to obtain the PaaS identifier, the first signature, and the timestamp corresponding to the moment at which the client generated the interface call request includes:
parsing the interface call request to obtain the PaaS identifier, the first signature, the timestamp and a random string;
wherein the first signature is generated by the client based on the first PaaS token, the timestamp and the random string, and the step of generating a second signature based on the second PaaS token comprises:
generating the second signature based on the second PaaS token, the timestamp and the random string.
Optionally, the step of sending the interface call request to a corresponding server, receiving a response result made by the server based on the interface call request, and sending the response result to the client includes:
determining a corresponding target service from a plurality of services of the server according to the interface call request;
sending the interface call request to the target service;
and receiving a response result of the target service based on the interface call request, and sending the response result to the client.
In order to achieve the above object, the present application further provides an interface calling method, where the interface calling method is applied to a client, and the interface calling method includes:
acquiring a platform-as-a-service (PaaS) identifier of the client and a first PaaS token corresponding to the PaaS identifier;
generating a first signature based on the first PaaS token;
generating a corresponding interface call request based on the PaaS identifier and the first signature and sending it to a gateway, so that the gateway receives the interface call request; parses the interface call request to obtain the PaaS identifier and the first signature; retrieves a pre-registered second PaaS token according to the PaaS identifier and generates a second signature based on the second PaaS token; and, if the first signature is the same as the second signature, sends the interface call request to the corresponding server, receives the response result made by the server based on the interface call request, and sends the response result to the client;
and receiving the response result.
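The client-side and gateway-side steps above, as an added example that is not part of the patent text: the client signs a timestamp and random string with its PaaS token, and the gateway recomputes the signature from the registered token, then checks the time window and the interface permission. HMAC-SHA256, the header names, the 300-second threshold, the error codes and the sample registrations are assumptions of this example, since the page does not specify them.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

# Assumed value for the "preset time difference threshold".
MAX_SKEW_SECONDS = 300

# Hypothetical error codes; the page only says "a corresponding error code".
ERR_UNKNOWN_ID = "E_UNKNOWN_PAAS_ID"
ERR_BAD_SIGNATURE = "E_SIGNATURE_MISMATCH"
ERR_STALE = "E_TIMESTAMP_OUT_OF_WINDOW"
ERR_FORBIDDEN = "E_INTERFACE_NOT_AUTHORIZED"


@dataclass(frozen=True)
class Registration:
    """What the gateway caches per PaaS identifier after registration."""
    token: bytes            # the pre-registered (second) PaaS token
    interfaces: frozenset   # request addresses this client may call


def compute_signature(token: bytes, timestamp: str, nonce: str) -> str:
    """Signature over timestamp and random string, keyed by the PaaS token.

    HMAC-SHA256 with a newline separator is an assumption of this example;
    both sides must use the same construction for the values to be comparable.
    """
    message = f"{timestamp}\n{nonce}".encode()
    return hmac.new(token, message, hashlib.sha256).hexdigest()


def build_request(paas_id: str, token: bytes, path: str, now=None) -> dict:
    """Client side: set the request headers and add the request address."""
    timestamp = str(int(time.time() if now is None else now))
    nonce = secrets.token_hex(16)
    return {
        "path": path,
        "headers": {  # header names are hypothetical
            "x-paas-id": paas_id,
            "x-timestamp": timestamp,
            "x-nonce": nonce,
            "x-signature": compute_signature(token, timestamp, nonce),
        },
    }


def gateway_check(request: dict, cache: dict, now=None):
    """Gateway side: return (True, None) to forward, else (False, error_code)."""
    now = time.time() if now is None else now
    headers = request.get("headers", {})
    paas_id = headers.get("x-paas-id", "")
    timestamp = headers.get("x-timestamp", "")
    nonce = headers.get("x-nonce", "")
    first_signature = headers.get("x-signature", "")

    # The PaaS identifier is plaintext and selects the registered token.
    registration = cache.get(paas_id)
    if registration is None:
        return False, ERR_UNKNOWN_ID

    # Recompute the second signature and compare in constant time.
    second_signature = compute_signature(registration.token, timestamp, nonce)
    if not hmac.compare_digest(first_signature.encode(), second_signature.encode()):
        return False, ERR_BAD_SIGNATURE

    # Reject requests whose timestamp is outside the allowed window.
    try:
        sent_at = int(timestamp)
    except ValueError:
        return False, ERR_STALE
    if abs(now - sent_at) >= MAX_SKEW_SECONDS:
        return False, ERR_STALE

    # Confirm the client is authorized for the interface it is calling.
    if request.get("path") not in registration.interfaces:
        return False, ERR_FORBIDDEN
    return True, None


def demo() -> dict:
    # Constructed sample data: identifiers, tokens and paths are made up.
    cache = {"app-001": Registration(b"registered-token-001",
                                     frozenset({"/orders/query"}))}
    t0 = 1_700_000_000
    good = build_request("app-001", b"registered-token-001", "/orders/query", now=t0)
    wrong = build_request("app-001", b"guessed-token", "/orders/query", now=t0)
    other = build_request("app-001", b"registered-token-001", "/orders/delete", now=t0)
    return {
        "valid": gateway_check(good, cache, now=t0 + 5),
        "wrong_token": gateway_check(wrong, cache, now=t0 + 5),
        "replayed_late": gateway_check(good, cache, now=t0 + 600),
        "unauthorized_interface": gateway_check(other, cache, now=t0 + 5),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```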
In order to achieve the above object, the present application further provides an interface calling method, where the interface calling method is applied to a server, and the interface calling method includes:
receiving an interface call request sent by a gateway, wherein, after receiving the interface call request sent by a client, the gateway parses the interface call request to obtain a platform-as-a-service (PaaS) identifier of the client and a first signature generated by the client based on a first PaaS token corresponding to the PaaS identifier; retrieves a pre-registered second PaaS token according to the PaaS identifier and generates a second signature based on the second PaaS token; and, if the first signature is the same as the second signature, sends the interface call request to the server;
producing a response result based on the interface call request and sending the response result to the gateway, so that the gateway sends the response result to the client.
The embodiments of the present application also provide an interface calling system comprising a client, a gateway and a server, which executes the steps of the interface calling method described above.
The embodiments of the present application also propose a computer-readable storage medium, on which an interface calling program is stored, which when executed by a processor implements the steps of the interface calling method as described above.
With the interface calling method, system and storage medium provided by the embodiments of the present application, an interface call request sent by a client is received; the interface call request is parsed to obtain the platform-as-a-service (PaaS) identifier of the client and a first signature generated by the client based on a first PaaS token corresponding to the PaaS identifier; a pre-registered second PaaS token is retrieved according to the PaaS identifier, and a second signature is generated based on the second PaaS token; and, if the first signature is the same as the second signature, the interface call request is sent to the corresponding server, the response result made by the server based on the interface call request is received, and the response result is sent to the client. By introducing a signature verification mechanism based on the PaaS identifier and the PaaS token, the scheme of the present application compares and verifies the first signature generated by the client against the second signature generated by the server, ensuring that the server responds to the interface call request only when the client is legitimate. In addition, the PaaS identifier and the PaaS token are obtained through registration and are not easily misused, which can effectively improve the security of interface calls.
Drawings
FIG. 1 is a schematic diagram of an interface invocation system of the present application;
FIG. 2 is a flow chart of a first exemplary embodiment of an interface invocation method of the present application;
FIG. 3 is a flow chart of a second exemplary embodiment of an interface invocation method of the present application;
FIG. 4 is a flowchart of a third exemplary embodiment of an interface invocation method of the present application;
FIG. 5 is a flowchart of a fourth exemplary embodiment of an interface invocation method of the present application;
FIG. 6 is a flowchart of a fifth exemplary embodiment of an interface invocation method of the present application;
FIG. 7 is a flowchart of a sixth exemplary embodiment of an interface invocation method of the present application;
FIG. 8 is a flowchart of a seventh exemplary embodiment of an interface invocation method of the present application;
FIG. 9 is a flowchart illustrating an eighth exemplary embodiment of an interface invocation method of the present application;
FIG. 10 is a flowchart of a ninth exemplary embodiment of an interface invocation method of the present application.
The implementation, functional features and advantages of the present application will be further described with reference to the embodiments and the accompanying drawings.
Detailed Description
It should be understood that the specific embodiments described herein are for purposes of illustration only and are not intended to limit the present application.
The main solution of the embodiments of the present application is: receiving an interface call request sent by a client; parsing the interface call request to obtain the platform-as-a-service (PaaS) identifier of the client and a first signature generated by the client based on a first PaaS token corresponding to the PaaS identifier; retrieving a pre-registered second PaaS token according to the PaaS identifier, and generating a second signature based on the second PaaS token; and, if the first signature is the same as the second signature, sending the interface call request to the corresponding server, receiving the response result made by the server based on the interface call request, and sending the response result to the client. By introducing a signature verification mechanism based on the PaaS identifier and the PaaS token, the scheme of the present application compares and verifies the first signature generated by the client against the second signature generated by the server, ensuring that the server responds to the interface call request only when the client is legitimate. In addition, the PaaS identifier and the PaaS token are obtained through registration and are not easily misused, which can effectively improve the security of interface calls.
Specifically, referring to fig. 1, fig. 1 is a schematic diagram of an interface calling system of the present application. In this embodiment, the interface calling system to which the interface calling device belongs at least includes a client, a gateway, and a server.
The interface calling system executes the following steps:
receiving, through the gateway, an interface call request sent by a client;
parsing the interface call request to obtain the platform-as-a-service (PaaS) identifier of the client and a first signature generated by the client based on a first PaaS token corresponding to the PaaS identifier;
retrieving a pre-registered second PaaS token according to the PaaS identifier, and generating a second signature based on the second PaaS token;
and if the first signature is the same as the second signature, sending the interface call request to a corresponding server, receiving a response result made by the server based on the interface call request, and sending the response result to the client.
Further, the interface calling system may also perform the following steps:
parsing the interface call request to obtain the PaaS identifier, the first signature, and a timestamp corresponding to the moment at which the client generated the interface call request;
if the first signature is the same as the second signature, the step of sending the interface call request to the corresponding server, receiving a response result made by the server based on the interface call request, and sending the response result to the client includes:
if the first signature is the same as the second signature and the time difference between the moment corresponding to the timestamp and the current moment is smaller than a preset time difference threshold, the interface calling request is sent to a corresponding server, a response result of the server based on the interface calling request is received, and the response result is sent to the client.
Further, the interface calling system may also perform the following steps:
if the first signature is the same as the second signature, the time difference between the moment corresponding to the timestamp and the current moment is smaller than a preset time difference threshold, and the client is confirmed to have the calling authority of the interface corresponding to the interface calling request based on the PaaS identifier, the interface calling request is sent to the corresponding server through the gateway, a response result made by the server based on the interface calling request is received, and the response result is sent to the client.
Further, the interface calling system may also perform the following steps:
if the first signature is different from the second signature, or the time difference between the moment corresponding to the timestamp and the current moment is not smaller than the preset time difference threshold, or it is determined based on the PaaS identifier that the client does not have the calling authority for the interface corresponding to the interface call request, sending a corresponding error code to the client through the gateway.
Further, the interface calling system may also perform the following steps:
parsing, through the gateway, the interface call request to obtain the PaaS identifier, the first signature, the timestamp and the random string.
Further, the interface calling system may also perform the following steps:
generating, by the gateway, the second signature based on the second PaaS token, the timestamp and the random string.
Further, the interface calling system may also perform the following steps:
determining a corresponding target service from a plurality of services of the server through the gateway according to the interface call request;
sending the interface call request to the target service;
and receiving a response result of the target service based on the interface call request, and sending the response result to the client.
Further, the interface calling system may also perform the following steps:
acquiring, by the client, the platform-as-a-service (PaaS) identifier of the client and a first PaaS token corresponding to the PaaS identifier;
generating a first signature based on the first PaaS token;
generating a corresponding interface call request based on the PaaS identifier and the first signature and sending it to a gateway, so that the gateway receives the interface call request; parses the interface call request to obtain the PaaS identifier and the first signature; retrieves a pre-registered second PaaS token according to the PaaS identifier and generates a second signature based on the second PaaS token; and, if the first signature is the same as the second signature, sends the interface call request to the corresponding server, receives the response result made by the server based on the interface call request, and sends the response result to the client;
and receiving the response result.
Further, the interface calling system may also perform the following steps:
receiving, by the server, an interface call request sent by a gateway, wherein, after receiving the interface call request sent by a client, the gateway parses the interface call request to obtain the platform-as-a-service (PaaS) identifier of the client and a first signature generated by the client based on a first PaaS token corresponding to the PaaS identifier; retrieves a pre-registered second PaaS token according to the PaaS identifier and generates a second signature based on the second PaaS token; and, if the first signature is the same as the second signature, sends the interface call request to the server;
producing a response result based on the interface call request and sending the response result to the gateway, so that the gateway sends the response result to the client.
In this embodiment, by introducing a signature verification mechanism based on the PaaS identifier and the PaaS token, the first signature generated by the client and the second signature generated by the server are compared and verified, ensuring that the server responds to the interface call request only when the client is legitimate. In addition, the PaaS identifier and the PaaS token are obtained through registration and are not easily misused, which can effectively improve the security of interface calls.
Referring to FIG. 2, which is a flowchart of a first embodiment of the interface calling method of the present application, the interface calling method is applied to a gateway and includes:
Step A10, receiving an interface call request sent by the client.
Specifically, to improve the security of the client's calls to the server's interfaces, this embodiment provides a signature verification mechanism based on the PaaS identifier and the PaaS token, and passes the interface call request and the corresponding response result between the client and the server through a gateway (or intelligent gateway).
In this embodiment, the gateway serves as the intermediary for security verification. The gateway may be deployed as a distributed cluster and communicates over HTTPS (Hypertext Transfer Protocol Secure); because it is deployed as a distributed cluster, it can process a large number of requests at the same time. Optionally, the gateway may adopt the RESTful (Representational State Transfer) software architecture style, which is based on a set of constraints and attributes and aims to provide simple, lightweight, scalable and easy-to-maintain network services.
The gateway mainly supports five functions: service calling authority application, service calling authority review, gateway request unified authentication, unified authentication, and request unified forwarding. Service calling authority application and review are implemented by a register microservice (self-registration microservice), while gateway request unified authentication, unified authentication and request unified forwarding are implemented by a gateway microservice. The gateway microservice periodically pulls the PaaS identifiers (PaaS IDs), second PaaS tokens (PaaS Tokens) and authorized interface information of the different clients from the register microservice and loads them into a cache.
When the client needs to initiate an interface call request to the server, it first sends the interface call request to the gateway, and the gateway receives the interface call request sent by the client. The interface call request is used to let the client obtain services or data of the server, or to let the client perform specific operations on the server.
Step A20, parsing the interface call request to obtain the platform-as-a-service (PaaS) identifier of the client and a first signature generated by the client based on a first PaaS token corresponding to the PaaS identifier.
Specifically, the interface call request includes at least the PaaS identifier of the client and a first signature generated by the client based on a first PaaS token corresponding to the PaaS identifier, where PaaS stands for Platform as a Service. If the PaaS identifier and the first PaaS token of the client were obtained in advance by registering through the gateway's register microservice, they are legitimate and valid; if they were not, they are illegitimate and invalid.
Optionally, in the legitimate case, the PaaS identifier and PaaS token that the client obtains by registering through the gateway's register microservice are composed as follows: (1) the IDs (identifiers) obtained when the client registers through the register microservice are concatenated with a custom separator and then escaped to obtain the PaaS identifier of the client; (2) the PaaS identifier of the client is encrypted to obtain a ciphertext, which serves as the PaaS token of the client.
When the client needs to call an interface of the server, it generates a first signature based on the first PaaS token corresponding to the PaaS identifier. It then sets the request header based on its PaaS identifier and the first signature, and adds the request address to obtain the interface call request. The request address points to the server interface that the client wants to call.
After receiving the interface call request of the client, the gateway parses it to obtain the PaaS identifier of the client and the first signature generated by the client based on the first PaaS token corresponding to the PaaS identifier.
Step A30: retrieve a pre-registered second PaaS token according to the PaaS identifier, and generate a second signature based on the second PaaS token.
Specifically, since the PaaS identifier of the client is plaintext information, the gateway can retrieve the pre-registered second PaaS token from the cache according to the PaaS identifier of the client. It will be understood that the second PaaS token is the legitimate token corresponding to the PaaS identifier of the client.
Further, the gateway generates the second signature based on the second PaaS token in the same manner as the client generates the first signature based on the first PaaS token, which ensures that the first signature and the second signature are comparable.
Step A40: if the first signature is the same as the second signature, send the interface call request to the corresponding server, receive the response result made by the server based on the interface call request, and send the response result to the client.
Specifically, the gateway compares the first signature with the second signature, and one of the following two comparison results may occur:
In one possible comparison result, the first signature and the second signature are the same, which indicates that the first PaaS token of the client is a legitimate token; signature verification passes, and the gateway sends the interface call request to the corresponding server. The server receives the interface call request, responds to it to obtain a response result, and returns the response result to the gateway. The gateway receives the response result made by the server based on the interface call request and sends it to the client, thereby completing the client's call to the interface of the server.
In the other possible comparison result, the first signature and the second signature are different, which indicates that the first PaaS token of the client is an illegitimate token; the interface call request of the client fails signature verification, and the gateway does not send it to the server. The gateway may also return an error code to the client.
Optionally, the micro-service that provides the interface is deployed in a container in bridge mode and is not externally accessible; external requests are uniformly authenticated by the gateway and then forwarded to the micro-service of the server.
In this embodiment, by introducing a signature verification mechanism based on the PaaS identifier and the PaaS token, the first signature generated by the client and the second signature generated by the server are compared and verified, which ensures that the server responds to the interface call request only if the client is legitimate. In addition, the PaaS identifier and the PaaS token are obtained through registration and are not easily misused, which effectively improves the security of interface calls.
Further, referring to fig. 3a and fig. 3b, which provide flowcharts of a second embodiment of the interface calling method of the present application, based on the embodiment shown in fig. 2, the step "parse the interface call request to obtain the PaaS identifier of the client and the first signature generated by the client based on the first PaaS token corresponding to the PaaS identifier" in step A20 is further refined to include:
Step A21: parse the interface call request to obtain the PaaS identifier, the first signature, and a timestamp corresponding to the moment at which the client generated the interface call request.
Specifically, a replay attack is a type of network security attack in which an attacker intercepts or records legitimate communication packets and resends them at a later time, attempting to trick the system into performing repeated operations or granting improper access rights. Such attacks may result in unauthorized access, data leakage, or other malicious activity. Replay attacks can seriously affect the security of the server.
In order to prevent replay attacks, this embodiment proposes an interface calling method combined with timestamp verification. More specifically, when the client needs to call an interface of the server, it generates a first signature based on the first PaaS token corresponding to the PaaS identifier. It then sets a request header based on its PaaS identifier, the first signature and the timestamp of the current moment (the timestamp corresponding to the moment at which the interface call request is generated), and adds a request address to the request header to obtain the interface call request.
After receiving the interface call request of the client, the gateway parses it to obtain the PaaS identifier and the first signature of the client, and the timestamp corresponding to the moment at which the client generated the interface call request.
The step "if the first signature is the same as the second signature, send the interface call request to the corresponding server, receive the response result made by the server based on the interface call request, and send the response result to the client" in step A40 is further refined to include:
Step A41: if the first signature is the same as the second signature and the time difference between the moment corresponding to the timestamp and the current moment is smaller than a preset time difference threshold, send the interface call request to the corresponding server, receive the response result made by the server based on the interface call request, and send the response result to the client.
Specifically, the gateway compares the first signature with the second signature, calculates a time difference between a time corresponding to the timestamp and the current time, and compares the time difference with a preset time difference threshold. The following four results may occur: (1) The first signature and the second signature are the same, and the time difference is smaller than a preset time difference threshold; (2) The first signature and the second signature are the same, and the time difference is not smaller than a preset time difference threshold; (3) The first signature and the second signature are different, and the time difference is smaller than a preset time difference threshold; (4) The first signature and the second signature are different, and the time difference is not smaller than a preset time difference threshold.
In the case of the above (1), the gateway sends the interface call request to the corresponding server, receives the response result made by the server based on the interface call request, and sends the response result to the client. In the case of the above (2), (3) and (4), the gateway does not send the interface call request to the server. At the same time, the gateway may also return an error code to the client.
In this embodiment, the introduction of the timestamp ensures the freshness of the interface call, since a request is accepted only within the permitted time. This effectively improves the security of interface calls and effectively prevents replay attacks and illegitimate access.
Further, referring to fig. 4, which provides a flowchart of a third embodiment of the interface calling method of the present application, based on the embodiment shown in fig. 3, the step "if the first signature is the same as the second signature and the time difference between the moment corresponding to the timestamp and the current moment is smaller than a preset time difference threshold, send the interface call request to the corresponding server, receive the response result made by the server based on the interface call request, and send the response result to the client" in step A41 is further refined to include:
Step A411: if the first signature is the same as the second signature, the time difference between the moment corresponding to the timestamp and the current moment is smaller than a preset time difference threshold, and it is confirmed based on the PaaS identifier that the client has the calling authority for the interface corresponding to the interface call request, send the interface call request to the corresponding server, receive the response result made by the server based on the interface call request, and send the response result to the client.
Specifically, in order to prevent the client from calling an interface of the server without authorization, this embodiment provides an interface calling method combined with authority verification. More specifically, the gateway compares the first signature with the second signature; calculates the time difference between the moment corresponding to the timestamp and the current moment and compares it with a preset time difference threshold; and queries the register micro-service, according to the PaaS identifier of the client, as to whether the client has the calling authority for the interface corresponding to the interface call request. The following eight outcomes may occur:
(1) The first signature and the second signature are the same, the time difference is smaller than a preset time difference threshold, and the client has the calling authority of the interface corresponding to the interface calling request; (2) The first signature and the second signature are the same, the time difference is smaller than a preset time difference threshold, and the client does not have the calling authority of the interface corresponding to the interface calling request; (3) The first signature and the second signature are the same, the time difference is not smaller than a preset time difference threshold, and the client has the calling authority of the interface corresponding to the interface calling request; (4) The first signature and the second signature are the same, the time difference is not smaller than a preset time difference threshold, and the client does not have the calling authority of the interface corresponding to the interface calling request; (5) The first signature and the second signature are different, the time difference is smaller than a preset time difference threshold, and the client has the calling authority of the interface corresponding to the interface calling request; (6) The first signature and the second signature are different, the time difference is smaller than a preset time difference threshold, and the client does not have the calling authority of the interface corresponding to the interface calling request; (7) The first signature and the second signature are different, the time difference is not smaller than a preset time difference threshold, and the client has the calling authority of the interface corresponding to the interface calling request; (8) The first signature and the second signature are different, the time difference is not smaller than a preset time difference threshold, and the client does not have the calling authority of the interface corresponding to the interface calling request.
In the case of the above (1), the gateway sends the interface call request to the corresponding server, receives the response result made by the server based on the interface call request, and sends the response result to the client. In the case of the above (2) (3) (4) (5) (6) (7) (8), the gateway does not send the interface call request to the server. At the same time, the gateway may also return an error code to the client.
In this embodiment, the triple verification of signature, timestamp and calling authority effectively improves the security of interface calls, reduces misuse and illegitimate access, and maintains the stability of the data and systems of the server.
Further, referring to fig. 5, which provides a flowchart of a fourth embodiment of the interface calling method of the present application, based on the embodiment shown in fig. 4, the interface calling method further includes:
Step A50: if the first signature is different from the second signature, or the time difference between the moment corresponding to the timestamp and the current moment is not smaller than a preset time difference threshold, or it is confirmed based on the PaaS identifier that the client does not have the calling authority for the interface corresponding to the interface call request, send a corresponding error code to the client.
Specifically, in combination with cases (2) (3) (4) (5) (6) (7) (8) listed in the third embodiment of the interface calling method of the present application, if the first signature and the second signature are different, or the time difference between the moment corresponding to the timestamp and the current moment is not smaller than a preset time difference threshold, or it is confirmed based on the PaaS identifier that the client does not have the calling authority for the interface corresponding to the interface call request, the client cannot call the corresponding interface of the server. In this case, the gateway may send a corresponding error code to the client, and the error code may be carried in the HTTP information returned by the gateway to the client.
Some of the error codes are listed below:
400: Bad request, typically a request that is incomplete or whose content format is corrupted.
403: Access is prohibited, typically when the caller's signature is computed incorrectly, the PaaS token is incorrect, the timestamp error exceeds a certain range, or the response header is not signed.
404: The interface does not exist; the interface call address is incorrect.
421: The number of concurrent calls from the source exceeds the limit.
502: The service is unavailable; the gateway is abnormal.
503: The interface call frequency exceeds the frequency limit of the application.
Optionally, the error code in the HTTP information follows this rule: a value equal to 200 indicates a successful response; a value from 400 to 500 indicates a client error; a value greater than 500 indicates a server error.
In this embodiment, when the first signature does not match the second signature, the timestamp exceeds the threshold, or the authority of the client is insufficient, the gateway not only rejects the invalid request but also sends a corresponding error code, giving the client clear information so that it can handle the failure appropriately and identify and resolve the problem in time.
Further, referring to fig. 6a and fig. 6b, which provide flowcharts of a fifth embodiment of the interface calling method of the present application, based on the embodiment shown in fig. 3, the step "parse the interface call request to obtain the PaaS identifier, the first signature, and a timestamp corresponding to the moment at which the client generated the interface call request" in step A21 is further refined to include:
Step A211: parse the interface call request to obtain the PaaS identifier, the first signature, the timestamp and the random string.
Specifically, in order to increase the complexity of signature verification and improve the security of interface calls, this embodiment incorporates a random string into signature verification.
When the client needs to call an interface of the server, it generates a first signature based on the first PaaS token corresponding to the PaaS identifier, the timestamp of the current moment (which can be regarded as the timestamp corresponding to the moment at which the interface call request is generated), and the random string. It then sets a request header based on its PaaS identifier, the first signature, the timestamp and the random string, and adds a request address to the request header to obtain the interface call request.
The random string may be a random string that is not repeated within a preset time range; for example, if the preset time range is ten minutes, no random string generated within those ten minutes is repeated.
The first signature is generated by the client based on the first PaaS token, the timestamp and the random string, and the step "generate a second signature based on the second PaaS token" in step A30 is further refined to include:
Step A31: generate the second signature based on the second PaaS token, the timestamp, and the random string.
Further, the gateway generates the second signature based on the second PaaS token, the timestamp and the random string in the same manner as the client generates the first signature based on the first PaaS token, the timestamp and the random string, which ensures that the first signature and the second signature are comparable.
In this embodiment, the second signature is made more complex and more difficult to crack by introducing a timestamp and a random string. This increases the resistance of interface calls to attack and reduces the probability that a malicious attack succeeds. In addition, the timestamp can effectively prevent replay attacks and ensure that a request is not used multiple times.
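The checks of the second, third and fifth embodiments combined in one gateway routine, as an added example that is not code from the patent. HMAC-SHA256 as the signature function, the header names, the 300-second threshold, the gateway-side record of used random strings and the use of 403 for a missing calling authority are all assumptions, since the text does not fix them.

```python
import hashlib
import hmac
import secrets
import time

MAX_SKEW_SECONDS = 300  # assumed value for the "preset time difference threshold"


def sign(token: str, timestamp: str, nonce: str) -> str:
    """Signature over timestamp and random string, keyed by the PaaS token.
    HMAC-SHA256 is an assumption; the text does not name the algorithm."""
    message = f"{timestamp}\n{nonce}".encode()
    return hmac.new(token.encode(), message, hashlib.sha256).hexdigest()


def build_headers(paas_id: str, token: str, now: float) -> dict:
    """Client side: headers carrying identifier, timestamp, random string, first signature."""
    timestamp = str(int(now))
    nonce = secrets.token_hex(16)
    return {
        "x-paas-id": paas_id,  # hypothetical header names
        "x-timestamp": timestamp,
        "x-nonce": nonce,
        "x-signature": sign(token, timestamp, nonce),
    }


class Gateway:
    def __init__(self, registry: dict, max_skew: int = MAX_SKEW_SECONDS):
        # registry stands in for the cache loaded from the register micro-service:
        # PaaS identifier -> (second PaaS token, set of authorized request addresses)
        self.registry = registry
        self.max_skew = max_skew
        self.seen_nonces = {}  # (paas_id, nonce) -> time after which it can be forgotten

    def verify(self, headers: dict, address: str, now: float = None):
        """Return (status, reason); 200 means the request may be forwarded."""
        now = time.time() if now is None else now
        try:
            paas_id = headers["x-paas-id"]
            first_sig = headers["x-signature"]
            ts_text = headers["x-timestamp"]
            nonce = headers["x-nonce"]
            sent_at = int(ts_text)
        except (KeyError, ValueError):
            return 400, "incomplete or malformed request"

        entry = self.registry.get(paas_id)
        if entry is None:
            return 403, "unregistered PaaS identifier"
        second_token, authorized = entry

        # Recompute with the registered token and compare in constant time.
        second_sig = sign(second_token, ts_text, nonce)
        if not hmac.compare_digest(first_sig.encode(), second_sig.encode()):
            return 403, "signature mismatch"

        if abs(now - sent_at) >= self.max_skew:
            return 403, "timestamp outside window"

        # Drop random strings whose timestamp can no longer pass, then reject a repeat.
        self.seen_nonces = {k: exp for k, exp in self.seen_nonces.items() if exp > now}
        if (paas_id, nonce) in self.seen_nonces:
            return 403, "random string already used"
        self.seen_nonces[(paas_id, nonce)] = sent_at + self.max_skew

        if address not in authorized:
            return 403, "no calling authority for this interface"
        return 200, "forward to server"


def demo() -> dict:
    """Run constructed requests through the gateway and collect each verdict."""
    token = "constructed-token-not-a-real-secret"
    gateway = Gateway({"demo-app": (token, {"/api/orders"})})
    t0 = 1_700_000_000  # constructed clock value
    captured = build_headers("demo-app", token, t0)
    return {
        "fresh": gateway.verify(captured, "/api/orders", now=t0 + 1),
        "replayed": gateway.verify(captured, "/api/orders", now=t0 + 2),
        "stale": gateway.verify(build_headers("demo-app", token, t0), "/api/orders", now=t0 + 301),
        "wrong_token": gateway.verify(build_headers("demo-app", "guess", t0), "/api/orders", now=t0),
        "unauthorized": gateway.verify(build_headers("demo-app", token, t0), "/api/admin", now=t0),
        "incomplete": gateway.verify({"x-paas-id": "demo-app"}, "/api/orders", now=t0),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:12} {verdict}")
```

In the distributed cluster deployment described for the gateway, the record of used random strings has to live in a store shared by all gateway nodes, otherwise a repeat rejected by one node would still be accepted by another.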
Further, referring to fig. 7, which provides a flowchart of a sixth embodiment of the interface calling method of the present application, based on the embodiment shown in fig. 2, the step "send the interface call request to the corresponding server, receive the response result made by the server based on the interface call request, and send the response result to the client" in step A40 is further refined to include:
Step A42: determine a corresponding target service from a plurality of services of the server according to the interface call request.
Step A43: send the interface call request to the target service.
Step A44: receive the response result made by the target service based on the interface call request, and send the response result to the client.
Specifically, the server comprises a plurality of services, and different services provide different interfaces. The gateway needs to decide, according to the interface call request, which specific service of the server the interface call request should be sent to.
The gateway parses the interface call request and obtains the request address in it. It then determines the corresponding target service from the plurality of services of the server according to the request address. Further, the gateway sends the interface call request to the target service, receives the response result made by the target service based on the interface call request, and sends the response result to the client.
In this embodiment, by determining the target service, the gateway can accurately route the request to the appropriate service, which reduces unnecessary load and resource consumption and helps to improve the response speed of the interface call request.
Referring to fig. 8, a flowchart of a seventh embodiment of an interface calling method is provided. The interface calling method is applied to the client, and comprises the following steps:
Step B10: acquire the Platform-as-a-Service (PaaS) identifier of the client and a first PaaS token corresponding to the PaaS identifier.
Step B20: generate a first signature based on the first PaaS token.
Step B30: based on the PaaS identifier and the first signature, generate and send a corresponding interface call request to a gateway, so that the gateway receives the interface call request; parses the interface call request to obtain the PaaS identifier and the first signature; retrieves a pre-registered second PaaS token according to the PaaS identifier and generates a second signature based on the second PaaS token; and, if the first signature and the second signature are the same, sends the interface call request to the corresponding server, receives the response result made by the server based on the interface call request, and sends the response result to the client.
Step B40: receive the response result.
Specifically, in order to improve the security of the client's calls to the interfaces of the server, this embodiment provides a signature verification mechanism based on the PaaS identifier and the PaaS token, and transmits the interface call request and the corresponding response result between the client and the server through a gateway (or intelligent gateway).
In this embodiment, the gateway serves as the intermediary for security verification. The gateway may be deployed as a distributed cluster and uses the HTTPS (Hypertext Transfer Protocol Secure) protocol for communication; because of the distributed cluster deployment, the gateway can process a large number of requests at the same time. Optionally, the gateway may adopt the RESTful (Representational State Transfer) software architecture style, which is based on a set of constraints and attributes and aims to provide simple, lightweight, scalable and easy-to-maintain network services.
The functions supported by the gateway mainly comprise five functions: service calling authority application, service calling authority examination, gateway request unified authentication, unified authentication and request unified forwarding. The functions of service calling authority application and service calling authority examination are implemented by a register micro-service (a self-registration micro-service), and the functions of gateway request unified authentication, unified authentication and request unified forwarding are implemented by a gateway micro-service. The gateway micro-service periodically pulls the PaaS identifiers (or PaaS IDs) corresponding to different clients, the second PaaS tokens (or PaaS Tokens) and the authorized interface information from the register micro-service and loads them into a cache.
When the client needs to initiate an interface call request to the server, it first sends the interface call request to the gateway. Correspondingly, the gateway receives the interface call request sent by the client. The interface call request is used to enable the client to obtain services or data of the server, or to perform specific operations on the server.
The interface call request includes at least the PaaS (Platform as a Service) identifier of the client and a first signature generated by the client based on a first PaaS token corresponding to the PaaS identifier. If the client obtained its PaaS identifier and first PaaS token in advance by registering with the register micro-service of the gateway, they are legitimate and valid; if they were not obtained through such prior registration, they are illegitimate and invalid.
Optionally, in the legitimate case, the PaaS identifier and the PaaS token that the client obtains by registering with the register micro-service of the gateway are composed as follows: (1) the IDs (identifiers) that the client obtained by registering through the register micro-service are concatenated using a custom separator and then escaped to obtain the PaaS identifier of the client; (2) the PaaS identifier of the client is encrypted to obtain a ciphertext, and the ciphertext is used as the PaaS token of the client.
When the client needs to call an interface of the server, it generates a first signature based on the first PaaS token corresponding to the PaaS identifier. It then sets a request header based on its PaaS identifier and the first signature, and adds a request address to the request header to obtain the interface call request. It will be appreciated that the request address points to the interface of the server that the client wants to invoke.
After receiving the interface call request of the client, the gateway parses it to obtain the PaaS identifier of the client and the first signature generated by the client based on the first PaaS token corresponding to the PaaS identifier.
Because the PaaS identifier of the client is plaintext information, the gateway can retrieve the pre-registered second PaaS token from the cache according to the PaaS identifier of the client. It will be understood that the second PaaS token is the legitimate token corresponding to the PaaS identifier of the client.
Further, the gateway generates the second signature based on the second PaaS token in the same manner as the client generates the first signature based on the first PaaS token, which ensures that the first signature and the second signature are comparable.
The gateway compares the first signature with the second signature, and one of the following two comparison results may occur:
In one possible comparison result, the first signature and the second signature are the same, which indicates that the first PaaS token of the client is a legitimate token; signature verification passes, and the gateway sends the interface call request to the corresponding server. The server receives the interface call request, responds to it to obtain a response result, and returns the response result to the gateway. The gateway receives the response result made by the server based on the interface call request and sends it to the client, thereby completing the client's call to the interface of the server.
In the other possible comparison result, the first signature and the second signature are different, which indicates that the first PaaS token of the client is an illegitimate token; the interface call request of the client fails signature verification, and the gateway does not send it to the server. The gateway may also return an error code to the client.
Optionally, the micro-service that provides the interface is deployed in a container in bridge mode and is not externally accessible; external requests are uniformly authenticated by the gateway and then forwarded to the micro-service of the server.
In this embodiment, by introducing a signature verification mechanism based on the PaaS identifier and the PaaS token, the first signature generated by the client and the second signature generated by the server are compared and verified, which ensures that the server responds to the interface call request only if the client is legitimate. In addition, the PaaS identifier and the PaaS token are obtained through registration and are not easily misused, which effectively improves the security of interface calls.
Referring to fig. 9, a flowchart of an eighth embodiment of the interface calling method of the present application is provided. The interface calling method is applied to the server, and comprises the following steps:
Step C10: receive an interface call request sent by a gateway, wherein, after receiving the interface call request sent by a client, the gateway parses the interface call request to obtain the Platform-as-a-Service (PaaS) identifier of the client and a first signature generated by the client based on a first PaaS token corresponding to the PaaS identifier; retrieves a pre-registered second PaaS token according to the PaaS identifier and generates a second signature based on the second PaaS token; and, if the first signature is the same as the second signature, sends the interface call request to the server.
Step C20: make a response result based on the interface call request and send the response result to the gateway, so that the gateway sends the response result to the client.
Specifically, in order to improve the security of the client's calls to the interfaces of the server, this embodiment provides a signature verification mechanism based on the PaaS identifier and the PaaS token, and transmits the interface call request and the corresponding response result between the client and the server through a gateway (or intelligent gateway).
In this embodiment, the gateway serves as the intermediary for security verification. The gateway may be deployed as a distributed cluster and uses the HTTPS (Hypertext Transfer Protocol Secure) protocol for communication; because of the distributed cluster deployment, the gateway can process a large number of requests at the same time. Optionally, the gateway may adopt the RESTful (Representational State Transfer) software architecture style, which is based on a set of constraints and attributes and aims to provide simple, lightweight, scalable and easy-to-maintain network services.
The functions supported by the gateway mainly comprise five functions: service calling authority application, service calling authority examination, gateway request unified authentication, unified authentication and request unified forwarding. The functions of service calling authority application and service calling authority examination are implemented by a register micro-service (a self-registration micro-service), and the functions of gateway request unified authentication, unified authentication and request unified forwarding are implemented by a gateway micro-service. The gateway micro-service periodically pulls the PaaS identifiers (or PaaS IDs) corresponding to different clients, the second PaaS tokens (or PaaS Tokens) and the authorized interface information from the register micro-service and loads them into a cache.
When the client needs to initiate an interface call request to the server, it first sends the interface call request to the gateway. Correspondingly, the gateway receives the interface call request sent by the client. The interface call request is used to enable the client to obtain services or data of the server, or to perform specific operations on the server.
The interface call request at least comprises a platform as a service PaaS identifier of the client and a first signature generated by the client based on a first PaaS token corresponding to the PaaS identifier, wherein PaaS (Platform as a Service) may also be referred to as "platform as a service". If the PaaS identifier and the first PaaS token of the client are obtained by register micro-service registration of the gateway in advance, the PaaS identifier and the first PaaS token of the client are legal and effective; if the PaaS identifier and the first PaaS token of the client are not previously registered through the register micro service of the gateway, the PaaS identifier and the first PaaS token of the client are illegally invalidated.
Optionally, in the legal case, the composition rule of the PaaS identifier and the PaaS token obtained by the client through register micro-service registration of the gateway is: (1) Based on the custom separator, splicing IDs (identifiers) obtained by registering the clients through the register micro-service, and then performing escape processing to obtain PaaS identifiers of the clients; (2) Encrypting the PaaS identifier of the client to obtain a ciphertext, and taking the ciphertext as the PaaS token of the client.
When the client needs to call an interface of the server, it generates a first signature based on the first PaaS token corresponding to the PaaS identifier. It then sets the request header based on its PaaS identifier and the first signature, and adds a request address to obtain the interface call request. It will be appreciated that the request address points to the interface of the server that the client wants to invoke.
After receiving the interface call request of the client, the gateway parses it to obtain the PaaS identifier of the client and the first signature generated by the client based on the first PaaS token corresponding to the PaaS identifier.
Because the PaaS identifier of the client belongs to a kind of plaintext information, the gateway can call the pre-registered second PaaS token in the cache according to the PaaS identifier of the client. It is understood that the second PaaS token is a legal token corresponding to the PaaS identifier of the client.
Further, the gateway generates the second signature based on the second PaaS token in the same manner as the client generates the first signature based on the first PaaS token, so that the first signature and the second signature can be ensured to have comparability.
The gateway will compare the first signature with the second signature, and the following two comparison results may occur:
In one possible comparison result, the first signature and the second signature are the same, which indicates that the first PaaS token of the client is a legal token. Signature verification passes, and the gateway sends the interface call request to the corresponding server. Correspondingly, the server receives the interface call request, produces a response result for it, and returns the response result to the gateway. The gateway receives the response result made by the server based on the interface call request and sends it to the client, which completes the client's interface call to the server.
In another possible comparison result, the first signature and the second signature are different, which indicates that the first PaaS token of the client is an illegal token. The interface call request of the client fails signature verification, and the gateway does not send the interface call request to the server. At the same time, the gateway may also return an error code to the client.
Optionally, the micro-service that provides the interface is deployed in a container in bridge mode and is not accessible externally; external requests are uniformly authenticated by the gateway and then forwarded to the micro-service of the server.
In this embodiment, by introducing a signature verification mechanism based on the PaaS identifier and the PaaS token, the first signature generated by the client and the second signature generated by the server are compared and verified, so that the server responds to the interface call request only when the client is legitimate. In addition, the PaaS identifier and the PaaS token are obtained through registration and are not easy to misuse, which effectively improves the security of interface calls.
The ninth embodiment is presented based on the first to eighth embodiments of the interface calling method of the present application. Referring to fig. 10, a flowchart of a ninth embodiment of an interface calling method is provided.
First, a client obtains a PaaS identifier and a first PaaS token through register micro-service registration of a gateway. The gateway also stores the first PaaS token of the client as a second PaaS token, and stores the PaaS identifier of the client and the second PaaS token in the cache.
When the client needs to call an interface of the server, it generates a corresponding interface call request comprising at least a request header and a request address. The generation process comprises the following steps: (1) Acquire the PaaS identifier, the first PaaS token, the timestamp corresponding to the current moment, and a non-repeating random character string. (2) Splice the first PaaS token, the timestamp and the random character string, and hash the result with a hash algorithm to obtain the first signature. For example, first signature = SHA-256(timestamp + first PaaS token + random string + timestamp), where SHA-256 is the 256-bit secure hash algorithm. (3) Replace the original address (http://service system ip:port/service method) with a new request address (http://gateway domain name/API/service method). (4) Fill in the PaaS identifier, the timestamp, the random character string and the first signature as the request header of the interface call request, and fill in (http://gateway domain name/API/service method) as its request address, to obtain the complete interface call request.
The client sends the interface call request to the gateway. Correspondingly, the gateway receives the request and parses it to obtain the PaaS identifier, the timestamp, the random character string, the first signature and the request address.
And the gateway invokes a corresponding second PaaS token from the cache according to the PaaS identification of the client. Then, a second signature is generated using the same algorithm that the client generates the first signature.
The gateway first performs signature verification by comparing the first signature with the second signature. If signature verification fails, an error code is returned to the client; if it passes, the gateway further verifies whether the time difference between the moment corresponding to the timestamp and the current moment is smaller than a preset time difference threshold. If timestamp verification fails, an error code is returned to the client; if it passes, the gateway further confirms, based on the PaaS identifier, whether the client has the calling authority for the interface corresponding to the interface call request. If the client does not have the calling authority, an error code is returned to the client; if it does, the gateway determines the corresponding target service from a plurality of services of the server according to the PaaS identifier of the interface call request and sends the interface call request to the target service, a process that can be regarded as a route replacement. The gateway then receives the response result made by the target service based on the interface call request and sends it to the client.
In this embodiment, by introducing a signature verification mechanism based on the PaaS identifier and the PaaS token, the first signature generated by the client and the second signature generated by the server are compared and verified, so that the server responds to the interface call request only when the client is legitimate. In addition, the PaaS identifier and the PaaS token are obtained through registration and are not easy to misuse, which effectively improves the security of interface calls.
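The request construction and the gateway's three checks from the ninth embodiment can be sketched as follows. This is an added example, not code from the application; the header names, status codes, sample ID, token, path, the 300-second threshold and the use of seconds for the timestamp are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

# Constructed stand-ins for the data the gateway micro service pulls from the
# register micro service into its cache (IDs, tokens and paths are made up).
TOKEN_CACHE = {"app-001": "constructed-token-value"}  # PaaS ID -> second PaaS token
AUTHORIZED = {"app-001": {"/API/orders"}}             # PaaS ID -> callable interfaces
MAX_SKEW_SECONDS = 300                                # assumed time-difference threshold


def sign(token, timestamp, nonce):
    """SHA-256(timestamp + token + random string + timestamp), hex-encoded."""
    material = timestamp + token + nonce + timestamp
    return hashlib.sha256(material.encode("utf-8")).hexdigest()


def build_request(paas_id, token, path, now=None):
    """Client side: fill the header fields and the gateway request address."""
    timestamp = str(int(time.time() if now is None else now))
    nonce = secrets.token_hex(16)  # non-repeating random string
    return {
        "path": path,
        "headers": {
            "x-paas-id": paas_id,        # hypothetical header names
            "x-timestamp": timestamp,
            "x-nonce": nonce,
            "x-signature": sign(token, timestamp, nonce),
        },
    }


def gateway_check(request, now=None):
    """Gateway side: signature, then timestamp, then calling permission."""
    now = time.time() if now is None else now
    headers = request["headers"]
    paas_id = headers.get("x-paas-id", "")
    timestamp = headers.get("x-timestamp", "")
    nonce = headers.get("x-nonce", "")
    supplied = headers.get("x-signature", "")

    token = TOKEN_CACHE.get(paas_id)
    if token is None:
        return 401, "unknown PaaS ID"
    # Recompute the second signature from the cached token; compare in
    # constant time (a hardening choice added here, not stated on the page).
    expected = sign(token, timestamp, nonce)
    if not hmac.compare_digest(expected.encode(), supplied.encode("utf-8")):
        return 401, "signature mismatch"
    try:
        sent_at = int(timestamp)
    except ValueError:
        return 401, "malformed timestamp"
    if not abs(now - sent_at) < MAX_SKEW_SECONDS:
        return 401, "timestamp outside window"
    if request["path"] not in AUTHORIZED.get(paas_id, set()):
        return 403, "interface not authorized"
    return 200, "forward to target service"
```

The flow described above checks only the timestamp window; a gateway that also recorded each random character string for the length of that window could reject a repeated request inside it.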
In addition, the embodiment of the application also provides an interface calling system, which comprises a client, a gateway and a server, and executes the steps of realizing the interface calling method.
Because the interface calling program is executed by the processor and adopts all the technical schemes of all the embodiments, the interface calling program at least has all the beneficial effects brought by all the technical schemes of all the embodiments and is not described in detail herein.
In addition, the embodiment of the application also provides a computer readable storage medium, wherein the computer readable storage medium stores an interface calling program, and the interface calling program realizes the steps of the interface calling method when being executed by a processor.
Because the interface calling program is executed by the processor and adopts all the technical schemes of all the embodiments, the interface calling program at least has all the beneficial effects brought by all the technical schemes of all the embodiments and is not described in detail herein.
It should be noted that, in this document, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or system that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or system. Without further limitation, an element defined by the phrase "comprising a …" does not exclude the presence of other like elements in a process, method, article, or system that comprises the element.
The foregoing embodiment numbers of the present application are merely for describing, and do not represent advantages or disadvantages of the embodiments.
From the above description of the embodiments, it will be clear to those skilled in the art that the above-described embodiment method may be implemented by means of software plus a necessary general hardware platform, but of course may also be implemented by means of hardware, but in many cases the former is a preferred embodiment. Based on such understanding, the technical solution of the present application may be embodied essentially or in a part contributing to the prior art in the form of a software product stored in a storage medium (e.g. ROM/RAM, magnetic disk, optical disk) as above, comprising several instructions for causing an interface invoking system to perform the method of each embodiment of the present application.
The foregoing description is only of the preferred embodiments of the present application, and is not intended to limit the scope of the claims, and all equivalent structures or equivalent processes using the descriptions and drawings of the present application, or direct or indirect application in other related technical fields are included in the scope of the claims of the present application.

Claims (10)

1. An interface calling method, wherein the interface calling method is applied to a gateway, and the interface calling method comprises the following steps:
receiving an interface calling request sent by a client;
parsing the interface call request to obtain a platform-as-a-service (PaaS) identifier of the client and a first signature generated by the client based on a first PaaS token corresponding to the PaaS identifier;
invoking a second PaaS token registered in advance according to the PaaS identifier, and generating a second signature based on the second PaaS token;
and if the first signature is the same as the second signature, sending the interface call request to a corresponding server, receiving a response result made by the server based on the interface call request, and sending the response result to the client.
2. The method of claim 1, wherein the step of parsing the interface call request to obtain the platform-as-a-service (PaaS) identifier of the client and the first signature generated by the client based on the first PaaS token corresponding to the PaaS identifier comprises:
parsing the interface call request to obtain the PaaS identifier, the first signature and a timestamp corresponding to the moment when the client generated the interface call request;
if the first signature is the same as the second signature, the step of sending the interface call request to the corresponding server, receiving a response result made by the server based on the interface call request, and sending the response result to the client includes:
if the first signature is the same as the second signature and the time difference between the moment corresponding to the timestamp and the current moment is smaller than a preset time difference threshold, the interface calling request is sent to a corresponding server, a response result of the server based on the interface calling request is received, and the response result is sent to the client.
3. The interface calling method of claim 2, wherein if the first signature and the second signature are the same and a time difference between a time corresponding to the timestamp and a current time is less than a preset time difference threshold, the step of sending the interface calling request to a corresponding server, receiving a response result by the server based on the interface calling request, and sending the response result to the client includes:
if the first signature is the same as the second signature, the time difference between the moment corresponding to the timestamp and the current moment is smaller than a preset time difference threshold, and the client is confirmed to have the calling authority of the interface corresponding to the interface calling request based on the PaaS identifier, the interface calling request is sent to the corresponding server, a response result of the server based on the interface calling request is received, and the response result is sent to the client.
4. The interface calling method of claim 3, wherein the interface calling method further comprises:
and if the first signature is different from the second signature, or the time difference between the moment corresponding to the time stamp and the current moment is not smaller than a preset time difference threshold, or the client does not have the calling authority of the interface corresponding to the interface calling request based on the PaaS identifier, sending a corresponding error code to the client.
5. The interface calling method according to claim 2, wherein the step of parsing the PaaS identifier, the first signature, and the timestamp corresponding to the time when the client generated the interface calling request according to the interface calling request includes:
parsing the interface call request to obtain the PaaS identifier, the first signature, the timestamp and the random character string;
the first signature is generated by the client based on the first PaaS token, the timestamp, the random string, and the step of generating a second signature based on the second PaaS token comprises:
the second signature is generated based on the second PaaS token, the timestamp, the random string.
6. The interface call method as claimed in claim 1, wherein the steps of transmitting the interface call request to a corresponding server, receiving a response result made by the server based on the interface call request, and transmitting the response result to the client include:
determining a corresponding target service from a plurality of services of the server according to the interface call request;
sending the interface call request to the target service;
and receiving a response result of the target service based on the interface call request, and sending the response result to the client.
7. An interface calling method, wherein the interface calling method is applied to a client, and the interface calling method comprises the following steps:
acquiring a platform-as-a-service (PaaS) identifier of the client and a first PaaS token corresponding to the PaaS identifier;
generating a first signature based on the first PaaS token;
generating and sending a corresponding interface call request to a gateway based on the PaaS identifier and the first signature so that the gateway can receive the interface call request; analyzing the PaaS identifier and the first signature according to the interface call request; invoking a second PaaS token registered in advance according to the PaaS identifier, and generating a second signature based on the second PaaS token; the interface calling request is sent to a corresponding server under the condition that the first signature and the second signature are the same, a response result made by the server based on the interface calling request is received, and the response result is sent to the client;
and receiving the response result.
8. An interface calling method, which is characterized in that the interface calling method is applied to a server, and the interface calling method comprises the following steps:
receiving an interface call request sent by a gateway, wherein after receiving the interface call request sent by a client, the gateway parses the interface call request to obtain a platform-as-a-service (PaaS) identifier of the client and a first signature generated by the client based on a first PaaS token corresponding to the PaaS identifier; invokes a second PaaS token registered in advance according to the PaaS identifier, and generates a second signature based on the second PaaS token; and, if the first signature is the same as the second signature, sends the interface call request to the server;
and obtaining a response result based on the interface call request and sending the response result to the gateway, so that the gateway can send the response result to the client.
9. An interface call system, characterized in that the interface call system comprises a client, a gateway, a server, the interface call system performing the steps of implementing the interface call method according to any of claims 1-6 or 7 or 8.
10. A computer-readable storage medium, wherein an interface calling program is stored on the computer-readable storage medium, which when executed by a processor, implements the steps of the interface calling method according to any of claims 1-6 or 7 or 8.
CN202311476239.1A 2023-11-07 2023-11-07 Interface calling method, system and storage medium Pending CN117336091A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202311476239.1A CN117336091A (en) 2023-11-07 2023-11-07 Interface calling method, system and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202311476239.1A CN117336091A (en) 2023-11-07 2023-11-07 Interface calling method, system and storage medium

Publications (1)

Publication Number Publication Date
CN117336091A CN117336091A (en) 2024-01-02

Family

ID=89293342

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202311476239.1A Pending CN117336091A (en) 2023-11-07 2023-11-07 Interface calling method, system and storage medium

Country Status (1)

Country Link
CN (1) CN117336091A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination