CN117353947A - Authentication method and system applied to gateway service - Google Patents


Info

Publication number: CN117353947A
Authority: CN (China)
Prior art keywords: authentication, authentication request, gateway, service, gateway service
Legal status: Pending
Application number: CN202210738800.8A
Other languages: Chinese (zh)
Inventor: 钱渭宗
Current Assignee: Shenzhen Lan You Technology Co Ltd
Original Assignee: Shenzhen Lan You Technology Co Ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0807 Network architectures or network communication protocols for network security for authentication of entities using tickets, e.g. Kerberos
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/101 Access control lists [ACL]
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3247 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Computer And Data Communications (AREA)

Abstract

The invention discloses an authentication method applied to a gateway service, which comprises the following steps: the client initiates an authentication request; the gateway service judges whether the authentication request meets the authentication condition; and if the authentication request meets the authentication condition, verification is performed using a gateway security policy. The gateway service of the invention is suited to complex microservice architectures, and by combining unified authentication and security policy management in the gateway service, it reduces the burden that expansion and maintenance place on the microservice architecture.

Description

Authentication method and system applied to gateway service
Technical Field
The present invention relates to the field of computer technologies, and in particular, to an authentication method and system applied to gateway services.
Background
In the mobile internet era, services are becoming more and more complex. Taking intelligent light boat (iLink) as an example, the traffic and the number of users keep increasing, and the data volume of each service module keeps growing. A monolithic application cannot meet requirements such as isolation, horizontal scaling, flexible upgrading and multi-team collaborative development. Therefore, iLink adopts the industry-accepted microservice technical architecture; there are dozens of microservices, and each of them may serve requests from multiple sources, such as PC, Mac, Android, iOS, web and open platforms. During iLink development, the microservices owned by different team members use different technology stacks. Many microservices implement some authentication logic and security policy of their own, which over time burdens the development and maintenance of the services.
Disclosure of Invention
The invention mainly aims to solve the problem that the complicated authentication logic and security policy of a microservice architecture burden the development and maintenance of microservices, and provides an authentication method and system applied to a gateway service.
In order to achieve the above object, the present invention provides an authentication method applied to a gateway service, comprising the following steps:
the client initiates an authentication request;
the gateway service judges whether the authentication request meets the authentication condition;
and if the authentication request meets the authentication condition, verifying by using a gateway security policy.
In the authentication method applied to the gateway service provided by the invention, the step of judging whether the authentication request meets the authentication condition by the gateway service comprises the following steps:
the gateway service judges whether the authentication request exceeds a rate-limiting (current limiting) threshold or a circuit-breaking (fusing) threshold; or
the gateway service judges whether the authentication request is authenticated; or
the gateway service judges whether the authenticating party that requires authentication is in a whitelist; or
the gateway service judges whether the IP of the initiator of the authentication request is in a blacklist.
In the authentication method applied to gateway service provided by the invention, if the authentication request meets the authentication condition, the step of using the gateway security policy for verification comprises the following steps:
if the gateway service judges that the authentication request exceeds the rate-limiting threshold or the circuit-breaking threshold, or the gateway service judges that the authentication request is authenticated, or the gateway service judges that the authenticating party requiring authentication is in the whitelist, or the gateway service judges that the IP of the initiator of the authentication request is not in the blacklist, judging whether the authentication request has been tampered with;
if the authentication request has not been tampered with, performing double authentication on the token and the signature of the authentication request, and filtering special characters in the authentication request;
comparing the signature of the authentication request with the signature in the database, and confirming the authentication request through the timestamp and the signature after the comparison is passed;
and acquiring a service authority list, and inquiring whether an initiator of the authentication request has access authority.
In the authentication method applied to gateway service provided by the invention, if the authentication request meets the authentication condition, the step of verifying by using the gateway security policy further comprises the following steps:
and if the gateway security policy is passed, allowing the client to access the target service and monitoring the client.
In addition, in order to achieve the above purpose, the present invention also provides an authentication system applied to gateway service, comprising a client and a gateway module;
the client initiates an authentication request;
the gateway module judges whether the authentication request meets the authentication condition;
if the authentication request meets the authentication condition, the gateway module uses the gateway security policy for verification.
In the authentication system applied to the gateway service provided by the invention, the gateway module is used to judge whether the authentication request exceeds the rate-limiting threshold or the circuit-breaking threshold, whether the authentication request is authenticated, whether the authenticating party requiring authentication is in the whitelist, or whether the IP of the initiator of the authentication request is in the blacklist.
In the authentication system applied to the gateway service provided by the invention, if the gateway module judges that the authentication request exceeds the rate-limiting threshold or the circuit-breaking threshold, or the gateway module judges that the authentication request is authenticated, or the gateway module judges that the authenticating party requiring authentication is in the whitelist, or the gateway module judges that the IP of the initiator of the authentication request is not in the blacklist, it judges whether the authentication request has been tampered with;
if the authentication request has not been tampered with, the gateway module performs double authentication on the token and the signature of the authentication request, and filters special characters in the authentication request;
the gateway module compares the signature of the authentication request with the signature in the database, and confirms the authentication request through the timestamp and the signature after the comparison;
the gateway module acquires the service authority list and inquires whether an initiator of the authentication request has access authority.
In the authentication system applied to the gateway service, which is provided by the invention, the system further comprises a cloud end, and if the gateway security policy is passed, the gateway module allows the client to access the target service, and the cloud end monitors the client.
In addition, to achieve the above object, the present invention also provides a terminal device, including:
a memory for storing a computer program;
a processor for implementing the steps of the authentication method applied to the gateway service as described above when executing the computer program.
In addition, to achieve the above object, the present invention also provides a computer-readable storage medium storing a computer program which, when executed by a processor, implements the steps of the authentication method applied to a gateway service as above.
The invention provides an authentication method and system applied to a gateway service, wherein the client initiates an authentication request; the gateway service judges whether the authentication request meets the authentication condition; and if the authentication request meets the authentication condition, verification is performed using a gateway security policy. The gateway service of the invention is suited to complex microservice architectures, and by combining unified authentication and security policy management in the gateway service, it reduces the burden that expansion and maintenance place on the microservice architecture.
Drawings
For a clearer description of an embodiment of the invention or of a technical solution in the prior art, the drawings that are needed in the description of the embodiment or of the prior art will be briefly described, it being obvious that the drawings in the description below are only embodiments of the invention, and that other drawings can be obtained, without inventive effort, by a person skilled in the art from the drawings provided:
Fig. 1 is a flow chart of an authentication method applied to a gateway service according to an embodiment of the present invention.
Fig. 2 is a first interactive diagram of an authentication method applied to a gateway service according to an embodiment of the present invention.
Fig. 3 is a second interactive diagram of an authentication method applied to a gateway service according to an embodiment of the present invention.
Fig. 4 is a third interaction diagram of an authentication method applied to a gateway service according to an embodiment of the present invention.
Fig. 5 is a fourth interaction diagram of an authentication method applied to a gateway service according to an embodiment of the present invention.
Fig. 6 is a fifth interaction diagram of an authentication method applied to a gateway service according to an embodiment of the present invention.
Fig. 7 is a sixth interaction diagram of an authentication method applied to a gateway service according to an embodiment of the present invention.
Fig. 8 is a block diagram of an authentication system applied to a gateway service according to an embodiment of the present invention.
Fig. 9 is a schematic diagram of a terminal device according to an embodiment of the present invention.
Detailed Description
In order that the invention may be readily understood, a more complete description of the invention will be rendered by reference to the appended drawings. Exemplary embodiments of the present invention are illustrated in the accompanying drawings. This invention may, however, be embodied in many different forms and should not be construed as limited to the embodiments set forth herein. Rather, these embodiments are provided so that this disclosure will be thorough and complete.
Unless defined otherwise, all technical and scientific terms used herein have the same meaning as commonly understood by one of ordinary skill in the art to which this invention belongs. The terminology used herein in the description of the invention is for the purpose of describing particular embodiments only and is not intended to be limiting of the invention.
In order to better understand the above technical solutions, the following detailed description will be made with reference to the accompanying drawings and specific embodiments, and it should be understood that specific features in the embodiments and examples of the present invention are detailed descriptions of the technical solutions of the present application, and not limit the technical solutions of the present application, and the technical features in the embodiments and examples of the present invention may be combined with each other without conflict.
Referring to fig. 1, fig. 1 is a flow chart of an authentication method applied to a gateway service according to an embodiment of the present invention, where in the embodiment, the authentication method applied to the gateway service includes:
step S10, a client initiates an authentication request;
step S20, the gateway service judges whether the authentication request meets the authentication condition;
and step S30, if the authentication request meets the authentication condition, the gateway security policy is used for verification.
The gateway service may be designed on the Spring Cloud Alibaba framework; the main technical frameworks and middleware applied may include, but are not limited to: Spring Cloud Gateway, Spring Cloud Alibaba Sentinel, Redis (remote dictionary service), Nacos and MySQL (relational database management system).
The four judgments made by the gateway service, namely whether the authentication request exceeds the rate-limiting threshold or the circuit-breaking threshold, whether the authentication request is authenticated, whether the authenticating party requiring authentication is in the whitelist, and whether the IP of the initiator of the authentication request is in the blacklist, have no fixed order: they may be performed simultaneously, the sequence is not limited, and only one, two or three of them may be performed.
For example, in an embodiment of the present invention, the gateway service determines whether the authentication request exceeds the rate-limiting threshold or the circuit-breaking threshold, or the gateway service determines whether the authentication request is authenticated, or the gateway service determines whether the authenticating party requiring authentication is in the whitelist, or the gateway service determines whether the IP of the initiator of the authentication request is in the blacklist.
For another example, in an embodiment of the present invention, the gateway service first determines whether the authentication request exceeds the rate-limiting threshold or the circuit-breaking threshold, then determines whether the authentication request is authenticated, then determines whether the authenticating party requiring authentication is in the whitelist, and finally determines whether the IP of the initiator of the authentication request is in the blacklist.
For another example, in an embodiment of the present invention, the gateway service first determines whether the authentication request exceeds the rate-limiting threshold or the circuit-breaking threshold, then determines whether the authenticating party requiring authentication is in the whitelist, and finally determines whether the IP of the initiator of the authentication request is in the blacklist.
The gateway service includes, but is not limited to, an integrated Sentinel; the background management system includes, but is not limited to, Nacos; and the target services include, but are not limited to, microservices.
Referring to fig. 2, in an embodiment of the present invention, the client initiates a batch of authentication requests to the gateway service. The gateway service provides rate limiting by QPS (queries per second) or by thread count, and the rate limit may be configured with Nacos. The authentication requests that exceed the rate-limiting threshold are returned with a prompt that the service is busy; those that do not exceed the threshold continue to authentication, and the authentication result determines whether the target service is accessed. The target service may be the iLink application service.
Referring to fig. 2, in an embodiment of the present invention, the client initiates a batch of authentication requests to the gateway service. The circuit-breaking modes of the gateway service, such as average response time, abnormal proportion and abnormal count, may be configured with Nacos. The authentication requests that exceed the rate-limiting threshold are returned with a prompt that the service is busy; those that do not exceed the threshold continue to authentication, and the authentication result determines whether the target service is accessed. The target service may be the iLink application service.
Referring to fig. 3, in an embodiment of the present invention, a token expiry extension mechanism may be added by caching the user information in Redis and setting a cache time after the user logs in. The user initiates an authentication request, and the gateway fetches the user information corresponding to the token from Redis. If it is fetched successfully, authentication continues; if the fetch fails, the user is prompted to log in again. The authentication result determines whether the target service is accessed, and the target service may be the iLink application service.
Referring to fig. 4, in an embodiment of the present invention, the authenticating party may have a system administrator of the background management system set a whitelist of services or APIs (application programming interfaces). The gateway service queries the background management system for the service or API whitelist, and the background management system returns the query result. If the service or API is within the whitelist, the gateway service routes directly to the corresponding service or API without authentication. If the service or API is not within the whitelist, authentication continues, and the authentication result determines whether the target service is accessed; the target service may be the iLink application service or the iLink application API.
Referring to fig. 5, in an embodiment of the present invention, a system administrator of the background management system sets an IP (internet protocol) whitelist or blacklist. The gateway service queries the background management system for the IP whitelist or blacklist, and the background management system returns the query result. If the IP is within the blacklist, the access is intercepted and the user is notified; if the IP is within the whitelist, authentication continues, and the authentication result determines whether the target service is accessed. The target service may be the iLink application service or the iLink application API.
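The pre-checks of figs. 2 to 5 in one gateway routine, as an added example that is not the patent's own code: rate limit by QPS, circuit breaker on abnormal proportion, IP blacklist, service/API whitelist bypass, and token lookup in a cache with expiry. The thresholds, the in-memory stand-ins for Redis and Nacos, and the check order (which the text leaves open) are assumptions.

```python
import time
from collections import deque
from dataclasses import dataclass, field
from typing import Deque, Dict, Optional, Set, Tuple


@dataclass
class AuthRequest:
    client_ip: str
    api: str                      # service or API path being requested
    token: Optional[str] = None


@dataclass
class GatewayState:
    # Thresholds a Nacos-style configuration would supply; the values are assumed.
    qps_limit: int = 5                  # rate-limiting threshold (QPS mode)
    error_ratio_limit: float = 0.5      # circuit-breaking threshold (abnormal proportion)
    min_calls: int = 4                  # samples needed before the breaker may open
    api_whitelist: Set[str] = field(default_factory=set)
    ip_blacklist: Set[str] = field(default_factory=set)
    # Redis stand-in: token -> (user identifier, expiry as epoch seconds)
    token_cache: Dict[str, Tuple[str, float]] = field(default_factory=dict)
    window: Deque[float] = field(default_factory=deque)   # accepted timestamps, last second
    outcomes: Deque[bool] = field(default_factory=lambda: deque(maxlen=20))  # True = abnormal

    def record_outcome(self, abnormal: bool) -> None:
        """Feed the circuit breaker with the result of a forwarded call."""
        self.outcomes.append(abnormal)


def precheck(req: AuthRequest, state: GatewayState, now: Optional[float] = None) -> str:
    """Return 'busy', 'blocked', 'route', 'login_required' or 'authenticate'.

    The text leaves the order of the judgments open; this order is one
    reasonable choice: cheapest rejections first, whitelist bypass before the
    token lookup.
    """
    now = time.time() if now is None else now

    # 1. Rate limit: sliding one-second window of accepted requests.
    while state.window and now - state.window[0] >= 1.0:
        state.window.popleft()
    if len(state.window) >= state.qps_limit:
        return "busy"                     # "service is busy" prompt
    state.window.append(now)

    # 2. Circuit breaker: abnormal proportion over the recent forwarded calls.
    if len(state.outcomes) >= state.min_calls:
        if sum(state.outcomes) / len(state.outcomes) >= state.error_ratio_limit:
            return "busy"

    # 3. IP blacklist: intercept and notify the user.
    if req.client_ip in state.ip_blacklist:
        return "blocked"

    # 4. Whitelisted service/API: route directly without authentication.
    if req.api in state.api_whitelist:
        return "route"

    # 5. Token lookup in the cache; a miss or an expired entry means re-login.
    entry = state.token_cache.get(req.token) if req.token else None
    if entry is None or entry[1] <= now:
        return "login_required"
    return "authenticate"                 # continue to signature and permission checks
```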
In an embodiment of the present invention, when traffic from the external network enters the isolation zone (DMZ), the request content of the HTTP channel is encrypted; the generated signature provides tamper resistance for the request content, and the token is used to verify that the request is compliant. In the isolation zone, the external network address is translated to an internal network address, and the HTTP channel request is converted into an HTTP channel request of the internal network.
The gateway service of the intranet obtains the signature of the client. If authentication passes, the gateway service judges whether the authentication request has been tampered with; if it has not been tampered with, the token and the signature of the authentication request undergo double authentication, special characters in the authentication request are filtered, the signature of the authentication request is compared with the signature in the database, and after the comparison passes, the authentication request is confirmed through the timestamp and the signature.
The string to be signed may be: client number + ";" + user identification + ";" + random code + ";" + timestamp + ";" + token + ";" and the hashing (encryption) algorithm may be SHA512 or MD5.
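The signing string and the gateway-side checks just described, as an added example that is not the patent's code: the client hashes client number, user id, random code, timestamp and token joined by ";" with SHA512, and the intranet verifier checks the token, the timestamp window and the signature, then rejects a reused random code. The verifier recomputes the digest from the received fields instead of looking one up in a database; the freshness window, the nonce store and the field names are assumptions, and MD5 is accepted only because the text lists it.

```python
import hashlib
import hmac
import os
import time
from typing import Dict, Optional

SEP = ";"
FRESHNESS_SECONDS = 300   # assumed acceptance window for the timestamp


def build_sign_string(client_no: str, user_id: str, nonce: str,
                      timestamp: int, token: str) -> str:
    """client number ";" user id ";" random code ";" timestamp ";" token ";" as in the text."""
    return SEP.join([client_no, user_id, nonce, str(timestamp), token]) + SEP


def sign(client_no: str, user_id: str, nonce: str, timestamp: int,
         token: str, algo: str = "sha512") -> str:
    # The digest contains no secret other than the token, so tamper resistance
    # depends on the token staying confidential (the text encrypts the channel).
    # MD5 is not collision-resistant; SHA512 is the choice to keep.
    data = build_sign_string(client_no, user_id, nonce, timestamp, token).encode("utf-8")
    return hashlib.new(algo, data).hexdigest()


def client_make_request(client_no: str, user_id: str, token: str,
                        now: Optional[int] = None) -> Dict[str, object]:
    """Client side: fresh random code and timestamp, then the signature."""
    ts = int(time.time()) if now is None else now
    nonce = os.urandom(8).hex()
    return {"client_no": client_no, "user_id": user_id, "nonce": nonce,
            "timestamp": ts, "token": token,
            "signature": sign(client_no, user_id, nonce, ts, token)}


class GatewayVerifier:
    """Intranet gateway side: token, timestamp, signature, then replay check."""

    def __init__(self, token_store: Dict[str, str], algo: str = "sha512") -> None:
        self.token_store = token_store   # token -> user id (database/Redis stand-in)
        self.algo = algo
        self.seen_nonces: Dict[str, float] = {}   # nonce -> expiry, for replay detection

    def verify(self, req: Dict[str, object], now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        # The token must be known and belong to the claimed user.
        if self.token_store.get(str(req["token"])) != req["user_id"]:
            return "token_invalid"
        # The timestamp bounds the replay window before any hashing is done.
        if abs(now - int(req["timestamp"])) > FRESHNESS_SECONDS:
            return "stale"
        # Recompute the digest over the received fields; compare in constant time.
        expected = sign(str(req["client_no"]), str(req["user_id"]), str(req["nonce"]),
                        int(req["timestamp"]), str(req["token"]), self.algo)
        if not hmac.compare_digest(expected, str(req["signature"])):
            return "tampered"
        # A random code may be used once within the window; purge expired ones first.
        self.seen_nonces = {n: exp for n, exp in self.seen_nonces.items() if exp > now}
        if str(req["nonce"]) in self.seen_nonces:
            return "replay"
        self.seen_nonces[str(req["nonce"])] = now + FRESHNESS_SECONDS
        return "ok"
```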
Referring to fig. 6, in an embodiment of the present invention, a system administrator of the background management system sets the permission relationship between a user, or the role the user belongs to, and a service. The user initiates a request, and the gateway obtains from Redis, by the user identifier, the service permission list corresponding to the user or the user's role.
If the role or user in Redis does not have access rights to the corresponding service, the database is queried. If the database query result grants access, the latest service permission list is updated in Redis with an expiration time, and the request is forwarded to the corresponding service; if the database query result grants no access, the user is prompted that the access is not authorized. If the role or user in Redis has access rights to the corresponding service, the request is routed directly to the corresponding target service, which may be the iLink application service.
Referring to fig. 7, in an embodiment of the present invention, the background management system sets the permission relationship between an application, or the role the application belongs to, and a service API. When the service API is accessed, the gateway obtains from Redis, by the service access token, the open service API permission list corresponding to the application or its role.
If the application or its role in Redis does not have access rights to the corresponding open service API, the database is queried. If the database query result grants access, the latest service permission list is updated in Redis with an expiration time, and the request is forwarded to the corresponding open service API; if the database query result grants no access, the caller is prompted that the access is not authorized. If the application or its role in Redis has access rights to the corresponding open service API, the request is routed directly to the corresponding open service API.
If the gateway security policy is passed, the client is allowed to access the target service and is monitored; specifically, the gateway service is connected to the monitoring cloud so that logs are persisted.
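The cache-aside permission lookup of figs. 6 and 7, as an added example that is not the patent's code: the cached list in Redis is consulted first, a miss or denial falls through to the database, and a grant is written back with an expiration time. The in-memory stand-ins for Redis and the database, the key scheme ("user:" and "role:" prefixes) and the TTL are assumptions.

```python
import time
from typing import Dict, Iterable, Optional, Set, Tuple


class PermissionGateway:
    """Cache-aside permission lookup: Redis first, database on a miss or a denial."""

    def __init__(self, db: Dict[str, Set[str]], ttl: float = 600.0) -> None:
        self.db = db            # key ("user:..." / "role:...") -> services; database stand-in
        self.cache: Dict[str, Tuple[Set[str], float]] = {}   # Redis stand-in with expiry
        self.ttl = ttl
        self.db_queries = 0     # observable cost of cache misses

    def _cached_permissions(self, keys: Iterable[str], now: float) -> Set[str]:
        """Union of the unexpired cached lists for the user and its roles."""
        perms: Set[str] = set()
        for key in keys:
            entry = self.cache.get(key)
            if entry is not None and entry[1] > now:
                perms |= entry[0]
        return perms

    def authorize(self, keys: Tuple[str, ...], service: str,
                  now: Optional[float] = None) -> str:
        """keys: the user identifier and the roles it belongs to, e.g. ("user:alice", "role:ops")."""
        now = time.time() if now is None else now
        if service in self._cached_permissions(keys, now):
            return "route"                 # hit in Redis: route straight to the target service
        # Miss or denial in Redis: consult the database.
        self.db_queries += 1
        granted = any(service in self.db.get(key, set()) for key in keys)
        if not granted:
            # As in the text, a denial is not written back to Redis, so every
            # repeated denied request costs a database query; cache it if that matters.
            return "unauthorized"
        # Refresh the latest permission lists in Redis with an expiration time.
        for key in keys:
            self.cache[key] = (set(self.db.get(key, set())), now + self.ttl)
        return "route"
```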
In the above manner, the client initiates the authentication request, the gateway service judges whether the authentication request meets the authentication condition, and if it does, the gateway security policy is used for verification. The gateway service is therefore suited to complex microservice architectures, and by combining unified authentication and security policy management in the gateway service, the burden that expansion and maintenance place on the microservice architecture is reduced.
Referring to fig. 8, correspondingly, the present invention also provides an authentication system 200 applied to the gateway service, including a client 201 and a gateway module 202;
the client 201 initiates an authentication request;
the gateway module 202 determines whether the authentication request satisfies an authentication condition;
if the authentication request satisfies the authentication condition, the gateway module 202 verifies using the gateway security policy.
Further, in an embodiment of the present invention, the gateway module 202 is configured to determine whether the authentication request exceeds the rate-limiting threshold or the circuit-breaking threshold, whether the authentication request is authenticated, whether the authenticating party requiring authentication is in the whitelist, or whether the IP of the initiator of the authentication request is in the blacklist.
Further, in an embodiment of the present invention, if the gateway module 202 determines that the authentication request exceeds the rate-limiting threshold or the circuit-breaking threshold, or the gateway module 202 determines that the authentication request is authenticated, or the gateway module 202 determines that the authenticating party requiring authentication is in the whitelist, or the gateway module 202 determines that the IP of the initiator of the authentication request is not in the blacklist, it determines whether the authentication request has been tampered with;
if the authentication request has not been tampered with, the gateway module 202 performs double authentication on the token and the signature of the authentication request, and filters special characters in the authentication request;
the gateway module 202 compares the signature of the authentication request with the signature in the database, and after the comparison is passed, confirms the authentication request through the timestamp and the signature;
the gateway module 202 obtains a service rights list and queries whether the originator of the authentication request has access rights.
Further, in an embodiment of the present invention, in the authentication system applied to a gateway service provided by the present invention, the system further includes a cloud 203, and if the gateway security policy is passed, the gateway module 202 allows the client 201 to access the target service, and the cloud 203 monitors the client 201.
Referring to fig. 9, an embodiment of the present invention further provides a terminal device 100, which may include:
a memory 101 for storing a computer program;
the processor 102, when executing the computer program stored in the memory 101, may implement the following steps:
the client initiates an authentication request; the gateway module judges whether the authentication request meets the authentication condition; if the authentication request meets the authentication condition, the gateway module uses the gateway security policy for verification.
The embodiment of the invention also provides a computer-readable storage medium storing a computer program which, when executed by a processor, can implement the following steps:
the client initiates an authentication request; the gateway module judges whether the authentication request meets the authentication condition; if the authentication request meets the authentication condition, the gateway module uses the gateway security policy for verification.
The computer-readable storage medium may include: a USB flash drive, a removable hard disk, ROM (Read-Only Memory), RAM (Random Access Memory), a magnetic disk or an optical disk, etc.
In the description provided herein, numerous specific details are set forth. However, it is understood that embodiments of the invention may be practiced without these specific details. In some instances, well-known methods, structures and techniques have not been shown in detail in order not to obscure an understanding of this description.
Similarly, it should be appreciated that in the foregoing description of exemplary embodiments of the invention, various features of the invention are sometimes grouped together in a single embodiment, figure, or description thereof for the purpose of streamlining the disclosure and aiding in the understanding of one or more of the various inventive aspects. However, the disclosed method should not be construed as reflecting the intention that: i.e., the claimed invention requires more features than are expressly recited in each claim. Rather, as the following claims reflect, inventive aspects lie in less than all features of a single foregoing disclosed embodiment. Thus, the claims following the detailed description are hereby expressly incorporated into this detailed description, with each claim standing on its own as a separate embodiment of this invention.
Those skilled in the art will appreciate that the modules in the apparatus of the embodiments may be adaptively changed and disposed in one or more apparatuses different from the embodiments. The modules or units or components of the embodiments may be combined into one module or unit or component and, furthermore, they may be divided into a plurality of sub-modules or sub-units or sub-components. Any combination of all features disclosed in this specification (including any accompanying claims, abstract and drawings), and all of the processes or units of any method or apparatus so disclosed, may be used in combination, except insofar as at least some of such features and/or processes or units are mutually exclusive. Each feature disclosed in this specification (including any accompanying claims, abstract and drawings), may be replaced by alternative features serving the same, equivalent or similar purpose, unless expressly stated otherwise.
Furthermore, those skilled in the art will appreciate that while some embodiments herein include some features but not others included in other embodiments, combinations of features of different embodiments are meant to be within the scope of the invention and form different embodiments. For example, in the following claims, any of the claimed embodiments can be used in any combination.
Various component embodiments of the invention may be implemented in hardware, or in software modules running on one or more processors, or in a combination thereof. Those skilled in the art will appreciate that some or all of the functions of some or all of the components in accordance with embodiments of the present invention may be implemented in practice using a microprocessor or Digital Signal Processor (DSP). The present invention can also be implemented as an apparatus or device program (e.g., a computer program and a computer program product) for performing a portion or all of the methods described herein. Such a program embodying the present invention may be stored on a computer readable medium, or may have the form of one or more signals. Such signals may be downloaded from an internet website, provided on a carrier signal, or provided in any other form.
It should be noted that the above-mentioned embodiments illustrate rather than limit the invention, and that those skilled in the art will be able to design alternative embodiments without departing from the scope of the appended claims. In the claims, any reference signs placed between parentheses shall not be construed as limiting the claim. The word "comprising" does not exclude the presence of elements or steps not listed in a claim. The word "a" or "an" preceding an element does not exclude the presence of a plurality of such elements. The invention may be implemented by means of hardware comprising several distinct elements, and by means of a suitably programmed computer. In the unit claims enumerating several means, several of these means may be embodied by one and the same item of hardware. The use of the words first, second, third, etc. does not denote any order; these words may be interpreted as names.

Claims (10)

1. An authentication method applied to gateway service, comprising the steps of:
the client initiates an authentication request;
the gateway service judges whether the authentication request meets the authentication condition;
and if the authentication request meets the authentication condition, verifying by using a gateway security policy.
2. The authentication method applied to a gateway service according to claim 1, wherein the step of the gateway service judging whether the authentication request satisfies an authentication condition comprises:
the gateway service judging whether the authentication request exceeds a rate-limiting threshold or a circuit-breaking threshold; or
the gateway service judging whether the authentication request has been authenticated; or
the gateway service judging whether the authenticating party requiring authentication is in a white list; or
the gateway service judging whether the IP of the initiator of the authentication request is in a white list or a black list.
3. The authentication method applied to a gateway service according to claim 2, wherein the step of verifying using a gateway security policy if the authentication request satisfies the authentication condition comprises:
if the gateway service judges that the authentication request exceeds a rate-limiting threshold or a circuit-breaking threshold, or the gateway service judges that the authentication request has been authenticated, or the gateway service judges that the authenticating party requiring authentication is in a white list, or the gateway service judges that the IP of the initiator of the authentication request is not in a black list, judging whether the authentication request has been tampered with;
if the authentication request has not been tampered with, performing double authentication of the token and the signature of the authentication request, and filtering special characters in the authentication request;
comparing the signature of the authentication request with the signature in the database, and after the comparison passes, confirming the authentication request by means of the timestamp and the signature;
and acquiring a service authority list, and querying whether the initiator of the authentication request has access authority.
4. The authentication method applied to a gateway service according to claim 1, wherein after the step of verifying using a gateway security policy if the authentication request satisfies the authentication condition, further comprising:
and if the gateway security policy is passed, allowing the client to access the target service and monitoring the client.
5. An authentication system applied to gateway service, characterized in that the system comprises a client and a gateway module;
the client initiates an authentication request;
the gateway module judges whether the authentication request meets an authentication condition;
and if the authentication request meets the authentication condition, the gateway module uses a gateway security policy to verify.
6. The authentication system for a gateway service according to claim 5, wherein the gateway module is configured to judge whether the authentication request exceeds a rate-limiting threshold or a circuit-breaking threshold, whether the authentication request has been authenticated, whether the authenticating party requiring authentication is in a white list, or whether the IP of the initiator of the authentication request is in a black list.
7. The authentication system for a gateway service according to claim 6, wherein if the gateway module judges that the authentication request exceeds a rate-limiting threshold or a circuit-breaking threshold, or the gateway module judges that the authentication request has been authenticated, or the gateway module judges that the authenticating party requiring authentication is in a white list, or the gateway module judges that the IP of the initiator of the authentication request is not in a black list, the gateway module judges whether the authentication request has been tampered with;
if the authentication request has not been tampered with, the gateway module performs double authentication of the token and the signature of the authentication request, and filters special characters in the authentication request;
the gateway module compares the signature of the authentication request with the signature in the database, and after the comparison passes, confirms the authentication request by means of the timestamp and the signature;
the gateway module acquires a service authority list and queries whether the initiator of the authentication request has access authority.
8. The authentication system for a gateway service according to claim 5, further comprising a cloud, wherein the gateway module allows the client to access a target service if the gateway security policy is passed, the cloud monitoring the client.
9. A terminal device, characterized in that the terminal device comprises: a memory, a processor and a data processing program stored on the memory and executable on the processor, which when executed by the processor, implements the method of any one of claims 1 to 4.
10. A computer readable storage medium, characterized in that the computer readable storage medium has stored thereon a data processing program which, when executed by a processor, implements the method according to any of claims 1 to 4.
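The claims describe a two-stage gateway check: a pre-condition stage (rate limit or circuit breaker, allow/deny lists) followed by a security-policy stage (tamper check, token and signature, special-character filtering, timestamp-and-signature confirmation, permission lookup). The patent discloses no code, so the following is an added Python sketch of one way to realise that pipeline, not the applicant's implementation. Everything in it is assumed: the client stores, the HMAC-SHA256-over-canonical-request construction that serves as both tamper check and signature, the fixed-window counter standing in for the rate limiter, the accepted-signature set plus freshness window standing in for the "timestamp and signature" confirmation, and the sample client, token and RFC 5737 test addresses. Note also that claim 3 read literally proceeds when the request *exceeds* the threshold; the sketch treats exceeding the threshold as a rejection, which is the only reading under which a rate limit protects anything.

```python
import hashlib
import hmac
import re
import time
from dataclasses import dataclass, field

# Hypothetical stores standing in for the gateway's database (constructed for this example).
CLIENT_SECRETS = {"app-1": b"shared-secret-for-app-1"}  # client id -> HMAC key
VALID_TOKENS = {"tok-abc": "app-1"}                      # issued token -> client id
PERMISSIONS = {"app-1": {"/orders"}}                     # client id -> allowed service paths
IP_DENYLIST = {"203.0.113.9"}                             # RFC 5737 test address
SPECIAL_CHARS = re.compile(r"[<>'\";]")                  # crude filter applied to path and body


@dataclass
class AuthRequest:
    client_id: str
    ip: str
    token: str
    timestamp: int   # Unix seconds set by the client
    path: str        # target service path, e.g. "/orders"
    body: str
    signature: str   # hex HMAC-SHA256 produced by sign()


def canonical(client_id: str, timestamp: int, path: str, body: str) -> bytes:
    # Everything that must not be altered in transit is bound into the signed string.
    return f"{client_id}\n{timestamp}\n{path}\n{body}".encode()


def sign(client_id: str, timestamp: int, path: str, body: str) -> str:
    key = CLIENT_SECRETS[client_id]
    return hmac.new(key, canonical(client_id, timestamp, path, body), hashlib.sha256).hexdigest()


@dataclass
class Gateway:
    rate_limit: int = 3        # requests per window per client (the rate-limiting threshold)
    window_s: int = 60
    max_skew_s: int = 300      # timestamp freshness window; bounds how long a capture is replayable
    history: dict = field(default_factory=dict)        # client id -> recent request times
    used_signatures: set = field(default_factory=set)  # signatures already accepted

    def meets_condition(self, req: AuthRequest, now: int):
        """Stage 1 (claim 2): deny list and throttling. Returns a reason on failure, else None."""
        if req.ip in IP_DENYLIST:
            return "ip_denied"
        recent = [t for t in self.history.get(req.client_id, []) if now - t < self.window_s]
        if len(recent) >= self.rate_limit:
            return "rate_limited"
        recent.append(now)
        self.history[req.client_id] = recent
        return None

    def security_policy(self, req: AuthRequest, now: int):
        """Stage 2 (claim 3): tamper check, token + signature, character filter, freshness, permissions."""
        if req.client_id not in CLIENT_SECRETS:
            return "unknown_client"
        # Tamper check and signature verification are one operation: recompute the HMAC over the
        # canonical request and compare in constant time.
        expected = sign(req.client_id, req.timestamp, req.path, req.body)
        if not hmac.compare_digest(expected, req.signature):
            return "tampered_or_bad_signature"
        # Second half of the "double authentication": the token must have been issued to the signing client.
        if VALID_TOKENS.get(req.token) != req.client_id:
            return "bad_token"
        if SPECIAL_CHARS.search(req.path) or SPECIAL_CHARS.search(req.body):
            return "special_characters"
        # Timestamp-plus-signature confirmation: stale or previously accepted signatures are replays.
        if abs(now - req.timestamp) > self.max_skew_s:
            return "stale_timestamp"
        if req.signature in self.used_signatures:
            return "replayed"
        self.used_signatures.add(req.signature)
        # Service authority list lookup.
        if req.path not in PERMISSIONS.get(req.client_id, set()):
            return "forbidden"
        return None

    def authenticate(self, req: AuthRequest, now=None):
        """Full pipeline; returns (allowed, reason)."""
        now = int(time.time()) if now is None else now
        reason = self.meets_condition(req, now) or self.security_policy(req, now)
        return (reason is None, reason or "allowed")
```

Two practitioner caveats follow from the design. The accepted-signature set only needs to retain entries for `max_skew_s`, since anything older is rejected by the freshness check anyway; a production gateway would expire it (or key it by client) rather than let it grow without bound. And the special-character filter is a denylist over a handful of characters; it rejects the obvious `' OR '1'='1` shape but is no substitute for parameterised queries and output encoding in the target service.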

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210738800.8A CN117353947A (en) 2022-06-27 2022-06-27 Authentication method and system applied to gateway service

Publications (1)

Publication Number Publication Date
CN117353947A true CN117353947A (en) 2024-01-05

Family

ID=89365469

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination