CN117499486A - Data processing method and device, electronic equipment and computer readable storage medium - Google Patents


Publication number
CN117499486A
Authority
CN
China
Prior art keywords
resource
service
application server
target
authentication
Legal status
Pending
Application number
CN202310424462.5A
Other languages
Chinese (zh)
Inventor
张伟
吴海英
蒋宁
陆全
夏粉
李云彬
Current Assignee
Mashang Xiaofei Finance Co Ltd
Original Assignee
Mashang Xiaofei Finance Co Ltd
Application filed by Mashang Xiaofei Finance Co Ltd
Priority to CN202310424462.5A
Publication of CN117499486A

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00: Network arrangements or protocols for supporting network services or applications
    • H04L67/50: Network services
    • H04L67/60: Scheduling or organising the servicing of application requests, e.g. requests for application data transmissions using the analysis and optimisation of the required network resources
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/10: Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/101: Access control lists [ACL]
    • Y: GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02: TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D: CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D10/00: Energy efficient computing, e.g. low power processors, power management or thermal management

Abstract

The present disclosure provides a data processing method and apparatus, an electronic device, and a computer readable storage medium, applied to a service gateway, where the service gateway is configured to perform interface route management on at least one application server. The method includes: receiving a resource access request sent by a client; acquiring a service identifier of a target application server and a resource path of a target resource from the resource access request; querying whether a matching record that matches the service identifier and the resource path exists in the target white list set; and, in the case that the matching record exists in the target white list set, determining the resource access request to be an authentication-free request and forwarding the resource access request to the target application server. According to the embodiments of the disclosure, the processing efficiency of the service gateway can be improved.

Description

Data processing method and device, electronic equipment and computer readable storage medium
Technical Field
The present disclosure relates to the field of computer technologies, and in particular, to a data processing method and apparatus, an electronic device, and a computer readable storage medium.
Background
Generally, when receiving a resource access request sent by a client, a service gateway often needs to perform authentication processing to determine whether a user has authority to access a resource, that is, the service gateway obtains user information of the user initiating the resource access request and a resource requested to be accessed by the resource access request, verifies whether the user has authority to access the resource in an authentication server according to the user information, and determines whether to forward the resource access request to a corresponding application service for processing according to an authentication result.
However, within one application service some resources need access rights to be set and others do not. In the above processing method, whatever the type of resource, service personnel are required to configure the access rights of the resource in the authentication server in advance, and when the service gateway receives a resource access request it must first go to the authentication server to perform authentication processing in order to determine whether to forward the resource access request to the corresponding application service for processing, which is inefficient.
Disclosure of Invention
The disclosure provides a data processing method and device, electronic equipment and a computer readable storage medium.
In a first aspect, the present disclosure provides a data processing method, applied to a service gateway, where the service gateway is configured to perform interface route management on at least one application server, and the method includes:
receiving a resource access request sent by a client; the resource access request is used for accessing a target resource provided by a target application server, and the target application server is any application server in the at least one application server;
acquiring a service identifier of the target application server and a resource path of the target resource from the resource access request, wherein the resource path is a path of an interface for accessing the target resource;
inquiring whether a matching record matched with the service identifier and the resource path exists in a target white list set;
the target white list set comprises a plurality of resource records, and the resource records are in one-to-one correspondence with the application server; the resource record is generated according to first service information of a corresponding first application server, the first service information comprises a target resource path corresponding to the first application server, and the target resource path is a resource path of a resource containing a preset authentication identifier in a code of the first application server; the preset authentication mark is used for indicating that the marked resource in the first application server is an authentication-free resource, and the first application server is any application server in the at least one application server;
and under the condition that the matching record exists in the target white list set, determining that the resource access request is an authentication-free request, and forwarding the resource access request to the target application server.
In a second aspect, the present disclosure provides another data processing method applied to an application server, where the application server relies on a service gateway to perform interface routing management, the data processing method includes:
acquiring a resource path of a resource containing a preset authentication identifier, and acquiring a service identifier of the application server; the preset authentication mark is arranged in the code of the application server and used for indicating that the marked resource in the application server is an authentication-free resource; generating service information corresponding to the application server according to the service identifier and the resource path;
generating a service registration request according to the service information, and sending the service registration request to a service management platform; the service registration request is used for requesting the service management platform to perform service registration processing on the application server, and the service management platform is at least used for performing service registration processing on the application server and sending the service information to the service gateway.
In a third aspect, the present disclosure provides still another data processing method applied to a service management platform, where the data processing method includes:
acquiring a service registration request sent by an application server; wherein, the service registration request comprises the service information of the application server; the service information comprises a resource path of a resource containing a preset authentication identifier in the code of the application server; the preset authentication mark is used for indicating that the marked resource in the application server is authentication-free resource;
in response to the service registration request, performing service registration processing on the application server according to the service information, and then sending the service information to a service gateway, wherein the service gateway is used for performing interface route management on the application server.
In a fourth aspect, the present disclosure provides a data processing apparatus applied to a service gateway, where the service gateway is configured to perform interface route management on at least one application server, and the data processing apparatus includes:
the receiving unit is used for receiving the resource access request sent by the client; the resource access request is used for accessing a target resource provided by a target application server, and the target application server is any application server in the at least one application server;
the first acquisition unit is used for acquiring the service identifier of the target application server and the resource path of the target resource from the resource access request, wherein the resource path is a path of an interface for accessing the target resource;
a matching unit, configured to query whether a matching record matching the service identifier and the resource path exists in a target white list set;
the target white list set comprises a plurality of resource records, and the resource records are in one-to-one correspondence with the application server; the resource record is generated according to first service information of a corresponding first application server, the first service information comprises a target resource path corresponding to the first application server, and the target resource path is a resource path of a resource containing a preset authentication identifier in a code of the first application server; the preset authentication mark is used for indicating that the marked resource in the first application server is an authentication-free resource, and the first application server is any application server in the at least one application server;
and the forwarding unit is used for determining that the resource access request is an authentication-free request and forwarding the resource access request to the target application server under the condition that the matching record exists in the target white list set.
In a fifth aspect, the present disclosure provides another data processing apparatus applied to an application server, the application server performing interface routing management depending on a service gateway, the data processing apparatus comprising:
the second acquisition unit is used for acquiring a resource path of a resource containing a preset authentication identifier and acquiring a service identifier of the application server; the preset authentication mark is arranged in the code of the application server and used for indicating that the marked resource in the application server is an authentication-free resource;
the generating unit is used for generating service information corresponding to the application server according to the service identifier and the resource path;
the registration unit is used for generating a service registration request according to the service information and sending the service registration request to a service management platform; the service registration request is used for requesting the service management platform to perform service registration processing on the application server, and the service management platform is at least used for performing service registration processing on the application server and sending the service information to the service gateway.
In a sixth aspect, the present disclosure provides still another data processing apparatus applied to a service management platform, the data processing apparatus including:
a third obtaining unit, configured to obtain a service registration request sent by an application server; wherein, the service registration request comprises the service information of the application server; the service information comprises a resource path of a resource containing a preset authentication identifier in the code of the application server; the preset authentication mark is used for indicating that the marked resource in the application server is authentication-free resource;
and the response unit is used for, in response to the service registration request, performing service registration processing on the application server according to the service information and then sending the service information to a service gateway, wherein the service gateway is used for performing interface route management on the application server.
In a seventh aspect, the present disclosure provides a data processing system comprising:
at least one client;
a service gateway, configured to perform the data processing method described in the first aspect;
at least one application server for executing the data processing method according to the second aspect;
a service management platform, configured to execute the data processing method described in the third aspect.
In an eighth aspect, the present disclosure provides an electronic device comprising: at least one processor; and a memory communicatively coupled to the at least one processor; wherein the memory stores one or more computer programs executable by the at least one processor, one or more of the computer programs being executable by the at least one processor to enable the at least one processor to perform the data processing method of any one of the aspects described above.
In a ninth aspect, the present disclosure provides a computer readable storage medium having stored thereon a computer program, wherein the computer program when executed by a processor implements the data processing method of any of the above aspects.
According to the embodiment provided by the disclosure, after receiving the resource access request sent by the client and used for accessing the target resource of the target application server, the service gateway obtains the service identifier of the target application server and the resource path of the target resource from the resource access request, and inquires whether a matching record matched with the service identifier and the resource path exists in the target white list set, so that whether the resource access request is an authentication-free request or not can be confirmed, namely, whether the authority of the user initiating the resource access request needs to be authenticated or not.
Because the resource records in the target white list set are in one-to-one correspondence with the application server; the resource record is generated according to the first service information of the first application service end corresponding to the resource record, and the first service information comprises a resource path of resources with preset authentication identifiers in codes of the first application service end, and the preset authentication identifiers represent marked resources as authentication-free type resources.
It should be understood that the description in this section is not intended to identify key or critical features of the embodiments of the disclosure, nor is it intended to be used to limit the scope of the disclosure. Other features of the present disclosure will become apparent from the following specification.
Drawings
The accompanying drawings are included to provide a further understanding of the disclosure, and are incorporated in and constitute a part of this specification, illustrate embodiments of the disclosure and together with the description serve to explain the disclosure, without limitation to the disclosure. The above and other features and advantages will become more readily apparent to those skilled in the art by describing in detail exemplary embodiments with reference to the attached drawings, in which:
FIG. 1 is a schematic diagram of a data processing method in the related art;
FIG. 2 is a schematic diagram of a data processing system provided by an embodiment of the present disclosure;
FIG. 3 is a flowchart of a data processing method according to an embodiment of the present disclosure;
FIG. 4 is a flow chart of another data processing method provided by an embodiment of the present disclosure;
FIG. 5 is a flow chart of yet another data processing method provided by an embodiment of the present disclosure;
FIG. 6 is a block diagram of a data processing apparatus provided by an embodiment of the present disclosure;
FIG. 7 is a block diagram of another data processing apparatus provided by an embodiment of the present disclosure;
FIG. 8 is a block diagram of yet another data processing apparatus provided by an embodiment of the present disclosure;
FIG. 9 is a block diagram of an electronic device according to an embodiment of the present disclosure.
Detailed Description
For a better understanding of the technical solutions of the present disclosure, exemplary embodiments of the present disclosure will be described below with reference to the accompanying drawings, in which various details of the embodiments of the present disclosure are included to facilitate understanding, and they should be considered as merely exemplary. Accordingly, one of ordinary skill in the art will recognize that various changes and modifications of the embodiments described herein can be made without departing from the scope and spirit of the present disclosure. Also, descriptions of well-known functions and constructions are omitted in the following description for clarity and conciseness.
Embodiments of the disclosure and features of embodiments may be combined with each other without conflict.
As used herein, the term "and/or" includes any and all combinations of one or more of the associated listed items.
The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the disclosure. As used herein, the singular forms "a," "an," and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise. It will be further understood that the terms "comprises" and/or "comprising," when used in this specification, specify the presence of stated features, integers, steps, operations, elements, and/or components, but do not preclude the presence or addition of one or more other features, integers, steps, operations, elements, components, and/or groups thereof. The terms "connected" or "connected," and the like, are not limited to physical or mechanical connections, but may include electrical connections, whether direct or indirect.
Unless otherwise defined, all terms (including technical and scientific terms) used herein have the same meaning as commonly understood by one of ordinary skill in the art. It will be further understood that terms, such as those defined in commonly used dictionaries, should be interpreted as having a meaning that is consistent with their meaning in the context of the relevant art and the present disclosure, and will not be interpreted in an idealized or overly formal sense unless expressly so defined herein.
Please refer to fig. 1, which is a schematic diagram of a data processing method in the related art. As shown in fig. 1, in this data processing method, when an application server needs to be published, the following processing generally needs to be executed in order to facilitate unified management of the application server:
1. Authority configuration processing: before an application server is released, a business person manually configures in advance, in an authentication server, the correspondence between each resource in the application server and the user authority.
2. Application registration processing: during its startup, the application server automatically registers with a service management platform, for example Nacos.
3. Service information acquisition processing: a service gateway is set up, and the service gateway acquires the service information of all registered application servers from the service management platform. The service gateway may also be called an API gateway; the service information of an application server may include a service identifier and service address information, and the service address information may be the IP address and port number of the application server.
4. Request sending processing: an ordinary user can, based on the client, send to the service gateway a resource access request for accessing a resource provided by the application server, and the service gateway receives the resource access request in order to perform unified interface route management.
5. After receiving the resource access request, the service gateway responds to the resource access request by acquiring user information of the user initiating the resource access request and the resource that the resource access request asks to access, and sends an authentication request to an authentication server according to the user information so as to verify whether the user has the authority to access the resource.
6. Request response processing: when the service gateway receives the authentication result corresponding to the resource access request and confirms that the user has the authority to access the corresponding resource, it forwards the resource access request to the application server for response processing.
In this data processing method, on the one hand, while an application server is being released, service personnel must manually perform authority configuration processing in the authentication server, and whenever resources in the application server are updated, service personnel must update the corresponding configuration in the authentication server in time, so errors and low efficiency are likely; on the other hand, in an application server it is often the case that not all resources need to be authenticated, yet under the data processing method in the related art even authentication-free resources, that is, resources which do not need to be authenticated, must be preconfigured in the authentication server, and on receiving an access request for such a resource the service gateway must first perform authentication interaction with the authentication server before it can decide to forward the access request to the corresponding application server.
Referring now to FIG. 2, a diagram of a data processing system according to one embodiment of the present disclosure is shown. As shown in fig. 2, the data processing system may include at least one client 101, a service gateway 102, at least one application server (for example, the application server 103), a service management platform 104, and an authentication and authorization server 105.
The client 101 may be an application provided in a terminal device, where the terminal device may be, for example, a smart phone, a portable computer, a desktop computer, a tablet computer, etc.; the client 101 may also be an application service provided in a server, where the application service is configured to send a resource access request to a downstream service, so as to perform its own service processing based on a resource provided by the downstream service.
The service gateway 102 may be a gateway server for performing interface route management on at least one application server, for example, may be a server for performing interface route management on the application server 103; the service gateway 102 may be implemented, for example, based on Spring Cloud Gateway.
The at least one application server, for example, application server 103, may be an application service running in one or more servers; for example, the application server may be any microservice in a microservice architecture.
The service management platform 104 may be a server for performing at least a service registration process and a service discovery process, and the service management platform 104 may be implemented based on, for example, Nacos.
The authentication server 105 may be configured to: receiving and storing configuration information configured by service personnel and used for representing the corresponding relation between authentication type resources and user rights in the application server 103; and performing authentication processing based on the configuration information when an authentication request sent by the service gateway is received.
In the embodiment of the present disclosure, the application server 103 may be configured to: acquiring a resource path of a resource containing a preset authentication identifier, and acquiring a service identifier of an application server; the preset authentication mark is arranged in the code of the application server and used for indicating that the marked resource in the application server is authentication-free resource; generating service information corresponding to the application server according to the service identifier and the resource path; and generating a service registration request according to the service information, and sending the service registration request to the service management platform 104, wherein the service registration request is used for requesting the service management platform to perform service registration processing on the application server, and the service management platform is at least used for performing service registration processing on the application server and sending the service information to the service gateway.
The service management platform 104 may be configured to: acquiring a service registration request sent by an application server 103; the service registration request comprises service information of an application server; the service information comprises a resource path of a resource of which the code of the application server contains a preset authentication mark; the preset authentication mark is used for indicating that the marked resource in the application server is authentication-free resource; after performing service registration processing on the application server 103 according to the service information in response to the service registration request, the service information is sent to the service gateway 102, where the service gateway 102 is configured to perform interface routing management on the application server 103.
The client 101 may be configured to send a resource access request for accessing a target resource provided by a target application server, for example, the application server 103.
The service gateway 102 may be configured to: acquiring service information of an application server 103 provided by a service management platform 104, wherein the service information comprises a target resource path corresponding to the application server 103, and the target resource path is a resource path of a resource containing a preset authentication identifier in a code of the application server 103; the resource authentication mark is used for indicating that the marked resource in the first application server is authentication-free resource; generating a resource record corresponding to the application server 103 according to the service information, and maintaining a target white list set according to the resource record; and under the condition that a resource access request which is sent by the client 101 and is used for accessing the target resource provided by the application server 103 is received, responding to the resource access request, and acquiring the service identifier of the application server 103 and the resource path of the target resource from the resource access request, wherein the resource path is the path of an interface used for accessing the target resource; inquiring whether a matching record matched with the service identifier and the resource path exists in the target white list set; and determining that the resource access request is an authentication-free type request under the condition that the matching record exists in the target white list set, and forwarding the resource access request to the application server 103 so that the application server 103 responds to the resource access request to send the target resource to the client 101.
Of course, in the case that the matching record does not exist in the target white list set, the service gateway 102 may also be configured to obtain user information of the user corresponding to the client 101; and sending an authentication request to the authentication and authorization server 105 according to the user information, the service identifier and the resource path to authenticate the user to obtain an authentication result, and forwarding the resource access request to the application server 103 to send the target resource to the client 101 by the application server 103 in response to the resource access request under the condition that the authentication result indicates that the user has the right to access the target resource.
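The registration and gateway flow described above (the application server collects the resources marked in its code, the service management platform passes the service information on, and the service gateway answers from the target white list set before falling back to authentication), as an added Python example that is not code from the patent. The decorator, the class and function names, the request shape, the sample permission data and the rule that a new registration replaces the old resource record are assumptions made for illustration.

```python
# Constructed end-to-end model; every name here is hypothetical, not from the patent.
AUTH_FREE_ATTR = "_auth_free_path"   # stands in for the "preset authentication identifier"


def auth_free(path):
    """Mark a handler in application code as serving an authentication-free resource."""
    def mark(handler):
        setattr(handler, AUTH_FREE_ATTR, path)
        return handler
    return mark


class DocService:
    """Sample application server ("app1") with one marked and one unmarked resource."""
    service_id = "app1"

    @auth_free("/doc/index")
    def index(self):
        return "homepage"

    def account(self):               # unmarked, so it stays behind authentication
        return "account data"


def build_service_info(app):
    """Application server: collect the marked resource paths into service information."""
    paths = []
    for name in dir(type(app)):
        member = getattr(type(app), name, None)
        if callable(member) and hasattr(member, AUTH_FREE_ATTR):
            paths.append(getattr(member, AUTH_FREE_ATTR))
    return {"service_id": app.service_id, "auth_free_paths": sorted(paths)}


class ServiceManagementPlatform:
    """Registers application servers and passes their service information to gateways."""
    def __init__(self, gateways):
        self.registry = {}
        self.gateways = gateways

    def register(self, service_info):
        self.registry[service_info["service_id"]] = service_info
        for gateway in self.gateways:
            gateway.on_service_info(service_info)


class ServiceGateway:
    def __init__(self, authenticate):
        self.whitelist = {}               # target white list set: service id -> resource record
        self.authenticate = authenticate  # callable standing in for the authentication server
        self.auth_calls = 0

    def on_service_info(self, info):
        # Assumption: a new registration replaces the old record, so a path whose
        # marker was removed from the code stops being authentication-free.
        self.whitelist[info["service_id"]] = frozenset(info["auth_free_paths"])

    def handle(self, request):
        service_id, path = request["service_id"], request["path"]
        # Exact match on (service identifier, resource path); no prefix or pattern match.
        if path in self.whitelist.get(service_id, frozenset()):
            return "forward:auth-free"
        # No matching record: fall back to the authentication server.
        self.auth_calls += 1
        user = request.get("user")
        if user is not None and self.authenticate(user, service_id, path):
            return "forward:authenticated"
        return "reject"


PERMISSIONS = {("alice", "app1", "/doc/account")}   # constructed authentication data


def authentication_server(user, service_id, path):
    return (user, service_id, path) in PERMISSIONS


def run_demo():
    gateway = ServiceGateway(authentication_server)
    platform = ServiceManagementPlatform([gateway])
    platform.register(build_service_info(DocService()))
    requests = [                                                          # constructed requests
        {"service_id": "app1", "path": "/doc/index"},                     # marked resource
        {"service_id": "app1", "path": "/doc/account", "user": "alice"},  # permitted user
        {"service_id": "app1", "path": "/doc/account", "user": "bob"},    # no permission
        {"service_id": "app2", "path": "/doc/index"},                     # other service
        {"service_id": "app1", "path": "/doc/index/"},                    # not an exact match
    ]
    return [gateway.handle(r) for r in requests], gateway.auth_calls


if __name__ == "__main__":
    print(run_demo())
```

Only the first request is answered without contacting the authentication server; a path that differs from the record in any way, or the same path under another service identifier, takes the authenticated route.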
It will be appreciated that the data processing system shown in fig. 1 is merely illustrative and is in no way intended to limit the disclosure, its application or uses. For example, although fig. 1 shows only one client 101, one service gateway 102, one application server 103, one service management platform 104, and one authentication server 105, it is not meant to limit the respective numbers, and the data processing system may include a plurality of clients 101, a plurality of service gateways 102, a plurality of application servers 103, a plurality of service management platforms 104, and a plurality of authentication servers 105.
Referring to fig. 3, a flowchart of a data processing method according to an embodiment of the disclosure is shown. As shown in fig. 3, the method may be applied to a service gateway, which may be used for performing interface routing management on at least one application server, where the service gateway may be, for example, the service gateway 102 shown in fig. 2.
As shown in fig. 3, the data processing method provided in the embodiment of the present disclosure includes the following steps S301 to S304, which are described in detail below.
Step S301, receiving a resource access request sent by a client; the resource access request is used for accessing a target resource provided by a target application server, and the target application server is any application server in at least one application server.
In the embodiment of the present disclosure, the resource refers to a network resource provided by an application server.
Typically, each network resource corresponds to an interface, and the client may access the corresponding network resource provided by the application server through the interface provided by the application server.
Step S302, a service identifier of a target application server and a resource path of a target resource are obtained from the resource access request, wherein the resource path is a path of an interface for accessing the target resource.
The service identifier of the target application server may be information for uniquely identifying the target application server, for example, may be a service id of the target application server.
The resource path, also called the interface path, is used to represent the address of the interface corresponding to the resource. For example, in case that a homepage resource of app1 needs to be accessed, a resource path of an interface corresponding to the homepage resource may be "/doc/index".
In the related art, when a service gateway receives a resource access request sent by a client, regardless of whether the requested resource requires authentication (that is, whether the user's access rights need to be checked), the service gateway generally first obtains the user's information, such as a user ID, from the resource access request, then generates an authentication request according to the user ID and sends it to an authentication server to confirm whether the user has the right to access the requested resource. This approach is inefficient: it spends communication time interacting with the authentication server, and it requires service personnel to configure the corresponding permission information in the authentication server in advance.
To solve this problem, in the embodiment of the present disclosure, after receiving a resource access request the service gateway does not go to the authentication server first, that is, it need not immediately send an authentication request for verifying the user's access rights. Instead, it first obtains the service identifier of the target application server and the resource path of the target resource, and uses them in step S303 below to confirm whether the target resource is an authentication-free resource. If step S303 confirms that it is, the resource access request can be forwarded directly to the corresponding application server. This saves the communication time otherwise spent on the authentication exchange with the authentication server, and service personnel no longer need to configure in the authentication server the permission information of users for the authentication-free resources of each application server, which improves the processing efficiency of the service gateway.
That is, after step S302, step S303 is performed to query whether there is a matching record in the target white list set that matches the service identifier and the resource path; the target white list set comprises a plurality of resource records, and the resource records are in one-to-one correspondence with the application server; the resource record is generated according to first service information of a corresponding first application server, the first service information comprises a target resource path corresponding to the first application server, and the target resource path is a resource path of a resource containing a preset authentication identifier in a code of the first application server; the preset authentication mark is used for indicating that the marked resource in the first application server is authentication-free resource, and the first application server is any application server in at least one application server.
The target whitelist set may be a data set maintained by the service gateway for recording resource records of authentication-free class resources in each application server.
The preset authentication identifier set in the encoding of the application server may be "NoAuth", for example.
In the embodiment of the disclosure, during service startup an application server may automatically obtain all of its authentication-free resources by scanning its own code for the interface path, i.e., the resource path, of each interface marked with the preset authentication identifier. When the application server sends its service information to the service gateway for interface routing management, the resource paths of these authentication-free resources are included in the service information. After obtaining the service information, the service gateway can, on the one hand, store the service identifier and service address information of the application server, so that a resource access request for that application server can be routed based on them; on the other hand, it can obtain the resource paths of all authentication-free resources of the application server from the service information, generate the resource record corresponding to the application server from the service identifier and those resource paths, and maintain the target whitelist set according to the resource record, which improves the processing efficiency of the service gateway when performing interface routing management.
In the embodiment of the present disclosure, a resource record in the target whitelist set may take the form "service identifier:resource path", for example "app1:/doc/index".
Of course, where an application server includes a plurality of authentication-free resources, a corresponding resource record may be generated for each of them. For example, for the authentication-free resources resource 1 and resource 2 in app1, resource record 1 corresponding to resource 1 and resource record 2 corresponding to resource 2 may each be stored in the target whitelist set.
Alternatively, the resource record may take the form "service identifier: [resource path list]", that is, one resource record contains the information of all authentication-free resources in an application server. For example, for the authentication-free resources resource 1 and resource 2 in app1, the corresponding resource record may be "app1: [resource 1 path, resource 2 path]".
It should be noted that, in the embodiment of the present disclosure, the authentication-free resource refers to a resource provided in an application server and not requiring verification of access rights of a user; correspondingly, the authentication type resource refers to a resource which is provided in the application server and needs to verify the access authority of the user. For example, in an e-commerce application, resources such as an application front page and a commodity detail page are usually authentication-free resources, i.e. anonymous users can access the resources; the resources such as shopping cart pages and order pages are generally authentication type resources, that is, the user information needs to be acquired and verified before the user is provided with the authentication type resources.
In addition, the target white list set may be stored in a local storage of the service gateway, or may also be stored in a database connected to the service gateway, and after the service gateway starts operation, the target white list set may be obtained from the local storage or the database and cached in the memory, so that under the condition that a resource access request is received, a matching record may be quickly searched in the cached target white list set, so as to determine whether the target resource is an authentication-free resource.
Step S304, under the condition that the matching record exists in the target white list set, determining that the resource access request is an authentication-free request, and forwarding the resource access request to the target application server.
In the embodiment of the present disclosure, in the case that the service gateway confirms that the matching record corresponding to the service identifier and the resource path in the received resource access request exists in the target white list set based on the above step S303, it may not only confirm that the target resource is an authentication-free resource, that is, the resource access request is an authentication-free request, but may not need to consume communication time to send an authentication request to the authentication server to perform authority authentication on the user corresponding to the request, and may directly forward the resource access request to the target application server, so that the target application server may provide the target resource to the client in response to the resource access request.
Thus, in the data processing method provided by the embodiment of the present disclosure, the resource records in the target whitelist set correspond one-to-one with the application servers. Each resource record is generated from the first service information of its corresponding first application server, and in the code of the first application server the preset authentication identifier marks a resource as authentication-free. A resource record generated from the first service information can therefore accurately represent the authentication-free resources of the first application server, that is, of any application server whose interface routing is managed by the service gateway. In the embodiments provided by this disclosure, service personnel need not manually configure the authentication-free resources of each application server in the service gateway, nor manually configure permission information for those resources in the authentication server corresponding to the service gateway. Instead, when an application server sends its service information to the service gateway, the resource paths marked by the preset authentication identifier in its code are automatically included in that information. When the service gateway receives a resource access request, it can obtain the service identifier and the resource path from the request and use the target whitelist set to determine quickly whether the requested resource is an authentication-free resource.
In some embodiments, the first service information further includes a first service identifier of the first application server; in such an embodiment, the resource record in the target whitelist may be obtained by: acquiring first service information of a first application server from a service management platform corresponding to a service gateway; acquiring a first service identifier and a target resource path from the first service information, and acquiring a first resource record according to the first service identifier and the target resource path; obtaining the resource record in the target white list according to the first resource record; the service management platform is at least used for providing service registration processing, the first service information is sent to the service management platform by the first application service end when a service registration request is sent to the service management platform, and the service registration request is used for requesting the service management platform to perform service registration processing on the application service end.
In this embodiment, the obtaining, according to the first resource record, the resource record in the target white list set may include: under the condition that the target white list set does not contain the resource record of the first application server, the first resource record is directly stored in the target white list set; and updating the resource record in the target white list set according to the first resource record under the condition that the target white list set contains the resource record of the first application server.
That is, for the first application server "app1", if a query shows that the target whitelist set does not contain a resource record of "app1", the first resource record of "app1" may be stored directly in the target whitelist set; if the target whitelist set already contains a resource record of "app1", the corresponding resource record already stored in the target whitelist set may be updated according to the first resource record of "app1". Of course, in actual implementation, when updating the corresponding resource record in the target whitelist set according to the first resource record, it is also possible to first delete all resource records of the first application server from the target whitelist set according to the service identifier of the first application server, and then store the first resource record directly in the target whitelist set.
In the embodiment of the disclosure, after scanning the preset authentication identifier in the self-code to obtain the resource paths of all authentication-free resources marked by the preset authentication identifier in the self-code, the application server may provide the resource records to the service gateway by including the resource paths of the authentication-free resources in the service information when sending the service information of the application server to the service gateway.
However, since the service gateway is generally used for interface routing management, it cannot dynamically update the service information and resource record information of all application servers, so the cached resource records and cached service information of each application server may not be updated in a timely manner.
For this reason, in the embodiment of the present disclosure, a service management platform may be provided as shown in fig. 2. The service management platform performs service registration processing on an application server. After it has completed service registration processing in response to a service registration request sent by the application server, it may further perform service discovery processing, dynamically discovering the service information of all application servers currently available for interface routing management by the service gateway, and send that service information to the service gateway. Service discovery processing means using a registry to record the information of all services in a distributed system, so that other services can quickly find the registered services.
In some embodiments, the obtaining the first service information of the first application server from the service management platform corresponding to the service gateway includes at least one of the following A1-A2:
A1, sending a service information acquisition request to a service management platform, and obtaining first service information from a response message corresponding to the service information acquisition request, wherein the service information acquisition request is used for acquiring the service information of a first application server; the response message is sent by the service management platform to the service gateway in response to the service information acquisition request.
A2, receiving first service information pushed by a service management platform; the first service information is pushed by the service management platform after service registration processing is performed on the first application server side, and/or is pushed by the service management platform under the condition that the service management platform detects that resources containing preset authentication identifiers in the first application server side are changed.
That is, in the embodiment of the present disclosure, the service management platform may be responsible both for service registration and for service discovery processing, so as to dynamically discover the service information of each application server. The service gateway may then send a service information acquisition request to the service management platform according to a preset mechanism, for example at a preset time interval, to obtain the service information of each application server and, from it, the resource records of the authentication-free resources in the corresponding application server. And/or, the service management platform may actively push the service information of an application server to the service gateway after performing service registration processing on that application server in response to its service registration request, and, when it finds that the authentication-free resources in an application server have changed, actively push service information containing the resource paths of the changed authentication-free resources to the service gateway, so that the service gateway maintains its own target whitelist set based on the service information.
Because the service management platform can dynamically discover each active application service and the resource updates within it, obtaining each application server's service information from the service management platform, and maintaining the target whitelist set from the authentication-free resource paths contained in that information, ensures that each resource record in the target whitelist set is timely and accurate, which improves the accuracy of the service gateway's interface routing management.
It will be appreciated that in some embodiments, when the target whitelist set contains no matching record that matches the service identifier and resource path in the resource access request, the service gateway may also be configured to: obtain the user information of the user corresponding to the client; authenticate the user according to the user information, the service identifier and the resource path to obtain an authentication result; forward the resource access request to the target application server when the authentication result indicates that the user has the right to access the target resource; and refuse to forward the resource access request when the authentication result indicates that the user does not have the right to access the target resource.
In this embodiment, when the service gateway performs authority authentication on the user, the processing steps may be: generating an authentication request according to the user information, the service identifier and the resource path; sending an authentication request to an authentication server, wherein the authentication server stores authority configuration information of authentication type resources in the user and each application server; and receiving an authentication result provided by the authentication server based on the authority configuration information. In this embodiment, the authentication server may be, for example, the authentication server 105 shown in fig. 2.
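An added sketch of the gateway-side decision in steps S301 to S304, including the fallback to the authentication server and the replace-on-update maintenance of the whitelist; it is not code from the patent. The names `WhitelistSet`, `canonical_path`, `split_request` and `handle`, the use of the first path segment as the service identifier, and the rule that a non-canonical path never matches the whitelist are assumptions of this example.

```python
import posixpath


def canonical_path(raw):
    """Return raw if it is already an unambiguous absolute path, else None.

    Assumption of this example: the whitelist is matched by exact string, so
    anything the application server might resolve differently (dot segments,
    doubled or trailing slashes, percent-encoding, ';' parameters) must not
    match and is sent down the authenticated route instead.
    """
    if not raw.startswith("/") or raw.startswith("//"):
        return None
    if "%" in raw or "\\" in raw or ";" in raw:
        return None
    return raw if posixpath.normpath(raw) == raw else None


def split_request(request_path):
    """'/app1/doc/index' -> ('app1', '/doc/index'); None if no service segment."""
    if not request_path.startswith("/"):
        return None
    service_id, sep, rest = request_path[1:].partition("/")
    if not service_id or not sep:
        return None
    return service_id, "/" + rest


class WhitelistSet:
    """Target whitelist set: service identifier -> authentication-free paths."""

    def __init__(self):
        self._records = {}

    def apply_service_info(self, service_info):
        """Store or update the resource record of one application server."""
        service_id = service_info["name"]
        paths = service_info.get("metadata", {}).get("NoAuth", [])
        # Replace rather than merge: a path whose mark was removed from the
        # application code must stop matching after the next update.
        self._records[service_id] = frozenset(
            p for p in paths if canonical_path(p) is not None
        )

    def matches(self, service_id, resource_path):
        return resource_path in self._records.get(service_id, frozenset())


def handle(whitelist, authenticate, request_path, user_info=None):
    """Decide 'forward' or 'reject' for one resource access request.

    authenticate(user_info, service_id, resource_path) stands in for the
    round trip to the authentication server and returns True or False.
    """
    parts = split_request(request_path)
    if parts is None:
        return "reject"
    service_id, raw_path = parts
    path = canonical_path(raw_path)
    if path is not None and whitelist.matches(service_id, path):
        return "forward"  # authentication-free: no authentication request sent
    if user_info is not None and authenticate(user_info, service_id, raw_path):
        return "forward"
    return "reject"


if __name__ == "__main__":
    # Constructed sample data: one registered service and one permission.
    whitelist = WhitelistSet()
    whitelist.apply_service_info(
        {"name": "app1", "instance": "192.0.2.10:8080",
         "metadata": {"NoAuth": ["/doc/index"]}}
    )

    def fake_auth(user, service_id, path):
        return (user, service_id, path) == ("user1", "app1", "/cart")

    for req, user in [("/app1/doc/index", None),
                      ("/app1/doc/index/../../cart", None),
                      ("/app1/cart", "user1")]:
        print(req, user, handle(whitelist, fake_auth, req, user))
```

The exact-match rule is the point to check in a real gateway: if the gateway and the application server resolve a path differently, a whitelisted prefix can end up covering an authentication-type resource.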
In correspondence with the above embodiments, the embodiments of the present disclosure further provide another data processing method, please refer to fig. 4, which is a flowchart of another data processing method provided by the embodiments of the present disclosure. The method may be applied to an application server, which relies on the service gateway in the above embodiment to perform interface routing management, for example, may be applied to the application server 103 shown in fig. 2.
As shown in fig. 4, the data processing method provided by the embodiment of the present disclosure may include the following steps S401 to S403.
Step S401, obtaining a resource path of a resource containing a preset authentication identifier, and obtaining a service identifier of an application server; the preset authentication mark is arranged in the code of the application server and used for indicating that the marked resource in the application server is authentication-free resource.
In some embodiments, the application server may perform this step when it detects that its own service is starting. That is, the user does not need to manually configure the resource records of each application server's authentication-free resources in the authentication server or the service gateway; instead, each application server, while starting its service and loading its resources, scans its own code for the resource paths of all resources that carry the preset authentication identifier. Of course, this is merely illustrative. In the embodiment of the present disclosure the execution timing of step S401 is not specifically limited, and in actual implementation step S401 may be triggered by other mechanisms; for example, a timed task may be set in the application server so that step S401 is triggered by that timed task.
In some embodiments, the preset authentication identifier may be set in a naming of an interface corresponding to the authentication-free class resource.
Step S402, according to the service identification and the resource path, generating service information corresponding to the application server.
Step S403, generating a service registration request according to the service information, and sending the service registration request to a service management platform; the service registration request is used for requesting the service management platform to perform service registration processing on the application server, and the service management platform is at least used for performing service registration processing on the application server and sending service information to the service gateway.
After the resource paths of all authentication-free resources in the application server are acquired, the resource paths can be used as the custom metadata in the service registration request, and the application server sends the service registration request to the service management platform and simultaneously provides the resource paths for the service management platform.
Taking Nacos as the service management platform and "/doc/index" as the resource path as an example, the application server can create a Nacos registry and take the resource record as metadata of the Nacos registry, so that when the Nacos registry registers the service with Nacos, the resource path is provided to Nacos as part of the application server's own service information. When the service gateway obtains the service information of each application server from Nacos, it obtains the resource paths of the authentication-free resources in each application server at the same time, so the target whitelist set can be maintained based on the obtained resource paths and, when a resource access request is received, requests for authentication-free resources can be forwarded quickly based on the target whitelist set, which improves processing efficiency.
In some embodiments, the obtaining the resource path of the resource including the preset authentication identifier in step S401 includes: and under the condition that the preset authentication mark is detected, acquiring a resource path of the resource marked by the preset authentication mark.
That is, to save manual work, the resource paths of the authentication-free resources in the application server need not be manually configured by service personnel in the service gateway, the service management platform or the authentication server. Instead, a preset authentication identifier may be set in the code of the application server, and while the application server is running, when the preset authentication identifier is detected in the code, the resource path of the resource marked by it is obtained.
It should be noted that, in actual implementation, the process of detecting the preset authentication identifier may be executed by the application server during the starting process and during the resource loading process; or the process of detecting the preset authentication identifier can be triggered and executed through a preset timing task in the running process of the application server, and the method is not particularly limited.
In some embodiments, the obtaining the resource path of the resource marked by the preset authentication identifier includes: taking the position marked by the preset authentication identifier as a pointcut, switching the target processing currently executed by the application server to a preset aspect processing function to perform the resource path acquisition, and returning to the pointcut after the resource path is acquired to continue the target processing; the preset aspect processing function is a function implemented based on aspect-oriented programming; the target processing is any processing executed by the application server.
Aspect-oriented programming (AOP) is a technique for unified maintenance of program functions by means of precompilation and run-time dynamic proxies.
In the embodiment of the disclosure, to keep the acquisition of authentication-free resource paths from affecting the service processing code of the application server, the preset authentication identifier may be set in the code of the application server as an annotation. During initial startup and resource loading, the application server then uses the preset authentication identifier as a pointcut and switches to a unified aspect function to acquire the resource paths of the authentication-free resources. This decouples the service processing code from the resource path acquisition code and improves the reusability and maintainability of the application server's code.
That is, in some embodiments the preset authentication identifier may be set in the code of the application server as an annotation; for example, the preset authentication identifier may be "@NoAuth", and adding it before the code function of an interface marks that interface as an authentication-free resource. While the application server is running, when acquisition of the resource paths of authentication-free resources is triggered, the code can be checked line by line for the preset authentication identifier. When one is detected, the position it marks is taken as a pointcut, that is, as an aspect, and the target processing currently executed by the application server, for example resource loading, is switched to the preset aspect processing function to perform the resource path acquisition: the interface path of the interface marked by the preset authentication identifier is obtained as the resource path of the resource corresponding to that interface. After the acquisition is completed, the target processing continues.
It should be noted that, in the embodiment of the present disclosure, to improve the reusability of the resource path acquisition, a common component for acquiring resource paths may be developed. Each application server can perform the resource path acquisition by introducing the common component into its code project, which makes it convenient both to use the preset authentication identifier and to introduce the preset aspect processing function. Furthermore, the generation of the registration request can also be integrated in the common component, so that other application servers can quickly and conveniently provide their own authentication-free resources to the service management platform; this is not specifically limited here.
For ease of understanding, the data processing method provided in the embodiments of the present disclosure is illustrated below with the common component for acquiring resource paths being "NoAuth-SDK", which includes the preset authentication identifier "@NoAuth", with the target application server being "app1", and with the service management platform being Nacos.
Specifically, the common component "NoAuth-SDK" may be introduced while developing app1, and a developer adds the preset authentication identifier before the interface of each authentication-free resource of app1. For example, for the authentication-free resource "/doc/index", the developer may add "@NoAuth" before the interface of that resource to mark it as an authentication-free resource.
While app1 is starting, it may detect the preset authentication identifier "@NoAuth" in its code based on the common component "NoAuth-SDK". When the preset authentication identifier is detected, app1 takes the position it marks as a pointcut, enters the preset aspect processing function to acquire the resource path of the authentication-free resource, and stores each obtained resource path in a shared container of a predefined context object. Finally, after the detection is completed, a Nacos monitor object corresponding to Nacos is created, and the resource paths of all authentication-free resources collected in the shared container, such as "/doc/index", are put into the Nacos register object. Then app1 generates the service information corresponding to app1 from its own service identifier, its service address and the detected resource paths, generates a service registration request from the service information, and sends the service registration request to Nacos for service registration processing. In the service information, the resource paths of the authentication-free resources in app1 may be stored as custom metadata, that is, the service registration request may be { name: app1, instance:10.Xx. Xx.1, metadata: { NoAuth: [ "/doc/index" ] } }.
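The application-server side of the walkthrough above as an added Python example, not the NoAuth-SDK itself: a `no_auth` decorator stands in for the "@NoAuth" annotation, and a startup scan builds service information in the shape shown in the text. The `Router` class, the `protected_prefixes` startup guard and the instance address are assumptions of this example.

```python
NO_AUTH_ATTR = "__no_auth__"


def no_auth(handler):
    """Mark an interface as an authentication-free resource."""
    setattr(handler, NO_AUTH_ATTR, True)
    return handler


class Router:
    """Hypothetical route table: resource path -> interface handler."""

    def __init__(self):
        self.routes = {}

    def route(self, path):
        def register(handler):
            if path in self.routes:
                raise ValueError("duplicate route: " + path)
            self.routes[path] = handler
            return handler  # same object, so decorator order does not matter
        return register


def scan_no_auth_paths(router, protected_prefixes=()):
    """Collect the resource paths of all marked interfaces at startup.

    protected_prefixes is a guard added in this example: if a marked path
    falls under a prefix that must always be authenticated, startup fails
    instead of registering the path as authentication-free.
    """
    paths = sorted(
        path for path, handler in router.routes.items()
        if getattr(handler, NO_AUTH_ATTR, False)
    )
    for path in paths:
        for prefix in protected_prefixes:
            base = prefix.rstrip("/")
            if path == base or path.startswith(base + "/"):
                raise RuntimeError(
                    "authentication-free mark on protected path: " + path
                )
    return paths


def build_service_info(service_id, instance, router, protected_prefixes=()):
    """Service information sent with the service registration request."""
    return {
        "name": service_id,
        "instance": instance,
        "metadata": {"NoAuth": scan_no_auth_paths(router, protected_prefixes)},
    }


def sample_app1():
    """Constructed sample application with one marked interface."""
    router = Router()

    @router.route("/doc/index")
    @no_auth
    def index():
        return "home page"

    @router.route("/cart")
    def cart():
        return "shopping cart"

    return router


if __name__ == "__main__":
    # 192.0.2.10:8080 is a constructed placeholder address.
    info = build_service_info("app1", "192.0.2.10:8080", sample_app1(),
                              protected_prefixes=("/admin",))
    print(info)
```

Because one mark in application code removes the gateway's authentication step for that path, logging the scanned list at startup gives reviewers a single place to audit what is exposed anonymously.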
In the case of receiving a service registration request sent by app1, the nacos performs service registration processing on app1 in response to the service registration request, and acquires service information of app1 from the service registration request and stores the service information in the local storage device.
In addition, a business person responsible for app1 may log in to the authentication server before app1 is started to set the authority information of the authentication-type resources of app1. This may be role and user information configured for resources such as data management and project management; for example, user 1 may be configured to have the authority to access the authentication-type resources.
When the service gateway receives a resource access request sent by the client for accessing a target resource, the service gateway may parse the request and determine that it needs to be sent to "app1". If the service gateway holds no service information for app1 at that point, it may first send Nacos a service information acquisition request for the service information of app1. The target resource may, for example, take the form "/app1/doc/index".
Nacos responds to the service information acquisition request sent by the service gateway and returns the service information { name: app1, instance: 10.xx.xx.1, metadata: { NoAuth: [ "/doc/index" ] } } to the service gateway in a response message.
After obtaining the service information, the service gateway can parse it to learn that the resource path of the authentication-free resource of app1 is "/doc/index", generate a resource record "app1:/doc/index" for app1 from the service identifier "app1" and the resource path "/doc/index", and update the resource record into the target white list set. In addition, after obtaining the service information of app1, the service gateway may send Nacos a service information acquisition request for app1 at a preset time interval, for example 30 s, so that if the app1 service or the authentication-free resources in app1 change, the service information of app1 stored in the service gateway and the resource record corresponding to app1 are updated in time.
After the service gateway obtains the service information of app1, the service gateway may process the received resource access request according to at least one of the following B1-B2:
B1: if the resource path of the target resource that the resource access request asks to access exists in the target white list set of the service gateway, the resource access request is determined to be an authentication-free request and is forwarded to app1.
For example, the service gateway may parse a resource access request sent by the client and find that it is used to access the target resource "/doc/index" in app1. If a matching record exists in the target white list set, the gateway may determine that the resource access request is an authentication-free request and forward it to app1.
In the related art, the service gateway is inefficient when it receives a resource access request for an authentication-free resource, because it must spend communication time authenticating against the authentication server. By contrast, with the method provided by the embodiments of the present disclosure, the service gateway can determine directly from the target white list set whether a resource access request needs to be authenticated, so that a request for an authentication-free resource is forwarded directly to the application server for response, which improves processing efficiency.
B2: if the resource path of the target resource that the resource access request asks to access does not exist in the target white list set of the service gateway, the resource access request is determined to be an authentication-type request. The gateway acquires the user information of the user corresponding to the client, sends the authentication server an authentication request for that user based on the user information, the service identifier of app1 and the resource path in the resource access request, and forwards the resource access request to app1 if the received authentication result indicates that the user has the authority to access the target resource.
That is, if no record in the target white list set matches the resource path of the target resource requested in the resource access request, the service gateway can determine that the request is an authentication-type request. It can then obtain the user information of the user corresponding to the client and generate an authentication request based on that information, so that the authentication server performs the authentication.
For example, if the user corresponding to the client is "Zhang San", then, since the business person responsible for app1 has configured the authority information of the user "Zhang San" in the authentication server in advance, the resource access request may be forwarded to app1 when the authentication result returned by the authentication server indicates that "Zhang San" has the authority to access the target resource.
It can be understood that, in B2, if the service gateway cannot obtain the user information of the user corresponding to the client, that is, the user is an anonymous user, the service gateway may directly reject the resource access request; alternatively, the resource access request may be directly denied when the authentication result returned by the authentication server indicates that the user does not have the right to access the target resource.
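The app1 walk-through above (start-up detection, registration metadata, and the gateway's B1/B2 decision) is shown here as an added Python example that is not code from the patent. The `no_auth` decorator, `Registry`, `Gateway`, the `/data/manage` resource and the permission table are hypothetical stand-ins, and the strict path check in `split_target` is an assumption of this example rather than something the disclosure specifies.

```python
from urllib.parse import unquote

NO_AUTH_PATHS = []  # stands in for the "shared container" filled during start-up


def no_auth(path):
    """Hypothetical stand-in for the @NoAuth identifier: records the marked path."""
    def mark(handler):
        NO_AUTH_PATHS.append(path)
        return handler
    return mark


@no_auth("/doc/index")
def doc_index():
    return "public documentation"


def data_manage():  # unmarked, so it remains an authentication-type resource
    return "data management"


def build_registration(name, instance):
    """Service information in the shape of the page's example request."""
    return {"name": name, "instance": instance,
            "metadata": {"NoAuth": sorted(set(NO_AUTH_PATHS))}}


class Registry:
    """Minimal in-memory stand-in for the service management platform."""
    def __init__(self):
        self.services = {}

    def register(self, request):
        self.services[request["name"]] = request

    def get_service(self, name):
        return self.services.get(name)


def split_target(raw_path):
    """'/app1/doc/index' -> ('app1', '/doc/index'); None unless the path is canonical."""
    decoded = unquote(raw_path)
    parts = decoded.split("/")
    if len(parts) < 3 or parts[0] != "" or "%" in decoded or "\\" in decoded:
        return None
    if any(seg in ("", ".", "..") for seg in parts[1:]):
        return None  # empty or dot segments could make gateway and app disagree
    return parts[1], "/" + "/".join(parts[2:])


class Gateway:
    def __init__(self, registry, authenticate):
        self.registry = registry
        self.authenticate = authenticate  # callable(user, service, path) -> bool
        self.whitelist = {}               # one record per service: name -> paths

    def refresh(self, service):
        """Re-read one service's information (the page polls, e.g. every 30 s)."""
        info = self.registry.get_service(service)
        if info is None:
            self.whitelist.pop(service, None)
        else:
            self.whitelist[service] = frozenset(info["metadata"].get("NoAuth", []))

    def handle(self, raw_path, user=None):
        target = split_target(raw_path)
        if target is None:
            return "reject: malformed path"
        service, path = target
        if service not in self.whitelist:
            self.refresh(service)
        if service not in self.whitelist:
            return "reject: unknown service"
        if path in self.whitelist[service]:         # B1: exact match only
            return "forward: authentication-free"
        if user is None:                             # B2: anonymous user
            return "reject: anonymous"
        if self.authenticate(user, service, path):   # B2: ask the authentication server
            return "forward: authenticated"
        return "reject: no permission"


# Constructed permission data standing in for the authentication server.
PERMISSIONS = {("Zhang San", "app1", "/data/manage")}


def make_gateway():
    registry = Registry()
    registry.register(build_registration("app1", "10.xx.xx.1"))
    return Gateway(registry, lambda u, s, p: (u, s, p) in PERMISSIONS)


if __name__ == "__main__":
    gw = make_gateway()
    for path, user in [("/app1/doc/index", None), ("/app1/data/manage", None),
                       ("/app1/data/manage", "Zhang San"),
                       ("/app1/doc/index/../data/manage", None)]:
        print(path, user, "->", gw.handle(path, user))
```

Because the white list is derived entirely from registration metadata, the example fails closed: a request whose path does not split cleanly into a service identifier and an exactly matching resource path never reaches the authentication-free branch.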
As can be seen from the above description, with the data processing method provided by the embodiments of the present disclosure, an application server may automatically detect the resource paths of the authentication-free resources it contains and, when registering with the service management platform, include those resource paths in the service information of the service registration request. The service gateway can then obtain the service information, and the resource paths in it, through the service management platform, and maintain on that basis a target white list set corresponding to the authentication-free resources of the application server. This improves processing efficiency for authentication-free resources when a resource access request is received, and avoids the low accuracy and low efficiency that may result when business personnel manually configure the authority information of such resources in the authentication server.
In correspondence with the above embodiments, the present disclosure further provides another data processing method, please refer to fig. 5, which is a flowchart of another data processing method provided by the present disclosure embodiment. The method may be applied in a service management platform, for example, in the service management platform 104 as shown in fig. 2.
As shown in fig. 5, such a data processing method provided by an embodiment of the present disclosure may include the following steps S501 to S502.
Step S501, obtaining a service registration request sent by an application server; the service registration request comprises service information of an application server; the service information comprises a resource path of a resource of which the code of the application server contains a preset authentication mark; the preset authentication mark is used for indicating that the marked resource in the application server is authentication-free resource.
The detailed description of the service registration request refers to the above embodiment, and will not be repeated here.
Step S502, after responding to the service registration request and carrying out service registration processing on the application server according to the service information, the service information is sent to a service gateway, wherein the service gateway is used for carrying out interface route management on the application server.
That is, as can be seen from the above description of the embodiments, in the embodiments of the present disclosure, when an application server sends a service registration request to a service management platform, a resource record of an authentication-free resource in the application server may be included in service information of the service registration request in the form of metadata, so that the service management platform may acquire and store the resource record in the service information while performing registration processing on the service in response to the service registration request; after the service management platform completes the service registration processing on the application server, the service information containing the resource record can be sent to the service gateway.
In the embodiment of the present disclosure, the service information of the application server may be actively pushed by the service management platform to a service gateway connected to the service management platform in a communication manner, or the service gateway may obtain the service information by sending a service information obtaining request to the service management platform, which is not limited herein.
Therefore, according to the data processing method provided by the embodiment of the disclosure, the service management platform can obtain the resource path of the authentication-free resource in the application server side at the same time in the process of receiving the service registration request of the application server side, and the processing efficiency of the service gateway in interface routing management can be improved by sending the service information containing the resource path to the service gateway.
It will be appreciated that the above method embodiments of the present disclosure may be combined with one another to form combined embodiments without departing from their principles and logic; for reasons of space, these are not described in detail in the present disclosure. It will be appreciated by those skilled in the art that, in the above-described methods of the embodiments, the particular order of execution of the steps should be determined by their function and possible inherent logic.
In addition, the present disclosure further provides a data processing apparatus, an electronic device, and a computer-readable storage medium, each of which may be used to implement any one of the data processing methods provided in the present disclosure; for the corresponding technical solutions and descriptions, refer to the corresponding descriptions in the method section, which are not repeated here.
Fig. 6 is a block diagram of a data processing apparatus according to an embodiment of the present disclosure.
Referring to fig. 6, an embodiment of the present disclosure provides a data processing apparatus, which may be applied to a service gateway, where the service gateway may be used to perform interface routing management on at least one application server, where the data processing apparatus 600 includes: a receiving unit 601, a first acquiring unit 602, a matching unit 603, and a forwarding unit 604.
The receiving unit 601 is configured to receive a resource access request sent by a client; the resource access request is used for accessing a target resource provided by a target application server, and the target application server is any application server in at least one application server.
The first obtaining unit 602 is configured to obtain, from the resource access request, a service identifier of the target application server and a resource path of the target resource, where the resource path is a path of an interface for accessing the target resource.
The matching unit 603 is configured to query whether a matching record matching the service identifier and the resource path exists in the target white list set; the target white list set comprises a plurality of resource records, and the resource records are in one-to-one correspondence with the application server; the resource record is generated according to first service information of a corresponding first application server, the first service information comprises a target resource path corresponding to the first application server, and the target resource path is a resource path of a resource containing a preset authentication identifier in a code of the first application server; the preset authentication mark is used for indicating that the marked resource in the first application server is authentication-free resource, and the first application server is any application server in at least one application server.
The forwarding unit 604 is configured to determine that the resource access request is an authentication-free request if the matching record exists in the target white list set, and forward the resource access request to the target application server.
In some embodiments, the first service information further includes a first service identifier of the first application server; the apparatus 600 comprises a resource record acquisition unit for: acquiring first service information of a first application server from a service management platform corresponding to a service gateway; acquiring a first service identifier and a target resource path from the first service information, and acquiring a first resource record according to the first service identifier and the target resource path; obtaining a resource record in a target white list according to the first resource record; the service management platform is at least used for providing service registration processing, the first service information is sent to the service management platform by the first application service end when a service registration request is sent to the service management platform, and the service registration request is used for requesting the service management platform to perform service registration processing on the application service end.
In some embodiments, the resource record obtaining unit obtains the first service information of the first application server from the service management platform corresponding to the service gateway through at least one of the following: sending a service information acquisition request to a service management platform, and obtaining first service information from a response message corresponding to the service information acquisition request, wherein the service information acquisition request is used for acquiring service information of a first application server; the response message is sent to the service gateway by the service management platform in response to the service information acquisition request; receiving first service information pushed by a service management platform; the first service information is pushed by the service management platform after service registration processing is performed on the first application server, and/or is pushed by the service management platform under the condition that the service management platform detects that resources containing preset authentication identifiers in the first application server are changed.
In some embodiments, the apparatus 600 further comprises an authentication unit for: under the condition that a matching record does not exist in the target white list set, user information of a user corresponding to the client is obtained; performing authority authentication on the user according to the user information, the service identifier and the resource path to obtain an authentication result; and forwarding the resource access request to the target application server side under the condition that the authentication result indicates that the user has the authority to access the target resource.
Therefore, according to the data processing device provided by the embodiment of the disclosure, the resource records in the target white list set are in one-to-one correspondence with the application server; the resource record is generated according to the first service information of the first application service end corresponding to the resource record, and the first service information comprises a resource path of resources with preset authentication identifiers in codes of the first application service end, and the preset authentication identifiers represent marked resources as authentication-free type resources.
Fig. 7 is a block diagram of another data processing apparatus according to an embodiment of the present disclosure.
Referring to fig. 7, another data processing apparatus is provided in an embodiment of the present disclosure, which may be applied to an application server, where the data processing apparatus 700 includes: a second acquisition unit 701, a generation unit 702, and a registration unit 703.
The second obtaining unit 701 is configured to obtain a resource path including a resource of a preset authentication identifier, and obtain a service identifier of an application server; the preset authentication mark is arranged in the code of the application server and used for indicating that the marked resource in the application server is authentication-free resource.
The generating unit 702 is configured to generate service information corresponding to the application server according to the service identifier and the resource path.
The registration unit 703 is configured to generate a service registration request according to the service information, and send the service registration request to the service management platform; the service registration request is used for requesting the service management platform to perform service registration processing on the application server, and the service management platform is at least used for performing service registration processing on the application server and sending service information to the service gateway.
In some embodiments, when acquiring the resource path of the resource containing the preset authentication identifier, the second acquiring unit 701 may be configured to: when the preset authentication identifier is detected, acquire the resource path of the resource marked by the preset authentication identifier.
In some embodiments, when acquiring the resource path of the resource marked by the preset authentication identifier, the second acquiring unit 701 may be configured to: take the position marked by the preset authentication identifier as an access point, switch from the target processing currently executed by the application server to a preset aspect processing function to perform the processing of acquiring the resource path, and return to the access point after the resource path is acquired to continue executing the target processing. The preset aspect processing function is a function implemented on the basis of aspect-oriented programming; the target processing is any processing executed by the application server.
It can be seen that, based on the data processing apparatus provided in the embodiments of the present disclosure, an application server may automatically obtain a resource path of an authentication-free resource included in the application server based on the second obtaining unit 701, and in a process of registering a service with a service management platform, by generating service information including the resource path based on the generating unit, the service information including the resource path is sent to the service management platform based on the registering unit 703 conveniently, so that a service gateway may obtain the service information and the resource path in the service information through the service management platform, and further maintain a target whitelist set corresponding to the authentication-free resource in the application server based on the resource path, so as to improve processing efficiency for the authentication-free resource under a condition of receiving a resource access request, and avoid problems of low accuracy and low efficiency that may be caused when a service staff manually configures authority information of the type resource in the authentication server.
Fig. 8 is a block diagram of yet another data processing apparatus provided by an embodiment of the present disclosure.
Referring to fig. 8, an embodiment of the present disclosure provides still another data processing apparatus, which may be applied to a service management platform, the data processing apparatus 800 including: a third acquisition unit 801 and a response unit 802.
The third obtaining unit 801 is configured to obtain a service registration request sent by an application server; the service registration request comprises service information of an application server; the service information comprises a resource path of a resource of which the code of the application server contains a preset authentication mark; the preset authentication mark is used for indicating that the marked resource in the application server is authentication-free resource.
The response unit 802 is configured to send service information to a service gateway after performing service registration processing on the application server according to the service information in response to the service registration request, where the service gateway is configured to perform interface routing management on the application server.
Based on the data processing apparatus provided in the embodiments of the present disclosure, after receiving a service registration request of an application server based on the third obtaining unit 801, the service management platform may obtain service information corresponding to the application server and including a resource record of an authentication-free resource from the service registration request, and provide the service information to the service gateway through the response unit 802, so that processing efficiency of the service gateway in performing interface routing management may be improved.
Fig. 9 is a block diagram of an electronic device according to an embodiment of the present disclosure.
Referring to fig. 9, an embodiment of the present disclosure provides an electronic device 900 including: at least one processor 901; at least one memory 902, and one or more I/O interfaces 903, connected between the processor 901 and the memory 902; wherein the memory 902 stores one or more computer programs executable by the at least one processor 901, the one or more computer programs being executable by the at least one processor 901 to enable the at least one processor 901 to perform the data processing methods described above.
The disclosed embodiments also provide a computer readable storage medium having a computer program stored thereon, wherein the computer program, when executed by a processor, implements the data processing method described above. The computer readable storage medium may be a volatile or nonvolatile computer readable storage medium.
Embodiments of the present disclosure also provide a computer program product comprising computer readable code, or a non-transitory computer readable storage medium carrying computer readable code, which when run in a processor of an electronic device, performs the above-described data processing method.
Those of ordinary skill in the art will appreciate that all or some of the steps, systems, functional modules/units in the apparatus, and methods disclosed above may be implemented as software, firmware, hardware, and suitable combinations thereof. In a hardware implementation, the division between the functional modules/units mentioned in the above description does not necessarily correspond to the division of physical components; for example, one physical component may have multiple functions, or one function or step may be performed cooperatively by several physical components. Some or all of the physical components may be implemented as software executed by a processor, such as a central processing unit, digital signal processor, or microprocessor, or as hardware, or as an integrated circuit, such as an application specific integrated circuit. Such software may be distributed on computer-readable storage media, which may include computer storage media (or non-transitory media) and communication media (or transitory media).
The term computer storage media includes both volatile and nonvolatile, removable and non-removable media implemented in any method or technology for storage of information such as computer readable program instructions, data structures, program modules or other data, as known to those skilled in the art. Computer storage media includes, but is not limited to, Random Access Memory (RAM), Read Only Memory (ROM), Erasable Programmable Read Only Memory (EPROM), Static Random Access Memory (SRAM), flash memory or other memory technology, portable compact disc read only memory (CD-ROM), Digital Versatile Discs (DVD) or other optical disc storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other medium which can be used to store the desired information and which can be accessed by a computer. Furthermore, as is well known to those of ordinary skill in the art, communication media typically embodies computer readable program instructions, data structures, program modules or other data in a modulated data signal such as a carrier wave or other transport mechanism and may include any information delivery media.
The computer readable program instructions described herein may be downloaded from a computer readable storage medium to a respective computing/processing device or to an external computer or external storage device over a network, such as the internet, a local area network, a wide area network, and/or a wireless network. The network may include copper transmission cables, fiber optic transmissions, wireless transmissions, routers, firewalls, switches, gateway computers and/or edge servers. The network interface card or network interface in each computing/processing device receives computer readable program instructions from the network and forwards the computer readable program instructions for storage in a computer readable storage medium in the respective computing/processing device.
Computer program instructions for performing the operations of the present disclosure can be assembly instructions, Instruction Set Architecture (ISA) instructions, machine-related instructions, microcode, firmware instructions, state setting data, or source or object code written in any combination of one or more programming languages, including an object oriented programming language such as Smalltalk, C++ or the like and conventional procedural programming languages, such as the "C" programming language or similar programming languages. The computer readable program instructions may be executed entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer or entirely on the remote computer or server. In the case of a remote computer, the remote computer may be connected to the user's computer through any kind of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or may be connected to an external computer (for example, through the Internet using an Internet service provider). In some embodiments, aspects of the present disclosure are implemented by personalizing electronic circuitry, such as programmable logic circuitry, Field Programmable Gate Arrays (FPGAs), or Programmable Logic Arrays (PLAs), with state information of computer readable program instructions, which can execute the computer readable program instructions.
The computer program product described herein may be embodied in hardware, software, or a combination thereof. In an alternative embodiment, the computer program product is embodied as a computer storage medium, and in another alternative embodiment, the computer program product is embodied as a software product, such as a software development kit (Software Development Kit, SDK), or the like.
Various aspects of the present disclosure are described herein with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems) and computer program products according to embodiments of the disclosure. It will be understood that each block of the flowchart illustrations and/or block diagrams, and combinations of blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer-readable program instructions.
These computer readable program instructions may be provided to a processor of a general purpose computer, special purpose computer, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions/acts specified in the flowchart and/or block diagram block or blocks. These computer readable program instructions may also be stored in a computer readable storage medium that can direct a computer, programmable data processing apparatus, and/or other devices to function in a particular manner, such that the computer readable medium having the instructions stored therein includes an article of manufacture including instructions which implement the function/act specified in the flowchart and/or block diagram block or blocks.
The computer readable program instructions may also be loaded onto a computer, other programmable data processing apparatus, or other devices to cause a series of operational steps to be performed on the computer, other programmable apparatus or other devices to produce a computer implemented process such that the instructions which execute on the computer, other programmable apparatus or other devices implement the functions/acts specified in the flowchart and/or block diagram block or blocks.
The flowcharts and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present disclosure. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of instructions, which comprises one or more executable instructions for implementing the specified logical function(s). In some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
Example embodiments have been disclosed herein, and although specific terms are employed, they are used and should be interpreted in a generic and descriptive sense only and not for purpose of limitation. In some instances, it will be apparent to one skilled in the art that features, characteristics, and/or elements described in connection with a particular embodiment may be used alone or in combination with other embodiments unless explicitly stated otherwise. It will be understood by those skilled in the art that various changes in form and details may be made therein without departing from the scope of the disclosure as set forth in the appended claims.

Claims (11)

1. A data processing method, applied to a service gateway, wherein the service gateway is configured to perform interface route management on at least one application server, the method comprising:
receiving a resource access request sent by a client; the resource access request is used for accessing a target resource provided by a target application server, and the target application server is any application server in the at least one application server;
acquiring a service identifier of the target application server and a resource path of the target resource from the resource access request, wherein the resource path is a path of an interface for accessing the target resource;
querying whether a matching record matched with the service identifier and the resource path exists in a target white list set;
the target white list set comprises a plurality of resource records, and the resource records are in one-to-one correspondence with the application servers; the resource record is generated according to first service information of a corresponding first application server, the first service information comprises a target resource path corresponding to the first application server, and the target resource path is a resource path of a resource containing a preset authentication identifier in a code of the first application server; the preset authentication identifier is used for indicating that the marked resource in the first application server is an authentication-free resource, and the first application server is any application server in the at least one application server;
and under the condition that the matching record exists in the target white list set, determining that the resource access request is an authentication-free request, and forwarding the resource access request to the target application server.
2. The method of claim 1, wherein the first service information further includes a first service identifier of the first application server;
the resource record in the target white list is obtained through the following processing:
acquiring first service information of the first application server from a service management platform corresponding to the service gateway;
acquiring the first service identifier and the target resource path from the first service information, and acquiring a first resource record according to the first service identifier and the target resource path;
obtaining the resource record in the target white list according to the first resource record;
the service management platform is at least used for providing service registration processing, the first service information is sent to the service management platform by the first application server when a service registration request is sent to the service management platform, and the service registration request is used for requesting the service management platform to perform service registration processing on the application server.
3. The method of claim 2, wherein the obtaining the first service information of the first application server from the service management platform corresponding to the service gateway includes at least one of:
sending a service information acquisition request to the service management platform, and obtaining the first service information from a response message corresponding to the service information acquisition request, wherein the service information acquisition request is used for acquiring the service information of the first application server; the response message is sent to the service gateway by the service management platform in response to the service information acquisition request;
receiving the first service information pushed by the service management platform; the first service information is pushed by the service management platform after service registration processing is performed on the first application server, and/or is pushed by the service management platform under the condition that the service management platform detects that resources containing preset authentication identifiers in the first application server are changed.
4. The method according to claim 1, wherein user information of a user corresponding to the client is obtained in the case that the matching record does not exist in the target white list set;
performing authority authentication on the user according to the user information, the service identifier and the resource path to obtain an authentication result;
and forwarding the resource access request to the target application server under the condition that the authentication result indicates that the user has the right to access the target resource.
5. A data processing method, applied to an application server, the application server relying on a service gateway for interface routing management, the method comprising:
acquiring a resource path of a resource containing a preset authentication identifier, and acquiring a service identifier of the application server; the preset authentication identifier is set in the code of the application server and used for indicating that the marked resource in the application server is an authentication-free resource;
generating service information corresponding to the application server according to the service identifier and the resource path;
generating a service registration request according to the service information, and sending the service registration request to a service management platform; the service registration request is used for requesting the service management platform to perform service registration processing on the application server, and the service management platform is at least used for performing service registration processing on the application server and sending the service information to the service gateway.
6. The method of claim 5, wherein the obtaining the resource path of the resource including the preset authentication identifier comprises:
in the case that the preset authentication identifier is detected, acquiring a resource path of the resource marked by the preset authentication identifier.
7. The method of claim 6, wherein the obtaining the resource path of the resource marked by the preset authentication identifier comprises:
taking the position marked by the preset authentication identifier as an access point, switching the target processing currently executed by the application server to a preset aspect processing function to execute the processing for acquiring the resource path, and returning to the access point after acquiring the resource path to continue executing the target processing; the preset aspect processing function is a function implemented based on aspect-oriented programming; the target processing is any processing executed by the application server.
8. A data processing method, applied to a service management platform, the method comprising:
acquiring a service registration request sent by an application server; wherein the service registration request comprises the service information of the application server; the service information comprises a resource path of a resource containing a preset authentication identifier in the code of the application server; the preset authentication identifier is used for indicating that the marked resource in the application server is an authentication-free resource;
after responding to the service registration request, carrying out service registration processing on the application server according to the service information, and then sending the service information to a service gateway, wherein the service gateway is used for carrying out interface route management on the application server.
9. A data processing apparatus for use in a service gateway for interface routing management for at least one application server, the apparatus comprising:
the receiving unit is used for receiving the resource access request sent by the client; the resource access request is used for accessing a target resource provided by a target application server, and the target application server is any application server in the at least one application server;
the first acquisition unit is used for acquiring the service identifier of the target application server and the resource path of the target resource from the resource access request, wherein the resource path is a path of an interface for accessing the target resource;
a matching unit, configured to query whether a matching record matching the service identifier and the resource path exists in a target white list set;
the target white list set comprises a plurality of resource records, and the resource records are in one-to-one correspondence with the application servers; the resource record is generated according to first service information of a corresponding first application server, the first service information comprises a target resource path corresponding to the first application server, and the target resource path is a resource path of a resource containing a preset authentication identifier in a code of the first application server; the preset authentication identifier is used for indicating that the marked resource in the first application server is an authentication-free resource, and the first application server is any application server in the at least one application server;
and the forwarding unit is used for determining that the resource access request is an authentication-free request and forwarding the resource access request to the target application server under the condition that the matching record exists in the target white list set.
10. An electronic device, comprising:
at least one processor; and
a memory communicatively coupled to the at least one processor; wherein,
the memory stores one or more computer programs executable by the at least one processor to enable the at least one processor to perform the data processing method of any one of claims 1-8.
11. A computer readable storage medium, on which a computer program is stored, characterized in that the computer program, when being executed by a processor, implements the data processing method according to any of claims 1-8.
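The flow of claims 1, 4 and 5, as an added sketch that is not code from the patent: an application server marks authentication-free resources, the resulting service information becomes one white-list record per server, and the gateway matches each request on the pair (service identifier, resource path) before falling back to authority authentication. The `auth_free` decorator, the `Gateway` class, the service and user names, and the path canonicalisation step are assumptions; the claims themselves only require a match on the service identifier and the resource path.

```python
import posixpath
from urllib.parse import unquote

MARKED = {}  # application-server side: service_id -> paths carrying the marker

def auth_free(service_id, path):
    """Hypothetical stand-in for the preset authentication identifier."""
    def mark(handler):
        MARKED.setdefault(service_id, set()).add(path)
        return handler
    return mark

@auth_free("order-service", "/orders/health")   # constructed sample resource
def health():
    return "ok"

def service_info(service_id):
    """Service information sent with the registration request (claim 5)."""
    return {"service_id": service_id, "paths": sorted(MARKED.get(service_id, ()))}

def canonical(raw_path):
    """Assumed hardening: drop the query, decode once, collapse dot segments."""
    path = unquote(raw_path.split("?", 1)[0])
    return posixpath.normpath("/" + path.lstrip("/"))

class Gateway:
    def __init__(self, permissions):
        self.whitelist = {}             # one resource record per application server
        self.permissions = permissions  # constructed: user -> {(service_id, path)}

    def on_service_info(self, info):
        # Replace the whole record so that removing a marker revokes the exemption.
        self.whitelist[info["service_id"]] = frozenset(info["paths"])

    def decide(self, service_id, raw_path, user=None):
        path = canonical(raw_path)
        # Exact match on (service identifier, resource path): no prefix matching.
        if path in self.whitelist.get(service_id, frozenset()):
            return "forward:auth-free"            # claim 1
        if (service_id, path) in self.permissions.get(user, set()):
            return "forward:authenticated"        # claim 4
        return "reject"
```

Matching on the canonical path keeps a request such as `/orders/health/../list` from inheriting the exemption of `/orders/health`; a gateway built this way should also forward the canonical path rather than the raw one, so the application server resolves the same resource that was checked.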
CN202310424462.5A 2023-04-19 2023-04-19 Data processing method and device, electronic equipment and computer readable storage medium Pending CN117499486A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310424462.5A CN117499486A (en) 2023-04-19 2023-04-19 Data processing method and device, electronic equipment and computer readable storage medium

Publications (1)

Publication Number Publication Date
CN117499486A true CN117499486A (en) 2024-02-02

Family

ID=89680563

Country Status (1)

Country Link
CN (1) CN117499486A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination