CN117978521A - Authentication method, apparatus, computer device, storage medium, and program product - Google Patents

Publication number
CN117978521A
Authority
CN
China
Prior art keywords
authentication
client
access request
information
server
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202410196739.8A
Other languages
Chinese (zh)
Inventor
王璐洋
魏成燕
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Industrial and Commercial Bank of China Ltd ICBC
Original Assignee
Industrial and Commercial Bank of China Ltd ICBC
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Industrial and Commercial Bank of China Ltd ICBC
Priority to CN202410196739.8A
Publication of CN117978521A
Legal status: Pending

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The present application relates to an authentication method, apparatus, computer device, storage medium and program product. The method comprises the following steps: by receiving the access request sent by the client, because the access request carries login information to be authenticated corresponding to the client and a target monitoring port address corresponding to the client, standard encryption authentication information corresponding to the client can be obtained in the configuration file according to the target monitoring port address, the login information is authenticated according to the standard encryption authentication information, and the access request is forwarded to a target server corresponding to the monitoring port address through the target monitoring port address under the condition that the login information passes the authentication. The authentication security can be improved by adopting the method.

Description

Authentication method, apparatus, computer device, storage medium, and program product
Technical Field
The present application relates to the field of information security technologies, and in particular, to an authentication method, apparatus, computer device, storage medium, and program product.
Background
With the popularization of network technology, data interaction is more frequent, and authentication needs to be performed before data interaction in order to ensure the security of the data interaction. The authentication is used for confirming the identity of a user or a system so as to control the access of the user or the system to system resources, and the authentication is carried out before data interaction, so that only authorized users can conduct data interaction operation, and the security and confidentiality of data are maintained.
In a conventional authentication method, a client directly sends an access request to a server, and the server authenticates according to the access request sent by the client, and the access of the client is allowed after the authentication passes.
However, the conventional authentication method has the problem of low authentication security.
Disclosure of Invention
In view of the foregoing, it is desirable to provide an authentication method, apparatus, computer device, storage medium, and program product that can improve authentication security.
In a first aspect, the present application provides an authentication method for an authentication server, including:
receiving an access request sent by a client, wherein the access request carries login information to be authenticated corresponding to the client and a target monitoring port address corresponding to the client;
According to the target monitoring port address, standard encryption authentication information corresponding to the client is obtained from the configuration file, and login information is authenticated according to the standard encryption authentication information;
and forwarding the access request to a target server corresponding to the monitoring port address through the target monitoring port address under the condition that the login information passes authentication.
In one embodiment, authenticating the login information according to the standard encrypted authentication information includes:
encrypting the login information according to a preset encryption mode to obtain encrypted login information;
And matching the encrypted login information with standard encryption authentication information, and determining that the login information passes authentication under the condition of successful matching.
In one embodiment, the method further comprises:
acquiring a monitoring port address corresponding to at least one client and a server address corresponding to each monitoring port address;
acquiring corresponding encryption authentication information of each client;
and for each client, storing the encryption authentication information, the monitoring port address and the server address association corresponding to the client in a configuration file.
In one embodiment, according to the listening port address, obtaining standard encryption authentication information corresponding to the client in the configuration file includes:
determining whether the access request comprises first security header information according to the access request;
And if the access request comprises the first security header information, acquiring standard encryption authentication information corresponding to the client in the configuration file according to the monitoring port address.
In one embodiment, before forwarding the access request to the target server corresponding to the listening port address through the listening port address, the method further includes:
second security header information is obtained and encapsulated in a header field of the access request.
In one embodiment, the method further comprises:
under the condition that login information authentication fails, acquiring authentication log information;
Determining whether the number of continuous authentication failures of the client reaches a failure number threshold according to the authentication log information;
if the number of continuous authentication failures reaches the failure number threshold, abnormal alarm information is generated.
In a second aspect, the present application provides an authentication method for a target server, including:
receiving an access request sent by an authentication server, wherein the access request is forwarded to the target server by the authentication server after the login information carried in the access request has passed authentication against the standard encryption authentication information corresponding to the client, and the access request also carries a target monitoring port address corresponding to the client;
And performing access response on the client based on the access request.
In one embodiment, based on the access request, performing an access response to the client includes:
acquiring a standard monitoring port address corresponding to a target server, and verifying the target monitoring port address according to the standard monitoring port address;
And under the condition that the matching is passed, the target server responds to the access of the client.
In one embodiment, based on the access request, performing an access response to the client includes:
acquiring second security header information encapsulated in a header field of the access request according to the access request, wherein the second security header information is encapsulated in the header field of the access request by the authentication server;
And carrying out security verification on the second security header information, and carrying out access response on the client under the condition that the security verification is passed.
In a third aspect, the present application provides an authentication method, for a client, including:
sending an access request to the authentication server, wherein the access request carries login information to be authenticated corresponding to the client and a target monitoring port address corresponding to the client, and the access request is to be forwarded by the authentication server to a target server corresponding to the target monitoring port address under the condition that the login information passes authentication.
In one embodiment, sending an access request to an authentication server includes:
acquiring first security header information, and packaging the first security header information in an access request;
and sending an access request to the authentication server.
In a fourth aspect, the present application provides an authentication apparatus for an authentication server, including:
the first receiving module is used for receiving an access request sent by the client, wherein the access request carries login information to be authenticated corresponding to the client and a target monitoring port address corresponding to the client;
The authentication module is used for acquiring standard encryption authentication information corresponding to the client in the configuration file according to the target monitoring port address, and authenticating the login information according to the standard encryption authentication information;
And the forwarding module is used for forwarding the access request to the target server corresponding to the monitoring port address through the target monitoring port address under the condition that the login information passes authentication.
In a fifth aspect, the present application provides an authentication apparatus for a target server, including:
the second receiving module is used for receiving an access request sent by the authentication server, wherein the access request is forwarded to the target server by the authentication server after the login information carried in the access request has passed authentication against the standard encryption authentication information corresponding to the client, and the access request also carries a target monitoring port address corresponding to the client;
and the response module is used for carrying out access response on the client based on the access request.
In a sixth aspect, the present application provides an authentication apparatus, for a client, including:
The access request carries login information to be authenticated corresponding to the client and a target monitoring port address corresponding to the client, wherein the access request is to be forwarded by the authentication server to a target server corresponding to the target monitoring port address under the condition that the login information passes authentication.
In a sixth aspect, the present application also provides a computer device. The computer device comprises a memory storing a computer program and a processor implementing the steps of the method according to the first, second or third aspect described above when the computer program is executed.
In a fourth aspect, the present application also provides a computer-readable storage medium. The computer readable storage medium having stored thereon a computer program which, when executed by a processor, implements the steps of the method as described in the first, second or third aspect above.
In a fifth aspect, the present application also provides a computer program product. The computer program product comprising a computer program which, when executed by a processor, implements the steps of the method as described in the first, second or third aspects above.
According to the authentication method, the device, the computer equipment, the storage medium and the program product, by receiving the access request sent by the client, because the access request carries login information to be authenticated corresponding to the client and the target monitoring port address corresponding to the client, standard encryption authentication information corresponding to the client can be obtained in the configuration file according to the target monitoring port address, the login information is authenticated according to the standard encryption authentication information, and the access request is forwarded to the target server corresponding to the monitoring port address through the target monitoring port address under the condition that the login information passes authentication. Therefore, when the client needs to access the target server, the access request sent by the client can be authenticated by the authentication server, so that the problem of low authentication security caused by the fact that the client directly sends the access request to the server and the server authenticates according to the access request is solved.
Drawings
In order to more clearly illustrate the embodiments of the present application or the technical solutions in the related art, the drawings that are required to be used in the embodiments or the related technical descriptions will be briefly described, and it is apparent that the drawings in the following description are only some embodiments of the present application, and other drawings may be obtained according to the drawings without inventive effort for those skilled in the art.
FIG. 1 is a diagram of an application environment for an authentication method in one embodiment;
FIG. 2 is a flow diagram of an authentication method for an authentication server in one embodiment;
FIG. 3 is a flow chart of step 202 in another embodiment;
FIG. 4 is a flow chart of an authentication server configuration file according to another embodiment;
FIG. 5 is a flow diagram of an authentication method for a target server in one embodiment;
FIG. 6 is a flow diagram of an exemplary authentication method in one embodiment;
FIG. 7 is a block diagram of an authentication apparatus for an authentication server in one embodiment;
FIG. 8 is a block diagram of an authentication device for a target server in one embodiment;
FIG. 9 is a block diagram of an authentication apparatus for a client in one embodiment;
FIG. 10 is an internal block diagram of a computer device in one embodiment;
FIG. 11 is an internal block diagram of a computer device in one embodiment.
Detailed Description
The present application will be described in further detail with reference to the drawings and examples, in order to make the objects, technical solutions and advantages of the present application more apparent. It should be understood that the specific embodiments described herein are for purposes of illustration only and are not intended to limit the scope of the application.
With the popularization of network technology, data interaction is more frequent, and authentication needs to be performed before data interaction in order to ensure the security of the data interaction. Authentication is an important concept in the field of computer security for validating the identity of a user or system to control access to system resources, and in network applications and systems, authentication is a critical mechanism to ensure that only authorized users can access restricted resources. Common authentication methods include authentication based on user name and password, OAuth authorization, token authentication, etc. Authentication is performed before data interaction, so that only authorized users can perform data interaction operation, and safety and confidentiality of data are maintained.
Authentication includes several related operations that together form the basis of authentication, ensuring that only authenticated legitimate users or systems can gain authorized access to restricted resources, thereby maintaining security of the system and confidentiality of data.
1. Authentication is the process of confirming whether the identity of a user or system is legitimate. The user typically provides identity credentials, such as a user name and password, a digital certificate or a token, to verify his identity; after successful authentication the user is identified and his legitimacy is confirmed.
2. Authorization is the process of granting a user or system specific rights after authentication succeeds. Rights are assigned according to the identity and role of the user to decide which resources and operations the user can access.
3. Single sign-on is an authentication mechanism that allows a user to access related resources and operations after successful authentication without having to input credentials again.
4. An identity credential is information that the user provides to the authentication system for authentication and that is used to prove the legitimacy of the user's identity. Common identity credentials include user names and passwords, digital certificates, API keys, tokens, and the like.
In the conventional authentication method, a client directly sends an access request to a server, and the server authenticates according to the access request sent by the client, and the client is allowed to access after the authentication is passed, so that the conventional authentication method has the problem of low authentication security.
In view of this, the embodiments of the present application provide an authentication method, an apparatus, a computer device, a storage medium, and a program product, by receiving an access request sent by a client, since the access request carries login information to be authenticated corresponding to the client and a target listening port address corresponding to the client, standard encrypted authentication information corresponding to the client may be obtained in a configuration file according to the target listening port address, and authentication is performed on the login information according to the standard encrypted authentication information, and in case that authentication of the login information passes, the access request is forwarded to a target server corresponding to the listening port address through the target listening port address. Therefore, when the client needs to access the target server, the access request sent by the client can be authenticated by the authentication server, so that the problem of low authentication security caused by the fact that the client directly sends the access request to the server and the server authenticates according to the access request is solved.
The authentication method provided by the embodiment of the application can be applied to an application environment shown in figure 1. Wherein the client 101 communicates with the authentication server 102 through a network, and the authentication server 102 communicates with the target server 103 through a network, wherein the authentication server 102 may be an nginx server.
The nginx server is high-performance open source Web server software and can also be used as a reverse proxy server, a load balancer, an HTTP cache and the like. It was first released in 2004 and has been widely used and continuously improved since. nginx is known for its excellent performance, high concurrency processing power, and low resource consumption, and is the preferred server for many large websites and applications. It has the following advantages and characteristics:
1. High performance: the core design concept of nginx is an event-driven, non-blocking I/O model, which enables it to handle large numbers of concurrent connection requests efficiently while keeping CPU and memory consumption low.
2. Reverse proxy: nginx can act as a reverse proxy server that forwards client requests to multiple servers at the backend, thereby achieving load balancing and high availability.
3. Static file service: nginx processes static files very efficiently, so it can serve static resources quickly and lighten the load of dynamic requests.
4. HTTP caching: nginx supports HTTP caching and can cache frequently requested resources, which reduces pressure on the back-end server and improves response speed.
5. Lightweight: nginx has a relatively small code base and a small memory and disk footprint, so it runs very quickly.
Since the nginx server has the above performance characteristics, in the embodiment of the present application the authentication method can be executed more efficiently by the nginx server.
The operating state of the nginx server can be determined by monitoring its operation log. Monitoring tools include, for example, Prometheus (a monitoring system) and Grafana (a query, visualization and alerting observability platform). Prometheus is an open-source monitoring and alerting tool, and Grafana is an open-source platform for visualizing data. One implementation uses the "nginx-vts-exporter" exporter to collect the operating metrics of nginx and then uses Grafana to create a dashboard that displays the operation log visually, showing the operating state of the nginx server and whether the nginx server is available.
In an exemplary embodiment, as shown in fig. 2, an authentication method is provided, and an example of application of the method to the authentication server 102 in fig. 1 is described, including the following steps 201 to 203. Wherein:
step 201, an access request sent by a client is received.
The access request carries login information to be authenticated corresponding to the client and a target monitoring port address corresponding to the client.
The access request is sent to the authentication server by the client and is used for indicating the authentication server to perform authentication operation according to login information carried in the access request, so as to determine whether the client can be authorized and allowed to access the target server corresponding to the target monitoring port address.
The login information carried in the access request can be a user name and a password, or can be a digital certificate, a token and the like, and the authentication server can determine whether authentication is successful according to the login information carried in the access request.
The access request also carries a target monitoring port address corresponding to the client, the target monitoring port address is one of port addresses which can output data by the authentication server, the authentication server can send the data to different servers through a plurality of monitoring port addresses, the different monitoring port addresses correspond to different servers, and the target monitoring port address corresponds to the target server.
Step 202, according to the target monitoring port address, standard encryption authentication information corresponding to the client is obtained from the configuration file, and login information is authenticated according to the standard encryption authentication information.
In the embodiment of the application, the authentication server also stores a configuration file, which records the link relation between a plurality of monitoring port addresses and each server, together with the encryption authentication information corresponding to each monitoring port address. Optionally, when the authentication server obtains an access request sent by a client, it can obtain the target monitoring port address carried in the access request, match it one by one against the monitoring port addresses in the configuration file, and use the encryption authentication information corresponding to the successfully matched monitoring port address as the standard encryption authentication information. Optionally, the authentication server determines, according to the access request, whether the access request includes first security header information, where the first security header information may be a series of preset fields; for example, the field may be "Authorization", characterizing that the access request is used for authentication. If the access request includes the first security header information, the authentication server may obtain the standard encryption authentication information corresponding to the client from the configuration file according to the listening port address.
The standard encryption authentication information is data for authenticating the login information, and can be obtained by encrypting the correct login information according to a preset encryption mode. The authentication process has several optional forms. Optionally, the login information obtained by the authentication server is in plaintext form; after obtaining it, the authentication server can encrypt the login information according to the preset encryption mode and match the encrypted login information with the standard encryption authentication information to determine whether the authentication passes. Optionally, the authentication server may hash the standard encryption authentication information and the login information according to a preset hash condition to obtain corresponding hash values, and match the hash value of the standard encryption authentication information with the hash value of the login information to determine whether the authentication passes. Optionally, when the login information obtained by the authentication server has already been encrypted by the client according to the preset encryption mode, the authentication server may directly match the encrypted login information with the standard encryption authentication information to determine whether the authentication passes.
Step 203, forwarding the access request to the target server corresponding to the monitoring port address through the target monitoring port address under the condition that the login information passes the authentication.
In the embodiment of the application, when the login information passes the authentication, the authentication server can determine the target monitoring port according to the target monitoring port address and send the access request to the corresponding target server through the target monitoring port.
In one possible implementation manner, in order to improve the security of the access, before forwarding the access request to the target server corresponding to the listening port address through the listening port address, the authentication server may further acquire second security header information, and encapsulate the second security header information in a header field of the access request.
The second security header information may be, for example, 'Strict-Transport-Security', 'Content-Security-Policy', etc. The authentication server may encapsulate the second security header information in a header field of the access request and then send the access request encapsulated with the second security header information to the target server. When the target server receives the access request, it may first check whether the access request carries the second security header information and, if so, it responds, thereby improving access security.
In a possible implementation manner, in the case that the login information fails in authentication, the authentication server may acquire authentication log information, and determine whether the number of continuous authentication failures of the client reaches a failure number threshold according to the authentication log information; if the number of continuous authentication failures reaches the failure number threshold, abnormal alarm information is generated.
The authentication log information comprises historical data of the authentication operations executed by the authentication server, from which the authentication server can obtain the number of consecutive authentication failures of the current client. A failure number threshold is preset; when the number of consecutive authentication failures reaches the failure number threshold, abnormal alarm information is generated to indicate that the current client poses a potential security risk. Optionally, the authentication server can mark the client as abnormal according to the abnormal alarm information, and an access request subsequently received from a client carrying the abnormal mark may be left unprocessed.
In one possible implementation, the authentication server may analyze and monitor the authentication log information in real time through an intelligent risk analysis engine, which may be deployed on other servers or on the authentication server.
The intelligent risk analysis engine may be, for example, FireEye Helix. FireEye Helix is an integrated security operations platform for integrating, automating, and coordinating security event response. Helix integrates threat intelligence, event response, analysis, reporting and other functions, and provides comprehensive security operations support.
In a possible implementation manner, the authentication server may export the authentication log information through a log collector, which may be Filebeat, and may archive the authentication log information after export. To make the authentication log information easier to manage, the authentication server may optionally send it to an ES (Elasticsearch, a search server) and store it there. The ES may process the authentication log information by configuring a log record and send the processed authentication log information to the intelligent risk analysis engine, which monitors the authentication log information in real time; when the engine observes that the number of consecutive authentication failures of a certain client reaches the failure number threshold, abnormal alarm information may be generated.
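The consecutive-failure check described above, as an added Python example that is not code from the patent, run over a constructed log. The JSON field names, the threshold of 3 and the names `FailureMonitor` and `scan` are assumptions.

```python
import json
from collections import defaultdict

FAILURE_THRESHOLD = 3  # assumption: the page leaves the threshold value open

# Constructed sample authentication log, one JSON event per line (field names are assumptions).
SAMPLE_LOG = """\
{"ts": "2024-03-01T10:00:01Z", "client": "198.51.100.7", "port": 8081, "result": "fail"}
{"ts": "2024-03-01T10:00:02Z", "client": "203.0.113.9", "port": 8082, "result": "fail"}
{"ts": "2024-03-01T10:00:03Z", "client": "198.51.100.7", "port": 8081, "result": "fail"}
{"ts": "2024-03-01T10:00:04Z", "client": "203.0.113.9", "port": 8082, "result": "fail"}
{"ts": "2024-03-01T10:00:05Z", "client": "198.51.100.7", "port": 8081, "result": "success"}
{"ts": "2024-03-01T10:00:06Z", "client": "203.0.113.9", "port": 8082, "result": "fail"}
{"ts": "2024-03-01T10:00:07Z", "client": "198.51.100.7", "port": 8081, "result": "fail"}
truncated line that is not JSON
{"ts": "2024-03-01T10:00:08Z", "client": "203.0.113.9", "port": 8082, "result": "fail"}
{"ts": "2024-03-01T10:00:09Z", "client": "198.51.100.7", "port": 8081, "result": "fail"}
"""


class FailureMonitor:
    """Tracks consecutive authentication failures per client and flags offenders."""

    def __init__(self, threshold: int = FAILURE_THRESHOLD):
        self.threshold = threshold
        self.streak = defaultdict(int)  # client -> current run of failures
        self.flagged = set()            # clients carrying the abnormal mark
        self.alerts = []                # abnormal alarm information

    def observe(self, event: dict):
        """Update state from one log event; return an alert dict when the threshold is hit."""
        client = event["client"]
        if event["result"] == "success":
            self.streak[client] = 0     # a success ends the run; the mark itself is kept
            return None
        self.streak[client] += 1
        if self.streak[client] != self.threshold:
            return None                 # below threshold, or already alerted for this run
        alert = {"client": client, "port": event.get("port"), "ts": event.get("ts"),
                 "consecutive_failures": self.streak[client]}
        self.alerts.append(alert)
        self.flagged.add(client)
        return alert

    def should_process(self, client: str) -> bool:
        """Requests from marked clients may be refused before any credential check."""
        return client not in self.flagged


def scan(log_text: str, threshold: int = FAILURE_THRESHOLD):
    """Replay a log through a monitor; malformed lines are counted, not fatal."""
    monitor, skipped = FailureMonitor(threshold), 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        try:
            event = json.loads(line)
            if event["result"] not in ("success", "fail") or not isinstance(event["client"], str):
                raise ValueError("unexpected field value")
        except (ValueError, KeyError, TypeError):
            skipped += 1
            continue
        monitor.observe(event)
    return monitor, skipped


if __name__ == "__main__":
    monitor, skipped = scan(SAMPLE_LOG)
    for alert in monitor.alerts:
        print("ALERT", alert)
    print("skipped lines:", skipped)
```

Failures are counted per client and interleaved traffic does not break a run, so the second client is flagged on its third failure while the first client, whose run was reset by a success, is not.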
According to the authentication method, by receiving the access request sent by the client, because the access request carries the login information to be authenticated corresponding to the client and the target monitoring port address corresponding to the client, standard encryption authentication information corresponding to the client can be obtained in the configuration file according to the target monitoring port address, the login information is authenticated according to the standard encryption authentication information, and the access request is forwarded to the target server corresponding to the monitoring port address through the target monitoring port address under the condition that the login information passes the authentication. Therefore, when the client needs to access the target server, the access request sent by the client can be authenticated by the authentication server, so that the problem of low authentication security caused by the fact that the client directly sends the access request to the server and the server authenticates according to the access request is solved.
In one embodiment, based on the embodiment shown in fig. 2 and described above, referring to fig. 3, this embodiment refers to a process of authenticating login information according to standard encryption authentication information. As shown in fig. 3, step 202 may include step 301 and step 302.
Step 301, encrypting the login information according to a preset encryption mode to obtain encrypted login information.
Step 302, the encrypted login information is matched with standard encryption authentication information, and the login information authentication is determined to pass under the condition that the matching is successful.
In this embodiment, the login information acquired by the authentication server is in plaintext form, and the authentication server may encrypt the login information according to a preset encryption mode. Optionally, the preset encryption mode is the same as the one used for the standard encryption authentication information. For example, if the authentication server encrypted the standard encryption authentication information with a preset hash algorithm, then after acquiring the login information it may encrypt the login information with the same hash algorithm to obtain the encrypted login information.
At this time, the encrypted login information is matched with the standard encryption authentication information, and if the encrypted login information is the same as the standard encryption authentication information, the matching is determined to be successful.
Optionally, the authentication server may encrypt the login information according to another preset encryption mode, and the result may be an authentication field. In this case, the authentication server may match the encrypted login information against the standard encryption authentication information, and if the standard encryption authentication information includes the authentication field, the authentication is determined to be successful.
In one embodiment, based on the embodiment shown in fig. 2 and described above, referring to fig. 4, this embodiment relates to a process in which the authentication server sets up the configuration file. As shown in fig. 4, the process may include steps 401 to 403.
Step 401, obtaining a listening port address corresponding to at least one client and a server address corresponding to each listening port address.
Step 402, obtaining the encryption authentication information corresponding to each client.
Step 403, for each client, storing the encrypted authentication information, the listening port address and the server address associated with the client in a configuration file.
In the embodiment of the application, different clients can access different servers, and the authentication server can allocate different monitoring ports for each client, so that the authentication server can acquire the corresponding monitoring port addresses of each client and the server addresses of each server.
For different clients, the authentication server can authenticate each client according to different encryption authentication information, and the authentication server needs to correlate the encryption authentication information, the monitoring port address and the server address corresponding to each client, so that the authentication server needs to acquire the encryption authentication information corresponding to each client.
Optionally, the authentication server directly obtains the encryption authentication information corresponding to each client through an external device. Alternatively, the authentication server obtains the authentication information corresponding to each client and encrypts it according to a preset encryption mode, thereby obtaining the encryption authentication information corresponding to each client. The encryption modes corresponding to the clients may be the same or different. As an example of a preset encryption mode, the authentication information may be encrypted with the htpasswd command.
After the authentication server obtains the encryption authentication information, the listening port address and the server address corresponding to each client, it associates them and stores them in the configuration file. When the authentication server is an nginx server, the storage process can be as follows: a server block is added to the nginx.conf configuration file of the nginx server, and the encryption authentication information, the listening port address and the server address are written into that server block.
In one embodiment, as shown in fig. 5, an authentication method is provided. Taking its application to the target server 103 in fig. 1 as an example, the method includes the following steps:
Step 501, an access request sent by an authentication server is received.
The access request is forwarded to the target server by the authentication server after the login information carried in the access request has passed authentication against the standard encryption authentication information corresponding to the client. The access request also carries the target listening port address corresponding to the client.
For the process of the authentication server for authenticating the login information carried in the access request, reference may be made to the related description of the above embodiment, which is not repeated herein.
Step 502, performing access response on the client based on the access request.
In one possible implementation, to improve the security of the access process, the authentication server encapsulates the second security header information in the header field of the access request before sending it. The target server may then obtain, from the access request, the second security header information encapsulated in its header field, perform security verification on the second security header information, and respond to the client's access if the security verification passes.
The second security header information is encapsulated in the header field of the access request by the authentication server and may be 'Strict-Transport-Security', 'Content-Security-Policy', etc. As for the specific security verification process, optionally, after obtaining the access request, the target server parses its header field and matches the header field against the second security header information; if the header field contains the second security header information, the security verification passes.
In one possible implementation, the target server also needs to check the port from which the received access request was sent, so as to determine whether the access request was sent through the listening port address corresponding to the target server. As for the specific check, optionally, the target server obtains the standard listening port address corresponding to the target server and verifies the target listening port address against it; if the match passes, the target server responds to the client's access.
In the embodiment of the application, the access request carries the target listening port address, and the target server matches the target listening port address against the standard listening port address corresponding to the target server. Optionally, if the match succeeds, the verification passes and the target server responds to the client's access. Optionally, if the match fails, the verification fails, which means that the access request was not sent through the listening port address corresponding to the target server; the target server does not respond to the client and, further, generates abnormal information indicating that verification of the listening port address failed.
In the above embodiment, after receiving the access request authenticated by the authentication server, the target server may perform security verification on the access request through the second security header information, and may also perform verification on the listening port address carried by the access request, thereby improving access security through multiple security verifications.
In one embodiment, an authentication method is provided. Taking its application to the client 101 in fig. 1 as an example, the method includes the following step: sending an access request to the authentication server.
The access request carries login information to be authenticated corresponding to the client and a target listening port address corresponding to the client. The access request is to be forwarded by the authentication server to the target server corresponding to the target listening port address if the login information passes authentication.
With respect to the method for generating the access request, optionally, the client receives login information uploaded by the user through the external device, and may generate the access request according to the login information and the target listening port address corresponding to the client; optionally, the client locally stores historical login information, and when the client receives an access instruction input by a user and used for indicating to access the target server, the client can use the historical login information as login information and generate an access request according to the login information and a target monitoring port address corresponding to the client.
The login information carried in the access request can be in a plaintext form or an encrypted form, and optionally, the client can directly carry the login information in the access request after acquiring the login information; optionally, after the client acquires the login information, the client encrypts the login information according to a preset encryption mode and carries the encrypted login information in the access request.
To improve access security, optionally, the client obtains first security header information, encapsulates it in the access request, and then sends the access request to the authentication server. The first security header information may be a set of preset fields; for example, the field may be "Authorization", indicating that the access request is to be authenticated.
In the above embodiment, when the client needs to access the target server, the authentication server authenticates the transmitted access request, and after the authentication is successful, the client receives the access response of the target server, thereby improving the security of the authentication process.
In one embodiment, please refer to fig. 6, which illustrates a flowchart of an exemplary authentication method according to an embodiment of the present application, which may be applied in the implementation environment shown in fig. 1.
In step 601, the client obtains the first security header information, and encapsulates the first security header information in the access request.
In step 602, the client sends an access request to the authentication server.
The access request carries login information to be authenticated corresponding to the client and a target listening port address corresponding to the client. The access request is to be forwarded by the authentication server to the target server corresponding to the target listening port address if the login information passes authentication.
In step 603, the authentication server obtains the listening port address corresponding to at least one client and the server address corresponding to each listening port address.
In step 604, the authentication server obtains the encrypted authentication information corresponding to each client.
Step 605, the authentication server stores, for each client, the encrypted authentication information, the listening port address, and the server address association corresponding to the client in a configuration file.
In step 606, the authentication server receives the access request sent by the client.
The access request carries login information to be authenticated corresponding to the client and a target monitoring port address corresponding to the client.
In step 607, the authentication server determines, according to the access request, whether the access request includes the first security header information.
In step 608, if the access request includes the first security header information, the authentication server obtains standard encryption authentication information corresponding to the client in the configuration file according to the listening port address.
In step 609, the authentication server encrypts the login information according to a preset encryption mode to obtain encrypted login information.
Step 610, the authentication server matches the encrypted login information with standard encrypted authentication information, and determines that the login information passes authentication if the matching is successful.
In step 611, the authentication server obtains the second security header information if the login information passes authentication, and encapsulates the second security header information in the header field of the access request.
In step 612, the authentication server forwards the access request to the target server corresponding to the listening port address through the target listening port address.
In step 613, the authentication server obtains authentication log information in case of failed authentication of the login information.
In step 614, the authentication server determines, according to the authentication log information, whether the number of consecutive authentication failures of the client reaches the failure number threshold.
In step 615, if the number of continuous authentication failures reaches the failure number threshold, the authentication server generates abnormal alarm information.
In step 616, the target server receives the access request sent by the authentication server.
The access request is forwarded to the target server by the authentication server after the login information carried in the access request has passed authentication against the standard encryption authentication information corresponding to the client. The access request also carries the target listening port address corresponding to the client.
Step 617, the target server obtains the standard monitoring port address corresponding to the target server, and verifies the target monitoring port address according to the standard monitoring port address.
In step 618, the target server responds to the client with access if the match passes.
Step 619, the target server obtains, according to the access request, second security header information encapsulated in a header field of the access request.
Wherein the second secure header information is encapsulated by the authentication server in a header field of the access request.
In step 620, the target server performs security verification on the second security header information, and performs access response on the client if the security verification passes.
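The request path in steps 601 to 612 and 616 to 620 can be modelled end to end as below. This is an added example, not the patent's code: requests are plain dictionaries rather than HTTP messages, the login information travels as an HTTP Basic value in the "Authorization" header, the unspecified "preset encryption mode" is taken to be salted PBKDF2-HMAC-SHA256, and all ports, addresses, salts and credentials are constructed.

```python
import base64
import hashlib
import hmac

FIRST_HEADER = "Authorization"               # first security header named in the text
SECOND_HEADER = "Strict-Transport-Security"  # one of the second headers named in the text
ITERATIONS = 100_000                         # assumed PBKDF2 work factor


def protect(login: str, salt: bytes) -> str:
    """Assumed 'preset encryption mode': salted PBKDF2-HMAC-SHA256, hex encoded."""
    return hashlib.pbkdf2_hmac("sha256", login.encode(), salt, ITERATIONS).hex()


# Steps 603-605: per-client association of listening port, stored hash and server.
CONFIG = {
    8081: {"upstream": "10.0.0.11:9000", "salt": b"constructed-salt-1",
           "stored": protect("app1:s3cret-one", b"constructed-salt-1")},
    8082: {"upstream": "10.0.0.12:9000", "salt": b"constructed-salt-2",
           "stored": protect("app2:s3cret-two", b"constructed-salt-2")},
}
# Standard listening port that each target server expects (step 617).
STANDARD_PORT = {"10.0.0.11:9000": 8081, "10.0.0.12:9000": 8082}


def build_request(listen_port, login=None):
    """Steps 601-602: the client wraps its login information in the first header."""
    headers = {}
    if login is not None:
        headers[FIRST_HEADER] = "Basic " + base64.b64encode(login.encode()).decode()
    return {"listen_port": listen_port, "headers": headers}


def auth_server_handle(request):
    """Steps 606-612: check the header, look up by port, hash, match, forward."""
    value = request["headers"].get(FIRST_HEADER, "")
    if not value.startswith("Basic "):
        return {"action": "reject", "reason": "missing first security header"}
    record = CONFIG.get(request["listen_port"])
    if record is None:
        return {"action": "reject", "reason": "unknown listening port"}
    try:
        login = base64.b64decode(value[len("Basic "):], validate=True).decode()
    except ValueError:  # covers bad base64 and bad UTF-8
        return {"action": "reject", "reason": "malformed login information"}
    candidate = protect(login, record["salt"])
    # Constant-time comparison so the match does not leak how many characters agree.
    if not hmac.compare_digest(candidate, record["stored"]):
        return {"action": "reject", "reason": "authentication failed"}
    headers = dict(request["headers"])
    headers[SECOND_HEADER] = "max-age=31536000"
    forwarded = {"listen_port": request["listen_port"], "headers": headers}
    return {"action": "forward", "upstream": record["upstream"], "request": forwarded}


def target_server_handle(request, standard_port):
    """Steps 616-620: verify the listening port and the second security header."""
    if request["listen_port"] != standard_port:
        return {"status": 403, "reason": "listening port mismatch"}
    if SECOND_HEADER not in request["headers"]:
        return {"status": 403, "reason": "missing second security header"}
    return {"status": 200, "reason": "ok"}


def end_to_end(request):
    """Run a client request through the authentication server and the target server."""
    decision = auth_server_handle(request)
    if decision["action"] == "reject":
        return {"status": 401, "reason": decision["reason"]}
    upstream = decision["upstream"]
    return target_server_handle(decision["request"], STANDARD_PORT[upstream])


if __name__ == "__main__":
    print(end_to_end(build_request(8081, "app1:s3cret-one")))
    print(end_to_end(build_request(8081, "app2:s3cret-two")))
```

Because the stored hash is selected by listening port, valid credentials for one client fail on another client's port. The target's header check only shows that something set the header, so the target should also accept connections only from the authentication server.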
It should be understood that, although the steps in the flowcharts related to the embodiments described above are shown sequentially as indicated by the arrows, these steps are not necessarily performed in the order indicated by the arrows. Unless explicitly stated herein, the steps are not strictly limited to that order of execution and may be executed in other orders. Moreover, at least some of the steps in the flowcharts described in the above embodiments may include a plurality of steps or a plurality of stages, which are not necessarily performed at the same time but may be performed at different times, and these steps or stages are not necessarily performed sequentially but may be performed in turn or alternately with at least some of the other steps or stages.
Based on the same inventive concept, the embodiment of the application also provides an authentication device for realizing the above-mentioned related authentication method. The implementation of the solution provided by the device is similar to the implementation described in the above method, so the specific limitation in the embodiments of one or more authentication devices provided below may be referred to the limitation of the authentication method hereinabove, and will not be repeated here.
In an exemplary embodiment, as shown in fig. 7, there is provided an authentication apparatus for authenticating a server, including: a first receiving module 701, an authentication module 702 and a forwarding module 703, wherein:
a first receiving module 701, configured to receive an access request sent by a client, where the access request carries login information to be authenticated corresponding to the client and a target listening port address corresponding to the client;
The authentication module 702 is configured to obtain standard encryption authentication information corresponding to the client from a configuration file according to the target listening port address, and authenticate the login information according to the standard encryption authentication information;
And a forwarding module 703, configured to forward, when the login information passes authentication, the access request to a target server corresponding to the listening port address through the target listening port address.
In one embodiment, the authentication module 702 includes:
the encryption unit is used for carrying out encryption processing on the login information according to a preset encryption mode to obtain encrypted login information;
And the matching unit is used for matching the encrypted login information with the standard encryption authentication information and determining that the login information passes authentication under the condition of successful matching.
In one embodiment, the authentication apparatus further comprises:
The address acquisition module is used for acquiring the monitoring port address corresponding to at least one client and the server address corresponding to each monitoring port address;
The information acquisition module is used for acquiring the encryption authentication information corresponding to each client;
And the configuration module is used for storing the encryption authentication information, the monitoring port address and the server address corresponding to the client in the configuration file in an associated manner for each client.
In one embodiment, the authentication module 702 further comprises:
a first security determining unit, configured to determine, according to the access request, whether first security header information is included in the access request;
And the standard encryption authentication information acquisition unit is used for acquiring the standard encryption authentication information corresponding to the client in the configuration file according to the monitoring port address if the access request comprises the first security header information.
In one embodiment, the authentication apparatus further comprises:
and the second security encapsulation module is used for acquiring second security header information and encapsulating the second security header information in a header field of the access request.
In one embodiment, the authentication apparatus further comprises:
The log acquisition module is used for acquiring authentication log information under the condition that the authentication of the login information fails;
the failure number determining module is used for determining whether the number of continuous authentication failures of the client reaches a failure number threshold according to the authentication log information;
And the alarm module is used for generating abnormal alarm information if the number of times of continuous authentication failure reaches the failure number threshold value.
The respective modules in the authentication apparatus for an authentication server described above may be implemented in whole or in part by software, hardware, and combinations thereof. The above modules may be embedded in hardware or may be independent of a processor in the computer device, or may be stored in software in a memory in the computer device, so that the processor may call and execute operations corresponding to the above modules.
In an exemplary embodiment, as shown in fig. 8, there is provided an authentication apparatus for a target server, including: a second receiving module 801 and a response module 802, wherein:
a second receiving module 801, configured to receive an access request sent by an authentication server, where the access request is forwarded to the target server by the authentication server after the login information carried in the access request has passed authentication against the standard encryption authentication information corresponding to a client, and the access request also carries a target listening port address corresponding to the client;
And a response module 802, configured to respond to the client by accessing based on the access request.
In one embodiment, the response module 802 includes:
the address verification unit is used for obtaining a standard monitoring port address corresponding to the target server and verifying the target monitoring port address according to the standard monitoring port address;
and the response unit is used for carrying out access response on the client by the target server under the condition that the matching is passed.
In one embodiment, the response module 802 includes:
A second security obtaining unit, configured to obtain, according to the access request, second security header information encapsulated in a header field of the access request, where the second security header information is encapsulated in the header field of the access request by the authentication server;
and the second security verification unit is used for performing security verification on the second security header information and performing access response on the client under the condition that the security verification passes.
The respective modules in the authentication apparatus for the target server described above may be implemented in whole or in part by software, hardware, and combinations thereof. The above modules may be embedded in hardware or may be independent of a processor in the computer device, or may be stored in software in a memory in the computer device, so that the processor may call and execute operations corresponding to the above modules.
In an exemplary embodiment, as shown in fig. 9, there is provided an authentication apparatus for a client, including: a sending module 901, wherein:
The sending module 901 is configured to send an access request to an authentication server, where the access request carries login information to be authenticated corresponding to the client and a target listening port address corresponding to the client, and the access request is to be forwarded by the authentication server to a target server corresponding to the target listening port address if the login information passes authentication.
In one embodiment, the transmitting module 901 includes:
the first security encapsulation unit is used for acquiring first security header information and encapsulating the first security header information in the access request;
and the sending unit is used for sending the access request to the authentication server.
The respective modules in the authentication apparatus for a client described above may be implemented in whole or in part by software, hardware, and combinations thereof. The above modules may be embedded in hardware or may be independent of a processor in the computer device, or may be stored in software in a memory in the computer device, so that the processor may call and execute operations corresponding to the above modules.
In one exemplary embodiment, a computer device is provided, which may be a server, and the internal structure thereof may be as shown in fig. 10. The computer device includes a processor, a memory, an Input/Output interface (I/O) and a communication interface. The processor, the memory and the input/output interface are connected through a system bus, and the communication interface is connected to the system bus through the input/output interface. Wherein the processor of the computer device is configured to provide computing and control capabilities. The memory of the computer device includes a non-volatile storage medium and an internal memory. The non-volatile storage medium stores an operating system, computer programs, and a database. The internal memory provides an environment for the operation of the operating system and computer programs in the non-volatile storage media. The database of the computer device is used to store XX data. The input/output interface of the computer device is used to exchange information between the processor and the external device. The communication interface of the computer device is used for communicating with an external terminal through a network connection. The computer program is executed by a processor to implement an authentication method.
In an exemplary embodiment, a computer device, which may be a terminal, is provided, and an internal structure thereof may be as shown in fig. 11. The computer device includes a processor, a memory, an input/output interface, a communication interface, a display unit, and an input means. The processor, the memory and the input/output interface are connected through a system bus, and the communication interface, the display unit and the input device are connected to the system bus through the input/output interface. Wherein the processor of the computer device is configured to provide computing and control capabilities. The memory of the computer device includes a non-volatile storage medium and an internal memory. The non-volatile storage medium stores an operating system and a computer program. The internal memory provides an environment for the operation of the operating system and computer programs in the non-volatile storage media. The input/output interface of the computer device is used to exchange information between the processor and the external device. The communication interface of the computer device is used for carrying out wired or wireless communication with an external terminal, and the wireless mode can be realized through WIFI, a mobile cellular network, NFC (near field communication) or other technologies. The computer program is executed by a processor to implement an authentication method. The display unit of the computer device is used for forming a visual picture, and can be a display screen, a projection device or a virtual reality imaging device. The display screen can be a liquid crystal display screen or an electronic ink display screen, and the input device of the computer equipment can be a touch layer covered on the display screen, can also be a key, a track ball or a touch pad arranged on the shell of the computer equipment, and can also be an external keyboard, a touch pad or a mouse and the like.
It will be appreciated by those skilled in the art that the structures shown in fig. 10 and 11 are merely block diagrams of portions of structures associated with aspects of the application and are not intended to limit the computer device to which aspects of the application may be applied, and that a particular computer device may include more or fewer components than those shown, or may combine certain components, or may have a different arrangement of components.
In an exemplary embodiment, a computer device is provided, which in one possible implementation is an authentication server. The computer device comprises a memory and a processor, the memory having stored therein a computer program, and the processor performs the following steps when executing the computer program:
Receiving an access request sent by a client, wherein the access request carries login information to be authenticated corresponding to the client and a target monitoring port address corresponding to the client;
Acquiring standard encryption authentication information corresponding to the client in a configuration file according to the target monitoring port address, and authenticating the login information according to the standard encryption authentication information;
And forwarding the access request to a target server corresponding to the monitoring port address through the target monitoring port address under the condition that the login information passes authentication.
In one embodiment, the processor when executing the computer program further performs the steps of:
encrypting the login information according to a preset encryption mode to obtain encrypted login information;
and matching the encrypted login information with the standard encryption authentication information, and determining that the login information passes authentication under the condition of successful matching.
In one embodiment, the processor when executing the computer program further performs the steps of:
acquiring a monitoring port address corresponding to at least one client and a server address corresponding to each monitoring port address;
acquiring corresponding encryption authentication information of each client;
and for each client, storing the encryption authentication information, the monitoring port address and the server address corresponding to the client in the configuration file in an associated manner.
In one embodiment, the processor when executing the computer program further performs the steps of:
determining whether the access request comprises first security header information according to the access request;
And if the access request comprises the first security header information, acquiring standard encryption authentication information corresponding to the client in a configuration file according to the monitoring port address.
In one embodiment, before the access request is forwarded to the target server corresponding to the listening port address through the listening port address, the processor further implements the following steps when executing the computer program:
and acquiring second security header information, and packaging the second security header information in a header field of the access request.
In one embodiment, the processor when executing the computer program further performs the steps of:
Under the condition that the login information fails in authentication, acquiring authentication log information;
Determining whether the number of continuous authentication failures of the client reaches a failure number threshold according to the authentication log information;
and if the number of continuous authentication failures reaches the failure number threshold, generating abnormal alarm information.
In one exemplary embodiment, a computer device is provided, comprising a memory having a computer program stored therein and a processor that when executing the computer program, in one possible implementation, performs the steps of:
Receiving an access request sent by an authentication server, wherein the access request is forwarded to the target server by the authentication server after the login information carried in the access request has passed authentication against the standard encryption authentication information corresponding to a client, and the access request also carries a target listening port address corresponding to the client;
And performing access response on the client based on the access request.
In one embodiment, the processor when executing the computer program further performs the steps of:
acquiring a standard monitoring port address corresponding to the target server, and verifying the target monitoring port address according to the standard monitoring port address;
and under the condition that the matching is passed, the target server responds to the access of the client.
In one embodiment, the processor when executing the computer program further performs the steps of:
Acquiring second security header information encapsulated in a header field of the access request according to the access request, wherein the second security header information is encapsulated in the header field of the access request by the authentication server;
and carrying out security verification on the second security header information, and carrying out access response on the client under the condition that the security verification is passed.
In one exemplary embodiment, a computer device is provided, comprising a memory having a computer program stored therein and a processor; in one possible implementation the computer device is a client, and the processor, when executing the computer program, performs the steps of:
Sending an access request to an authentication server, wherein the access request carries login information to be authenticated corresponding to the client and a target monitoring port address corresponding to the client, and the access request is for the authentication server to forward to a target server corresponding to the target monitoring port address under the condition that the login information and the security pass.
In one embodiment, the processor when executing the computer program further performs the steps of:
Acquiring first security header information, and packaging the first security header information in the access request;
And sending the access request to the authentication server.
In one embodiment, a computer readable storage medium is provided, on which a computer program is stored, which in one possible implementation is applied to an authentication server, the computer program when executed by a processor implementing the steps of:
Receiving an access request sent by a client, wherein the access request carries login information to be authenticated corresponding to the client and a target monitoring port address corresponding to the client;
Acquiring standard encryption authentication information corresponding to the client in a configuration file according to the target monitoring port address, and authenticating the login information according to the standard encryption authentication information;
And forwarding the access request to a target server corresponding to the monitoring port address through the target monitoring port address under the condition that the login information passes authentication.
In one embodiment, the computer program when executed by the processor further performs the steps of:
encrypting the login information according to a preset encryption mode to obtain encrypted login information;
and matching the encrypted login information with the standard encryption authentication information, and determining that the login information passes authentication under the condition of successful matching.
In one embodiment, the computer program when executed by the processor further performs the steps of:
acquiring a monitoring port address corresponding to at least one client and a server address corresponding to each monitoring port address;
acquiring corresponding encryption authentication information of each client;
and for each client, storing the encryption authentication information, the monitoring port address and the server address corresponding to the client in the configuration file in an associated manner.
In one embodiment, the computer program when executed by the processor further performs the steps of:
determining whether the access request comprises first security header information according to the access request;
And if the access request comprises the first security header information, acquiring standard encryption authentication information corresponding to the client in a configuration file according to the monitoring port address.
In one embodiment, before the access request is forwarded to the target server corresponding to the listening port address through the listening port address, the computer program when executed by the processor further implements the following steps:
and acquiring second security header information, and packaging the second security header information in a header field of the access request.
In one embodiment, the computer program when executed by the processor further performs the steps of:
Under the condition that the login information fails in authentication, acquiring authentication log information;
Determining whether the number of continuous authentication failures of the client reaches a failure number threshold according to the authentication log information;
and if the number of continuous authentication failures reaches the failure number threshold, generating abnormal alarm information.
In one embodiment, a computer readable storage medium is provided, having a computer program stored thereon, which in one possible implementation is applied to a target server, the computer program when executed by a processor implementing the steps of:
Receiving an access request sent by an authentication server, wherein the access request is forwarded to the target server by the authentication server after the login information carried in the access request passes authentication according to standard encryption authentication information corresponding to a client, and the access request also carries a target monitoring port address corresponding to the client;
And performing access response on the client based on the access request.
In one embodiment, the computer program when executed by the processor further performs the steps of:
acquiring a standard monitoring port address corresponding to the target server, and verifying the target monitoring port address according to the standard monitoring port address;
and under the condition that the matching is passed, the target server responds to the access of the client.
In one embodiment, the computer program when executed by the processor further performs the steps of:
Acquiring second security header information encapsulated in a header field of the access request according to the access request, wherein the second security header information is encapsulated in the header field of the access request by the authentication server;
and carrying out security verification on the second security header information, and carrying out access response on the client under the condition that the security verification is passed.
In one embodiment, a computer readable storage medium is provided, on which a computer program is stored, which in one possible implementation is applied to a client, the computer program when executed by a processor implementing the steps of:
Sending an access request to an authentication server, wherein the access request carries login information to be authenticated corresponding to the client and a target monitoring port address corresponding to the client, and the access request is for the authentication server to forward to a target server corresponding to the target monitoring port address under the condition that the login information and the security pass.
In one embodiment, the computer program when executed by the processor further performs the steps of:
Acquiring first security header information, and packaging the first security header information in the access request;
And sending the access request to the authentication server.
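The authentication-server and target-server steps listed above, as an added Python sketch that is not part of the patent text: the gateway looks up the client's stored digest by listening port, compares in constant time, raises an alert on repeated failures, and stamps a second security header that the target server verifies. The header names, the use of PBKDF2-HMAC-SHA256 as the "preset encryption mode", the HMAC-plus-timestamp format of the second header, and the threshold value are all assumptions.

```python
import hashlib
import hmac
import os
import time
from dataclasses import dataclass

# Assumed names and values: the page only speaks of a "first" and "second"
# security header, a "preset encryption mode" and a "failure number threshold".
FIRST_HEADER = "X-Client-Sec"
SECOND_HEADER = "X-Gateway-Sec"
FAILURE_THRESHOLD = 3
PBKDF2_ROUNDS = 100_000


def encrypt_login(username, password, salt):
    """Assumed 'preset encryption mode': salted PBKDF2-HMAC-SHA256."""
    secret = f"{username}:{password}".encode()
    return hashlib.pbkdf2_hmac("sha256", secret, salt, PBKDF2_ROUNDS)


@dataclass
class ClientEntry:
    salt: bytes
    standard_auth: bytes  # "standard encryption authentication information"
    server_addr: str


def build_config(clients):
    """Store credential digest, listening port and server address together."""
    config = {}
    for port, (user, password, server_addr) in clients.items():
        salt = os.urandom(16)
        config[port] = ClientEntry(salt, encrypt_login(user, password, salt), server_addr)
    return config


def sign_forward(key, port, ts):
    return hmac.new(key, f"{port}|{ts}".encode(), hashlib.sha256).hexdigest()


class AuthServer:
    def __init__(self, config, gateway_key):
        self.config, self.key = config, gateway_key
        self.auth_log = []  # (port, passed) pairs: the authentication log
        self.alerts = []

    def _consecutive_failures(self, port):
        count = 0
        for logged_port, passed in reversed(self.auth_log):
            if logged_port != port:
                continue
            if passed:
                break
            count += 1
        return count

    def handle(self, request, now=None):
        port, headers = request["port"], request.get("headers", {})
        entry = self.config.get(port)
        if FIRST_HEADER not in headers or entry is None:
            return None  # rejected before any credential lookup
        candidate = encrypt_login(request["username"], request["password"], entry.salt)
        passed = hmac.compare_digest(candidate, entry.standard_auth)
        self.auth_log.append((port, passed))
        if not passed:
            if self._consecutive_failures(port) >= FAILURE_THRESHOLD:
                self.alerts.append(f"abnormal: repeated auth failures on port {port}")
            return None
        ts = int(time.time() if now is None else now)
        forwarded = dict(headers)
        forwarded[SECOND_HEADER] = f"{ts}:{sign_forward(self.key, port, ts)}"
        # Design choice of this sketch: the password is not passed upstream.
        return {"server_addr": entry.server_addr, "port": port, "headers": forwarded}


class TargetServer:
    def __init__(self, standard_port, gateway_key, max_skew=30):
        self.standard_port, self.key, self.max_skew = standard_port, gateway_key, max_skew

    def respond(self, forwarded, now=None):
        if forwarded["port"] != self.standard_port:
            return False  # listening port does not match this server's own
        try:
            ts_text, mac = forwarded["headers"][SECOND_HEADER].split(":", 1)
            ts = int(ts_text)
        except (KeyError, ValueError):
            return False
        now = time.time() if now is None else now
        if abs(now - ts) > self.max_skew:
            return False  # stale header: limits replay of a captured request
        expected = sign_forward(self.key, forwarded["port"], ts)
        return hmac.compare_digest(mac.encode(), expected.encode())
```

Failures are counted per listening port here because the configuration ties each client to one port; a successful login resets the run of consecutive failures.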
In one embodiment, a computer program product is provided, comprising a computer program which, in one possible implementation, is applied to an authentication server, the computer program, when executed by a processor, implements the steps of:
Receiving an access request sent by a client, wherein the access request carries login information to be authenticated corresponding to the client and a target monitoring port address corresponding to the client;
Acquiring standard encryption authentication information corresponding to the client in a configuration file according to the target monitoring port address, and authenticating the login information according to the standard encryption authentication information;
And forwarding the access request to a target server corresponding to the monitoring port address through the target monitoring port address under the condition that the login information passes authentication.
In one embodiment, the computer program when executed by the processor further performs the steps of:
encrypting the login information according to a preset encryption mode to obtain encrypted login information;
and matching the encrypted login information with the standard encryption authentication information, and determining that the login information passes authentication under the condition of successful matching.
In one embodiment, the computer program when executed by the processor further performs the steps of:
acquiring a monitoring port address corresponding to at least one client and a server address corresponding to each monitoring port address;
acquiring corresponding encryption authentication information of each client;
and for each client, storing the encryption authentication information, the monitoring port address and the server address corresponding to the client in the configuration file in an associated manner.
In one embodiment, the computer program when executed by the processor further performs the steps of:
determining whether the access request comprises first security header information according to the access request;
And if the access request comprises the first security header information, acquiring standard encryption authentication information corresponding to the client in a configuration file according to the monitoring port address.
In one embodiment, before the access request is forwarded to the target server corresponding to the listening port address through the listening port address, the computer program when executed by the processor further implements the following steps:
and acquiring second security header information, and packaging the second security header information in a header field of the access request.
In one embodiment, the computer program when executed by the processor further performs the steps of:
Under the condition that the login information fails in authentication, acquiring authentication log information;
Determining whether the number of continuous authentication failures of the client reaches a failure number threshold according to the authentication log information;
and if the number of continuous authentication failures reaches the failure number threshold, generating abnormal alarm information.
In one embodiment, a computer program product is provided, comprising a computer program which, in one possible implementation, is applied to a target server, the computer program when executed by a processor, implements the steps of:
Receiving an access request sent by an authentication server, wherein the access request is forwarded to the target server by the authentication server after the login information carried in the access request passes authentication according to standard encryption authentication information corresponding to a client, and the access request also carries a target monitoring port address corresponding to the client;
And performing access response on the client based on the access request.
In one embodiment, the computer program when executed by the processor further performs the steps of:
acquiring a standard monitoring port address corresponding to the target server, and verifying the target monitoring port address according to the standard monitoring port address;
and under the condition that the matching is passed, the target server responds to the access of the client.
In one embodiment, the computer program when executed by the processor further performs the steps of:
Acquiring second security header information encapsulated in a header field of the access request according to the access request, wherein the second security header information is encapsulated in the header field of the access request by the authentication server;
and carrying out security verification on the second security header information, and carrying out access response on the client under the condition that the security verification is passed.
In one embodiment, a computer program product is provided, comprising a computer program which, in one possible implementation, is applied to a client, the computer program, when executed by a processor, implements the steps of:
Sending an access request to an authentication server, wherein the access request carries login information to be authenticated corresponding to the client and a target monitoring port address corresponding to the client, and the access request is for the authentication server to forward to a target server corresponding to the target monitoring port address under the condition that the login information and the security pass.
In one embodiment, the computer program when executed by the processor further performs the steps of:
Acquiring first security header information, and packaging the first security header information in the access request;
And sending the access request to the authentication server.
It should be noted that, the user information (including but not limited to user equipment information, user personal information, etc.) and the data (including but not limited to data for analysis, stored data, presented data, etc.) related to the present application are both information and data authorized by the user or sufficiently authorized by each party, and the collection, use and processing of the related data are required to meet the related regulations.
Those skilled in the art will appreciate that all or part of the above-described methods may be implemented by a computer program stored on a non-transitory computer-readable storage medium, which, when executed, may comprise the steps of the method embodiments described above. Any reference to memory, database, or other medium used in the embodiments provided herein may include at least one of non-volatile and volatile memory. The non-volatile memory may include read-only memory (ROM), magnetic tape, floppy disk, flash memory, optical memory, high-density embedded non-volatile memory, resistive random access memory (ReRAM), magnetoresistive random access memory (MRAM), ferroelectric random access memory (FRAM), phase change memory (PCM), graphene memory, and the like. Volatile memory may include random access memory (RAM) or external cache memory, and the like. By way of illustration, and not limitation, RAM can take various forms such as static random access memory (SRAM) or dynamic random access memory (DRAM). The databases referred to in the embodiments provided herein may include at least one of a relational database and a non-relational database. The non-relational database may include, but is not limited to, a blockchain-based distributed database, and the like. The processor referred to in the embodiments provided in the present application may be a general-purpose processor, a central processing unit, a graphics processor, a digital signal processor, a programmable logic unit, a data processing logic unit based on quantum computing, or the like, but is not limited thereto.
The technical features of the above embodiments may be combined arbitrarily. For brevity, not all possible combinations of these technical features are described; however, as long as a combination of technical features involves no contradiction, it should be considered within the scope of this description.
The foregoing examples illustrate only a few embodiments of the application and are described in detail herein without thereby limiting the scope of the application. It should be noted that it will be apparent to those skilled in the art that several variations and modifications can be made without departing from the spirit of the application, which are all within the scope of the application. Accordingly, the scope of the application should be assessed as that of the appended claims.

Claims (17)

1. An authentication method for an authentication server, the method comprising:
Receiving an access request sent by a client, wherein the access request carries login information to be authenticated corresponding to the client and a target monitoring port address corresponding to the client;
Acquiring standard encryption authentication information corresponding to the client in a configuration file according to the target monitoring port address, and authenticating the login information according to the standard encryption authentication information;
And forwarding the access request to a target server corresponding to the monitoring port address through the target monitoring port address under the condition that the login information passes authentication.
2. The method of claim 1, wherein authenticating the login information according to the standard encrypted authentication information comprises:
encrypting the login information according to a preset encryption mode to obtain encrypted login information;
and matching the encrypted login information with the standard encryption authentication information, and determining that the login information passes authentication under the condition of successful matching.
3. The method according to claim 1, wherein the method further comprises:
acquiring a monitoring port address corresponding to at least one client and a server address corresponding to each monitoring port address;
acquiring corresponding encryption authentication information of each client;
and for each client, storing the encryption authentication information, the monitoring port address and the server address corresponding to the client in the configuration file in an associated manner.
4. The method of claim 1, wherein the obtaining standard encrypted authentication information corresponding to the client in a configuration file according to the listening port address includes:
determining whether the access request comprises first security header information according to the access request;
And if the access request comprises the first security header information, acquiring standard encryption authentication information corresponding to the client in a configuration file according to the monitoring port address.
5. The method of claim 1, wherein before forwarding the access request to the target server corresponding to the listening port address via the listening port address, the method further comprises:
and acquiring second security header information, and packaging the second security header information in a header field of the access request.
6. The method according to claim 1, wherein the method further comprises:
Under the condition that the login information fails in authentication, acquiring authentication log information;
Determining whether the number of continuous authentication failures of the client reaches a failure number threshold according to the authentication log information;
and if the number of continuous authentication failures reaches the failure number threshold, generating abnormal alarm information.
7. An authentication method for a target server, the method comprising:
Receiving an access request sent by an authentication server, wherein the access request is forwarded to the target server by the authentication server after the login information carried in the access request passes authentication according to standard encryption authentication information corresponding to a client, and the access request also carries a target monitoring port address corresponding to the client;
And performing access response on the client based on the access request.
8. The method of claim 7, wherein the responding to the access to the client based on the access request comprises:
acquiring a standard monitoring port address corresponding to the target server, and verifying the target monitoring port address according to the standard monitoring port address;
and under the condition that the matching is passed, the target server responds to the access of the client.
9. The method of claim 7, wherein the responding to the access to the client based on the access request comprises:
Acquiring second security header information encapsulated in a header field of the access request according to the access request, wherein the second security header information is encapsulated in the header field of the access request by the authentication server;
and carrying out security verification on the second security header information, and carrying out access response on the client under the condition that the security verification is passed.
10. An authentication method for a client, the method comprising:
Sending an access request to an authentication server, wherein the access request carries login information to be authenticated corresponding to the client and a target monitoring port address corresponding to the client, and the access request is for the authentication server to forward to a target server corresponding to the target monitoring port address under the condition that the login information and the security pass.
11. The method of claim 10, wherein the sending the access request to the authentication server comprises:
Acquiring first security header information, and packaging the first security header information in the access request;
And sending the access request to the authentication server.
12. An authentication apparatus for an authentication server, the apparatus comprising:
The first receiving module is used for receiving an access request sent by a client, wherein the access request carries login information to be authenticated corresponding to the client and a target monitoring port address corresponding to the client;
the authentication module is used for acquiring standard encryption authentication information corresponding to the client in a configuration file according to the target monitoring port address, and authenticating the login information according to the standard encryption authentication information;
And the forwarding module is used for forwarding the access request to a target server corresponding to the monitoring port address through the target monitoring port address under the condition that the login information passes authentication.
13. An authentication apparatus for a target server, the apparatus comprising:
The second receiving module is used for receiving an access request sent by an authentication server, wherein the access request is forwarded to the target server by the authentication server after the login information carried in the access request passes authentication according to standard encryption authentication information corresponding to a client, and the access request also carries a target monitoring port address corresponding to the client;
And the response module is used for carrying out access response on the client based on the access request.
14. An authentication apparatus for a client, the apparatus comprising:
The access request carries login information to be authenticated corresponding to the client and a target monitoring port address corresponding to the client, wherein the access request is used for the authentication server to forward to the target server corresponding to the target monitoring port address under the condition that the login information and the security pass.
15. A computer device comprising a memory and a processor, the memory storing a computer program, characterized in that the processor implements the steps of the method of any one of claims 1 to 11 when the computer program is executed.
16. A computer readable storage medium, on which a computer program is stored, characterized in that the computer program, when being executed by a processor, implements the steps of the method of any of claims 1 to 11.
17. A computer program product comprising a computer program, characterized in that the computer program, when being executed by a processor, implements the steps of the method of any one of claims 1 to 11.
CN202410196739.8A 2024-02-22 2024-02-22 Authentication method, apparatus, computer device, storage medium, and program product Pending CN117978521A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202410196739.8A CN117978521A (en) 2024-02-22 2024-02-22 Authentication method, apparatus, computer device, storage medium, and program product

Publications (1)

Publication Number Publication Date
CN117978521A (en) 2024-05-03

Family

ID=90864234

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202410196739.8A Pending CN117978521A (en) 2024-02-22 2024-02-22 Authentication method, apparatus, computer device, storage medium, and program product

Country Status (1)

Country Link
CN (1) CN117978521A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination