WO2019047064A1 - Permission control method, and server end - Google Patents


Info

Publication number
WO2019047064A1
Authority
WO
WIPO (PCT)
Prior art keywords
token
information
identity information
rights
interface
Application number
PCT/CN2017/100719
Other languages
French (fr)
Chinese (zh)
Inventor
梁锦友
Original Assignee
深圳峰创智诚科技有限公司

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/40 Network security protocols

Definitions

  • the present invention relates to the field of communications technologies, and in particular, to a rights control method and a server.
  • Application program interfaces are often called from within software to save development time.
  • The main purpose of an application program interface is to give applications and developers the ability to access a set of routines without accessing the source code or understanding the details of the internal working mechanism. Communication between pieces of software can be achieved through application program interfaces, and using them avoids writing redundant code and eases programming tasks.
  • However, when external applications call its application program interfaces, the server cannot properly control the access rights of each interface, so the security of the services behind those interfaces is relatively low.
  • the main purpose of the present invention is to solve the problem that the current server is not able to control the access rights of each application interface well in the process of being invoked by the application, resulting in a relatively low security of the service in the application interface.
  • the present invention provides a method for controlling rights, which is applied to a server, and the method for controlling rights includes:
  • the step of receiving the request message of the calling application interface sent by the external calling program further includes:
  • the step of generating a token according to the identity information includes:
  • the step of verifying the identity information and the rights information of the token comprises:
  • if the identity information and the rights information meet the verification condition of the application program interface, verification of the identity information and the rights information of the token passes;
  • if the identity information and the rights information do not meet the verification condition of the application program interface, verification of the identity information and the rights information of the token fails.
  • the step of allowing the external caller to invoke the application interface further includes:
  • the present invention further provides a server, where the server includes:
  • a receiving module configured to receive a request message sent by an external calling program to invoke an application interface, where the request message includes a token
  • a verification module configured to verify identity information and rights information of the token
  • a processing module configured to allow the external calling program to invoke the application program interface if verification of the identity information and the rights information of the token passes;
  • a prompting module configured to return a prompt of verification failure to the external calling program if verification of the identity information and the rights information of the token fails.
  • the server further includes:
  • a generating module configured to receive identity information sent by the external calling program, generate a token according to the identity information, send the token to the external calling program, and store the token.
  • the generating module is further configured to set corresponding authority information to the identity information, and perform encryption processing on the identity information and the rights information to obtain the token.
  • the verification module is configured to decrypt the token, obtain the identity information and the rights information included in the token, and determine whether the identity information and the rights information meet the verification condition of the application program interface; if they do, verification of the identity information and the rights information of the token passes, and if they do not, verification fails.
  • the server further includes:
  • a transmission module configured to return, to the external calling program, service data corresponding to the application program interface.
  • the permission control method and the server provided by the invention verify the token sent by the external calling program and allow the external calling program to call the application program interface only when verification passes, so the access rights of each application program interface can be well controlled and the security of the business code in the application program interface is improved.
  • FIG. 1 is a schematic flow chart of an embodiment of an authority control method according to the present invention.
  • FIG. 2 is a schematic diagram of a specific refinement of the verification of the identity information and rights information of the token in step S20 of FIG. 1.
  • FIG. 3 is a schematic diagram of functional modules of an embodiment of a server according to the present invention.
  • FIG. 4 is a schematic diagram of functional modules of another embodiment of a server according to the present invention.
  • FIG. 5 is a schematic diagram of functional modules of another embodiment of a server according to the present invention.
  • FIG. 1 is a flowchart of a method for controlling rights according to an embodiment of the present invention.
  • the method for controlling rights is applied to a server.
  • the method for controlling rights includes the following steps:
  • Step S10: Receive a request message sent by an external calling program to invoke an application program interface, where the request message includes a token.
  • The external calling program may be a client installed on a mobile terminal or a web application.
  • When the external caller wants to call an application program interface, it needs to send the server a request message for calling that interface.
  • The token needs to be sent to the server with the request. The token grants permission to request an interface within a specified validity period.
  • Before step S10, the method may further include the steps of receiving identity information sent by the external calling program, generating a token according to the identity information, sending the token to the external calling program, and storing the token.
  • the token may be obtained by performing an encryption process on the identity information by using an encryption algorithm, where the encryption algorithm may be an RSA encryption algorithm or a symmetric encryption algorithm.
  • the identity information includes account information, visitor information, and/or trial account information.
  • The account information indicates that the user has completed registration and the server holds complete registered account information; the visitor information indicates that the user accessing the device is an unregistered user whose user information is incomplete.
  • The trial account information can be information identifying the device, such as its MAC address or another device identifier. With trial account information, the user is granted preset permissions on the device for the trial duration.
  • Some application program interfaces authorize calls only from registered user accounts; some can be authorized for visitors whose information is incomplete; some can authorize calls from trial accounts.
  • Accordingly, application program interfaces can be labelled with different tags: the first kind carries a visitor-access tag, the second a user-login tag, and the third a trial-account-login tag.
  • the token may be sent to the server to request the corresponding application interface to be called from the server.
  • The step of generating a token according to the identity information may include the following steps: setting corresponding rights information for the identity information, and encrypting the identity information and the rights information to obtain the token.
  • If the identity information is account information, it is assigned the rights information corresponding to application program interfaces with the user-login tag; if the identity information is visitor information, it is assigned the rights information corresponding to application program interfaces with the visitor-access tag.
  • the identity information and the rights information are encrypted, which can prevent important information from leaking and ensure information security.
  • Step S20: Verify the identity information and rights information of the token.
  • Because the token is encrypted data, the server first decrypts it and then verifies the identity information and rights information obtained from the decrypted token.
  • The token can be encrypted with the public key of the RSA encryption algorithm and decrypted with the corresponding RSA private key.
  • The token can also be encrypted with the key of a symmetric encryption algorithm and decrypted with the same key by the inverse operation; other encryption algorithms may also be used, and the algorithm is not limited here.
  • Step S30: If the identity information and the rights information of the token pass verification, allow the external calling program to invoke the application program interface.
  • If the server verifies the identity information and rights information of the token, the server has authorized the external calling program to invoke the application program interface, so the server allows the call, that is, it allows the external caller to access the business data of the application program interface.
  • the method may further include the step of: returning, to the external calling program, service data corresponding to the application program interface.
  • In this way the call to the application program interface completes quickly, running time is saved, and the execution efficiency of the external calling program is improved.
  • Step S40: If the identity information and the rights information of the token fail verification, return a prompt of verification failure to the external calling program.
  • If the server fails to verify the identity information and rights information of the token, the server has not authorized the external caller to invoke the application program interface, so the server prohibits the call, that is, the external calling program is prohibited from accessing the business data of the application program interface.
  • The server then returns a prompt of verification failure to the external calling program; the prompt may include information such as a user account error or a password error.
  • FIG. 2 is a schematic diagram of a specific refinement of the verification of the identity information and rights information of the token in step S20 of FIG. 1.
  • Step S21: Decrypt the token to obtain the identity information and the rights information included in the token.
  • Because the token is encrypted data, the corresponding identity information and rights information are obtained from the token after it is decrypted.
  • The server decrypts according to the method it used to encrypt the identity information and rights information. Specifically, if the server encrypted the identity information and rights information with the public key of the RSA encryption algorithm to obtain the token, the token can be decrypted with the RSA private key to obtain the corresponding identity information and rights information.
  • Step S22: Determine whether the identity information and the rights information meet the verification condition of the application program interface.
  • The verification condition of the application program interface includes an identity verification condition and a rights verification condition. When the identity information satisfies the identity verification condition and the rights information satisfies the rights verification condition, the identity information and the rights information satisfy the verification condition of the application program interface.
  • Step S23: If the identity information and the rights information meet the verification condition of the application program interface, verification of the identity information and rights information of the token passes.
  • That is, if the identity information satisfies the identity verification condition and the rights information satisfies the rights verification condition, verification of the identity information and rights information of the token passes.
  • Step S24: If the identity information and the rights information do not meet the verification condition of the application program interface, verification of the identity information and rights information of the token fails.
  • That is, if the identity information does not satisfy the identity verification condition, or the rights information does not satisfy the rights verification condition, verification of the identity information and rights information of the token fails.
  • The permission control method provided by the invention verifies the token sent by the external calling program and allows the external calling program to call the application program interface only when verification passes, which controls the access rights of each application program interface well and improves the security of the business code in the application program interface.
  • FIG. 3 is a schematic diagram of functional modules of an embodiment of a server according to the present invention.
  • the server 100 includes a receiving module 101, a verification module 102, a processing module 103, and a prompting module 104.
  • the receiving module 101 is configured to receive a request message sent by an external calling program to invoke an application interface, where the request message includes a token.
  • the verification module 102 is configured to verify identity information and rights information of the token.
  • the processing module 103 is configured to allow the external calling program to invoke the application program interface if the identity information and the rights information of the token are verified.
  • the prompting module 104 is configured to return a prompt for verification failure to the external calling program if the identity information and the authority information of the token fail to be verified.
  • The verification module 102 is specifically configured to decrypt the token, obtain the identity information and the rights information included in the token, and determine whether the identity information and the rights information meet the verification condition of the application program interface; if they do, verification of the identity information and the rights information of the token passes, and if they do not, verification fails.
  • FIG. 4 is a functional block diagram of another server according to an embodiment of the present invention.
  • the embodiment shown in FIG. 4 is based on the addition of the generation module 105 to the server 100 shown in FIG. 3, wherein:
  • the generating module 105 is configured to receive identity information sent by the external calling program, generate a token according to the identity information, send the token to the external calling program, and store the token.
  • the token may be obtained by performing an encryption process on the identity information by using an encryption algorithm, where the encryption algorithm may be an RSA encryption algorithm or a symmetric encryption algorithm.
  • the identity information includes account information, visitor information, and/or trial account information.
  • The account information indicates that the user has completed registration and the server holds complete registered account information; the visitor information indicates that the user accessing the device has not completed registration, so the user data held by the server is incomplete.
  • The trial account information can be information identifying the device, such as its MAC address or another device identifier. With trial account information, the user is granted preset permissions on the device for the trial period.
  • Some application program interfaces authorize calls only from registered accounts; some can be authorized for users whose information is incomplete; some can authorize calls from trial accounts.
  • Application program interfaces can be tagged according to requirements: the first kind carries a visitor-access tag, the second a user-login tag, and the third a trial-account-login tag.
  • the token may be sent to the server to request the corresponding application interface to be called from the server.
  • the generating module 105 is further configured to set corresponding authority information to the identity information, and perform encryption processing on the identity information and the rights information to obtain the token.
  • If the identity information is account information, it is assigned the rights information corresponding to application program interfaces with the user-login tag; if the identity information is visitor information, it is assigned the rights information corresponding to application program interfaces with the visitor-access tag.
  • the identity information and the rights information are encrypted, which can prevent important information from leaking and ensure information security.
  • FIG. 5 is a functional block diagram of another server according to an embodiment of the present invention.
  • the embodiment shown in FIG. 5 is based on the addition of the transmission module 106 to the server 100 shown in FIG. 3, wherein:
  • the transmission module 106 is configured to return, to the external calling program, service data corresponding to the application program interface.
  • In this way the call to the application program interface completes quickly, running time is saved, and the execution efficiency of the external calling program is improved.
  • The server provided by the invention verifies the token sent by the external calling program and allows the external calling program to call the application program interface only when verification passes, which controls the access rights of each application program interface well and improves the security of the business code in the application program interface.
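The following Go program is an added example, not code from the patent or its applicant: it implements the generation module and verification module described above, sealing identity information and its assigned rights information into a token and allowing a call only when the token authenticates, the identity condition holds (known identity kind, subject present, validity period not expired) and the rights condition holds (the interface's tag is among the token's rights). The patent only requires that the token be encrypted; a bare cipher does not detect modification, so the example uses AES-256-GCM, an authenticated cipher, and a tampered token is rejected at the decryption step. The demo key, the tag strings and the kind-to-rights mapping are assumptions made for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)
// Identity kinds and interface tags named in the patent (the tag strings are assumed).
const (
	KindAccount, KindVisitor, KindTrial           = "account", "visitor", "trial"
	TagVisitorAccess, TagUserLogin, TagTrialLogin = "visitor_access", "user_login", "trial_login"
)

// rightsByKind is the rights information the server sets for each kind of identity
// information; the mapping itself is an assumption made for this example.
var rightsByKind = map[string][]string{
	KindAccount: {TagVisitorAccess, TagUserLogin},
	KindVisitor: {TagVisitorAccess},
	KindTrial:   {TagVisitorAccess, TagTrialLogin},
}
// demoKey is a constructed 32-byte demo key; a deployment loads it from a secret store.
var demoKey = []byte("0123456789abcdef0123456789abcdef")

// Claims is what the server seals into the token: identity information, the rights
// information assigned to it, and an expiry (the token's "specified valid time").
type Claims struct {
	Kind    string   `json:"kind"`   // account, visitor or trial
	Subject string   `json:"sub"`    // account id, visitor id, or device MAC for a trial account
	Rights  []string `json:"rights"` // interface tags this identity may call
	Expiry  int64    `json:"exp"`    // unix seconds
}

// Tokenizer seals and opens tokens with AES-256-GCM so that a modified token is rejected.
type Tokenizer struct{ aead cipher.AEAD }

func NewTokenizer(key []byte) (*Tokenizer, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Tokenizer{aead: aead}, nil
}

// Issue is the generation module: set the rights information for the identity, then
// encrypt both under a fresh random nonce. Token layout: nonce || ciphertext || GCM tag.
func (t *Tokenizer) Issue(kind, subject string, now time.Time, ttl time.Duration) ([]byte, error) {
	rights, ok := rightsByKind[kind]
	if !ok {
		return nil, errors.New("unknown identity kind")
	}
	plain, _ := json.Marshal(Claims{Kind: kind, Subject: subject, Rights: rights, Expiry: now.Add(ttl).Unix()})
	nonce := make([]byte, t.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return t.aead.Seal(nonce, nonce, plain, nil), nil
}

// Verify is the verification module: decrypt and authenticate (step S21), then check the identity
// condition (known kind, subject, not expired) and the rights condition (tag in Rights) (step S22).
func (t *Tokenizer) Verify(token []byte, apiTag string, now time.Time) (*Claims, error) {
	ns := t.aead.NonceSize()
	if len(token) < ns+t.aead.Overhead() {
		return nil, errors.New("token too short")
	}
	plain, err := t.aead.Open(nil, token[:ns], token[ns:], nil)
	if err != nil {
		return nil, errors.New("token authentication failed")
	}
	var c Claims
	if err := json.Unmarshal(plain, &c); err != nil {
		return nil, err
	}
	if _, ok := rightsByKind[c.Kind]; !ok || c.Subject == "" || !now.Before(time.Unix(c.Expiry, 0)) {
		return nil, errors.New("identity verification failed")
	}
	for _, r := range c.Rights {
		if r == apiTag {
			return &c, nil
		}
	}
	return nil, errors.New("rights verification failed for " + apiTag)
}

func main() {
	tk, _ := NewTokenizer(demoKey)
	tok, _ := tk.Issue(KindVisitor, "visitor-42", time.Now(), time.Hour)
	_, err := tk.Verify(tok, TagUserLogin, time.Now()) // visitor lacks the user-login right
	fmt.Println("visitor calling user-login interface:", err)
}
```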

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Storage Device Security (AREA)

Abstract

Provided is a permission control method. The method comprises: receiving a request message, sent by an external calling program, for calling an application program interface, wherein the request message comprises a token; verifying identity information and permission information about the token; if the verification of the identity information and permission information about the token is passed, allowing the external calling program to call the application program interface; and if the verification of the identity information and permission information about the token fails, returning a prompt of verification failure to the external calling program. Further disclosed is a server end. The permission control method and the server end provided in the present invention can fully control the access permissions of various application program interfaces and improve the security of a service code in the application program interfaces.

Description

Permission control method and server
Technical field
The present invention relates to the field of communications technologies, and in particular to a permission control method and a server.
Background art
As software grows ever larger, application program interfaces are often called from within software to save development time. The main purpose of an application program interface is to give applications and developers the ability to access a set of routines without accessing the source code or understanding the details of the internal working mechanism. Communication between pieces of software can be achieved through application program interfaces, and using them avoids writing redundant code and eases programming tasks. However, at present, when external applications call its application program interfaces, the server cannot properly control the access rights of each interface, so the security of the services in the application program interfaces is relatively low.
Technical problem
The main purpose of the present invention is to solve the problem that the current server, when called by applications, cannot properly control the access rights of each application program interface, resulting in relatively low security of the services in the application program interfaces.
Technical solution
To achieve the above object, the present invention provides a permission control method applied to a server, the permission control method comprising:
receiving a request message sent by an external calling program to call an application program interface, the request message including a token;
verifying identity information and rights information of the token;
if verification of the identity information and rights information of the token passes, allowing the external calling program to call the application program interface;
if verification of the identity information and rights information of the token fails, returning a prompt of verification failure to the external calling program.
Preferably, before the step of receiving the request message sent by the external calling program to call the application program interface, the method further comprises:
receiving identity information sent by the external calling program, generating a token according to the identity information, sending the token to the external calling program, and storing the token.
Preferably, the step of generating a token according to the identity information comprises:
setting corresponding rights information for the identity information, and encrypting the identity information and the rights information to obtain the token.
Preferably, the step of verifying the identity information and rights information of the token comprises:
decrypting the token to obtain the identity information and the rights information included in the token;
determining whether the identity information and the rights information meet the verification condition of the application program interface;
if the identity information and the rights information meet the verification condition of the application program interface, verification of the identity information and rights information of the token passes;
if the identity information and the rights information do not meet the verification condition of the application program interface, verification of the identity information and rights information of the token fails.
Preferably, after the step of allowing the external calling program to call the application program interface if the token passes identity and rights verification, the method further comprises:
returning to the external calling program the business data corresponding to the application program interface.
此外,为实现上述目的,本发明还提供一种服务端,所述服务端包括:In addition, to achieve the above object, the present invention further provides a server, where the server includes:
接收模块,用于接收外部调用程序发送的调用应用程序接口的请求消息,所述请求消息包括令牌;a receiving module, configured to receive a request message sent by an external calling program to invoke an application interface, where the request message includes a token;
验证模块,用于对所述令牌的身份信息和权限信息进行验证;a verification module, configured to verify identity information and rights information of the token;
处理模块,用于若所述令牌的身份信息和权限信息验证通过,则允许所述外部调用程序调用所述应用程序接口;a processing module, configured to allow the external calling program to invoke the application program interface if the identity information and the permission information of the token are verified to pass;
提示模块,用于若所述令牌的身份信息和权限信息验证失败,则向所述外部调用程序返回验证失败的提示。The prompting module is configured to: if the identity information and the permission information of the token fail to be verified, return a prompt for verifying failure to the external calling program.
Preferably, the server further includes:
a generating module, configured to receive identity information sent by the external calling program, generate a token from the identity information, send the token to the external calling program, and store the token.
Preferably, the generating module is further configured to set rights information corresponding to the identity information and to encrypt the identity information together with the rights information to obtain the token.
Preferably, the verification module is configured to decrypt the token to obtain the identity information and rights information it contains, and to determine whether they satisfy the verification condition of the application program interface: if they do, the identity information and rights information of the token pass verification; if they do not, verification of the identity information and rights information of the token fails.
Preferably, the server further includes:
a transmission module, configured to return the business data corresponding to the application program interface to the external calling program.
Beneficial effects
The permission control method and server provided by the invention verify the token sent by an external calling program and allow that program to invoke an application program interface only when the verification passes. The access rights of each application program interface can thus be controlled individually, improving the security of the business code behind the interfaces.
Brief description of the drawings
FIG. 1 is a schematic flowchart of an embodiment of the permission control method of the present invention;
FIG. 2 is a schematic flowchart detailing step S20 of FIG. 1, the verification of the identity information and rights information of the token;
FIG. 3 is a schematic diagram of the functional modules of an embodiment of the server of the present invention;
FIG. 4 is a schematic diagram of the functional modules of another embodiment of the server of the present invention;
FIG. 5 is a schematic diagram of the functional modules of a further embodiment of the server of the present invention.
The implementation, functional features and advantages of the present invention are further described below with reference to the embodiments and the accompanying drawings.
Embodiments of the invention
It should be understood that the preferred embodiments described here serve only to illustrate and explain the present invention and do not limit it.
Referring to FIG. 1, FIG. 1 is a flowchart of a permission control method provided by an embodiment of the present invention. The method runs on a server and, as shown in FIG. 1, includes the following steps:
Step S10: receive a request message sent by an external calling program to invoke an application program interface (API), the request message including a token.
In this embodiment, the external calling program may be a client installed on a mobile terminal or a web application. When the external calling program wants to invoke an API, it sends the server a request message for that API and, so that the server can verify its rights, includes a token in the request. The token carries the right to request the interface for a specified validity period.
In this embodiment, step S10 may be preceded by the following steps: receive identity information sent by the external calling program, generate a token from the identity information, send the token to the external calling program, and store the token. Specifically, the token may be obtained by encrypting the identity information with an encryption algorithm, which may be RSA or a symmetric algorithm.
In this embodiment, the identity information includes account information, guest information and/or trial-account information. Account information indicates that the user has completed registration and has a complete registered profile; guest information indicates that the user of the accessing device has not completed registration and the profile is incomplete; trial-account information may be information identifying the device, such as its MAC address or another device identifier, through which the user is granted preset rights on that device for a preset trial period. Some APIs may be invoked only by fully registered accounts, some may be invoked by guest users with incomplete profiles, and some may be invoked by trial accounts. The APIs can therefore be tagged: a first class tagged for guest access, a second class tagged for logged-in users, and a third class tagged for trial-account login.
In this embodiment, once the external calling program has received the token, whenever it wants to invoke an API it may send the token to the server and request that API from it.
In this embodiment, the step of generating a token from the identity information may include: setting rights information corresponding to the identity information, and encrypting the identity information together with the rights information to obtain the token.
Specifically, if the identity information is account information, the rights information set for it corresponds to the APIs tagged for logged-in users; if the identity information is guest information, the rights information set for it corresponds to the APIs tagged for guest access.
In this embodiment, encrypting the identity information and rights information prevents leakage of sensitive information and keeps it secure.
Step S20: verify the identity information and rights information of the token.
In this embodiment, the token is encrypted data, so it must first be decrypted; the identity information and rights information of the decrypted token are then verified. Specifically, the token may be encrypted with the public key of an RSA key pair and decrypted with the corresponding private key, or encrypted with the key of a symmetric algorithm and decrypted with that same key; other algorithms may also be used, and no limitation is imposed here.
Step S30: if the identity information and rights information of the token pass verification, allow the external calling program to invoke the API.
In this embodiment, if the server's verification of the token's identity information and rights information passes, the server has authorised the external calling program to invoke the API, so it allows the call, that is, it allows the external calling program to access the business data of the API.
In this embodiment, step S30 may be followed by the step of returning the business data corresponding to the API to the external calling program.
In this way, once the external calling program receives the business data returned by the server, the API call completes quickly, saving running time and improving the execution efficiency of the external calling program.
Step S40: if verification of the identity information and rights information of the token fails, return a verification-failure prompt to the external calling program.
In this embodiment, if the server's verification of the token's identity information and rights information fails, the server has not authorised the external calling program to invoke the API, so it refuses the call, that is, it refuses the external calling program access to the business data of the API. A verification-failure prompt is then returned to the external calling program; the prompt may include messages such as an incorrect user account or an incorrect password.
Referring to FIG. 2, FIG. 2 is a schematic flowchart detailing step S20 of FIG. 1, the verification of the identity information and rights information of the token:
Step S21: decrypt the token to obtain the identity information and rights information it contains.
In this embodiment, the token is encrypted data; after it is decrypted, the corresponding identity information and rights information are read from the decrypted token. Many encryption schemes are possible, and the server may choose one as required to encrypt the identity information and rights information. Specifically, the server may encrypt the identity information and rights information with the public key of an RSA key pair to obtain the token, and decrypt the token with the corresponding private key to recover them.
Step S22: determine whether the identity information and rights information satisfy the verification condition of the API.
In this embodiment, the verification condition of the API consists of an identity verification condition and a rights verification condition; the identity information and rights information satisfy the verification condition of the API only when the identity information satisfies the identity verification condition and the rights information satisfies the rights verification condition.
Step S23: if the identity information and rights information satisfy the verification condition of the API, the identity information and rights information of the token pass verification.
Specifically, when the identity information satisfies the identity verification condition and the rights information satisfies the rights verification condition, the identity information and rights information of the token pass verification.
Step S24: if the identity information and rights information do not satisfy the verification condition of the API, verification of the identity information and rights information of the token fails.
Specifically, when the identity information does not satisfy the identity verification condition, or the rights information does not satisfy the rights verification condition, verification of the identity information and rights information of the token fails.
The permission control method provided by the invention verifies the token sent by an external calling program and allows that program to invoke an API only when the verification passes. The access rights of each API can thus be controlled individually, improving the security of the business code behind the interfaces.
The invention further provides a server. FIG. 3 is a schematic diagram of the functional modules of an embodiment of the server of the present invention. In this embodiment, the server 100 includes a receiving module 101, a verification module 102, a processing module 103 and a prompting module 104. The receiving module 101 is configured to receive a request message sent by an external calling program to invoke an application program interface (API), the request message including a token. The verification module 102 is configured to verify the identity information and rights information of the token. The processing module 103 is configured to allow the external calling program to invoke the API if the identity information and rights information of the token pass verification. The prompting module 104 is configured to return a verification-failure prompt to the external calling program if verification of the identity information and rights information of the token fails.
In this embodiment, the external calling program may be a client installed on a mobile terminal or a web application. When the external calling program wants to invoke an API, it sends the server a request message for that API and, so that the server can verify its rights, includes a token in the request. The token carries the right to request the interface for a specified validity period.
In this embodiment, the token is encrypted data, so it must first be decrypted; the identity information and rights information of the decrypted token are then verified. Specifically, the token may be encrypted with the public key of an RSA key pair and decrypted with the corresponding private key, or encrypted with the key of a symmetric algorithm and decrypted with that same key; other algorithms may also be used, and no limitation is imposed here.
In this embodiment, if the server's verification of the token's identity information and rights information passes, the server has authorised the external calling program to invoke the API, so it allows the call, that is, it allows the external calling program to access the business data of the API.
In this embodiment, if the server's verification of the token's identity information and rights information fails, the server has not authorised the external calling program to invoke the API, so it refuses the call, that is, it refuses the external calling program access to the business data of the API. A verification-failure prompt is then returned to the external calling program; the prompt may include messages such as an incorrect user account or an incorrect password.
In this embodiment, the verification module 102 is specifically configured to decrypt the token to obtain the identity information and rights information it contains, and to determine whether they satisfy the verification condition of the API: if they do, the identity information and rights information of the token pass verification; if they do not, verification of the identity information and rights information of the token fails.
In this embodiment, the token is encrypted data; after it is decrypted, the corresponding identity information and rights information are read from the decrypted token. Many encryption schemes are possible, and the server may choose one as required to encrypt the identity information and rights information. Specifically, the server may encrypt the identity information and rights information with the public key of an RSA key pair to obtain the token, and decrypt the token with the corresponding private key to recover them.
In this embodiment, the verification condition of the API consists of an identity verification condition and a rights verification condition; the identity information and rights information satisfy the verification condition of the API only when the identity information satisfies the identity verification condition and the rights information satisfies the rights verification condition.
Specifically, when the identity information satisfies the identity verification condition and the rights information satisfies the rights verification condition, the identity information and rights information of the token pass verification. When the identity information does not satisfy the identity verification condition, or the rights information does not satisfy the rights verification condition, verification of the identity information and rights information of the token fails.
Referring to FIG. 4, FIG. 4 is a functional module diagram of another server according to an embodiment of the present invention. The embodiment of FIG. 4 adds a generating module 105 to the server 100 of FIG. 3, where:
the generating module 105 is configured to receive identity information sent by the external calling program, generate a token from the identity information, send the token to the external calling program, and store the token. Specifically, the token may be obtained by encrypting the identity information with an encryption algorithm, which may be RSA or a symmetric algorithm.
In this embodiment, the identity information includes account information, guest information and/or trial-account information. Account information indicates that the user has completed registration and the server holds a complete registered profile; guest information indicates that the user of the accessing device has not completed registration and the server's profile for that user is incomplete; trial-account information may be information identifying the device, such as its MAC address or another device identifier, through which the user is granted preset rights on that device for a preset trial period. Some APIs may be invoked only by fully registered accounts, some may be invoked by guest users with incomplete profiles, and some may be invoked by trial accounts. The APIs can be tagged as required: a first class tagged for guest access, a second class tagged for logged-in users, and a third class tagged for trial-account login.
In this embodiment, once the external calling program has received the token, whenever it wants to invoke an API it may send the token to the server and request that API from it.
The generating module 105 is further configured to set rights information corresponding to the identity information and to encrypt the identity information together with the rights information to obtain the token.
Specifically, if the identity information is account information, the rights information set for it corresponds to the APIs tagged for logged-in users; if the identity information is guest information, the rights information set for it corresponds to the APIs tagged for guest access.
In this embodiment, encrypting the identity information and rights information prevents leakage of sensitive information and keeps it secure.
Referring to FIG. 5, FIG. 5 is a functional module diagram of a further server according to an embodiment of the present invention. The embodiment of FIG. 5 adds a transmission module 106 to the server 100 of FIG. 3, where:
the transmission module 106 is configured to return the business data corresponding to the API to the external calling program.
In this way, once the external calling program receives the business data returned by the server, the API call completes quickly, saving running time and improving the execution efficiency of the external calling program.
The server provided by the invention verifies the token sent by an external calling program and allows that program to invoke an API only when the verification passes. The access rights of each API can thus be controlled individually, improving the security of the business code behind the interfaces.
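The issuance and verification flow described above (steps S10 to S40 of FIG. 1, their refinement S21 to S24 in FIG. 2, and the same logic split into the generating, verification, processing, prompting and transmission modules of FIGS. 3 to 5), as an added worked example in Python. This is illustrative code written for this page, not the applicant's implementation. The description leaves the cipher open (RSA or a symmetric algorithm); since the same server both mints and checks the token, the example uses a symmetric key held only by the server, built from the standard library (HMAC-SHA256 in counter mode as the stream cipher, plus an HMAC tag so that a tampered or forged token is rejected before its contents are trusted). The API tags, the rights set per identity kind, the registered account, the trial device, the token lifetime and the business data are all constructed assumptions, as is the use of the stored-token set to recognise tokens the server actually issued.

```python
import base64
import hashlib
import hmac
import json
import os
import time

# Server secret (constructed for this example; a real server loads it from a secret store).
# Separate subkeys are derived so that the cipher and the MAC never share a key.
SERVER_KEY = hashlib.sha256(b"example-server-key").digest()
ENC_KEY = hmac.new(SERVER_KEY, b"enc", hashlib.sha256).digest()
MAC_KEY = hmac.new(SERVER_KEY, b"mac", hashlib.sha256).digest()

# The three API tags named in the description, and the rights set each identity kind receives
# (assumption: accounts get every tag, trial devices get guest + trial, guests get guest only).
GUEST, USER, TRIAL = "guest_access", "user_login", "trial_login"
RIGHTS_BY_KIND = {"guest": {GUEST}, "trial": {GUEST, TRIAL}, "account": {GUEST, USER, TRIAL}}

# Constructed API registry: path -> (tag, business data returned on success).
API_REGISTRY = {
    "/public/catalog": (GUEST, {"items": 3}),
    "/trial/preview": (TRIAL, {"preview": True}),
    "/account/orders": (USER, {"orders": ["o-1", "o-2"]}),
}

# Constructed identity records consulted by the identity verification condition.
REGISTERED_ACCOUNTS = {"alice"}
TRIAL_DEVICES = {"aa:bb:cc:dd:ee:ff": 1_700_600_000}  # device id -> end of trial (epoch seconds)
TOKEN_TTL = 3600       # the token is valid "within a specified time"
ISSUED_TOKENS = set()  # the server stores every token it issues; dropping one revokes it


def _keystream(nonce, length):
    """HMAC-SHA256 in counter mode, used as a stream cipher (standard library only)."""
    blocks = [hmac.new(ENC_KEY, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
              for ctr in range(0, length, 32)]
    return b"".join(blocks)[:length]


def _seal(plaintext):
    """Encrypt-then-MAC; output is nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(nonce, len(plaintext))))
    return nonce + ct + hmac.new(MAC_KEY, nonce + ct, hashlib.sha256).digest()


def _open(blob):
    """Return the plaintext, or None if the blob is too short or its tag does not verify."""
    if len(blob) < 16 + 32:
        return None
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(MAC_KEY, nonce + ct, hashlib.sha256).digest()):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(nonce, len(ct))))


def issue_token(identity, now=None):
    """Before S10: attach rights to the identity, encrypt both, store and return the token."""
    now = time.time() if now is None else now
    payload = {"identity": identity, "rights": sorted(RIGHTS_BY_KIND[identity["kind"]]),
               "exp": int(now) + TOKEN_TTL}
    token = base64.urlsafe_b64encode(_seal(json.dumps(payload).encode())).decode()
    ISSUED_TOKENS.add(token)
    return token


def identity_condition(identity, now):
    """Guests always pass; accounts must be registered; trial devices must be inside their window."""
    kind = identity.get("kind")
    if kind == "guest":
        return True
    if kind == "account":
        return identity.get("account") in REGISTERED_ACCOUNTS
    if kind == "trial":
        return now < TRIAL_DEVICES.get(identity.get("device"), 0)
    return False


def verify_token(token, api, now=None):
    """S20 (S21-S24): decrypt, then test identity and rights against the API's tag. Returns (passed, reason)."""
    now = time.time() if now is None else now
    try:
        plain = _open(base64.urlsafe_b64decode(token))
    except ValueError:
        return False, "malformed token"
    if plain is None:
        return False, "token failed integrity check"
    if token not in ISSUED_TOKENS:
        return False, "token not issued by this server"
    payload = json.loads(plain)
    if payload["exp"] <= now:
        return False, "token expired"
    if api not in API_REGISTRY:
        return False, "unknown interface"
    if not identity_condition(payload["identity"], now):
        return False, "identity condition not met"
    if API_REGISTRY[api][0] not in payload["rights"]:
        return False, "rights condition not met"
    return True, "ok"


def call_api(token, api, now=None):
    """S30/S40: return the API's business data on success, a failure prompt otherwise."""
    passed, reason = verify_token(token, api, now)
    if not passed:
        return {"status": "denied", "prompt": reason}
    return {"status": "ok", "data": API_REGISTRY[api][1]}
```

With these assumptions, `call_api(token, "/account/orders")` returns the orders for a token issued to the registered account and a prompt of "rights condition not met" for a guest token; a token with one altered character is refused at the integrity check before anything in it is read; and discarding a token from `ISSUED_TOKENS` revokes it, which is what storing the token at issuance buys the server.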
The above are only preferred embodiments of the present invention and do not limit its patent scope; any equivalent structure or equivalent process transformation made using the contents of this description and the drawings, or any direct or indirect application in other related technical fields, falls likewise within the scope of patent protection of the present invention.

Claims (10)

  1. 一种权限控制方法,其特征在于,所述权限控制方法包括: A method for controlling rights, characterized in that the method for controlling rights includes:
    接收外部调用程序发送的调用应用程序接口的请求消息,所述请求消息包括令牌;Receiving a request message sent by an external calling program to invoke an application interface, where the request message includes a token;
    对所述令牌的身份信息和权限信息进行验证;Verifying identity information and permission information of the token;
    若所述令牌的身份信息和权限信息验证通过,则允许所述外部调用程序调用所述应用程序接口;Allowing the external calling program to call the application program interface if the identity information and the rights information of the token are verified to pass;
    若所述令牌的身份信息和权限信息验证失败,则向所述外部调用程序返回验证失败的提示。If the identity information and the authority information of the token fail to be verified, a prompt for verification failure is returned to the external calling program.
  2. 如权利要求1所述的权限控制方法,其特征在于,所述接收外部调用程序发送的调用应用程序接口的请求消息的步骤之前还包括:The access control method according to claim 1, wherein the step of receiving the request message of the calling application interface sent by the external calling program further comprises:
    接收所述外部调用程序发送的身份信息,根据所述身份信息生成令牌,向所述外部调用程序发送所述令牌,并存储所述令牌。Receiving identity information sent by the external calling program, generating a token according to the identity information, transmitting the token to the external calling program, and storing the token.
  3. 如权利要求2所述的权限控制方法,其特征在于,所述根据所述身份信息生成令牌的步骤包括:The access control method according to claim 2, wherein the step of generating a token according to the identity information comprises:
    对所述身份信息设置对应的权限信息,将所述身份信息及所述权限信息进行加密处理,得到所述令牌。And setting the corresponding authority information to the identity information, and performing the encryption process on the identity information and the rights information to obtain the token.
  4. 如权利要求3所述的权限控制方法,其特征在于,所述对所述令牌的身份信息和权限信息进行验证的步骤包括:The access control method according to claim 3, wherein the step of verifying the identity information and the rights information of the token comprises:
    对所述令牌进行解密处理,得到所述令牌包括的所述身份信息及所述权限信息;Decrypting the token to obtain the identity information and the rights information included in the token;
    判断所述身份信息及所述权限信息是否满足所述应用程序接口的验证条件;Determining whether the identity information and the permission information satisfy a verification condition of the application program interface;
    若所述身份信息及所述权限信息满足所述应用程序接口的验证条件,则所述令牌的身份信息和权限信息验证通过;If the identity information and the rights information meet the verification condition of the application program interface, the identity information and the rights information of the token are verified;
    if the identity information and the rights information do not satisfy the verification condition of the application program interface, the identity information and rights information of the token fail verification.
  5. The permission control method according to claim 1, wherein after the step of allowing the external calling program to invoke the application program interface if the token passes identity and rights verification, the method further comprises:
    returning to the external calling program the service data corresponding to the application program interface.
  6. A server, characterized in that it comprises:
    a receiving module, configured to receive a request message sent by an external calling program for invoking an application program interface, the request message including a token;
    a verification module, configured to verify the identity information and the rights information of the token;
    a processing module, configured to allow the external calling program to invoke the application program interface if the identity information and the rights information of the token pass verification;
    a prompting module, configured to return a verification-failure prompt to the external calling program if the identity information and the rights information of the token fail verification.
  7. The server according to claim 6, further comprising:
    a generating module, configured to receive identity information sent by the external calling program, generate a token according to the identity information, send the token to the external calling program, and store the token.
  8. The server according to claim 7, wherein the generating module is further configured to set corresponding rights information for the identity information, and to encrypt the identity information and the rights information to obtain the token.
  9. The server according to claim 8, wherein the verification module is configured to decrypt the token to obtain the identity information and the rights information included in the token, and to judge whether the identity information and the rights information satisfy the verification condition of the application program interface; if the identity information and the rights information satisfy the verification condition of the application program interface, the identity information and rights information of the token pass verification; if the identity information and the rights information do not satisfy the verification condition of the application program interface, the identity information and rights information of the token fail verification.
  10. The server according to claim 6, further comprising:
    a transmission module, configured to return to the external calling program the service data corresponding to the application program interface.
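The generating module of claim 8 (encrypt identity plus rights to obtain the token) and the verification module of claim 9 (decrypt, then apply the interface's verification condition), as an added Go example that is not part of the patent. It assumes AES-GCM as the unspecified "encryption", a constructed 16-byte key, and that an interface's verification condition is a single required right string; the authenticated mode is what makes an edited or forged token fail at the decryption step rather than reach the rights check.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"slices"
)

// Claims is the token payload of claim 8: identity information plus rights information.
type Claims struct {
	Identity string   `json:"identity"`
	Rights   []string `json:"rights"`
}

// NewTokenCipher builds the token cipher from a 16/24/32-byte key; AES-GCM is an assumption, the claims only say "encrypt".
func NewTokenCipher(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // bad key length
	}
	aead, _ := cipher.NewGCM(block) // cannot fail for an AES block cipher
	return aead
}
// Issue is the generating module of claim 8: encrypt identity plus rights to obtain the token.
func Issue(aead cipher.AEAD, identity string, rights []string) string {
	plain, _ := json.Marshal(Claims{Identity: identity, Rights: rights})
	nonce := make([]byte, aead.NonceSize())
	rand.Read(nonce) // fresh random nonce per token, prefixed to the ciphertext
	return base64.RawURLEncoding.EncodeToString(aead.Seal(nonce, nonce, plain, nil))
}
// Authorize is the verification module of claim 9: decrypt, then check that the token's rights include the right the interface requires.
func Authorize(aead cipher.AEAD, tok, requiredRight string) error {
	raw, err := base64.RawURLEncoding.DecodeString(tok)
	if err != nil || len(raw) < aead.NonceSize() {
		return errors.New("malformed token")
	}
	plain, err := aead.Open(nil, raw[:aead.NonceSize()], raw[aead.NonceSize():], nil)
	if err != nil {
		return errors.New("token failed authentication") // tampered, or a different key
	}
	var c Claims
	_ = json.Unmarshal(plain, &c) // authenticated plaintext, so it is what Issue produced
	if !slices.Contains(c.Rights, requiredRight) {
		return errors.New("insufficient rights for this interface")
	}
	return nil
}
```

The "store the token" step of claim 7 is left out here; in practice the server would record the issued token (or an identifier inside it) so that a token can be revoked before its rights check is reached.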
PCT/CN2017/100719 2017-09-06 2017-09-06 Permission control method, and server end WO2019047064A1 (en)

Publications (1)

Publication Number Publication Date
WO2019047064A1 true WO2019047064A1 (en) 2019-03-14

Family

ID=65633355

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113285808A (en) * 2021-05-18 2021-08-20 挂号网(杭州)科技有限公司 Identity information verification method, device, equipment and storage medium

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103188344A (en) * 2013-02-22 2013-07-03 浪潮电子信息产业股份有限公司 Method for safely invoking REST API (representational state transfer, application programming interface)
US9402002B1 (en) * 2015-08-11 2016-07-26 Verizon Patent And Licensing Inc. Open API for toll free data on demand
CN106302346A (en) * 2015-05-27 2017-01-04 阿里巴巴集团控股有限公司 The safety certifying method of API Calls, device, system
CN106897586A (en) * 2016-08-04 2017-06-27 阿里巴巴集团控股有限公司 A kind of application programming interface API right management methods and device
CN107395648A (en) * 2017-09-06 2017-11-24 深圳峰创智诚科技有限公司 Authority control method and service end

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 17924555; Country of ref document: EP; Kind code of ref document: A1)
NENP Non-entry into the national phase (Ref country code: DE)
122 Ep: pct application non-entry in european phase (Ref document number: 17924555; Country of ref document: EP; Kind code of ref document: A1)