WO2019062536A1 - Resource processing method, apparatus, system and computer-readable medium - Google Patents
Resource processing method, apparatus, system and computer-readable medium
- Publication number
- WO2019062536A1 (PCT/CN2018/104986)
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- interface
- resource
- cloud service
- authentication
- information
- Prior art date
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/0815—Network architectures or network communication protocols for network security for authentication of entities providing single-sign-on or federations
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/10—Network architectures or network communication protocols for network security for controlling access to devices or network resources
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/0884—Network architectures or network communication protocols for network security for authentication of entities by delegation of authentication, e.g. a proxy authenticates an entity to be authenticated on behalf of this entity vis-à-vis an authentication entity
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/04—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
- H04L63/0428—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/06—Network architectures or network communication protocols for network security for supporting key management in a packet data network
- H04L63/062—Network architectures or network communication protocols for network security for supporting key management in a packet data network for key distribution, e.g. centrally by trusted party
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L67/00—Network arrangements or protocols for supporting network services or applications
- H04L67/01—Protocols
- H04L67/10—Protocols in which an application is distributed across nodes in the network
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L67/00—Network arrangements or protocols for supporting network services or applications
- H04L67/50—Network services
- H04L67/51—Discovery or management thereof, e.g. service location protocol [SLP] or web services
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L67/00—Network arrangements or protocols for supporting network services or applications
- H04L67/50—Network services
- H04L67/56—Provisioning of proxy services
- H04L67/564—Enhancement of application control based on intercepted application data
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3247—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/06—Authentication
Definitions
- the present application relates to the field of Internet technologies, and in particular, to a resource processing method, apparatus, system, and computer readable medium.
- the rights management of the cloud service is generally directed to the scenario in which the client invokes the cloud interface.
- the user side manages the access rights of the resources provided by the cloud service.
- This privilege management method is a pre-authorization method and is mainly used to solve the problem of how the cloud service provider manages the rights of the user.
- the client may use the interface to initiate a processing request for a resource provided by cloud service A. If the user using the client passes authentication, the background server may process the resource. However, if the background server needs to access resources provided by two other cloud services while processing the resource of cloud service A, the client has to initiate two further processing requests, and the user has to be authenticated twice more. The background server is allowed to access the resources provided by the other two cloud services only when all authentications pass. In this scenario, three sets of calling logic also have to be configured on the user side, so design complexity and maintenance cost are relatively high. Moreover, the client on the user side has to initiate these three requests, which reduces the processing efficiency of the resources provided by the cloud service.
- the embodiment of the present application provides a resource processing method, apparatus, system, and computer readable medium, which reduces design complexity and maintenance cost to a certain extent, and improves processing efficiency of resources provided by the cloud service.
- the embodiment of the present application provides a resource processing method, which is applied to a system including an interface device, a background server, and an authentication server.
- the interface device is configured with at least a first interface and a second interface.
- the first interface corresponds to the first cloud service
- the second interface corresponds to the second cloud service; the method includes:
- the background server acquires a resource processing indication from the first interface
- the background server performs identification according to the resource processing indication, and determines a resource to be processed
- the background server sends a resource processing request to the second interface, and the second interface, according to the resource processing request, initiates an authentication request to the authentication server for accessing resources provided by the second cloud service;
- the authentication server authenticates access to the resource provided by the second cloud service in response to the authentication request, and returns an authentication pass message to the second interface if the authentication succeeds;
- in response to the authentication pass message, the second interface sends a resource processing indication to the background server;
- the background server processes the to-be-processed resource in response to a resource processing indication from the second interface.
- the embodiment of the present application further provides a resource processing method, which is applied to a system including an interface device, a background server, and an authentication server.
- the interface device is configured with at least a first interface and a second interface.
- the first interface corresponds to the first cloud service
- the second interface corresponds to the second cloud service
- the method is performed by the background server; the method includes:
- the embodiment of the present application further provides a resource processing method, which is applied to a system including an interface device, a background server, and an authentication server.
- the interface device is configured with at least a first interface and a second interface.
- the first interface corresponds to the first cloud service, and the second interface corresponds to the second cloud service; the method is performed by the authentication server, and the method includes:
- the background server identifies, according to the resource processing indication from the first interface, that the to-be-processed resource includes the resource provided by the second cloud service;
- an authentication pass message is returned to the second interface.
- the embodiment of the present application further provides a resource processing system, including an interface device, a background server, and an authentication server, where the interface device is configured with at least a first interface and a second interface, the first interface corresponds to the first cloud service, and the second interface corresponds to the second cloud service;
- the background server is configured to acquire a resource processing indication from the first interface
- the background server is further configured to perform identification according to the resource processing indication, and determine a resource to be processed;
- the background server is further configured to send a resource processing request to the second interface;
- the second interface is configured to initiate, according to the resource processing request, an authentication request for accessing resources provided by the second cloud service to the authentication server;
- the authentication server is configured to authenticate access to the resource provided by the second cloud service in response to the authentication request, and return an authentication pass message to the second interface if the authentication succeeds;
- the second interface is further configured to send a resource processing indication to the background server, in response to the authentication pass message;
- the background server is further configured to process the to-be-processed resource in response to the resource processing indication from the second interface.
- the embodiment of the present application further provides a storage medium, where the storage medium stores a computer program, and after the computer program is executed by the processor, the resource processing method can be implemented.
- FIG. 1 is a schematic diagram showing an architecture of a system to which the technical solution provided by the embodiment of the present application is applied;
- FIG. 2 is a schematic diagram of an interaction process of a resource processing method provided by an embodiment of the present application
- FIG. 3 is a schematic diagram of another interaction process of a resource processing method provided by an embodiment of the present application.
- FIG. 4 is a schematic flowchart of a resource processing method provided by an embodiment of the present application on a background server side;
- FIG. 5 is a schematic flowchart of a resource processing method provided by an embodiment of the present application on an authentication server side;
- FIG. 6 is a flowchart showing an example of an implementation manner of a resource processing method according to an embodiment of the present application.
- FIG. 7 is a diagram showing an example of an interaction process of an identity verification method between an interface and an authentication server provided by an embodiment of the present application
- FIG. 8 is a diagram showing an example of an interaction process of an identity verification method between an interface and a backend server provided by an embodiment of the present application
- FIG. 9 is a schematic structural diagram of a resource processing system according to an embodiment of the present application.
- FIG. 10 is a functional block diagram of a resource processing apparatus in a background server according to an embodiment of the present application.
- FIG. 11 is another functional block diagram of an authentication server resource processing apparatus according to an embodiment of the present application.
- FIG. 12 is a hardware architecture diagram of a resource processing apparatus in a background server according to an embodiment of the present application.
- FIG. 13 is a hardware architecture diagram of a resource processing apparatus in an authentication server according to an embodiment of the present application.
- when the background server processes the resources provided by the specified cloud service and needs to access resources provided by other cloud services, the user side has to separately initiate each resource processing request and separately undergo each authentication, which brings the problems of high design complexity, high maintenance cost, and low processing efficiency.
- the embodiment of the present application provides a corresponding solution:
- the background server processes the resources provided by the first cloud service, the access to the first
- the background server initiates a resource processing request to the second interface corresponding to the second cloud service, so as to trigger the second interface to ask the authentication server to authenticate the first cloud service's access to the resource provided by the second cloud service; when the authentication passes, the second interface corresponding to the second cloud service triggers the background server to perform the resource processing.
- FIG. 1 is a schematic diagram of an architecture of a system to which the technical solution provided by the embodiment of the present application is applied.
- the system includes an interface device, a background server, an authentication server, and one or more cloud services.
- the interface device is configured with at least a first interface and a second interface.
- the first interface and the second interface are used only as an example and are not intended to limit the interface device.
- the first interface corresponds to the first cloud service
- the second interface corresponds to the second cloud service
- each cloud service may have one or more interfaces, which is not specifically limited in this embodiment of the present application.
- the interface corresponding to each cloud service is used to process a resource processing request initiated by the user side or the background server for the resource provided by the cloud service.
- each interface in the interface device functions as an access layer and a process controller: it is responsible for the processing flow of a request, chains the individual operation steps together, and interacts with each server separately to perform the corresponding operations and processing.
- the interface involved in the embodiment of the present application may be a cloud application programming interface (API).
- cloud services refer to the addition, use, and delivery of Internet-related services, providing dynamic, scalable, and often virtualized resources over the Internet.
- the cloud service can be hosted by the cloud server, and the cloud service provider publishes the cloud service through the cloud server.
- the resources provided by cloud services are an integral part of cloud services.
- the resources provided by the cloud service may include, but are not limited to, a cloud virtual host, a content delivery network (CDN), a virtual private network, etc.; these are only examples of resources provided by the cloud service and do not limit the type or number of resources provided by the cloud service.
- CDN content delivery network
- the cloud service provider is mainly responsible for publishing the cloud service that can be provided by the cloud server.
- the developer refers to a user who registers with the cloud service provider and uses the resources provided by the cloud service, that is, the user of the resources provided by the cloud service.
- the user of the resource can also be a developer, that is, a user of other cloud services.
- the developer can also be a cloud service provider and provide cloud services to other users.
- the authentication server is configured to respond to the authentication request sent by each interface, perform authentication, and return a corresponding authentication result to the interface that sends the authentication request.
- the background server is configured to process resources according to the resource processing indication of the interface.
- the client does not directly operate on and process the resources provided by the cloud service, but instead does so through the background server.
- the background server is the real performer of resource processing, which is used to operate and process the resources provided by the cloud service.
- the operations on resources provided by the cloud service may include applying for a cloud virtual host, modifying a cloud virtual host, clustering a plurality of cloud virtual hosts, and the like, as can be understood by those skilled in the art; these examples do not limit the resource type or the operation type.
- FIG. 2 is a schematic diagram of an interaction process of a resource processing method according to an embodiment of the present application; as shown in the figure, the method includes the following steps:
- the background server acquires a resource processing indication from the first interface.
- the background server performs identification according to the resource processing indication, and determines a to-be-processed resource.
- the background server sends a resource processing request to the second interface, and the second interface, according to the resource processing request, initiates an authentication request to the authentication server for accessing the resource provided by the second cloud service.
- the authentication server authenticates access to the resource provided by the second cloud service in response to the authentication request, and returns an authentication pass message to the second interface if the authentication succeeds.
- the second interface sends a resource processing indication to the background server in response to the authentication pass message.
- the background server processes the to-be-processed resource in response to the resource processing indication from the second interface.
- before step 201, the following steps may also be included:
- the first interface initiates an authentication request for accessing resources provided by the first cloud service to the authentication server in response to the resource processing request sent by the client.
- the authentication server authenticates the resource provided for accessing the first cloud service in response to the authentication request for accessing the resource provided by the first cloud service, and returns an authentication pass message to the first interface if the authentication succeeds.
- the first interface sends a resource processing indication to the background server in response to the authentication pass message.
- step 200c coincides with step 201 in FIG. 3, so step 200c is not embodied in FIG.
- the embodiment of the present application provides the following embodiments:
- the client may invoke a first interface corresponding to the first cloud service to be processed to send a resource processing request to the first interface, where the resource processing request carries the following information:
- the client or the background server can send a related request to the interface by calling the interface, and the two descriptions have the same meaning.
- in response to the resource processing request sent by the client, the first interface generates an authentication request for accessing the resource provided by the first cloud service, according to the signature information of the user input by the client when invoking the first interface and the information of the resource provided by the first cloud service that is requested to be processed.
- the authentication request carries the following information:
- the information of the resource provided by the first cloud service that is requested to be processed may include the identifier information of the resource provided by the first cloud service that is requested to be processed, and the specific processing manner for requesting the resource.
- for example, the resource is a specified cloud virtual host provided by the first cloud service, and the specific processing manner is to read certain data from the cloud virtual host.
- the resource is a plurality of designated cloud virtual hosts provided by the first cloud service, and the specific processing manner is to cluster several cloud virtual hosts.
- the embodiment of the present application provides the following embodiments:
- in response to the authentication request sent by the first interface for accessing the resource provided by the first cloud service, the authentication server generates the user's signature information from the information of the resource provided by the first cloud service that is requested to be processed (carried in the authentication request), the information of the first interface, and the locally stored user information.
- the authentication server compares the signature information it generated with the signature information of the user carried in the authentication request. If the two signatures are the same, the authentication is determined to pass, indicating that the client has the access right to the resource provided by the first cloud service, and the authentication server returns an authentication pass message to the first interface. Conversely, if the two signatures are different, the authentication is determined to fail, indicating that the client does not have the access right to the resource provided by the first cloud service, and the authentication server returns an authentication failure message to the first interface.
- the embodiment of the present application provides the following embodiments:
- the first interface sends a resource processing indication to the background server in response to the authentication pass message returned by the authentication server, so that the background server processes the resource provided by the first cloud service requested by the client.
- the resource processing indication may carry information about the resource provided by the first cloud service that is requested to be processed, so that the background server performs the specified processing on the specified resource according to the information.
- the first interface returns an authentication failure indication to the client in response to the authentication failure message returned by the authentication server, and the client prompts the user that authentication failed according to the authentication failure indication.
- the access process to the resources provided by the first cloud service ends.
- the embodiment of the present application provides the following embodiments:
- the first type: the background server may first identify the to-be-processed resource according to the resource processing indication, and when the to-be-processed resource further includes resources provided by cloud services other than the first cloud service, initiate an authentication request to the authentication server through the interface corresponding to each such resource. The background server starts processing the resources only when it has obtained the authentication pass messages corresponding to all the resources.
- that is, in this manner the background server obtains access rights to every resource before processing any of them.
- the second type: after receiving the resource processing indication from the first interface, the background server processes the resource provided by the first cloud service. If a resource to be processed does not belong to the first cloud service but belongs to the second cloud service, the background server initiates an authentication request for the resource provided by the second cloud service to the authentication server through the corresponding interface, and starts processing the resource provided by the second cloud service once it obtains the authentication pass message. After processing the resource provided by the second cloud service, the background server may continue processing the resource provided by the first cloud service, or initiate an authentication request for yet another cloud service.
- that is, in this manner the background server obtains access rights to a resource only when it needs to access resources provided by other cloud services.
- after receiving the resource processing indication from the first interface, the background server processes the resource provided by the first cloud service according to the information, carried in the resource processing indication, about the resource requested to be processed, and the resource responds to the processing. If other resources need to be accessed, the resource returns to the background server a request indicating that other resources must be accessed, and based on that request the background server determines the resources to be processed.
- the client requests to process the virtual private network provided by the first cloud service, and the background server needs to read the specified data from the virtual private network.
- the virtual private network needs to acquire the security group information of a certain cloud virtual host in order to complete the data reading task.
- to obtain the security group information of a cloud virtual host, both the cloud virtual host and the security group are involved; therefore the virtual private network returns the information of these two resources to the background server. Based on the returned information, the background server determines that the to-be-processed resource includes the cloud virtual host and the security group of the cloud virtual host.
- after determining the to-be-processed resource, the background server obtains, for each of the one or more resources included in the to-be-processed resource, the cloud service corresponding to that resource, according to a preset relationship between cloud services and resources.
- the background server determines whether the acquired cloud services include the second cloud service, that is, whether a cloud service other than the first cloud service is included. If the background server determines that the acquired cloud services include the second cloud service, the background server determines that the to-be-processed resource includes the resource provided by the second cloud service, that is, the to-be-processed resource includes resources other than the resource provided by the first cloud service. Then, step 203 is performed.
- if the background server determines that the acquired cloud service is only the first cloud service, the background server determines that the to-be-processed resource does not include the resource provided by the second cloud service, that is, the to-be-processed resource includes only the resource provided by the first cloud service.
- in that case the background server may continue to process the to-be-processed resource and, after all processing of the to-be-processed resource is completed, return the processing result to the first interface, so that the first interface returns the processing result to the client.
- the embodiment of the present application provides the following embodiments:
- when the background server determines that the to-be-processed resource includes the resource provided by the second cloud service, the background server sends a resource processing request to the second interface.
- the resource processing request carries the signature information of the first cloud service and the information of the resources, included in the to-be-processed resource, that are provided by the second cloud service.
- the signature information of the first cloud service may be pre-configured in the background server, or may be temporarily generated by the background server according to requirements, which is not specifically limited in the embodiment of the present application.
- the second interface initiates an authentication request for accessing resources provided by the second cloud service to the authentication server according to the resource processing request sent by the background server.
- the authentication request carries the signature information of the first cloud service, the information of the resource included in the to-be-processed resource and provided by the second cloud service, and the information of the second interface.
- the second interface may extract the information therein from the resource processing request, and then generate the authentication request based on the extracted information and its own information, and send the authentication request to the authentication server.
- the background server can invoke the second interface through the intranet interface in consideration of security between the background server and the second interface.
- the resource processing request of the resource provided by the first cloud service is initiated by the client, but in the process of processing the resource provided by the first cloud service by the background server, if the resource is ringing It should be processed, the resource needs to access the resources provided by the other cloud service, and is referred to as the resource provided by the second cloud service in the embodiment of the present application.
- the background server initiates the resource processing request of the resource provided by the second cloud service instead of A resource processing request of a resource provided by the second cloud service by the client.
- the user of the resource provided by the second cloud service is thus the first cloud service itself.
- the first cloud service is not an ordinary developer (that is, an ordinary user) but a super developer.
- the super developer holds the access rights to the interfaces and resources of the cloud service it provides itself; it can grant other cloud service providers access to the resources and interfaces of its own cloud service, and can in turn be granted access to the resources and interfaces provided by other cloud service providers. This enables interoperability between cloud services and between their interfaces. On this basis, when the background server initiates a resource processing request to the second interface, the request carries the signature information of the first cloud service.
- when the second interface initiates the authentication request to the authentication server, it likewise carries the signature information of the first cloud service, which is used to initiate the access request for the resource provided by the second cloud service.
- the authentication server receives the signature information of the first cloud service and, based on it, authenticates the access permission of the first cloud service to the resource provided by the second cloud service.
- the embodiment of the present application provides the following embodiments:
- the authentication server, in response to the authentication request for accessing the resource provided by the second cloud service sent by the second interface, generates the signature information of the user (here, the first cloud service) from the information of the requested resource of the second cloud service and the information of the second interface carried in the authentication request, together with the locally stored information of the first cloud service.
- the authentication server compares the signature information it generated with the signature information of the user carried in the authentication request. If the two are identical, the authentication passes, indicating that the first cloud service has access to the resource provided by the second cloud service, and the authentication server returns an authentication pass message to the second interface. Conversely, if the two differ, the authentication fails, indicating that the first cloud service does not have access to the resource provided by the second cloud service, and the authentication server returns an authentication failure message to the second interface.
- the information of the first cloud service may be obtained from the preset policy information of the first cloud service, and the signature information of the first cloud service is then derived from the information so obtained.
- the policy information of the first cloud service can be as shown in Table 1.
- the licensor is the second cloud service, that is, the party whose resources are accessed.
- the accessible interfaces are the interfaces corresponding to the second cloud service that the first cloud service may invoke, such as the cloud API (X) and the cloud API (F) of the second cloud service.
- the cloud API (X) and the cloud API (F) may be all of the interfaces corresponding to the second cloud service, or only some of them.
- the processable resources are the resources of the second cloud service that the first cloud service may access; the condition states what the first cloud service must satisfy to access a specified resource provided by the second cloud service, such as the time and the number of times the resource may be processed; the validity states whether the licensee's authority over the callable interfaces and processable resources is currently in force. If the validity is "allowed", the licensee may currently invoke the interfaces and corresponding resources defined in the policy information; if the validity is "not allowed", it may not.
- the authentication server may store the policy information of the first cloud service for subsequent use in generating the signature information and performing the authentication.
- if the first cloud service was not authorized in the pre-authorization stage of rights management, or the authorized resources do not include the resource provided by the second cloud service, or the authorized interfaces do not include the interface used to send the resource processing request, then the signature information generated by the authentication server from the stored policy information of the first cloud service will not match the received signature information of the first cloud service, and the authentication cannot pass.
- an interface whitelist may be pre-configured in the authentication server.
- when the authentication server receives the authentication request sent by the second interface, it first determines, from the information of the second interface carried in the authentication request, whether the second interface belongs to the interface whitelist. If so, the authentication server responds to the authentication request and performs the authentication described above. If not, the authentication server may leave the authentication request unanswered, or may return an invalidity notification message to the second interface.
- the embodiment of the present application provides the following embodiments:
- the second interface, in response to the authentication pass message returned by the authentication server, sends a resource processing indication to the background server so that the background server processes the requested resource provided by the second cloud service.
- the resource processing indication may carry the information of the resource provided by the second cloud service that is requested to be processed, so that the background server performs the specified processing on the specified resource according to that information.
- the second interface, in response to an authentication failure message returned by the authentication server, returns an authentication failure indication to the client, and the client prompts the user about the authentication failure according to that indication.
- the access process of the first cloud service to the resource provided by the second cloud service then ends.
- the embodiment of the present application provides the following embodiments:
- the background server processes the to-be-processed resource in response to the resource processing indication from the second interface.
- from the resource processing indication, the background server learns that the resource provided by the second cloud service may be processed, and therefore responds to the indication.
- the background server may process the resource provided by the second cloud service and, after doing so, continue to process the resource provided by the first cloud service.
- the background server may encrypt the information to be carried in the resource processing request with the first encryption key and send the resource processing request, carrying the encrypted information, to the second interface.
- the second interface sends to the authentication server an authentication request carrying the signature information of the first cloud service, the information of the resource provided by the second cloud service included in the to-be-processed resource, and the information of the second interface, as follows:
- the second interface decrypts the information carried in the resource processing request with the first decryption key; if the decryption succeeds, it encrypts the decrypted information together with its own information with the second encryption key and sends the authentication request, carrying the encrypted information, to the authentication server.
- the interaction between the background server and the interface corresponding to each cloud service can thus be given basic protection through encryption and decryption.
- a mutual trust mechanism can be established in advance between the background server and each interface, and the encryption key and the corresponding decryption key are determined through that mutual trust mechanism.
- each item of information in the resource processing request sent by the background server to the second interface may be encrypted.
- the second interface decrypts the information in the received resource processing request; if the decryption succeeds, the two parties have already established the mutual trust mechanism, and the information carries a certain security guarantee.
- the authentication server authenticates the access to the resource provided by the second cloud service according to the information carried in the authentication request.
- the authentication server may decrypt the information in the authentication request sent by the second interface with the second decryption key; if the decryption succeeds, the access to the resource provided by the second cloud service is authenticated on the basis of the decrypted information.
- the interaction between the interface corresponding to each cloud service and the authentication server can likewise be given basic protection through encryption and decryption.
- a mutual trust mechanism may be established in advance between each interface and the authentication server, and the encryption key and the corresponding decryption key are determined through that mutual trust mechanism.
- each item of information sent by the second interface to the authentication server may be encrypted.
- the authentication server decrypts the information in the received authentication request; if the decryption succeeds, the two parties have established the mutual trust mechanism, and the information carries a certain security guarantee.
- the information interaction between the first interface and the authentication server, and between the first interface and the background server, involved in steps 200a to 200c may likewise use the above mutual trust mechanism, with encryption and decryption during the interaction to protect the information; this is not repeated here.
- FIG. 4 is a schematic flowchart of a resource processing method provided by an embodiment of the present application on a background server side. As shown in the figure, the method includes the following steps:
- step 402 For a specific implementation of step 402, reference may be made to the related description of step 202, and details are not described herein again.
- step 403: when the to-be-processed resource includes the resource provided by the second cloud service, send a resource processing request to the second interface. For a specific implementation of step 403, reference may be made to the related description of step 203, and details are not described herein again.
- step 404 For a specific implementation of step 404, reference may be made to the related description for step 206, and details are not described herein again.
- FIG. 5 is a schematic flowchart of a resource processing method provided by an embodiment of the present application on an authentication server side. As shown in the figure, the method includes the following steps:
- step 501 For a specific implementation of step 501, reference may be made to the related description of step 204, and details are not described herein again.
- step 502 For a specific implementation of step 502, reference may be made to the related description for step 204, and details are not described herein again.
- step 503 For a specific implementation of step 503, reference may be made to the related description for step 204, and details are not described herein again.
- FIG. 6 is a flowchart diagram of an implementation of a resource processing method according to an embodiment of the present application.
- cloud service A with its corresponding cloud API (X), and cloud service B with its corresponding cloud API (Y), are taken as an example to describe the resource processing method provided by the embodiment of the present application.
- the client sends a resource processing request to the cloud API (X) corresponding to cloud service A, which carries the signature information of the user and the information of the resource provided by cloud service A.
- the cloud API (X), in response to the resource processing request sent by the client, sends an authentication request to the authentication server, which carries the signature information of the user, the information of the resource provided by cloud service A, and the information of the cloud API (X).
- the authentication server, in response to the authentication request from the cloud API (X), authenticates the access of the client to the resource provided by cloud service A. If the authentication passes, step 604 is performed; if it fails, an authentication failure message is returned to the cloud API (X). Note that this embodiment is illustrated with the case in which authentication passes, so the authentication failure branch is not shown in FIG. 6.
- the authentication server generates the signature information of the user from the information of the resource provided by cloud service A and the information of the cloud API (X) carried in the authentication request, together with the locally stored user information. It then compares the signature information it generated with the signature information of the user carried in the authentication request. If the two are identical, the authentication passes, indicating that the client has access to the resource provided by cloud service A, and step 604 is performed. Conversely, if the two differ, the authentication fails, indicating that the client does not have access to the resource provided by cloud service A, and the authentication server returns an authentication failure message to the cloud API (X).
- the authentication server returns an authentication pass message to the cloud API (X).
- the cloud API (X) sends a resource processing indication to the background server in response to the authentication pass message returned by the authentication server.
- the resource processing indication may carry information of resources provided by the cloud service A that requests processing.
- the background server performs identification according to the resource processing indication and determines the to-be-processed resource.
- when the to-be-processed resource further includes the resource provided by cloud service B, the background server sends a resource processing request to the cloud API (Y) corresponding to cloud service B.
- the resource processing request carries the signature information of cloud service A and the information of the resource provided by cloud service B.
- the cloud API (Y) sends an authentication request to the authentication server, which carries the signature information of cloud service A, the information of the resource provided by cloud service B, and the information of the cloud API (Y).
- the authentication server, in response to the authentication request from the cloud API (Y), authenticates the access of cloud service A to the resource provided by cloud service B. If the authentication passes, step 609 is performed; if it fails, an authentication failure message is returned to the cloud API (Y). As above, only the case in which authentication passes is shown in FIG. 6.
- the authentication server generates the signature information of cloud service A from the information of the resource provided by cloud service B and the information of the cloud API (Y) carried in the authentication request, together with the locally stored authentication information of cloud service A. It then compares the signature information it generated with the signature information of cloud service A carried in the authentication request. If the two are identical, the authentication passes, indicating that cloud service A has access to the resource provided by cloud service B, and step 609 is performed.
- the authentication server returns an authentication pass message to the cloud API (Y).
- the cloud API (Y), in response to the authentication pass message returned by the authentication server, sends a resource processing indication to the background server.
- the resource processing indication may carry the information of the resource provided by cloud service B that is requested to be processed.
- the background server, in response to the resource processing indication, processes the resource provided by cloud service A, then processes the resource provided by cloud service B, and finally completes the processing of the resource provided by cloud service A.
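The two authentication decisions of FIG. 6 (the client's access to cloud service A's resource through cloud API (X), then cloud service A's access to cloud service B's resource through cloud API (Y)), together with the interface whitelist and the policy columns (callable interfaces, processable resources, condition, validity) described earlier, as an added Python example that is not part of the patent. The patent does not name a signature algorithm; here the "signature information" is an HMAC-SHA256 that the authentication server regenerates from the request fields and a locally stored secret, and all principal names, secrets, resource identifiers and policy values are constructed for illustration.

```python
import hashlib
import hmac
import json

# Constructed sample data (not from the patent).
USERS = {"user-1001"}                      # ordinary developers; everything else is a cloud service
SECRETS = {"user-1001": b"user-secret-demo", "cloud-service-A": b"service-A-secret-demo"}
INTERFACE_WHITELIST = {"cloud API (X)", "cloud API (Y)"}
INTERFACE_OWNER = {"cloud API (X)": "cloud-service-A", "cloud API (Y)": "cloud-service-B"}
OWNERSHIP = {("user-1001", "A/vm/instance-42")}   # user resources of cloud service A
# Policy information of cloud service A (licensee) granted by cloud service B
# (licensor): callable interfaces, processable resources, condition, validity.
POLICIES = {
    ("cloud-service-A", "cloud-service-B"): {
        "interfaces": {"cloud API (Y)"},
        "resources": {"B/storage/bucket-7"},
        "max_calls": 3,          # the "condition" column: number of times
        "valid": True,           # the "validity" column
    },
}

def canonical(resource, interface):
    # Both sides sign the same deterministic encoding of the request fields.
    return json.dumps({"resource": resource, "interface": interface},
                      sort_keys=True, separators=(",", ":")).encode()

def sign(secret, resource, interface):
    """Caller side: the signature information is an HMAC-SHA256 over the request."""
    return hmac.new(secret, canonical(resource, interface), hashlib.sha256).hexdigest()

def authenticate(principal, resource, interface, signature, call_counts):
    """Authentication-server side; returns (passed, reason)."""
    if interface not in INTERFACE_WHITELIST:
        return False, "interface not whitelisted"      # request left unanswered
    secret = SECRETS.get(principal)
    if secret is None:
        return False, "unknown principal"
    # Regenerate the signature from the carried fields and the locally stored
    # secret, and compare in constant time rather than with ==.
    if not hmac.compare_digest(sign(secret, resource, interface), signature):
        return False, "signature mismatch"
    if principal in USERS:
        # Client path: a user accessing its own resource of the first cloud service.
        if (principal, resource) not in OWNERSHIP:
            return False, "resource not owned by user"
        return True, "ok"
    # Service path: a cloud service (super developer) reaching another service's
    # resource through that service's interface, governed by the policy table.
    policy = POLICIES.get((principal, INTERFACE_OWNER[interface]))
    if policy is None or not policy["valid"]:
        return False, "no valid policy for this licensor"
    if interface not in policy["interfaces"]:
        return False, "interface not granted"
    if resource not in policy["resources"]:
        return False, "resource not granted"
    key = (principal, resource)
    if call_counts.get(key, 0) >= policy["max_calls"]:
        return False, "call limit reached"
    call_counts[key] = call_counts.get(key, 0) + 1
    return True, "ok"

def fig6_flow():
    """Runs both stages of FIG. 6 against the same authentication server."""
    counts = {}
    # Stage 1: the client signs as the user for cloud service A's resource via cloud API (X).
    user_sig = sign(SECRETS["user-1001"], "A/vm/instance-42", "cloud API (X)")
    stage1 = authenticate("user-1001", "A/vm/instance-42", "cloud API (X)", user_sig, counts)
    if not stage1[0]:
        return stage1, None
    # Stage 2: the background server signs as cloud service A for cloud service B's
    # resource via cloud API (Y); the client is not involved in this request.
    svc_sig = sign(SECRETS["cloud-service-A"], "B/storage/bucket-7", "cloud API (Y)")
    stage2 = authenticate("cloud-service-A", "B/storage/bucket-7", "cloud API (Y)", svc_sig, counts)
    return stage1, stage2
```

The whitelist is checked before any cryptography so that an unknown interface costs nothing; the signature is checked before the policy so that a forged request never reaches the policy lookup; and the policy's "condition" is enforced as state on the server, since a caller cannot be trusted to count its own calls.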
- the mutual trust mechanism needs to be established in advance, and the encryption key and the decryption key are determined through it.
- a lightweight mutual trust mechanism can be adopted, which improves service performance on the one hand and provides basic security on the other.
- identity verification between the interface and the authentication server:
- the identity verification of the interface may be implemented with a signature mechanism.
- each interface, and the cloud service corresponding to each interface, is assigned a certificate.
- the certificate must be carried in the request and serves as the information of the interface, that is, the information of the first interface or of the second interface referred to above; the certificate is used as the interface's information when accessing the authentication server.
- the certificates of each interface and of the cloud service corresponding to each interface may be distributed offline by the certificate server.
- the certificate may be encrypted and decrypted with a symmetric key, or with an asymmetric key.
- for the identity verification involving the background server (FIG. 8) and the authentication server (FIG. 7), the certificate server likewise needs to distribute certificates offline.
- an asymmetric key may be used for encryption and decryption, or a symmetric key may be used.
- the public key can be kept on the side of the server being accessed and the private key kept by its holder itself, which reduces the probability of a successful attack to a certain extent and protects the exchanged information.
- FIG. 7 is an example of an interaction process of an identity verification method between an interface and an authentication server according to an embodiment of the present application. As shown in FIG. 7 , the method includes the following steps:
- the certificate server allocates a certificate Pub_CA (Pub_Auth, Domain%) and a public key to the authentication server; the corresponding private key is pre-configured in advance (it is the private key with which the interface decrypts in step 705), and the authentication server stores the allocated certificate and the public key.
- the certificate server allocates a certificate to the interface; the certificate may be formed from an interface identifier (API_ID) and a private key (API_Secret).
- Step 701 and step 702 belong to the certificate server offline distribution certificate phase.
- the public key and the private key involved in allocating the certificate may be a symmetric key pair or an asymmetric key pair.
- a symmetric key may be used for service scenarios with high performance requirements and low security requirements; otherwise an asymmetric key may be used, which is not specifically limited in this embodiment of the present application.
- the interface sends a certificate acquisition request to the authentication server.
- the authentication server responds to the certificate acquisition request: it encrypts the certificate previously assigned by the certificate server with the public key and returns it to the interface in a certificate acquisition response.
- the interface decrypts the received certificate with the private key provided by the certificate server. If the decryption succeeds, the identity verification between the interface and the authentication server passes, and step 706 is performed.
- if the interface successfully decrypts the certificate with the private key, this shows that the private key and the public key used to encrypt the certificate form a matching pair of encryption and decryption keys, which proves the identity of the authentication server and at the same time the identity of the interface; the identity verification of both sides passes.
- the interface and the authentication server negotiate the encryption key and the decryption key. After the negotiation, the interface holds the encryption key and the authentication server holds the decryption key; these keys are used to encrypt and decrypt the information carried in the authentication request initiated by the interface, protecting the communication.
- steps 703 to 706 belong to the key negotiation phase between the interface and the authentication server and need to be performed before the interface interacts with the authentication server, so that the key negotiation is already complete when the two need to interact and the encryption key and decryption key can be used directly, which improves the interaction efficiency between the interface and the authentication server and the execution performance of the interface.
- steps 703 to 706 may also be performed periodically, so that the interface and the authentication server renegotiate and update the encryption key and decryption key from time to time, further improving the security of the information interaction.
- the interface referred to above is an interface corresponding to a cloud service in the interface device, such as the first interface or the second interface; that is, each interface in the interface device performs identity verification with the authentication server in the manner described.
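The certificate exchange of steps 701 to 706 (the same exchange is run against the background server in FIG. 8), followed by the hop-by-hop protection described earlier in which the background server encrypts the resource processing request with the first encryption key, the second interface decrypts it, adds its own information and re-encrypts it with the second encryption key for the authentication server, as an added Python example that is not part of the patent. It uses the symmetric variant the text allows, so the "public key" held by a server and the "private key" held by the interface for that server are the same secret; the session-key derivation for step 706, the encrypt-then-MAC construction standing in for a real AEAD, and every identifier and key value are assumptions. The interface also checks that the decrypted certificate names the server it expected, which is what makes "decryption succeeded" carry the meaning the text gives it.

```python
import hashlib
import hmac
import json
import os

# Authenticated encryption helper used for every hop below: an HMAC-SHA256
# keystream with encrypt-then-MAC.  It stands in for a real AEAD such as
# AES-GCM so that the example runs on the standard library alone.
def _stream(key, nonce, n):
    out, i = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        i += 1
    return out[:n]

def seal(key, data):
    """Returns nonce || ciphertext || tag."""
    ek = hmac.new(key, b"enc", hashlib.sha256).digest()
    mk = hmac.new(key, b"mac", hashlib.sha256).digest()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(data, _stream(ek, nonce, len(data))))
    return nonce + ct + hmac.new(mk, nonce + ct, hashlib.sha256).digest()

def open_(key, blob):
    """Checks the tag before decrypting: a wrong key or a modified blob fails here."""
    ek = hmac.new(key, b"enc", hashlib.sha256).digest()
    mk = hmac.new(key, b"mac", hashlib.sha256).digest()
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(mk, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("decryption failed")
    return bytes(a ^ b for a, b in zip(ct, _stream(ek, nonce, len(ct))))

# Offline distribution by the certificate server (steps 701/702 and 801/802).
# Constructed values.  Symmetric variant: the "public key" given to a server and
# the "private key" given to the interface for that server are the same secret.
ISSUED_INTERFACES = {"cloud-API-Y": b"api-y-secret-demo"}     # API_ID -> API_Secret
SERVER_KEYS = {"auth-server-01": os.urandom(32), "background-server-01": os.urandom(32)}

def derive_session_key(cert_key, api_id, api_secret, nonce_i, nonce_s):
    # Assumed negotiation (steps 706/806): only a party holding the server's
    # certificate key and the interface's API_Secret can compute this key.
    return hmac.new(cert_key, nonce_i + nonce_s + api_id.encode() + api_secret,
                    hashlib.sha256).digest()

class TrustedServer:
    """Authentication server (FIG. 7) or background server (FIG. 8)."""
    def __init__(self, name, domain):
        self.cert = {"Pub_Auth": name, "Domain": domain}     # Pub_CA(Pub_Auth, Domain)
        self.key = SERVER_KEYS[name]
        self.session_keys = {}                                # API_ID -> decryption key

    def certificate_response(self, request):                # steps 703/704
        api_id, nonce_i = request["API_ID"], bytes.fromhex(request["nonce_i"])
        nonce_s = os.urandom(16)
        self.session_keys[api_id] = derive_session_key(
            self.key, api_id, ISSUED_INTERFACES[api_id], nonce_i, nonce_s)
        body = json.dumps({"cert": self.cert, "nonce_s": nonce_s.hex()}).encode()
        return seal(self.key, body)                           # certificate encrypted under the public key

class Interface:
    def __init__(self, api_id):
        self.api_id, self.api_secret = api_id, ISSUED_INTERFACES[api_id]
        self.private_keys = dict(SERVER_KEYS)                 # provisioned offline
        self.session_keys = {}                                # server name -> encryption key

    def handshake(self, server, expected_name):             # steps 703-706
        nonce_i = os.urandom(16)
        blob = server.certificate_response({"API_ID": self.api_id, "nonce_i": nonce_i.hex()})
        body = json.loads(open_(self.private_keys[expected_name], blob))   # step 705
        if body["cert"]["Pub_Auth"] != expected_name:   # the certificate must name this server
            raise ValueError("certificate does not name the expected server")
        self.session_keys[expected_name] = derive_session_key(
            self.private_keys[expected_name], self.api_id, self.api_secret,
            nonce_i, bytes.fromhex(body["nonce_s"]))

def relay(tamper=False):
    """Background server -> second interface -> authentication server, each hop
    under its own negotiated key.  Returns what the authentication server reads,
    or None when the interface's decryption fails and it does not forward."""
    auth = TrustedServer("auth-server-01", "auth.example.test")
    backend = TrustedServer("background-server-01", "backend.example.test")
    api_y = Interface("cloud-API-Y")
    api_y.handshake(auth, "auth-server-01")
    api_y.handshake(backend, "background-server-01")
    request = {"signature": "3f9c...demo", "resource": "B/storage/bucket-7"}  # constructed
    hop1 = seal(backend.session_keys["cloud-API-Y"], json.dumps(request).encode())
    if tamper:                                                # flip one ciphertext bit in transit
        hop1 = hop1[:20] + bytes([hop1[20] ^ 0x01]) + hop1[21:]
    try:
        inner = json.loads(open_(api_y.session_keys["background-server-01"], hop1))
    except ValueError:
        return None
    inner["interface"] = api_y.api_id                         # the interface adds its own information
    hop2 = seal(api_y.session_keys["auth-server-01"], json.dumps(inner).encode())
    return json.loads(open_(auth.session_keys["cloud-API-Y"], hop2))
```

Because each hop is authenticated as well as encrypted, "decryption succeeded" is a real statement about the peer: an unauthenticated cipher would happily produce garbage for a tampered or wrongly keyed message, and the interface would forward it. Binding both nonces into the session key is what lets steps 703 to 706 be rerun periodically to refresh the keys without redistributing certificates.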
- FIG. 8 is a schematic diagram of an interaction process of an identity verification method between an interface and a background server according to an embodiment of the present application. As shown in FIG. 8 , the method includes the following steps:
- the certificate server allocates a certificate Pub_CA1 (Pub_Auth1, Domain%) and a public key to the background server; the corresponding private key is pre-configured in advance (it is the private key with which the interface decrypts in step 805), and the background server stores the allocated certificate and the public key.
- the certificate server allocates a certificate to the interface; the certificate may be formed from an interface identifier (API_ID) and a private key (API_Secret).
- steps 801 and 802 belong to the offline certificate distribution phase of the certificate server.
- the interface sends a certificate acquisition request to the background server.
- the background server responds to the certificate acquisition request: it encrypts the certificate previously assigned by the certificate server with the public key and returns it to the interface in a certificate acquisition response.
- the interface decrypts the received certificate with the private key provided by the certificate server. If the decryption succeeds, the identity verification between the interface and the background server passes, and step 806 is performed.
- if the interface successfully decrypts the certificate with the private key, this shows that the private key and the public key used to encrypt the certificate form a matching pair of encryption and decryption keys, which proves the identity of the background server and at the same time the identity of the interface; the identity verification of both sides passes.
- the interface and the background server negotiate the encryption key and the decryption key. After the negotiation, the interface holds the encryption key and the background server holds the decryption key; these keys are used to encrypt and decrypt the information carried in the requests initiated by the interface, protecting the communication.
- steps 803 to 806 belong to the key negotiation phase between the interface and the background server and need to be performed before the interface interacts with the background server, so that the key negotiation is already complete when the two need to interact and the encryption key and decryption key can be used directly, which improves the interaction efficiency between the interface and the background server and the execution performance of the interface.
- steps 803 to 806 may also be performed periodically, so that the interface and the background server renegotiate and update the encryption key and decryption key from time to time, further improving the security of the information interaction.
- the interface referred to above is an interface corresponding to a cloud service in the interface device, such as the first interface or the second interface; that is, each interface in the interface device performs identity verification with the background server in the manner described.
- the embodiment of the present application further provides an apparatus embodiment for implementing the steps and methods in the foregoing method embodiments.
- FIG. 9 is a schematic structural diagram of a resource processing system according to an embodiment of the present application.
- the system includes an interface device 100, a background server 200, and an authentication server 300.
- the interface device 100 is configured with at least a first interface 101 and a second interface 102, where the first interface 101 corresponds to a first cloud service.
- the second interface 102 corresponds to the second cloud service.
- the background server 200 is configured to acquire a resource processing indication from the first interface 101.
- the background server 200 is further configured to perform identification according to the resource processing indication, and determine a resource to be processed;
- the background server 200 is further configured to send a resource processing request to the second interface 102, when the to-be-processed resource includes the resource provided by the second cloud service;
- the second interface 102 is configured to initiate, according to the resource processing request, an authentication request for accessing resources provided by the second cloud service to the authentication server 300;
- the authentication server 300 is configured to authenticate the access to the resource provided by the second cloud service in response to the authentication request, and to return an authentication pass message to the second interface 102 if the authentication succeeds;
- the second interface 102 is further configured to send a resource processing indication to the background server 200, in response to the authentication pass message;
- the background server 200 is further configured to process the to-be-processed resource in response to the resource processing indication from the second interface.
- FIG. 10 is a functional block diagram of a resource processing apparatus according to an embodiment of the present application.
- the apparatus is applied to a system including the interface device, the background server, and the authentication server, where the interface device is configured with at least a first interface and a second interface, the first interface corresponds to the first cloud service, and the second interface corresponds to the second cloud service; the apparatus is located in the background server; as shown in FIG. 10, the apparatus includes:
- the receiving unit 201 is configured to acquire a resource processing indication from the first interface.
- the resource identification unit 202 is configured to perform identification according to the resource processing indication, and determine a resource to be processed;
- the sending unit 203 is configured to: when the to-be-processed resource includes the resource provided by the second cloud service, send a resource processing request to the second interface;
- the resource processing unit 204 is configured to process the to-be-processed resource in response to a resource processing indication from the second interface.
- the device also includes:
- the resource discriminating unit 205 is configured to acquire, according to a preset correspondence between cloud services and resources, the cloud service corresponding to each resource in the to-be-processed resource, and to determine whether the acquired cloud services include the second cloud service; when they do, it determines that the to-be-processed resource includes the resource provided by the second cloud service.
- FIG. 11 is another functional block diagram of a resource processing apparatus according to an embodiment of the present application.
- the apparatus is applied to a system including the interface device, the background server, and the authentication server, where the interface device is configured with at least a first interface and a second interface, the first interface corresponds to the first cloud service, and the second interface corresponds to the second cloud service; the apparatus is located in the authentication server; as shown in FIG. 11, the apparatus includes:
- the receiving unit 301 is configured to receive, by the second interface, an authentication request for accessing resources provided by the second cloud service.
- the authentication unit 302 is configured to perform authentication on a resource provided by accessing the second cloud service in response to the authentication request.
- the sending unit 303 is configured to return an authentication pass message to the second interface if the authentication succeeds.
- FIG. 12 is a hardware architecture diagram of a resource processing apparatus according to an embodiment of the present application.
- the apparatus is applied to a system including the interface device, the background server, and the authentication server, where the interface device is configured with at least a first interface and a second interface, the first interface corresponds to the first cloud service, and the second interface corresponds to the second cloud service;
- the apparatus is located in the background server; as shown in FIG. 12, the apparatus includes a processor and a memory, the memory stores instructions executable by the processor, and when the instructions are executed the processor performs the resource processing method applied to the background server side as shown in FIG. 4, which is not described again here.
- FIG. 13 is a hardware architecture diagram of a resource processing apparatus according to an embodiment of the present application.
- The apparatus is applied to a system comprising an interface device, a background server and an authentication server, in which the interface device is configured with at least a first interface and a second interface, the first interface corresponding to a first cloud service and the second interface to a second cloud service. The apparatus is located in the authentication server and, as shown in FIG. 13, comprises a processor and a memory; the memory stores instructions executable by the processor, and when the instructions are executed the processor performs the authentication-server-side resource processing method shown in FIG. 5, which is not described again here.
- The embodiment of the present application further provides a computer readable medium comprising computer-executable instructions which, when executed, perform the steps of the background-server-side resource processing method shown in FIG. 4.
- The embodiment of the present application further provides a computer readable medium comprising computer-executable instructions which, when executed, perform the steps of the authentication-server-side resource processing method shown in FIG. 5, the last of which is that an authentication pass message is returned to the second interface.
- When, in the course of processing the resource provided by the first cloud service, the background server needs to access a resource provided by the second cloud service, it sends a resource processing request to the second interface corresponding to the second cloud service. This triggers the second interface to initiate, to the authentication server, an authentication request for the first cloud service to access the resource provided by the second cloud service; once authentication passes, the second interface in turn triggers the background server to perform the resource processing.
- In other words, whenever the background server finds, while processing resources, that it needs a resource provided by another cloud service, it sends a resource processing request to the interface corresponding to that cloud service, and that interface triggers the authentication server to perform authentication.
- This avoids configuring multiple sets of calling logic on the user side and does not require the user side to supply information for authentication, which reduces the design complexity and maintenance cost of the user-side client. Because the background server can itself identify which resources require access to another cloud service, it can initiate the resource processing request directly rather than going back to the client and having the client initiate it, which improves processing efficiency.
- A lightweight mutual-trust mechanism is added: the background server and the interface, and the interface and the authentication server, authenticate each other, keys are negotiated on the basis of the authentication key, and the information exchanged on each hop is encrypted. This provides a degree of security and traceability without sacrificing processing efficiency.
- each functional unit in each embodiment of the present application may be integrated into one processing unit, or each unit may exist physically separately, or two or more units may be integrated into one unit.
- the above integrated unit can be implemented in the form of hardware or in the form of hardware plus software functional units.
- the above-described integrated unit implemented in the form of a software functional unit can be stored in a computer readable storage medium.
- The software functional unit is stored in a storage medium and includes instructions for causing a computer device (which may be a personal computer, a server, a network device, etc.) or a processor to perform some of the steps of the methods of the various embodiments of the present application.
- The storage medium includes any medium that can store program code, such as a USB flash drive, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk or an optical disk.
Landscapes
- Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Computer And Data Communications (AREA)
Abstract
Description
Claims (17)
- A resource processing method, applied to a system comprising an interface device, a background server and an authentication server, wherein the interface device is configured with at least a first interface and a second interface, the first interface corresponding to a first cloud service and the second interface corresponding to a second cloud service; the method comprising: the background server obtains a resource processing indication from the first interface; the background server performs identification according to the resource processing indication to determine the resources to be processed; when the resources to be processed include a resource provided by the second cloud service, the background server sends a resource processing request to the second interface, and the second interface, according to the resource processing request, initiates to the authentication server an authentication request for accessing the resource provided by the second cloud service; the authentication server, in response to the authentication request, authenticates the access to the resource provided by the second cloud service and, if authentication passes, returns an authentication pass message to the second interface; in response to the authentication pass message, the second interface sends a resource processing indication to the background server; and in response to the resource processing indication from the second interface, the background server processes the resources to be processed.
- The method of claim 1, wherein, before the background server obtains the resource processing indication from the first interface, the method further comprises: the first interface, in response to a resource processing request sent by a client, initiates to the authentication server an authentication request for accessing a resource provided by the first cloud service; the authentication server, in response to that authentication request, authenticates the access to the resource provided by the first cloud service and, if authentication passes, returns an authentication pass message to the first interface; and in response to the authentication pass message, the first interface sends the resource processing indication to the background server.
- The method of claim 1 or 2, wherein the background server sending the resource processing request to the second interface comprises: the background server sends to the second interface a resource processing request carrying signature information of the first cloud service and information on the resources, included in the resources to be processed, that are provided by the second cloud service; the second interface initiating the authentication request to the authentication server according to the resource processing request comprises: the second interface initiates to the authentication server an authentication request carrying the signature information of the first cloud service, the information on the resources, included in the resources to be processed, that are provided by the second cloud service, and information of the second interface; and the authentication server authenticating the access in response to the authentication request comprises: the authentication server authenticates the access to the resource provided by the second cloud service according to the items of information carried in the authentication request.
- The method of claim 3, wherein the background server sending the resource processing request carrying the signature information of the first cloud service and the information on the resources provided by the second cloud service comprises: the background server encrypts the information carried in the resource processing request with a first encryption key and sends to the second interface a resource processing request carrying the encrypted information; the second interface initiating the authentication request carrying the signature information of the first cloud service, the information on the resources provided by the second cloud service and the information of the second interface comprises: the second interface decrypts the information carried in the resource processing request with a first decryption key and, if decryption succeeds, encrypts the decrypted information with a second encryption key and sends to the authentication server an authentication request carrying the encrypted information; and the authentication server authenticating the access according to the items of information carried in the authentication request comprises: the authentication server decrypts the information in the authentication request sent by the second interface with a second decryption key and, if decryption succeeds, authenticates the access to the resource provided by the second cloud service on the basis of the decrypted information.
- The method of claim 1, wherein, when the resources to be processed include a resource provided by the second cloud service, before sending the resource processing request to the second interface the method further comprises: obtaining, according to a preset correspondence between cloud services and resources, the cloud service corresponding to each resource among the resources to be processed; determining whether the obtained cloud services include the second cloud service; and, when the obtained cloud services include the second cloud service, determining that the resources to be processed include a resource provided by the second cloud service.
- A resource processing method, applied to a system comprising an interface device, a background server and an authentication server, wherein the interface device is configured with at least a first interface and a second interface, the first interface corresponding to a first cloud service and the second interface corresponding to a second cloud service; the method being executed by the background server and comprising: obtaining a resource processing indication from the first interface, the resource processing indication being sent by the first interface in response to an authentication pass message from the authentication server authenticating access to a resource provided by the first cloud service; performing identification according to the resource processing indication to determine the resources to be processed; when the resources to be processed include a resource provided by the second cloud service, sending a resource processing request to the second interface; and, in response to a resource processing indication from the second interface, processing the resources to be processed, that resource processing indication being sent by the second interface in response to an authentication pass message from the authentication server authenticating access to a resource provided by the second cloud service.
- The method of claim 6, wherein, when the resources to be processed include a resource provided by the second cloud service, before sending the resource processing request to the second interface the method further comprises: obtaining, according to a preset correspondence between cloud services and resources, the cloud service corresponding to each resource among the resources to be processed; determining whether the obtained cloud services include the second cloud service; and, when the obtained cloud services include the second cloud service, determining that the resources to be processed include a resource provided by the second cloud service.
- The method of claim 6, wherein, before sending the resource processing request to the second interface, the method further comprises: generating signature information of the first cloud service; the resource processing request carrying the signature information of the first cloud service and information on the resources, included in the resources to be processed, that are provided by the second cloud service.
- A resource processing method, applied to a system comprising an interface device, a background server and an authentication server, wherein the interface device is configured with at least a first interface and a second interface, the first interface corresponding to a first cloud service and the second interface corresponding to a second cloud service; the method being executed by the authentication server and comprising: receiving an authentication request, sent by the second interface, for accessing a resource provided by the second cloud service, wherein the authentication request is sent by the second interface after it receives a resource processing request from the background server, and the resources to be processed that the background server identified according to a resource processing indication from the first interface include a resource provided by the second cloud service; in response to the authentication request, authenticating the access to the resource provided by the second cloud service; and, if authentication passes, returning an authentication pass message to the second interface.
- The method of claim 9, wherein the authentication request carries signature information of the first cloud service, information on the resources, included in the resources to be processed, that are provided by the second cloud service, and information of the second interface; and authenticating the access to the resource provided by the second cloud service in response to the authentication request comprises: generating signature information of the first cloud service according to the information of the second interface, the resource provided by the second cloud service that is to be accessed, and locally stored information of the first cloud service; comparing the signature information of the first cloud service received via the second interface with the signature information of the first cloud service generated locally; and, if the two signatures are identical, determining that authentication passes.
- The method of claim 9, wherein, before receiving the authentication request sent by the second interface for accessing the resource provided by the second cloud service, the method further comprises: receiving an authentication request, sent by the first interface, for accessing a resource provided by the first cloud service; in response to that authentication request, authenticating the access to the resource provided by the first cloud service; and, if authentication passes, returning an authentication pass message to the first interface.
- A resource processing system, comprising an interface device, a background server and an authentication server, wherein the interface device is configured with at least a first interface and a second interface, the first interface corresponding to a first cloud service and the second interface corresponding to a second cloud service; the background server is configured to obtain a resource processing indication from the first interface; the background server is further configured to perform identification according to the resource processing indication to determine the resources to be processed; when the resources to be processed include a resource provided by the second cloud service, the background server is further configured to send a resource processing request to the second interface; the second interface is configured to initiate, according to the resource processing request, an authentication request to the authentication server for accessing the resource provided by the second cloud service; the authentication server is configured to authenticate, in response to the authentication request, the access to the resource provided by the second cloud service and, if authentication passes, to return an authentication pass message to the second interface; in response to the authentication pass message, the second interface is further configured to send a resource processing indication to the background server; and in response to the resource processing indication from the second interface, the background server is further configured to process the resources to be processed.
- The system of claim 12, wherein, before the background server obtains the resource processing indication from the first interface, the first interface, in response to a resource processing request sent by a client, initiates to the authentication server an authentication request for accessing a resource provided by the first cloud service; the authentication server, in response to that authentication request, authenticates the access to the resource provided by the first cloud service and, if authentication passes, returns an authentication pass message to the first interface; and in response to the authentication pass message, the first interface sends the resource processing indication to the background server.
- The system of claim 12 or 13, wherein the background server is further configured to send to the second interface a resource processing request carrying signature information of the first cloud service and information on the resources, included in the resources to be processed, that are provided by the second cloud service; the second interface initiates to the authentication server an authentication request carrying the signature information of the first cloud service, the information on the resources, included in the resources to be processed, that are provided by the second cloud service, and information of the second interface; and the authentication server, in response to the authentication request, authenticates the access to the resource provided by the second cloud service according to the items of information carried in the authentication request.
- The system of claim 14, wherein the background server is further configured to encrypt the information carried in the resource processing request with a first encryption key and to send to the second interface a resource processing request carrying the encrypted information; the second interface is further configured to decrypt the information carried in the resource processing request with a first decryption key and, if decryption succeeds, to encrypt the decrypted information with a second encryption key and send to the authentication server an authentication request carrying the encrypted information; and the authentication server is further configured to decrypt the information in the authentication request sent by the second interface with a second decryption key and, if decryption succeeds, to authenticate the access to the resource provided by the second cloud service on the basis of the decrypted information.
- The system of claim 14, wherein the authentication server is further configured to generate signature information of the first cloud service according to the information of the second interface, the resource provided by the second cloud service that is to be accessed, and locally stored information of the first cloud service; the authentication server compares the signature information of the first cloud service received via the second interface with the signature information of the first cloud service it generated itself and, if the two signatures are identical, determines that authentication passes.
- A storage medium storing a computer program which, when executed by a processor, implements the resource processing method of any one of claims 1 to 11.
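The exchange that the description summary and claims 3, 4, 5 and 10 lay out, modelled as an added example in Python; it is not code from the patent or from its applicant. Three parties run in one process: the background server, which identifies the resources to be processed against a preset resource-to-cloud table, signs the request and encrypts it with the first encryption key; the second interface, which decrypts with the first decryption key, appends its own interface information and re-encrypts with the second encryption key; and the authentication server, which decrypts with the second decryption key, regenerates the first cloud service's signature from the second interface's information, the requested resources and its locally stored information for the first cloud service, and compares the two in constant time. Everything the page leaves open is an assumption here: the key material, the interface identifiers and the resource table are constructed; the signature is an HMAC-SHA256 keyed with a first-cloud-service secret that both the background server and the authentication server hold (the claims say only which inputs the signature is generated from); and the per-hop encryption is HMAC-SHA256 in counter mode with an encrypt-then-MAC tag, a standard-library stand-in chosen so the example runs offline, where a real deployment would use an AEAD such as AES-GCM.

```python
"""Added example, not the patent's code: one pass through the cross-cloud
authentication flow with the background server, the second interface and the
authentication server as in-process functions. Keys, identifiers and the
resource table are constructed for the demo."""
import hashlib
import hmac
import json
import secrets

# Constructed assumptions: the page names these only by role.
FIRST_KEY = b"first encryption key: background server <-> second interface"
SECOND_KEY = b"second encryption key: second interface <-> authentication server"
CLOUD_SECRET = {"cloud1": b"cloud1 secret held by background server and auth server"}
RESOURCE_TO_CLOUD = {"image/1": "cloud1", "image/2": "cloud1", "video/7": "cloud2"}
INTERFACE_FOR = {"cloud1": "interface-1", "cloud2": "interface-2"}


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """HMAC-SHA256 in counter mode: a stdlib stand-in for a real cipher."""
    out = b""
    for ctr in range((n + 31) // 32):
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:n]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || tag. Use AES-GCM in production."""
    ek, mk = (hmac.new(key, lbl, hashlib.sha256).digest() for lbl in (b"enc", b"mac"))
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(ek, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mk, nonce + ct, hashlib.sha256).digest()


def unseal(key: bytes, blob: bytes):
    """Plaintext, or None when the tag fails: the 'decryption fails' branch of claim 4."""
    ek, mk = (hmac.new(key, lbl, hashlib.sha256).digest() for lbl in (b"enc", b"mac"))
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(mk, nonce + ct, hashlib.sha256).digest(), tag):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(ek, nonce, len(ct))))


def cloud_signature(first_cloud: str, interface: str, resources: list) -> str:
    """Claim 10 inputs: second-interface info, requested resources, stored first-cloud info.
    Assumption: an HMAC keyed with the first cloud's secret; the page fixes only the inputs."""
    msg = json.dumps([interface, sorted(resources)]).encode()
    return hmac.new(CLOUD_SECRET[first_cloud], msg, hashlib.sha256).hexdigest()


def clouds_for(to_process: list) -> dict:
    """Resource discriminating unit (claim 5): preset resource -> cloud correspondence."""
    return {r: RESOURCE_TO_CLOUD[r] for r in to_process}


def background_server_request(to_process: list, first_cloud: str, second_cloud: str):
    """Claims 3/4/8: sign, then encrypt with the first key; None if nothing is foreign."""
    foreign = [r for r, c in clouds_for(to_process).items() if c == second_cloud]
    if not foreign:
        return None
    req = {"first_cloud": first_cloud, "resources": foreign,
           "signature": cloud_signature(first_cloud, INTERFACE_FOR[second_cloud], foreign)}
    return seal(FIRST_KEY, json.dumps(req).encode())


def second_interface_forward(blob: bytes, interface: str):
    """Claim 4: decrypt with the first key, add own info, re-encrypt with the second key."""
    inner = unseal(FIRST_KEY, blob)
    if inner is None:
        return None
    req = json.loads(inner)
    req["interface"] = interface
    return seal(SECOND_KEY, json.dumps(req).encode())


def authentication_server(blob: bytes) -> bool:
    """Claims 4/10: decrypt with the second key, regenerate the signature, compare."""
    inner = unseal(SECOND_KEY, blob)
    if inner is None:
        return False
    req = json.loads(inner)
    expected = cloud_signature(req["first_cloud"], req["interface"], req["resources"])
    return hmac.compare_digest(expected.encode(), str(req["signature"]).encode())


def cross_cloud_processing(to_process: list, first_cloud="cloud1", second_cloud="cloud2") -> str:
    """Drives the whole exchange and reports where it stopped."""
    blob = background_server_request(to_process, first_cloud, second_cloud)
    if blob is None:
        return "no second-cloud resource; processed locally"
    fwd = second_interface_forward(blob, INTERFACE_FOR[second_cloud])
    if fwd is None:
        return "rejected at second interface: decryption failed"
    if not authentication_server(fwd):
        return "rejected at authentication server"
    return "authentication passed; second interface sends processing indication"


def tampered_run() -> str:
    """A request whose resource list is widened after signing must not pass."""
    blob = background_server_request(["image/1", "video/7"], "cloud1", "cloud2")
    req = json.loads(unseal(FIRST_KEY, blob))
    req["resources"].append("video/8")  # not covered by the signature
    req["interface"] = INTERFACE_FOR["cloud2"]
    ok = authentication_server(seal(SECOND_KEY, json.dumps(req).encode()))
    return "accepted" if ok else "rejected"


if __name__ == "__main__":
    print(cross_cloud_processing(["image/1", "video/7"]))
    print(cross_cloud_processing(["image/1", "image/2"]))
    print(tampered_run())
```

Run the block directly to see the three outcomes: a mixed resource list that passes authentication, a list with no second-cloud resource that never produces a request to the second interface, and a request whose resource list was widened after signing, which the authentication server rejects because the signature it regenerates no longer matches. A ciphertext produced under any key other than the first key fails the tag check at the second interface, which is the decryption-failure branch of claims 4 and 15. The signature as claimed binds only the second interface's information and the resource list; whether a deployment also binds a timestamp or nonce is not stated on the page, and the example follows the claim as written.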
Priority Applications (4)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
KR1020207007631A KR102338718B1 (ko) | 2017-09-30 | 2018-09-11 | Resource processing method, apparatus and system, and computer-readable medium |
EP18863724.3A EP3664405B1 (en) | 2017-09-30 | 2018-09-11 | Resource processing between two cloudsystems |
JP2020517453A JP6943511B2 (ja) | 2017-09-30 | 2018-09-11 | Resource processing method, apparatus, system and computer-readable medium |
US16/803,443 US11190503B2 (en) | 2017-09-30 | 2020-02-27 | Resource processing method, apparatus, and system, and computer-readable medium |
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201710914860.XA CN109600337B (zh) | 2017-09-30 | 2017-09-30 | Resource processing method, apparatus, system and computer-readable medium |
CN201710914860.X | 2017-09-30 |
Related Child Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US16/803,443 Continuation US11190503B2 (en) | 2017-09-30 | 2020-02-27 | Resource processing method, apparatus, and system, and computer-readable medium |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2019062536A1 true WO2019062536A1 (zh) | 2019-04-04 |
Family
ID=65900756
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/CN2018/104986 WO2019062536A1 (zh) | 2017-09-30 | 2018-09-11 | Resource processing method, apparatus, system and computer-readable medium |
Country Status (6)
Country | Link |
---|---|
US (1) | US11190503B2 (zh) |
EP (1) | EP3664405B1 (zh) |
JP (1) | JP6943511B2 (zh) |
KR (1) | KR102338718B1 (zh) |
CN (1) | CN109600337B (zh) |
WO (1) | WO2019062536A1 (zh) |
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN110650142A (zh) * | 2019-09-25 | 2020-01-03 | 腾讯科技(深圳)有限公司 | Access request processing method, apparatus, system, storage medium and computer device |
CN112346880A (zh) * | 2019-08-07 | 2021-02-09 | 腾讯科技(深圳)有限公司 | Interface calling method, apparatus, computer-readable storage medium and computer device |
Families Citing this family (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US11212269B2 (en) * | 2018-12-18 | 2021-12-28 | American Megatrends International, Llc | Secure remote online debugging of firmware on deployed hardware |
CN110719288A (zh) * | 2019-10-12 | 2020-01-21 | 深圳市道通科技股份有限公司 | Cloud service access method, cloud server and terminal |
JP7490620B2 (ja) | 2021-08-27 | 2024-05-27 | キヤノン株式会社 | Information processing apparatus and method for an information processing system |
Citations (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20110137805A1 (en) * | 2009-12-03 | 2011-06-09 | International Business Machines Corporation | Inter-cloud resource sharing within a cloud computing environment |
CN102255933A (zh) * | 2010-05-20 | 2011-11-23 | 中兴通讯股份有限公司 | Cloud service broker, cloud computing method and cloud system |
CN102369714A (zh) * | 2011-08-31 | 2012-03-07 | 华为技术有限公司 | Method for a cloud terminal to access a cloud server in a cloud computing system, and cloud computing system |
CN104052775A (zh) * | 2013-03-14 | 2014-09-17 | 腾讯科技(深圳)有限公司 | Permission management method, apparatus and system for cloud platform services |
CN106559453A (zh) * | 2015-09-29 | 2017-04-05 | 中兴通讯股份有限公司 | External resource management method, apparatus and system for cloud interconnection |
CN106657152A (zh) * | 2017-02-07 | 2017-05-10 | 腾讯科技(深圳)有限公司 | Authentication method, server and access control apparatus |
CN106933648A (zh) * | 2015-12-31 | 2017-07-07 | 中国电信股份有限公司 | Method and system for multi-tenant container resource management |
Family Cites Families (21)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US7685206B1 (en) * | 2004-02-12 | 2010-03-23 | Microsoft Corporation | Authorization and access control service for distributed network resources |
JP4334515B2 (ja) * | 2005-08-30 | 2009-09-30 | 日本電信電話株式会社 | Service providing server, authentication server and authentication system |
JP5040367B2 (ja) * | 2007-03-02 | 2012-10-03 | 日本電気株式会社 | Service cooperation system, service cooperation method and service cooperation program |
JP5153591B2 (ja) * | 2008-11-26 | 2013-02-27 | 株式会社日立製作所 | Authentication mediation server, program, authentication system and selection method |
CN102546561B (zh) * | 2010-12-30 | 2016-10-05 | 联想(北京)有限公司 | Terminal device, server, information processing system and information processing method thereof |
CN103019837A (zh) * | 2011-09-27 | 2013-04-03 | 中国移动通信集团公司 | Resource scheduling method, apparatus and terminal device |
JP5988699B2 (ja) * | 2012-05-30 | 2016-09-07 | キヤノン株式会社 | Cooperation system, cooperation method thereof, information processing system and program therefor |
US8875166B2 (en) * | 2012-11-08 | 2014-10-28 | Sharp Laboratories Of America, Inc. | Method and cloud security framework for implementing tenant license verification |
CA2896086C (en) * | 2012-12-21 | 2023-01-17 | Deka Products Limited Partnership | System, method, and apparatus for electronic patient care |
US9154488B2 (en) * | 2013-05-03 | 2015-10-06 | Citrix Systems, Inc. | Secured access to resources using a proxy |
US20150026772A1 (en) * | 2013-07-16 | 2015-01-22 | Samsung Electronics Co., Ltd. | Media based authentication and authorization for secure services |
US10650424B2 (en) * | 2015-03-17 | 2020-05-12 | International Business Machines Corporation | Dynamic cloud solution catalog |
KR102368614B1 (ko) * | 2015-08-12 | 2022-02-25 | 삼성전자주식회사 | Authentication processing method and electronic device supporting the same |
US10169265B2 (en) * | 2015-10-16 | 2019-01-01 | Gopro, Inc. | Configurable input / output connector in a camera |
JP2017079419A (ja) * | 2015-10-21 | 2017-04-27 | 日本電信電話株式会社 | Server authentication system, terminal, server, server authentication method and program |
JP2019508763A (ja) * | 2016-01-29 | 2019-03-28 | グーグル エルエルシー | Local device authentication |
US9935955B2 (en) * | 2016-03-28 | 2018-04-03 | Zscaler, Inc. | Systems and methods for cloud based unified service discovery and secure availability |
CN106060017A (zh) * | 2016-05-19 | 2016-10-26 | 上海承蓝科技股份有限公司 | Cloud platform and method for data management and control |
JP6471728B2 (ja) * | 2016-06-23 | 2019-02-20 | ブラザー工業株式会社 | Specific server and communication device |
US10523648B2 (en) * | 2017-04-03 | 2019-12-31 | Microsoft Technology Licensing, Llc | Password state machine for accessing protected resources |
US10749868B2 (en) * | 2018-06-29 | 2020-08-18 | Microsoft Technology Licensing, Llc | Registration of the same domain with different cloud services networks |
- 2017
  - 2017-09-30 CN CN201710914860.XA patent/CN109600337B/zh active Active
- 2018
  - 2018-09-11 KR KR1020207007631A patent/KR102338718B1/ko active IP Right Grant
  - 2018-09-11 JP JP2020517453A patent/JP6943511B2/ja active Active
  - 2018-09-11 WO PCT/CN2018/104986 patent/WO2019062536A1/zh unknown
  - 2018-09-11 EP EP18863724.3A patent/EP3664405B1/en active Active
- 2020
  - 2020-02-27 US US16/803,443 patent/US11190503B2/en active Active
Patent Citations (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20110137805A1 (en) * | 2009-12-03 | 2011-06-09 | International Business Machines Corporation | Inter-cloud resource sharing within a cloud computing environment |
CN102255933A (zh) * | 2010-05-20 | 2011-11-23 | 中兴通讯股份有限公司 | Cloud service broker, cloud computing method and cloud system |
CN102369714A (zh) * | 2011-08-31 | 2012-03-07 | 华为技术有限公司 | Method for a cloud terminal to access a cloud server in a cloud computing system, and cloud computing system |
CN104052775A (zh) * | 2013-03-14 | 2014-09-17 | 腾讯科技(深圳)有限公司 | Permission management method, apparatus and system for cloud platform services |
CN106559453A (zh) * | 2015-09-29 | 2017-04-05 | 中兴通讯股份有限公司 | External resource management method, apparatus and system for cloud interconnection |
CN106933648A (zh) * | 2015-12-31 | 2017-07-07 | 中国电信股份有限公司 | Method and system for multi-tenant container resource management |
CN106657152A (zh) * | 2017-02-07 | 2017-05-10 | 腾讯科技(深圳)有限公司 | Authentication method, server and access control apparatus |
Non-Patent Citations (1)
Title |
---|
See also references of EP3664405A4 * |
Cited By (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN112346880A (zh) * | 2019-08-07 | 2021-02-09 | 腾讯科技(深圳)有限公司 | Interface calling method, apparatus, computer-readable storage medium and computer device |
CN112346880B (zh) * | 2019-08-07 | 2023-10-31 | 腾讯科技(深圳)有限公司 | Interface calling method, apparatus, computer-readable storage medium and computer device |
CN110650142A (zh) * | 2019-09-25 | 2020-01-03 | 腾讯科技(深圳)有限公司 | Access request processing method, apparatus, system, storage medium and computer device |
CN110650142B (zh) * | 2019-09-25 | 2022-05-24 | 腾讯科技(深圳)有限公司 | Access request processing method, apparatus, system, storage medium and computer device |
Also Published As
Publication number | Publication date |
---|---|
CN109600337B (zh) | 2020-12-15 |
JP6943511B2 (ja) | 2021-10-06 |
EP3664405A4 (en) | 2020-07-08 |
CN109600337A (zh) | 2019-04-09 |
KR20200038991A (ko) | 2020-04-14 |
KR102338718B1 (ko) | 2021-12-14 |
EP3664405B1 (en) | 2022-06-15 |
JP2020535530A (ja) | 2020-12-03 |
US20200195632A1 (en) | 2020-06-18 |
US11190503B2 (en) | 2021-11-30 |
EP3664405A1 (en) | 2020-06-10 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
WO2021114923A1 (zh) | Data storage and data reading method and apparatus for private data | |
US9917829B1 (en) | Method and apparatus for providing a conditional single sign on | |
US9846778B1 (en) | Encrypted boot volume access in resource-on-demand environments | |
US9729531B2 (en) | Accessing a computer resource using an access control model and policy | |
EP1914658B1 (en) | Identity controlled data center | |
WO2019062536A1 (zh) | 资源处理方法、装置、系统及计算机可读介质 | |
US8838961B2 (en) | Security credential deployment in cloud environment | |
WO2017020452A1 (zh) | Authentication method and authentication system | |
JP7202688B2 (ja) | Authentication system, authentication method, application providing apparatus, authentication apparatus and authentication program | |
WO2019020051A1 (zh) | Security authentication method and apparatus | |
WO2015196659A1 (zh) | Method and apparatus for connection authentication between a desktop cloud client and server | |
WO2018219056A1 (zh) | Authentication method, apparatus, system and storage medium | |
WO2018145605A1 (zh) | Authentication method, server and access control apparatus | |
CN112187724B (zh) | Access control method, apparatus, gateway, client and security token service | |
TW201042973A (en) | Token-based client to server authentication of a secondary communication channel by way of primary authenticated communication channels | |
US10819709B1 (en) | Authorizing delegated capabilities to applications in a secure end-to-end communications system | |
US11663318B2 (en) | Decentralized password vault | |
EP4096147A1 (en) | Secure enclave implementation of proxied cryptographic keys | |
US10516655B1 (en) | Encrypted boot volume access in resource-on-demand environments | |
US11177958B2 (en) | Protection of authentication tokens | |
TWI469613B (zh) | 雲端認證系統及方法 | |
CN114520735A (zh) | User identity authentication method, system and medium based on a trusted execution environment | |
US11790115B1 (en) | Privacy preserving data processing in a Solid ecosystem using agents | |
US11736461B1 (en) | Sharing secrets over one or more computer networks using proxies | |
CN114329574B (zh) | Encrypted partition access control method, system and computing device based on a domain management platform | |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
121 | Ep: the epo has been informed by wipo that ep was designated in this application |
Ref document number: 18863724 Country of ref document: EP Kind code of ref document: A1 |
|
ENP | Entry into the national phase |
Ref document number: 2018863724 Country of ref document: EP Effective date: 20200303 |
|
ENP | Entry into the national phase |
Ref document number: 20207007631 Country of ref document: KR Kind code of ref document: A |
|
ENP | Entry into the national phase |
Ref document number: 2020517453 Country of ref document: JP Kind code of ref document: A |
|
NENP | Non-entry into the national phase |
Ref country code: DE |