WO2020233361A1 - Internal service invoking method and apparatus based on gateway, and terminal device - Google Patents


Info

Publication number
WO2020233361A1
Authority
WO
WIPO (PCT)
Prior art keywords
request
forwarded
address
platform
call request
Application number
PCT/CN2020/087383
Other languages
French (fr)
Chinese (zh)
Inventor
李晨光
Original Assignee
深圳壹账通智能科技有限公司

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 12/00 Data switching networks
    • H04L 12/66 Arrangements for connecting between networks having differing types of switching systems, e.g. gateways
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L 63/0807 Network architectures or network communication protocols for network security for authentication of entities using tickets, e.g. Kerberos
    • H04L 63/12 Applying verification of the received information
    • H04L 67/00 Network arrangements or protocols for supporting network services or applications
    • H04L 67/50 Network services
    • H04L 67/60 Scheduling or organising the servicing of application requests, e.g. requests for application data transmissions using the analysis and optimisation of the required network resources
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L 9/321 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving a third party or a trusted authority
    • H04L 9/3213 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving a third party or a trusted authority using tickets or tokens, e.g. Kerberos

Definitions

  • This application belongs to the technical field of massive data processing, and particularly relates to a gateway-based internal service invocation method, device, terminal device, and computer-readable storage medium.
  • Network isolation solutions are usually applied in the network architecture of an organization or government department, so that different sub-units (internal network areas) are isolated from each other and users cannot leak confidential information privately.
  • For example, internal network A needs to obtain statistical data from internal network B for program development, so, on top of the applied network isolation scheme, an intranet platform is usually built for data exchange.
  • When an internal network wants to access the internal services provided by another internal network, the request must pass through the authentication and forwarding of the intranet platform.
  • The intranet platform often has special format requirements for requests.
  • After the intranet platform receives a request, it allocates a token to the request in order to verify whether the request is authorized to access internal services.
  • Because of these access characteristics of the intranet platform, the caller of an internal service must manually configure the request according to the format requirements and then wait for the intranet platform to allocate a token to the request before the internal service can be accessed successfully.
  • The inventor found that the existing process of invoking internal services is cumbersome, takes a long time to operate, and has low invocation efficiency.
  • The embodiments of the present application provide a gateway-based internal service invocation method, device, terminal device, and computer-readable storage medium to solve the problems of the prior art: a cumbersome process for invoking internal services, complicated manual operations, and low invocation efficiency.
  • The first aspect of the embodiments of the present application provides a gateway-based internal service invocation method, including:
  • setting the calling object called by the caller to a preset gateway layer address, where the caller is located in an internal network;
  • determining all internal services that have been exposed on the intranet platform and storing the exposure information of all those internal services in the gateway layer, where the exposure information includes the address of the internal service;
  • if a call request is received in the gateway layer, verifying the call request according to all the exposure information, determining the internal service requested by the call request as the target service after the verification passes, configuring the call request according to the platform forwarding rules corresponding to the intranet platform, and determining the configured call request as the request to be forwarded;
  • judging whether token information corresponding to the request to be forwarded exists in the cache;
  • if the token information corresponding to the request to be forwarded exists in the cache, splicing the token information with the request to be forwarded in the gateway layer and sending the spliced request to be forwarded to the intranet platform;
  • authenticating the token information in the spliced request to be forwarded and, after the authentication passes, forwarding the request to be forwarded to the target service.
  • The second aspect of the embodiments of the present application provides a gateway-based internal service invocation device, including:
  • a setting unit configured to set the calling object called by the caller to a preset gateway layer address, where the caller is located in an internal network;
  • a storage unit configured to determine all internal services that have been exposed on the intranet platform and store the exposure information of all those internal services in the gateway layer, where the exposure information includes the address of the internal service;
  • a configuration unit configured to, if a call request is received in the gateway layer, verify the call request according to all the exposure information, determine the internal service requested by the call request as the target service after the verification passes, configure the call request according to the platform forwarding rules corresponding to the intranet platform, and determine the configured call request as the request to be forwarded;
  • a judging unit configured to judge whether token information corresponding to the request to be forwarded exists in the cache;
  • a splicing unit configured to, if the token information corresponding to the request to be forwarded exists in the cache, splice the token information with the request to be forwarded in the gateway layer and send the spliced request to be forwarded to the intranet platform;
  • a forwarding unit configured to authenticate the token information in the spliced request to be forwarded and, after the authentication passes, forward the request to be forwarded to the target service.
  • A third aspect of the embodiments of the present application provides a terminal device.
  • The terminal device includes a memory, a processor, and a computer program stored in the memory and runnable on the processor; when the processor executes the computer program, the following steps are implemented:
  • setting the calling object called by the caller to a preset gateway layer address, where the caller is located in an internal network;
  • determining all internal services that have been exposed on the intranet platform and storing the exposure information of all those internal services in the gateway layer, where the exposure information includes the address of the internal service;
  • if a call request is received in the gateway layer, verifying the call request according to all the exposure information, determining the internal service requested by the call request as the target service after the verification passes, configuring the call request according to the platform forwarding rules corresponding to the intranet platform, and determining the configured call request as the request to be forwarded;
  • judging whether token information corresponding to the request to be forwarded exists in the cache;
  • if the token information corresponding to the request to be forwarded exists in the cache, splicing the token information with the request to be forwarded in the gateway layer and sending the spliced request to be forwarded to the intranet platform;
  • authenticating the token information in the spliced request to be forwarded and, after the authentication passes, forwarding the request to be forwarded to the target service.
  • The fourth aspect of the embodiments of the present application provides a computer-readable storage medium that stores a computer program; when the computer program is executed by a processor, the following steps are implemented:
  • setting the calling object called by the caller to a preset gateway layer address, where the caller is located in an internal network;
  • determining all internal services that have been exposed on the intranet platform and storing the exposure information of all those internal services in the gateway layer, where the exposure information includes the address of the internal service;
  • if a call request is received in the gateway layer, verifying the call request according to all the exposure information, determining the internal service requested by the call request as the target service after the verification passes, configuring the call request according to the platform forwarding rules corresponding to the intranet platform, and determining the configured call request as the request to be forwarded;
  • judging whether token information corresponding to the request to be forwarded exists in the cache;
  • if the token information corresponding to the request to be forwarded exists in the cache, splicing the token information with the request to be forwarded in the gateway layer and sending the spliced request to be forwarded to the intranet platform;
  • authenticating the token information in the spliced request to be forwarded and, after the authentication passes, forwarding the request to be forwarded to the target service.
  • In the embodiments of the present application, the calling object is set to the gateway layer address and the exposure information of all internal services is stored in the gateway layer. If a call request is received in the gateway layer, the call request is verified according to all the exposure information; after the verification passes, the format of the call request is configured to obtain the request to be forwarded; the token information corresponding to the request to be forwarded is then looked up in the cache and spliced with the request to be forwarded; and finally the spliced request to be forwarded is sent to the intranet platform. If the authentication of the spliced request to be forwarded passes, the request to be forwarded is forwarded to the target service.
  • By configuring the gateway layer, the embodiment of the present invention realizes automatic format configuration of the call request, reduces manual operation, simplifies the process of allocating tokens, and improves the efficiency of calling internal services.
  • FIG. 1 is an implementation flowchart of a gateway-based internal service invocation method provided by Embodiment 1 of the present application;
  • FIG. 2 is an implementation flowchart of a gateway-based internal service invocation method provided by Embodiment 2 of the present application;
  • FIG. 3 is an implementation flowchart of a gateway-based internal service invocation method provided by Embodiment 3 of the present application;
  • FIG. 4 is an implementation flowchart of a gateway-based internal service invocation method provided by Embodiment 4 of the present application;
  • FIG. 5 is a structural block diagram of a gateway-based internal service invoking device provided by Embodiment 5 of the present application;
  • FIG. 6 is a schematic diagram of a terminal device provided in Embodiment 6 of the present application.
  • FIG. 1 shows the implementation process of the gateway-based internal service invocation method provided by the embodiment of the present application, which is detailed as follows:
  • The calling object called by the caller is set to a preset gateway layer address, where the caller is located in an internal network.
  • Network isolation solutions are usually applied within an organization; for example, the machines of the development department are placed in one internal network and the machines of the business department in another, and the different internal networks are set up to be isolated from each other. Specifically, firewalls or hardware isolation can be used to achieve the isolation.
  • The development department needs to obtain business department data as background data for application development, so an intranet platform is usually set up to implement communication between the different internal networks.
  • The embodiment of this application is aimed at the above scenario.
  • In the embodiment, a gateway layer is set between the internal network and the intranet platform.
  • The gateway layer refers to an intermediate module that packages requests and forwards them according to specific routing rules.
  • The specific architecture of the intranet platform and the gateway layer is not limited: any intranet platform and gateway layer that can implement the corresponding functions can be applied in the embodiments of the present application.
  • In the traditional approach, the manually configured call request is sent directly to the intranet platform, which then forwards it.
  • The calling object called by the caller is set to the preset gateway layer address so that the call request initiated by the caller is sent to the gateway layer. Here the caller refers to the subject that initiates the call from an internal network; "caller" is an abstract name, and it may be a certain piece of code or a certain file on a machine located in the internal network, etc.
  • The gateway layer address is the Internet Protocol address of the gateway layer that has been set, and it can be customized in advance.
  • S102: determine all internal services that have been exposed on the intranet platform, and store the exposure information of all those internal services in the gateway layer, where the exposure information includes the address of the internal service.
  • Service exposure enables the intranet platform to display and call the internal service.
  • Service exposure refers to uploading the exposure information of an internal service to the intranet platform for registration; only after the internal service has been registered successfully will the intranet platform forward requests for that internal service.
  • The embodiments of this application do not limit the service exposure requirements or the format of the exposure information, except that the exposure information must include at least the Internet Protocol address of the internal service. For example, in a practical application scenario the exposure information may also include the port number, the name of the internal service, and so on.
  • When setting up the gateway layer, all internal services that have been exposed on the intranet platform are determined and the exposure information of all those internal services is stored in the gateway layer. To facilitate subsequent request forwarding, a mapping relationship between the gateway layer address and all the exposure information can also be established when the exposure information is stored in the gateway layer.
  • If a call request is received in the gateway layer, the call request is verified according to all the exposure information, and the internal service requested by the call request is determined after the verification passes.
  • The call request is then configured according to the platform forwarding rule corresponding to the intranet platform, and the configured call request is determined as the request to be forwarded.
  • In the embodiment, the caller sends the original, unconfigured call request directly to the gateway layer, and the call request is configured in the gateway layer. Specifically, if a call request is received in the gateway layer, the call request is verified according to all the exposure information, and the internal service requested by the call request is determined as the target service after the verification passes.
  • The verification process depends on the format of the exposure information and of the call request. For example, when the call request carries the name of an internal service, the call request can be verified against the names of the internal services in all the exposure information, to determine whether the call request contains the name of one of the exposed internal services.
  • Optionally, the target address in the call request is obtained and it is determined whether any exposure information contains that target address; if so, the call request is determined to have passed verification and the internal service corresponding to that exposure information is determined as the internal service requested by the call request; if no exposure information contains the target address, the call request is discarded and an error message is output.
  • A call request initiated by the caller usually contains a source address (usually the address of the caller) and a target address (the target address indicates the address of the internal service requested by the call request; the calling object mentioned above merely indicates the object to which the caller initiates the call and has a different meaning). Therefore, in this step the target address in the call request can be obtained; where the target address is located depends on the underlying protocol of the call request, which is not elaborated in the embodiment of the application. The obtained target address is compared with the address of the internal service in each item of exposure information.
  • If the target address is the same as the address of one of the internal services, the call request is determined to have passed verification and the internal service corresponding to that address is determined as the internal service requested by the call request; conversely, if the target address differs from the addresses of all the internal services, the call request is discarded and an error message is output to the caller, indicating that no internal service corresponding to the call request exists. Since addresses are exclusive, that is, different internal services usually have different addresses, verification based on the target address in the call request is relatively accurate.
  • The platform forwarding rule is a common rule for all requests that the intranet platform can recognize. It is related to the characteristics of the intranet platform and can be set according to the actual application scenario. For example, the platform forwarding rule can be set to the field "ESG", meaning that only a request whose name contains the field "ESG" can be recognized by the intranet platform; in this step, the field "ESG" is added to the name of the call request to complete the configuration of the call request.
  • The configuration process based on the platform forwarding rule can be stored in the gateway layer in advance in code form, so that call requests that pass verification are configured automatically. For ease of distinction, the configured call request is determined as the request to be forwarded.
  • Token authentication is then performed on the request to be forwarded: specifically, the verification information in the request to be forwarded is extracted and the cache is checked for token information corresponding to that verification information, where the token information indicates that the request to be forwarded has the right to call the target service.
  • The type of verification information can be determined according to the actual application scenario; for example, the verification information can be the username and password in the request to be forwarded.
  • The cache stores the token information corresponding to the verification information of requests that have previously accessed the target service successfully.
  • Token information is usually set with an expiration time (such as one hour) when new token information is added to the cache; once the expiration time is reached, the token information is discarded.
  • The embodiment of the application does not limit how token information is generated.
  • For example, the token can be generated from the username, password, and timestamp through the MD5 hash algorithm or another irreversible (one-way) algorithm.
  • The cached token information corresponding to different internal services may also differ. Therefore, in the embodiment of the present application, when token information is stored in the cache, the internal service corresponding to the token information is also recorded; in this step, the token information corresponding to the target service is first identified in the cache, and then it is determined whether token information corresponding to the request to be forwarded exists among it, which improves the accuracy of the judgment.
  • If the token information corresponding to the request to be forwarded exists in the cache, the token information and the request to be forwarded are spliced in the gateway layer, and the spliced request to be forwarded is sent to the intranet platform.
  • If the token information corresponding to the request to be forwarded exists in the cache, this proves that the same request has previously called the target service, and for a request that has already called the target service the corresponding token information is also stored in the database; therefore the token information is spliced with the request to be forwarded in the gateway layer and the spliced request to be forwarded is sent to the intranet platform, where the token information is spliced into the request header of the request to be forwarded.
  • Optionally, the mapping relationship from the gateway layer address to the address of the intranet platform is stored in the gateway layer in advance.
  • Optionally, the service access rules corresponding to all internal services are also stored in the gateway layer; the service access rules indicate the access format of the internal services. The spliced request to be forwarded is then configured according to the service access rule corresponding to the target service, and the configured request to be forwarded is sent to the intranet platform.
  • The embodiments of this application do not limit the types of service access rules.
  • For example, if the target service only recognizes requests sent from a specific address, the service access rule can be set to replace the source address in the spliced request to be forwarded with that specific address; if the target service only recognizes requests that use the Hypertext Transfer Protocol Secure (HTTPS) protocol, the service access rule can be set to encapsulate the spliced request to be forwarded according to the HTTPS protocol; and if the target service only recognizes requests encrypted with a specific key and a specific encryption algorithm, the service access rule can be set to encrypt the spliced request to be forwarded with that key and that algorithm.
  • Configuring the request according to the pre-stored service access rule in this way makes the configured request conform to the access specification of the target service, which improves the success rate of internal service invocation.
  • The token information in the spliced request to be forwarded is authenticated, and after the authentication passes, the request to be forwarded is forwarded to the target service.
  • The verification information and token information in the spliced request to be forwarded are extracted for authentication; specifically, it is determined whether the verification information and token information are consistent with those in the database. If they are consistent, the authentication passes, the request to be forwarded is forwarded to the target service, the target service is called according to the specific content of the request to be forwarded, and the entire internal service invocation process is completed; if they are inconsistent, token information is reallocated to the request to be forwarded in the intranet platform.
  • In summary, the calling object is set to the gateway layer address and the exposure information of all internal services is stored in the gateway layer. If a call request is received in the gateway layer, the call request is verified according to all the exposure information; after the verification passes, the call request is formatted to obtain the request to be forwarded; the token information corresponding to the request to be forwarded is then looked up in the cache and spliced with the request to be forwarded; and finally the spliced request to be forwarded is sent to the intranet platform. If the spliced request to be forwarded passes authentication, the request to be forwarded is forwarded to the target service.
  • By configuring the gateway layer, the embodiment of the application intercepts the call request in the gateway layer and configures it automatically, reducing manual configuration operations, simplifying the subsequent process of assigning tokens, and improving the efficiency of calling internal services.
  • FIG. 2 shows an internal service invocation method obtained by extending, on the basis of the first embodiment of the present application, the process of judging whether the token information corresponding to the request to be forwarded exists in the cache.
  • The embodiment of the present application provides an implementation flowchart of a gateway-based internal service invocation method. As shown in FIG. 2, the internal service invocation method may include the following steps:
  • If the token information corresponding to the request to be forwarded does not exist in the cache, no token information is spliced in the gateway layer; instead, the request to be forwarded is sent directly to the intranet platform.
  • In the intranet platform, token information is created and allocated for the request to be forwarded, and the allocated token information is spliced with the request to be forwarded.
  • For the request to be forwarded that is sent to the intranet platform, the verification information in it is extracted and it is determined whether that verification information is valid; after the verification information is determined to be valid, token information is generated based on it. For example, when the verification information is the username and password in the request to be forwarded, if the username is stored in the database and the password matches the username and is valid, token information is generated from the username, the password, and a timestamp using the MD5 hash algorithm or another irreversible algorithm. The generated token information is then spliced with the request to be forwarded.
  • In summary, if the token information does not exist in the cache, the request to be forwarded is sent from the gateway layer to the intranet platform, which creates token information for the request to be forwarded and splices the created token information with it.
  • The embodiment of the application creates new token information in the intranet platform, which completes the token allocation mechanism and improves the comprehensiveness of service invocation.
  • FIG. 3 shows an internal service invocation method obtained by refining, on the basis of the first embodiment of the present application, the process of setting the calling object called by the caller to the preset gateway layer address.
  • The embodiment of the present application provides an implementation flowchart of a gateway-based internal service invocation method.
  • The internal service invocation method may include the following steps:
  • In the traditional method, the calling object of the caller is the address of the intranet platform (for the sake of distinction, this address is called the platform address). In this embodiment of the application the traditional method is improved: the caller's underlying code is searched according to the platform address, and each line of underlying code containing the platform address is determined as calling code.
  • The platform address is the calling object of the calling code. Therefore, in this step, the platform address in all the calling code is replaced with the gateway layer address to complete the replacement of the calling object. After the replacement, when the calling code is run, the call request is automatically sent to the gateway layer.
  • In summary, the caller's underlying code is searched according to the platform address, each line of underlying code containing the platform address is determined as calling code, and the platform addresses in all the calling code are replaced with the gateway layer address.
  • The embodiment of the present application improves the convenience of setting the calling object by performing batch replacement of platform addresses.
  • Figure 4 shows an internal service invoking method obtained by extending, on the basis of the first embodiment of the present application, the process performed before the call request is configured according to the platform forwarding rules corresponding to the intranet platform. The embodiment of the present application provides an implementation flowchart of a gateway-based internal service invocation method. As shown in FIG. 4, the internal service invocation method may include the following steps:
  • First, the permission address set corresponding to each internal service in the intranet platform is obtained, and the source address in the call request is obtained. The permission address set includes at least one address that is permitted to access the internal service, and the source address is the address of the caller that initiated the call request.
  • The permission address set corresponding to an internal service can also be stored in the gateway layer together with its exposure information. The permission address set includes at least one address authorized to access the internal service; both the addresses and the permission address set can be set by the manager of the internal service. The source address in the call request is obtained to facilitate the subsequent check; the source address is the address of the caller that initiated the call request.
  • If the source address in the call request is located in the permission address set corresponding to the target service, this proves that the call request has permission to access the target service, and the subsequent operation of configuring the call request according to the platform forwarding rules preset in the intranet platform continues.
  • If the source address in the call request is not located in the permission address set corresponding to the target service, the gateway layer intercepts the call request and outputs an unauthorized-access prompt to the caller that initiated the call request. The prompt can be sent as a front-end prompt box, SMS or email, which is not limited in the embodiment of the application.
  • In summary, in this embodiment of the application it is determined whether the source address in the call request is located in the permission address set corresponding to the target service. If it is, the subsequent operation of configuring the call request according to the platform forwarding rules preset in the intranet platform is executed normally; if it is not, the call request is intercepted and the caller is notified that it has no right to access. This embodiment of the application intercepts a call request in time when it has no right to access the target service, saving computing resources.
  • FIG. 5 shows a structural block diagram of the gateway-based internal service invocation device provided in an embodiment of the present application. Referring to FIG. 5, the internal service invocation device includes:
  • the setting unit 51, configured to set the calling object called by the caller to a preset gateway layer address, where the caller is located in an internal network and the gateway layer address is the address of the preset gateway layer;
  • the storage unit 52, configured to determine all internal services that have been exposed on the intranet platform, and to store the exposure information of all the internal services in the gateway layer, where the exposure information includes the address of the internal service;
  • the configuration unit 53, configured to, if a call request is received in the gateway layer, verify the call request according to all the exposure information, and after the verification is passed, determine the internal service requested by the call request as the target service, configure the call request according to the platform forwarding rules corresponding to the intranet platform, and determine the configured call request as the request to be forwarded;
  • the judging unit 54, configured to judge whether token information corresponding to the request to be forwarded exists in the cache;
  • the splicing unit 55, configured to, if the token information corresponding to the request to be forwarded exists in the cache, splice the token information with the request to be forwarded in the gateway layer and send the spliced request to be forwarded to the intranet platform;
  • the forwarding unit 56, configured to authenticate the token information in the spliced request to be forwarded, and after the authentication is passed, forward the request to be forwarded to the target service.
  • The configuration unit 53 includes:
  • a target address obtaining unit, configured to obtain the target address in the call request and determine whether exposure information including the target address exists;
  • a verification passing unit, configured to, if exposure information including the target address exists, determine that the call request has passed verification and determine that the internal service corresponding to that exposure information is the internal service requested by the call request;
  • a discarding unit, configured to discard the call request and output an error prompt if no exposure information including the target address exists.
  • The gateway layer also stores service access rules corresponding to all internal services, where a service access rule indicates the access format of an internal service, and the splicing unit 55 includes:
  • a rule configuration unit, configured to configure the spliced request to be forwarded according to the service access rule corresponding to the target service, and to send the configured request to be forwarded to the intranet platform.
  • The judging unit 54 further includes:
  • a sending unit, configured to send the request to be forwarded from the gateway layer to the intranet platform if no token information corresponding to the request to be forwarded exists in the cache;
  • a creation unit, configured to create the token information for the request to be forwarded and to splice the created token information with the request to be forwarded.
  • The setting unit 51 includes:
  • a search unit, configured to search the underlying code of the caller according to the platform address and determine each line of underlying code containing the platform address to be calling code, where the platform address is the address of the intranet platform;
  • a replacement unit, configured to replace the platform address in all the calling code with the gateway layer address.
  • The configuration unit 53 further includes:
  • a source address obtaining unit, configured to obtain the permission address set corresponding to each internal service in the intranet platform and to obtain the source address in the call request, where the permission address set includes at least one address permitted to access the internal service and the source address is the address of the caller that initiated the call request;
  • an execution unit, configured to execute the operation of configuring the call request according to the platform forwarding rule preset in the intranet platform if the source address is in the permission address set corresponding to the target service;
  • an interception unit, configured to intercept the call request if the source address is not in the permission address set corresponding to the target service, and to output an unauthorized-access prompt to the caller that initiated the call request.
  • The gateway-based internal service invocation device provided by the embodiment of the present invention reduces manual configuration operations by setting up the gateway layer, simplifies the token distribution process by distributing token information from the cache, and improves the convenience and efficiency of invoking internal services.
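The gateway flow described for FIG. 4 (source-address check) and FIG. 5 (storage, configuration, judging, splicing, interception and forwarding units), as an added example that is not the patent's or the applicant's code. The intranet platform is simulated in-process; the class names, addresses, the envelope used as the "platform forwarding rule", the two access formats, the cache key and the token lifetime are assumptions made for illustration.

```python
import json
import secrets
import time
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlencode

# Added example, not the patent's or the applicant's code: an in-process model of
# the gateway layer and of the intranet platform it forwards to. Class names,
# addresses, envelope, access formats and token lifetime are all assumptions.


@dataclass(frozen=True)
class Exposure:
    """Exposure information held in the gateway for one exposed internal service."""
    service: str          # internal service name
    address: str          # service address on the intranet platform (the target address)
    access_format: str    # service access rule: "json" or "form" (assumed formats)
    permitted: frozenset  # permission address set: caller addresses allowed in


@dataclass
class Request:
    source: str                  # address of the caller that initiated the call request
    target: str                  # target address named in the call request
    body: dict
    token: Optional[str] = None  # token information spliced on by gateway or platform


class IntranetPlatform:
    """Simulated intranet platform: creates, authenticates and consumes tokens."""
    TOKEN_TTL = 300.0  # seconds; assumed, the patent fixes no lifetime

    def __init__(self):
        self._tokens = {}    # token -> (source, target, expiry)
        self.delivered = []  # (target, envelope) pairs forwarded to target services

    def create_token(self, source, target):
        tok = secrets.token_urlsafe(24)  # opaque, unguessable bearer token
        self._tokens[tok] = (source, target, time.time() + self.TOKEN_TTL)
        return tok

    def authenticate(self, req):
        rec = self._tokens.get(req.token or "")
        if rec is None:
            return False
        src, tgt, exp = rec
        # Binding the token to (caller, target) is this example's choice: a token
        # cached for one pair then cannot be replayed against another service.
        return (src, tgt) == (req.source, req.target) and time.time() < exp

    def receive(self, req):
        if req.token is None:              # no cached token: the platform creates one
            req.token = self.create_token(req.source, req.target)
        if not self.authenticate(req):     # S106: authenticate the token information
            return {"status": 401, "error": "token authentication failed"}
        self.delivered.append((req.target, req.body))  # forward to the target service
        return {"status": 200, "token": req.token}


class Gateway:
    def __init__(self, platform, exposures):
        self.platform = platform
        self.exposures = {e.address: e for e in exposures}  # storage unit
        self.cache = {}                                     # (source, target) -> token

    def configure(self, exp, req):
        """Platform forwarding rule (assumed envelope) plus the service access rule."""
        if exp.access_format == "form":
            payload = urlencode(req.body)
        else:
            payload = json.dumps(req.body, sort_keys=True)
        envelope = {"service": exp.service, "caller": req.source,
                    "format": exp.access_format, "payload": payload}
        return Request(req.source, req.target, envelope)

    def handle(self, req):
        exp = self.exposures.get(req.target)   # target address obtaining unit
        if exp is None:                        # discarding unit
            return {"status": 404, "error": "no exposure information for target"}
        if req.source not in exp.permitted:    # interception unit (FIG. 4 check)
            return {"status": 403, "error": "unauthorized access"}
        fwd = self.configure(exp, req)         # the request to be forwarded
        key = (req.source, req.target)
        fwd.token = self.cache.get(key)        # judging unit + splicing unit
        resp = self.platform.receive(fwd)
        if resp["status"] == 200:
            self.cache[key] = resp["token"]    # keep the platform-created token
        elif resp["status"] == 401:
            self.cache.pop(key, None)          # stale or forged token: evict it
        return resp


def demo_gateway():
    """Gateway with two exposed services (constructed sample configuration)."""
    exposures = [
        Exposure("stats", "/stats/v1", "json", frozenset({"10.1.0.10"})),
        Exposure("ledger", "/ledger/v2", "form", frozenset({"10.1.0.10", "10.1.0.11"})),
    ]
    return Gateway(IntranetPlatform(), exposures)
```

Two design points are this example's additions rather than the patent's: the cached token is keyed by (source address, target address) and the platform binds each token to that pair with an expiry, so a token cached for one caller cannot be spliced onto another caller's request, and a 401 from the platform evicts the cache entry so the next call obtains a fresh token instead of failing repeatedly. The FIG. 4 check is only as strong as the source address the gateway reads; in a deployment that address should come from the transport (the peer address or a client certificate), not from a header the caller can set.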
  • Fig. 6 is a schematic diagram of a terminal device provided by an embodiment of the present application. As shown in FIG. 6, the terminal device 6 of this embodiment includes: a processor 60, a memory 61, and a computer program 62 stored in the memory 61 and runnable on the processor 60, such as a gateway-based internal service invocation program.
  • When the processor 60 executes the computer program 62, the steps in the above embodiments of the gateway-based internal service invocation method are implemented. The steps include: S101. Set the calling object called by the caller to a preset gateway layer address, where the caller is located in an internal network and the gateway layer address is the address of the preset gateway layer; S102. Determine all internal services that have been exposed on the intranet platform, and store the exposure information of all the internal services in the gateway layer, where the exposure information includes the address of the internal service; S103. If a call request is received in the gateway layer, verify the call request according to all the exposure information, after the verification is passed determine the internal service requested by the call request as the target service, configure the call request according to the platform forwarding rules corresponding to the intranet platform, and determine the configured call request as the request to be forwarded; S104. Judge whether token information corresponding to the request to be forwarded exists in the cache; S105. If the token information corresponding to the request to be forwarded exists in the cache, splice the token information with the request to be forwarded in the gateway layer, and send the spliced request to be forwarded to the intranet platform; S106. Authenticate the token information in the spliced request to be forwarded, and after the authentication is passed, forward the request to be forwarded to the target service.
  • The computer program 62 may be divided into one or more units, and the one or more units are stored in the memory 61 and executed by the processor 60 to implement the present application. The one or more units may be a series of computer program instruction segments capable of completing specific functions, and the instruction segments are used to describe the execution process of the computer program 62 in the terminal device 6. For example, the computer program 62 can be divided into a setting unit, a storage unit, a configuration unit, a judging unit, a splicing unit and a forwarding unit. The specific functions of each unit are as follows:
  • the setting unit, configured to set the calling object called by the caller to a preset gateway layer address, where the caller is located in an internal network and the gateway layer address is the address of the preset gateway layer;
  • the storage unit, configured to determine all internal services that have been exposed on the intranet platform, and to store the exposure information of all the internal services in the gateway layer, where the exposure information includes the address of the internal service;
  • the configuration unit, configured to, if a call request is received in the gateway layer, verify the call request according to all the exposure information, and after the verification is passed, determine the internal service requested by the call request as the target service, configure the call request according to the platform forwarding rules corresponding to the intranet platform, and determine the configured call request as the request to be forwarded;
  • the judging unit, configured to judge whether token information corresponding to the request to be forwarded exists in the cache;
  • the splicing unit, configured to, if the token information corresponding to the request to be forwarded exists in the cache, splice the token information with the request to be forwarded in the gateway layer and send the spliced request to be forwarded to the intranet platform;
  • the forwarding unit, configured to authenticate the token information in the spliced request to be forwarded, and after the authentication is passed, forward the request to be forwarded to the target service.
  • The terminal device 6 may be a computing device such as a desktop computer, a notebook, a palmtop computer or a cloud server. The terminal device may include, but is not limited to, a processor 60 and a memory 61. FIG. 6 is only an example of the terminal device 6 and does not constitute a limitation on the terminal device 6; it may include more or fewer components than shown in the figure, a combination of certain components, or different components. For example, the terminal device may also include input and output devices, network access devices, buses, etc.
  • The processor 60 may be a central processing unit (CPU), or another general-purpose processor, a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, a discrete hardware component, etc. The general-purpose processor may be a microprocessor, or the processor may be any conventional processor or the like.
  • The memory 61 may be an internal storage unit of the terminal device 6, such as a hard disk or main memory of the terminal device 6. The memory 61 may also be an external storage device of the terminal device 6, such as a plug-in hard disk, a Smart Media Card (SMC), a Secure Digital (SD) card, a flash card, etc. equipped on the terminal device 6. Further, the memory 61 may include both an internal storage unit of the terminal device 6 and an external storage device. The memory 61 is used to store the computer program and other programs and data required by the terminal device; it can also be used to temporarily store data that has been output or will be output.
  • The disclosed terminal device and method may be implemented in other ways. The terminal device embodiments described above are only illustrative. For example, the division of the units is only a division by logical function, and there may be other division methods in actual implementation: multiple units or components may be combined or integrated into another system, or some features may be ignored or not implemented. In addition, the displayed or discussed mutual coupling, direct coupling or communication connection may be indirect coupling or communication connection through some interfaces, devices or units, and may be electrical, mechanical or in other forms.
  • The units described as separate components may or may not be physically separated, and the components displayed as units may or may not be physical units; that is, they may be located in one place or distributed over multiple network units. Some or all of the units may be selected according to actual needs to achieve the objectives of the solutions of the embodiments. In addition, the functional units in each embodiment of the present application may be integrated into one processing unit, each unit may exist alone physically, or two or more units may be integrated into one unit. The above integrated unit can be implemented in the form of hardware or in the form of a software functional unit.
  • If the integrated unit is implemented in the form of a software functional unit and sold or used as an independent product, it can be stored in a computer-readable storage medium, which may be volatile or non-volatile. Based on this understanding, all or part of the processes in the above-mentioned embodiments and methods of this application can also be completed by instructing relevant hardware through a computer program, and the computer program can be stored in a computer-readable storage medium.
  • When the computer program is executed by a processor, the steps of the foregoing method embodiments can be implemented. The steps include: S101. Set the calling object called by the caller to a preset gateway layer address, where the caller is located in an internal network and the gateway layer address is the address of the preset gateway layer; S102. Determine all internal services that have been exposed on the intranet platform, and store the exposure information of all the internal services in the gateway layer, where the exposure information includes the address of the internal service; S103. If a call request is received in the gateway layer, verify the call request according to all the exposure information, after the verification is passed determine the internal service requested by the call request as the target service, configure the call request according to the platform forwarding rule corresponding to the intranet platform, and determine the configured call request as the request to be forwarded; S104. Determine whether token information corresponding to the request to be forwarded exists in the cache; S105. If the token information corresponding to the request to be forwarded exists in the cache, splice the token information with the request to be forwarded in the gateway layer, and send the spliced request to be forwarded to the intranet platform; S106. Authenticate the token information in the spliced request to be forwarded, and after the authentication is passed, forward the request to be forwarded to the target service.
  • The computer program includes computer program code, and the computer program code may be in the form of source code, object code, an executable file, or some intermediate form. The computer-readable medium may include any entity or device capable of carrying the computer program code, a recording medium, a U disk (USB flash drive), a removable hard disk, a magnetic disk, an optical disk, computer memory, read-only memory (ROM), random access memory (RAM), an electrical carrier signal, a telecommunications signal, software distribution media, etc.


Abstract

The present application is applicable to the technical field of massive data processing, and provides an internal service invoking method and apparatus based on a gateway, and a terminal device and a computer-readable storage medium. The method comprises: setting an invoking object invoked by an invoking party as a gateway layer address; storing exposure information of all internal services in a gateway layer; checking, according to all pieces of exposure information, an invoking request received by the gateway layer, and after the checking is passed, determining a corresponding internal service as a target service, and configuring the invoking request according to a platform forwarding rule to obtain a request to be forwarded; if there is token information, corresponding to the request to be forwarded, in a cache, splicing the token information with the request to be forwarded, and sending a spliced request to be forwarded to an internal network platform; and authenticating the token information, and after the authentication is passed, forwarding the request to be forwarded to the target service. According to the present application, by means of configuring the gateway layer, manual operation is reduced, and the efficiency of invoking the internal service is improved.

Description

Gateway-based internal service invocation method, device and terminal equipment
This application claims the priority of the Chinese patent application filed with the Chinese Patent Office on May 21, 2019, with application number 201910422745.X and the invention title "Gateway-based internal service invocation method, device and terminal equipment", the entire content of which is incorporated in this application by reference.
Technical field
This application belongs to the technical field of massive data processing, and in particular relates to a gateway-based internal service invocation method, device, terminal device and computer-readable storage medium.
Background
With the rapid development of computer and communication technology, and in response to the data confidentiality requirements of present-day organizations and government departments, a network isolation scheme is usually applied in the network architecture of the organization or department, so that different sub-units (internal network areas) are isolated from each other and users cannot leak data without authorization. However, there are usually also certain communication requirements between different internal network areas; for example, internal network A needs to obtain statistical data from internal network B for program development. Therefore, on top of the applied network isolation scheme, an intranet platform is usually built for data exchange.
If one internal network wants to access an internal service provided by another internal network, it must pass authentication and forwarding by the intranet platform. In the prior art, considering access security, the intranet platform often has special format requirements, and when the intranet platform receives a request it allocates a token to the request in order to verify whether the request has permission to access the internal service. Because of these access characteristics of the intranet platform, the caller of an internal service must manually configure the request according to the format requirements and then wait for the intranet platform to finish allocating a token to the request before it can successfully access the internal service. The inventor found that the existing process of invoking internal services is cumbersome, takes a long time to operate, and has low invocation efficiency.
Technical problem
In view of this, the embodiments of the present application provide a gateway-based internal service invocation method, device, terminal device and computer-readable storage medium, to solve the problems in the prior art that the process of invoking internal services is cumbersome, manual operation is complicated, and invocation efficiency is low.
Technical solution
The first aspect of the embodiments of the present application provides a gateway-based internal service invocation method, including:
setting the calling object called by the caller to a preset gateway layer address, where the caller is located in an internal network and the gateway layer address is the address of the preset gateway layer;
determining all internal services that have been exposed on the intranet platform, and storing the exposure information of all the internal services in the gateway layer, where the exposure information includes the address of the internal service;
if a call request is received in the gateway layer, verifying the call request according to all the exposure information, after the verification is passed determining the internal service requested by the call request as the target service, configuring the call request according to the platform forwarding rules corresponding to the intranet platform, and determining the configured call request as the request to be forwarded;
judging whether token information corresponding to the request to be forwarded exists in the cache;
if the token information corresponding to the request to be forwarded exists in the cache, splicing the token information with the request to be forwarded in the gateway layer, and sending the spliced request to be forwarded to the intranet platform;
authenticating the token information in the spliced request to be forwarded, and after the authentication is passed, forwarding the request to be forwarded to the target service.
The second aspect of the embodiments of the present application provides a gateway-based internal service invocation device, including:
a setting unit, configured to set the calling object called by the caller to a preset gateway layer address, where the caller is located in an internal network and the gateway layer address is the address of the preset gateway layer;
a storage unit, configured to determine all internal services that have been exposed on the intranet platform, and to store the exposure information of all the internal services in the gateway layer, where the exposure information includes the address of the internal service;
a configuration unit, configured to, if a call request is received in the gateway layer, verify the call request according to all the exposure information, and after the verification is passed, determine the internal service requested by the call request as the target service, configure the call request according to the platform forwarding rules corresponding to the intranet platform, and determine the configured call request as the request to be forwarded;
a judging unit, configured to judge whether token information corresponding to the request to be forwarded exists in the cache;
a splicing unit, configured to, if the token information corresponding to the request to be forwarded exists in the cache, splice the token information with the request to be forwarded in the gateway layer and send the spliced request to be forwarded to the intranet platform;
a forwarding unit, configured to authenticate the token information in the spliced request to be forwarded, and after the authentication is passed, forward the request to be forwarded to the target service.
The third aspect of the embodiments of the present application provides a terminal device. The terminal device includes a memory, a processor, and a computer program stored in the memory and runnable on the processor, and when the processor executes the computer program the following steps are implemented:
setting the calling object called by the caller to a preset gateway layer address, where the caller is located in an internal network and the gateway layer address is the address of the preset gateway layer;
determining all internal services that have been exposed on the intranet platform, and storing the exposure information of all the internal services in the gateway layer, where the exposure information includes the address of the internal service;
if a call request is received in the gateway layer, verifying the call request according to all the exposure information, after the verification is passed determining the internal service requested by the call request as the target service, configuring the call request according to the platform forwarding rules corresponding to the intranet platform, and determining the configured call request as the request to be forwarded;
judging whether token information corresponding to the request to be forwarded exists in the cache;
if the token information corresponding to the request to be forwarded exists in the cache, splicing the token information with the request to be forwarded in the gateway layer, and sending the spliced request to be forwarded to the intranet platform;
authenticating the token information in the spliced request to be forwarded, and after the authentication is passed, forwarding the request to be forwarded to the target service.
The fourth aspect of the embodiments of the present application provides a computer-readable storage medium. The computer-readable storage medium stores a computer program, and when the computer program is executed by a processor the following steps are implemented:
setting the calling object called by the caller to a preset gateway layer address, where the caller is located in an internal network and the gateway layer address is the address of the preset gateway layer;
determining all internal services that have been exposed on the intranet platform, and storing the exposure information of all the internal services in the gateway layer, where the exposure information includes the address of the internal service;
if a call request is received in the gateway layer, verifying the call request according to all the exposure information, after the verification is passed determining the internal service requested by the call request as the target service, configuring the call request according to the platform forwarding rules corresponding to the intranet platform, and determining the configured call request as the request to be forwarded;
judging whether token information corresponding to the request to be forwarded exists in the cache;
if the token information corresponding to the request to be forwarded exists in the cache, splicing the token information with the request to be forwarded in the gateway layer, and sending the spliced request to be forwarded to the intranet platform;
authenticating the token information in the spliced request to be forwarded, and after the authentication is passed, forwarding the request to be forwarded to the target service.
Beneficial effects
Compared with the prior art, the embodiments of the present invention have the following beneficial effects:
In the embodiments of the present invention, the calling object is set to the gateway layer address, and the exposure information of all internal services is stored in the gateway layer. If a call request is received in the gateway layer, the call request is verified according to all the exposure information; after the verification is passed, the format of the call request is configured to obtain the request to be forwarded; the token information corresponding to the request to be forwarded is then looked up in the cache and spliced with the request to be forwarded; finally, the spliced request to be forwarded is sent to the intranet platform, and if the spliced request to be forwarded passes authentication, it is forwarded to the target service. By configuring the gateway layer, the embodiments of the present invention realize automatic format configuration of call requests, reduce manual operation, simplify the process of allocating tokens, and improve the efficiency of invoking internal services.
Description of the drawings
FIG. 1 is an implementation flowchart of a gateway-based internal service invocation method provided by Embodiment 1 of the present application;
FIG. 2 is an implementation flowchart of a gateway-based internal service invocation method provided by Embodiment 2 of the present application;
FIG. 3 is an implementation flowchart of a gateway-based internal service invocation method provided by Embodiment 3 of the present application;
FIG. 4 is an implementation flowchart of a gateway-based internal service invocation method provided by Embodiment 4 of the present application;
FIG. 5 is a structural block diagram of a gateway-based internal service invocation apparatus provided by Embodiment 5 of the present application;
FIG. 6 is a schematic diagram of a terminal device provided by Embodiment 6 of the present application.
Embodiments of the invention
In order to illustrate the technical solutions described in the present application, specific embodiments are described below.
FIG. 1 shows the implementation flow of the gateway-based internal service invocation method provided by an embodiment of the present application, detailed as follows:
In S101, the call object invoked by the caller is set to a preset gateway layer address, where the caller is located in an internal network and the gateway layer address is the address of a preset gateway layer.
Enterprises and institutions today often have confidentiality requirements. For example, data isolation must be ensured between the development department and the business department so that the development department's data is not leaked. To achieve this, a network isolation scheme is usually applied within the organization: for example, the development department's machines are placed in one internal network, the business department's machines in another, and the different internal networks are isolated from one another, which can be implemented with firewalls or hardware isolation. On this basis, since different internal networks may need to communicate (for example, the development department may need to obtain the business department's data as back-end data for application development), an intranet platform is usually also set up to enable communication between the different internal networks. The embodiments of the present application address this scenario by placing a gateway layer between the internal network and the intranet platform. The gateway layer is an intermediate module that wraps requests and forwards them according to specific routing rules. The embodiments of the present application do not limit the specific architecture of the intranet platform and the gateway layer; any intranet platform and gateway layer capable of implementing the corresponding functions can be applied in the embodiments of the present application.
Compared with the traditional approach, in which a manually configured call request is sent directly to the intranet platform, which then forwards it, in the embodiment of the present application the call object invoked by the caller is set to the preset gateway layer address, so that the call request initiated by the caller is sent to the gateway layer. Here the caller is the entity that initiates a call from within an internal network; "caller" is an abstract name and may specifically be a piece of code or a file on a machine located in the internal network. The gateway layer address is the Internet Protocol address of the configured gateway layer and can be customized in advance.
In S102, all internal services that have been exposed on the intranet platform are determined, and the exposure information of all the internal services is stored in the gateway layer, the exposure information including the address of the internal service.
An internal network often provides services to the outside (for ease of distinction, the services provided by an internal network are called internal services), such as a data retrieval service or a data modification service. An internal service must be exposed on the intranet platform before the intranet platform can display and invoke it. Service exposure means uploading the exposure information of the internal service to the intranet platform for registration; only after the internal service has been registered successfully can the intranet platform forward requests that invoke it. The embodiments of the present application do not limit the requirements for service exposure or the format of the exposure information, but do require that the exposure information include at least the Internet Protocol address of the internal service; in a practical application scenario, the exposure information may also include the port number and the name of the internal service. While the gateway layer is being set up, all internal services that have been exposed on the intranet platform are determined and their exposure information is stored in the gateway layer. To facilitate subsequent request forwarding, a mapping between the gateway layer address and all the exposure information may also be established when the exposure information is stored in the gateway layer.
In S103, if a call request is received in the gateway layer, the call request is verified against all the exposure information; after the verification passes, the internal service requested by the call request is determined as the target service, the call request is configured according to the platform forwarding rule corresponding to the intranet platform, and the configured call request is determined as the request to be forwarded.
Compared with the traditional approach, in which the call request is configured manually to meet the format requirements of the intranet platform and the internal service, in the embodiment of the present application the call object has already been set to the gateway layer address, so the caller sends the original, unconfigured call request directly to the gateway layer, where it is configured. Specifically, if a call request is received in the gateway layer, it is verified against all the exposure information, and after the verification passes the internal service requested by the call request is determined as the target service. The verification process depends on the format of the exposure information and of the call request. For example, when the call request carries the name of an internal service, the call request can be verified against the internal service names in all the exposure information by checking whether the call request contains the internal service name from one of the exposure records.
Optionally, the target address in the call request is obtained and it is determined whether there is exposure information containing the target address; if there is, the call request is determined to have passed verification and the internal service corresponding to that exposure information is determined as the internal service requested by the call request; if there is no exposure information containing the target address, the call request is discarded and an error prompt is output. A call request initiated by the caller usually contains a source address (usually the caller's address) and a target address (the target address indicates the address of the internal service requested by the call request, whereas the call object mentioned above only indicates what the caller issues the call to; the two have different meanings). Therefore, in this step the target address in the call request can be obtained; where the target address is located depends on the underlying protocol of the call request, which is not described further in the embodiments of the present application. The obtained target address is compared with the internal service addresses in all the exposure information. If the target address is the same as the address of one of the internal services, the call request is determined to have passed verification and the internal service with that address is determined as the internal service requested by the call request; conversely, if the target address differs from the addresses of all the internal services, the call request is discarded and an error prompt is output to the caller, indicating that no internal service corresponding to the call request exists. Because addresses are exclusive, that is, different internal services usually have different addresses, verification based on the target address in the call request is highly accurate.
After the call request passes verification, the internal service requested by the call request is determined as the target service, and the call request is configured according to the platform forwarding rule preset in the intranet platform, to ensure that the configured call request can be successfully recognized by the intranet platform. The platform forwarding rule is a rule common to all requests that the intranet platform can recognize; it is related to the characteristics of the intranet platform and can be set according to the actual application scenario. For example, the platform forwarding rule may be set to the field "ESG", meaning that only requests whose name contains the field "ESG" can be successfully recognized by the intranet platform; in this step the field "ESG" is then added to the name of the call request to complete its configuration. The configuration process implemented on the basis of the platform forwarding rule can be stored in the gateway layer in advance in the form of code, so that call requests that pass verification are configured automatically. For ease of distinction, the configured call request is determined as the request to be forwarded.
In S104, it is determined whether token information corresponding to the request to be forwarded exists in the cache.
Since the networks involved in the embodiments of the present application are all internal networks with relatively broad operating rights, token authentication is performed on the request to be forwarded. Specifically, the verification information in the request to be forwarded is extracted, and the cache is checked for token information (a token) corresponding to that verification information. The token information indicates that the request to be forwarded has the right to invoke the target service. The type of verification information can be determined according to the actual application scenario; for example, it may be the user name and password in the request to be forwarded. It is worth noting that the cache stores the token information corresponding to the verification information of requests that have previously accessed the target service successfully. Token information is usually given an expiry period (for example one hour): after a token is added to the cache, it is discarded once it has been stored for longer than the expiry period. The embodiments of the present application do not limit how the token information is generated; for example, when the verification information is a user name and password, the token information can be generated from the user name, the password and a timestamp using the MD5 algorithm or another irreversible (one-way) algorithm.
Optionally, it is determined whether token information corresponding to the request to be forwarded exists among the cached token information corresponding to the target service. Because the internal services provided by different internal networks may serve different users, the cached token information corresponding to different internal services may also differ. Therefore, in the embodiment of the present application, when token information is stored in the cache, the internal service it corresponds to is also marked, and in this step the cached token information corresponding to the target service is identified and it is determined whether token information corresponding to the request to be forwarded exists among it, which improves the accuracy of the determination.
In S105, if the token information corresponding to the request to be forwarded exists in the cache, the token information is spliced with the request to be forwarded in the gateway layer, and the spliced request to be forwarded is sent to the intranet platform.
If token information corresponding to the request to be forwarded exists in the cache, this shows that the same request has previously invoked the target service, and for a request that has already invoked the target service the corresponding token information is also stored in the database. To simplify the invocation flow, the token information is therefore spliced with the request to be forwarded in the gateway layer, and the spliced call request is sent to the intranet platform; the token information is spliced into the request header of the request to be forwarded. In addition, so that the spliced request to be forwarded can be successfully sent to the intranet platform, a mapping from the gateway layer address to the address of the intranet platform is stored in the gateway layer in advance.
Optionally, if the gateway layer also stores a service access rule corresponding to each internal service, the service access rule indicating the access format of the internal service, the spliced request to be forwarded is configured according to the service access rule corresponding to the target service, and the configured request to be forwarded is sent to the intranet platform. Beyond making the call request conform to the invocation specification of the intranet platform, different internal services often also have different access formats, so in the embodiment of the present application the gateway layer may store, alongside the exposure information of all internal services, a service access rule corresponding to each internal service. Where the gateway layer stores such rules, after the token information has been spliced with the request to be forwarded, the spliced request to be forwarded is configured according to the service access rule corresponding to the target service, and the configured request to be forwarded is sent to the intranet platform. The embodiments of the present application do not limit the types of service access rules. For example, if the target service only recognizes requests sent from a specific address, the service access rule may be set to replace the source address in the spliced request to be forwarded with that specific address; if the target service only recognizes requests that use the Hypertext Transfer Protocol Secure (HTTPS) protocol, the service access rule may be set to encapsulate the spliced request to be forwarded according to HTTPS; if the target service only recognizes requests encrypted with a specific key and a specific encryption algorithm, the service access rule may be set to encrypt the spliced request to be forwarded with that key and algorithm. This method configures the request according to pre-stored service access rules so that the configured request conforms to the access specification of the target service, improving the success rate of internal service invocation.
In S106, the token information in the spliced request to be forwarded is authenticated, and after the authentication passes, the request to be forwarded is forwarded to the target service.
For the spliced call request sent to the intranet platform, the verification information and the token information in it are extracted for authentication; specifically, it is determined whether the verification information and the token information are consistent with those in the database. If they are consistent, authentication passes: the request to be forwarded is forwarded to the target service, the target service is invoked according to the specific content of the request to be forwarded, and the internal service invocation is complete. If they are inconsistent, a new token is allocated to the request to be forwarded in the intranet platform.
As can be seen from the embodiment shown in FIG. 1, in the embodiment of the present application the call object is set to the gateway layer address and the exposure information of all internal services is stored in the gateway layer. If a call request is received in the gateway layer, it is verified against all the exposure information; after verification passes, the format of the call request is configured to obtain the request to be forwarded; the token information corresponding to the request to be forwarded is then looked up in the cache and spliced with the request to be forwarded; and the spliced request to be forwarded is finally sent to the intranet platform. If the spliced request to be forwarded passes authentication, it is forwarded to the target service. By configuring the gateway layer, the embodiment of the present application intercepts call requests in the gateway layer and configures them automatically, which reduces manual configuration, simplifies the subsequent token allocation process, and improves the efficiency of invoking internal services.
FIG. 2 shows an internal service invocation method obtained, on the basis of Embodiment 1 of the present application, by extending the process that follows the determination of whether token information corresponding to the request to be forwarded exists in the cache. The embodiment of the present application provides an implementation flowchart of the gateway-based internal service invocation method; as shown in FIG. 2, the method may include the following steps:
In S201, if the token information corresponding to the request to be forwarded does not exist in the cache, the request to be forwarded is sent from the gateway layer to the intranet platform.
After the determination, if no token information corresponding to the request to be forwarded exists in the cache, the gateway layer does not splice anything into the request to be forwarded but sends it directly to the intranet platform.
In S202, token information is created and allocated for the request to be forwarded, and the allocated token information is spliced with the request to be forwarded.
For the request to be forwarded that is sent to the intranet platform, the verification information in it is extracted and checked for validity; once the verification information is determined to be valid, token information is generated from it. For example, when the verification information is the user name and password in the request to be forwarded, if the user name is found in the database and the password matches the user name and is valid, the token information is generated from the user name, the password and a timestamp using the MD5 algorithm or another irreversible algorithm. The generated token information is then spliced with the request to be forwarded.
As can be seen from the embodiment shown in FIG. 2, in the embodiment of the present application, if no token information corresponding to the request to be forwarded exists in the cache, the gateway layer sends the request to be forwarded to the intranet platform, token information is created for the request to be forwarded, and the created token information is spliced with it. By creating new token information in the intranet platform, the embodiment of the present application completes the token allocation mechanism and makes service invocation more comprehensive.
FIG. 3 shows an internal service invocation method obtained, on the basis of Embodiment 1 of the present application, by refining the process of setting the call object invoked by the caller to the preset gateway layer address. The embodiment of the present application provides an implementation flowchart of the gateway-based internal service invocation method; as shown in FIG. 3, the method may include the following steps:
In S301, the caller's underlying code is searched for the platform address, and every line of the underlying code that contains the platform address is determined as calling code, where the platform address is the address of the intranet platform.
Since in the traditional approach the caller issues calls directly to the intranet platform, that is, the caller's call object is the address of the intranet platform (for ease of distinction, this address is called the platform address), the embodiment of the present application improves on the traditional approach by searching the caller's underlying code for the platform address and determining every line of underlying code that contains the platform address as calling code.
In S302, the platform address in all the calling code is replaced with the gateway layer address.
In the calling code found, the platform address is the call object of that code, so in this step the platform address in all the calling code is replaced with the gateway layer address, which completes the replacement of the call object. Once the replacement is complete, call requests are automatically sent to the gateway layer when the calling code runs.
As can be seen from the embodiment shown in FIG. 3, in the embodiment of the present application the caller's underlying code is searched for the platform address, every line of underlying code containing the platform address is determined as calling code, and the platform address in all the calling code is replaced with the gateway layer address. By replacing the platform address in bulk, the embodiment of the present application makes it more convenient to set the call object.
FIG. 4 shows an internal service invocation method obtained, on the basis of Embodiment 1 of the present application, by extending the process that precedes configuring the call request according to the platform forwarding rule corresponding to the intranet platform. The embodiment of the present application provides an implementation flowchart of the gateway-based internal service invocation method; as shown in FIG. 4, the method may include the following steps:
In S401, the permission address set corresponding to each internal service in the intranet platform is obtained, and the source address in the call request is obtained, where the permission address set includes at least one address that has the right to access the internal service, and the source address is the address of the caller that initiated the call request.
In addition to storing the exposure information of each internal service in the gateway layer, the embodiment of the present application may also store, together with it, the permission address set corresponding to the internal service, which includes at least one address that has the right to access the internal service; the permission address set can be set by the administrators of the internal service. At the same time, the source address in the call request, that is, the address of the caller that initiated the call request, is obtained for subsequent analysis.
In S402, if the source address is in the permission address set corresponding to the target service, the operation of configuring the call request according to the platform forwarding rule preset in the intranet platform is performed.
If the source address in the call request is in the permission address set corresponding to the target service, this shows that the call request has the right to access the target service, and the subsequent operation of configuring the call request according to the platform forwarding rule preset in the intranet platform proceeds.
In S403, if the source address is not in the permission address set corresponding to the target service, the call request is intercepted and a prompt of unauthorized access is output to the caller that initiated the call request.
Conversely, if the source address in the call request is not in the permission address set corresponding to the target service, then, given that the target service would later refuse the call request anyway, the gateway layer intercepts the call request to avoid wasting resources on processing it, and outputs a prompt of unauthorized access to the caller that initiated the call request. The prompt may be delivered as a front-end dialog, an SMS message or an e-mail, which the embodiment of the present application does not limit.
As can be seen from the embodiment shown in FIG. 4, in the embodiment of the present application it is determined whether the source address in the call request is in the permission address set corresponding to the target service. If it is, the subsequent operation of configuring the call request according to the platform forwarding rule preset in the intranet platform proceeds normally; if it is not, the call request is intercepted and a prompt of unauthorized access is output to the caller. By intercepting a call request promptly when it has no right to access the target service, the embodiment of the present application saves computing resources.
应理解,上述实施例中各步骤的序号的大小并不意味着执行顺序的先后,各过程的执行顺序应以其功能和内在逻辑确定,而不应对本申请实施例的实施过程构成任何限定。It should be understood that the size of the sequence number of each step in the foregoing embodiment does not mean the order of execution. The execution sequence of each process should be determined by its function and internal logic, and should not constitute any limitation to the implementation process of the embodiment of the present application.
Corresponding to the gateway-based internal service invocation method described in the above embodiments, FIG. 5 shows a structural block diagram of the gateway-based internal service invocation apparatus provided in an embodiment of the present application. Referring to FIG. 5, the internal service invocation apparatus includes:
a setting unit 51, configured to set the calling object called by a caller to a preset gateway layer address, where the caller is located in an internal network and the gateway layer address is the address of a preset gateway layer;
a storage unit 52, configured to determine all internal services whose services have been exposed on an intranet platform, and to store exposure information of all the internal services in the gateway layer, the exposure information including the address of each internal service;
a configuration unit 53, configured to, if a call request is received in the gateway layer, verify the call request according to all the exposure information, determine the internal service requested by the call request as the target service after the verification passes, configure the call request according to the platform forwarding rule corresponding to the intranet platform, and determine the configured call request as the request to be forwarded;
a judging unit 54, configured to judge whether token information corresponding to the request to be forwarded exists in a cache;
a splicing unit 55, configured to, if the token information corresponding to the request to be forwarded exists in the cache, splice the token information with the request to be forwarded in the gateway layer and send the spliced request to be forwarded to the intranet platform;
a forwarding unit 56, configured to authenticate the token information in the spliced request to be forwarded and, after the authentication passes, forward the request to be forwarded to the target service.
Optionally, the configuration unit 53 includes:
a target address obtaining unit, configured to obtain the target address in the call request and judge whether exposure information containing the target address exists;
a verification passing unit, configured to, if exposure information containing the target address exists, determine that the call request passes verification, and determine the internal service corresponding to that exposure information as the internal service requested by the call request;
a discarding unit, configured to, if no exposure information containing the target address exists, discard the call request and output an error prompt.
Optionally, the gateway layer further stores service access rules corresponding to all the internal services, the service access rules indicating the access format of the internal services, and the splicing unit 55 includes:
a rule configuration unit, configured to configure the spliced request to be forwarded according to the service access rule corresponding to the target service, and send the configured request to be forwarded to the intranet platform.
Optionally, the judging unit 54 further includes:
a sending unit, configured to, if the token information corresponding to the request to be forwarded does not exist in the cache, send the request to be forwarded to the intranet platform in the gateway layer;
a creating unit, configured to create the token information for the request to be forwarded, and splice the created token information with the request to be forwarded.
Optionally, the setting unit 51 includes:
a searching unit, configured to search the underlying code of the caller according to a platform address, and determine each line of the underlying code that contains the platform address as calling code, where the platform address is the address of the intranet platform;
a replacing unit, configured to replace the platform address in all the calling code with the gateway layer address.
Optionally, the configuration unit 53 further includes:
a source address obtaining unit, configured to obtain the authority address set corresponding to each internal service in the intranet platform and obtain the source address in the call request, where the authority address set includes at least one address authorized to access the internal service, and the source address is the address of the caller that initiated the call request;
an executing unit, configured to, if the source address is in the authority address set corresponding to the target service, perform the operation of configuring the call request according to the platform forwarding rule preset in the intranet platform;
an intercepting unit, configured to, if the source address is not in the authority address set corresponding to the target service, intercept the call request and output a prompt of unauthorized access to the caller that initiated the call request.
Therefore, the gateway-based internal service invocation apparatus provided in the embodiment of the present invention reduces manual configuration operations by providing a gateway layer, and simplifies the token distribution process by allocating token information in a cache, thereby improving the convenience and efficiency of invoking internal services.
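The gateway pipeline described for units 51 to 56, together with the FIG. 4 source-address check, as an added Python illustration that is not the applicant's code; the service names, addresses, forwarding headers and the HMAC-based token format are constructed assumptions.

```python
"""Gateway-layer request pipeline of the FIG. 4 and FIG. 5 embodiments.
Added illustration, not the applicant's code: service names, addresses,
forwarding headers and the HMAC token format are constructed assumptions."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed exposure information (storage unit 52): target address -> service.
EXPOSURE_INFO = {
    "10.0.1.10:8080/user": "user-service",
    "10.0.1.11:8080/order": "order-service",
}
# Constructed authority address sets (FIG. 4): service -> addresses allowed to call it.
AUTHORITY_ADDRESSES = {
    "user-service": {"10.0.2.5", "10.0.2.6"},
    "order-service": {"10.0.2.5"},
}
PLATFORM_ADDRESS = "10.0.1.1:9000"  # assumed intranet platform address
GATEWAY_ADDRESS = "10.0.0.1:8000"   # assumed gateway layer address


@dataclass
class CallRequest:
    source: str   # address of the caller that issued the request
    target: str   # address the caller tried to reach
    body: str
    headers: dict = field(default_factory=dict)


def rewrite_calling_code(code_lines):
    """Setting unit 51: every line that contains the platform address is
    calling code; point it at the gateway layer instead."""
    return [line.replace(PLATFORM_ADDRESS, GATEWAY_ADDRESS)
            if PLATFORM_ADDRESS in line else line
            for line in code_lines]


class Gateway:
    def __init__(self, secret_key: bytes):
        self._key = secret_key
        self._token_cache = {}  # (source, service) -> token; the cache of unit 54

    def configure(self, req):
        """Configuration unit 53 with the FIG. 4 check: validate the target
        against exposure information, check the source address against the
        authority set, then apply the (assumed) platform forwarding rule."""
        service = EXPOSURE_INFO.get(req.target)
        if service is None:  # discarding unit
            return None, {"status": "discarded", "reason": "no exposure information for target"}
        if req.source not in AUTHORITY_ADDRESSES.get(service, set()):  # intercepting unit
            return None, {"status": "intercepted", "reason": "source address not authorized"}
        req.headers["X-Forwarded-By"] = GATEWAY_ADDRESS
        req.headers["X-Target-Service"] = service
        return service, None

    def _mac(self, source, service, nonce):
        msg = f"{source}|{service}|{nonce}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def _new_token(self, source, service):
        """Creating unit: token bound to the caller and the target service."""
        nonce = secrets.token_hex(8)
        return f"{nonce}.{self._mac(source, service, nonce)}"

    def authenticate(self, token, source, service):
        """Forwarding unit 56: recompute the MAC and compare in constant time."""
        try:
            nonce, mac = token.split(".", 1)
        except ValueError:
            return False
        return hmac.compare_digest(mac, self._mac(source, service, nonce))

    def handle(self, req):
        service, rejection = self.configure(req)
        if rejection:
            return rejection
        key = (req.source, service)
        cache_hit = key in self._token_cache            # judging unit 54
        if not cache_hit:                                # sending + creating units
            self._token_cache[key] = self._new_token(req.source, service)
        req.headers["Authorization"] = self._token_cache[key]  # splicing unit 55
        if not self.authenticate(req.headers["Authorization"], req.source, service):
            return {"status": "rejected", "reason": "token authentication failed"}
        return {"status": "forwarded", "service": service, "cache_hit": cache_hit}
```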
FIG. 6 is a schematic diagram of a terminal device provided in an embodiment of the present application. As shown in FIG. 6, the terminal device 6 of this embodiment includes a processor 60, a memory 61, and a computer program 62 that is stored in the memory 61 and can run on the processor 60, for example a gateway-based internal service invocation program. When the processor 60 executes the computer program 62, the steps in the foregoing embodiments of the gateway-based internal service invocation method are implemented, the steps including: S101. setting the calling object called by a caller to a preset gateway layer address, where the caller is located in an internal network and the gateway layer address is the address of a preset gateway layer; S102. determining all internal services whose services have been exposed on an intranet platform, and storing exposure information of all the internal services in the gateway layer, the exposure information including the address of each internal service; S103. if a call request is received in the gateway layer, verifying the call request according to all the exposure information, determining the internal service requested by the call request as the target service after the verification passes, configuring the call request according to the platform forwarding rule corresponding to the intranet platform, and determining the configured call request as the request to be forwarded; S104. judging whether token information corresponding to the request to be forwarded exists in a cache; S105. if the token information corresponding to the request to be forwarded exists in the cache, splicing the token information with the request to be forwarded in the gateway layer, and sending the spliced request to be forwarded to the intranet platform; S106. authenticating the token information in the spliced request to be forwarded and, after the authentication passes, forwarding the request to be forwarded to the target service.
Exemplarily, the computer program 62 may be divided into one or more units, which are stored in the memory 61 and executed by the processor 60 to carry out the present application. The one or more units may be a series of computer program instruction segments capable of performing specific functions, the instruction segments describing the execution process of the computer program 62 in the terminal device 6. For example, the computer program 62 may be divided into a setting unit, a storage unit, a configuration unit, a judging unit, a splicing unit and a forwarding unit, the specific functions of which are as follows:
a setting unit, configured to set the calling object called by a caller to a preset gateway layer address, where the caller is located in an internal network and the gateway layer address is the address of a preset gateway layer;
a storage unit, configured to determine all internal services whose services have been exposed on an intranet platform, and to store exposure information of all the internal services in the gateway layer, the exposure information including the address of each internal service;
a configuration unit, configured to, if a call request is received in the gateway layer, verify the call request according to all the exposure information, determine the internal service requested by the call request as the target service after the verification passes, configure the call request according to the platform forwarding rule corresponding to the intranet platform, and determine the configured call request as the request to be forwarded;
a judging unit, configured to judge whether token information corresponding to the request to be forwarded exists in a cache;
a splicing unit, configured to, if the token information corresponding to the request to be forwarded exists in the cache, splice the token information with the request to be forwarded in the gateway layer and send the spliced request to be forwarded to the intranet platform;
a forwarding unit, configured to authenticate the token information in the spliced request to be forwarded and, after the authentication passes, forward the request to be forwarded to the target service.
The terminal device 6 may be a computing device such as a desktop computer, a notebook, a palmtop computer or a cloud server. The terminal device may include, but is not limited to, the processor 60 and the memory 61. Those skilled in the art will understand that FIG. 6 is merely an example of the terminal device 6 and does not constitute a limitation on it; the terminal device may include more or fewer components than shown, combine certain components, or have different components. For example, the terminal device may further include input/output devices, network access devices, buses and the like.
The processor 60 may be a central processing unit (CPU), or may be another general-purpose processor, a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, a discrete hardware component, or the like. The general-purpose processor may be a microprocessor or any conventional processor.
The memory 61 may be an internal storage unit of the terminal device 6, such as a hard disk or memory of the terminal device 6. The memory 61 may also be an external storage device of the terminal device 6, such as a plug-in hard disk, a Smart Media Card (SMC), a Secure Digital (SD) card or a flash card provided on the terminal device 6. Further, the memory 61 may include both an internal storage unit of the terminal device 6 and an external storage device. The memory 61 is used to store the computer program and the other programs and data required by the terminal device. The memory 61 may also be used to temporarily store data that has been output or is to be output.
Those skilled in the art will clearly understand that, for convenience and brevity of description, the above division of functional units is given only as an example. In practical applications, the above functions may be assigned to different functional units as required, that is, the internal structure of the terminal device may be divided into different functional units to perform all or part of the functions described above. The functional units in the embodiments may be integrated into one processing unit, each unit may exist physically on its own, or two or more units may be integrated into one unit. The integrated unit may be implemented in the form of hardware or in the form of a software functional unit. In addition, the specific names of the functional units are only for the purpose of distinguishing them from one another and are not intended to limit the protection scope of the present application. For the specific working process of the units in the above system, reference may be made to the corresponding process in the foregoing method embodiments, which is not repeated here.
In the above embodiments, the description of each embodiment has its own emphasis. For parts not described in detail in one embodiment, reference may be made to the related descriptions of the other embodiments.
A person of ordinary skill in the art will be aware that the units and algorithm steps of the examples described in combination with the embodiments disclosed herein can be implemented by electronic hardware, or by a combination of computer software and electronic hardware. Whether these functions are performed in hardware or in software depends on the specific application and design constraints of the technical solution. Skilled persons may use different methods to implement the described functions for each specific application, but such implementation should not be regarded as going beyond the scope of the present invention.
In the embodiments provided by the present invention, it should be understood that the disclosed terminal device and method may be implemented in other ways. For example, the terminal device embodiments described above are merely illustrative; the division of the units is only a logical functional division, and there may be other divisions in actual implementation, for example multiple units or components may be combined or integrated into another system, or some features may be omitted or not performed. Furthermore, the mutual couplings, direct couplings or communication connections shown or discussed may be indirect couplings or communication connections through some interfaces, apparatuses or units, and may be electrical, mechanical or in other forms.
The units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units; they may be located in one place or distributed over multiple network units. Some or all of the units may be selected according to actual needs to achieve the objectives of the solutions of the embodiments.
In addition, the functional units in the embodiments of the present application may be integrated into one processing unit, each unit may exist physically on its own, or two or more units may be integrated into one unit. The integrated unit may be implemented in the form of hardware or in the form of a software functional unit.
If the integrated unit is implemented in the form of a software functional unit and sold or used as an independent product, it may be stored in a computer-readable storage medium, which may be volatile or non-volatile. Based on this understanding, all or part of the processes in the methods of the above embodiments of the present application may also be implemented by a computer program instructing the relevant hardware. The computer program may be stored in a computer-readable storage medium and, when executed by a processor, implements the steps of the foregoing method embodiments. The steps include: S101. setting the calling object called by a caller to a preset gateway layer address, where the caller is located in an internal network and the gateway layer address is the address of a preset gateway layer; S102. determining all internal services whose services have been exposed on an intranet platform, and storing exposure information of all the internal services in the gateway layer, the exposure information including the address of each internal service; S103. if a call request is received in the gateway layer, verifying the call request according to all the exposure information, determining the internal service requested by the call request as the target service after the verification passes, configuring the call request according to the platform forwarding rule corresponding to the intranet platform, and determining the configured call request as the request to be forwarded; S104. judging whether token information corresponding to the request to be forwarded exists in a cache; S105. if the token information corresponding to the request to be forwarded exists in the cache, splicing the token information with the request to be forwarded in the gateway layer, and sending the spliced request to be forwarded to the intranet platform; S106. authenticating the token information in the spliced request to be forwarded and, after the authentication passes, forwarding the request to be forwarded to the target service. The computer program includes computer program code, which may be in source code form, object code form, an executable file, some intermediate form or the like. The computer-readable medium may include any entity or device capable of carrying the computer program code, a recording medium, a USB flash drive, a removable hard disk, a magnetic disk, an optical disk, a computer memory, a read-only memory (ROM), a random access memory (RAM), an electrical carrier signal, a telecommunication signal, a software distribution medium and the like. It should be noted that the content contained in the computer-readable medium may be appropriately added to or removed from according to the requirements of legislation and patent practice in the jurisdiction; for example, in some jurisdictions, according to legislation and patent practice, computer-readable media do not include electrical carrier signals and telecommunication signals.
The above embodiments are only used to illustrate the technical solutions of the present invention and not to limit them. Although the present invention has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art should understand that the technical solutions recorded in the foregoing embodiments may still be modified, or some of their technical features replaced by equivalents, and that such modifications or replacements do not cause the essence of the corresponding technical solutions to depart from the spirit and scope of the technical solutions of the embodiments of the present invention, and shall all fall within the protection scope of the present invention.

Claims (20)

  1. 一种基于网关的内部服务调用方法,其中,包括: A gateway-based internal service invocation method, which includes:
    将调用方所调用的调用对象设置为预设的网关层地址,其中,所述调用方位于一个内部网络中,所述网关层地址为预设的网关层的地址;Setting the calling object called by the caller as a preset gateway layer address, where the caller is located in an internal network, and the gateway layer address is the preset gateway layer address;
    确定已在内网平台上进行服务暴露的所有内部服务,在所述网关层中存储所有所述内部服务的暴露信息,所述暴露信息包括所述内部服务的地址;Determine all internal services that have been exposed to services on the intranet platform, and store exposure information of all internal services in the gateway layer, where the exposure information includes the address of the internal service;
    若在所述网关层中接收到调用请求,则根据所有所述暴露信息对所述调用请求进行校验,在校验通过后将所述调用请求所请求的所述内部服务确定为目标服务,并根据所述内网平台对应的平台转发规则对所述调用请求进行配置,将配置完成的所述调用请求确定为待转发请求;If a call request is received in the gateway layer, the call request is verified according to all the exposure information, and the internal service requested by the call request is determined as the target service after the verification is passed, And configure the call request according to the platform forwarding rules corresponding to the intranet platform, and determine the configured call request as a request to be forwarded;
    判断缓存中是否存在与所述待转发请求对应的令牌信息;Judging whether there is token information corresponding to the request to be forwarded in the cache;
    若所述缓存中存在与所述待转发请求对应的所述令牌信息,则在所述网关层中将所述令牌信息与所述待转发请求进行拼接,并将拼接后的所述待转发请求发送至所述内网平台;If the token information corresponding to the request to be forwarded exists in the cache, the token information and the request to be forwarded are spliced in the gateway layer, and the spliced request to be forwarded The forwarding request is sent to the intranet platform;
    对拼接后的所述待转发请求中的所述令牌信息进行鉴权,并在鉴权通过后,将所述待转发请求转发至所述目标服务。The token information in the spliced request to be forwarded is authenticated, and after the authentication is passed, the request to be forwarded is forwarded to the target service.
  2. 如权利要求1所述的内部服务调用方法,其中,所述根据所有所述暴露信息对所述调用请求进行校验,包括: The method for invoking internal services according to claim 1, wherein said verifying said invoking request according to all said exposure information comprises:
    获取所述调用请求中的目标地址,并判断是否存在包含所述目标地址的所述暴露信息;Acquiring the target address in the call request, and determining whether there is the exposed information including the target address;
    若存在包含所述目标地址的所述暴露信息,则确定所述调用请求校验通过,并将所述暴露信息所对应的所述内部服务确定为所述调用请求所请求的所述内部服务;If the exposure information including the target address exists, determining that the call request is verified, and the internal service corresponding to the exposure information is determined as the internal service requested by the call request;
    若不存在包含所述目标地址的所述暴露信息,则丢弃所述调用请求,并输出错误提示。If the exposure information including the target address does not exist, discard the call request and output an error prompt.
  3. 如权利要求1所述的内部服务调用方法,其中,所述网关层中还存储所有所述内部服务对应的服务访问规则,所述服务访问规则用于指示所述内部服务的访问格式; The method for invoking internal services according to claim 1, wherein the gateway layer also stores all service access rules corresponding to the internal services, and the service access rules are used to indicate the access format of the internal services;
    所述在所述网关层中将所述令牌信息与所述待转发请求进行拼接,并将拼接后的所述待转发请求发送至所述内网平台,包括:The splicing the token information with the request to be forwarded in the gateway layer, and sending the spliced request to be forwarded to the intranet platform includes:
    根据所述目标服务对应的所述服务访问规则对拼接后的所述待转发请求进行配置,将配置后的所述待转发请求发送至所述内网平台。Configure the spliced request to be forwarded according to the service access rule corresponding to the target service, and send the configured request to be forwarded to the intranet platform.
  4. 如权利要求1所述的内部服务调用方法,其中,所述判断缓存中是否存在与所述待转发请求对应的令牌信息之后,还包括: The method for invoking an internal service according to claim 1, wherein after determining whether there is token information corresponding to the request to be forwarded in the cache, the method further comprises:
    若所述缓存中不存在与所述待转发请求对应的所述令牌信息,则在所述网关层中将所述待转发请求发送至所述内网平台;If the token information corresponding to the request to be forwarded does not exist in the cache, sending the request to be forwarded to the intranet platform in the gateway layer;
    为所述待转发请求创建所述令牌信息,将创建的所述令牌信息与所述待转发请求进行拼接。The token information is created for the request to be forwarded, and the created token information is spliced with the request to be forwarded.
  5. 如权利要求1所述的内部服务调用方法,其中,所述将调用方所调用的调用对象设置为预设的网关层地址,包括: The method for invoking internal services according to claim 1, wherein said setting the calling object called by the caller as a preset gateway layer address comprises:
    根据平台地址在所述调用方的底层代码中进行查找,并将含有所述平台地址的每一行所述底层代码均确定为调用代码,其中,所述平台地址为所述内网平台的地址;Searching in the bottom-level code of the caller according to the platform address, and determining each line of the bottom-level code containing the platform address as the calling code, where the platform address is the address of the intranet platform;
    将所有所述调用代码中的所述平台地址均替换为所述网关层地址。Replace the platform address in all the calling codes with the gateway layer address.
  6. 如权利要求1所述的内部服务调用方法,其中,所述根据所述内网平台对应的平台转发规则对所述调用请求进行配置之前,还包括: The method for invoking internal services according to claim 1, wherein before the configuring the invoking request according to the platform forwarding rules corresponding to the intranet platform, the method further comprises:
    获取所述内网平台中与每个所述内部服务对应的权限地址集,并获取所述调用请求中的源地址,其中,所述权限地址集包括至少一个有权限访问所述内部服务的地址,所述源地址为发起所述调用请求的所述调用方的地址;Obtain the authority address set corresponding to each of the internal services in the intranet platform, and obtain the source address in the call request, wherein the authority address set includes at least one address that has the authority to access the internal service , The source address is the address of the caller who initiated the call request;
    若所述源地址位于所述目标服务对应的所述权限地址集中,则执行所述根据所述内网平台中预设的平台转发规则对所述调用请求进行配置的操作;If the source address is in the authority address set corresponding to the target service, perform the operation of configuring the call request according to the platform forwarding rules preset in the intranet platform;
    若所述源地址不位于所述目标服务对应的所述权限地址集中,则拦截所述调用请求,并向发起所述调用请求的所述调用方输出无权访问的提示。If the source address is not located in the authority address set corresponding to the target service, intercept the call request, and output a prompt of unauthorized access to the caller who initiated the call request.
  7. A gateway-based internal service invoking apparatus, comprising:
    a setting unit, configured to set the call object invoked by a caller to a preset gateway layer address, wherein the caller is located in an internal network and the gateway layer address is the address of a preset gateway layer;
    a storage unit, configured to determine all internal services that have been exposed on an intranet platform, and to store exposure information of all the internal services in the gateway layer, the exposure information comprising the address of the internal service;
    a configuration unit, configured to, if a call request is received in the gateway layer, verify the call request according to all the exposure information, determine, after the verification passes, the internal service requested by the call request to be the target service, configure the call request according to the platform forwarding rule corresponding to the intranet platform, and determine the configured call request to be the request to be forwarded;
    a judging unit, configured to judge whether token information corresponding to the request to be forwarded exists in a cache;
    a splicing unit, configured to, if the token information corresponding to the request to be forwarded exists in the cache, splice the token information onto the request to be forwarded in the gateway layer and send the spliced request to be forwarded to the intranet platform;
    a forwarding unit, configured to authenticate the token information in the spliced request to be forwarded and, after the authentication passes, forward the request to be forwarded to the target service.
  8. A terminal device, comprising a memory, a processor, and a computer program stored in the memory and executable on the processor, wherein the processor, when executing the computer program, implements the following steps:
    setting the call object invoked by a caller to a preset gateway layer address, wherein the caller is located in an internal network and the gateway layer address is the address of a preset gateway layer;
    determining all internal services that have been exposed on an intranet platform, and storing exposure information of all the internal services in the gateway layer, the exposure information comprising the address of the internal service;
    if a call request is received in the gateway layer, verifying the call request according to all the exposure information, determining, after the verification passes, the internal service requested by the call request to be the target service, configuring the call request according to the platform forwarding rule corresponding to the intranet platform, and determining the configured call request to be the request to be forwarded;
    judging whether token information corresponding to the request to be forwarded exists in a cache;
    if the token information corresponding to the request to be forwarded exists in the cache, splicing the token information onto the request to be forwarded in the gateway layer, and sending the spliced request to be forwarded to the intranet platform;
    authenticating the token information in the spliced request to be forwarded and, after the authentication passes, forwarding the request to be forwarded to the target service.
  9. The terminal device according to claim 8, wherein verifying the call request according to all the exposure information comprises:
    obtaining the target address in the call request, and judging whether exposure information containing the target address exists;
    if exposure information containing the target address exists, determining that the call request passes verification, and determining the internal service corresponding to that exposure information to be the internal service requested by the call request;
    if no exposure information containing the target address exists, discarding the call request and outputting an error prompt.
  10. The terminal device according to claim 8, wherein the gateway layer further stores service access rules corresponding to all the internal services, the service access rules indicating the access format of the internal services;
    splicing the token information onto the request to be forwarded in the gateway layer and sending the spliced request to be forwarded to the intranet platform comprises:
    configuring the spliced request to be forwarded according to the service access rule corresponding to the target service, and sending the configured request to be forwarded to the intranet platform.
  11. The terminal device according to claim 8, wherein, after judging whether token information corresponding to the request to be forwarded exists in the cache, the steps further comprise:
    if the token information corresponding to the request to be forwarded does not exist in the cache, sending the request to be forwarded to the intranet platform in the gateway layer;
    creating the token information for the request to be forwarded, and splicing the created token information onto the request to be forwarded.
  12. The terminal device according to claim 8, wherein setting the call object invoked by the caller to the preset gateway layer address comprises:
    searching the underlying code of the caller for a platform address, and determining each line of the underlying code that contains the platform address to be calling code, wherein the platform address is the address of the intranet platform;
    replacing the platform address in all of the calling code with the gateway layer address.
  13. The terminal device according to claim 8, wherein, before configuring the call request according to the platform forwarding rule corresponding to the intranet platform, the steps further comprise:
    obtaining, from the intranet platform, the authorized address set corresponding to each internal service, and obtaining the source address in the call request, wherein the authorized address set comprises at least one address that is authorized to access the internal service, and the source address is the address of the caller that initiated the call request;
    if the source address is in the authorized address set corresponding to the target service, performing the operation of configuring the call request according to the platform forwarding rule preset in the intranet platform;
    if the source address is not in the authorized address set corresponding to the target service, intercepting the call request and outputting an access-denied prompt to the caller that initiated the call request.
  14. A computer-readable storage medium storing a computer program, wherein the computer program, when executed by a processor, implements the following steps:
    setting the call object invoked by a caller to a preset gateway layer address, wherein the caller is located in an internal network and the gateway layer address is the address of a preset gateway layer;
    determining all internal services that have been exposed on an intranet platform, and storing exposure information of all the internal services in the gateway layer, the exposure information comprising the address of the internal service;
    if a call request is received in the gateway layer, verifying the call request according to all the exposure information, determining, after the verification passes, the internal service requested by the call request to be the target service, configuring the call request according to the platform forwarding rule corresponding to the intranet platform, and determining the configured call request to be the request to be forwarded;
    judging whether token information corresponding to the request to be forwarded exists in a cache;
    if the token information corresponding to the request to be forwarded exists in the cache, splicing the token information onto the request to be forwarded in the gateway layer, and sending the spliced request to be forwarded to the intranet platform;
    authenticating the token information in the spliced request to be forwarded and, after the authentication passes, forwarding the request to be forwarded to the target service.
  15. The computer-readable storage medium according to claim 14, wherein verifying the call request according to all the exposure information comprises:
    obtaining the target address in the call request, and judging whether exposure information containing the target address exists;
    if exposure information containing the target address exists, determining that the call request passes verification, and determining the internal service corresponding to that exposure information to be the internal service requested by the call request;
    if no exposure information containing the target address exists, discarding the call request and outputting an error prompt.
  16. The computer-readable storage medium according to claim 14, wherein the gateway layer further stores service access rules corresponding to all the internal services, the service access rules indicating the access format of the internal services;
    splicing the token information onto the request to be forwarded in the gateway layer and sending the spliced request to be forwarded to the intranet platform comprises:
    configuring the spliced request to be forwarded according to the service access rule corresponding to the target service, and sending the configured request to be forwarded to the intranet platform.
  17. The computer-readable storage medium according to claim 14, wherein, after judging whether token information corresponding to the request to be forwarded exists in the cache, the steps further comprise:
    if the token information corresponding to the request to be forwarded does not exist in the cache, sending the request to be forwarded to the intranet platform in the gateway layer;
    creating the token information for the request to be forwarded, and splicing the created token information onto the request to be forwarded.
  18. The computer-readable storage medium according to claim 14, wherein setting the call object invoked by the caller to the preset gateway layer address comprises:
    searching the underlying code of the caller for a platform address, and determining each line of the underlying code that contains the platform address to be calling code, wherein the platform address is the address of the intranet platform;
    replacing the platform address in all of the calling code with the gateway layer address.
  19. The computer-readable storage medium according to claim 14, wherein, before configuring the call request according to the platform forwarding rule corresponding to the intranet platform, the steps further comprise:
    obtaining, from the intranet platform, the authorized address set corresponding to each internal service, and obtaining the source address in the call request, wherein the authorized address set comprises at least one address that is authorized to access the internal service, and the source address is the address of the caller that initiated the call request;
    if the source address is in the authorized address set corresponding to the target service, performing the operation of configuring the call request according to the platform forwarding rule preset in the intranet platform;
    if the source address is not in the authorized address set corresponding to the target service, intercepting the call request and outputting an access-denied prompt to the caller that initiated the call request.
  20. The computer-readable storage medium according to any one of claims 14 to 19, wherein the computer-readable storage medium is a volatile computer-readable storage medium or a non-volatile computer-readable storage medium.
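The claims above describe one gateway-side procedure in several forms (method, apparatus, terminal device, storage medium): rewrite callers to address the gateway, verify the requested target against stored exposure information, check the caller's source address against the service's authorized address set, look up or create token information for the request to be forwarded, splice it onto the request, and have the platform authenticate the token before the request reaches the target service. The Python below is an added illustration of that flow, not the applicant's code. The names ExposedService, CallRequest, Gateway, make_token, verify_token and platform_forward are hypothetical, the token format (an HMAC bound to the source and target addresses under a constructed key) is an assumption, and the "platform forwarding rule" is reduced to carrying the service name, source and target. It also simplifies the cache-miss case of claims 11 and 17 by creating the token before the first send rather than after it.

```python
"""Gateway-layer internal service call flow as claimed above, modelled end to end.
Added illustration with hypothetical names; it is not the applicant's code."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Tuple

# Constructed key shared by the gateway layer and the intranet platform.
# Assumption: token information is an HMAC bound to (source, target).
TOKEN_KEY = b"constructed-demo-key-do-not-reuse"


@dataclass
class ExposedService:
    """Exposure information stored in the gateway layer (claims 8/14)."""
    name: str
    address: str                      # address published on the intranet platform
    allowed_sources: FrozenSet[str]   # authorized address set (claims 13/19)


@dataclass
class CallRequest:
    source: str    # address of the caller that initiated the request
    target: str    # address the caller invoked
    payload: dict


def rewrite_call_targets(code_lines: List[str], platform_address: str,
                         gateway_address: str) -> List[str]:
    """Claims 5/12/18: every line naming the platform address is calling code;
    point that calling code at the gateway layer instead."""
    calling = [i for i, line in enumerate(code_lines) if platform_address in line]
    out = list(code_lines)
    for i in calling:
        out[i] = out[i].replace(platform_address, gateway_address)
    return out


def make_token(source: str, target: str) -> str:
    """Create token information for a request with no cache entry (claims 11/17)."""
    nonce = secrets.token_hex(8)
    body = f"{source}|{target}|{nonce}"
    mac = hmac.new(TOKEN_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}|{mac}"


def verify_token(token: str, source: str, target: str) -> bool:
    """Authenticate the spliced token: valid MAC and bound to this source/target."""
    parts = token.split("|")
    if len(parts) != 4:
        return False
    src, tgt, nonce, mac = parts
    body = f"{src}|{tgt}|{nonce}"
    expected = hmac.new(TOKEN_KEY, body.encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected) and src == source and tgt == target


def platform_forward(svc: ExposedService, msg: dict) -> dict:
    """Intranet platform side: authenticate the token, then forward to the target."""
    if not verify_token(msg["token"], msg["source"], msg["target"]):
        return {"status": "rejected", "error": "token authentication failed"}
    return {"status": "forwarded", "service": svc.name, "payload": msg["payload"]}


@dataclass
class Gateway:
    exposure: Dict[str, ExposedService] = field(default_factory=dict)  # target address -> service
    token_cache: Dict[Tuple[str, str], str] = field(default_factory=dict)

    def expose(self, svc: ExposedService) -> None:
        self.exposure[svc.address] = svc

    def handle(self, req: CallRequest) -> dict:
        # Verification against exposure information (claims 9/15): unknown target is dropped.
        svc = self.exposure.get(req.target)
        if svc is None:
            return {"status": "dropped", "error": "no exposed service at target address"}
        # Source-address check (claims 13/19) before any forwarding rule is applied.
        if req.source not in svc.allowed_sources:
            return {"status": "intercepted", "error": "source not authorized for service"}
        # Platform forwarding rule (hypothetical): carry service name, source and target.
        to_forward = {"service": svc.name, "source": req.source,
                      "target": req.target, "payload": req.payload}
        # Token cache lookup (claims 8/14); on a miss create and cache one (claims 11/17).
        key = (req.source, req.target)
        token = self.token_cache.get(key)
        if token is None:
            token = make_token(req.source, req.target)
            self.token_cache[key] = token
        to_forward["token"] = token    # splice the token onto the request to be forwarded
        return platform_forward(svc, to_forward)


if __name__ == "__main__":
    gw = Gateway()
    gw.expose(ExposedService("orders", "10.0.0.5:8080", frozenset({"10.0.1.7"})))
    print(gw.handle(CallRequest("10.0.1.7", "10.0.0.5:8080", {"order_id": 42})))
    print(gw.handle(CallRequest("10.0.1.8", "10.0.0.5:8080", {"order_id": 42})))
```

Two points of the design matter for a reviewer of such a gateway: the exposure check and the source-address check both run before any token is attached, so a request for an unexposed address or from an unlisted source never reaches the platform; and the token carries the source and target it was minted for, so a cached token presented with a different source or target fails authentication on the platform side even if the MAC itself is intact.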
PCT/CN2020/087383 2019-05-21 2020-04-28 Internal service invoking method and apparatus based on gateway, and terminal device WO2020233361A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201910422745.XA CN110266764B (en) 2019-05-21 2019-05-21 Gateway-based internal service calling method and device and terminal equipment
CN201910422745.X 2019-05-21

Publications (1)

Publication Number Publication Date
WO2020233361A1 true WO2020233361A1 (en) 2020-11-26

Family

ID=67914943

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2020/087383 WO2020233361A1 (en) 2019-05-21 2020-04-28 Internal service invoking method and apparatus based on gateway, and terminal device

Country Status (2)

Country Link
CN (1) CN110266764B (en)
WO (1) WO2020233361A1 (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114221946A (en) * 2021-12-17 2022-03-22 平安壹钱包电子商务有限公司 Method, device and equipment for managing files based on object gateway and storage medium
CN115567603A (en) * 2022-08-17 2023-01-03 海南凤凰木科技有限公司 Proxy route forwarding method, device, intelligent terminal and storage medium
CN115733837A (en) * 2021-08-30 2023-03-03 中移物联网有限公司 Information processing method, gateway, system and storage medium

Families Citing this family (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110266764B (en) * 2019-05-21 2021-10-26 深圳壹账通智能科技有限公司 Gateway-based internal service calling method and device and terminal equipment
CN113179243B (en) * 2021-03-10 2022-11-18 中国人民财产保险股份有限公司 Authentication method, device, equipment and storage medium for interface call
CN113572759B (en) * 2021-07-21 2023-05-23 华控清交信息科技(北京)有限公司 Data management method and device, electronic equipment and storage medium
CN113923203B (en) * 2021-10-29 2023-07-11 中国平安财产保险股份有限公司 Network request verification method, device, equipment and storage medium
CN114285582B (en) * 2021-12-22 2024-04-05 中国电信股份有限公司 Information validity checking method and device, storage medium and electronic equipment
CN114285852B (en) * 2021-12-28 2023-12-26 杭州数梦工场科技有限公司 Service calling method and device based on multi-stage service platform
CN115118705B (en) * 2022-06-28 2024-03-15 重庆大学 Industrial edge management and control platform based on micro-service
CN115396276A (en) * 2022-08-04 2022-11-25 重庆长安汽车股份有限公司 Method, device, equipment and medium for processing internet platform interface document

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108901022A (en) * 2018-06-28 2018-11-27 深圳云之家网络有限公司 A kind of micro services universal retrieval method and gateway
CN109309666A (en) * 2018-08-22 2019-02-05 中国平安财产保险股份有限公司 Interface security control method and terminal device in a kind of network security
IN201911007700A (en) * 2019-02-27 2019-03-22
CN110266764A (en) * 2019-05-21 2019-09-20 深圳壹账通智能科技有限公司 Internal services call method, device and terminal device based on gateway

Family Cites Families (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP2157759B1 (en) * 2004-09-07 2013-01-09 Research In Motion Limited System and method for updating message trust status
CN100592720C (en) * 2006-12-22 2010-02-24 腾讯科技(深圳)有限公司 Method and system for implementing instant communication between external network user and LAN user
CN102215154B (en) * 2010-04-06 2016-05-25 中兴通讯股份有限公司 The access control method of Network and terminal
CN104869101B (en) * 2014-02-21 2018-02-23 华为技术有限公司 A kind of method and apparatus of Path Setup
CN109597854A (en) * 2018-10-31 2019-04-09 深圳壹账通智能科技有限公司 A kind of method for routing of service request, device, computer equipment and computer storage medium
CN109617907B (en) * 2019-01-04 2022-04-08 平安科技(深圳)有限公司 Authentication method, electronic device, and computer-readable storage medium

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
谭一鸣 (TAN, YIMING): "基于微服务架构的平台化服务框架的设计与实现 (Design and Development of Platformization Service Framework Based on Microservice Architecture)", 中国优秀硕士学位论文全文数据库信息科技辑 (INFORMATION & TECHNOLOGY, CHINA MASTER'S THESES FULL-TEXT DATABASE), 15 January 2018 (2018-01-15), DOI: 20200710093123A *

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115733837A (en) * 2021-08-30 2023-03-03 中移物联网有限公司 Information processing method, gateway, system and storage medium
CN115733837B (en) * 2021-08-30 2024-06-11 中移物联网有限公司 Information processing method, gateway, system and storage medium
CN114221946A (en) * 2021-12-17 2022-03-22 平安壹钱包电子商务有限公司 Method, device and equipment for managing files based on object gateway and storage medium
CN114221946B (en) * 2021-12-17 2023-09-29 平安壹钱包电子商务有限公司 Method, device, equipment and storage medium for managing files based on object gateway
CN115567603A (en) * 2022-08-17 2023-01-03 海南凤凰木科技有限公司 Proxy route forwarding method, device, intelligent terminal and storage medium

Also Published As

Publication number Publication date
CN110266764B (en) 2021-10-26
CN110266764A (en) 2019-09-20

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 20809752

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

32PN Ep: public notification in the ep bulletin as address of the adressee cannot be established

Free format text: NOTING OF LOSS OF RIGHTS PURSUANT TO RULE 112(1) EPC (EPO FORM 1205A DATED 01.03.2022)

122 Ep: pct application non-entry in european phase

Ref document number: 20809752

Country of ref document: EP

Kind code of ref document: A1