WO2020233361A1 - Gateway-based internal service invocation method and apparatus, and terminal device - Google Patents

Gateway-based internal service invocation method and apparatus, and terminal device

Info

Publication number
WO2020233361A1
Authority
WO
WIPO (PCT)
Prior art keywords
request
forwarded
address
platform
call request
Application number
PCT/CN2020/087383
Other languages
English (en)
Chinese (zh)
Inventor
李晨光
Original Assignee
深圳壹账通智能科技有限公司
Application filed by 深圳壹账通智能科技有限公司
Publication of WO2020233361A1


Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 12/00 Data switching networks
    • H04L 12/66 Arrangements for connecting between networks having differing types of switching systems, e.g. gateways
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L 63/0807 Network architectures or network communication protocols for network security for authentication of entities using tickets, e.g. Kerberos
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/12 Applying verification of the received information
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 67/00 Network arrangements or protocols for supporting network services or applications
    • H04L 67/50 Network services
    • H04L 67/60 Scheduling or organising the servicing of application requests, e.g. requests for application data transmissions using the analysis and optimisation of the required network resources
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L 9/321 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving a third party or a trusted authority
    • H04L 9/3213 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving a third party or a trusted authority using tickets or tokens, e.g. Kerberos

Definitions

  • This application belongs to the technical field of massive data processing and in particular relates to a gateway-based internal service invocation method, apparatus, terminal device and computer-readable storage medium.
  • Network isolation solutions are commonly applied in the network architecture of enterprises and government departments, so that different sub-units (internal network areas) are isolated from one another and users cannot leak confidential data privately.
  • Isolated networks still need to exchange data: for example, internal network A needs statistical data from internal network B for program development. On top of the network isolation scheme, an intranet platform is therefore usually built for data exchange.
  • When one internal network wants to access an internal service provided by another internal network, the request must pass the authentication and forwarding of the intranet platform.
  • The intranet platform often imposes special format requirements on requests.
  • When the intranet platform receives a request, it allocates a token to the request in order to verify whether the request is authorised to access the internal service.
  • Because of these access characteristics of the intranet platform, the caller of an internal service must configure the request by hand according to the format requirements and then wait for the intranet platform to allocate a token before the internal service can be accessed.
  • The inventor found that the existing process for invoking internal services is cumbersome, takes a long time to operate and has low invocation efficiency.
  • The embodiments of the present application provide a gateway-based internal service invocation method, apparatus, terminal device and computer-readable storage medium to solve the cumbersome process, complicated manual operations and low invocation efficiency of invoking internal services in the prior art.
  • A first aspect of the embodiments provides a gateway-based internal service invocation method, including:
  • setting the calling object called by a caller to a preset gateway layer address, where the caller is located in an internal network;
  • determining all internal services that have been exposed on the intranet platform and storing the exposure information of all of these internal services in the gateway layer, the exposure information including the address of the internal service;
  • if a call request is received in the gateway layer, verifying the call request against all of the exposure information, determining the internal service requested by the call request as the target service once verification passes, configuring the call request according to the platform forwarding rule corresponding to the intranet platform, and determining the configured call request as the request to be forwarded;
  • judging whether token information corresponding to the request to be forwarded exists in the cache;
  • if token information corresponding to the request to be forwarded exists in the cache, splicing the token information and the request to be forwarded in the gateway layer and sending the spliced request to be forwarded to the intranet platform;
  • authenticating the token information in the spliced request to be forwarded and, once authentication passes, forwarding the request to be forwarded to the target service.
  • A second aspect of the embodiments provides a gateway-based internal service invocation apparatus, including:
  • a setting unit configured to set the calling object called by a caller to a preset gateway layer address, where the caller is located in an internal network;
  • a storage unit configured to determine all internal services that have been exposed on the intranet platform and to store the exposure information of all of these internal services in the gateway layer, the exposure information including the address of the internal service;
  • a configuration unit configured to, if a call request is received in the gateway layer, verify the call request against all of the exposure information, determine the internal service requested by the call request as the target service once verification passes, configure the call request according to the platform forwarding rule corresponding to the intranet platform, and determine the configured call request as the request to be forwarded;
  • a judging unit configured to judge whether token information corresponding to the request to be forwarded exists in the cache;
  • a splicing unit configured to, if token information corresponding to the request to be forwarded exists in the cache, splice the token information with the request to be forwarded in the gateway layer and send the spliced request to be forwarded to the intranet platform;
  • a forwarding unit configured to authenticate the token information in the spliced request to be forwarded and, once authentication passes, forward the request to be forwarded to the target service.
  • A third aspect of the embodiments provides a terminal device.
  • The terminal device includes a memory, a processor, and a computer program stored in the memory and runnable on the processor; when the processor executes the computer program, the steps of the gateway-based internal service invocation method of the first aspect are implemented.
  • A fourth aspect of the embodiments provides a computer-readable storage medium storing a computer program; when the computer program is executed by a processor, the steps of the gateway-based internal service invocation method of the first aspect are implemented.
  • In the embodiments, the calling object is set to the gateway layer address and the exposure information of all internal services is stored in the gateway layer. When a call request is received in the gateway layer, it is verified against all of the exposure information; after verification passes, the format of the call request is configured to obtain the request to be forwarded; the token information corresponding to the request to be forwarded is then looked up in the cache and spliced with the request; finally the spliced request to be forwarded is sent to the intranet platform and, if it passes authentication there, is forwarded to the target service.
  • By configuring the gateway layer in this way, the embodiments automate the format configuration of the call request, reduce manual operation, simplify the token allocation process and improve the efficiency of invoking internal services.
  • FIG. 1 is an implementation flowchart of a gateway-based internal service invocation method provided by Embodiment 1 of the present application;
  • FIG. 2 is an implementation flowchart of a gateway-based internal service invocation method provided by Embodiment 2 of the present application;
  • FIG. 3 is an implementation flowchart of a gateway-based internal service invocation method provided by Embodiment 3 of the present application;
  • FIG. 4 is an implementation flowchart of a gateway-based internal service invocation method provided by Embodiment 4 of the present application;
  • FIG. 5 is a structural block diagram of a gateway-based internal service invoking device provided by Embodiment 5 of the present application;
  • FIG. 6 is a schematic diagram of a terminal device provided in Embodiment 6 of the present application.
  • FIG. 1 shows the implementation flow of the gateway-based internal service invocation method provided by Embodiment 1 of the present application, detailed as follows:
  • The calling object called by the caller is set to a preset gateway layer address, where the caller is located in an internal network.
  • Network isolation is commonly applied inside an organisation: for example, the machines of the development department form one internal network, the machines of the business department form another, and the different internal networks are isolated from each other. Specifically, the isolation can be implemented with firewalls or with hardware isolation.
  • The development department nevertheless needs business-department data as background data for application development, so an intranet platform is usually set up to implement communication between the different internal networks.
  • The embodiments of this application are aimed at this scenario.
  • A gateway layer is set between the internal network and the intranet platform.
  • The gateway layer is an intermediate module that packages requests and forwards them according to specific routing rules.
  • The specific architecture of the intranet platform and of the gateway layer is not limited; any intranet platform and gateway layer able to implement the corresponding functions can be applied in the embodiments.
  • In the existing method, the manually configured call request is sent directly to the intranet platform, which forwards it.
  • In this embodiment, the calling object called by the caller is instead set to the preset gateway layer address, so that a call request initiated by the caller is sent to the gateway layer. The caller is the subject that initiates the call from an internal network; it is an abstract name and may be a piece of code or a file on a machine located in the internal network.
  • The gateway layer address is the Internet Protocol address of the gateway layer and can be customised in advance.
  • S102: determine all internal services that have been exposed on the intranet platform and store the exposure information of all of these internal services in the gateway layer, the exposure information including the address of the internal service.
  • Service exposure enables the intranet platform to display and call the internal service. It refers to uploading the exposure information of the internal service to the intranet platform for registration; only after the registration succeeds will the intranet platform forward requests for that internal service.
  • The embodiments do not limit the service exposure requirements or the format of the exposure information, except that the exposure information must include at least the Internet Protocol address of the internal service. In a practical application scenario, for example, the exposure information also includes the port number and the name of the internal service.
  • While the gateway layer is being set up, all internal services exposed on the intranet platform are determined and their exposure information is stored in the gateway layer. To facilitate subsequent forwarding, a mapping relationship between the gateway layer address and all of the exposure information can also be established in the gateway layer.
  • If a call request is received in the gateway layer, the call request is verified against all of the exposure information, and once verification passes the internal service requested by the call request is determined as the target service.
  • The call request is then configured according to the platform forwarding rule corresponding to the intranet platform, and the configured call request is determined as the request to be forwarded.
  • In this embodiment the caller sends the original, unconfigured call request directly to the gateway layer, and the call request is configured in the gateway layer. Specifically, if a call request is received in the gateway layer, it is verified against all of the exposure information, and the internal service it requests is determined as the target service once verification passes.
  • The verification process depends on the format of the exposure information and of the call request. For example, when the call request carries the name of an internal service, the call request can be verified against the names in the exposure information to determine whether the call request names one of the exposed internal services.
  • Optionally, the target address in the call request is obtained and it is determined whether any exposure information contains that target address. If such exposure information exists, the call request passes verification and the internal service corresponding to that exposure information is determined as the internal service requested by the call request; if no exposure information contains the target address, the call request is discarded and an error message is output.
  • A call request initiated by the caller usually contains a source address (normally the address of the caller) and a target address. The target address indicates the address of the internal service requested by the call request; it has a different meaning from the calling object above, which only indicates the object to which the caller sends the call. The target address is therefore obtained from the call request (where it is located depends on the underlying protocol of the call request, which is not repeated here) and compared with the address of the internal service in every item of exposure information.
  • If the target address is the same as the address of one of the internal services, the call request passes verification and the internal service with that address is determined as the internal service requested by the call request. Otherwise, if the target address differs from the addresses of all internal services, the call request is discarded and an error message is output to the caller indicating that no internal service corresponding to the call request exists. Because addresses are exclusive, that is, different internal services normally have different addresses, verification based on the target address is relatively accurate.
  • The platform forwarding rule is a rule common to all requests that the intranet platform can recognise. It is related to the characteristics of the intranet platform and can be set according to the actual application scenario. For example, the platform forwarding rule may require the field "ESG": only a request whose name contains the field "ESG" can be recognised by the intranet platform, so in this step the field "ESG" is added to the name of the call request to complete its configuration.
  • The configuration process based on the platform forwarding rule can be stored in the gateway layer in advance in code form, so that a call request that passes verification is configured automatically. For ease of distinction, the configured call request is called the request to be forwarded.
  • Token authentication is then performed on the request to be forwarded. Specifically, the verification information in the request to be forwarded is extracted and the cache is checked for token information corresponding to that verification information; the token information indicates that the request to be forwarded has the right to call the target service.
  • The type of verification information can be determined according to the actual application scenario; for example, the verification information can be the user name and password in the request to be forwarded.
  • The cache stores the token information corresponding to the verification information of requests that have previously accessed the target service successfully.
  • Token information is usually given an expiration time (for example one hour) when it is added to the cache; once the expiration time has passed, the token information is discarded.
  • The embodiments do not limit how token information is generated; for example, the token can be generated from the user name, password and a timestamp with the MD5 algorithm or another irreversible (one-way) hash algorithm.
  • The cached token information may differ between internal services. Therefore, when token information is stored in the cache, the internal service it corresponds to is also recorded, and in this step the token information corresponding to the target service is located in the cache before determining whether token information corresponding to the request to be forwarded exists, which improves the accuracy of the judgement.
  • If token information corresponding to the request to be forwarded exists in the cache, the token information and the request to be forwarded are spliced in the gateway layer, and the spliced request to be forwarded is sent to the intranet platform.
  • The presence of token information corresponding to the request to be forwarded in the cache proves that the same request has already been used to call the target service, and for a request that has already called the target service the corresponding token information is also stored in the database. The token information is therefore spliced with the request to be forwarded in the gateway layer, the token information being placed in the request header of the request to be forwarded, and the spliced request is sent to the intranet platform.
  • The mapping relationship from the gateway layer address to the address of the intranet platform is stored in the gateway layer in advance.
  • Optionally, the service access rules corresponding to all internal services are also stored in the gateway layer. A service access rule indicates the access format of an internal service; the spliced request to be forwarded is configured according to the service access rule corresponding to the target service, and the configured request to be forwarded is sent to the intranet platform.
  • The embodiments do not limit the types of service access rules. For example, if the target service only recognises requests sent from a specific address, the service access rule can replace the source address in the spliced request to be forwarded with that address; if the target service only recognises requests using the Hypertext Transfer Protocol Secure (HTTPS) protocol, the service access rule can encapsulate the spliced request to be forwarded according to HTTPS; and if the target service only recognises requests encrypted with a specific key and a specific encryption algorithm, the service access rule can encrypt the spliced request to be forwarded with that key and algorithm.
  • Configuring the request according to the pre-stored service access rule makes the configured request conform to the access specification of the target service, which improves the success rate of internal service invocation.
  • In the intranet platform, the token information in the spliced request to be forwarded is authenticated, and once authentication passes the request to be forwarded is forwarded to the target service.
  • Specifically, the verification information and the token information are extracted from the spliced request and it is determined whether they are consistent with those stored in the database. If they are consistent, authentication passes, the request to be forwarded is forwarded to the target service, the target service is called according to the content of the request, and the internal service invocation is complete. If they are inconsistent, the intranet platform reallocates token information for the request to be forwarded.
  • In this embodiment, the calling object is set to the gateway layer address and the exposure information of all internal services is stored in the gateway layer. When a call request is received in the gateway layer, it is verified against all of the exposure information; after verification passes, the call request is formatted to obtain the request to be forwarded; the token information corresponding to the request to be forwarded is looked up in the cache and spliced with it; finally the spliced request is sent to the intranet platform and, if it passes authentication, is forwarded to the target service.
  • By configuring the gateway layer, this embodiment intercepts the call request in the gateway layer and configures it automatically, reducing manual configuration, simplifying the subsequent token allocation process and improving the efficiency of invoking internal services.
  • FIG. 2 shows an internal service invocation method obtained by extending, on the basis of Embodiment 1, the process of judging whether token information corresponding to the request to be forwarded exists in the cache. The method may include the following steps:
  • If no token information corresponding to the request to be forwarded exists in the cache, no splicing takes place in the gateway layer and the request to be forwarded is sent directly to the intranet platform.
  • In the intranet platform, token information is created and allocated for the request to be forwarded, and the allocated token information is spliced with the request to be forwarded.
  • Specifically, for the request to be forwarded received by the intranet platform, the verification information is extracted and checked for validity, and after it is found valid, token information is generated from it. For example, when the verification information is the user name and password in the request to be forwarded, if the user name is stored in the database and the password matches the user name and is valid, token information is generated from the user name, password and a timestamp using MD5 or another irreversible hash algorithm, and the generated token information is spliced with the request to be forwarded.
  • This embodiment creates new token information in the intranet platform, completing the token allocation mechanism and making service invocation more comprehensive.
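The gateway-layer flow of Embodiments 1 and 2 as a runnable model, added here as an example; it is not code from the patent or from the applicant. The class and field names, the `X-Token` header, the `.ESG` suffix form of the platform forwarding rule, the request shape, the use of a `required_source` field as the service access rule, the platform returning the token it allocated so the gateway can cache it, and the sample credentials are all assumptions. One technique is swapped in deliberately: the text derives the token from user name, password and timestamp with MD5 or another one-way hash, which lets anyone who knows the credentials and the clock compute a valid token themselves; the example instead uses an HMAC keyed with a platform-side secret, so only the platform can mint a token.

```python
"""Added model of the gateway layer and intranet platform from Embodiments 1 and 2.

All names, the header, the token format and the sample data are assumptions made for
this illustration; the patent text fixes the steps, not the formats.
"""
import hashlib
import hmac
import time
from dataclasses import dataclass, field, replace
from typing import Optional

PLATFORM_RULE_FIELD = "ESG"       # platform forwarding rule: request name must contain "ESG"
TOKEN_TTL_SECONDS = 3600          # the one-hour expiry given as an example in the text
TOKEN_HEADER = "X-Token"          # assumed header the token is spliced into
PLATFORM_SECRET = b"constructed-demo-key"  # assumed platform-side key (HMAC instead of MD5)


@dataclass
class Exposure:
    """Exposure information registered on the intranet platform; address is mandatory."""
    address: str
    port: int
    name: str
    required_source: Optional[str] = None  # service access rule: rewrite source to this


@dataclass
class CallRequest:
    name: str
    source: str
    target: str        # address of the requested internal service
    username: str      # verification information carried by the request
    password: str
    headers: dict = field(default_factory=dict)


class IntranetPlatform:
    """Authenticates the token in a forwarded request, or allocates one (Embodiment 2)."""

    def __init__(self, users, clock=time.time):
        self._users = users    # constructed sample credentials: username -> password
        self._issued = {}      # token -> (username, target, expiry): the "database"
        self._clock = clock

    def _issue(self, req):
        ts = int(self._clock())
        msg = f"{req.username}|{req.target}|{ts}".encode()
        token = hmac.new(PLATFORM_SECRET, msg, hashlib.sha256).hexdigest()
        self._issued[token] = (req.username, req.target, ts + TOKEN_TTL_SECONDS)
        return token

    def handle(self, req):
        """Return (status, token): 'forwarded', 'unrecognised' or 'unauthorized'."""
        if PLATFORM_RULE_FIELD not in req.name:
            return "unrecognised", None        # platform forwarding rule not satisfied
        token = req.headers.get(TOKEN_HEADER, "")
        rec = self._issued.get(token)
        if rec and rec[:2] == (req.username, req.target) and rec[2] > self._clock():
            return "forwarded", token          # token consistent with the database
        if self._users.get(req.username) != req.password:
            return "unauthorized", None        # verification information invalid
        return "forwarded", self._issue(req)   # reallocate a token, then forward


class GatewayLayer:
    """Verifies the call request, configures it, splices the cached token and forwards."""

    def __init__(self, platform, exposures, clock=time.time):
        self._platform = platform
        self._exposed = {e.address: e for e in exposures}  # exposure info held in the gateway
        self._cache = {}       # (username, target address) -> (token, expiry)
        self._clock = clock

    def cached_token(self, username, target):
        entry = self._cache.get((username, target))
        return entry[0] if entry else None

    def verify(self, req):
        """The target address must equal the address of an exposed internal service."""
        return self._exposed.get(req.target)

    def configure(self, req, target):
        """Apply the platform forwarding rule and the target's service access rule."""
        name = req.name if PLATFORM_RULE_FIELD in req.name else f"{req.name}.{PLATFORM_RULE_FIELD}"
        source = target.required_source or req.source
        return replace(req, name=name, source=source, headers=dict(req.headers))

    def handle(self, req):
        """Return (status, request to be forwarded); status 'error' means discarded."""
        target = self.verify(req)
        if target is None:
            return "error", None               # no exposed service at that address
        fwd = self.configure(req, target)
        key, now = (req.username, target.address), self._clock()
        cached = self._cache.pop(key, None)    # expired entries are dropped here
        if cached and cached[1] > now:
            self._cache[key] = cached
            fwd.headers[TOKEN_HEADER] = cached[0]   # splice the token into the header
        status, token = self._platform.handle(fwd)
        if status == "forwarded":
            self._cache[key] = (token, now + TOKEN_TTL_SECONDS)
        return status, fwd
```

The cache key pairs the verification information with the target address, matching the text's point that tokens are recorded per internal service; the first call for a user reaches the platform without a token and comes back with one, later calls carry it in the header, and an expired entry is dropped by the gateway before the platform ever sees it.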
  • FIG. 3 shows an internal service invocation method obtained by refining, on the basis of Embodiment 1, the process of setting the calling object called by the caller to the preset gateway layer address. The method may include the following steps:
  • In the traditional method the calling object of the caller is the address of the intranet platform (called the platform address here for distinction). This embodiment improves on the traditional method: the caller's underlying code is searched for the platform address, and each line of underlying code containing the platform address is determined as calling code.
  • The platform address is the calling object of the calling code, so in this step the platform address in all calling code is replaced with the gateway layer address to complete the replacement of the calling object. After the replacement, when the calling code runs, the call request is automatically sent to the gateway layer.
  • This embodiment improves the convenience of setting the calling object by replacing platform addresses in batch.
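The batch replacement of Embodiment 3 as an added example; it is not the applicant's code. The hypothetical `replace_platform_address` function treats every line containing the platform address as calling code and rewrites it. The check a practitioner wants here is that the platform address matches only as a whole token: a plain substring replacement of `10.0.0.1` would also corrupt an unrelated `10.0.0.10` on the same line. The addresses and source lines are constructed.

```python
"""Added example of the batch platform-address replacement from Embodiment 3."""
import re


def replace_platform_address(source_lines, platform_address, gateway_address):
    """Return (rewritten lines, indices of the lines that were calling code).

    The platform address is matched only as a whole token: it must not be preceded
    or followed by a letter, digit, underscore or dot, so "10.0.0.1" does not match
    inside "10.0.0.10" or "210.0.0.1".  Works for host names as well as IP literals.
    """
    pattern = re.compile(r"(?<![\w.])" + re.escape(platform_address) + r"(?![\w.])")
    rewritten, calling_code = [], []
    for index, line in enumerate(source_lines):
        if pattern.search(line):
            calling_code.append(index)            # this line is calling code
            rewritten.append(pattern.sub(gateway_address, line))
        else:
            rewritten.append(line)
    return rewritten, calling_code


# Constructed sample of a caller's underlying code (assumed addresses)
SAMPLE_CODE = [
    'PLATFORM = "http://10.0.0.1:8080/api"',
    'BACKUP = "10.0.0.10"',
    'resp = post("http://10.0.0.1:8080/api/stats", body)',
    'log("done")',
]

if __name__ == "__main__":
    lines, hits = replace_platform_address(SAMPLE_CODE, "10.0.0.1", "10.0.0.254")
    print("\n".join(lines), hits)
```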
  • Figure 4 shows an internal service invoking method obtained by extending the process before configuring the invocation request according to the platform forwarding rules corresponding to the intranet platform on the basis of the first embodiment of the present application.
  • the embodiment of the present application provides an implementation flowchart of a gateway-based internal service invocation method. As shown in FIG. 4, the internal service invocation method may include the following steps:
  • A permission address set corresponding to each internal service in the intranet platform is obtained, and the source address in the call request is obtained, wherein the permission address set includes at least one address permitted to access the internal service, and the source address is the address of the caller that initiated the call request.
  • The authority address set corresponding to the internal service can also be stored together with it.
  • The authority address set includes at least one address authorized to access the internal service.
  • The address and the authority address set can be set by the manager of the internal service.
  • The source address in the call request is obtained to facilitate subsequent analysis.
  • The source address is the address of the caller that initiated the call request.
  • If the source address in the call request is located in the permission address set corresponding to the target service, this proves that the call request has permission to access the target service, and the subsequent operation of configuring the call request according to the platform forwarding rules preset in the intranet platform continues.
  • Otherwise, the gateway layer intercepts the call request and outputs a prompt of unauthorized access to the caller that initiated the call request.
  • The prompt can be sent in a front-end prompt box, by SMS, or by email, which is not limited in this embodiment of the application.
  • In this embodiment of the application, it is determined whether the source address in the call request is located in the authority address set corresponding to the target service. If the source address is located in the authority address set, the subsequent operation of configuring the call request according to the platform forwarding rules preset in the intranet platform is executed normally; if the source address is not located in the authority address set, the call request is intercepted, and the caller is notified that it has no right to access.
  • This embodiment of the application intercepts a call request in time when the call request has no right to access the target service, saving computing resources.
  • FIG. 5 shows a structural block diagram of the gateway-based internal service invocation device provided in an embodiment of the present application.
  • the internal service invocation device includes:
  • the setting unit 51 is configured to set the calling object called by the caller to a preset gateway layer address, where the caller is located in an internal network, and the gateway layer address is a preset gateway layer address;
  • the storage unit 52 is configured to determine all internal services that have been exposed to services on the intranet platform, and store the exposure information of all the internal services in the gateway layer, and the exposure information includes the address of the internal service;
  • the configuration unit 53 is configured to, if a call request is received in the gateway layer, verify the call request according to all the exposure information, and after the verification is passed, determine the internal service requested by the call request as the target service, configure the invocation request according to the platform forwarding rules corresponding to the intranet platform, and determine the configured invocation request as the request to be forwarded;
  • the judging unit 54 is configured to judge whether there is token information corresponding to the request to be forwarded in the cache;
  • the splicing unit 55 is configured to splice the token information with the request to be forwarded in the gateway layer if the token information corresponding to the request to be forwarded exists in the cache, and send the spliced request to be forwarded to the intranet platform;
  • the forwarding unit 56 is configured to authenticate the token information in the spliced request to be forwarded, and after the authentication is passed, forward the request to be forwarded to the target service.
  • the configuration unit 53 includes:
  • the target address obtaining unit is configured to obtain the target address in the call request, and determine whether the exposure information including the target address exists;
  • the verification passing unit is configured to, if the exposure information including the target address exists, determine that the invocation request has passed the verification, and determine that the internal service corresponding to that exposure information is the internal service requested by the invocation request;
  • the discarding unit is configured to discard the call request and output an error prompt if the exposed information including the target address does not exist.
  • the gateway layer also stores service access rules corresponding to all internal services, and the service access rules are used to indicate the access format of the internal services, and the splicing unit 55 includes:
  • the rule configuration unit is configured to configure the spliced request to be forwarded according to the service access rule corresponding to the target service, and send the configured request to be forwarded to the intranet platform.
  • the judging unit 54 further includes:
  • a sending unit configured to send the request to be forwarded to the intranet platform in the gateway layer if the token information corresponding to the request to be forwarded does not exist in the cache;
  • the creation unit is configured to create the token information for the request to be forwarded, and to splice the created token information with the request to be forwarded.
  • the setting unit 51 includes:
  • the search unit is configured to search the bottom-level code of the caller according to the platform address, and determine each line of bottom-level code containing the platform address as calling code, where the platform address is the address of the intranet platform;
  • the replacement unit is used to replace the platform address in all the calling codes with the gateway layer address.
  • the configuration unit 53 further includes:
  • the source address obtaining unit is configured to obtain the authority address set corresponding to each of the internal services in the intranet platform, and obtain the source address in the call request, wherein the authority address set includes at least one address authorized to access the internal service, and the source address is the address of the caller that initiated the call request;
  • An execution unit configured to execute the operation of configuring the call request according to a platform forwarding rule preset in the intranet platform if the source address is in the authority address set corresponding to the target service;
  • the interception unit is configured to intercept the call request if the source address is not located in the authority address set corresponding to the target service, and output a prompt of unauthorized access to the caller who initiated the call request.
  • The gateway-based internal service invocation device provided by this embodiment reduces manual configuration operations by setting the gateway layer, simplifies the token distribution process by distributing token information through the cache, and improves the convenience and efficiency of internal service invocation.
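As an added example, not code from the patent or the applicant, the following Python sketch models the pipeline that the device units above describe together with the source-address check of the preceding embodiment: exposure-information lookup on the target address, the authority address set check, the token cache lookup and splice in the gateway layer, token creation on the platform when the cache is empty, and platform-side token authentication before forwarding. All service names, addresses, the HMAC token format, and the write-back of a newly created token into the gateway cache are assumptions made for this example.

```python
"""Added example, not the patent's own code: a toy model of the gateway layer
described above. Service names, addresses, the HMAC token construction and the
cache write-back of newly created tokens are constructed assumptions."""
from dataclasses import dataclass
import hashlib
import hmac
import secrets


@dataclass(frozen=True)
class Exposure:
    """Exposure information stored in the gateway layer for one internal service."""
    name: str
    address: str                 # address of the internal service on the platform
    allowed_sources: frozenset   # authority address set: callers permitted to access it
    access_rule: str             # service access rule: format of the forwarded path


@dataclass(frozen=True)
class CallRequest:
    source: str    # address of the caller that initiated the request
    target: str    # target address carried in the call request
    payload: str


class IntranetPlatform:
    """Creates and authenticates token information. The token is an HMAC over
    (service, source) under a platform-held key; this construction is an
    assumption, the patent does not fix a token format."""

    def __init__(self):
        self._key = secrets.token_bytes(32)

    def create_token(self, service, source):
        msg = f"{service}|{source}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def authenticate(self, service, source, token):
        expected = self.create_token(service, source).encode()
        return hmac.compare_digest(str(token).encode(), expected)

    def handle(self, fwd):
        """Receive a request to be forwarded (a dict built by the gateway)."""
        if fwd.get("token") is None:
            # No token in the gateway cache: create token information for this
            # request and splice it in (the creation unit described above).
            fwd["token"] = self.create_token(fwd["service"], fwd["source"])
            fwd["token_created"] = True
        if not self.authenticate(fwd["service"], fwd["source"], fwd["token"]):
            return {"status": 401, "error": "token authentication failed"}
        # Authentication passed: forward to the target service (simulated here).
        return {"status": 200, "forwarded_to": fwd["target_address"],
                "path": fwd["path"], "token": fwd["token"]}


class Gateway:
    def __init__(self, platform, exposures):
        self.platform = platform
        self.exposures = {e.address: e for e in exposures}  # keyed by target address
        self.token_cache = {}  # (service, source) -> token information

    def handle(self, req):
        # Verify the call request against all exposure information (target address).
        exp = self.exposures.get(req.target)
        if exp is None:
            return {"status": 404, "error": "no exposure information for target, request discarded"}
        # Authority address set check on the source address.
        if req.source not in exp.allowed_sources:
            return {"status": 403, "error": "unauthorized access"}
        # Configure the request per the service access rule, then splice any cached token.
        fwd = {"service": exp.name, "source": req.source, "target_address": exp.address,
               "path": exp.access_rule.format(payload=req.payload),
               "token": self.token_cache.get((exp.name, req.source))}
        resp = self.platform.handle(fwd)
        if resp["status"] == 200 and fwd.get("token_created"):
            # Assumption: newly created token information is distributed back into
            # the gateway cache so later requests can splice it directly.
            self.token_cache[(exp.name, req.source)] = resp["token"]
        return resp
```

Note that only the platform can validate a token: a wrong value placed in the gateway cache is rejected at the authentication step rather than trusted by the gateway.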
  • Fig. 6 is a schematic diagram of a terminal device provided by an embodiment of the present application.
  • The terminal device 6 of this embodiment includes: a processor 60, a memory 61, and a computer program 62 stored in the memory 61 and runnable on the processor 60, such as a gateway-based internal service invocation program.
  • When the processor 60 executes the computer program 62, the steps in the above embodiments of the gateway-based internal service invoking method are implemented, and the steps include: S101. Setting the calling object called by the caller as a preset gateway layer address, where the caller is located in an internal network, and the gateway layer address is a preset gateway layer address; S102.
  • If the token information corresponding to the request to be forwarded exists in the cache, then, in the gateway layer, the token information is spliced with the request to be forwarded, and the spliced request to be forwarded is sent to the intranet platform; S106.
  • The token information in the spliced request to be forwarded is authenticated, and after the authentication is passed, the request to be forwarded is forwarded to the target service.
  • the computer program 62 may be divided into one or more units, and the one or more units are stored in the memory 61 and executed by the processor 60 to complete the application.
  • the one or more units may be a series of computer program instruction segments capable of completing specific functions, and the instruction segments are used to describe the execution process of the computer program 62 in the terminal device 6.
  • the computer program 62 can be divided into a setting unit, a storage unit, a configuration unit, a judgment unit, a splicing unit, and a forwarding unit.
  • the specific functions of each unit are as follows:
  • the setting unit is configured to set the calling object called by the caller to a preset gateway layer address, where the caller is located in an internal network, and the gateway layer address is the preset gateway layer address;
  • the storage unit is configured to determine all internal services that have been exposed to services on the intranet platform, and store the exposure information of all the internal services in the gateway layer, and the exposure information includes the address of the internal service;
  • the configuration unit is configured to, if a call request is received in the gateway layer, verify the call request according to all the exposure information, and after the verification is passed, determine the internal service requested by the call request as the target service, configure the call request according to the platform forwarding rules corresponding to the intranet platform, and determine the configured call request as the request to be forwarded;
  • the judging unit is configured to judge whether there is token information corresponding to the request to be forwarded in the cache;
  • the splicing unit is configured to, if the token information corresponding to the request to be forwarded exists in the cache, splice the token information with the request to be forwarded in the gateway layer, and send the spliced request to be forwarded to the intranet platform;
  • the forwarding unit is configured to authenticate the token information in the spliced request to be forwarded, and after the authentication is passed, forward the request to be forwarded to the target service.
  • the terminal device 6 may be a computing device such as a desktop computer, a notebook, a palmtop computer, and a cloud server.
  • the terminal device may include, but is not limited to, a processor 60 and a memory 61.
  • FIG. 6 is only an example of the terminal device 6 and does not constitute a limitation on the terminal device 6. It may include more or less components than shown in the figure, or a combination of certain components, or different components.
  • the terminal device may also include input and output devices, network access devices, buses, etc.
  • the so-called processor 60 may be a central processing unit (Central Processing Unit, CPU), it can also be other general-purpose processors, Digital Signal Processor (DSP), Application Specific Integrated Circuit (ASIC), Field-Programmable Gate Array (Field-Programmable Gate Array, FPGA) or other programmable logic devices, discrete gate or transistor logic devices, discrete hardware components, etc.
  • the general-purpose processor may be a microprocessor or the processor may also be any conventional processor or the like.
  • the memory 61 may be an internal storage unit of the terminal device 6, such as a hard disk or memory of the terminal device 6.
  • The memory 61 may also be an external storage device of the terminal device 6, such as a plug-in hard disk, a Smart Media Card (SMC), a Secure Digital (SD) card, a flash card, etc., equipped on the terminal device 6.
  • the memory 61 may also include both an internal storage unit of the terminal device 6 and an external storage device.
  • the memory 61 is used to store the computer program and other programs and data required by the terminal device.
  • the memory 61 can also be used to temporarily store data that has been output or will be output.
  • the disclosed terminal device and method may be implemented in other ways.
  • the terminal device embodiments described above are only illustrative.
  • the division of the units is only a logical function division.
  • There may be other division methods in actual implementation; for example, multiple units or components may be combined or integrated into another system, or some features may be ignored or not implemented.
  • the displayed or discussed mutual coupling or direct coupling or communication connection may be indirect coupling or communication connection through some interfaces, devices or units, and may be in electrical, mechanical or other forms.
  • the units described as separate components may or may not be physically separated, and the components displayed as units may or may not be physical units, that is, they may be located in one place, or they may be distributed on multiple network units. Some or all of the units may be selected according to actual needs to achieve the objectives of the solutions of the embodiments.
  • each unit in each embodiment of the present application may be integrated into one processing unit, or each unit may exist alone physically, or two or more units may be integrated into one unit.
  • the above-mentioned integrated unit can be implemented in the form of hardware or software functional unit.
  • If the integrated unit is implemented in the form of a software functional unit and sold or used as an independent product, it can be stored in a computer-readable storage medium.
  • The computer-readable storage medium may be volatile or non-volatile.
  • All or part of the processes in the above method embodiments of this application can also be completed by instructing the relevant hardware through a computer program.
  • the computer program can be stored in a computer-readable storage medium.
  • The steps of the foregoing method embodiments can be implemented. The steps include: S101. Setting the calling object called by the caller to a preset gateway layer address, wherein the caller is located in an internal network, and the gateway layer address is a preset gateway layer address; S102.
  • The call request is configured according to the platform forwarding rule corresponding to the intranet platform, and the configured call request is determined as a request to be forwarded; S104. Determine whether there is token information corresponding to the request to be forwarded in the cache; S105.
  • If the token information corresponding to the request to be forwarded exists in the cache, the token information and the request to be forwarded are spliced in the gateway layer, and the spliced request to be forwarded is sent to the intranet platform; S106.
  • The token information in the spliced request to be forwarded is authenticated, and after the authentication is passed, the request to be forwarded is forwarded to the target service.
  • the computer program includes computer program code, and the computer program code may be in the form of source code, object code, executable file, or some intermediate forms.
  • The computer-readable medium may include: any entity or device capable of carrying the computer program code, a recording medium, a USB flash drive, a removable hard disk, a magnetic disk, an optical disk, a computer memory, a read-only memory (ROM), a random access memory (RAM), an electrical carrier signal, a telecommunications signal, and software distribution media.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The present invention is applicable to the technical field of massive data processing, and relates to a gateway-based internal service invocation method and apparatus, a terminal device and a computer-readable storage medium. The method comprises: setting a calling object called by a caller as a gateway-layer address; storing exposure information of all internal services in a gateway layer; verifying, according to all the exposure information, a call request received by the gateway layer, and once the verification succeeds, determining the corresponding internal service as a target service and configuring the call request according to a platform forwarding rule to obtain a request to be forwarded; if token information corresponding to the request to be forwarded is present in a cache, splicing the token information with the request to be forwarded, and sending the spliced request to be forwarded to an intranet platform; and authenticating the token information, and once the authentication succeeds, forwarding the request to be forwarded to the target service. According to the present invention, by configuring the gateway layer, manual operation is reduced and the efficiency of internal service invocation is improved.
PCT/CN2020/087383 2019-05-21 2020-04-28 Procédé et appareil d'invocation de service interne basés sur une passerelle, et dispositif terminal WO2020233361A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201910422745.XA CN110266764B (zh) 2019-05-21 2019-05-21 基于网关的内部服务调用方法、装置及终端设备
CN201910422745.X 2019-05-21

Publications (1)

Publication Number Publication Date
WO2020233361A1 true WO2020233361A1 (fr) 2020-11-26

Family

ID=67914943

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2020/087383 WO2020233361A1 (fr) 2019-05-21 2020-04-28 Procédé et appareil d'invocation de service interne basés sur une passerelle, et dispositif terminal

Country Status (2)

Country Link
CN (1) CN110266764B (fr)
WO (1) WO2020233361A1 (fr)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114221946A (zh) * 2021-12-17 2022-03-22 平安壹钱包电子商务有限公司 基于对象网关管理文件的方法、装置、设备及存储介质
CN115567603A (zh) * 2022-08-17 2023-01-03 海南凤凰木科技有限公司 一种代理路由转发方法、装置、智能终端及存储介质
CN115733837A (zh) * 2021-08-30 2023-03-03 中移物联网有限公司 一种信息处理方法、网关、系统和存储介质

Families Citing this family (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110266764B (zh) * 2019-05-21 2021-10-26 深圳壹账通智能科技有限公司 基于网关的内部服务调用方法、装置及终端设备
CN113179243B (zh) * 2021-03-10 2022-11-18 中国人民财产保险股份有限公司 一种接口调用的鉴权方法、装置、设备及存储介质
CN113572759B (zh) * 2021-07-21 2023-05-23 华控清交信息科技(北京)有限公司 一种数据管理方法、装置、电子设备及存储介质
CN113923203B (zh) * 2021-10-29 2023-07-11 中国平安财产保险股份有限公司 网络请求校验方法、装置、设备及存储介质
CN114285582B (zh) * 2021-12-22 2024-04-05 中国电信股份有限公司 信息合法性的校验方法及装置、存储介质、电子设备
CN114285852B (zh) * 2021-12-28 2023-12-26 杭州数梦工场科技有限公司 基于多级服务平台的服务调用方法及装置
CN115118705B (zh) * 2022-06-28 2024-03-15 重庆大学 一种基于微服务的工业边缘管控平台
CN115396276A (zh) * 2022-08-04 2022-11-25 重庆长安汽车股份有限公司 一种互联网平台接口文档的处理方法、装置、设备及介质

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108901022A (zh) * 2018-06-28 2018-11-27 深圳云之家网络有限公司 一种微服务统一鉴权方法及网关
CN109309666A (zh) * 2018-08-22 2019-02-05 中国平安财产保险股份有限公司 一种网络安全中的接口安全控制方法及终端设备
IN201911007700A (fr) * 2019-02-27 2019-03-22
CN110266764A (zh) * 2019-05-21 2019-09-20 深圳壹账通智能科技有限公司 基于网关的内部服务调用方法、装置及终端设备

Family Cites Families (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP2157759B1 (fr) * 2004-09-07 2013-01-09 Research In Motion Limited Système et procédé d'actualisation de l'état de confiance d'un message
CN100592720C (zh) * 2006-12-22 2010-02-24 腾讯科技(深圳)有限公司 实现外网用户与局域网用户即时通信的方法及系统
CN102215154B (zh) * 2010-04-06 2016-05-25 中兴通讯股份有限公司 网络业务的访问控制方法及终端
CN104869101B (zh) * 2014-02-21 2018-02-23 华为技术有限公司 一种通道建立的方法和设备
CN109597854A (zh) * 2018-10-31 2019-04-09 深圳壹账通智能科技有限公司 一种服务请求的路由方法、装置、计算机设备及计算机存储介质
CN109617907B (zh) * 2019-01-04 2022-04-08 平安科技(深圳)有限公司 认证方法、电子装置及计算机可读存储介质

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108901022A (zh) * 2018-06-28 2018-11-27 深圳云之家网络有限公司 一种微服务统一鉴权方法及网关
CN109309666A (zh) * 2018-08-22 2019-02-05 中国平安财产保险股份有限公司 一种网络安全中的接口安全控制方法及终端设备
IN201911007700A (fr) * 2019-02-27 2019-03-22
CN110266764A (zh) * 2019-05-21 2019-09-20 深圳壹账通智能科技有限公司 基于网关的内部服务调用方法、装置及终端设备

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
谭一鸣 (TAN, YIMING): "基于微服务架构的平台化服务框架的设计与实现 (Design and Development of Platformization Service Framework Based on Microservice Architecture)", 中国优秀硕士学位论文全文数据库信息科技辑 (INFORMATION & TECHNOLOGY, CHINA MASTER'S THESES FULL-TEXT DATABASE), 15 January 2018 (2018-01-15), DOI: 20200710093123A *

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115733837A (zh) * 2021-08-30 2023-03-03 中移物联网有限公司 一种信息处理方法、网关、系统和存储介质
CN115733837B (zh) * 2021-08-30 2024-06-11 中移物联网有限公司 一种信息处理方法、网关、系统和存储介质
CN114221946A (zh) * 2021-12-17 2022-03-22 平安壹钱包电子商务有限公司 基于对象网关管理文件的方法、装置、设备及存储介质
CN114221946B (zh) * 2021-12-17 2023-09-29 平安壹钱包电子商务有限公司 基于对象网关管理文件的方法、装置、设备及存储介质
CN115567603A (zh) * 2022-08-17 2023-01-03 海南凤凰木科技有限公司 一种代理路由转发方法、装置、智能终端及存储介质

Also Published As

Publication number Publication date
CN110266764B (zh) 2021-10-26
CN110266764A (zh) 2019-09-20


Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 20809752

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

32PN Ep: public notification in the ep bulletin as address of the adressee cannot be established

Free format text: NOTING OF LOSS OF RIGHTS PURSUANT TO RULE 112(1) EPC (EPO FORM 1205A DATED 01.03.2022)

122 Ep: pct application non-entry in european phase

Ref document number: 20809752

Country of ref document: EP

Kind code of ref document: A1