WO2021238990A1 - Authentication method, apparatus, electronic device and server, program and storage medium - Google Patents

Authentication method, apparatus, electronic device and server, program and storage medium

Info

Publication number
WO2021238990A1
Authority
WO
WIPO (PCT)
Prior art keywords
server
verified
access request
identification
port
Application number
PCT/CN2021/096101
Other languages
English (en)
French (fr)
Inventor
施剑峰
Original Assignee
杭州海康威视数字技术股份有限公司
Application filed by 杭州海康威视数字技术股份有限公司
Priority to EP21811788.5A (EP4161012A4)
Publication of WO2021238990A1

Classifications

    • H ELECTRICITY
      • H04 ELECTRIC COMMUNICATION TECHNIQUE
        • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
          • H04L 63/00 Network architectures or network communication protocols for network security
            • H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities
              • H04L 63/0807 Network architectures or network communication protocols for network security for authentication of entities using tickets, e.g. Kerberos
              • H04L 63/083 Network architectures or network communication protocols for network security for authentication of entities using passwords
              • H04L 63/0876 Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
            • H04L 63/12 Applying verification of the received information
          • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
            • H04L 9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
              • H04L 9/088 Usage controlling of secret information, e.g. techniques for restricting cryptographic keys to pre-authorized uses, different access levels, validity of crypto-period, different key- or password length, or different strong and weak cryptographic algorithms
            • H04L 9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
              • H04L 9/3215 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using a plurality of channels

Definitions

  • This application relates to the field of computer communication, and in particular to an authentication method, device, electronic equipment, server, program, and storage medium.
  • a server management platform for managing all the servers is usually deployed in the network architecture.
  • When the client needs to access the network resources on the server, it first has to log in to the server management platform, and then log in to the server in order to access the network resources on the server.
  • To log in to the server management platform, the client has to submit its user information to the server management platform, so that the server management platform can authenticate the user information of the client.
  • After the server management platform has authenticated the user information of the client, the client also has to submit the user information to the server, so that the server authenticates the user information of the client.
  • After the server has authenticated the client, the server returns to the client the network resources accessed by the client.
  • The user therefore has to submit user information multiple times, which not only greatly reduces authentication efficiency but also causes great inconvenience to the user.
  • this application provides an authentication method, device, electronic device, server, program, and storage medium to improve user authentication efficiency.
  • an authentication method comprising: in the case of receiving an access request from a client, generating identification information to be carried in the access request, and sending the access request carrying the identification information to the first designated port on the server; obtaining the identifier to be verified returned by the first designated port, where the identifier to be verified is returned by the server, when it monitors that the first designated port receives the access request, based on the identification information carried in the access request; verifying the identifier to be verified, and in the case that it passes verification, sending to the second designated port on the server a first message indicating that the identifier to be verified has passed verification, so that the server responds to the access request when it monitors that the second designated port receives the first message.
  • the method is executed by an electronic device, the electronic device being a device on the access path through which the client accesses the server and connected to the server; the first designated port is the first port on the server connected to the electronic device, and the second designated port is the second port on the server connected to the electronic device; or, the method is executed by the server, the first designated port is the port on the server corresponding to the first designated protocol, and the second designated port is the port on the server corresponding to the second designated protocol.
  • the server includes a legal verification module and a business module.
  • when the method is executed by the server, it is executed by the legal verification module of the server; the legal verification module sends the access request to the service module through the first port and sends the first message to the service module through the second port, and the service module responds to the access request.
  • the method further includes recording the identification information; verifying the identifier to be verified then includes searching the recorded identification information for identification information that matches the identifier to be verified; if it exists, the identifier to be verified is determined to have passed verification, and if it does not exist, the identifier to be verified is determined to have failed verification.
  • the method further includes: after determining that the identifier to be verified has passed verification, deleting the identification information that matches it; and/or deleting the identification information when it is detected that the aging time of the identification information has been reached.
  • the method further includes: in the case that the identifier to be verified fails verification, sending to the second designated port a second message indicating that the identifier to be verified has failed verification, so that the server, when it monitors that the second designated port receives the second message, instructs the client to provide verification information, verifies the verification information provided by the client, and responds to the access request after that verification passes.
  • an authentication method executed by a server, the method including: in the case of monitoring that a first designated port on the server receives an access request, returning an identifier to be verified, based on the identification information carried in the access request, to the peer that sent the access request; and in the case of monitoring that a second designated port on the server receives a first message indicating that the identifier to be verified has passed verification, responding to the access request.
  • the first designated port is the first port on the server connected to the opposite end, the second designated port is the second port on the server connected to the opposite end, and the opposite end is an electronic device on the access path through which the client accesses the server and connected to the server; or, the first designated port is the port on the server corresponding to the first designated protocol, and the second designated port is the port on the server corresponding to the second designated protocol.
  • the method further includes: in the case of monitoring that the second designated port receives a second message indicating that the identifier to be verified has failed verification, instructing the client to provide verification information, verifying the verification information provided by the client, and responding to the access request after that verification passes.
  • the server includes a legal verification module and a business module; the method is executed by the business module of the server, and the legal verification module is the opposite end; the business module establishes a first connection with the legal verification module through the first designated port, and establishes a second connection with the legal verification module through the second designated port.
  • an authentication device comprising: a generating unit configured to, in the case of receiving an access request from a client, generate identification information to be carried in the access request and send the access request carrying the identification information to the first designated port on the server; an obtaining unit configured to obtain the identifier to be verified returned by the first designated port, where the identifier to be verified is returned by the server, when it monitors that the first designated port receives the access request, based on the identification information carried in the access request; and a verification unit configured to verify the identifier to be verified and, in the case that it passes verification, send to the second designated port on the server a first message indicating that the identifier to be verified has passed verification, so that the server responds to the access request when it monitors that the second designated port receives the first message.
  • an authentication device comprising: a sending unit configured to, in the case of monitoring that a first designated port on the server receives an access request, return an identifier to be verified, based on the identification information carried in the access request, to the peer that sent the access request; and a response unit configured to respond to the access request in the case of monitoring that the second designated port on the server receives a first message indicating that the identifier to be verified has passed verification.
  • an electronic device including a readable storage medium and a processor, wherein the readable storage medium is used for storing machine-executable instructions, and the processor is used to read the machine-executable instructions from the readable storage medium and execute them to implement the steps of the authentication method in the first aspect described above.
  • a server including a readable storage medium and a processor, wherein the readable storage medium is used for storing machine-executable instructions, and the processor is used to read the machine-executable instructions from the readable storage medium and execute them to implement the steps of the authentication method in the second aspect described above.
  • a computer program is provided, the computer program is stored in a machine-readable storage medium, and when the processor executes the computer program, the processor is prompted to implement the authentication method in the first aspect.
  • a computer program is provided, the computer program is stored in a machine-readable storage medium, and when the processor executes the computer program, the processor is prompted to implement the authentication method in the second aspect.
  • a machine-readable storage medium stores machine-executable instructions which, when called and executed by a processor, prompt the processor to execute the authentication method in the first aspect.
  • a machine-readable storage medium stores machine-executable instructions which, when called and executed by a processor, prompt the processor to execute the authentication method in the second aspect.
  • identification information is added to the access request received from the client, the access request carrying the identification information is then sent to the server, and the server returns an identifier to be verified based on the identification information it received; the legitimacy of the user is authenticated by verifying this identifier to be verified instead of verifying user information, so the server does not require the user to input user information multiple times during authentication, which greatly improves authentication efficiency and makes operation more convenient for the user.
  • Fig. 1 is a schematic diagram of an authentication networking shown in an exemplary embodiment of the present application.
  • Fig. 2 is a flowchart of the traditional method for accessing network resources shown in this application.
  • Fig. 3 is a flowchart of an authentication method shown in an exemplary embodiment of the present application.
  • Fig. 4 is a flowchart of another authentication method shown in an exemplary embodiment of the present application.
  • Fig. 5 is an interaction diagram of an authentication method shown in an exemplary embodiment of the present application.
  • Fig. 6 is a hardware structure diagram of an electronic device shown in an exemplary embodiment of the present application.
  • Fig. 7 is a block diagram of an authentication device shown in an exemplary embodiment of the present application.
  • Fig. 8 is a hardware structure diagram of a server shown in an exemplary embodiment of the present application.
  • Fig. 9 is a block diagram of another authentication device shown in an exemplary embodiment of the present application.
  • first, second, third, etc. may be used in this application to describe various information, the information should not be limited to these terms. These terms are only used to distinguish the same type of information from each other.
  • first information may also be referred to as second information, and similarly, the second information may also be referred to as first information.
  • the word “if” as used herein can be interpreted as “when”, “upon”, or “in response to determining”.
  • FIG. 1 is a schematic diagram of an authentication networking shown in an exemplary embodiment of the present application.
  • the authentication network includes: a client, a server management platform, and at least one server.
  • the server has been certified by the server management platform in advance, and the server management platform can manage the server.
  • the traditional way for a client to access the network resources of the server is: the client needs to log in to the server management platform first, and then log in to the server to access the network resources on the server.
  • FIG. 2 is a flowchart of the traditional method for accessing network resources shown in this application.
  • Step 201 The client sends a first authentication request carrying user information to the server management platform.
  • the client displays the login interface of the server management platform to the user, and the user can input user information on the login interface of the server management platform. After obtaining the user information input by the user, the client can send a first authentication request carrying the user information to the server management platform.
  • Step 202 After receiving the first authentication request, the server management platform authenticates the user information carried in the first authentication request.
  • Step 203 The server management platform returns to the client a message indicating that the authentication is successful or that the authentication fails.
  • the server management platform can also return to the client a message indicating that the authentication is successful or that the authentication fails.
  • Step 204 The client sends an access request to the server management platform.
  • Step 205 After determining that the client is successfully authenticated on the server management platform, the server management platform forwards the access request to the server.
  • Step 206 The server sends an unauthenticated message to the server management platform when determining that the client is not authenticated on the server.
  • Step 207 The server management platform forwards the unauthenticated message to the client.
  • Step 208 The client sends a second authentication request carrying user information to the server management platform.
  • After receiving the unauthenticated message, the client displays the server login interface to the user, and the user can input user information on the server login interface. After obtaining the user information input by the user, the client can send a second authentication request carrying the user information to the server management platform.
  • Step 209 The server management platform forwards the second authentication request carrying user information to the server.
  • Step 210 The server obtains the user information carried in the second authentication request, and authenticates the client based on the user information.
  • Step 211 The server returns a message indicating that the authentication is successful or that the authentication fails to the server management platform.
  • Step 212 The server management platform returns to the client a message indicating that the authentication is successful or that the authentication fails.
  • Step 213 The client sends an access request to the server management platform.
  • Step 214 The server management platform forwards the access request to the server.
  • Step 215 After determining that the client is successfully authenticated, the server returns the network resource requested by the access request to the server management platform.
  • Step 216 The server management platform forwards the network resources to the client.
  • this application provides an authentication method.
  • in the case of receiving an access request from the client, identification information to be carried in the access request is generated, and the access request carrying the identification information is sent to the first designated port on the server.
  • when the server monitors that the first designated port receives the access request, it returns an identifier to be verified based on the identification information carried in the access request.
  • the identifier to be verified is verified, and when it passes verification a first message indicating that the identifier has passed verification is sent to the second designated port on the server, so that the server responds to the access request when it monitors that the second designated port receives the first message.
  • FIG. 3 is a flowchart of an authentication method shown in an exemplary embodiment of the present application. The method may include the following steps.
  • Step 301 In the case of receiving an access request from the client, generating identification information to be carried in the access request, and sending the access request carrying the identification information to a first designated port on the server.
  • Step 302 Obtain an identifier to be verified returned by the first designated port; the identifier to be verified is returned by the server, when it monitors that the first designated port receives the access request, based on the identification information carried in the access request.
  • Step 303 Verify the identifier to be verified, and in the case that it passes verification, send a first message indicating that the identifier to be verified has passed verification to the second designated port on the server, so that the server responds to the access request when it monitors that the second designated port receives the first message.
  • the identification information may correspond to the access request, and the identification information may be randomly generated, of course, it may also be generated based on the characteristic information of the access request, and the manner of generating the identification information is not specifically limited here.
  • the identification information can be a token, or other information; the identification information is not specifically limited here.
  • the method shown in FIG. 3 may be executed by an electronic device, and the electronic device may be a device connected to the server on the access path through which the client accesses the server.
  • the above-mentioned first designated port is the first port on the server connected to the electronic device.
  • the above-mentioned second designated port is the second port on the server connected to the electronic device.
  • the above-mentioned first designated port and second designated port can be the same port on the server or different ports on the server.
  • the first designated port and the second designated port are only described by way of example and are not specifically limited here.
  • the electronic device may be the server management platform shown in FIG. 1.
  • the electronic device can also be a newly-added device between the server management platform shown in FIG. 1 and the server (not shown in FIG. 1).
  • the electronic device is only described by way of example and is not specifically limited here.
  • the method shown in FIG. 3 may be executed by the server, and the first designated port is the port on the server corresponding to the first designated protocol.
  • the second designated port is the port on the server corresponding to the second designated protocol.
  • the first designated protocol and the second designated protocol can be the same protocol or different protocols. Therefore, the first designated port and the second designated port can be the same port or different ports.
  • the first designated port and the second designated port are exemplarily described, and they are not specifically limited.
  • the server may include a first module and a second module, which may be referred to as a legal verification module and a service module, respectively.
  • the server can also include modules related to the actual application, and the modules included on the server are not specifically limited here.
  • the method shown in FIG. 3 may be executed by the legal verification module of the server, and the first designated port may be the port on the server corresponding to the first designated protocol.
  • the service module is connected to the legal verification module through the first designated port.
  • the second designated port may be the port on the server corresponding to the second designated protocol.
  • the service module is connected to the legal verification module through the second designated port.
  • the above-mentioned first designated port and the second designated port may be the same port or different ports.
  • the first designated port and the second designated port are only exemplified, and they are not specifically limited.
  • step 301 to step 303 are described below.
  • Way one to implement step 301 to step 303:
  • In this way the method is executed by the server management platform (the electronic device); the first designated port is the first port on the server used to connect to the server management platform, and the second designated port is the second port on the server connected to the server management platform.
  • the client can send an access request to the server management platform.
  • After the server management platform receives the access request sent by the client, it can generate identification information for the access request and add the identification information to the access request. Then the server management platform sends the access request to the first designated port on the server.
  • After the server, listening on the first designated port, receives the access request, it obtains the identification information carried in the access request and returns an identifier to be verified to the server management platform based on that identification information.
  • the identification to be verified may be identification information or an identification generated based on identification information.
  • the identification to be verified is only exemplified and not specifically limited.
  • the server management platform upon receiving the identifier to be verified returned by the server, verifies the identifier to be verified.
  • If the identifier to be verified passes verification, the server management platform sends a first message indicating that the identifier has passed verification to the second designated port on the server, so that the server, when it monitors that the second designated port receives the first message, responds to the access request (for example, by returning the network resource requested by the access request).
  • If the identifier to be verified fails verification, the server management platform sends a second message indicating that the identifier has failed verification to the second designated port on the server, so that the server, when it monitors that the second designated port receives the second message, instructs the client to provide verification information, verifies the verification information provided by the client, and responds to the access request after that verification passes.
  • the verification information may be user information (such as a user name and password), or other information; the verification information is only described by way of example and is not specifically limited here.
  • the identification information may also be recorded.
  • Verifying the identifier to be verified may, for example, consist of searching all recorded identification information for identification information that matches the identifier to be verified; if such identification information exists, the identifier passes verification, otherwise it fails.
  • If the identifier to be verified is the identification information itself, the identification information that matches it is the identifier to be verified itself.
  • If the identifier to be verified is an identifier generated from identification information according to a first rule, the identification information that matches it is the designated identification information whose identifier, generated according to the first rule, is the same as the identifier to be verified.
  • After the identifier to be verified passes verification, the matching identification information may also be deleted.
  • Identification information is also deleted when a predetermined period of time set for it (referred to as the aging time) is reached. An aging time is attached to the recorded identification information; whether the aging time of any recorded identification information has expired is detected periodically, and expired identification information is deleted.
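As an added example (not the applicant's code; the class names, the SHA-256 derivation used as the "first rule", and the in-process methods standing in for the two designated ports are assumptions), the following Python models steps 301 to 303 as implemented in Way one: the relay generates and records identification information, the server answers on the first designated port with an identifier to be verified, the relay matches it against its records (both the identity case and the derived-identifier case), consumes the matched record, sends the first or second message to the second designated port, and deletes unmatched records once their aging time is reached. The same Relay class stands for the newly added electronic device of Way two.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass
class AccessRequest:
    client_id: str
    resource: str
    token: Optional[str] = None  # identification information added on the access path


def identity_rule(token: str) -> str:
    """First rule, variant 1: the identifier to be verified is the identification information itself."""
    return token


def digest_rule(token: str) -> str:
    """First rule, variant 2: identifier derived from the token (SHA-256 is an assumption)."""
    return hashlib.sha256(token.encode()).hexdigest()


class Server:
    """Server side; the two designated ports are modelled as methods rather than sockets."""
    RESOURCES = {"/videos/1": "constructed sample resource"}

    def __init__(self, rule: Callable[[str], str]):
        self.rule = rule
        self.pending: dict = {}  # identifier to be verified -> request awaiting port 2

    def first_port(self, req: AccessRequest) -> str:
        """Step 302, server side: return the identifier to be verified built from the token."""
        ident = self.rule(req.token)
        self.pending[ident] = req
        return ident

    def second_port(self, ident: str, verified: bool):
        """First message (verified) -> respond; second message -> ask for verification info."""
        req = self.pending.pop(ident, None)
        if req is None:
            return ("unknown_request", None)
        if verified:
            return ("resource", self.RESOURCES.get(req.resource))
        return ("provide_verification_info", req.client_id)


class Relay:
    """Electronic device on the access path: the server management platform (Way one) or a
    device added between it and the server (Way two)."""

    def __init__(self, server: Server, rule, aging: float, clock: Callable[[], float]):
        self.server, self.rule, self.aging, self.clock = server, rule, aging, clock
        self.recorded: dict = {}  # token -> time at which its aging time is reached

    def expire(self) -> int:
        """Delete recorded identification information whose aging time has been reached."""
        now = self.clock()
        stale = [t for t, deadline in self.recorded.items() if deadline <= now]
        for t in stale:
            del self.recorded[t]
        return len(stale)

    def match(self, ident: str) -> Optional[str]:
        """Recorded identification information whose identifier under the rule equals ident."""
        for tok in self.recorded:
            if hmac.compare_digest(self.rule(tok), ident):
                return tok
        return None

    def handle(self, req: AccessRequest):
        self.expire()
        req.token = secrets.token_hex(16)                # step 301: generate and attach token
        self.recorded[req.token] = self.clock() + self.aging
        ident = self.server.first_port(req)              # step 302: server returns identifier
        tok = self.match(ident)                          # step 303: verify against records
        if tok is not None:
            del self.recorded[tok]                       # matched record is consumed
        return self.server.second_port(ident, tok is not None)


def demo_verified():
    """Honest path, both sides use digest_rule: first message, resource returned, record consumed."""
    relay = Relay(Server(digest_rule), digest_rule, aging=60.0, clock=lambda: 0.0)
    return relay.handle(AccessRequest("client-a", "/videos/1")), len(relay.recorded)


def demo_mismatch_and_aging():
    """Server derives identifiers the relay cannot match: second message, the server asks the
    client for verification information, and the unmatched record goes once its aging time passes."""
    now = [0.0]
    relay = Relay(Server(digest_rule), identity_rule, aging=30.0, clock=lambda: now[0])
    outcome = relay.handle(AccessRequest("client-b", "/videos/1"))
    before = len(relay.recorded)
    now[0] = 31.0
    return outcome, before, relay.expire(), len(relay.recorded)
```

The mismatch case shows why the rule has to be agreed on both sides: the relay cannot recognise the identifier, so the server falls back to asking the client for verification information instead of serving the resource.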
  • Way two to implement step 301 to step 303:
  • the method is executed by an electronic device newly added between the server management platform and the server, and the first designated port is a first port on the server for connecting the electronic device.
  • the second designated port is the second port on the server connected to the electronic device.
  • the client can send an access request to the server management platform.
  • After the server management platform receives the access request sent by the client, it can send the access request to the newly added electronic device (for convenience of description, referred to below as the target electronic device).
  • the target electronic device may generate identification information for the access request, and add the identification information to the access request. Then, the target electronic device can send the access request to the first port on the server.
  • After the server, listening on the first port, receives the access request, it obtains the identification information carried in the access request and, based on that identification information, returns an identifier to be verified to the target electronic device.
  • After receiving the identifier to be verified returned by the server, the target electronic device verifies it.
  • If the identifier to be verified passes verification, the target electronic device sends a first message indicating that it has passed verification to the second designated port on the server, so that the server responds to the access request when it monitors that the second designated port receives the first message.
  • If the identifier to be verified fails verification, the target electronic device sends a second message indicating that it has failed verification to the second designated port on the server, so that the server, when it monitors that the second designated port receives the second message, instructs the client to provide verification information, verifies the verification information provided by the client, and responds to the access request after that verification passes.
  • the server includes: a legal verification module and a business module.
  • the server management platform establishes a connection with the legal verification module of the server, and the legal verification module establishes a connection with the business module (such as a socket connection, etc.).
  • the method shown in FIG. 3 is executed by the legal verification module of the server, and the first designated port is a port on the server corresponding to the first designated protocol.
  • the first designated port is the first port corresponding to the HTTP protocol on the server, for example, the port is port 80.
  • the second designated port is a port on the server corresponding to the second designated protocol.
  • the service module establishes a first socket connection with the legal verification module through the first designated port.
  • the service module may also establish a second socket connection with the legal verification module through the second designated port.
  • the port where the first socket is connected to the service module is the first designated port, and the service module can communicate with the legal verification module through the first designated port.
  • the port at which the second socket connection reaches the service module is the second designated port, and the service module can communicate with the legal verification module through the second designated port.
  • the second designated port and the first designated port may be the same or different. Therefore, the first socket connection and the second socket connection may be the same or different.
  • the client can send an access request to the server management platform.
  • after the server management platform receives the access request sent by the client, it can send the access request to the legal verification module of the server.
  • the legality verification module can generate identification information for the access request, and add the identification information to the access request. Then, the legal verification module can send the access request to the first designated port on the server.
  • the service module can monitor the first designated port. After the service module monitors that the first designated port receives the access request, it can obtain the identification information carried in the access request, and return the identification to be verified to the legal verification module based on the identification information.
  • after receiving the identification to be verified returned by the service module, the legal verification module verifies it.
  • the legal verification module sends a first message indicating that the identification to be verified passed verification to the second designated port on the server, so that the service module, on detecting that the second designated port has received the first message, responds to the access request.
  • in the case that the identification to be verified fails verification, the legal verification module sends a second message indicating that the identification to be verified failed verification to the second designated port on the server, so that the service module, on detecting that the second designated port has received the second message, instructs the client to provide verification information, verifies the verification information provided by the client, and responds to the access request after the verification passes.
  • sending the access request to the first designated port on the server, so that the business module listening on the first designated port obtains the access request, turns the non-direct connection mode between the client and the server (the client connects to the server management platform, and the server management platform connects to the server) into an imitation of a direct connection (the client connected directly to the server). The access request forwarded by the server management platform and received by the server's business module is then the same as an access request sent directly by the client, so the business module treats the access request as sent directly from the client and can largely ignore processing related to the server management platform protocol, which simplifies the server's processing flow for the access request.
  • the identification information is added to the access request received from the client, the access request with the identification information added is sent to the server, and the server, after receiving it, returns the identification to be verified based on the identification information. The legality of the user is then verified by verifying the identification to be verified instead of verifying user information, so the server does not require the user to enter user information multiple times during authentication; user authentication efficiency is greatly improved and operation is convenient for users.
  • as shown in FIG. 2, the server management platform is usually subject to secondary development so that it has the function of authenticating whether a user may access the network resources of the server; after successful authentication, the network resources provided by the server can be returned.
  • when the client accesses the server, it first logs in to the server management platform. After a successful login, the client can send an access request for network resources on the server to the server management platform, and the server management platform responds to the access request and returns to the client the network resource accessed by the access request. It can be seen that this method requires secondary development of the server management platform, which greatly increases the workload of developers.
  • because the server management platform transparently forwards the access request to the server and the server responds to the client's access request, this application does not require the server management platform to provide the function of authenticating whether a user may access network resources on the server, which eliminates the need for secondary development of the server management platform and greatly reduces the workload of developers.
  • FIG. 4 is a flowchart of another authentication method shown in an exemplary embodiment of the present application. The method may include the following steps.
  • Step 401 When it is detected that the first designated port on the server has received the access request, return the identification to be verified to the peer that sent the access request, based on the identification information carried in the access request;
  • Step 402 Respond to the access request when it is detected that the second designated port on the server has received the first message indicating that the identification to be verified passed verification.
  • the method shown in FIG. 4 may be executed by the server, or may be executed by the legal verification module of the server, and the execution device or module of the method shown in FIG. 4 is not specifically limited here.
  • step 401 and step 402 are described below.
  • Way one to implement step 401 and step 402:
  • the method shown in FIG. 4 is executed by the server, the opposite end is the server management platform, and the first designated port is the first port on the server used to connect to the electronic device (here the server management platform).
  • the second designated port is a second port on the server that is used to connect to the electronic device.
  • the above-mentioned first designated port and the second designated port may be the same port or different ports.
  • the first designated port and the second designated port are only exemplified, and they are not specifically limited.
  • the client can send an access request to the server management platform.
  • after the server management platform receives the access request sent by the client, it can generate identification information for the access request and add the identification information to the access request. Then, the server management platform can send the access request to the first designated port on the server.
  • after listening on the first designated port and receiving the access request, the server can obtain the identification information carried in the access request and return the identification to be verified to the server management platform based on the identification information.
  • upon receiving the identifier to be verified returned by the server, the server management platform verifies it.
  • the server management platform sends a first message indicating that the identification to be verified passed verification to the second designated port on the server, so that the server, on detecting that the second designated port has received the first message, responds to the access request (for example, by returning the network resource accessed by the access request).
  • the server management platform sends a second message indicating that the identification to be verified failed verification to the second designated port on the server, so that the server, on detecting that the second designated port has received the second message, instructs the client to provide verification information, verifies the verification information provided by the client, and responds to the access request after the verification passes.
  • Way two to implement step 401 and step 402:
  • the method shown in FIG. 4 is executed by the server, the opposite end is the electronic device newly added between the server management platform and the server, and the first designated port is the first port on the server connected to the newly added electronic device.
  • the second designated port is a second port on the server that is connected to the newly added electronic device.
  • the client can send an access request to the server management platform.
  • after the server management platform receives the access request sent by the client, it can send the access request to the newly added electronic device (for convenience of description, referred to here as the target electronic device).
  • the target electronic device may generate identification information for the access request, and add the identification information to the access request. Then, the target electronic device can send the access request to the first port on the server.
  • after listening on the first port and receiving the access request, the server can obtain the identification information carried in the access request and, based on the identification information, return the identification to be verified to the target electronic device.
  • after receiving the identification to be verified returned by the server, the target electronic device verifies it.
  • the target electronic device sends a first message indicating that the identification to be verified passed verification to the second designated port on the server, so that the server, on detecting that the second designated port has received the first message, responds to the access request.
  • in the case that the identification to be verified fails verification, the target electronic device sends a second message indicating that the identification to be verified failed verification to the second designated port on the server, so that the server, on detecting that the second designated port has received the second message, instructs the client to provide verification information, verifies the verification information provided by the client, and responds to the access request after the verification passes.
  • Way three to implement step 401 and step 402:
  • the server includes a legal verification module and a business module.
  • the server management platform establishes a connection with the legal verification module of the server.
  • the legal verification module establishes a connection with the service module (such as a socket connection, etc.).
  • the method shown in Figure 4 is executed by the service module of the server, and the opposite end is the legality verification module of the server.
  • the first designated port is a port on the server corresponding to the first designated protocol.
  • the first designated port is the first port corresponding to the HTTP protocol on the server, for example, the port is port 80.
  • the second designated port is a port on the server corresponding to the second designated protocol.
  • the service module establishes a first socket connection with the legal verification module through the first designated port.
  • the service module may also establish a second socket connection with the legal verification module through the second designated port.
  • the port where the first socket is connected to the service module is the first designated port, and the service module can communicate with the legal verification module through the first designated port.
  • the port at which the second socket connection reaches the service module is the second designated port, and the service module can communicate with the legal verification module through the second designated port.
  • the client can send an access request to the server management platform.
  • after the server management platform receives the access request sent by the client, it can send the access request to the legal verification module of the server.
  • the legality verification module can generate identification information for the access request, and add the identification information to the access request. Then, the legal verification module can send the access request to the first designated port on the server.
  • the service module can monitor the first designated port. After the service module monitors that the first designated port receives the access request, it can obtain the identification information carried in the access request, and return the identification to be verified to the legal verification module based on the identification information.
  • after receiving the identification to be verified returned by the service module, the legal verification module verifies it.
  • the legal verification module sends a first message indicating that the identification to be verified passed verification to the second designated port on the server, so that the service module, on detecting that the second designated port has received the first message, responds to the access request.
  • in the case that the identification to be verified fails verification, the legal verification module sends a second message indicating that the identification to be verified failed verification to the second designated port on the server, so that the service module, on detecting that the second designated port has received the second message, instructs the client to provide verification information, verifies the verification information provided by the client, and responds to the access request after the verification passes.
  • FIG. 5 is an interaction diagram of an authentication method shown in an exemplary embodiment of the present application.
  • Step 501 The client sends a first authentication request carrying user information to the server management platform.
  • the client displays the login interface of the server management platform to the user, and the user can input user information on the login interface of the server management platform. After obtaining the user information input by the user, the client can send a first authentication request carrying the user information to the server management platform.
  • Step 502 After receiving the first authentication request, the server management platform authenticates the user based on the user information.
  • Step 503 The server management platform returns a message indicating that the authentication is successful or that the authentication fails to the client.
  • Step 504 The client sends an access request to the server management platform.
  • Step 505 After determining that the user is successfully authenticated on the server management platform, the server management platform forwards the access request to the legal verification module of the server.
  • Step 506 The legal verification module allocates a Token for the access request, adds the allocated Token to the access request, and records the Token allocated for the access request locally.
  • Step 507 The legal verification module sends an access request carrying the Token to the target port corresponding to the HTTP protocol on the server.
  • Step 508 When the service module monitors that the target port receives the access request, it obtains the Token in the access request.
  • Step 509 The service module sends the Token to the legal verification module.
  • Step 510 The legal verification module detects whether there is a Token matching the Token returned by the service module among all the Tokens that have been recorded locally.
  • If there is a Token matching the Token returned by the service module among all the locally recorded Tokens, step 511 to step 513 are performed; otherwise, step 514 to step 521 are performed.
  • Step 511 If it exists, the legal verification module sends the first message that the Token is verified to the target port.
  • Step 512 When the service module monitors that the target port receives the first message, it returns the network resource requested by the access request to the server management platform.
  • Step 513 The server management platform forwards network resources to the client.
  • Step 514 If it does not exist, the legal verification module sends a second message that the Token has not passed the verification to the target port.
  • Step 515 When the service module monitors that the target port receives the second message, it returns an unauthenticated message to the server management platform.
  • Step 516 The server management platform returns an unauthenticated message to the client.
  • Step 517 The client sends a second authentication request carrying user information to the server management platform.
  • the client after receiving the unauthenticated message, displays the server login interface to the user, and the user can input user information on the server login interface. After obtaining the user information input by the user, the client can send a second authentication request carrying the user information to the server management platform.
  • Step 518 The server management platform forwards the second authentication request carrying user information to the legal verification module.
  • Step 519 The legal verification module verifies the legality of the user based on the user information.
  • Step 520 After determining that the user is legal, the legal verification module sends a third message indicating that the user is legal to the target port.
  • Step 521 After monitoring that the target port receives the third message, the service module returns the network resource requested by the access request to the server management platform.
  • Step 522 The server management platform forwards the network resource to the client.
  • the Token is added to the access request from the client, and the access request with the Token added is sent to the server; when the Token returned by the server is received, the Token is verified. Legitimacy authentication of the client is thus achieved by verifying the Token rather than the user information, so the server does not require the user to enter user information multiple times when authenticating the client, which greatly improves verification efficiency and facilitates user operation.
  • because the server management platform transparently forwards the access request to the server and the server responds to the client's access request, instead of the server management platform being responsible for responding to the access request sent by the client, no secondary development of the server management platform is needed in this application, so the workload of developers is greatly reduced.
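The FIG. 5 exchange (steps 506 to 521) together with the aging-time deletion of recorded identification information described earlier, as an added Python simulation that is not the patent's or its assignee's code. The message names, the X-Token header, the port numbers, the user store and the controllable clock are assumptions made for the example.

```python
"""Added example, not the patent's own code: a simulation of the Token exchange
between the legal verification module and the service module of FIG. 5, with the
locally recorded Tokens, delete-on-match and aging-time deletion described above."""
import secrets
import time

FIRST_PORT = 80      # the page gives port 80 (HTTP) as the example first designated port
SECOND_PORT = 8081   # constructed value; the page allows it to be the same as the first port

FIRST_MESSAGE = "TOKEN_VERIFIED"        # identification to be verified passed verification
SECOND_MESSAGE = "TOKEN_NOT_VERIFIED"   # identification to be verified failed verification
THIRD_MESSAGE = "USER_LEGAL"            # user information verified (step 520)


class FakeClock:
    """Controllable clock (constructed for the demo) so aging is shown without sleeping."""
    now = 0.0

    def __call__(self):
        return self.now


class ServiceModule:
    """Business module on the server: listens on both designated ports and owns the resources."""
    def __init__(self, resources):
        self.resources = resources   # path -> content
        self.pending = {}            # token -> request waiting for a message on the second port

    def on_first_port(self, request):
        """Steps 508-509: take the Token out of the request and return it as the identification to be verified."""
        token = request["headers"].get("X-Token")
        if token is None:
            return None, "ERROR: request carries no identification information"
        self.pending[token] = request  # park the request until a message arrives
        return token, None

    def on_second_port(self, token, message):
        """Steps 511-515 and 520-521: act on the message received on the second designated port."""
        request = self.pending.get(token)
        if request is None:
            return "ERROR: no pending request for this identification"
        if message in (FIRST_MESSAGE, THIRD_MESSAGE):
            del self.pending[token]
            return self.resources.get(request["path"], "404 not found")
        return "UNAUTHENTICATED"     # step 515; request stays pending for steps 517-521


class LegalVerificationModule:
    """Allocates Tokens, records them with an issue time, and verifies Tokens returned by the service."""
    def __init__(self, service, users, aging_seconds=30.0, clock=time.monotonic):
        self.service = service
        self.users = users           # constructed user store consulted in step 519
        self.aging = aging_seconds
        self.clock = clock
        self.records = {}            # token -> issue time: the locally recorded Tokens

    def purge_expired(self):
        """Aging-time deletion: a record whose aging time has been reached is dropped."""
        now = self.clock()
        for token, issued in list(self.records.items()):
            if now - issued >= self.aging:
                del self.records[token]

    def forward(self, request):
        """Steps 506-507: allocate a Token, record it, send the request to the first designated port."""
        token = secrets.token_urlsafe(16)
        self.records[token] = self.clock()
        request["headers"]["X-Token"] = token
        return self.service.on_first_port(request)

    def on_token_returned(self, token):
        """Steps 510-515: a match consumes the record (no second acceptance), then send the first or second message."""
        self.purge_expired()
        matched = self.records.pop(token, None) is not None
        message = FIRST_MESSAGE if matched else SECOND_MESSAGE
        return message, self.service.on_second_port(token, message)

    def handle_user_auth(self, token, username, password):
        """Steps 518-521: only a legal user causes the third message to be sent to the second designated port."""
        if not secrets.compare_digest(self.users.get(username, ""), password):
            return "UNAUTHENTICATED"
        return self.service.on_second_port(token, THIRD_MESSAGE)


def demo():
    """Runs the normal flow, a replay of a consumed Token, an aged-out Token and the user fallback."""
    clock = FakeClock()
    service = ServiceModule({"/camera/1/stream": "stream-bytes"})
    verifier = LegalVerificationModule(service, {"alice": "s3cret"}, aging_seconds=30.0, clock=clock)
    results = {}
    token, _ = verifier.forward({"path": "/camera/1/stream", "headers": {}})
    results["normal"] = verifier.on_token_returned(token)        # first message, resource delivered
    results["replay"] = verifier.on_token_returned(token)        # record already deleted: fails
    token, _ = verifier.forward({"path": "/camera/1/stream", "headers": {}})
    clock.now += 31.0                                             # service replies after the aging time
    results["aged"] = verifier.on_token_returned(token)          # second message, UNAUTHENTICATED
    results["bad_user"] = verifier.handle_user_auth(token, "alice", "wrong")
    results["good_user"] = verifier.handle_user_auth(token, "alice", "s3cret")
    results["recorded"] = len(verifier.records)
    return results
```

Calling `demo()` returns the outcome of each path; a Token that was already matched or whose aging time has passed ends in the second message and the user-information fallback of steps 517 to 521.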
  • FIG. 6 is a hardware structure diagram of an electronic device according to an exemplary embodiment of the present application.
  • the electronic device may be a server management platform, or a device newly added between the server management platform and the server, and of course the electronic device may also be a server.
  • the electronic device is not specifically limited here.
  • the electronic device may include: a readable storage medium and a processor; wherein the readable storage medium is used to store machine-executable instructions, and the processor is used to read the machine-executable instructions and execute them to implement the steps of the authentication method described above.
  • the electronic device may also include: a communication interface 601 and a bus 604; wherein the communication interface 601, the processor 602, and the machine-readable storage medium 603 communicate with each other through the bus 604.
  • the processor 602 can execute the authentication method described above by reading and executing the machine executable instructions corresponding to the authentication control logic in the machine-readable storage medium 603.
  • the machine-readable storage medium 603 mentioned herein may be any electronic, magnetic, optical, or other physical storage device, and may contain or store information, such as executable instructions, data, and so on.
  • the machine-readable storage medium may be: volatile memory, non-volatile memory or similar storage medium.
  • the machine-readable storage medium 603 may be RAM (Random Access Memory), flash memory, a storage drive (such as a hard disk drive), a solid state drive, any type of storage disk (such as an optical disk, DVD, etc.), similar storage media, or a combination of them.
  • FIG. 7 is a block diagram of an authentication device shown in an exemplary embodiment of the present application.
  • the device may be a part of the electronic device described in FIG. 6 or installed in the electronic device, or the device may be a part of the legal verification module of the server or installed in the legal verification module of the server, and may include the following units.
  • the generating unit 701 is configured to generate identification information to be carried in the access request when an access request from the client is received, and send the access request carrying the identification information to the first designated port on the server;
  • the obtaining unit 702 is configured to obtain the identifier to be verified returned by the first designated port; the identifier to be verified is returned by the server, based on the identification information carried in the access request, when it detects that the first designated port has received the access request;
  • the verification unit 703 is configured to verify the identification to be verified and, if the identification to be verified passes verification, to send a first message indicating that the identification to be verified passed verification to a second designated port on the server, so that the server responds to the access request when it detects that the second designated port has received the first message.
  • the device is a part of or installed in an electronic device, and the electronic device is a device that is on an access path for the client to access the server and connected to the server;
  • the first designated port is the first port on the server that connects to the electronic device;
  • the second designated port is the second port on the server that connects to the electronic device; or, the device is part of the server or installed in the server;
  • the first designated port is the port on the server corresponding to the first designated protocol;
  • the second designated port is the port on the server corresponding to the second designated protocol.
  • the electronic device is a server management platform for managing the server; or, the electronic device is a newly added device between the server management platform and the server.
  • the generating unit 701 is further configured to record the identification information after generating the identification information to be carried in the access request; when verifying the identification to be verified, the verification unit 703 searches the recorded identification information (for example, all the recorded identification information) for identification information that matches the identification to be verified; if it exists, the identification to be verified is determined to have passed verification; if it does not exist, the identification to be verified is determined to have failed verification.
  • the device further includes: a deletion unit 704 (not shown in FIG. 7), configured to delete the identification information that matches the identification to be verified after it is determined that the identification to be verified passed verification; and/or, to delete the identification information when it is detected that the aging time of the identification information has been reached.
  • the verification unit 703 is further configured to send a second message indicating that the identification to be verified failed verification to the second designated port in the case that the identification to be verified fails verification, so that the server, on detecting that the second designated port has received the second message, instructs the client to provide verification information, verifies the verification information provided by the client, and responds to the access request after the verification passes.
  • an exemplary embodiment of the present application also provides a server.
  • the server may include: a readable storage medium and a processor; wherein the readable storage medium is used to store machine-executable instructions, and the processor is used to read the machine-executable instructions and execute them to implement the steps of the authentication method described above.
  • the server may also include a communication interface 801 and a bus 804; wherein the communication interface 801, the processor 802 and the machine-readable storage medium 803 communicate with each other through the bus 804.
  • the processor 802 can execute the authentication method described above by reading and executing the machine executable instructions corresponding to the authentication control logic in the machine-readable storage medium 803.
  • the machine-readable storage medium 803 mentioned herein may be any electronic, magnetic, optical, or other physical storage device, and may contain or store information, such as executable instructions, data, and so on.
  • the machine-readable storage medium may be: volatile memory, non-volatile memory or similar storage medium.
  • the machine-readable storage medium 803 may be RAM (Random Access Memory), flash memory, a storage drive (such as a hard disk drive), a solid state drive, any type of storage disk (such as an optical disk, DVD, etc.), similar storage media, or a combination of them.
  • FIG. 9 is a block diagram of another authentication device shown in an exemplary embodiment of the present application.
  • the device may be part of the server shown in FIG. 8 or installed in the server, and may also be a part of or installed in the service module of the server, which is not specifically limited here.
  • the device may include the units shown below.
  • the sending unit 901 is configured to return an identification to be verified to the peer that sent the access request, based on the identification information carried in the access request, when it is detected that the first designated port on the server has received the access request;
  • the response unit 902 is configured to respond to the access request when it is detected that the second designated port on the server has received the first message indicating that the identification to be verified passed verification.
  • the first designated port is a first port on the server connected to the opposite end;
  • the second designated port is a second port on the server connected to the opposite end;
  • the opposite end is an electronic device that is on the access path through which the client accesses the server and is connected to the server; or, the first designated port is a port on the server that corresponds to a first designated protocol, and the second designated port is a port on the server that corresponds to a second designated protocol.
  • the response unit 902 is further configured to instruct the client to provide verification information when it detects that the second designated port has received the second message indicating that the identification to be verified failed verification, to verify the verification information provided by the client, and to respond to the access request after the verification passes.
  • the present application also provides a computer program stored in a machine-readable storage medium; when a processor executes the computer program, the processor is caused to implement the authentication method shown in FIG. 3 above.
  • the present application also provides a computer program stored in a machine-readable storage medium; when a processor executes the computer program, the processor is caused to implement the authentication method shown in FIG. 4 above.
  • the present application also provides a machine-readable storage medium.
  • the machine-readable storage medium stores machine-executable instructions. When called and executed by a processor, the machine-executable instructions cause the authentication method shown in FIG. 3 above to be implemented.
  • this application also provides a machine-readable storage medium that stores machine-executable instructions. When called and executed by a processor, the machine-executable instructions cause the authentication method shown in FIG. 4 above to be implemented.
  • since the device embodiment basically corresponds to the method embodiment, reference may be made to the description of the method embodiment for the relevant parts.
  • the device embodiments described above are merely illustrative; the units described as separate components may or may not be physically separate, and the components displayed as units may or may not be physical units, that is, they may be located in one place or distributed across multiple network units. Some or all of the modules can be selected according to actual needs to achieve the purpose of the solution of the present application. Those of ordinary skill in the art can understand and implement this without creative work.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Power Engineering (AREA)
  • Computer And Data Communications (AREA)
  • Small-Scale Networks (AREA)

Abstract

The present application provides an authentication method, apparatus, electronic device and server, program and storage medium. The method includes: when an access request from a client is received, generating identification information to be carried in the access request and sending the access request carrying the identification information to a first designated port on a server; obtaining an identification to be verified returned by the first designated port, the identification to be verified being returned by the server, based on the identification information carried in the access request, when the server detects that the first designated port has received the access request; and verifying the identification to be verified and, when it passes verification, sending a first message indicating that the identification to be verified has passed verification to a second designated port on the server, so that the server responds to the access request when it detects that the second designated port has received the first message. With the method provided by the present application, efficient user authentication can be achieved.

Description

Authentication method, apparatus, electronic device and server, program and storage medium
Technical Field
The present application relates to the field of computer communications, and in particular to an authentication method, apparatus, electronic device and server, program and storage medium.
Background
In a network architecture with a client and at least one server, a server management platform for managing all the servers is usually deployed in the architecture to make server management convenient.
When the client needs to access a network resource on a server, it must first log in to the server management platform and then log in to that server before it can access the resource.
Specifically, the client submits its user information to the server management platform, which authenticates it. After the platform has authenticated the client's user information, the client must submit its user information again to the server, which authenticates it in turn; only after the server has authenticated the client's user information does it return the requested network resource to the client.
Because the user has to submit user information several times during authentication, authentication efficiency is greatly reduced and the user is greatly inconvenienced.
Summary
In view of this, the present application provides an authentication method, apparatus, electronic device and server, program and storage medium for improving the efficiency of user authentication.
Specifically, the present application is implemented by the following technical solutions:
According to a first aspect of the present application, an authentication method is provided. The method includes: when an access request from a client is received, generating identification information to be carried in the access request and sending the access request carrying the identification information to a first designated port on a server; obtaining an identification to be verified returned by the first designated port, the identification to be verified being returned by the server, based on the identification information carried in the access request, when the server detects that the first designated port has received the access request; and verifying the identification to be verified and, when it passes verification, sending a first message indicating that the identification to be verified has passed verification to a second designated port on the server, so that the server responds to the access request when it detects that the second designated port has received the first message.
Optionally, the method is executed by an electronic device that lies on the access path from the client to the server and is connected to the server; the first designated port is a first port on the server that connects to the electronic device, and the second designated port is a second port on the server that connects to the electronic device. Alternatively, the method is executed by the server; the first designated port is the port on the server corresponding to a first designated protocol, and the second designated port is the port on the server corresponding to a second designated protocol.
Optionally, the server includes a legality-check module and a business module. When the method is executed by the server, it is executed by the legality-check module, which sends the access request to the business module through the first port and sends the first message to the business module through the second port, and the business module responds to the access request.
Optionally, after generating the identification information to be carried in the access request, the method further includes recording the identification information. Verifying the identification to be verified then includes: searching the recorded identification information for an entry matching the identification to be verified; if one exists, determining that the identification to be verified passes verification; if none exists, determining that it fails verification.
Optionally, the method further includes: after determining that the identification to be verified passes verification, deleting the identification information matching it; and/or, when it is detected that the aging time of the identification information has been reached, deleting the identification information.
Optionally, the method further includes: when the identification to be verified fails verification, sending a second message indicating that it failed verification to the second designated port, so that the server, when it detects that the second designated port has received the second message, instructs the client to provide verification information, verifies the verification information provided by the client, and responds to the access request after that verification passes.
According to a second aspect of the present application, an authentication method executed by a server is provided. The method includes: when it is detected that a first designated port on the server has received an access request, returning an identification to be verified, based on the identification information carried in the access request, to the peer that sent the access request; and when it is detected that a second designated port on the server has received a first message indicating that the identification to be verified has passed verification, responding to the access request.
Optionally, the first designated port is a first port on the server that connects to the peer and the second designated port is a second port on the server that connects to the peer, the peer being an electronic device that lies on the access path from the client to the server and is connected to the server. Alternatively, the first designated port is the port on the server corresponding to a first designated protocol, and the second designated port is the port on the server corresponding to a second designated protocol.
Optionally, the method further includes: when it is detected that the second designated port has received a second message indicating that the identification to be verified failed verification, instructing the client to provide verification information, verifying the verification information provided by the client, and responding to the access request after that verification passes.
Optionally, the server includes a legality-check module and a business module, the method is executed by the business module of the server, and the legality-check module is the peer; the business module establishes a first connection with the legality-check module through the first designated port and a second connection with the legality-check module through the second designated port.
According to a third aspect of the present application, an authentication apparatus is provided. The apparatus includes: a generating unit, configured to, when an access request from a client is received, generate identification information to be carried in the access request and send the access request carrying the identification information to a first designated port on a server; an obtaining unit, configured to obtain an identification to be verified returned by the first designated port, the identification to be verified being returned by the server, based on the identification information carried in the access request, when the server detects that the first designated port has received the access request; and a verifying unit, configured to verify the identification to be verified and, when it passes verification, send a first message indicating that it has passed verification to a second designated port on the server, so that the server responds to the access request when it detects that the second designated port has received the first message.
According to a fourth aspect of the present application, an authentication apparatus is provided. The apparatus includes: a sending unit, configured to, when it is detected that a first designated port on the server has received an access request, return an identification to be verified, based on the identification information carried in the access request, to the peer that sent the access request; and a responding unit, configured to respond to the access request when it is detected that a second designated port on the server has received a first message indicating that the identification to be verified has passed verification.
According to a fifth aspect of the present application, an electronic device is provided. The device includes a readable storage medium and a processor; the readable storage medium stores machine-executable instructions, and the processor reads the machine-executable instructions from the readable storage medium and executes them to implement the steps of the authentication method of the first aspect.
According to a sixth aspect of the present application, a server is provided. The server includes a readable storage medium and a processor; the readable storage medium stores machine-executable instructions, and the processor reads the machine-executable instructions from the readable storage medium and executes them to implement the steps of the authentication method of the second aspect.
According to a seventh aspect of the present application, a computer program is provided. The computer program is stored in a machine-readable storage medium and, when executed by a processor, causes the processor to implement the authentication method of the first aspect.
According to an eighth aspect of the present application, a computer program is provided. The computer program is stored in a machine-readable storage medium and, when executed by a processor, causes the processor to implement the authentication method of the second aspect.
According to a ninth aspect of the present application, a machine-readable storage medium is provided. The machine-readable storage medium stores machine-executable instructions which, when called and executed by a processor, cause the processor to perform the authentication method of the first aspect.
According to a tenth aspect of the present application, a machine-readable storage medium is provided. The machine-readable storage medium stores machine-executable instructions which, when called and executed by a processor, cause the processor to perform the authentication method of the second aspect.
In the mechanism for accessing network resources provided by the present application, identification information is added to the access request received from the client, the access request with the identification information added is sent to the server, and when the identification to be verified that the server returns based on that identification information is received, the user's legitimacy is authenticated by verifying the identification to be verified rather than by verifying user information. The server therefore does not require the user to enter user information repeatedly when authenticating the user, which greatly improves authentication efficiency and makes operation convenient for the user.
Brief Description of the Drawings
FIG. 1 is a schematic diagram of an authentication network according to an exemplary embodiment of the present application;
FIG. 2 is a flowchart of the traditional network resource access method shown in the present application;
FIG. 3 is a flowchart of an authentication method according to an exemplary embodiment of the present application;
FIG. 4 is a flowchart of another authentication method according to an exemplary embodiment of the present application;
FIG. 5 is an interaction diagram of an authentication method according to an exemplary embodiment of the present application;
FIG. 6 is a hardware structure diagram of an electronic device according to an exemplary embodiment of the present application;
FIG. 7 is a block diagram of an authentication apparatus according to an exemplary embodiment of the present application;
FIG. 8 is a hardware structure diagram of a server according to an exemplary embodiment of the present application;
FIG. 9 is a block diagram of another authentication apparatus according to an exemplary embodiment of the present application.
Detailed Description
Exemplary embodiments are described in detail here, and examples of them are shown in the drawings. Where the following description refers to the drawings, the same numerals in different drawings denote the same or similar elements unless otherwise indicated. The implementations described in the following exemplary embodiments do not represent all implementations consistent with the present application; they are merely examples of apparatus and methods consistent with some aspects of the present application as detailed in the appended claims.
The terminology used in the present application is for the purpose of describing particular embodiments only and is not intended to limit the application. The singular forms "a", "said" and "the" used in the present application and the appended claims are also intended to include the plural forms unless the context clearly indicates otherwise. It should also be understood that the term "and/or" as used herein refers to and encompasses any or all possible combinations of one or more of the associated listed items.
It should be understood that although the terms first, second, third and so on may be used in the present application to describe various pieces of information, such information should not be limited by these terms, which serve only to distinguish information of the same type from one another. For example, without departing from the scope of the present application, first information may also be called second information and, similarly, second information may also be called first information. Depending on the context, the word "if" as used herein may be interpreted as "at the time of", "when" or "in response to determining".
Referring to FIG. 1, FIG. 1 is a schematic diagram of an authentication network according to an exemplary embodiment of the present application.
The authentication network includes a client, a server management platform and at least one server.
The server has been authenticated by the server management platform in advance, and the server management platform can manage the server.
Under this network architecture, the traditional way for a client to access a network resource on a server is: the client first logs in to the server management platform, then logs in to the server, and only then can it access the network resource on the server.
Referring to FIG. 2, FIG. 2 is a flowchart of the traditional network resource access method shown in the present application.
Step 201: the client sends a first authentication request carrying user information to the server management platform.
In implementation, the client shows the user a login interface for the server management platform, on which the user can enter user information. After obtaining the user information entered by the user, the client sends the first authentication request carrying that user information to the server management platform.
Step 202: after receiving the first authentication request, the server management platform authenticates the user information carried in it.
Step 203: the server management platform returns an authentication-success or authentication-failure message to the client.
Step 204: the client sends an access request to the server management platform.
Step 205: after determining that the client has been successfully authenticated on the server management platform, the server management platform forwards the access request to the server.
Step 206: when the server determines that the client has not been authenticated on the server, it sends an unauthenticated message to the server management platform.
Step 207: the server management platform forwards the unauthenticated message to the client.
Step 208: the client sends a second authentication request carrying user information to the server management platform.
In implementation, after receiving the unauthenticated message the client shows the user a login interface for the server, on which the user can enter user information. After obtaining the user information entered by the user, the client sends the second authentication request carrying that user information to the server management platform.
Step 209: the server management platform forwards the second authentication request carrying the user information to the server.
Step 210: the server obtains the user information carried in the second authentication request and authenticates the client based on it.
Step 211: the server returns an authentication-success or authentication-failure message to the server management platform.
Step 212: the server management platform returns the authentication-success or authentication-failure message to the client.
Step 213: the client sends an access request to the server management platform.
Step 214: the server management platform forwards the access request to the server.
Step 215: after determining that the client has been successfully authenticated, the server returns the network resource requested by the access request to the server management platform.
Step 216: the server management platform forwards the network resource to the client.
It can be seen that in the traditional technique for a client to access a network resource on a server, the user has to submit user information several times to complete login to the server management platform and login to the server, which greatly reduces authentication efficiency and also greatly inconveniences the user's access to network resources.
In view of this, the present application provides an authentication method in which, when an access request from a client is received, identification information to be carried in the access request is generated and the access request carrying it is sent to a first designated port on a server, so that the server, on detecting that the designated port has received the access request, returns an identification to be verified based on the identification information carried in the request. When the identification to be verified returned by the server is received, it is verified; if it passes verification, a first message indicating that it has passed verification is sent to a second designated port on the server, so that the server responds to the access request on detecting that the second designated port has received the first message.
In the mechanism for accessing network resources provided by the present application, identification information is added to the access request received from the client, the access request with the identification information added is sent to the server, and when the identification to be verified that the server returns based on that identification information is received, the user's legitimacy is authenticated by verifying the identification to be verified rather than by verifying user information. The server therefore does not require the user to enter user information repeatedly when authenticating the user, which greatly improves authentication efficiency and makes operation convenient for the user.
Referring to FIG. 3, FIG. 3 is a flowchart of an authentication method according to an exemplary embodiment of the present application. The method may include the following steps.
Step 301: when an access request from a client is received, generate identification information to be carried in the access request, and send the access request carrying the identification information to a first designated port on a server.
Step 302: obtain an identification to be verified returned by the first designated port; the identification to be verified is returned by the server, based on the identification information carried in the access request, when the server detects that the first designated port has received the access request.
Step 303: verify the identification to be verified and, when it passes verification, send a first message indicating that the identification to be verified has passed verification to a second designated port on the server, so that the server responds to the access request when it detects that the second designated port has received the first message.
The identification information may correspond to the access request. It may be generated randomly, or it may be generated from feature information of the access request; the way it is generated is not specifically limited here.
The identification information may be a token, or it may be other information; it is not specifically limited here.
In the embodiments of the present application, the method shown in FIG. 3 may be executed by an electronic device that lies on the access path from the client to the server and is connected to the server. The first designated port is a first port on the server that connects to the electronic device, and the second designated port is a second port on the server that connects to the electronic device. The first designated port and the second designated port may be the same port on the server or different ports; this is only an illustrative description of the two ports, not a specific limitation.
For example, the electronic device may be the server management platform shown in FIG. 1. It may also be a newly added device between the server management platform and the server (not shown in FIG. 1); this is only an illustrative description of the electronic device, not a specific limitation.
Optionally, in the embodiments of the present application, the method shown in FIG. 3 may be executed by the server. In that case the first designated port is the first port on the server corresponding to a first designated protocol, and the second designated port is the second port on the server corresponding to a second designated protocol. The first and second designated protocols may be the same protocol or different protocols, so the first and second designated ports may likewise be the same port or different ports; this is only illustrative, not a specific limitation.
In implementation, the server may for example include a first module and a second module, which may be called the legality-check module and the business module respectively. In practice the server may of course also include other modules related to the actual application; the modules included in the server are not specifically limited here.
The method shown in FIG. 3 may be executed by the legality-check module of the server. The first designated port may be the first port on the server corresponding to the designated protocol, and the business module connects to the legality-check module through the first port.
The second designated port may be the second port on the server corresponding to the designated protocol, and the business module connects to the legality-check module through the second port. The first and second designated ports may be the same port or different ports; this is only illustrative, not a specific limitation.
Several ways of implementing steps 301 to 303 are described below.
First way of implementing steps 301 to 303:
When the method is executed by the server management platform, the first designated port is a first port on the server for connecting to the server management platform, and the second designated port is a second port on the server for connecting to the server management platform.
In implementing steps 301 and 303, the client may send the access request to the server management platform. On receiving the access request from the client, the server management platform may generate identification information for the request and add it to the request, and then send the access request to the first designated port on the server.
After detecting that the first designated port has received the access request, the server may obtain the identification information carried in it and, based on that information, return an identification to be verified to the server management platform.
The identification to be verified may be the identification information itself, or an identification generated from the identification information; this is only illustrative, not a specific limitation.
On receiving the identification to be verified returned by the server, the server management platform verifies it.
If the identification to be verified passes verification, the server management platform sends a first message indicating that it has passed verification to the second designated port on the server, so that the server responds to the access request (for example, by returning the network resource requested) when it detects that the second designated port has received the first message.
In one embodiment, if the identification to be verified fails verification, the server management platform sends a second message indicating that it failed verification to the second designated port on the server, so that the server, when it detects that the second designated port has received the second message, instructs the client to provide verification information, verifies the verification information provided by the client, and responds to the access request after that verification passes. The verification information may be user information (such as a user name and password) or other information; this is only illustrative, not a specific limitation.
The way of "verifying the identification to be verified" is described next.
In the embodiments of the present application, after the identification information to be carried in the access request is generated, it may also be recorded.
When verifying the identification to be verified, the recorded identification information (for example, all recorded identification information) may be searched for an entry matching the identification to be verified;
if a matching entry exists, the identification to be verified is determined to pass verification;
if no matching entry exists, the identification to be verified is determined to fail verification.
Note that when the identification to be verified is the identification information itself, the identification information matching it is the identification to be verified.
When the identification to be verified is an identification generated from the identification information according to a first rule, the identification information matching it is the specific identification information whose identification generated according to the first rule equals the identification to be verified.
These are only illustrative descriptions of the "identification information", the "identification to be verified" and "verifying the identification to be verified", not specific limitations.
In addition, in the embodiments of the present application, to keep the verification of the identification to be verified effective, the identification information matching it may be deleted once the identification to be verified has been determined to pass verification.
Also to keep verification effective, when it is detected that a predetermined period (called the aging time) for the identification information has elapsed, the identification information is deleted.
In one optional implementation, an aging time is attached to the identification information after it is recorded. The recorded identification information can then be checked periodically for expired aging times, and the expired entries deleted.
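As an added example that is not part of the patent's own description, the following Python sketch implements the record / lookup / delete / aging handling of steps 301 to 303 described above: identification information is generated per access request and recorded with an aging time; the returned identification is matched against the records, both as the identification information itself and as a value derived from it by a "first rule"; a match consumes the record; and expired records are purged. The class and function names, the choice of SHA-256 as the first rule, the 30-second aging time and the request paths are assumptions of this example.

```python
import hashlib
import hmac
import secrets
import time


class IdentificationRecord:
    """Record of the identification information issued per access request, with
    the lookup, delete-on-match and aging behaviour described in the text
    (added example; the names and the SHA-256 'first rule' are assumptions)."""

    def __init__(self, aging_seconds, clock=time.time):
        self.aging_seconds = aging_seconds
        self.clock = clock  # injectable so the aging behaviour can be exercised
        self.records = {}  # identification information -> expiry timestamp

    def issue(self, access_request):
        """Step 301: generate identification information for this access request,
        record it with its aging time, and return the request carrying it."""
        self.purge_expired()
        ident = secrets.token_urlsafe(24)  # random, not derived from the request
        self.records[ident] = self.clock() + self.aging_seconds
        return {**access_request, "identification": ident}

    @staticmethod
    def first_rule(ident):
        """One possible 'first rule': the server returns a SHA-256 digest of the
        identification information rather than the value itself."""
        return hashlib.sha256(ident.encode()).hexdigest()

    def verify(self, to_be_verified, derived=False):
        """Step 303: search the recorded identification information for an entry
        matching the returned identification. A match passes and consumes the
        record, so the same identification cannot pass twice."""
        self.purge_expired()
        for ident in list(self.records):
            candidate = self.first_rule(ident) if derived else ident
            if hmac.compare_digest(candidate, to_be_verified):  # no timing leak
                del self.records[ident]
                return True
        return False

    def purge_expired(self):
        """Aging: delete every record whose aging time has been reached."""
        now = self.clock()
        for ident, expiry in list(self.records.items()):
            if expiry <= now:
                del self.records[ident]


def demo():
    """Constructed walk-through under a controllable clock; returns each verdict."""
    now = [1000.0]
    store = IdentificationRecord(aging_seconds=30, clock=lambda: now[0])
    ident = store.issue({"path": "/api/resource"})["identification"]
    verdicts = {
        "direct": store.verify(ident),  # the identification itself: passes
        "replay": store.verify(ident),  # already consumed: fails
    }
    other = store.issue({"path": "/api/other"})["identification"]
    derived = IdentificationRecord.first_rule(other)
    verdicts["derived"] = store.verify(derived, derived=True)  # matched via the rule
    late = store.issue({"path": "/api/late"})["identification"]
    now[0] += 31  # aging time reached before the server answered
    verdicts["aged"] = store.verify(late)  # record purged: fails
    return verdicts


if __name__ == "__main__":
    print(demo())
```

The returned identification is the only thing tying the server's reply to a request the verifier itself issued, which is why the example generates it from a CSPRNG, compares it in constant time and deletes the record on the first match; the aging time bounds how long an unanswered record stays usable. The linear scan is there to show the "first rule" matching; a store holding many records would index by the derived value instead.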
Second way of implementing steps 301 to 303:
The method is executed by an electronic device newly added between the server management platform and the server. The first designated port is a first port on the server for connecting to that electronic device, and the second designated port is a second port on the server for connecting to that electronic device.
In implementing steps 301 and 303, the client may send the access request to the server management platform. On receiving the access request from the client, the server management platform may send it to the newly added electronic device (called the target electronic device below for convenience). The target electronic device may generate identification information for the access request and add it to the request, and then send the access request to the first port on the server.
After detecting that the first port has received the access request, the server may obtain the identification information carried in it and, based on that information, return an identification to be verified to the target electronic device.
On receiving the identification to be verified returned by the server, the target electronic device verifies it.
If the identification to be verified passes verification, the target electronic device sends a first message indicating that it has passed verification to the second designated port on the server, so that the server responds to the access request when it detects that the second designated port has received the first message.
In one embodiment, if the identification to be verified fails verification, the target electronic device sends a second message indicating that it failed verification to the second designated port on the server, so that the server, when it detects that the second designated port has received the second message, instructs the client to provide verification information, verifies the verification information provided by the client, and responds to the access request after that verification passes.
For the way of "verifying the identification to be verified", see above; it is not repeated here.
Third way of implementing steps 301 to 303:
The server includes a legality-check module and a business module. The server management platform establishes a connection with the legality-check module of the server, and the legality-check module establishes a connection (such as a socket connection) with the business module.
The method shown in FIG. 3 is executed by the legality-check module of the server. The first designated port is the port on the server corresponding to a first designated protocol; for example, it is the first port on the server corresponding to the HTTP protocol, such as port 80. The second designated port is the port on the server corresponding to a second designated protocol.
The business module establishes a first socket connection with the legality-check module through the first designated port, and may also establish a second socket connection with the legality-check module through the second designated port. In other words, the port of the first socket connection on the business module is the first designated port, through which the business module communicates with the legality-check module, and the port of the second socket connection on the business module is the second designated port, through which the business module communicates with the legality-check module.
Note that the second designated port may be the same as or different from the first designated port, so the first socket connection and the second socket connection may likewise be the same or different.
In implementing steps 301 and 303, the client may send the access request to the server management platform. On receiving the access request from the client, the server management platform may send it to the legality-check module of the server. The legality-check module may generate identification information for the access request and add it to the request, and then send the access request to the first designated port on the server.
The business module may listen on the first designated port. After detecting that the first designated port has received the access request, the business module may obtain the identification information carried in it and, based on that information, return an identification to be verified to the legality-check module.
On receiving the identification to be verified returned by the business module, the legality-check module verifies it.
If the identification to be verified passes verification, the legality-check module sends a first message indicating that it has passed verification to the second designated port on the server, so that the business module responds to the access request when it detects that the second designated port has received the first message.
In one embodiment, if the identification to be verified fails verification, the legality-check module sends a second message indicating that it failed verification to the second designated port on the server, so that the business module, when it detects that the second designated port has received the second message, instructs the client to provide verification information, verifies the verification information provided by the client, and responds to the access request after that verification passes.
Note that by having the legality-check module of the server, after receiving the access request sent by the server management platform, send that request to the first designated port on the server so that the business module obtains it by listening on the first designated port, the non-direct connection between client and server (client connected to the server management platform, platform connected to the server) is turned into a pseudo-direct connection (as if the client were connected directly to the server). The access request that the business module receives via the server management platform is then identical to one sent directly by the client, so the business module treats the request as having come directly from the client and can largely ignore matters related to the server management platform's protocol, which simplifies the server's handling of the access request.
Also, for the way of "verifying the identification to be verified", see above; it is not repeated here.
From the above description it can be seen that, on the one hand, identification information is added to the access request received from the client, the access request with the identification information added is sent to the server, and when the identification to be verified that the server returns based on that identification information is received, the user's legitimacy is authenticated by verifying the identification to be verified rather than by verifying user information. The server therefore does not require the user to enter user information repeatedly when authenticating the user, which greatly improves authentication efficiency and makes operation convenient for the user.
On the other hand, under the existing client / server management platform / server architecture, the server management platform is usually customized through secondary development so that it can itself authenticate whether a user may access a server's network resources and, as shown in FIG. 2, provide the server's network resources after successful authentication. When the client accesses the server, it first logs in to the server management platform; after a successful login it sends the platform an access request for a network resource on the server, and the platform responds to that request and returns the requested network resource to the client. This approach requires secondary development of the server management platform, which greatly increases developers' workload.
In the present application, by contrast, the server management platform passes the access request through to the server and the server responds to the client's access request, so the platform need not provide the function of authenticating whether a user may access the server's network resources. No secondary development of the server management platform is needed, which greatly reduces developers' workload.
Referring to FIG. 4, FIG. 4 is a flowchart of another authentication method according to an exemplary embodiment of the present application. The method may include the following steps.
Step 401: when it is detected that a first designated port on the server has received an access request, return an identification to be verified, based on the identification information carried in the access request, to the peer that sent the access request;
Step 402: when it is detected that a second designated port on the server has received a first message indicating that the identification to be verified has passed verification, respond to the access request.
In the embodiments of the present application, the method shown in FIG. 4 may be executed by the server, or by the business module of the server; the device or module that executes the method shown in FIG. 4 is not specifically limited here.
Several ways of implementing steps 401 and 402 are described below.
First way of implementing steps 401 and 402:
The method shown in FIG. 4 is executed by the server, and the peer is the server management platform. The first designated port is a first port on the server for connecting to the server management platform, and the second designated port is a second port on the server for connecting to the server management platform. The first and second designated ports may be the same port or different ports; this is only illustrative, not a specific limitation.
In implementing steps 401 and 402, the client may send the access request to the server management platform. On receiving the access request from the client, the server management platform may generate identification information for the request and add it to the request, and then send the access request to the first designated port on the server.
After detecting that the first designated port has received the access request, the server may obtain the identification information carried in it and, based on that information, return an identification to be verified to the server management platform.
On receiving the identification to be verified returned by the server, the server management platform verifies it.
If the identification to be verified passes verification, the server management platform sends a first message indicating that it has passed verification to the second designated port on the server, so that the server responds to the access request (for example, by returning the network resource requested) when it detects that the second designated port has received the first message.
In one embodiment, if the identification to be verified fails verification, the server management platform sends a second message indicating that it failed verification to the second designated port on the server, so that the server, when it detects that the second designated port has received the second message, instructs the client to provide verification information, verifies the verification information provided by the client, and responds to the access request after that verification passes.
Second way of implementing steps 401 and 402:
The method shown in FIG. 4 is executed by the server, and the peer is an electronic device newly added between the server management platform and the server. The first designated port is a first port on the server connected to the newly added electronic device, and the second designated port is a second port on the server connected to the newly added electronic device.
In implementing steps 401 and 402, the client may send the access request to the server management platform. On receiving the access request from the client, the server management platform may send it to the newly added electronic device (called the target electronic device below for convenience). The target electronic device may generate identification information for the access request and add it to the request, and then send the access request to the first port on the server.
After detecting that the first port has received the access request, the server may obtain the identification information carried in it and, based on that information, return an identification to be verified to the target electronic device.
On receiving the identification to be verified returned by the server, the target electronic device verifies it.
If the identification to be verified passes verification, the target electronic device sends a first message indicating that it has passed verification to the second designated port on the server, so that the server responds to the access request when it detects that the second designated port has received the first message.
In one embodiment, if the identification to be verified fails verification, the target electronic device sends a second message indicating that it failed verification to the second designated port on the server, so that the server, when it detects that the second designated port has received the second message, instructs the client to provide verification information, verifies the verification information provided by the client, and responds to the access request after that verification passes.
Third way of implementing steps 401 and 402:
The server includes a legality-check module and a business module. The server management platform establishes a connection with the legality-check module of the server, and the legality-check module establishes a connection (such as a socket connection) with the business module.
The method shown in FIG. 4 is executed by the business module of the server, and the peer is the legality-check module of the server. The first designated port is the port on the server corresponding to a first designated protocol; for example, it is the first port on the server corresponding to the HTTP protocol, such as port 80. The second designated port is the port on the server corresponding to a second designated protocol.
In implementation, the business module establishes a first socket connection with the legality-check module through the first designated port, and may also establish a second socket connection with the legality-check module through the second designated port. In other words, the port of the first socket connection on the business module is the first designated port, through which the business module communicates with the legality-check module, and the port of the second socket connection on the business module is the second designated port, through which the business module communicates with the legality-check module.
In implementing steps 401 and 402, the client may send the access request to the server management platform. On receiving the access request from the client, the server management platform may send it to the legality-check module of the server. The legality-check module may generate identification information for the access request and add it to the request, and then send the access request to the first designated port on the server.
The business module may listen on the first designated port. After detecting that the first designated port has received the access request, the business module may obtain the identification information carried in it and, based on that information, return an identification to be verified to the legality-check module.
On receiving the identification to be verified returned by the business module, the legality-check module verifies it.
If the identification to be verified passes verification, the legality-check module sends a first message indicating that it has passed verification to the second designated port on the server, so that the business module responds to the access request when it detects that the second designated port has received the first message.
In one embodiment, if the identification to be verified fails verification, the legality-check module sends a second message indicating that it failed verification to the second designated port on the server, so that the business module, when it detects that the second designated port has received the second message, instructs the client to provide verification information, verifies the verification information provided by the client, and responds to the access request after that verification passes.
This completes the description of FIG. 4.
A preferred embodiment of the present application is described below, taking the identification information to be a token and the identification to be verified to be the identification information itself.
Referring to FIG. 5, FIG. 5 is an interaction diagram of an authentication method according to an exemplary embodiment of the present application.
Step 501: the client sends a first authentication request carrying user information to the server management platform.
In implementation, the client shows the user a login interface for the server management platform, on which the user can enter user information. After obtaining the user information entered by the user, the client sends the first authentication request carrying that user information to the server management platform.
Step 502: after receiving the first authentication request, the server management platform authenticates the user based on the user information.
Step 503: the server management platform returns an authentication-success or authentication-failure message to the client.
Step 504: the client sends an access request to the server management platform.
Step 505: after determining that the user has been successfully authenticated on the server management platform, the server management platform forwards the access request to the legality-check module of the server.
Step 506: the legality-check module assigns a token to the access request, adds the assigned token to the access request, and records locally the token assigned to that access request.
Step 507: the legality-check module sends the access request carrying the token to the target port on the server corresponding to the HTTP protocol.
Step 508: when the business module detects that the target port has received the access request, it obtains the token from the access request.
Step 509: the business module sends the token to the legality-check module.
Step 510: the legality-check module checks whether, among all the tokens it has recorded locally, there is a token matching the token returned by the business module.
If a matching token exists among all the locally recorded tokens, steps 511 to 513 are executed;
if no matching token exists among all the locally recorded tokens, steps 514 to 522 are executed.
Step 511: if a match exists, the legality-check module sends a first message indicating that the token has passed verification to the target port.
Step 512: when the business module detects that the target port has received the first message, it returns the network resource requested by the access request to the server management platform.
Step 513: the server management platform forwards the network resource to the client.
Step 514: if no match exists, the legality-check module sends a second message indicating that the token failed verification to the target port.
Step 515: when the business module detects that the target port has received the second message, it returns an unauthenticated message to the server management platform.
Step 516: the server management platform returns the unauthenticated message to the client.
Step 517: the client sends a second authentication request carrying user information to the server management platform.
In implementation, after receiving the unauthenticated message the client shows the user a login interface for the server, on which the user can enter user information. After obtaining the user information entered by the user, the client sends the second authentication request carrying that user information to the server management platform.
Step 518: the server management platform forwards the second authentication request carrying the user information to the legality-check module.
Step 519: the legality-check module verifies the legitimacy of the user based on the user information.
Step 520: after determining that the user is legitimate, the legality-check module sends a third message indicating that the user is legitimate to the target port.
Step 521: after the business module detects that the target port has received the third message, it returns the network resource requested by the access request to the server management platform.
Step 522: the server management platform forwards the network resource to the client.
From the above description it can be seen that, on the one hand, a token is added to the access request received from the client, the access request with the token added is sent to the server, and when the token returned by the server is received, the client's legitimacy is authenticated by verifying the token rather than by verifying user information. The server therefore does not require the user to enter user information repeatedly when authenticating the client, which greatly improves verification efficiency and makes operation convenient for the user.
On the other hand, because the server management platform passes the access request through to the server and it is the server, not the server management platform, that responds to the client's access request, no secondary development of the server management platform is needed in the present application, which greatly reduces developers' workload.
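As an added example that is not part of the patent's own description, the following Python program runs the third implementation way (a legality-check module and a business module inside one server, steps 301 to 303 on the check side and 401 to 402 on the business side) through the FIG. 5 exchange, including the fallback path of steps 514 to 521. The two designated ports are two loopback TCP listeners owned by the business module; the messages are newline-terminated JSON; ephemeral ports stand in for port 80; the business module answers on the port-2 connection instead of replying to the server management platform; and the resource, the credential store and the request path are constructed for the demonstration. All of those, and every name in the code, are assumptions of this example.

```python
import json
import secrets
import socket
import threading

HOST = "127.0.0.1"  # assumption: designated ports are reachable only on loopback


def _send(sock, obj):
    sock.sendall((json.dumps(obj) + "\n").encode())


def _recv(sock):
    buf = b""
    while not buf.endswith(b"\n"):
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError("peer closed the connection")
        buf += chunk
    return json.loads(buf)


class BusinessModule:
    """Listens on the first designated port (access request in, token echoed
    back: steps 508-509) and on the second designated port (first / second /
    third message in, response out: steps 512, 515, 521)."""

    def __init__(self, resources):
        self.resources = resources
        self.sock1, self.sock2 = socket.socket(), socket.socket()
        for s in (self.sock1, self.sock2):
            s.bind((HOST, 0))  # ephemeral port stands in for e.g. port 80
            s.listen()
        self.port1 = self.sock1.getsockname()[1]
        self.port2 = self.sock2.getsockname()[1]

    def start(self):
        for s, handler in ((self.sock1, self._on_port1), (self.sock2, self._on_port2)):
            threading.Thread(target=self._serve, args=(s, handler), daemon=True).start()

    @staticmethod
    def _serve(listener, handler):
        while True:
            conn, _ = listener.accept()
            with conn:
                _send(conn, handler(_recv(conn)))

    def _on_port1(self, request):
        return {"token": request.get("token")}  # return the carried token to the peer

    def _on_port2(self, msg):
        if msg["type"] in ("first", "third"):  # token verified, or user found legitimate
            return {"status": 200, "body": self.resources.get(msg["path"], "")}
        return {"status": 401, "body": "unauthenticated"}  # second message


class LegalityCheckModule:
    """Assigns and records a token per access request (506), forwards the
    request to port 1 (507), verifies the echoed token (510), reports the
    verdict on port 2 (511 / 514) and handles the second login (517-520)."""

    def __init__(self, port1, port2, credentials):
        self.port1, self.port2, self.credentials = port1, port2, credentials
        self.issued = {}  # token -> requested path

    def _call(self, port, obj):
        with socket.create_connection((HOST, port)) as s:
            _send(s, obj)
            return _recv(s)

    def forward(self, request):
        token = secrets.token_urlsafe(32)  # unpredictable, one per request
        self.issued[token] = request["path"]
        return self._call(self.port1, {**request, "token": token})["token"]

    def verify_and_report(self, echoed, request):
        path = self.issued.pop(echoed, None)  # single use: consumed on match
        if path is not None:
            return self._call(self.port2, {"type": "first", "path": path})
        return self._call(self.port2, {"type": "second", "path": request["path"]})

    def second_authentication(self, request, user, password):
        if self.credentials.get(user) != password:  # constructed credential store
            return {"status": 401, "body": "authentication failed"}
        return self._call(self.port2, {"type": "third", "path": request["path"]})


def run_demo():
    """Drive the FIG. 5 exchange end to end and return each outcome."""
    bm = BusinessModule({"/camera/1/stream": "stream-descriptor"})
    bm.start()
    checker = LegalityCheckModule(bm.port1, bm.port2, {"alice": "s3cret"})
    request = {"path": "/camera/1/stream"}
    echoed = checker.forward(request)
    first = checker.verify_and_report(echoed, request)  # 511-513: resource returned
    replay = checker.verify_and_report(echoed, request)  # same echo again: 514-515
    fallback = checker.second_authentication(request, "alice", "s3cret")  # 517-521
    return {"first": first, "replay": replay, "fallback": fallback}


if __name__ == "__main__":
    print(run_demo())
```

Two points follow from running it. A replay of an already-echoed token yields the second message and a 401, because the record is consumed on the first match. And the first message on port 2 is what authorizes the response, so whoever can connect to the second designated port can authorize any request: the listeners here are bound to 127.0.0.1, and in a deployment the designated ports must be reachable only by the legality-check module (loopback, a Unix socket or an equivalent local channel), never by the client or the management platform directly.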
Referring to FIG. 6, FIG. 6 is a hardware structure diagram of an electronic device according to an exemplary embodiment of the present application. The electronic device may be the server management platform, a newly added device between the server management platform and the server, or the server itself; the electronic device is not specifically limited here.
The electronic device may include a readable storage medium and a processor. The readable storage medium stores machine-executable instructions, and the processor reads the machine-executable instructions from the readable storage medium and executes them to implement the steps of the authentication method described above.
Optionally, in addition to the processor 602 and the machine-readable storage medium 603, the electronic device may include a communication interface 601 and a bus 604, with the communication interface 601, the processor 602 and the machine-readable storage medium 603 communicating with one another over the bus 604. By reading and executing the machine-executable instructions in the machine-readable storage medium 603 that correspond to the authentication control logic, the processor 602 can perform the authentication method described above.
The machine-readable storage medium 603 mentioned herein may be any electronic, magnetic, optical or other physical storage device that can contain or store information such as executable instructions and data. For example, the machine-readable storage medium may be volatile memory, non-volatile memory or a similar storage medium. Specifically, the machine-readable storage medium 603 may be RAM (Random Access Memory), flash memory, a storage drive (such as a hard disk drive), a solid-state drive, any type of storage disc (such as an optical disc or DVD), a similar storage medium, or a combination of them.
Referring to FIG. 7, FIG. 7 is a block diagram of an authentication apparatus according to an exemplary embodiment of the present application. The apparatus may be part of, or installed in, the electronic device of FIG. 6, or it may be part of, or installed in, the legality-check module of the server. It may include the following units.
A generating unit 701, configured to, when an access request from a client is received, generate identification information to be carried in the access request and send the access request carrying the identification information to a first designated port on a server;
an obtaining unit 702, configured to obtain an identification to be verified returned by the first designated port, the identification to be verified being returned by the server, based on the identification information carried in the access request, when the server detects that the first designated port has received the access request;
a verifying unit 703, configured to verify the identification to be verified and, when it passes verification, send a first message indicating that it has passed verification to a second designated port on the server, so that the server responds to the access request when it detects that the second designated port has received the first message.
Optionally, the apparatus is part of, or installed in, an electronic device that lies on the access path from the client to the server and is connected to the server; the first designated port is a first port on the server that connects to the electronic device, and the second designated port is a second port on the server that connects to the electronic device. Alternatively, the apparatus is part of, or installed in, the server; the first designated port is the port on the server corresponding to a first designated protocol, and the second designated port is the port on the server corresponding to a second designated protocol.
Optionally, the electronic device is the server management platform for managing the server, or a newly added device between the server management platform and the server.
Optionally, the generating unit 701 is further configured to record the identification information after generating the identification information to be carried in the access request; and the verifying unit 703, when verifying the identification to be verified, is configured to search the recorded identification information (for example, all recorded identification information) for an entry matching the identification to be verified, to determine that the identification to be verified passes verification if one exists, and to determine that it fails verification if none exists.
Optionally, the apparatus further includes a deleting unit 704 (not shown in FIG. 7), configured to delete the identification information matching the identification to be verified after it has been determined to pass verification, and/or to delete the identification information when it is detected that its aging time has been reached.
Optionally, the verifying unit 703 is further configured to, when the identification to be verified fails verification, send a second message indicating that it failed verification to the second designated port, so that the server, when it detects that the second designated port has received the second message, instructs the client to provide verification information, verifies the verification information provided by the client, and responds to the access request after that verification passes.
In addition, an exemplary embodiment of the present application provides a server.
The server may include a readable storage medium and a processor. The readable storage medium stores machine-executable instructions, and the processor reads the machine-executable instructions from the readable storage medium and executes them to implement the steps of the authentication method described above.
Optionally, as shown in FIG. 8, in addition to the processor 802 and the machine-readable storage medium 803, the server may include a communication interface 801 and a bus 804, with the communication interface 801, the processor 802 and the machine-readable storage medium 803 communicating with one another over the bus 804. By reading and executing the machine-executable instructions in the machine-readable storage medium 803 that correspond to the authentication control logic, the processor 802 can perform the authentication method described above.
The machine-readable storage medium 803 mentioned herein may be any electronic, magnetic, optical or other physical storage device that can contain or store information such as executable instructions and data. For example, the machine-readable storage medium may be volatile memory, non-volatile memory or a similar storage medium. Specifically, the machine-readable storage medium 803 may be RAM (Random Access Memory), flash memory, a storage drive (such as a hard disk drive), a solid-state drive, any type of storage disc (such as an optical disc or DVD), a similar storage medium, or a combination of them.
Referring to FIG. 9, FIG. 9 is a block diagram of another authentication apparatus according to an exemplary embodiment of the present application. The apparatus may be part of, or installed in, the server shown in FIG. 8, or it may be part of, or installed in, the business module of the server; this is not specifically limited here. The apparatus may include the following units.
A sending unit 901, configured to, when it is detected that a first designated port on the server has received an access request, return an identification to be verified, based on the identification information carried in the access request, to the peer that sent the access request;
a responding unit 902, configured to respond to the access request when it is detected that a second designated port on the server has received a first message indicating that the identification to be verified has passed verification.
Optionally, the first designated port is a first port on the server that connects to the peer, and the second designated port is a second port on the server that connects to the peer;
the peer being an electronic device that lies on the access path from the client to the server and is connected to the server. Alternatively, the first designated port is the port on the server corresponding to a first designated protocol, and the second designated port is the port on the server corresponding to a second designated protocol.
Optionally, the responding unit 902 is further configured to, when it detects that the second designated port has received a second message indicating that the identification to be verified failed verification, instruct the client to provide verification information, verify the verification information provided by the client, and respond to the access request after that verification passes.
In addition, the present application provides a computer program stored in a machine-readable storage medium which, when executed by a processor, causes the processor to implement the authentication method shown in FIG. 3 above.
In addition, the present application provides a computer program stored in a machine-readable storage medium which, when executed by a processor, causes the processor to implement the authentication method shown in FIG. 4 above.
In addition, the present application provides a machine-readable storage medium storing machine-executable instructions which, when called and executed by a processor, cause the authentication method shown in FIG. 3 above to be implemented.
In addition, the present application provides a machine-readable storage medium storing machine-executable instructions which, when called and executed by a processor, cause the authentication method shown in FIG. 4 above to be implemented.
For details of how the functions and roles of the units of the above apparatus are implemented, see the implementation of the corresponding steps of the methods above; they are not repeated here. For the apparatus embodiments, since they basically correspond to the method embodiments, the relevant parts can refer to the description of the method embodiments. The apparatus embodiments described above are merely illustrative: the units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units; that is, they may be located in one place or distributed over several network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of the present application. Those of ordinary skill in the art can understand and implement this without creative effort.
The above are only preferred embodiments of the present application and are not intended to limit it. Any modification, equivalent replacement, improvement and the like made within the spirit and principles of the present application shall fall within its scope of protection.

Claims (18)

  1. An authentication method, wherein the method includes:
    when an access request from a client is received, generating identification information to be carried in the access request, and sending the access request carrying the identification information to a first designated port on a server;
    obtaining an identification to be verified returned by the first designated port, the identification to be verified being returned by the server, based on the identification information carried in the access request, when the server detects that the first designated port has received the access request;
    verifying the identification to be verified and, when it passes verification, sending a first message indicating that the identification to be verified has passed verification to a second designated port on the server, so that the server responds to the access request when it detects that the second designated port has received the first message.
  2. The method according to claim 1, wherein the method is executed by an electronic device that lies on the access path from the client to the server and is connected to the server; the first designated port is a first port on the server that connects to the electronic device;
    the second designated port is a second port on the server that connects to the electronic device;
    or,
    the method is executed by the server; the first designated port is the port on the server corresponding to a first designated protocol; the second designated port is the port on the server corresponding to a second designated protocol.
  3. The method according to claim 2, wherein the server includes a legality-check module and a business module; when the method is executed by the server, it is executed by the legality-check module of the server, which sends the access request to the business module through the first port and sends the first message to the business module through the second port, and the business module responds to the access request.
  4. The method according to claim 1, wherein after generating the identification information to be carried in the access request, the method further includes:
    recording the identification information;
    and verifying the identification to be verified includes:
    searching the recorded identification information for an entry matching the identification to be verified;
    if one exists, determining that the identification to be verified passes verification;
    if none exists, determining that the identification to be verified fails verification.
  5. The method according to claim 4, wherein the method further includes:
    after determining that the identification to be verified passes verification, deleting the identification information matching it; and/or,
    when it is detected that the aging time of the identification information has been reached, deleting the identification information.
  6. The method according to claim 1, wherein the method further includes:
    when the identification to be verified fails verification, sending a second message indicating that it failed verification to the second designated port, so that the server, when it detects that the second designated port has received the second message, instructs the client to provide verification information, verifies the verification information provided by the client, and responds to the access request after that verification passes.
  7. An authentication method, wherein the method is executed by a server and includes:
    when it is detected that a first designated port on the server has received an access request, returning an identification to be verified, based on the identification information carried in the access request, to the peer that sent the access request;
    when it is detected that a second designated port on the server has received a first message indicating that the identification to be verified has passed verification, responding to the access request.
  8. The method according to claim 7, wherein the first designated port is a first port on the server that connects to the peer; the second designated port is a second port on the server that connects to the peer;
    the peer is an electronic device that lies on the access path from the client to the server and is connected to the server;
    or,
    the first designated port is the port on the server corresponding to a first designated protocol; the second designated port is the port on the server corresponding to a second designated protocol.
  9. The method according to claim 8, wherein the server includes a legality-check module and a business module, the method is executed by the business module of the server, the legality-check module is the peer, the business module establishes a first connection with the legality-check module through the first designated port, and the business module establishes a second connection with the legality-check module through the second designated port.
  10. The method according to claim 7, wherein the method further includes:
    when it is detected that the second designated port has received a second message indicating that the identification to be verified failed verification, instructing the client to provide verification information, verifying the verification information provided by the client, and responding to the access request after that verification passes.
  11. An authentication apparatus, wherein the apparatus includes:
    a generating unit, configured to, when an access request from a client is received, generate identification information to be carried in the access request and send the access request carrying the identification information to a first designated port on a server;
    an obtaining unit, configured to obtain an identification to be verified returned by the first designated port, the identification to be verified being returned by the server, based on the identification information carried in the access request, when the server detects that the first designated port has received the access request;
    a verifying unit, configured to verify the identification to be verified and, when it passes verification, send a first message indicating that the identification to be verified has passed verification to a second designated port on the server, so that the server responds to the access request when it detects that the second designated port has received the first message.
  12. An authentication apparatus, wherein the apparatus includes:
    a sending unit, configured to, when it is detected that a first designated port on the server has received an access request, return an identification to be verified, based on the identification information carried in the access request, to the peer that sent the access request;
    a responding unit, configured to respond to the access request when it is detected that a second designated port on the server has received a first message indicating that the identification to be verified has passed verification.
  13. An electronic device, wherein the device includes a readable storage medium and a processor;
    the readable storage medium is configured to store machine-executable instructions;
    the processor is configured to read the machine-executable instructions from the readable storage medium and execute them to implement the steps of the method according to any one of claims 1 to 6.
  14. A server, wherein the server includes a readable storage medium and a processor;
    the readable storage medium is configured to store machine-executable instructions;
    the processor is configured to read the machine-executable instructions from the readable storage medium and execute them to implement the steps of the method according to any one of claims 7 to 10.
  15. A computer program stored in a machine-readable storage medium which, when executed by a processor, causes the processor to implement the method according to any one of claims 1 to 6.
  16. A computer program stored in a machine-readable storage medium which, when executed by a processor, causes the processor to implement the method according to any one of claims 7 to 10.
  17. A machine-readable storage medium storing machine-executable instructions which, when called and executed by a processor, cause the processor to perform the method according to any one of claims 1 to 6.
  18. A machine-readable storage medium storing machine-executable instructions which, when called and executed by a processor, cause the processor to perform the method according to any one of claims 7 to 10.
PCT/CN2021/096101 2020-05-27 2021-05-26 Authentication method, apparatus, electronic device and server, program and storage medium WO2021238990A1 (zh)

Priority Applications (1)

Application Number Priority Date Filing Date Title
EP21811788.5A EP4161012A4 (en) 2020-05-27 2021-05-26 AUTHENTICATION METHOD AND APPARATUS, ELECTRONIC DEVICE, SERVER, PROGRAM AND STORAGE MEDIUM

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN202010464223.9 2020-05-27
CN202010464223.9A CN111447245A (zh) 2020-05-27 2020-05-27 Authentication method and apparatus, electronic device and server

Publications (1)

Publication Number Publication Date
WO2021238990A1 true WO2021238990A1 (zh) 2021-12-02

Family

ID=71655460

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2021/096101 WO2021238990A1 (zh) 2020-05-27 2021-05-26 Authentication method, apparatus, electronic device and server, program and storage medium

Country Status (3)

Country Link
EP (1) EP4161012A4 (zh)
CN (1) CN111447245A (zh)
WO (1) WO2021238990A1 (zh)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114390049A (zh) * 2021-12-29 2022-04-22 中国电信股份有限公司 Application data acquisition method and apparatus
CN114390457A (zh) * 2022-01-17 2022-04-22 百果园技术(新加坡)有限公司 SMS verification method, apparatus, device and storage medium
CN114615242A (zh) * 2022-03-10 2022-06-10 北京沃东天骏信息技术有限公司 Data interaction method, server, terminal and computer-readable storage medium

Families Citing this family (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111447245A (zh) * 2020-05-27 2020-07-24 杭州海康威视数字技术股份有限公司 Authentication method and apparatus, electronic device and server
CN114257393A (zh) * 2020-09-25 2022-03-29 中国移动通信有限公司研究院 Terminal device authentication method, apparatus and computer-readable storage medium
CN114697396A (zh) * 2020-12-29 2022-07-01 北京国双科技有限公司 Request processing method and apparatus, electronic device and readable storage medium
WO2022188006A1 (zh) * 2021-03-08 2022-09-15 华为技术有限公司 Certificate application method and apparatus
CN114257578B (zh) * 2021-12-16 2024-04-02 上海幻电信息科技有限公司 Information verification method and apparatus

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20150350186A1 (en) * 2014-05-30 2015-12-03 Oracle International Corporation Authorization token cache system and method
CN108769041A (zh) * 2018-06-06 2018-11-06 深圳壹账通智能科技有限公司 Login method, system, computer device and storage medium
CN109510802A (zh) * 2017-09-15 2019-03-22 华为技术有限公司 Authentication method, apparatus and system
CN109587133A (zh) * 2018-11-30 2019-04-05 武汉烽火众智智慧之星科技有限公司 Single sign-on system and method
CN111447245A (zh) * 2020-05-27 2020-07-24 杭州海康威视数字技术股份有限公司 Authentication method and apparatus, electronic device and server

Family Cites Families (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102882835B (zh) * 2011-07-13 2015-09-09 中国科学院声学研究所 Method and system for implementing single sign-on
CN104038490B (zh) * 2014-06-09 2018-01-12 可牛网络技术(北京)有限公司 Communication security verification method and apparatus
CN107770140A (zh) * 2016-08-22 2018-03-06 南京中兴软件有限责任公司 Single sign-on authentication method and apparatus
CN106790194B (zh) * 2016-12-30 2020-06-19 中国银联股份有限公司 SSL-protocol-based access control method and apparatus
CN109815656A (zh) * 2018-12-11 2019-05-28 平安科技(深圳)有限公司 Login authentication method, apparatus, device and computer-readable storage medium
CN110213223B (zh) * 2019-03-21 2022-03-01 腾讯科技(深圳)有限公司 Service management method, apparatus, system, computer device and storage medium
CN110519240B (zh) * 2019-08-09 2021-04-27 浙江大搜车软件技术有限公司 Single sign-on method, apparatus and system
CN111143814B (zh) * 2019-12-30 2022-06-21 武汉佰钧成技术有限责任公司 Single sign-on method, microservice access platform and storage medium


Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114390049A (zh) * 2021-12-29 2022-04-22 中国电信股份有限公司 Application data acquisition method and apparatus
CN114390457A (zh) * 2022-01-17 2022-04-22 百果园技术(新加坡)有限公司 SMS verification method, apparatus, device and storage medium
CN114390457B (zh) * 2022-01-17 2023-11-07 百果园技术(新加坡)有限公司 SMS verification method, apparatus, device and storage medium
CN114615242A (zh) * 2022-03-10 2022-06-10 北京沃东天骏信息技术有限公司 Data interaction method, server, terminal and computer-readable storage medium

Also Published As

Publication number Publication date
EP4161012A4 (en) 2023-11-08
CN111447245A (zh) 2020-07-24
EP4161012A1 (en) 2023-04-05

Similar Documents

Publication Publication Date Title
WO2021238990A1 (zh) Authentication method, apparatus, electronic device and server, program and storage medium
CN107948203B (zh) Container login method, application server, system and storage medium
KR101979402B1 (ko) Using temporary credentials in guest mode
US9047458B2 (en) Network access protection
WO2019036012A1 (en) SINGLE SIGNATURE OF A USER OF AN APPLICATION
JP4512179B2 (ja) Storage apparatus and access management method therefor
KR20100029098A (ko) Device provisioning and domain join emulation over insecure networks
US20090300168A1 (en) Device-specific identity
US20110231901A1 (en) Management system, program recording medium, and program distribution apparatus
CN102271133B (zh) Authentication method, apparatus and system
US9059987B1 (en) Methods and systems of using single sign-on for identification for a web server not integrated with an enterprise network
US11184389B2 (en) Security mechanisms for preventing retry or replay attacks
CN109981680A (zh) Access control implementation method, apparatus, computer device and storage medium
CN111694743A (zh) Method and apparatus for detecting a business system
CN111241523B (zh) Authentication processing method, apparatus, device and storage medium
CN106789987B (zh) Method and system for single sign-on of a mobile terminal to multiple interconnected service apps
US7761468B2 (en) Supporting multiple security mechanisms in a database driver
JP2009518883A (ja) Registration method and registration system for distributed service sites
CN107172082B (zh) File sharing method and system
US20190132304A1 (en) Loopback verification of multi-factor authentication
CN107105046B (zh) Method and system for remote access to big data
CN115589333B (zh) Access request authentication method, apparatus, system and electronic device
JP5053756B2 (ja) Certificate verification server, certificate verification method and certificate verification program
CN115208652B (zh) Dynamic network resource access control method
US11637822B2 (en) Onboarding for cloud-based management

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 21811788

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

ENP Entry into the national phase

Ref document number: 2021811788

Country of ref document: EP

Effective date: 20230102