WO2023104117A1 - Resource access method and system, electronic device, and computer-readable storage medium - Google Patents


Info

Publication number
WO2023104117A1
Authority
WO
WIPO (PCT)
Prior art keywords
resource access
identification value
authentication
user
server
Application number
PCT/CN2022/137334
Other languages
French (fr)
Chinese (zh)
Inventor
刘京龙
Original Assignee
中兴通讯股份有限公司 (ZTE Corporation)
Application filed by 中兴通讯股份有限公司 (ZTE Corporation)
Publication of WO2023104117A1

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F 21/31 User authentication
    • G06F 21/60 Protecting data
    • G06F 21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F 2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 2221/2141 Access rights, e.g. capability lists, access control lists, access tables, access matrices

Definitions

  • the embodiments of the present application relate to the technical field of communications, and in particular, to a resource access method, system, electronic device, and computer-readable storage medium.
  • Static resources are an important part of a website's resources; if access to them is not controlled, they can be stolen and abused on a large scale.
  • Current static-resource anti-theft techniques fall into two main categories. The first uses temporary uniform resource locators (URLs).
  • A temporary URL generated in this way becomes invalid once it expires and must be regenerated.
  • The server therefore has to issue a large number of temporary URLs, which increases its load and degrades its performance.
  • The second adds risky source addresses to a blacklist in advance; each time a user initiates a resource access request, the server checks whether the request's source address is in the preset blacklist. The blacklist must be configured beforehand, which is inflexible, and when there are many users it consumes a large amount of storage space.
  • Embodiments of the present application propose a resource access method, system, electronic device, and computer-readable storage medium, so that resource theft can be prevented while reducing server processing load, improving flexibility, and eliminating the need to consume a large amount of storage space.
  • An embodiment of the present application provides a resource access method applied to an authentication server, including: receiving a user's login request, where the login request carries the user's identity information; verifying the user's identity information and, after the verification passes, storing the user's authentication information and the identification value corresponding to that authentication information in a preset storage space, and storing the identification value in the client; receiving the identification value carried in a resource access request and sent on by the front-end server, where the client placed that identification value in the resource access request when it sent the request to the front-end server; and authenticating the resource access request according to the carried identification value and the identification value corresponding to the authentication information stored in the storage space, allowing access to the resource when the authentication is determined to pass.
  • An embodiment of the present application also provides a resource access method applied to a client, including: sending a login request to the authentication server, so that the authentication server verifies the user's identity information carried in the login request and, after the verification passes, stores the user's authentication information and the identification value corresponding to that authentication information in a preset storage space and stores the identification value in the client; and carrying the stored identification value in each resource access request it sends, so that the front-end server can forward the identification value carried in the resource access request to the authentication server. The authentication server is configured to authenticate the resource access request according to the carried identification value and the identification value corresponding to the authentication information stored in the storage space, and to allow access to the resource when the authentication is determined to pass.
  • An embodiment of the present application also provides a resource access method applied to a front-end server, including: receiving a resource access request carrying an identification value from a client, where the identification value was stored in the client by the authentication server after the user's identity information passed verification, the user's identity information having been carried in a login request received by the authentication server, which also stored the user's authentication information and the corresponding identification value in a preset storage space after the verification passed; and sending the identification value carried in the resource access request to the authentication server, so that the authentication server can authenticate the resource access request according to the carried identification value and the identification value corresponding to the authentication information stored in the storage space, and allow access to the resource when the authentication is determined to pass.
  • An embodiment of the present application also provides a resource access system, including a client, an authentication server and a front-end server. The client is configured to send a login request to the authentication server, where the login request carries the user's identity information. The authentication server is configured to verify the user's identity information and, after the verification passes, to store the user's authentication information and the identification value corresponding to that authentication information in a preset storage space and to store the identification value in the client. The client is configured to carry the stored identification value in the resource access request when it sends a resource access request to the front-end server. The front-end server is configured to send the identification value carried in the resource access request to the authentication server. The authentication server is configured to authenticate the resource access request according to the carried identification value and the identification value corresponding to the authentication information stored in the storage space, and to allow access to the resource when the authentication is determined to pass.
  • An embodiment of the present application also provides an electronic device, including at least one processor and a memory communicatively connected to the at least one processor, where the memory stores instructions executable by the at least one processor. When the electronic device is an authentication server, the instructions are executed by the at least one processor so that it can perform the resource access method applied to the authentication server; when the electronic device is a client, so that it can perform the resource access method applied to the client; and when the electronic device is a front-end server, so that it can perform the resource access method applied to the front-end server.
  • An embodiment of the present application also provides a computer-readable storage medium storing a computer program which, when executed by a processor, implements the above resource access method.
  • the resource access method provided by the embodiment of the present application verifies the user's identity information carried in the received login request, and stores the user's authentication information and the identification value corresponding to the authentication information in the preset storage space, and store the identification value to the client; receive the identification value carried in the resource access request sent by the front-end server; the carried identification value is carried in the resource access request when the client sends the resource access request to the front-end server; According to the identification value carried and the identification value corresponding to the authentication information stored in the storage space, the resource access request is authenticated, and when it is determined that the authentication is passed, access to the resource is allowed.
  • Login verification and resource anti-theft are combined so that the authentication information is reused: neither the authentication server nor the front-end server needs extra interactions such as distributing temporary URLs, which reduces the server burden.
  • Once the user's identity information has passed verification, the user is known to be legitimate, so authenticating the resource access request with that user's authentication information amounts to authenticating it against a legitimate user; no preset blacklist is needed. Resource access is strongly associated with the logged-in user, which gives user-level resource access control, improves system flexibility, and requires no additional storage space.
  • FIG. 1 is a flowchart of the resource access method applied to an authentication server mentioned in the embodiment of the present application.
  • FIG. 2 is an interaction diagram of the resource access method mentioned in the embodiment of the present application.
  • FIG. 3 is a flowchart of the resource access method applied to the client mentioned in the embodiment of the present application.
  • FIG. 4 is a flowchart of the resource access method applied to the front-end server mentioned in the embodiment of the present application.
  • FIG. 5 is a schematic diagram of the resource access system mentioned in the embodiment of the present application.
  • FIG. 6 is a schematic structural diagram of the electronic device mentioned in the embodiment of the present application.
  • a resource access method is provided, which is applied to an authentication server.
  • The authentication server can be understood as a back-end server that corresponds to the front-end server.
  • This embodiment can be applied to the problem of resource misappropriation in the field of network resource security, such as the scene of anti-theft of static resources, where the static resources can be pictures, fonts, and the like.
  • the implementation details of the resource access method of this embodiment are described in detail below, and the following content is only implementation details provided for easy understanding, and is not necessary for implementing this solution.
  • Step 101: receive a login request from a user;
  • the login request carries the identity information of the user.
  • Step 102: verify the identity information of the user; after the verification passes, store the user's authentication information and the identification value corresponding to the authentication information in a preset storage space, and store the identification value in the client;
  • Step 103: receive the identification value carried in the resource access request and sent by the front-end server;
  • the carried identification value was placed in the resource access request by the client when it sent the request to the front-end server.
  • Step 104: authenticate the resource access request according to the carried identification value and the identification value corresponding to the authentication information stored in the storage space, and allow access to the resource when the authentication is determined to pass.
  • Login verification is combined with resource anti-theft so that the authentication information is reused: neither the authentication server nor the front-end server needs extra interactions such as distributing temporary URLs, which reduces the server burden.
  • Once the user's identity information has passed verification, the user is known to be legitimate, so authenticating the resource access request with that user's authentication information amounts to authenticating it against a legitimate user; no preset blacklist is needed. Resource access is strongly associated with the logged-in user, which gives user-level resource access control, improves system flexibility, and requires no additional storage space.
  • the user's identity information carried in the login request may include: a user name and a user password.
  • the user can use the user name and user password to log in to the authentication server. For example, the user can enter the user name and user password through the login interface of the client to initiate a login request.
  • A user can log in with a user name and user password through a World Wide Web (web) page, so that a login request carrying the user name and user password reaches the authentication server.
  • The browser in the client can send the login request to the authentication server directly, or through the front-end server: the browser sends the login request to the front-end server, which forwards it to the authentication server.
  • The authentication server verifies the user's identity information according to the user name and user password it carries; after the verification passes, it stores the user's authentication information and the corresponding identification value in the preset storage space, and stores the identification value in the client.
  • The preset storage space can be any storage tool with a storage function, such as Remote Dictionary Server (Redis). Redis is a high-performance key-value database that supports efficient storage and reading of data, which helps improve the efficiency and reliability of resource access.
  • The storage tool is not limited to Redis.
  • The user's authentication information may include the user's permission information for different websites and different applications; the identification value corresponding to the authentication information can be understood as a cookie (a small text file) that uniquely identifies that authentication information.
  • the authentication information of different users corresponds to different identification values, and the identification value corresponds to the authentication information one by one.
  • the authentication information can be understood as a value, and the identification value can be understood as a key. Both the value and the key are stored in Redis.
  • The authentication server also stores the identification value in the client. For example, it can send the identification value directly to the client for the client to store, or it can send the identification value to the front-end server, which then sends it to the client so that the client stores it.
  • The front-end server can be any server capable of serving resources and forwarding requests, such as Nginx, Apache HTTP Server (apache), or Internet Information Server (IIS).
  • Nginx is a high-performance Hypertext Transfer Protocol (HTTP) and reverse-proxy web server.
  • Tomcat is a free, open-source, lightweight web application server.
  • Storing the identification value in the client after the user's identity information passes verification may mean storing it in a browsing tool on the client, such as a browser.
  • In step 103, when the client determines that it needs to initiate a resource access request to the front-end server, it carries the stored identification value in the request and sends it to the front-end server.
  • When the front-end server receives the resource access request, it obtains the identification value carried in it and sends that value to the authentication server, so that the authentication server can authenticate the resource access request.
  • The authentication server authenticates the resource access request according to the carried identification value and the identification value corresponding to the authentication information stored in the storage space, and may send the authentication result to the front-end server, which then responds according to that result.
  • the front-end server determines that the authentication result is passed, the resource is allowed to be accessed. For example, the resource requested by the resource access request can be sent to the client, and the requested resource is displayed on the client interface.
  • the authentication server can query and read the same identification value as the identification value carried in the access request among the identification values stored in the storage space, and record the queried identification value as the target identification value.
  • the authentication server queries the authentication information corresponding to the target identification value in the storage space, and the queried authentication information is recorded as the target authentication information.
  • the authentication server can obtain the authentication result of the access request according to the target authentication information.
  • The resource access request can carry information about the website to be accessed. If the target authentication information includes the user's permission information for that website and the permission allows access, the authentication result of the resource access request is "pass".
  • If the target authentication information does not include permission information for the website to be accessed, or includes it but the permission denies access, the authentication result of the resource access request is "fail".
  • After authenticating the resource access request, the authentication server sends the result, pass or fail, to the front-end server so that the front-end server can respond to it. When the result is pass, the response is to allow access to the resource; when the result is fail, the response may be to refuse access. Only authenticated requests reach resources, which prevents resource theft.
  • Current static-resource anti-theft techniques, i.e. temporary URLs and preset blacklists of risky source addresses, can only achieve website-level access control and cannot enforce finer-grained control based on user permissions.
  • This embodiment provides finer-grained, user-level resource access control: access requests are authenticated using the authentication information of legitimate users, without additional interaction logic, which is simple and easy to implement.
  • When authentication fails, the client's page is redirected to a login page to instruct the user to log in again. That is, when the authentication result is fail, the front-end server's response may be to redirect the client's current page to the login page, prompting the user to re-enter the user name and password. This lets a user whose authentication failed because of a wrong user name or password log in again and then access resources normally.
  • A validity period is set for the authentication information and its corresponding identification value. When the authentication information and identification value have been held in the storage space for longer than the validity period, they become invalid; likewise, when the identification value has been held in the client for longer than the validity period, it becomes invalid.
  • The validity period can be set according to actual needs: where the security requirements for authentication are high it can be set relatively short, and where they are lower it can be set relatively long. In other words, the authentication information and identification value in the storage space and the identification value in the client all carry an expiry after which they automatically become invalid, which improves the security of authentication to a certain extent.
  • the authentication information stored in the storage space and the identification value corresponding to the authentication information become invalid, which may be: after the authentication information and the identification value corresponding to the authentication information expire, the storage space automatically deletes the authentication information and the identification value corresponding to the authentication information.
  • the invalidation of the identification value stored in the client may be: after the identification value stored in the client expires, the client automatically deletes the stored identification value. If the identification value is stored in the browser in the client, the browser may automatically delete the stored identification value after the identification value expires.
  • the above valid period can be refreshed by using the keep-alive mechanism of the user login.
  • the front-end server can periodically call the keep-alive interface, and periodically refresh the effective duration through the keep-alive interface.
  • The keep-alive mechanism can be understood as follows: after the user logs in, the front-end server or the client monitors the user's operations, and each time a user operation is detected the validity period is renewed, i.e. its starting point is reset to the time at which the operation was detected.
  • In this way the validity period of resource access is kept consistent with the validity period of the user session, and the validity period of the authentication information is refreshed through the login keep-alive mechanism without the authentication server having to perform additional cleanup or keep-alive operations.
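The following is an added example, not code from the patent or from ZTE, showing the authentication-server side of steps 101 to 104 together with the validity period and keep-alive refresh described above. It assumes a Python dict in place of Redis, PBKDF2-SHA256 for the stored passwords (the patent only says "user name and user password"), a constructed user table with one user, and an injectable clock so expiry can be driven in a test. One point the patent leaves implicit is made explicit here: the identification value is the only thing a request needs to be authenticated, so it is generated from the OS CSPRNG rather than derived from the user name.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Tuple

PBKDF2_ITERATIONS = 100_000


def hash_password(password: str, salt: bytes) -> bytes:
    """PBKDF2-SHA256 of the password; the hashing scheme is an assumption of this example."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


# Constructed user table: user name -> (salt, password hash, permission info per website).
ALICE_SALT = b"constructed-salt-alice"
USERS: Dict[str, Tuple[bytes, bytes, Dict[str, str]]] = {
    "alice": (ALICE_SALT, hash_password("correct horse", ALICE_SALT),
              {"static.example.com": "allow", "admin.example.com": "deny"}),
}


@dataclass
class AuthServer:
    """Authentication server: keeps (identification value -> authentication info) with a validity period."""
    validity_seconds: float = 1800.0
    clock: Callable[[], float] = time.monotonic
    # identification value (key) -> (authentication info (value), expiry time); stands in for Redis
    store: Dict[str, Tuple[dict, float]] = field(default_factory=dict)

    def login(self, username: str, password: str) -> Optional[str]:
        """Steps 101/102: verify identity information; on success store the authentication
        info under a fresh identification value and return it for the client to keep."""
        record = USERS.get(username)
        if record is None:
            return None
        salt, expected, permissions = record
        # constant-time comparison so the check does not leak a timing signal
        if not hmac.compare_digest(hash_password(password, salt), expected):
            return None
        # Anyone presenting this value is authenticated, so it must be unguessable:
        # 32 random bytes from the OS CSPRNG, URL-safe for use as a cookie value.
        ident = secrets.token_urlsafe(32)
        auth_info = {"user": username, "permissions": permissions}
        self.store[ident] = (auth_info, self.clock() + self.validity_seconds)
        return ident

    def _lookup(self, ident: str) -> Optional[dict]:
        """Return the target authentication info, dropping the entry if its validity period has passed."""
        entry = self.store.get(ident)
        if entry is None:
            return None
        auth_info, expiry = entry
        if self.clock() >= expiry:
            del self.store[ident]  # expired: the storage space deletes it automatically
            return None
        return auth_info

    def authenticate(self, ident: str, website: str) -> bool:
        """Steps 103/104: the front-end server forwards the carried identification value;
        pass only if the target authentication info allows the website being accessed."""
        auth_info = self._lookup(ident)
        if auth_info is None:
            return False
        return auth_info["permissions"].get(website) == "allow"

    def keep_alive(self, ident: str) -> bool:
        """Keep-alive interface: restart the validity period at the time user activity was
        observed. Returns False if the value is unknown or has already expired."""
        if self._lookup(ident) is None:
            return False
        auth_info, _ = self.store[ident]
        self.store[ident] = (auth_info, self.clock() + self.validity_seconds)
        return True
```

A request for a website that is absent from the permission info fails closed, matching the patent's rule that missing permission information yields "fail". With real Redis the expiry would be a TTL on the key (SET with EX, refreshed by EXPIRE on keep-alive) rather than the timestamp kept here.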
  • web static resources are split into resources required for login and resources required for accessing services.
  • the resources required for login do not need to be authenticated, and the resources required for accessing services need to be authenticated.
  • access to the static resources of a specific project is allowed only after the authentication is passed.
  • a user logs in using a user name and a user password through a browser in the client, and the login request reaches the authentication server.
  • the authentication server verifies the identity information of the user, and stores the authentication information and the cookie corresponding to the authentication information into Redis after the verification is passed.
  • When a user needs to access or download a static resource, the browser sends the stored cookie to the front-end server in the resource access request.
  • the cookie can be carried in the request header of the resource access request.
  • the front-end server obtains the carried cookie from the resource access request, and sends the cookie to the authentication server for authentication.
  • the authentication server obtains the authentication information corresponding to the cookie from Redis according to the received cookie, so as to judge whether the current user authority meets the access requirements, and obtain the authentication result.
  • the authentication server sends the authentication result to the front-end server.
  • If the authentication passes, the resource is obtained; if it fails, the user is redirected to the login page. That is, the front-end server receives the authentication result and responds: on pass it allows access, obtains the resource requested by the resource access request and sends it to the browser for display; on fail it redirects to the login page and prompts the user to log in.
  • The embodiment of this application combines login verification with resource anti-theft so that the authentication information is reused; neither the authentication server nor the front-end server needs extra interactions such as distributing temporary URLs, which reduces the server burden.
  • Once the user's identity information has passed verification, the user is known to be legitimate, so authenticating the access request with that user's authentication information amounts to authenticating it against a legitimate user.
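The front-end server side of the flow in the preceding steps, as an added example rather than code from the patent: it serves login resources without authentication, extracts the cookie from service-resource requests, forwards the value to the authentication server (modelled as an `authenticate` callable so the example runs stand-alone) and either serves the resource or redirects to the login page. The path prefixes, the cookie name `auth_id`, the login page location and the constructed resource bytes are all assumptions of this example. The `Cache-Control: private, no-store` header on authenticated responses is a practitioner addition, not something the patent specifies: without it a shared cache could serve the protected resource to later, unauthenticated requests.

```python
from http.cookies import SimpleCookie
from typing import Callable, Dict, Optional, Tuple

# Assumed path layout (not specified by the patent): resources under /login/ are
# needed to render the login page and are served without authentication; everything
# under /static/ is a service resource and needs authentication.
LOGIN_RESOURCE_PREFIX = "/login/"
SERVICE_RESOURCE_PREFIX = "/static/"
COOKIE_NAME = "auth_id"            # assumed cookie name for the identification value
LOGIN_PAGE = "/login/index.html"   # assumed location of the login page

# Constructed static resources standing in for files the front-end server would read from disk.
RESOURCES: Dict[str, bytes] = {
    "/login/logo.png": b"\x89PNG...constructed-login-logo",
    "/static/report.png": b"\x89PNG...constructed-report",
}

Response = Tuple[int, Dict[str, str], bytes]  # (status code, headers, body)


def identification_value_from_headers(headers: Dict[str, str]) -> Optional[str]:
    """Pull the identification value out of the Cookie request header, if present."""
    raw = headers.get("Cookie")
    if not raw:
        return None
    jar = SimpleCookie()
    jar.load(raw)
    morsel = jar.get(COOKIE_NAME)
    return morsel.value if morsel is not None else None


def handle_request(path: str, headers: Dict[str, str], website: str,
                   authenticate: Callable[[str, str], bool]) -> Response:
    """Front-end server: serve login resources directly; for service resources forward the
    carried identification value to the authentication server (`authenticate`) and either
    serve the resource or redirect the client to the login page."""
    body = RESOURCES.get(path)
    if body is None:
        return 404, {}, b"not found"
    if path.startswith(LOGIN_RESOURCE_PREFIX):
        # resources required for login need no authentication
        return 200, {"Content-Type": "image/png"}, body
    if not path.startswith(SERVICE_RESOURCE_PREFIX):
        return 404, {}, b"not found"
    ident = identification_value_from_headers(headers)
    # No cookie, or the authentication server reports "fail": do not serve the resource,
    # send the user back to the login page instead.
    if ident is None or not authenticate(ident, website):
        return 302, {"Location": LOGIN_PAGE}, b""
    return 200, {"Content-Type": "image/png", "Cache-Control": "private, no-store"}, body
```

In a real deployment the `authenticate` callable would be the HTTP call from Nginx, Apache or IIS to the authentication server; the decision logic around it is what the example shows.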
  • this embodiment can not only realize the access control to the picture resource, but also can realize the access control of many types of static resources except the picture resource, and has a wide application range.
  • a resource access method is also provided, which is applied to the client, referring to FIG. 3 , including:
  • Step 301: send a login request to the authentication server, so that the authentication server can verify the user's identity information carried in the login request and, after the verification passes, store the user's authentication information and the identification value corresponding to the authentication information in a preset storage space and store the identification value in the client;
  • Step 302: carry the stored identification value in the resource access request when sending a resource access request to the front-end server, so that the front-end server can send the identification value carried in the request to the authentication server;
  • the authentication server is configured to authenticate the resource access request according to the carried identification value and the identification value corresponding to the authentication information stored in the storage space, and to allow access to the resource when the authentication is determined to pass.
  • this embodiment is an embodiment corresponding to the above-mentioned embodiment of the resource access method applied to the authentication server, and this embodiment can be implemented in cooperation with the above-mentioned embodiment of the resource access method applied to the authentication server.
  • the relevant technical details and technical effects mentioned in the above embodiment of the resource access method applied to the authentication server are still valid in this embodiment, and will not be repeated here to reduce repetition.
  • the relevant technical details mentioned in this embodiment can also be applied to the above embodiment of the resource access method applied to the authentication server.
  • a resource access method is also provided, which is applied to the front-end server, referring to FIG. 4 , including:
  • Step 401: receive the resource access request carrying the identification value sent by the client; the identification value carried in the resource access request was stored in the client by the authentication server after the user's identity information passed verification, the user's identity information was carried in the login request received by the authentication server, and the authentication server also stored the user's authentication information and the corresponding identification value in the preset storage space after the verification passed;
  • Step 402: send the identification value carried in the resource access request to the authentication server, so that the authentication server can authenticate the resource access request according to the carried identification value and the identification value corresponding to the authentication information stored in the storage space, and allow access to the resource when the authentication is determined to pass.
  • This embodiment corresponds to the above embodiments of the resource access method applied to the authentication server and to the client, and can be implemented in cooperation with them.
  • the relevant technical details and technical effects mentioned in the above embodiments of the resource access method applied to the authentication server and the client remain valid in this embodiment and are not repeated here.
  • the relevant technical details mentioned in this embodiment can also be applied to the above embodiments of the resource access method applied to the authentication server and the client.
  • the step division of the above methods is only for clarity of description. In implementation, steps may be combined into one step, or a step may be split into multiple steps; as long as the same logical relationship is preserved, they are all within the scope of protection of this patent. Adding insignificant modifications to, or introducing insignificant designs into, the algorithm or process without changing its core design is likewise within the scope of protection of this patent.
  • the embodiment of the present application also provides a resource access system, as shown in FIG. 5 , including: a client 501, an authentication server 502, and a front-end server 503;
  • the client 501 is configured to send a login request to the authentication server 502; wherein the login request carries the identity information of the user;
  • the authentication server 502 is configured to verify the identity information of the user, and store the user's authentication information and the identification value corresponding to the authentication information into a preset storage space after the verification is passed, and store the identification value in the client 501;
  • the client 501 is configured to carry the stored identification value in the resource access request when sending the resource access request to the front-end server 503;
  • the front-end server 503 is configured to send the identification value carried in the resource access request to the authentication server 502;
  • the authentication server 502 is configured to perform authentication on the resource access request according to the carried identification value and the identification value corresponding to the authentication information stored in the storage space, and allow access to the resource when it is determined that the authentication is passed.
  • this embodiment is a system embodiment corresponding to the above embodiments of resource access methods, and this embodiment can be implemented in cooperation with the above embodiments of resource access methods.
  • the relevant technical details and technical effects mentioned in the embodiments of the resource access methods above remain valid in this embodiment and are not repeated here.
  • the relevant technical details mentioned in this embodiment can also be applied to the embodiments of the above resource access methods.
  • the embodiment of the present application also provides an electronic device, as shown in FIG. 6 , including: at least one processor 601; and a memory 602 communicatively connected to the at least one processor 601; wherein the memory 602 stores instructions executable by the at least one processor 601;
  • the instructions are executed by at least one processor 601, so that the at least one processor 601 can execute a resource access method applied to the authentication server;
  • the instructions are executed by at least one processor 601, so that the at least one processor 601 can execute a resource access method applied to the client;
  • the instructions are executed by at least one processor 601, so that the at least one processor 601 can execute the resource access method applied to the front-end server.
  • the memory 602 and the processor 601 are connected by a bus, and the bus may include any number of interconnected buses and bridges, and the bus connects one or more processors 601 and various circuits of the memory 602 together.
  • the bus may also connect together various other circuits such as peripherals, voltage regulators, and power management circuits, all of which are well known in the art and therefore will not be further described herein.
  • the bus interface provides an interface between the bus and the transceivers.
  • a transceiver may be a single element or multiple elements, such as multiple receivers and transmitters, providing means for communicating with various other devices over a transmission medium.
  • the data processed by the processor 601 is transmitted over the wireless medium through the antenna, and the antenna also receives data and passes it to the processor 601.
  • Processor 601 is responsible for managing the bus and general processing, and may also provide various functions including timing, peripheral interfaces, voltage regulation, power management and other control functions; the memory 602 may be used to store data used by the processor 601 when performing operations.
  • the embodiment of the present application also provides a computer-readable storage medium storing a computer program.
  • the above method embodiments are implemented when the computer program is executed by the processor.
  • a storage medium includes several instructions that cause a device (which may be a single-chip microcomputer, a chip, etc.) or a processor to execute all or part of the steps of the methods described in the various embodiments of the present application.
  • the aforementioned storage media include: U disk (USB flash drive), removable hard disk, read-only memory (ROM), random access memory (RAM), magnetic disk, optical disc or any other medium that can store program code.

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • General Health & Medical Sciences (AREA)
  • Storage Device Security (AREA)

Abstract

Embodiments of the present application relate to the technical field of communications, and disclose a resource access method and system, an electronic device and a computer-readable storage medium. The resource access method comprises: receiving a login request of a user, the login request carrying the identity information of the user; authenticating the identity information of the user and, after the authentication is passed, storing the authentication information of the user and an identification value corresponding to the authentication information in a preset storage space, and storing the identification value in a client; receiving an identification value carried in a resource access request sent by a front-end server, wherein the carried identification value is carried in the resource access request when the client sends a resource access request to the front-end server; authenticating the resource access request according to the carried identification value and the identification value corresponding to the authentication information stored in the storage space, and permitting the resource to be accessed if it is determined that authentication is passed. Therefore, the processing burden of the server can be reduced, the flexibility is improved, and the method does not require a large amount of storage space to be consumed.

Description

Resource access method, system, electronic device and computer-readable storage medium
Technical field
The embodiments of the present application relate to the field of communications technology, and in particular to a resource access method, system, electronic device and computer-readable storage medium.
Background
Static resources are an important part of website resources; if access to them is not controlled, large numbers of resources will be stolen and abused. Current anti-theft techniques for static resources fall into two main categories. The first uses temporary Uniform Resource Locator (URL) addresses: when accessing a resource, the user uses a temporary URL issued by the server. A temporary URL generated in this way becomes invalid once it expires and must be regenerated, and when many users access resources at the same time the server has to distribute a large number of temporary URLs, which increases the server's load and degrades its performance. The second adds risky source addresses to a blacklist in advance; each time a user initiates a resource access request, the source address of the request is checked against the preset blacklist. This approach requires the blacklist to be configured beforehand, is inflexible, and consumes a large amount of storage space when there are many users.
It can thus be seen that current static-resource anti-theft techniques tend to increase the server's processing load, are inflexible, and consume a large amount of storage space.
Summary of the invention
Embodiments of the present application propose a resource access method, system, electronic device and computer-readable storage medium, which make it possible to prevent resource theft while reducing the server's processing load, improving flexibility, and avoiding the consumption of a large amount of storage space.
An embodiment of the present application provides a resource access method applied to an authentication server, including: receiving a login request from a user, where the login request carries the user's identity information; verifying the user's identity information and, after the verification passes, storing the user's authentication information and an identification value corresponding to the authentication information in a preset storage space, and storing the identification value in a client; receiving an identification value carried in a resource access request and sent by a front-end server, where the carried identification value is the one the client carried in the resource access request when sending the resource access request to the front-end server; and authenticating the resource access request according to the carried identification value and the identification value corresponding to the authentication information stored in the storage space, and allowing access to the resource when it is determined that the authentication passes.
An embodiment of the present application further provides a resource access method applied to a client, including: sending a login request to an authentication server, so that the authentication server verifies the user's identity information carried in the login request and, after the verification passes, stores the user's authentication information and the identification value corresponding to the authentication information in a preset storage space and stores the identification value in the client; and, when sending a resource access request to a front-end server, carrying the stored identification value in the resource access request, so that the front-end server sends the identification value carried in the resource access request to the authentication server; where the authentication server is configured to authenticate the resource access request according to the carried identification value and the identification value corresponding to the authentication information stored in the storage space, and to allow access to the resource when it is determined that the authentication passes.
An embodiment of the present application further provides a resource access method applied to a front-end server, including: receiving a resource access request carrying an identification value and sent by a client, where the identification value carried in the resource access request was stored in the client by an authentication server after the authentication server verified the user's identity information, the user's identity information was carried in a login request received by the authentication server, and the authentication server, after verifying the user's identity information, also stored the user's authentication information and the identification value corresponding to the authentication information in a preset storage space; and sending the identification value carried in the resource access request to the authentication server, so that the authentication server authenticates the resource access request according to the carried identification value and the identification value corresponding to the authentication information stored in the storage space, and allows access to the resource when it is determined that the authentication passes.
An embodiment of the present application further provides a resource access system, including a client, an authentication server and a front-end server. The client is configured to send a login request to the authentication server, where the login request carries the user's identity information. The authentication server is configured to verify the user's identity information and, after the verification passes, to store the user's authentication information and the identification value corresponding to the authentication information in a preset storage space and to store the identification value in the client. The client is configured to carry the stored identification value in a resource access request when sending the resource access request to the front-end server. The front-end server is configured to send the identification value carried in the resource access request to the authentication server. The authentication server is configured to authenticate the resource access request according to the carried identification value and the identification value corresponding to the authentication information stored in the storage space, and to allow access to the resource when it is determined that the authentication passes.
An embodiment of the present application further provides an electronic device, including at least one processor and a memory communicatively connected to the at least one processor, where the memory stores instructions executable by the at least one processor. When the electronic device is an authentication server, the instructions are executed by the at least one processor so that the at least one processor can perform the resource access method applied to the authentication server; when the electronic device is a client, the instructions are executed by the at least one processor so that the at least one processor can perform the resource access method applied to the client; and when the electronic device is a front-end server, the instructions are executed by the at least one processor so that the at least one processor can perform the resource access method applied to the front-end server.
An embodiment of the present application further provides a computer-readable storage medium storing a computer program which, when executed by a processor, implements the resource access method described above.
In the resource access method provided by the embodiments of the present application, the user's identity information carried in a received login request is verified; after the verification passes, the user's authentication information and the identification value corresponding to the authentication information are stored in a preset storage space, and the identification value is stored in the client; the identification value carried in a resource access request and sent by the front-end server is received, the carried identification value being the one the client carried in the resource access request when sending it to the front-end server; and the resource access request is authenticated according to the carried identification value and the identification value corresponding to the authentication information stored in the storage space, with access to the resource allowed when it is determined that the authentication passes. In other words, the embodiments of the present application combine login verification with resource anti-theft so that the authentication information is reused: neither the authentication server nor the front-end server needs to perform additional temporary-URL distribution or other interactions, which reduces the server's load. Moreover, in the embodiments of the present application, once the user's identity information has passed verification the user is known to be a legitimate user, so the resource access request is in effect authenticated using a legitimate user's authentication information. No blacklist needs to be preset; a strong association with the user is maintained, user-level resource access control is achieved, the system's flexibility is improved, and no additional storage space is required.
Description of the drawings
FIG. 1 is a flowchart of the resource access method applied to the authentication server mentioned in the embodiments of the present application;
FIG. 2 is an interaction diagram of the resource access method mentioned in the embodiments of the present application;
FIG. 3 is a flowchart of the resource access method applied to the client mentioned in the embodiments of the present application;
FIG. 4 is a flowchart of the resource access method applied to the front-end server mentioned in the embodiments of the present application;
FIG. 5 is a schematic diagram of the resource access system mentioned in the embodiments of the present application;
FIG. 6 is a schematic structural diagram of the electronic device mentioned in the embodiments of the present application.
Detailed description of the embodiments
To make the purpose, technical solutions and advantages of the embodiments of the present application clearer, the embodiments of the present application are described in detail below with reference to the accompanying drawings. Those of ordinary skill in the art will understand, however, that many technical details are given in each embodiment of the present application to help the reader better understand the embodiments; the technical solutions claimed in the embodiments of the present application can nevertheless be realized without these technical details and with various changes and modifications based on the following embodiments. The division into the following embodiments is for convenience of description and does not limit the specific implementation of the embodiments of the present application; the embodiments may be combined with and refer to one another provided they do not contradict each other.
One embodiment of the present application provides a resource access method applied to an authentication server. The authentication server can be understood as the back-end server corresponding to the front-end server. This embodiment can be applied to the problem of resource misappropriation in the field of network resource security, for example to scenarios in which static resources such as images and fonts are protected against theft. The implementation details of the resource access method of this embodiment are described below; they are provided only to aid understanding and are not necessary for implementing the solution.
The flowchart of the resource access method in this embodiment may be as shown in FIG. 1 and includes:
Step 101: receive a login request from a user;
where the login request carries the user's identity information;
Step 102: verify the user's identity information; after the verification passes, store the user's authentication information and the identification value corresponding to the authentication information in a preset storage space, and store the identification value in the client;
Step 103: receive the identification value carried in a resource access request and sent by the front-end server;
where the carried identification value is the one the client carried in the resource access request when sending the resource access request to the front-end server;
Step 104: authenticate the resource access request according to the carried identification value and the identification value corresponding to the authentication information stored in the storage space, and allow access to the resource when it is determined that the authentication passes.
In the embodiments of the present application, login verification is combined with resource anti-theft so that the authentication information is reused: neither the authentication server nor the front-end server needs to perform additional temporary-URL distribution or other interactions, which reduces the server's load. Moreover, once the user's identity information has passed verification the user is known to be a legitimate user, so the resource access request is in effect authenticated using a legitimate user's authentication information. No blacklist needs to be preset; a strong association with the user is maintained, user-level resource access control is achieved, the system's flexibility is improved, and no additional storage space is required.
In step 101, the user's identity information carried in the login request may include a user name and a user password. The user can log in to the authentication server with the user name and password, for example by entering them on the client's login interface, which initiates the login request.
In one example, the user can log in with a user name and password through a World Wide Web (web) page, so that a login request carrying the user name and password reaches the authentication server.
In one example, the browser on the client may send the login request directly to the authentication server, or it may send the login request to the authentication server via the front-end server: the browser sends the login request to the front-end server, and the front-end server forwards it to the authentication server.
In step 102, the authentication server can verify the user's identity information according to the user name and password it carries; after the verification passes, it stores the user's authentication information and the identification value corresponding to the authentication information in a preset storage space and stores the identification value in the client. The preset storage space can be any storage tool with a storage function, for example Remote Dictionary Server (Redis). Redis is a high-performance key-value database that stores and reads data efficiently, which helps improve the efficiency and reliability of resource access; in a concrete implementation, however, the storage tool is not limited to Redis. The user's authentication information may include the user's permission information for different websites and different applications, and the identification value corresponding to the authentication information can be understood as a small text file, a cookie, that uniquely identifies that user's authentication information. Different users' authentication information corresponds to different identification values, and identification values and authentication information correspond one to one: the authentication information can be understood as the value and the identification value as the key, and both are stored in Redis. The authentication server also stores the identification value in the client; for example, it may send the identification value directly to the client for the client to store, or it may send the identification value to the front-end server, which then sends it on to the client, so that the client stores it.
The front-end server may be any server capable of resource access and request forwarding, for example any one of Nginx, the open-source Apache HTTP Server (apache) or Internet Information Server (IIS). Nginx is a high-performance Hypertext Transfer Protocol (HTTP) and reverse-proxy web server. The Tomcat server is a free, open-source web application server and a lightweight application server.
In one example, storing the identification value in the client after the user's identity information has been verified may consist of storing the identification value in a browsing tool on the client, for example in the browser.
In step 103, when the client determines that it needs to send a resource access request to the front-end server, it can carry the stored identification value in the resource access request and send the request to the front-end server. On receiving the resource access request, the front-end server obtains the identification value carried in it and sends that identification value to the authentication server, so that the authentication server receives the identification value and can authenticate the resource access request.
In step 104, the authentication server authenticates the resource access request according to the identification value carried in the resource access request and the identification value corresponding to the authentication information stored in the storage space, and may send the authentication result to the front-end server so that the front-end server can respond to it. When the front-end server determines that the authentication result is a pass, it allows access to the resource; for example, it can send the resource requested by the resource access request to the client, and the client displays the requested resource on its interface.
Specifically, the authentication server can search the identification values stored in the storage space for one identical to the identification value carried in the access request and read it; the identification value found is recorded as the target identification value. The authentication server then looks up the authentication information corresponding to the target identification value in the storage space; the authentication information found is recorded as the target authentication information. From the target authentication information the authentication server can derive the authentication result for the access request. For example, the resource access request may carry information about the website to be accessed: if the target authentication information includes the user's permission information for that website and the permission is "access allowed", the authentication result for the resource access request is a pass. If the target authentication information does not include the user's permission information for the website to be accessed, or it does include it but the permission is "not allowed", the authentication result for the resource access request is a fail.
鉴权服务器在对资源访问请求进行鉴权后,可以将鉴权通过或是鉴权不通过的鉴权结果发送给前端服务器,以供前端服务器对鉴权结果进行响应。其中,在确定鉴权结果为鉴权通过的情况下,响应为允许访问资源,在确定鉴权结果为鉴权不通过的情况下,响应可以为不允许访问资源。即只有通过鉴权才允许访问资源,从而可以实现资源防盗。After the authentication server authenticates the resource access request, it can send the authentication result whether the authentication passes or fails to the front-end server, so that the front-end server can respond to the authentication result. Wherein, when it is determined that the authentication result is that the authentication is passed, the response is to allow access to the resource, and when it is determined that the authentication result is that the authentication is not passed, the response may be to not allow access to the resource. That is, access to resources is allowed only through authentication, so that resource theft can be prevented.
Current static-resource anti-theft techniques, namely temporary URLs and pre-populated blacklists of risky source addresses, can only provide website-level access control; they cannot enforce finer-grained control based on the user's permissions. This embodiment provides finer-grained, user-level resource access control: access requests are authenticated with the authentication information of legitimate users, with no additional interaction logic, so it is simple and easy to implement.
In one embodiment, when it is determined that authentication has failed, the client's page is redirected to the login page to instruct the user to log in again. That is, when the authentication result is "failed", the front-end server's response may be to redirect the client's current page to the login page. For example, on failure the page may jump to the login page and prompt the user to re-enter the user name and password. This makes it convenient for a user whose authentication failed because of a mistyped user name or password to log in again and then access the resource normally.
In one embodiment, the authentication information and its corresponding identification value are given a validity period. When the authentication information and identification value stored in the storage space have been stored for longer than the validity period, they become invalid; when the identification value stored in the client has been stored for longer than the validity period, it becomes invalid. The validity period can be set as required: where the security requirements on authentication are high it can be set relatively short, and where they are lower it can be set relatively long. In other words, the authentication information and identification value in the storage space, and the identification value in the client, all carry a validity period and expire automatically once it has passed, which improves the security of authentication to a certain extent.
In one example, invalidation of the authentication information and its identification value in the storage space may mean that, once they expire, the storage space automatically deletes them. Invalidation of the identification value stored in the client may mean that, once it expires, the client automatically deletes it. If the identification value is stored in the client's browser, the browser may automatically delete it after it expires.
In one embodiment, the validity period may be refreshed by the keep-alive mechanism of the user's login session. For example, the front-end server may call a keep-alive interface periodically to refresh the validity duration. The keep-alive mechanism works as follows: after the user logs in, the front-end server or the client monitors the user's activity, and each time user activity is detected the validity period is renewed, i.e. its starting point is moved to the moment the activity was detected. By integrating login authentication with resource anti-theft, this embodiment keeps the validity period of resource access closely aligned with the validity period of the user session, and the validity period of the authentication information is refreshed by the login keep-alive mechanism, so the authentication server needs no additional clean-up or keep-alive operations.
In one embodiment, the web static resources are split into resources needed for logging in and resources needed for accessing the service. The login resources require no authentication, while the service resources do. After an access request is received, access to a given project's static resources is allowed only once authentication passes. The interaction of the resource access method is shown in Figure 2 and comprises:
1. User login. For example, the user logs in through the browser in the client with a user name and password, and the login request reaches the authentication server.
2. Verify and store the authentication information. The authentication server verifies the user's identity information and, once verification passes, stores the authentication information and the cookie corresponding to it in Redis.
3. Verification passed, return the cookie. Once the user's identity information has been verified, the authentication server returns the cookie to the browser, which stores it locally.
4. Resource access request. When the user needs to access or download a static resource, the browser sends the resource access request to the front-end server with the stored cookie attached, for example in the request header.
5. Forward the cookie for verification. The front-end server takes the cookie carried in the resource access request and sends it to the authentication server for authentication.
6. Fetch the authentication information and verify it. On receiving the cookie, the authentication server fetches the authentication information corresponding to it from Redis, determines whether the current user's permissions satisfy the access requirements, and obtains the authentication result.
7. Return the authentication result. The authentication server sends the result to the front-end server.
8. On success, fetch the resource; on failure, redirect to the login page. That is, the front-end server receives the authentication result and responds: if authentication passed, it allows access, fetches the resource requested by the resource access request and sends it to the browser for display; if authentication failed, it redirects to the login page and prompts the user to log in.
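The eight-step flow above, together with the validity period and keep-alive refresh of the preceding embodiments, as an added Python illustration that is not code from the patent or from ZTE. The class names, the in-memory dict standing in for Redis, the injectable clock, the user accounts, the site name and the resource paths are all assumptions constructed for this example.

```python
import hashlib
import secrets
from dataclasses import dataclass

def _hash_password(password: str, salt: bytes) -> bytes:
    # Credentials are stored salted and hashed, never in clear text.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

@dataclass
class AuthRecord:
    username: str
    permissions: dict   # site -> True (allowed) / False (denied); a missing site is denied
    expires_at: float   # end of the validity period, refreshed by the keep-alive mechanism

class AuthServer:
    """Hypothetical authentication server; a dict stands in for the Redis store."""
    def __init__(self, users, ttl_seconds, clock):
        self._users = users          # username -> (salt, password_hash, permissions)
        self._store = {}             # identification value -> AuthRecord
        self.ttl = ttl_seconds
        self._clock = clock          # injectable so the validity period can be exercised

    def login(self, username, password):
        """Steps 1-3: verify identity, store the auth info, return the identification value."""
        if username not in self._users:
            return None
        salt, pw_hash, permissions = self._users[username]
        if not secrets.compare_digest(_hash_password(password, salt), pw_hash):
            return None
        token = secrets.token_urlsafe(32)   # unguessable, so it cannot be forged or enumerated
        self._store[token] = AuthRecord(username, dict(permissions), self._clock() + self.ttl)
        return token

    def _lookup(self, token):
        rec = self._store.get(token)
        if rec is not None and self._clock() > rec.expires_at:
            del self._store[token]          # stored longer than the validity period: invalid
            rec = None
        return rec

    def authenticate(self, token, site):
        """Step 6: find the target authentication information and check the site permission."""
        rec = self._lookup(token)
        return rec is not None and rec.permissions.get(site) is True

    def keep_alive(self, token):
        """Restart the validity period at the time of the observed user activity."""
        rec = self._lookup(token)
        if rec is not None:
            rec.expires_at = self._clock() + self.ttl
        return rec is not None

class FrontEndServer:
    """Hypothetical front-end server serving one site's static resources."""
    LOGIN_RESOURCES = {"/login.html", "/login.css"}   # needed to log in, so not authenticated

    def __init__(self, auth, site, resources):
        self._auth = auth
        self._site = site
        self._resources = resources   # path -> content, constructed sample data

    def handle(self, request):
        path = request["path"]
        if path not in self._resources:
            return {"status": 404}
        if path not in self.LOGIN_RESOURCES:
            token = request.get("cookie")   # step 5: forward the carried cookie for checking
            if token is None or not self._auth.authenticate(token, self._site):
                return {"status": 302, "location": "/login.html"}   # step 8, failure branch
            self._auth.keep_alive(token)    # the request itself counts as user activity
        return {"status": 200, "body": self._resources[path]}   # step 8, success branch

class Client:
    """Hypothetical browser: keeps the cookie and attaches it to every resource request."""
    def __init__(self):
        self.cookie = None   # a real browser would also drop it once its Max-Age passes

    def login(self, auth, username, password):
        self.cookie = auth.login(username, password)
        return self.cookie is not None

    def fetch(self, frontend, path):
        request = {"path": path}
        if self.cookie is not None:
            request["cookie"] = self.cookie   # step 4: identification value in the request header
        return frontend.handle(request)

def make_demo(ttl_seconds=300):
    """Wire the three parties together with a controllable clock and constructed users."""
    now = [1_000.0]
    salt = b"constructed-salt"
    users = {
        "alice": (salt, _hash_password("alice-pw", salt), {"intranet.example": True}),
        "bob": (salt, _hash_password("bob-pw", salt), {"intranet.example": False}),
    }
    auth = AuthServer(users, ttl_seconds, clock=lambda: now[0])
    resources = {"/login.html": "<form>", "/login.css": "body{}", "/report.pdf": "%PDF..."}
    return now, auth, FrontEndServer(auth, "intranet.example", resources), Client()
```

Advancing the list returned by `make_demo` moves the shared clock, so the expiry and keep-alive behaviour can be observed without waiting.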
In this embodiment, login verification is combined with resource anti-theft so that the authentication information is reused; neither the authentication server nor the front-end server needs to perform additional temporary-URL distribution or other interactions, which reduces server load. Moreover, once the user's identity information has passed verification the user is known to be legitimate, so access requests are in effect authenticated with the authentication information of a legitimate user: no blacklist needs to be pre-configured, the control stays strongly tied to the user, user-level resource access control is achieved, system flexibility improves, and no extra storage space is required. Integrating login verification with resource anti-theft keeps the validity period of resource access closely aligned with the validity period of the user session, and the validity period of the resource request authentication information is refreshed by the login keep-alive mechanism, so the authentication server needs no additional clean-up or keep-alive operations. Furthermore, this embodiment can control access not only to image resources but to many other kinds of static resources, so it has a wide range of application.
In one embodiment of the present application, a resource access method applied to the client is also provided; referring to FIG. 3, it comprises:
Step 301: Send a login request to the authentication server, so that the authentication server verifies the user's identity information carried in the login request and, once verification passes, stores the user's authentication information and the corresponding identification value in a preset storage space and stores the identification value in the client;
Step 302: When sending a resource access request to the front-end server, carry the stored identification value in the request, so that the front-end server forwards the identification value carried in the request to the authentication server;
where the authentication server is configured to authenticate the resource access request according to the carried identification value and the identification value stored in the storage space in association with the authentication information, and to allow access to the resource when authentication is determined to have passed.
It is readily apparent that this embodiment corresponds to the embodiment of the resource access method applied to the authentication server described above, and the two can be implemented together. The technical details and effects mentioned in that embodiment remain valid here and are not repeated, to avoid redundancy. Correspondingly, the technical details mentioned in this embodiment can also be applied to the embodiment of the resource access method applied to the authentication server.
In one embodiment of the present application, a resource access method applied to the front-end server is also provided; referring to FIG. 4, it comprises:
Step 401: Receive a resource access request carrying an identification value sent by the client; the identification value carried in the request was stored in the client by the authentication server after the user's identity information passed verification, the user's identity information was carried in the login request received by the authentication server, and after the user's identity information passed verification the authentication server also stored the user's authentication information and the corresponding identification value in a preset storage space;
Step 402: Send the identification value carried in the resource access request to the authentication server, so that the authentication server authenticates the resource access request according to the carried identification value and the identification value stored in the storage space in association with the authentication information, and allows access to the resource when authentication is determined to have passed.
It is readily apparent that this embodiment corresponds to the embodiments of the resource access method applied to the authentication server and to the client described above, and can be implemented together with them. The technical details and effects mentioned in those embodiments remain valid here and are not repeated, to avoid redundancy. Correspondingly, the technical details mentioned in this embodiment can also be applied to the embodiments of the resource access method applied to the authentication server and to the client.
It should be noted that the examples in the embodiments of the present application are illustrations given to aid understanding and do not limit the technical solutions of the embodiments.
The division of the above methods into steps is only for clarity of description; in implementation, steps may be merged into one or split into several, and as long as the same logical relationship is preserved they fall within the scope of protection of this patent. Adding insignificant modifications or designs to the algorithm or process without changing its core design also falls within the scope of protection of this patent.
An embodiment of the present application also provides a resource access system, shown in FIG. 5, comprising a client 501, an authentication server 502 and a front-end server 503;
the client 501 is configured to send a login request to the authentication server 502, the login request carrying the user's identity information;
the authentication server 502 is configured to verify the user's identity information and, once verification passes, to store the user's authentication information and the corresponding identification value in a preset storage space and to store the identification value in the client 501;
the client 501 is configured to carry the stored identification value in a resource access request when sending the request to the front-end server 503;
the front-end server 503 is configured to send the identification value carried in the resource access request to the authentication server 502;
the authentication server 502 is configured to authenticate the resource access request according to the carried identification value and the identification value stored in the storage space in association with the authentication information, and to allow access to the resource when authentication is determined to have passed.
It is readily apparent that this embodiment is the system embodiment corresponding to the resource access method embodiments above, and can be implemented together with them. The technical details and effects mentioned in those method embodiments remain valid here and are not repeated, to avoid redundancy. Correspondingly, the technical details mentioned in this embodiment can also be applied to the resource access method embodiments above.
An embodiment of the present application also provides an electronic device, shown in FIG. 6, comprising at least one processor 601 and a memory 602 communicatively connected to the at least one processor 601, where the memory 602 stores instructions executable by the at least one processor 601;
when the electronic device is an authentication server, the instructions are executed by the at least one processor 601 to enable it to perform the resource access method applied to the authentication server;
when the electronic device is a client, the instructions are executed by the at least one processor 601 to enable it to perform the resource access method applied to the client;
when the electronic device is a front-end server, the instructions are executed by the at least one processor 601 to enable it to perform the resource access method applied to the front-end server.
The memory 602 and the processor 601 are connected by a bus. The bus may comprise any number of interconnected buses and bridges, and links the various circuits of one or more processors 601 and of the memory 602. The bus may also link various other circuits such as peripherals, voltage regulators and power management circuits; these are well known in the art and are not described further here. A bus interface provides an interface between the bus and a transceiver. The transceiver may be a single element or several elements, such as multiple receivers and transmitters, providing a means of communicating with various other devices over a transmission medium. Data processed by the processor 601 is transmitted over a wireless medium through an antenna, and the antenna also receives data and passes it to the processor 601.
The processor 601 manages the bus and general processing, and may also provide various functions including timing, peripheral interfaces, voltage regulation, power management and other control functions. The memory 602 may be used to store data used by the processor 601 while performing operations.
An embodiment of the present application also provides a computer-readable storage medium storing a computer program; when the program is executed by a processor, the method embodiments above are implemented.
That is, those skilled in the art will understand that all or some of the steps of the methods in the embodiments above can be completed by a program instructing the relevant hardware; the program is stored in a storage medium and comprises instructions that cause a device (which may be a microcontroller, a chip, etc.) or a processor to perform all or some of the steps of the methods described in the embodiments of the present application. The storage medium includes a USB flash drive, a removable hard disk, read-only memory (ROM), random access memory (RAM), a magnetic disk, an optical disc, or any other medium capable of storing program code.
Those of ordinary skill in the art will understand that the implementations above are specific embodiments for realizing the present application, and that in practice various changes in form and detail may be made to them without departing from the spirit and scope of the embodiments of the present application.

Claims (10)

  1. 一种资源访问方法,应用于鉴权服务器,包括:A resource access method applied to an authentication server, including:
    接收用户的登录请求;其中,所述登录请求携带用户的身份信息;Receive a login request from the user; wherein, the login request carries the identity information of the user;
    对所述用户的身份信息进行校验,在校验通过后将所述用户的鉴权信息和与所述鉴权信息对应的标识值存入预设的存储空间,并将所述标识值存储至客户端;Verifying the user's identity information, storing the user's authentication information and the identification value corresponding to the authentication information in a preset storage space after the verification is passed, and storing the identification value to the client;
    接收前端服务器发送的资源访问请求中携带的标识值;其中,所述携带的标识值为所述客户端向所述前端服务器发送资源访问请求时携带在所述资源访问请求中的;Receiving the identification value carried in the resource access request sent by the front-end server; wherein, the carried identification value is carried in the resource access request when the client sends the resource access request to the front-end server;
    根据所述携带的标识值和所述存储空间中存储的所述与鉴权信息对应的标识值,对所述资源访问请求进行鉴权,并在确定鉴权通过的情况下,允许访问资源。Perform authentication on the resource access request according to the carried identification value and the identification value corresponding to the authentication information stored in the storage space, and allow access to the resource when it is determined that the authentication is passed.
  2. 根据权利要求1所述的资源访问方法,其中,所述鉴权信息和与所述鉴权信息对应的标识值设置有有效期限,The resource access method according to claim 1, wherein the authentication information and the identification value corresponding to the authentication information are set with an expiration date,
    在所述存储空间中存储的所述鉴权信息和与所述鉴权信息对应的标识值的存储时长大于所述有效期限的情况下,所述存储空间中存储的所述鉴权信息和与所述鉴权信息对应的标识值失效;When the storage period of the authentication information and the identification value corresponding to the authentication information stored in the storage space is longer than the validity period, the authentication information and the identification value stored in the storage space The identification value corresponding to the authentication information becomes invalid;
    在所述客户端中存储的所述标识值的存储时长大于所述有效期限的情况下,所述客户端中存储的所述标识值失效。If the storage period of the identification value stored in the client is longer than the validity period, the identification value stored in the client becomes invalid.
  3. 根据权利要求2所述的资源访问方法,其中,所述有效期限利用所述用户登录的保活机制刷新。The resource access method according to claim 2, wherein the validity period is refreshed using a keep-alive mechanism of the user login.
  4. 根据权利要求1至3任一项所述的资源访问方法,其中,所述方法还包括:在确定鉴权不通过的情况下,控制所述客户端的页面跳转到登录页面,以指示所述用户重新登录。The resource access method according to any one of claims 1 to 3, wherein the method further includes: when it is determined that the authentication fails, controlling the page of the client to jump to the login page to indicate the The user logs back in.
  5. 根据权利要求1至3任一项所述的资源访问方法,其中,所述存储空间为远程字典服务。The resource access method according to any one of claims 1 to 3, wherein the storage space is a remote dictionary service.
  6. 一种资源访问方法,应用于客户端,包括:A resource access method, applied to the client, including:
    向鉴权服务器发送登录请求,以供所述鉴权服务器对所述登录请求中携带的用户的身份信息进行校验,在校验通过后将所述用户的鉴权信息和与所述鉴权信息对应的标识值存入预设的存储空间,并将所述标识值存储至所述客户端;Send a login request to the authentication server, so that the authentication server can verify the identity information of the user carried in the login request, and combine the authentication information of the user with the authentication information after the verification is passed. The identification value corresponding to the information is stored in a preset storage space, and the identification value is stored in the client;
    在向前端服务器发送资源访问请求时将存储的标识值携带在所述资源访问请求中,以供所述前端服务器将所述资源访问请求中携带的标识值发送至所述鉴权服务器;carrying the stored identification value in the resource access request when sending the resource access request to the front-end server, so that the front-end server can send the identification value carried in the resource access request to the authentication server;
    其中,所述鉴权服务器设置为根据所述携带的标识值和所述存储空间中存储的所述与鉴权信息对应的标识值,对所述资源访问请求进行鉴权,并在确定鉴权通过的情况下,允许访问资源。Wherein, the authentication server is configured to authenticate the resource access request according to the carried identification value and the identification value corresponding to the authentication information stored in the storage space, and determine the authentication If passed, access to the resource is allowed.
  7. 一种资源访问方法,应用于前端服务器,包括:A resource access method, applied to a front-end server, comprising:
    接收客户端发送的携带标识值的资源访问请求;其中,所述资源访问请求中携带的标识值为鉴权服务器在对用户的身份信息校验通过后存储至所述客户端的,所述用户的身份信息为所述鉴权服务器接收的登录请求中携带的,所述鉴权服务器在对所述用户的身份信息校验通过后,还将所述用户的鉴权信息和与所述鉴权信息对应的标识值存入预设的存储空间;Receiving a resource access request with an identification value sent by the client; wherein, the identification value carried in the resource access request is stored in the client after the authentication server passes the verification of the user's identity information, and the user's The identity information is carried in the login request received by the authentication server. After the authentication server passes the verification of the identity information of the user, it also combines the authentication information of the user with the authentication information The corresponding identification value is stored in the preset storage space;
    sending the identification value carried in the resource access request to the authentication server, so that the authentication server authenticates the resource access request according to the carried identification value and the identification value corresponding to the authentication information stored in the storage space, and allows access to the resource when it determines that the authentication has passed.
  8. A resource access system, comprising: a client, an authentication server and a front-end server;
    the client is configured to send a login request to the authentication server, wherein the login request carries identity information of a user;
    the authentication server is configured to verify the identity information of the user, and, after the verification has passed, to store the authentication information of the user and an identification value corresponding to the authentication information in a preset storage space, and to store the identification value at the client;
    the client is configured to carry the stored identification value in a resource access request when sending the resource access request to the front-end server;
    the front-end server is configured to send the identification value carried in the resource access request to the authentication server;
    the authentication server is configured to authenticate the resource access request according to the carried identification value and the identification value corresponding to the authentication information stored in the storage space, and to allow access to the resource when it determines that the authentication has passed.
  9. An electronic device, comprising: at least one processor; and
    a memory communicatively connected to the at least one processor, wherein the memory stores instructions executable by the at least one processor;
    when the electronic device is an authentication server, the instructions are executed by the at least one processor so that the at least one processor is able to perform the resource access method according to any one of claims 1 to 5;
    when the electronic device is a client, the instructions are executed by the at least one processor so that the at least one processor is able to perform the resource access method according to claim 6;
    when the electronic device is a front-end server, the instructions are executed by the at least one processor so that the at least one processor is able to perform the resource access method according to claim 7.
  10. A computer-readable storage medium storing a computer program, wherein, when the computer program is executed by a processor, the resource access method according to any one of claims 1 to 5, the resource access method according to claim 6, or the resource access method according to claim 7 is implemented.
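The three-party exchange of claims 7 and 8, as an added example that is not part of the patent: an authentication server that verifies a login, keeps an unguessable identification value in its storage space and hands it to the client; a front-end server that forwards the carried value back to the authentication server instead of deciding on its own; and a client request that carries the stored value. The credential store, the class and function names, the expiry and the logout revocation are assumptions for illustration and are not specified in the claims.

```python
import hashlib, hmac, secrets, time

# Constructed credential store (username -> sha256 of password); a real
# deployment would use a slow salted hash such as scrypt or argon2.
_USERS = {"alice": hashlib.sha256(b"correct horse").hexdigest()}

class AuthServer:
    def __init__(self, ttl_seconds=300):
        self._store = {}   # the claims' "preset storage space": value -> auth info
        self._ttl = ttl_seconds

    def login(self, user, password):
        # verify the identity information carried in the login request
        digest = hashlib.sha256(password.encode()).hexdigest()
        if not hmac.compare_digest(_USERS.get(user, ""), digest):
            return None                        # verification failed; nothing stored
        ident = secrets.token_urlsafe(32)      # unguessable identification value
        self._store[ident] = {"user": user, "expires": time.time() + self._ttl}
        return ident                           # handed to the client for storage

    def authenticate(self, ident):
        # compare the carried value against what the storage space holds
        info = self._store.get(ident)
        if info is None:
            return False                       # unknown, forged or revoked value
        if time.time() > info["expires"]:
            del self._store[ident]             # stale entries are purged on use
            return False
        return True

    def logout(self, ident):
        self._store.pop(ident, None)           # revocation: drop the stored value

class FrontEndServer:
    def __init__(self, auth, resource):
        self._auth, self._resource = auth, resource

    def handle(self, request):
        # the front-end does not decide itself; it forwards the value to the auth server
        ident = request.get("ident")
        if ident is None or not self._auth.authenticate(ident):
            return 401, None
        return 200, self._resource

def client_request(front, ident, path):
    # the client carries its stored identification value in every resource request
    return front.handle({"path": path, "ident": ident})
```

A missing, forged, revoked or expired identification value is refused with 401 before any resource is returned, and the front-end server never holds credentials or authentication information itself.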
PCT/CN2022/137334 2021-12-09 2022-12-07 Resource access method and system, electronic device, and computer-readable storage medium WO2023104117A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN202111498441.5 2021-12-09
CN202111498441.5A CN116305020A (en) 2021-12-09 2021-12-09 Resource access method, system, electronic device and computer readable storage medium

Publications (1)

Publication Number Publication Date
WO2023104117A1 true WO2023104117A1 (en) 2023-06-15

Family

ID=86729633

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2022/137334 WO2023104117A1 (en) 2021-12-09 2022-12-07 Resource access method and system, electronic device, and computer-readable storage medium

Country Status (2)

Country Link
CN (1) CN116305020A (en)
WO (1) WO2023104117A1 (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2015078170A1 (en) * 2013-11-26 2015-06-04 中兴通讯股份有限公司 Resource access method and apparatus, and server and terminal
CN110727935A (en) * 2019-10-11 2020-01-24 深圳追一科技有限公司 Single sign-on method, system, computer device and storage medium
CN112597472A (en) * 2021-03-03 2021-04-02 北京视界云天科技有限公司 Single sign-on method, device and storage medium
CN112883357A (en) * 2021-03-11 2021-06-01 中科三清科技有限公司 Stateless login authentication method and device

Also Published As

Publication number Publication date
CN116305020A (en) 2023-06-23

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application
    Ref document number: 22903537
    Country of ref document: EP
    Kind code of ref document: A1
NENP Non-entry into the national phase
    Ref country code: DE