CN114091077A - Authentication method, device, equipment and storage medium - Google Patents
- Publication number
- CN114091077A (application CN202111422040.1A)
- Authority
- CN
- China
- Prior art keywords
- authority
- request
- authentication
- verification information
- url
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Classifications
-
- G—PHYSICS
- G06—COMPUTING OR CALCULATING; COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/604—Tools and structures for managing or administering access control systems
-
- G—PHYSICS
- G06—COMPUTING OR CALCULATING; COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F16/00—Information retrieval; Database structures therefor; File system structures therefor
- G06F16/90—Details of database functions independent of the retrieved data types
- G06F16/95—Retrieval from the web
- G06F16/955—Retrieval from the web using information identifiers, e.g. uniform resource locators [URL]
-
- G—PHYSICS
- G06—COMPUTING OR CALCULATING; COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F16/00—Information retrieval; Database structures therefor; File system structures therefor
- G06F16/90—Details of database functions independent of the retrieved data types
- G06F16/95—Retrieval from the web
- G06F16/958—Organisation or management of web site content, e.g. publishing, maintaining pages or automatic linking
-
- G—PHYSICS
- G06—COMPUTING OR CALCULATING; COUNTING
- G06Q—INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
- G06Q10/00—Administration; Management
- G06Q10/10—Office automation; Time management
Abstract
The present disclosure provides an authentication method, apparatus, device and storage medium, the method comprising: when a URL request of a first user is received, permission verification information carried by the URL request is extracted, then the permission corresponding to the permission verification information is determined by inquiring an authentication configuration table, and the permission is further sent to a permission management center, so that the permission management center determines whether the first user has the permission, and the authentication aiming at the URL request is completed. It can be seen that, in the authentication method provided in the embodiment of the present disclosure, the authentication access is serviced to provide the directly invoked authentication service for the service system, so that the front end of the service system can implement the authentication of the URL request for accessing the service system by invoking the authentication service to query the authentication configuration table, and the service system and the authentication function are decoupled without implementing authentication related logic in the service system.
Description
Technical Field
The present disclosure relates to the field of data processing, and in particular, to an authentication method, apparatus, device, and storage medium.
Background
With the rapid development of the internet, the complexity of the service system is higher and higher, and in order to reduce the probability of security accidents occurring in the service system, each page in the service system, even each request, should be limited to a user with a corresponding right to be able to access.
For this purpose, each company or team has its own rights management platform, and the business system of the company or team is required to access the rights management platform to ensure the access security of each business system. The authority management platform is responsible for authentication of each service system, and specifically, the authentication means verifying whether a user has a right to access the system. After the authentication function is confirmed, each page in the service system and even each request can be ensured to only allow the user with corresponding authority to access.
However, before the service system accesses the right management platform to implement authentication, the service system needs to know the authentication process in the right management system in advance, and then develop and design the relevant access logic of the service system for the authentication process. Once the authentication process and the like in the authority management platform are changed, the service system serving as the access party needs to be upgraded or even re-accessed.
Disclosure of Invention
In order to solve the above technical problem or at least partially solve the above technical problem, an embodiment of the present disclosure provides an authentication method, in which an authentication function is serviced, so that a front end of a service system may authenticate a URL request for accessing the service system by calling an authentication service to query an authentication configuration table, and an authentication related logic does not need to be implemented in the service system, thereby truly decoupling the service system from the authentication function.
In a first aspect, the present disclosure provides an authentication method, including:
when a URL request of a first user is received, authority verification information carried by the URL request is extracted; the authority verification information comprises a request method, a request path and a request parameter;
determining the authority corresponding to the authority verification information by inquiring an authentication configuration table; the authentication configuration table is used for storing authority configuration information, and the authority configuration information comprises a request method, a request path and/or a corresponding relation between request parameters and authority;
sending the authority corresponding to the authority verification information to an authority management center; the authority management center is used for determining whether the first user has the authority corresponding to the authority verification information.
In an optional implementation manner, before extracting the authorization verification information carried in the URL request when the URL request of the first user is received, the method further includes:
based on the URL authority access interface, acquiring URL configuration information and authority identification; the URL configuration information comprises a request method, a request path and/or request parameters;
establishing a corresponding relation between the URL configuration information and the authority corresponding to the authority identifier to serve as authority configuration information;
and storing the authority configuration information in an authentication configuration table.
In an optional implementation manner, the determining, by querying an authentication configuration table, the right corresponding to the right verification information includes:
matching the authority verification information with authority configuration information in the authentication configuration table respectively;
and determining the authority in the authority configuration information successfully matched with the authority verification information as the authority corresponding to the authority verification information.
In an optional implementation manner, the right verification information includes a plurality of request parameters, and the matching the right verification information with the right configuration information in the authentication configuration table respectively includes:
determining a to-be-verified request corresponding to the authority verification information based on the combination of any one or more of the request parameters included in the authority verification information;
matching the to-be-verified requests corresponding to the authority verification information with the authority configuration information in the authentication configuration table respectively;
correspondingly, the determining the right in the right configuration information successfully matched with the right verification information as the right corresponding to the right verification information includes:
and determining each permission in the permission configuration information successfully matched with the request to be verified as the permission corresponding to the permission verification information.
In an optional implementation manner, before extracting the authorization verification information carried in the URL request when the URL request of the first user is received, the method further includes:
after receiving an authentication service call request of a client, intercepting a URL request from the client.
In an alternative embodiment, the method is applied to an authentication service.
In a second aspect, the present disclosure provides an authentication apparatus, the apparatus comprising:
an extraction unit, configured to extract authority verification information carried by a URL request when the URL request of a first user is received; the authority verification information comprises a request method, a request path and a request parameter;
the first determining unit is used for determining the authority corresponding to the authority verification information by inquiring an authentication configuration table; the authentication configuration table is used for storing authority configuration information, and the authority configuration information comprises a request method, a request path and/or a corresponding relation between request parameters and authority;
the sending unit is used for sending the authority corresponding to the authority verification information to an authority management center; the authority management center is used for determining whether the first user has the authority corresponding to the authority verification information.
In an optional embodiment, the apparatus further comprises an intercepting unit;
the interception unit is used for intercepting the URL request from the client after receiving the authentication service call request of the client.
In a third aspect, the present disclosure provides a computer-readable storage medium having stored therein instructions that, when run on a terminal device, cause the terminal device to implement the above-mentioned method.
In a fourth aspect, the present disclosure provides an apparatus comprising: the system comprises a memory, a processor and a computer program stored on the memory and capable of running on the processor, wherein the processor executes the computer program to realize the method.
In a fifth aspect, the present disclosure provides a computer program product comprising computer programs/instructions which, when executed by a processor, implement the method described above.
Compared with the prior art, the technical scheme provided by the embodiment of the disclosure has the following advantages:
the disclosed embodiment provides an authentication method, which realizes the service of an authentication function, and specifically, when a URL request of a first user is received, permission verification information carried by the URL request is extracted, then a permission corresponding to the permission verification information is determined by inquiring an authentication configuration table, and the permission is further sent to a permission management center, so that the permission management center determines whether the first user has the permission, and the authentication for the URL request is completed. It can be seen that, in the authentication method provided in the embodiment of the present disclosure, the authentication access is serviced to provide the directly invoked authentication service for the service system, so that the front end of the service system can implement the authentication of the URL request for accessing the service system by invoking the authentication service to query the authentication configuration table, and the service system and the authentication function are decoupled without implementing authentication related logic in the service system.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with the present disclosure and together with the description, serve to explain the principles of the disclosure.
In order to more clearly illustrate the embodiments or technical solutions in the prior art of the present disclosure, the drawings used in the description of the embodiments or prior art will be briefly described below, and it is obvious for those skilled in the art that other drawings can be obtained according to the drawings without inventive exercise.
FIG. 1 is a diagram illustrating a current authentication implementation;
FIG. 2 is a schematic diagram of an authentication implementation provided in an embodiment of the present disclosure;
FIG. 3 is a flowchart of an authentication method provided by an embodiment of the present disclosure;
FIG. 4 is a schematic diagram of a URL permission access interface of an authentication configuration table according to an embodiment of the present disclosure;
FIG. 5 is a schematic structural diagram of an authentication apparatus according to an embodiment of the present disclosure;
FIG. 6 is a schematic structural diagram of an authentication device according to an embodiment of the present disclosure.
Detailed Description
In order that the above objects, features and advantages of the present disclosure may be more clearly understood, aspects of the present disclosure will be further described below. It should be noted that the embodiments and features of the embodiments of the present disclosure may be combined with each other without conflict.
In the following description, numerous specific details are set forth in order to provide a thorough understanding of the present disclosure, but the present disclosure may be practiced in other ways than those described herein; it is to be understood that the embodiments disclosed in the specification are only a few embodiments of the present disclosure, and not all embodiments.
Authentication means to verify whether a user has a right to access a certain page or a certain request in a system, so as to reduce the probability of security accidents occurring in a service system.
At present, service logic and authentication logic are not decoupled, once the authentication logic is adjusted, the logic of a service system needs to be upgraded accordingly, so that the cost of accessing the authentication function of the service system is high. In addition, the current right management system for implementing authentication logic only supports access of limited authentication access users (i.e. service systems) in several development languages, and cannot simultaneously meet the authentication requirements of more service systems.
Referring to FIG. 1, which is a schematic diagram of a current authentication implementation, a reverse proxy server nginx is configured to forward a uniform resource locator (URL) request received from an external network client to a back-end server of a service system for processing. After receiving the URL request, the back-end server of the service system first performs authentication processing on it, so as to ensure access security of the service system. To do so, the back-end server authenticates the URL request based on the authority management platform it has accessed, and after receiving the authentication result from the authority management platform, processes the URL request based on that result. Specifically, if the authentication result is that the URL request passes authentication or does not require authentication, the back-end server of the service system allows the URL request to be accessed; if the authentication result is that the URL request fails authentication, the back-end server returns that result to nginx, so as to notify the user that the user does not have the access right.
It can be seen that the authentication implementation in fig. 1 needs to involve the logic related to authentication access in the backend server of the service system, and the decoupling of the service code and the authentication access code in the service system is not implemented.
Due to the coupling and intrusion between the service code and the authentication access code in the service system, the difficulty of developing and debugging the service and the API of the service system is greatly increased, developers need to find the function of realizing the development and debugging of the service code by bypassing the authentication access code in the service system, and the time cost is certainly increased for the developers.
Based on the above problems, the embodiments of the present disclosure provide an authentication method, which provides an authentication service that can be directly invoked for a service system by serving an authentication access service, so that the front end of the service system can authenticate a URL request for accessing the service system by invoking the authentication service to query an authentication configuration table, and does not need to implement authentication related logic in the service system, thereby truly implementing decoupling of the service system and the authentication function.
Referring to fig. 2, a schematic diagram of an authentication implementation manner provided for the embodiment of the present disclosure is shown, where nginx is configured to invoke an authentication service after receiving a URL request from an external network client, and send the URL request to the authentication service, the authentication service determines, by querying an authentication configuration table, a right required to access the URL request, and then sends the determined right required to access the URL request to a right management platform, and the right management platform verifies whether a user corresponding to the URL request has the right required to access the URL request, so as to finally implement authentication. Then, the authority management center returns the authentication result to nginx, and the nginx processes the URL request based on the authentication result. Specifically, if the authentication result is that the authentication is passed or authentication is not required, the nginx sends the URL request to a back-end server of the service system, and the back-end server processes the access service of the URL request; if the authentication result is not authenticated, the nginx directly informs the user of the authentication result which is not authenticated.
Therefore, the authentication method provided by the embodiment of the disclosure realizes the decoupling of the service code and the authentication function in the service system, is not limited by the development language of the service system, and the front end of the service system can realize the authentication of the URL request for accessing the service system by calling the authentication service.
Based on this, the disclosed embodiment provides an authentication method, and referring to fig. 3, it is a flowchart of the authentication method provided by the disclosed embodiment, and the method includes:
S301: when a URL request of a first user is received, authority verification information carried by the URL request is extracted.
The authority verification information comprises a request method, a request path and a request parameter.
The authentication method provided by the embodiment of the disclosure is applied to an authentication service, which is an implementation form of the authentication function. The authentication service is a network service, that is, a service-oriented software module that runs on the network and is based on distributed programs. Network services adopt general internet standards such as HTTP and XML (a subset of Standard Generalized Markup Language), so that users can access data on the network through different terminal devices in different places.
The client in the embodiment of the disclosure is the client of the authentication service, and may also be referred to as a service client. The client may send an authentication service call request to the authentication service; after receiving the call request, the authentication service intercepts the URL request from the service client, so that the authentication service can authenticate the URL request. The embodiment of the disclosure realizes the authentication function of the URL request by using the authentication service, so that the service code in the service system is decoupled from the authentication function, and the calling of the authentication function is not limited by the development language of the service system.
In practical applications, the access rights are usually related to the information carried in the URL request. For example, assume that the URL request is GET http://api.b.com/users/1?type=normal; the rights required when it carries /users/1 or /users/2 may be different, and likewise the rights required when it carries type=normal or type=xxx may be different. Therefore, after any URL request is acquired, the embodiment of the present disclosure first extracts the information carried by the URL request (hereinafter referred to as permission verification information), which is used to authenticate access of the URL request.
The authority verification information in the embodiment of the present disclosure includes a request method, a request path, a request parameter, and the like carried in the URL request. Taking the URL request GET http://a.b.com/api/users?a=1&b=2&c=3 as an example, the request method carried in the URL request is the "GET" method, and the request path is "a.b.com/api/users", where the request path includes a domain name and a specific path: the domain name is "a.b.com" and the specific path is "/api/users". The request parameters are "a=1&b=2&c=3".
In an optional application scenario, when a user opens a browser and inputs the website http://a.b.com/api/users?a=1&b=2&c=3 to access a service system, a URL request is first sent to the reverse proxy server nginx. If nginx determines that the URL request accesses a static file, nginx, acting as a web server, directly returns the accessed content; if nginx determines that the URL request accesses the background service logic of the service system, nginx invokes the authentication service and sends the URL request to it, so that the authentication service authenticates the URL request.
S302: determining the authority corresponding to the authority verification information by inquiring an authentication configuration table.
The authentication configuration table is used for storing authority configuration information, and the authority configuration information comprises a request method, a request path and/or a corresponding relation between request parameters and authority.
In the embodiment of the present disclosure, the service system with the authentication requirement may store the authority configuration information in the authentication service in advance. The authority configuration information may include a corresponding relationship between the URL configuration information and the authority, and is used to characterize which authority the URL request with the corresponding characteristics needs to have for the user to access. The URL configuration information may include a request method, a request path, and/or request parameters, among others.
In an optional implementation manner, the URL configuration information and the authority identifier may be obtained based on a URL authority access interface; a correspondence is then established between the received URL configuration information and the authority corresponding to the authority identifier, the correspondence is used as authority configuration information, and the authority configuration information is stored in an authentication configuration table.
Referring to FIG. 4, a schematic diagram of a URL permission access interface of an authentication configuration table according to an embodiment of the present disclosure is provided. As shown in FIG. 4, one piece of permission configuration information may include the request method "GET", the request path "http://a.b.com/api/users/:ID", the request parameters "a=1&b=2&c=3", and the permission ID "1002". This permission configuration information indicates that a URL request carrying the "GET" method, the request path "http://a.b.com/api/users/:ID" and the request parameters "a=1&b=2&c=3" can be accessed only by a user who has the permission with ID "1002". Based on the URL permission access interface shown in FIG. 4, the content of the authentication configuration table of the service system can be configured.
In practical application, after the authority verification information carried by the received URL request is extracted from the received URL request, the authentication configuration table is inquired to determine the authority corresponding to the authority verification information. Specifically, the authority verification information may be respectively matched with authority configuration information in the authentication configuration table, and the authority in the authority configuration information that is successfully matched is determined as the authority corresponding to the authority verification information.
In an alternative embodiment, the permission verification information may include a plurality of request parameters. For example, if the URL request is GET http://a.b.com/api/users?a=1&b=2&c=3, the permission verification information includes the request parameters a=1&b=2&c=3, that is, three request parameters. The embodiment of the disclosure can determine the to-be-verified requests corresponding to the authority verification information based on the combination of any one or more of the request parameters included in the authority verification information. For example, the to-be-verified requests corresponding to the authority verification information may include the following 7 requests:
GET http://a.b.com/api/users?a=1;
GET http://a.b.com/api/users?b=2;
GET http://a.b.com/api/users?c=3;
GET http://a.b.com/api/users?a=1&b=2;
GET http://a.b.com/api/users?a=1&c=3;
GET http://a.b.com/api/users?b=2&c=3;
GET http://a.b.com/api/users?a=1&b=2&c=3;
The embodiment of the disclosure can match the to-be-verified requests corresponding to the authority verification information with the authority configuration information in the authentication configuration table respectively, and determine the authority in the authority configuration information successfully matched with any to-be-verified request as the authority corresponding to the authority verification information.
For example, the 7 requests to be verified are respectively matched with the authority configuration information in the authentication configuration table. Assuming that the authority in the authority configuration information successfully matched with GET http://a.b.com/api/users?a=1 is authority x, the authority in the authority configuration information successfully matched with GET http://a.b.com/api/users?a=1&b=2 is authority y, and none of the other 5 requests to be verified is successfully matched with any authority configuration information, then both authority x and authority y may be determined as the authority corresponding to the authority verification information. That is, at least users with permission x and permission y can access the URL request: GET http://a.b.com/api/users?a=1&b=2&c=3.
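The extraction and matching steps S301 and S302 can be sketched as follows. This is an added example, not code from the patent. The table rows, the cap `MAX_PARAMS`, all function names, and the rule that a `:ID` segment matches any single non-empty path segment are assumptions made for illustration. It also shows that a subset test gives the same result as enumerating the parameter combinations, without the 2^n - 1 growth.

```python
from itertools import combinations
from urllib.parse import parse_qsl, urlsplit

MAX_PARAMS = 8  # assumed cap: n parameters produce 2**n - 1 requests to be verified

# Constructed authentication configuration table rows:
# (request method, host, path pattern, request parameters, permission).
# "x", "y" and "1002" follow the page's examples; "z" is made up.
CONFIG_TABLE = [
    ("GET", "a.b.com", "/api/users", {"a": "1"}, "x"),
    ("GET", "a.b.com", "/api/users", {"a": "1", "b": "2"}, "y"),
    ("GET", "a.b.com", "/api/users/:ID", {"a": "1", "b": "2", "c": "3"}, "1002"),
    ("POST", "a.b.com", "/api/users", {"a": "1"}, "z"),
]


def extract_verification_info(method, url):
    """S301: request method, request path (host + path) and request parameters."""
    parts = urlsplit(url)
    # A set of (key, value) pairs keeps repeated keys such as a=1&a=2 distinct.
    params = frozenset(parse_qsl(parts.query, keep_blank_values=True))
    return method.upper(), (parts.hostname or "").lower(), parts.path, params


def candidate_requests(params):
    """Every non-empty combination of the request parameters."""
    if len(params) > MAX_PARAMS:
        raise ValueError("too many request parameters to enumerate")
    ordered = sorted(params)
    return [frozenset(combo)
            for size in range(1, len(ordered) + 1)
            for combo in combinations(ordered, size)]


def path_matches(pattern, path):
    """Segment-wise comparison; a ':name' segment matches one non-empty segment."""
    want, got = pattern.split("/"), path.split("/")
    return len(want) == len(got) and all(
        (w.startswith(":") and g != "") or w == g for w, g in zip(want, got))


def _rules_for(method, host, path):
    """Yield (parameter set, permission) for rows whose method and path match."""
    for r_method, r_host, r_pattern, r_params, permission in CONFIG_TABLE:
        if r_method == method and r_host == host and path_matches(r_pattern, path):
            yield frozenset(r_params.items()), permission


def required_permissions(method, url):
    """S302 as described: match each request to be verified, collect every hit."""
    method, host, path, params = extract_verification_info(method, url)
    candidates = set(candidate_requests(params))
    return {perm for rule_params, perm in _rules_for(method, host, path)
            if rule_params in candidates}


def required_permissions_subset(method, url):
    """Same result without enumeration: a row matches when its parameters
    are a non-empty subset of the parameters carried by the request."""
    method, host, path, params = extract_verification_info(method, url)
    return {perm for rule_params, perm in _rules_for(method, host, path)
            if rule_params and rule_params <= params}


if __name__ == "__main__":
    url = "http://a.b.com/api/users?a=1&b=2&c=3"
    print(sorted(required_permissions("GET", url)))
    print(sorted(required_permissions_subset("GET", url)))
```

An empty result means no row of the table matched the request; whether such a request is forwarded as "authentication not required" or rejected is a policy decision made outside this lookup.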
S303: sending the authority corresponding to the authority verification information to an authority management center.
The authority management center is used for determining whether the first user has the authority corresponding to the authority verification information.
In the embodiment of the disclosure, after the authority required for accessing the URL request has been determined by querying the authentication configuration table, the determined authority is sent to the authority management center. The authority management center determines whether the first user who sent the URL request has the authority required for accessing the URL request, and returns the determination result to the service client as the authentication result for the URL request.
If the service client determines, based on the authentication result, that the first user has the authority required for accessing the URL request, the service client sends the URL request to a back-end server of the service system, and the back-end server performs service processing on the URL request. If the service client determines, based on the authentication result, that the first user does not have the authority required for accessing the URL request, the service client notifies the first user of the authentication result.
The authentication method provided by the embodiment of the disclosure offers the authentication function as a service. Specifically, when a URL request of a first user is received, the authority verification information carried by the URL request is extracted; the authority corresponding to the authority verification information is then determined by querying an authentication configuration table; and the authority is sent to an authority management center, so that the authority management center determines whether the first user has the authority, thereby completing authentication for the URL request. It can be seen that, in the authentication method provided in the embodiment of the present disclosure, authentication access is turned into a service that the service system can invoke directly, so that the front end of the service system can authenticate a URL request for accessing the service system by invoking the authentication service to query the authentication configuration table. The service system and the authentication function are thereby decoupled, and no authentication-related logic needs to be implemented in the service system.
Based on the above method embodiment, the present disclosure further provides an authentication device. Referring to Fig. 5, which shows a structural diagram of the authentication device provided in the embodiment of the present disclosure, the authentication device includes:
an extraction unit 501, configured to extract, when a URL request of a first user is received, the authority verification information carried in the URL request; the authority verification information comprises a request method, a request path and a request parameter;
a first determining unit 502, configured to determine, by querying an authentication configuration table, the authority corresponding to the authority verification information; the authentication configuration table is used for storing authority configuration information, and the authority configuration information comprises a corresponding relation between a request method, a request path and/or request parameters and an authority;
a sending unit 503, configured to send the authority corresponding to the authority verification information to an authority management center; the authority management center is used for determining whether the first user has the authority corresponding to the authority verification information.
In an alternative embodiment, the apparatus further comprises:
the acquisition unit is used for acquiring URL configuration information and authority identification based on the URL authority access interface; the URL configuration information comprises a request method, a request path and/or request parameters;
the establishing unit is used for establishing a corresponding relation between the URL configuration information and the authority corresponding to the authority identification to be used as authority configuration information;
and the storage unit is used for storing the authority configuration information in an authentication configuration table.
In an optional implementation, the first determining unit includes:
the first matching subunit is used for respectively matching the authority verification information with the authority configuration information in the authentication configuration table;
and the first determining subunit is used for determining the authority in the authority configuration information successfully matched with the authority verification information as the authority corresponding to the authority verification information.
In an optional implementation, the authority verification information includes a plurality of request parameters, and the first matching subunit includes:
the second determining subunit, which is used for determining the to-be-verified requests corresponding to the authority verification information based on combinations of any one or more of the plurality of request parameters included in the authority verification information;
the second matching subunit, which is used for respectively matching the to-be-verified requests corresponding to the authority verification information with the authority configuration information in the authentication configuration table;
correspondingly, the first determining subunit is specifically configured to:
determine each authority in the authority configuration information successfully matched with a to-be-verified request as an authority corresponding to the authority verification information.
In an optional embodiment, the apparatus further comprises an intercepting unit;
the interception unit is used for intercepting the URL request from the client after receiving the authentication service call request of the client.
The authentication device provided by the embodiment of the disclosure is applied to an authentication service. Specifically, when a URL request of a first user is received, the authority verification information carried by the URL request is extracted; the authority corresponding to the authority verification information is then determined by querying an authentication configuration table; and the authority is sent to an authority management center, so that the authority management center determines whether the first user has the authority, thereby completing authentication for the URL request. It can be seen that, in the authentication method provided in the embodiment of the present disclosure, authentication access is turned into a service that the service system can invoke directly, so that the front end of the service system can authenticate a URL request for accessing the service system by invoking the authentication service to query the authentication configuration table. The service system and the authentication function are thereby decoupled, and no authentication-related logic needs to be implemented in the service system.
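The extraction, table matching and forwarding steps performed by the units above, as an added example that is not code from the patent. A per-entry subset test is used, which yields the same matches as enumerating every combination of request parameters without the exponential blow-up. Assumptions: the table entries, permission identifiers, user names, the in-memory `PermissionCenter`, the path normalization, denying requests that match no entry, and requiring the user to hold every matched permission.

```python
import posixpath
from urllib.parse import urlsplit, parse_qsl


class AuthConfigTable:
    """Authentication configuration table: (method, path, params) -> permission."""

    def __init__(self):
        # (method, path) -> list of (frozenset of (name, value) pairs, permission id)
        self._entries = {}

    def register(self, method, path, params, permission_id):
        """Stand-in for the URL authority access interface: store one entry."""
        key = (method.upper(), posixpath.normpath(path))
        self._entries.setdefault(key, []).append(
            (frozenset(params.items()), permission_id))

    def required_permissions(self, info):
        """Return every permission whose configured parameters all occur in the
        request, i.e. every entry that some parameter combination would match."""
        method, path, params = info
        return {perm for cfg, perm in self._entries.get((method, path), [])
                if cfg <= params}


def extract_verification_info(method, url):
    """Extract request method, request path and request parameters from a URL request."""
    parts = urlsplit(url)
    # Repeated parameters are all kept, so each value can match its own entry.
    params = frozenset(parse_qsl(parts.query, keep_blank_values=True))
    # Assumption: the back end resolves paths the same way normpath does.
    return method.upper(), posixpath.normpath(parts.path), params


class PermissionCenter:
    """Hypothetical in-memory stand-in for the authority management center."""

    def __init__(self, grants):
        self._grants = grants  # user -> set of permission ids

    def has_all(self, user, permissions):
        return permissions <= self._grants.get(user, set())


def authenticate(table, center, user, method, url):
    """Return (allowed, required_permissions) for one URL request."""
    required = table.required_permissions(extract_verification_info(method, url))
    if not required:
        # Assumption: a request that matches no entry is denied, not passed through.
        return False, required
    return center.has_all(user, required), required


def build_demo():
    """Constructed sample configuration and grants (not from the patent)."""
    table = AuthConfigTable()
    table.register("GET", "/orders", {}, "order:read")
    table.register("GET", "/orders", {"action": "export"}, "order:export")
    table.register("POST", "/orders", {"action": "refund", "scope": "all"},
                   "order:refund_all")
    center = PermissionCenter({"alice": {"order:read"},
                               "bob": {"order:read", "order:export"}})
    return table, center


if __name__ == "__main__":
    table, center = build_demo()
    for user in ("alice", "bob"):
        print(user, authenticate(table, center, user, "GET",
                                 "/orders?action=export&page=2"))
```

Because every matching entry contributes a permission, a request that carries both a plain path and a sensitive parameter needs both permissions; a table that returned only the first match would let the broader entry mask the narrower one.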
In addition to the above method and apparatus, the present disclosure also provides a computer-readable storage medium, where instructions are stored, and when the instructions are executed on a terminal device, the terminal device is caused to implement the authentication method according to the present disclosure.
The disclosed embodiments also provide a computer program product comprising a computer program/instructions that, when executed by a processor, implement the authentication method described in the disclosed embodiments.
In addition, an embodiment of the present disclosure further provides an authentication device, as shown in fig. 6, which may include:
a processor 601, a memory 602, an input device 603, and an output device 604. The number of processors 601 in the authentication device may be one or more, and one processor is taken as an example in fig. 6. In some embodiments of the present disclosure, the processor 601, the memory 602, the input device 603 and the output device 604 may be connected through a bus or other means, wherein the connection through the bus is exemplified in fig. 6.
The memory 602 may be used to store software programs and modules, and the processor 601 executes various functional applications and data processing of the authentication device by running the software programs and modules stored in the memory 602. The memory 602 may mainly include a program storage area and a data storage area, wherein the program storage area may store an operating system, an application program required for at least one function, and the like. Further, the memory 602 may include high speed random access memory, and may also include non-volatile memory, such as at least one magnetic disk storage device, flash memory device, or other volatile solid state storage device. The input device 603 may be used to receive entered numerical or character information and to generate signal inputs relating to user settings and function control of the authentication device.
Specifically, in this embodiment, the processor 601 loads an executable file corresponding to one or more processes of the application program into the memory 602 according to the following instructions, and the processor 601 runs the application program stored in the memory 602, thereby implementing various functions of the authentication device.
It is noted that, in this document, relational terms such as "first" and "second," and the like, may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising a ..." does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.
The foregoing are merely exemplary embodiments of the present disclosure, which enable those skilled in the art to understand or practice the present disclosure. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other embodiments without departing from the spirit or scope of the disclosure. Thus, the present disclosure is not intended to be limited to the embodiments shown herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.
Claims (10)
1. A method of authentication, the method comprising:
when a Uniform Resource Locator (URL) request of a first user is received, extracting authority verification information carried by the URL request; the authority verification information comprises a request method, a request path and a request parameter;
determining the authority corresponding to the authority verification information by querying an authentication configuration table; the authentication configuration table is used for storing authority configuration information, and the authority configuration information comprises a corresponding relation between a request method, a request path and/or request parameters and an authority;
sending the authority corresponding to the authority verification information to an authority management center; the authority management center is used for determining whether the first user has the authority corresponding to the authority verification information.
2. The method according to claim 1, wherein before extracting the authority verification information carried by the URL request when receiving the URL request of the first user, the method further comprises:
based on the URL authority access interface, acquiring URL configuration information and authority identification; the URL configuration information comprises a request method, a request path and/or request parameters;
establishing a corresponding relation between the URL configuration information and the authority corresponding to the authority identifier to serve as authority configuration information;
and storing the authority configuration information in an authentication configuration table.
3. The method of claim 1, wherein the determining the authority corresponding to the authority verification information by querying an authentication configuration table comprises:
matching the authority verification information with the authority configuration information in the authentication configuration table respectively;
and determining the authority in the authority configuration information successfully matched with the authority verification information as the authority corresponding to the authority verification information.
4. The method according to claim 3, wherein the authority verification information includes a plurality of request parameters, and the matching the authority verification information with the authority configuration information in the authentication configuration table respectively includes:
determining the to-be-verified requests corresponding to the authority verification information based on combinations of any one or more of the request parameters included in the authority verification information;
matching the to-be-verified requests corresponding to the authority verification information with the authority configuration information in the authentication configuration table respectively;
correspondingly, the determining the authority in the authority configuration information successfully matched with the authority verification information as the authority corresponding to the authority verification information includes:
determining each authority in the authority configuration information successfully matched with a to-be-verified request as an authority corresponding to the authority verification information.
5. The method according to claim 1, wherein before extracting the authority verification information carried by the URL request when receiving the URL request of the first user, the method further comprises:
after receiving an authentication service call request of a client, intercepting a URL request from the client.
6. The method according to any of claims 1-5, characterized in that the method is applied to authentication services.
7. An authentication apparatus, characterized in that the apparatus comprises:
an extraction unit, used for extracting authority verification information carried by a URL request when the URL request of a first user is received; the authority verification information comprises a request method, a request path and a request parameter;
a first determining unit, used for determining the authority corresponding to the authority verification information by querying an authentication configuration table; the authentication configuration table is used for storing authority configuration information, and the authority configuration information comprises a corresponding relation between a request method, a request path and/or request parameters and an authority;
a sending unit, used for sending the authority corresponding to the authority verification information to an authority management center; the authority management center is used for determining whether the first user has the authority corresponding to the authority verification information.
8. A computer-readable storage medium having stored therein instructions that, when run on a terminal device, cause the terminal device to implement the method of any one of claims 1-6.
9. An apparatus, comprising: a memory, a processor, and a computer program stored on the memory and executable on the processor, wherein the processor, when executing the computer program, implements the method of any of claims 1-6.
10. A computer program product, characterized in that the computer program product comprises a computer program/instructions which, when executed by a processor, implements the method according to any of claims 1-6.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202111422040.1A CN114091077A (en) | 2021-11-26 | 2021-11-26 | Authentication method, device, equipment and storage medium |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202111422040.1A CN114091077A (en) | 2021-11-26 | 2021-11-26 | Authentication method, device, equipment and storage medium |
Publications (1)
Publication Number | Publication Date |
---|---|
CN114091077A true CN114091077A (en) | 2022-02-25 |
Family
ID=80304928
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202111422040.1A Pending CN114091077A (en) | 2021-11-26 | 2021-11-26 | Authentication method, device, equipment and storage medium |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN114091077A (en) |
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN115225401A (en) * | 2022-07-25 | 2022-10-21 | 北京天融信网络安全技术有限公司 | Access control method, device, electronic equipment and computer readable storage medium |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20090288149A1 (en) * | 2008-05-13 | 2009-11-19 | Raju Venkata Kolluru | System and method for pool-based identity authentication for service access without use of stored credentials |
US20150121484A1 (en) * | 2013-10-28 | 2015-04-30 | Futurewei Technologies Inc. | System and method for signaling and verifying url signatures for both url authentication and url-based content access authorization in adaptive streaming |
CN105354451A (en) * | 2014-08-20 | 2016-02-24 | 腾讯科技(深圳)有限公司 | Access authentication method and system |
CN110225039A (en) * | 2019-06-14 | 2019-09-10 | 无锡华云数据技术服务有限公司 | Authority models acquisition, method for authenticating, gateway, server and storage medium |
CN112055024A (en) * | 2020-09-09 | 2020-12-08 | 深圳市欢太科技有限公司 | Authority verification method and device, storage medium and electronic equipment |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN112995166B (en) | Authentication method and device for resource access, storage medium and electronic equipment | |
CN109587133B (en) | A single sign-on system and method | |
CN104735066B (en) | A kind of single-point logging method of object web page application, device and system | |
CN112564916A (en) | Access client authentication system applied to micro-service architecture | |
US20170346805A1 (en) | Login method and apparatus, and open platform system | |
CN112995163B (en) | Authentication method and device for resource access, storage medium and electronic equipment | |
JP2018536232A (en) | System and method for controlling sign-on to a web application | |
US20170187705A1 (en) | Method of controlling access to business cloud service | |
CN113014593B (en) | Access request authentication method and device, storage medium and electronic equipment | |
CN112995165A (en) | Resource access authentication method and device, storage medium and electronic equipment | |
CN104954330A (en) | Method of accessing data resources, device and system | |
US11165768B2 (en) | Technique for connecting to a service | |
CN110708335A (en) | Access authentication method and device and terminal equipment | |
CN104158818A (en) | Single sign-on method and system | |
CN111201527B (en) | Client server system | |
US9210155B2 (en) | System and method of extending a host website | |
CN109936579A (en) | Single sign-on method, device, equipment and computer readable storage medium | |
CN113271289A (en) | Method, system and computer storage medium for resource authorization and access | |
CN114444058A (en) | Authentication system and method for micro-service, electronic equipment and storage medium | |
CN114091077A (en) | Authentication method, device, equipment and storage medium | |
CN114338060B (en) | Authority verification method, device, system, equipment and storage medium | |
CN113765876B (en) | Report processing software access method and device | |
US6895510B1 (en) | Mutual internet authentication between a client and server utilizing a dummy IOP request | |
US20190222582A1 (en) | Decentralized method of tracking user login status | |
CN118300872A (en) | Resource access method and device |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||