CN116032616A - Identity verification method and related equipment - Google Patents
- Publication number
- CN116032616A (application CN202211715373.8A)
- Authority
- CN
- China
- Prior art keywords
- client
- server
- identity information
- identity
- identity verification
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Classifications
- Y—GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
- Y02—TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
- Y02D—CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
- Y02D10/00—Energy efficient computing, e.g. low power processors, power management or thermal management
Landscapes
- Computer And Data Communications (AREA)
Abstract
The embodiments of this application disclose an identity verification method and related equipment for improving the efficiency of identity verification. The method of the embodiments includes: receiving an identity verification token sent by a client, where the token was issued to the client by an issuing server, which generated it by processing the client's identity information with a preset key, and where the issuing server and the application server belong to the same mutual-trust server cluster, every server in such a cluster holding the same preset key; determining, based on the preset key, whether the verified identity information and the identity information to be verified contained in the token are consistent; and, if the identity information to be verified is consistent with the verified identity information, determining that the client has passed identity verification and allowing the client to call the application server.
Description
Technical field
The embodiments of this application relate to the field of cloud services, and in particular to an identity verification method and related equipment.
Background
In network communication, protecting the local data of both the client and the server is particularly important. Consequently, in today's network environment a user must be authenticated whether accessing the network or logging in to an application.
Currently, when a user needs to access a cloud service, the client sends a call instruction and user information to the corresponding application server, and the application server sends an identity check request containing the client's identity information to a remote server that stores the user information of every user permitted to access that application server. The remote server determines whether it holds identity information matching the client's identity information it received; if so, it determines that the client has passed the identity check and informs the application server that the client's call is allowed.
However, an identity check that relies on a remote server is very time-consuming because of network latency and similar factors. When a client frequently generates business requests and needs to access application servers, every access requires the corresponding application server to initiate an identity check with the remote server, and the client is granted access only after that check passes. This consumes a great deal of time and becomes a bottleneck for improving the performance of the corresponding business.
Summary of the invention
The embodiments of this application provide an identity verification method and related equipment for improving the efficiency of identity verification.
A first aspect of the embodiments provides an identity verification method applied to an application server, the method including:
receiving an identity verification token sent by a client, where the token was issued to the client by an issuing server, which generated it by processing the client's identity information with a preset key, and where the issuing server and the application server belong to the same mutual-trust server cluster, every server in such a cluster holding the same preset key;
determining, based on the preset key, whether the verified identity information and the identity information to be verified contained in the token are consistent;
if the identity information to be verified is consistent with the verified identity information, determining that the client has passed identity verification and allowing the client to call the application server.
In one specific implementation, after the client is allowed to call the application server, the method further includes:
in response to a service call request for another service, sending the client's identity verification token to the other server on which that service is deployed, where the other server and the application server belong to the same mutual-trust server cluster;
if no verification-failure message is received from the other server, accessing the other service deployed on the other server.
In one specific implementation, the preset key includes a preset private key and a preset public key, and determining, based on the preset key, whether the verified identity information and the identity information to be verified contained in the token are consistent includes:
decrypting the verified identity information in the token with the preset public key to obtain the corresponding decrypted identity information, where the verified identity information was obtained by the issuing server encrypting a digest of the client's identity information with the preset private key, and that digest was obtained by the issuing server processing the client's identity information with a preset digest algorithm;
processing the identity information to be verified in the token with the preset digest algorithm to obtain a digest of the identity information to be verified;
if the digest of the identity information to be verified is consistent with the decrypted identity information, determining that the identity information to be verified is consistent with the verified identity information.
A second aspect of the embodiments provides an identity verification method applied to a client, the method including:
in response to a service call instruction for a target service, sending an identity verification token to the application server on which the target service is deployed, where the token was issued to the client by an issuing server, which generated it by processing the client's identity information with a preset key, and where the issuing server and the application server belong to the same mutual-trust server cluster, every server in such a cluster holding the same preset key;
if no verification-failure message is received from the application server, accessing the target service deployed on the application server.
In one specific implementation, before sending the identity verification token to the application server on which the target service is deployed, the method further includes:
in response to a service call instruction for any service, sending a service initialization request to the issuing server on which that service is deployed, so that the issuing server initiates an identity check of the client with a remote server;
receiving and storing the identity verification token sent by the issuing server, and accessing any service deployed on the issuing server using that token, where the issuing server generated the token after the remote server determined that the client passed identity verification.
In one specific implementation, storing the identity verification token sent by the issuing server includes:
storing the identity verification token in the security context of the client's local thread.
A third aspect of the embodiments provides an identity verification method applied to an issuing server, the method including:
in response to a service call request sent by a client, initiating an identity check of the client with a remote server;
if a check-passed message for the client is received from the remote server, processing the client's identity information with a preset key to generate an identity verification token for the client;
sending the identity verification token to the client, so that the client sends a service call request, together with the token, to the application server on which a target service is deployed, and so that the application server performs identity verification of the client locally based on the token, where the application server and the issuing server belong to the same mutual-trust server cluster, every server in such a cluster holding the same preset key.
In one specific implementation, the preset key includes a preset private key and a preset public key, and processing the client's identity information with the preset key to generate the client's identity verification token includes:
processing the client's identity information with a preset digest algorithm to obtain a digest of the client's identity information;
encrypting the digest of the client's identity information with the preset private key to obtain encrypted identity information;
generating an identity verification token that includes the client's identity information and the encrypted identity information.
A fourth aspect of the embodiments provides an application server, including:
a receiving unit configured to receive an identity verification token sent by a client, where the token was issued to the client by an issuing server, which generated it by processing the client's identity information with a preset key, and where the issuing server and the application server belong to the same mutual-trust server cluster, every server in such a cluster holding the same preset key;
a determining unit configured to determine, based on the preset key, whether the verified identity information and the identity information to be verified contained in the token are consistent;
the determining unit being further configured to determine that the client has passed identity verification, and to allow the client to call the application server, if the identity information to be verified is consistent with the verified identity information.
In one specific implementation, for use after the client is allowed to call the application server, the application server further includes a sending unit and an access unit;
the sending unit being configured to send the client's identity verification token, in response to a service call request for another service, to the other server on which that service is deployed, where the other server and the application server belong to the same mutual-trust server cluster;
the access unit being configured to access the other service deployed on the other server if no verification-failure message is received from the other server.
In one specific implementation, the preset key includes a preset private key and a preset public key, and the determining unit is specifically configured to decrypt the verified identity information in the token with the preset public key to obtain the corresponding decrypted identity information, where the verified identity information was obtained by the issuing server encrypting a digest of the client's identity information with the preset private key, and that digest was obtained by the issuing server processing the client's identity information with a preset digest algorithm;
to process the identity information to be verified in the token with the preset digest algorithm to obtain a digest of the identity information to be verified;
and, if the digest of the identity information to be verified is consistent with the decrypted identity information, to determine that the identity information to be verified is consistent with the verified identity information.
A fifth aspect of the embodiments provides a client, including:
a sending unit configured to send, in response to a service call instruction for a target service, an identity verification token to the application server on which the target service is deployed, where the token was issued to the client by an issuing server, which generated it by processing the client's identity information with a preset key, and where the issuing server and the application server belong to the same mutual-trust server cluster, every server in such a cluster holding the same preset key;
an access unit configured to access the target service deployed on the application server if no verification-failure message is received from the application server.
In one specific implementation, before the identity verification token is sent to the application server on which the target service is deployed, the sending unit is further configured to send, in response to a service call instruction for any service, a service initialization request to the issuing server on which that service is deployed, so that the issuing server initiates an identity check of the client with a remote server;
and the access unit is further configured to receive and store the identity verification token sent by the issuing server, and to access any service deployed on the issuing server using that token, where the issuing server generated the token after the remote server determined that the client passed identity verification.
In one specific implementation, the access unit is specifically configured to store the identity verification token in the security context of the client's local thread.
A sixth aspect of the embodiments provides an issuing server, including:
an initiating unit configured to initiate an identity check of a client with a remote server in response to a service call request sent by the client;
a processing unit configured to process the client's identity information with a preset key, and generate an identity verification token for the client, if a check-passed message for the client is received from the remote server;
a sending unit configured to send the identity verification token to the client, so that the client sends a service call request, together with the token, to the application server on which a target service is deployed, and so that the application server performs identity verification of the client locally based on the token, where the application server and the issuing server belong to the same mutual-trust server cluster, every server in such a cluster holding the same preset key.
In one specific implementation, the preset key includes a preset private key and a preset public key, and the processing unit is specifically configured to process the client's identity information with a preset digest algorithm to obtain a digest of the client's identity information;
to encrypt the digest of the client's identity information with the preset private key to obtain encrypted identity information;
and to generate an identity verification token that includes the client's identity information and the encrypted identity information.
A seventh aspect of the embodiments provides a computer device, including:
a central processing unit, a memory and an input/output interface;
where the memory is a transient storage memory or a persistent storage memory;
and the central processing unit is configured to communicate with the memory and to execute the instructions in the memory so as to perform the method of the first, second or third aspect.
An eighth aspect of the embodiments provides a computer program product containing instructions which, when the product is run on a computer, cause the computer to perform the method of the first, second or third aspect.
A ninth aspect of the embodiments provides a computer storage medium storing instructions which, when executed on a computer, cause the computer to perform the method of the first, second or third aspect.
The above technical solutions show that the embodiments of this application have the following advantages. By configuring the same preset key on every application server that permits access to the same set of users, a mutual-trust server cluster is formed. Once a client has made a single service request to any application server in the cluster (that server being the issuing server), the issuing server, after identity verification passes, sends the client an identity verification token obtained by processing the client's identity information with the preset key. Having received that token from any application server in the cluster (the issuing server), the client can include the token in every subsequent service call request to any application server in the cluster, and that application server can then verify the client's identity locally from the token and the preset key, without involving the remote server, which greatly improves the efficiency of identity verification.
Brief description of the drawings
FIG. 1 is a system architecture diagram of the identity verification method disclosed in the embodiments of this application;
FIG. 2 is a schematic flowchart of the identity verification method disclosed in the embodiments of this application;
FIG. 3 is another schematic flowchart of the identity verification method disclosed in the embodiments of this application;
FIG. 4 is a schematic structural diagram of the application server disclosed in the embodiments of this application;
FIG. 5 is a schematic structural diagram of the client disclosed in the embodiments of this application;
FIG. 6 is a schematic structural diagram of the issuing server disclosed in the embodiments of this application;
FIG. 7 is a schematic structural diagram of the computer device disclosed in the embodiments of this application.
Detailed description
The technical solutions in the embodiments of this application are described below clearly and completely with reference to the drawings of those embodiments. Obviously, the embodiments described are only some of the embodiments of this application, not all of them. All other embodiments obtained by a person of ordinary skill in the art from the embodiments of this application without creative effort fall within the scope of protection of this application.
The business logic carried by EJBs often has specific requirements on the identity of the caller (that is, the user and/or client), so the caller's identity must be verified every time a business method of such a security-sensitive EJB is invoked. The common approach today is to store the identity information of permitted users in a separate, remote LDAP server (the remote server) and to connect to that remote LDAP server for every verification.
Because every invocation of an EJB business method then depends on the remote server for verification, factors such as network latency and the limited processing capacity of the remote server cost time and cap the performance gains of the EJB business.
To solve the above problems of the prior art, the embodiments of this application provide an identity verification method and related equipment for improving the efficiency of identity verification.
To better explain the technical solutions of the embodiments, some of the technical concepts that appear later are explained first.
EJB (Enterprise JavaBeans) is the server-side component architecture of Java EE (Java Platform, Enterprise Edition). EJB technology supports the rapid and simplified development of distributed, transactional, secure and portable applications based on Java technology.
Cluster: multiple distributed computer nodes that provide services externally as one unified whole. This whole is called a cluster, and it can provide greater service capacity than a single node.
JNDI (Java Naming and Directory Interface) is an application programming interface that provides naming and directory functionality to applications written in the Java programming language; it is defined to be independent of any particular directory service implementation.
A JNDI naming context, or Context, consists of a set of name-to-object bindings and provides methods for looking up, creating and deleting those bindings.
LDAP (Lightweight Directory Access Protocol) is an open, vendor-neutral, industry-standard application protocol for accessing and maintaining distributed directory information services over Internet Protocol networks. A directory service can provide any organized set of records, usually with a hierarchical structure, such as a corporate e-mail directory or user information.
An application server is basic software that sits above the operating system; because it sits between the operating system and the business applications, it is also called middleware. It provides applications with an execution environment and with common underlying services such as security, transactions and data that are independent of any individual application, so that developers can focus on developing business logic.
A domain is a way of managing applications and processes within an application server. Multiple domains can be created in one application server installation; each domain usually corresponds to a separate process and can be understood as an instance of the application server with its complete functionality, on which applications can be deployed to provide services externally.
下面请参阅图1,本申请实施例提供一种身份验证系统,该身份验证系统包括:客户端101、发放服务器102、远程服务器103以及应用服务器104。其中,发放服务器102和应用服务器104属于同一互信服务器集群,也就是说发放服务器102的预设密钥与应用服务器104的预设密钥一致。在客户端101首次向图中所示互信服务器集群中的任一应用服务器104发起业务调用请求前,会先向发放服务器102发起业务初始化请求。发放服务器102接收到业务初始化请求后,会向远程服务器103发起针对客户端101的身份验证请求。远程服务器103包括允许访问前述互信服务器集群的每个用户的身份信息,若远程服务器103查询发现客户端101的身份信息是允许访问前述互信服务器集群的,则会向发放服务器102发送校验通过信息,以告知发放服务器102允许客户端101访问相关业务。发放服务器102在接收到校验通过信息后,会基于预设密钥处理客户端101的身份信息,生成身份验证令牌,并将生成的身份验证令牌发送给客户端101。客户端101在之后向前述互信服务器集群内的任一应用服务器104发送业务调用请求时,会一同向应用服务器104发送之前获得的身份验证令牌。应用服务器104便可以根据基于身份验证令牌,对客户端101执行身份验证。若校验不通过,则向客户端101发送校验失败信息:若校验通过,则允许客户端101访问相关业务。Referring to FIG. 1 , an embodiment of the present application provides an identity verification system, which includes: a
需要说明的是,前述互信服务器集群还可以包括除发放服务器102以及应用服务器104之外的任意其他服务器,只要保证该互信服务器集群内各服务器允许访问的用户的身份信息一致。另外,在实际应用中,发放服务器102以及应用服务器104可以是前述互信服务器集群中的同一或不同服务器;区别仅在于客户端101访问的前述互信服务器集群中的首个服务器只能是发放服务器102,客户端101访问的前述互信服务器集群中的任一非首个服务器都可以是应用服务器104;区分发放服务器102以及应用服务器104的目的是为了更好地说明,本申请实施例的身份验证流程。It should be noted that the aforementioned mutual trust server cluster may also include any other servers except the
其中,客户端101可以但不限于是各种个人计算机、笔记本电脑、智能手机、平板电脑和便携式可穿戴设备。便携式可穿戴设备可为智能手表、智能手环、头戴设备等。服务器(包括发放服务器102、远程服务器103以及应用服务器104)可以用独立的服务器或者是多个服务器组成的服务器集群来实现。Wherein, the
Building on the identity verification system above, and referring to FIG. 2, an embodiment of the present application provides an identity verification method that may be carried out by the client 101, the issuing server 102, the remote server 103 and/or the application server 104. The method of this embodiment comprises the following steps:
201. In response to a service invocation instruction for a target service, the client sends an identity verification token to the application server on which the target service is deployed.
When a user needs to access a target service, a service invocation instruction for that service is issued through the client. The client then sends the identity verification token to the application server on which the target service is deployed, and that application server can use the token to check whether the client is authorized to access the target service. The application server deploying the target service may be any server on which the target service is deployed.
Note that the identity verification token was sent to the client by an issuing server belonging to the same mutual-trust server cluster as the application server, and was generated by the issuing server processing the client's identity information with the preset key (the identity information here having already passed the identity check of the remote server). Every server in the same mutual-trust server cluster (application servers and/or issuing servers) has the same preset key.
In practice, configuring the same preset key on every server in a mutual-trust server cluster can be achieved in ways including, but not limited to: 1) configuring the same identity password on every server in the cluster, with each server deriving the same preset key from that identity password; 2) configuring the same preset key directly on every server in the cluster. For method 1 to yield identical keys, the derivation function and any salt or parameters it uses must also be shared by every server in the cluster. Further, for method 1, after the same identity password has been configured on every server, each server may encrypt the identity password with an encryption method of its own choosing and store it locally, decrypting it only when the preset key needs to be derived. In this way, even though two servers hold the same identity password, the ciphertexts they store are entirely different, and an outside party cannot tell from the stored ciphertext whether two servers belong to the same mutual-trust server cluster.
202. Based on the preset key, the application server determines whether the verified identity information and the to-be-verified identity information contained in the identity verification token are consistent.
Because the application server and the issuing server belong to the same mutual-trust server cluster, the preset key held by the application server is identical to that of the issuing server, and the identity verification token was generated by the issuing server processing the client's identity information with that preset key. Processing the token with the preset key therefore allows the application server to determine whether the verified identity information and the to-be-verified identity information in the token are consistent. Note that the verified identity information recorded in the token has been cryptographically processed, so it cannot be altered without detection, whereas the to-be-verified identity information is the client's identity information recorded in plaintext. Identity information includes, but is not limited to, user information (such as user name and user identifier) and/or the client IP address.
In practice, the to-be-verified identity information is usually the original client identity information, while the verified identity information may be either the original client identity information processed with the preset key, or a digest of the client identity information processed with the preset key. For example, if the client's identity information is A, the to-be-verified identity information in the token may be A itself, and the verified identity information may be A encrypted with the preset key, or a digest of A encrypted with the preset key (where the digest of A is the output of a preset digest algorithm applied to A).
203. If the to-be-verified identity information is consistent with the verified identity information, the application server determines that the client has passed identity verification and allows the client to invoke the application server.
The verified identity information obtained in step 202 is identity information that passed the remote server's identity check, which means the client it corresponds to is permitted to access the target service. Therefore, if the to-be-verified identity information is consistent with the verified identity information, the token was generated within the mutual-trust server cluster to which the application server belongs, and the client that presented the token in step 201 is permitted to access the application server on which the target service is deployed and the target service itself.
204. If the client does not receive check-failed information from the application server, it accesses the target service deployed on the application server.
If the application server finds that the to-be-verified identity information is inconsistent with the verified identity information, it sends check-failed information to the client, informing it that it may not continue to access the target service deployed on that application server. In practice the client may keep accessing the target service until it receives check-failed information, or, if no check-failed information arrives within a certain period, treat the check as successful and continue accessing the target service. Note that treating the absence of a failure message as success is fail-open behaviour on the client side only; the decision that controls access is the application server's, which serves the target service only after the check of step 202 has passed.
In the embodiments of the present application, a mutual-trust server cluster is formed by configuring the same preset key on every application server whose set of permitted users is the same. Once the client has made a single service request to any application server in the cluster (which thereby acts as the issuing server), that issuing server, after the identity check passes, sends the client an identity verification token obtained by processing the client's identity information with the preset key. Having received the token from any application server in the cluster (the issuing server), the client can include it with every subsequent service invocation request to any application server in that cluster, so that the application server verifies the client locally as described above without involving the remote server, which greatly improves the efficiency of identity verification. In other words, servers in the same cluster mutually recognize the identity verification tokens issued by one another, so identity verification completes quickly and locally, avoiding a call to the remote server's authentication method and improving performance.
In some specific implementations the preset key comprises a preset public key and a preset private key, and step 202 can be implemented as follows: decrypt the verified identity information in the token with the preset public key to obtain the corresponding decrypted identity information, where the verified identity information was obtained by the issuing server encrypting a digest of the client's identity information with the preset private key, and that digest was obtained by the issuing server applying a preset digest algorithm to the client's identity information; apply the preset digest algorithm to the to-be-verified identity information in the token to obtain a digest of the to-be-verified identity information; if this digest is consistent with the decrypted identity information, determine that the to-be-verified identity information is consistent with the verified identity information. (Encrypting a digest with a private key and checking it with the corresponding public key is the digital-signature construction: the verified identity information is a signature over the digest, and the check is signature verification.)
Concretely, the preset digest algorithm is applied to the to-be-verified identity information in the token to obtain a digest of it; the verified identity information in the token is decrypted with the preset public key to obtain the decrypted identity information; and the two are compared, so that the consistency of the to-be-verified and verified identity information follows from the consistency of the digest and the decrypted identity information. Alternatively, if the verified identity information in the token was obtained by encrypting the client's identity information itself with the preset private key, it may be decrypted with the preset public key to recover the client's identity information, which is then compared with the to-be-verified identity information to determine their consistency.
Referring to FIG. 3, on the basis of the preceding embodiments, before the client sends a service invocation request to an application server it must first send a first service invocation request, directed at any server in the corresponding mutual-trust server cluster, to any application server in that cluster, namely the issuing server, so that an identity verification token is generated. The embodiment of the present application further comprises the following steps:
301. In response to a service invocation instruction for any service, the client sends a service initialization request to the issuing server on which that service is deployed.
The identity verification token can be obtained through the first service invocation request directed at any service in the mutual-trust server cluster in which the application server sits. Specifically, the server that receives this first service invocation request is the issuing server, and the service deployed on it is the "any service" referred to above. Because which server receives a client's service invocation request is not fixed, a service invocation instruction for any service issued by the client may end up directed at any server in the cluster.
Note that when the client first receives a user-issued service invocation instruction for any server in a given mutual-trust server cluster (the instruction is issued by the user to the client), the client first sends a service initialization request to the issuing server on which that service is deployed, so as to establish whether the client is authorized to access the server; only after it has been determined that the client is authorized to access that service does the client send a service invocation request for the service deployed on the issuing server in order to access it.
302. In response to the service initialization request sent by the client, the issuing server initiates an identity check of the client with the remote server.
When the client sends a service initialization request to any server in a mutual-trust server cluster, it does not yet hold locally an identity verification token that has been cryptographically processed by any server in that cluster. Therefore, when the service initialization request is sent for the first time, the issuing server must complete the identity check with the help of the remote server.
303. If the client passes the identity check, the remote server sends check-passed information to the issuing server.
If the client's identity information is permitted to access the service deployed on the issuing server, the remote server sends check-passed information to the issuing server to inform it of the result of the client's identity check.
304. If it receives check-passed information for the client from the remote server, the issuing server processes the client's identity information with the preset key to generate the client's identity verification token.
Receipt of check-passed information for the client from the remote server means the client has passed the identity check. The issuing server can then process the checked identity information of the client with the preset key to generate the client's identity verification token.
In some specific implementations this step is carried out as follows: apply the preset digest algorithm to the client's identity information to obtain a digest of the client's identity information; encrypt that digest with the preset private key to obtain the verified identity information; and generate an identity verification token comprising the client's identity information together with the verified identity information.
Concretely, first the preset digest algorithm is applied to the client's identity information to obtain the corresponding identity information digest. Then the digest is encrypted with the preset private key and the preset encryption algorithm to obtain the encrypted identity information (the verified identity information of the preceding embodiments). Finally, the client's identity information and the encrypted identity information are combined to form the identity verification token. The encrypted identity information serves to establish whether the issuing server and the application server belong to the same mutual-trust server cluster (if they do not, the application server cannot decrypt the encrypted identity information with its preset public key). Because every server in the cluster may act as issuing server and therefore holds the same preset private key, this check establishes that the token was issued by some member of the cluster, not by which one. The client's identity information is the to-be-verified identity information of the preceding embodiments: since it is present in the token in plaintext, there is no guarantee that its content has not been altered, hence the name to-be-verified identity information.
Alternatively, the identity verification token may be generated as follows: first, the client's identity information itself is encrypted with the preset private key and the preset encryption algorithm to obtain the encrypted identity information (the verified identity information of the preceding embodiments), that is, the encryption is applied directly to the client's identity information; then the client's identity information and the encrypted identity information are combined to form the identity verification token. The embodiments of the present application do not restrict the way in which the identity verification token is generated.
Note that the method used to check the consistency of the to-be-verified and verified identity information must match the method by which the identity verification token was generated.
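The following is an added example, not code from the patent, that carries the issuing flow of step 304 and the verification of step 202 through end to end for a cluster keyed by a shared identity password (method 1 above). It uses HMAC-SHA256 over the identity digest as the keyed processing that the text calls "encrypting the digest with the preset key"; the asymmetric variant in the text replaces this with a signature made with the preset private key and checked with the preset public key, and the token layout and comparison are otherwise the same. The salt, iteration count, allow-list, server names and sample identity information are constructed for the example.

```python
"""Added example: token issuance and local verification in a mutual-trust server cluster.
Not the patent's own code; HMAC-SHA256 stands in for "encrypt the digest with the preset key".
All parameters and sample data below are constructed for this example."""
from typing import Optional
import base64
import hashlib
import hmac
import json

# Constructed cluster-wide parameters. Under method 1 every server must share not only the
# identity password but also the salt and KDF parameters, or the derived keys will differ.
CLUSTER_SALT = b"example-cluster-salt"
KDF_ITERATIONS = 100_000

# Constructed stand-in for what the remote server knows: users permitted to access the cluster.
REMOTE_ALLOWLIST = {"alice", "bob"}


def derive_preset_key(identity_password: str, salt: bytes = CLUSTER_SALT) -> bytes:
    """Method 1: the same identity password on every server yields the same preset key."""
    return hashlib.pbkdf2_hmac("sha256", identity_password.encode(), salt, KDF_ITERATIONS)


def _canonical(identity: dict) -> bytes:
    """Stable encoding so issuer and verifier digest identical bytes."""
    return json.dumps(identity, sort_keys=True, separators=(",", ":")).encode()


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def identity_digest(identity: dict) -> bytes:
    """The preset digest algorithm: SHA-256 over the canonical identity information."""
    return hashlib.sha256(_canonical(identity)).digest()


def remote_identity_check(identity: dict) -> bool:
    """Steps 302/303: the remote server's lookup of whether this identity may access the cluster."""
    return identity.get("user") in REMOTE_ALLOWLIST


def issue_token(preset_key: bytes, identity: dict) -> Optional[str]:
    """Issuing server, steps 302-305: token = <plaintext identity>.<keyed digest>.
    Returns None when the remote check fails, so no token is ever issued for such a client."""
    if not remote_identity_check(identity):
        return None
    verified = hmac.new(preset_key, identity_digest(identity), "sha256").digest()
    return f"{_b64(_canonical(identity))}.{_b64(verified)}"


def verify_token(preset_key: bytes, token: str) -> Optional[dict]:
    """Application server, steps 202/203: recompute the keyed digest of the plaintext part and
    compare it in constant time with the verified part. Returns the identity on success."""
    try:
        plain_b64, verified_b64 = token.split(".")
        identity = json.loads(_unb64(plain_b64))
        presented = _unb64(verified_b64)
    except ValueError:  # malformed base64 / JSON / wrong number of parts
        return None
    if not isinstance(identity, dict):
        return None
    expected = hmac.new(preset_key, identity_digest(identity), "sha256").digest()
    if not hmac.compare_digest(expected, presented):
        return None
    return identity


def tamper(token: str, new_user: str) -> str:
    """Rewrite only the plaintext (to-be-verified) part, as a client holding the token could."""
    plain_b64, verified_b64 = token.split(".")
    identity = json.loads(_unb64(plain_b64))
    identity["user"] = new_user
    return f"{_b64(_canonical(identity))}.{verified_b64}"


def demo() -> dict:
    """Two cluster members share an identity password; a third server does not."""
    issuing_key = derive_preset_key("cluster-identity-password")    # issuing server 102
    app_key = derive_preset_key("cluster-identity-password")        # application server 104
    foreign_key = derive_preset_key("some-other-cluster-password")  # server outside the cluster
    identity = {"user": "alice", "client_ip": "10.0.0.7"}           # constructed identity info
    token = issue_token(issuing_key, identity)
    return {
        "same_cluster_accepts": verify_token(app_key, token) == identity,
        "other_cluster_rejects": verify_token(foreign_key, token) is None,
        "tampered_plaintext_rejects": verify_token(app_key, tamper(token, "bob")) is None,
        "unknown_user_not_issued": issue_token(issuing_key, {"user": "mallory"}) is None,
    }


if __name__ == "__main__":
    print(demo())
```

The same `verify_token` call serves the forwarding case described later, where an application server passes the client's token on to another server in the cluster: that server derives the same key from the same identity password and verifies locally, without any call to the remote server.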
305. The issuing server sends the identity verification token to the client.
306. The client receives and stores the identity verification token sent by the issuing server.
Specifically, the client may store the identity verification token anywhere locally. To make the token convenient to use, however, it may be stored in the security context field of the local thread. Because the security context field is held in a ThreadLocal, i.e. it is scoped to the current thread, it is particularly convenient: it need not be passed explicitly and can be retrieved directly wherever it is needed.
The embodiments of the present application provide several implementations of the identity verification token, improving the practicability of the solution.
On the basis of the preceding embodiments, after the application server receives a service invocation request for the target service deployed on it, the application server may itself, as its business logic requires, send service invocation requests for other services deployed on other servers in the same mutual-trust server cluster, forwarding the client's identity verification token to those other servers on the client's behalf so that they can perform the identity check locally.
Having described several embodiments of the identity verification method of the present application, the method is now described in a specific scenario.
When the client sends the service initialization request, at the point where it creates the JNDI naming context with Context ctx=new InitialContext(env) it places the user name and password in env and passes them to the issuing server. Once its check passes, the issuing server returns an AccessToken (the identity verification token) to the client, which stores it in the security context of the local thread. Thereafter, within the scope of that security context, the client can hold the EJB object and keep invoking business methods; each invocation no longer passes identity information to the application server but implicitly passes this identity verification token instead. The application server checks the token locally: if the check passes, access is allowed to continue; if not, a check failure is reported and access is denied.
This works because the application server and the issuing server belong to the same mutual-trust server cluster, and any servers in the same cluster recognize one another's identity verification tokens. Besides the EJB-cluster scenario, in which a mutual-trust server cluster is established among the members of an EJB cluster, there is another scenario: for instance, a Web domain receives identity information entered by a user on a login page and, after verifying it in some specific way, likewise generates an identity verification token and stores it in the security context of the local thread; if that Web domain then directly invokes an EJB in another EJB domain, the invocation succeeds as long as the Web domain and the EJB domain trust each other. Note that there is no essential difference between the two kinds of domain (EJB domain and Web domain): by convention a domain deploying EJB applications is called an EJB domain and one deploying Web applications a Web domain, but EJB and Web applications may equally be deployed in the same domain. Nothing forces separate deployment; it is done for management reasons, such as a clearer division of responsibilities, or so that different domains can form clusters of different sizes.
Referring to FIG. 4, an embodiment of the present application provides an application server comprising:
a receiving unit 401, configured to receive an identity verification token sent by a client, where the token is issued to the client by an issuing server and is generated by the issuing server processing the client's identity information with a preset key, and where the issuing server and the application server belong to the same mutual-trust server cluster in which every server has the same preset key;
a determining unit 402, configured to determine, based on the preset key, whether the verified identity information and the to-be-verified identity information contained in the identity verification token are consistent;
the determining unit 402 being further configured to determine, if the to-be-verified identity information is consistent with the verified identity information, that the client has passed identity verification and to allow the client to invoke the application server.
In one specific implementation, for use after the client has been allowed to invoke the application server, the application server further comprises a sending unit and an access unit:
the sending unit, configured to send the client's identity verification token, in response to a service invocation request for another service, to another server on which that other service is deployed, the other server and the application server belonging to the same mutual-trust server cluster;
the access unit, configured to access the other service deployed on the other server if no check-failed information is received from the other server.
In one specific implementation the preset key comprises a preset private key and a preset public key, and the determining unit 402 is specifically configured to decrypt the verified identity information in the identity verification token with the preset public key to obtain the corresponding decrypted identity information, where the verified identity information was obtained by the issuing server encrypting a digest of the client's identity information with the preset private key, and that digest was obtained by the issuing server applying a preset digest algorithm to the client's identity information;
to apply the preset digest algorithm to the to-be-verified identity information in the identity verification token to obtain a digest of the to-be-verified identity information; and
if the digest of the to-be-verified identity information is consistent with the decrypted identity information, to determine that the to-be-verified identity information is consistent with the verified identity information.
Referring to FIG. 5, an embodiment of the present application provides a client comprising:
a sending unit 501, configured to send an identity verification token to an application server on which a target service is deployed, in response to a service invocation instruction for the target service, where the token is issued to the client by an issuing server and is generated by the issuing server processing the client's identity information with a preset key, and where the issuing server and the application server belong to the same mutual-trust server cluster in which every server has the same preset key;
an access unit 502, configured to access the target service deployed on the application server if no check-failed information is received from the application server.
In one specific implementation, before the identity verification token is sent to the application server deploying the target service, the sending unit 501 is further configured to send, in response to a service invocation instruction for any service, a service initialization request to the issuing server on which that service is deployed, so that the issuing server initiates an identity check of the client with the remote server;
and the access unit 502 is further configured to receive and store the identity verification token sent by the issuing server and to access the service deployed on the issuing server on the basis of that token, the token having been generated by the issuing server after the remote server determined that the client passed the identity check.
In one specific implementation the access unit 502 is specifically configured to store the identity verification token in the security context of the client's local thread.
Referring to FIG. 6, an embodiment of the present application provides an issuing server comprising:
an initiating unit 601, configured to initiate an identity check of a client with a remote server in response to a service invocation request sent by the client;
a processing unit 602, configured to process the client's identity information with a preset key to generate the client's identity verification token if check-passed information for the client is received from the remote server;
a sending unit 603, configured to send the identity verification token to the client, so that the client sends a service invocation request, on the basis of the token, to an application server on which a target service is deployed, and so that the application server verifies the client locally on the basis of the token; the application server and the issuing server belong to the same mutual-trust server cluster, in which every server has the same preset key.
In one specific implementation the preset key comprises a preset private key and a preset public key, and the processing unit 602 is specifically configured to apply a preset digest algorithm to the client's identity information to obtain a digest of the client's identity information;
to encrypt the digest of the client's identity information with the preset private key to obtain encrypted identity information; and
to generate an identity verification token comprising the client's identity information together with the encrypted identity information.
FIG. 7 is a schematic structural diagram of a computer device provided by an embodiment of the present application. The computer device 700 may comprise one or more central processing units (CPUs) 701 and a memory 705, the memory 705 storing one or more application programs or data.
The memory 705 may be volatile or persistent storage. A program stored in the memory 705 may comprise one or more modules, each comprising a series of instruction operations on the computer device. Further, the central processing unit 701 may be arranged to communicate with the memory 705 and execute, on the computer device 700, the series of instruction operations stored in the memory 705.
The computer device 700 may further comprise one or more power supplies 702, one or more wired or wireless network interfaces 703, one or more input/output interfaces 704, and/or one or more operating systems, such as Windows Server, Mac OS X, Unix, Linux and FreeBSD.
The central processing unit 701 can perform the operations performed by the computer device in the embodiments shown in FIG. 1 to FIG. 6 above, which are not repeated here. The computer device may be the client, the issuing server, the application server and/or the remote server.
Those skilled in the art will readily appreciate that, for convenience and brevity of description, the specific working processes of the systems, devices and units described above may be understood by reference to the corresponding processes in the method embodiments above, and are not repeated here.
In the several embodiments provided in this application, it should be understood that the disclosed systems, devices and methods may be implemented in other ways. For example, the device embodiments described above are merely illustrative: the division into units is only a division by logical function, and other divisions are possible in an actual implementation; several units or components may be combined or integrated into another system, or some features may be omitted or not performed. Furthermore, the couplings, direct couplings or communication connections shown or discussed may be indirect couplings or communication connections through interfaces, devices or units, and may be electrical, mechanical or of other forms.
Units described as separate components may or may not be physically separate, and components shown as units may or may not be physical units; that is, they may be located in one place or distributed across several network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, the functional units in the embodiments of the present application may be integrated into one processing unit, may each exist physically on their own, or two or more of them may be integrated into one unit. The integrated unit may be implemented in hardware or as a software functional unit.
If the integrated unit is implemented as a software functional unit and sold or used as an independent product, it may be stored in a computer-readable storage medium. On this understanding, the technical solution of the present application in essence, or the part that contributes to the prior art, or all or part of the technical solution, may be embodied as a software product stored in a storage medium and comprising instructions that cause a computer device (which may be a personal computer, a server, a network device or the like) to perform all or some of the steps of the methods described in the embodiments of the present application. The storage medium includes any medium capable of storing program code, such as a USB flash drive, a removable hard disk, read-only memory (ROM), random access memory (RAM), a magnetic disk or an optical disc.
An embodiment of the present application further provides a computer program product containing instructions which, when the computer program product runs on a computer, cause the computer to perform the identity verification method described above.
Claims (10)
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202211715373.8A CN116032616A (en) | 2022-12-29 | 2022-12-29 | Identity verification method and related equipment |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202211715373.8A CN116032616A (en) | 2022-12-29 | 2022-12-29 | Identity verification method and related equipment |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN116032616A true CN116032616A (en) | 2023-04-28 |
Family ID: 86073466
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202211715373.8A Pending CN116032616A (en) | 2022-12-29 | 2022-12-29 | Identity verification method and related equipment |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN116032616A (en) |
Citations (9)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101431410A (en) * | 2007-11-09 | 2009-05-13 | 康佳集团股份有限公司 | Authentication method for network game client and server cluster |
| CN107579817A (en) * | 2017-09-12 | 2018-01-12 | 广州广电运通金融电子股份有限公司 | Block chain-based user authentication method, device and system |
| CN110071808A (en) * | 2019-04-09 | 2019-07-30 | 郭浩 | Secure digital identity verification method and device for blockchain users |
| CN110276197A (en) * | 2019-06-25 | 2019-09-24 | 四川长虹电器股份有限公司 | Method for making JWT token revocation take effect in real time based on a shared blacklist |
| CN110535851A (en) * | 2019-08-27 | 2019-12-03 | 浪潮云信息技术有限公司 | User authentication system based on the OAuth2 protocol |
| CN110912700A (en) * | 2019-11-13 | 2020-03-24 | 上汽大通汽车有限公司 | JWT-based distributed system security authentication method |
| CN111092727A (en) * | 2020-03-18 | 2020-05-01 | 支付宝(杭州)信息技术有限公司 | Method and device for sharing cluster key |
| CN112613008A (en) * | 2020-12-26 | 2021-04-06 | 西安科锐盛创新科技有限公司 | Student identity online authentication method and system |
| CN115085999A (en) * | 2022-06-09 | 2022-09-20 | 北京奇艺世纪科技有限公司 | Identity authentication method, system, computer device and storage medium |
Timeline: 2022-12-29, CN application CN202211715373.8A (publication CN116032616A), status: active, Pending
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| US10402578B2 (en) | Management of encrypted data storage | |
| US8732805B2 (en) | Re-authentication in secure web service conversations | |
| US8621587B2 (en) | Systems and methods for facilitating distributed authentication | |
| US20210326513A1 (en) | Enabling File Attachments in Calendar Events | |
| US7533265B2 (en) | Establishment of security context | |
| US10263855B2 (en) | Authenticating connections and program identity in a messaging system | |
| CN111541785A (en) | Block chain data processing method and device based on cloud computing | |
| Cox et al. | Security in plan 9 | |
| KR20010041365A (en) | Per-method designation of security requirements | |
| CN114372245B (en) | Internet of Things terminal authentication method, system, device and medium based on blockchain | |
| CN112153038A (en) | A method, device, verification terminal and readable storage medium for secure login | |
| US10621111B2 (en) | System and method for unified secure remote configuration and management of multiple applications on embedded device platform | |
| JP7145308B2 (en) | A secure way to replicate on-premises secrets in your compute environment | |
| CN114817957B (en) | Encrypted partition access control method, system and computing device based on domain management platform | |
| US8826000B2 (en) | Method and apparatus for supporting cryptographic-related activities in a public key infrastructure | |
| CN115473648A (en) | A certificate issuing system and related equipment | |
| JP6185934B2 (en) | Integrate server applications with many authentication providers | |
| CN118627045A (en) | Identity authentication method, device and electronic device based on file sharing system | |
| WO2024234936A1 (en) | Service providing method and apparatus for third-party applet | |
| CN116032616A (en) | Identity verification method and related equipment | |
| CN120677685A (en) | Enable SSO for embedded applications | |
| CN114640505A (en) | FTP user authentication method and system and construction method thereof | |
| CN114282235A (en) | System and server for docking hardware security modules | |
| CN117278323B (en) | Method for obtaining third-party information, electronic device and readable storage medium | |
| US20100180329A1 (en) | Authenticated Identity Propagation and Translation within a Multiple Computing Unit Environment |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| | PB01 | Publication | |
| | SE01 | Entry into force of request for substantive examination | |