
TWI839911B - System and method for invoking microservice - Google Patents

Publication number
TWI839911B
Authority
TW
Taiwan
Prior art keywords
module
microservice
user
permission
service module
Prior art date
Application number
TW111140453A
Other languages
Chinese (zh)
Other versions
TW202414252A (en
Inventor
洪士軒
方祥任
陳俊良
馬超
孫國鑫
Original Assignee
大陸商鼎捷軟件股份有限公司
鼎新電腦股份有限公司
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 大陸商鼎捷軟件股份有限公司, 鼎新電腦股份有限公司 filed Critical 大陸商鼎捷軟件股份有限公司
Publication of TW202414252A publication Critical patent/TW202414252A/en
Application granted granted Critical
Publication of TWI839911B publication Critical patent/TWI839911B/en

Landscapes

  • Storage Device Security (AREA)

Abstract

A system and a method for invoking microservice are provided. The method includes: generating a security token by a trust-chain-element-module; and after a first microservice module runs a business logic, using the security token by the first microservice module to invoke a second microservice module via the trust-chain-element-module.

Description

System and method for invoking microservices

The present invention relates to software system technology, and more particularly to a system and method for calling microservices.

In a Software as a Service (SaaS) environment, microservices must handle call requests issued by multiple users. These call requests may come from various sources, such as web pages operated by users, mobile devices, and other application services. Authorization authentication and permission authentication of the source of a call request therefore become an unavoidable issue.

Microservice calls occur in many different scenarios. In particular, a single microservice call may trigger a chained operation across a series of microservices. If every microservice in that process performs authorization authentication and permission authentication, the number of microservice calls multiplies several times over, resulting in performance degradation, additional resource consumption, and a worse user experience.

The present invention is directed to a system and method for calling microservices, which can reduce the number of microservice calls to improve system performance and user experience.

According to an embodiment of the present invention, the system for calling microservices includes a storage device and a processor. The storage device stores multiple microservice modules and a trust chain component module, wherein the multiple microservice modules include a first microservice module and a second microservice module. The processor is coupled to the storage device, wherein the trust chain component module generates a security token; after the first microservice module runs its business logic, the first microservice module uses the security token to call the second microservice module via the trust chain component module.

According to an embodiment of the present invention, the method for calling microservices includes: generating a security token by a trust chain component module; and after the first microservice module runs its business logic, using the security token, by the first microservice module, to call the second microservice module via the trust chain component module.

Based on the above, in the system and method for calling microservices of the present invention, a microservice module can use the security token to call its subsequent microservice modules in series (sequentially), without every microservice module having to perform authorization authentication and permission authentication, thereby reducing the number of microservice calls and improving system performance and user experience.

In order to make the above features and advantages of the present invention easier to understand, embodiments are described in detail below with reference to the accompanying drawings.

Reference will now be made in detail to exemplary embodiments of the present invention, examples of which are illustrated in the accompanying drawings. Wherever possible, the same reference numerals are used in the drawings and the description to denote the same or similar parts.

FIG. 1 is a schematic diagram of a system 100 for calling microservices according to an embodiment of the present invention. Referring to FIG. 1, the system 100 includes a storage device 110 and a processor 120. The system 100 can be communicatively connected to a user electronic device 200. The processor 120 is coupled to the storage device 110.

In this embodiment, the storage device 110 may include a memory and/or a database, wherein the memory may be, for example, a non-volatile memory (NVM). The processor 120 may include a central processing unit (CPU), or another programmable general-purpose or special-purpose microprocessor, digital signal processor (DSP), application specific integrated circuit (ASIC), programmable logic device (PLD), other similar processing circuit, or a combination of these devices. The storage device 110 can store the programs, modules, systems or algorithms used to implement the embodiments of the present invention, so that the processor 120 can access and execute them to carry out the functions and operations described in the embodiments. In this embodiment, the storage device 110 can store multiple microservice modules and a trust chain component module 112, wherein the multiple microservice modules include a first microservice module 111a, a second microservice module 111b, and a third microservice module 111c. In addition, the storage device 110 can store a service permission component module 113, a permission service module 114, and an authorization service module 115, whose functions are described later. It should be noted that the number of microservice modules shown in FIG. 1 is for illustration only, and the present invention is not limited thereto.

FIG. 2 is a flow chart of a method for calling microservices according to an embodiment of the present invention. Referring to FIG. 1 and FIG. 2, the system 100 of FIG. 1 may execute the following steps S210 and S220. In step S210, the trust chain component module 112 may generate a security token. In step S220, after the first microservice module 111a runs its business logic, the first microservice module 111a may use the security token to call the second microservice module 111b via the trust chain component module 112. In other words, after the trust chain component module 112 generates the security token, each microservice module may use the same security token to call its subsequent microservice module in series (sequentially). This is explained further below.

FIG. 3 is a schematic diagram of a trust chain architecture of multiple microservice modules according to an embodiment of the present invention. Refer to FIG. 1 and FIG. 3. In this embodiment, the first microservice module 111a may run on top of the trust chain component module 112 and the service permission component module 113 (for example, the trust chain component module 112 and the service permission component module 113 may be implemented at the bottom layer of the first microservice module 111a), and the first microservice module 111a may include its business logic. Similarly, the second microservice module 111b may run on top of the trust chain component module 112 and the service permission component module 113 (for example, the trust chain component module 112 and the service permission component module 113 may be implemented at the bottom layer of the second microservice module 111b), and the second microservice module 111b may include its business logic.

In this embodiment, the trust chain component module 112 can be used to generate and verify the security token. Specifically, after the trust chain component module 112 generates the security token, the first microservice module 111a can use the security token to call the second microservice module 111b (in series). Each subsequent microservice module (such as the second microservice module 111b) can then verify, via the trust chain component module 112, whether the security token is legitimate. On the other hand, the first microservice module 111a can call the permission service module 114 via the service permission component module 113, so that the permission service module 114 and the authorization service module 115 determine whether the user electronic device 200 is legitimate (that is, the permission service module 114 performs user authentication, and the authorization service module 115 performs authorization authentication). After the user electronic device 200 is determined to be legitimate, the permission service module 114 can generate a user token, and the first microservice module 111a can receive the user token from the permission service module 114 via the service permission component module 113.

FIG. 4 is a flow chart of the trust chain operation of multiple microservice modules according to an embodiment of the present invention. Refer to FIG. 1, FIG. 3 and FIG. 4. In step S401, the user electronic device 200 can send a microservice call request (a remote call) to the first microservice module 111a. In step S402, the first microservice module 111a can receive the microservice call request for the first microservice module 111a from the user electronic device 200, and confirm that the microservice call request contains neither a user token nor a security token. After the first microservice module 111a confirms that the microservice call request contains neither a user token nor a security token, in step S403, the first microservice module 111a can call the permission service module 114 (via the service permission component module 113), so that the permission service module 114 determines whether the user electronic device 200 is legitimate (i.e., performs user authentication).

In step S404, the permission service module 114 may perform user authentication. After the permission service module 114 determines that the user authentication has passed, in step S405, the permission service module 114 may call the authorization service module 115, so that the authorization service module 115 determines whether the user electronic device 200 is legitimate (i.e., performs authorization authentication). In step S406, the authorization service module 115 may perform authorization authentication.

After the authorization service module 115 determines that the authorization authentication has passed, in step S407, the permission service module 114 can receive an authorization authentication success notification from the authorization service module 115 and generate a user token. In step S408, the first microservice module 111a can receive the user token from the permission service module 114 via the service permission component module 113, and generate a security token via the trust chain component module 112.

In step S409, the first microservice module 111a may run its business logic and transmit a call request that includes the security token to the second microservice module 111b, thereby calling the second microservice module 111b.

In step S410, the second microservice module 111b may receive the call request and determine, via the trust chain component module 112, whether the security token is legitimate. After the second microservice module 111b confirms via the trust chain component module 112 that the security token is legitimate, in step S411, the second microservice module 111b may run its business logic and transmit a call request that includes the security token to the third microservice module 111c, thereby calling the third microservice module 111c. In step S412, the third microservice module 111c may receive the call request and determine, via the trust chain component module 112, whether the security token is legitimate. After the third microservice module 111c confirms via the trust chain component module 112 that the security token is legitimate, in step S413, the third microservice module 111c may run its business logic.

In step S414, the second microservice module 111b may receive a call response message from the third microservice module 111c and continue to complete the business logic of the second microservice module 111b. In step S415, the first microservice module 111a may receive a call response message from the second microservice module 111b and continue to complete the business logic of the second microservice module 111b. In step S416, the first microservice module 111a may transmit the microservice call response to the user electronic device 200.

It should be noted that the number of microservice modules shown in FIG. 4 is for illustration only. In other words, each microservice module can use the security token to call its subsequent microservice modules in series (sequentially), and only the first microservice module 111a needs to perform authorization authentication and permission authentication with the permission service module 114 and the authorization service module 115.

FIG. 5 is a schematic diagram of a trust chain operation scenario of multiple microservice modules according to an embodiment of the present invention. Refer to FIG. 1 and FIG. 5. The trust chain component module 112 can generate and verify the security token, so that the microservice modules can complete the serial microservice calls. On the other hand, the permission service module 114 can perform user authentication, after which the authorization service module 115 can perform authorization authentication, so that the first microservice module 111a can complete the necessary authentication calls.

FIG. 6 is a flow chart of generating a user token in a trust chain operation scenario according to an embodiment of the present invention. Refer to FIG. 1, FIG. 5 and FIG. 6. In step S601, the permission service module 114 may receive user login information from the user electronic device 200.

In this embodiment, the permission service module 114 can store the tenant information corresponding to the user login information. In addition, the authorization service module 115 can store (legitimate) tenant information. When the permission service module 114 determines that the user login information is legitimate, and the authorization service module 115 determines that the tenant information corresponding to the user login information is legitimate, the permission service module 114 can generate a user token.

Specifically, in step S602, the permission service module 114 may determine whether the user login information is legitimate (perform user authentication). When the permission service module 114 determines that the user login information is legitimate, the permission service module 114 may obtain the tenant information, stored by the permission service module 114, that corresponds to the user login information.

In step S603, the permission service module 114 may transmit the tenant information corresponding to the user login information to the authorization service module 115. In step S604, the authorization service module 115 may determine whether the tenant information is legitimate (i.e., determine whether the tenant is an authorized tenant). After the authorization service module 115 determines that the authorization authentication has passed, in step S605, the authorization service module 115 may transmit an authorization authentication success notification to the permission service module 114.

In step S606, the permission service module 114 may generate a user token. In step S607, the permission service module 114 may transmit the user token to the user electronic device 200.

FIG. 7 is a schematic diagram of calling the first microservice module 111a in the trust chain operation scenario according to an embodiment of the present invention. Refer to FIG. 1, FIG. 5 and FIG. 7. It is worth noting that FIG. 7 differs from FIG. 6 as follows: in the embodiment of FIG. 6, the user has not yet obtained a user token, so the user must first perform permission verification and authorization verification with the permission service module 114 and the authorization service module 115 to obtain the user token. In the embodiment of FIG. 7, by contrast, the user already has a user token, so the user can use the user token to call the first microservice module 111a.

In step S701, the first microservice module 111a may receive a microservice call request for the first microservice module 111a from the user electronic device 200, wherein the microservice call request includes a user token. In step S702, the first microservice module 111a may call the permission service module 114 via the service permission component module 113 to determine whether the user token is legitimate. In detail, the first microservice module 111a may transmit the user token to the permission service module 114 via the service permission component module 113.

In step S703, when the permission service module 114 determines that the user token is legitimate, the permission service module 114 may send an authentication success notification to the service permission component module 113. In step S704, the first microservice module 111a may generate a security token via the trust chain component module 112.

FIG. 8 is a flow chart of calling the second microservice module 111b and subsequent microservice modules in the trust chain operation scenario according to an embodiment of the present invention. Refer to FIG. 1, FIG. 5 and FIG. 8. As described in the above embodiments, the first microservice module 111a can use the security token to call the second microservice module 111b via the trust chain component module 112. Then, when the second microservice module 111b determines via the trust chain component module 112 that the security token is legitimate, the second microservice module 111b can run its business logic and use the security token to call the third microservice module 111c via the trust chain component module 112.

Specifically, in step S801, the first microservice module 111a may run its business logic. In step S802, the first microservice module 111a may transmit a call request that includes the security token to the second microservice module 111b to call the second microservice module 111b.

In step S803, the second microservice module 111b may receive the call request and determine, via the trust chain component module 112, whether the security token is legitimate. After the second microservice module 111b determines via the trust chain component module 112 that the security token is legitimate, the second microservice module 111b may run its business logic. In step S804, the second microservice module 111b may transmit a call request that includes the security token to the third microservice module 111c.

In step S805, the third microservice module 111c may receive the call request and determine, via the trust chain component module 112, whether the security token is legitimate. After the third microservice module 111c determines via the trust chain component module 112 that the security token is legitimate, the third microservice module 111c may run its business logic.

In step S806, the third microservice module 111c can complete the business logic of the third microservice module 111c and send a call response message to the second microservice module 111b. In step S807, the second microservice module 111b can complete the business logic of the second microservice module 111b and send a call response message to the first microservice module 111a.

In one embodiment, the security token may include a tenant identification, a user identification, and an expiration date. Table 1 is an example of a security token. After the trust chain component module 112 generates the security token, the trust chain component module 112 may encrypt the security token using a key. The key may, for example, correspond to the expiration date, and the trust chain component module 112 may update the key after the expiration date has passed.

Table 1 (an example of a security token)
Tenant identification | User identification | Expiration date
tenant2 | user1 | Service1
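The token handling and the serial call flow described above can be sketched as follows. This is an added example, not code from the patent: the names `TrustChain`, `Issue`, `Verify` and `Invoke`, the JSON encoding, the choice of AES-256-GCM, and the single in-process key shared by all modules are assumptions, and the user token and module names are constructed sample values.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

var ErrInvalid, ErrExpired = errors.New("security token invalid"), errors.New("security token expired")

// SecurityToken holds the three fields the description lists.
type SecurityToken struct {
	TenantID, UserID string
	Expiry           time.Time
}

// TrustChain stands in for trust chain component module 112 (hypothetical API).
// Its AES-256-GCM key is tied to an expiry and replaced once that expiry passes.
type TrustChain struct {
	TTL       time.Duration
	aead      cipher.AEAD
	keyExpiry time.Time
}

// Issue encrypts a token for a user who has already passed authentication.
func (tc *TrustChain) Issue(tenant, user string, now time.Time) (string, error) {
	if !now.Before(tc.keyExpiry) { // no key yet, or key expired: update the key
		key := make([]byte, 32)
		if _, err := rand.Read(key); err != nil {
			return "", err
		}
		block, _ := aes.NewCipher(key)    // cannot fail for a 32-byte key
		tc.aead, _ = cipher.NewGCM(block) // cannot fail for an AES block
		tc.keyExpiry = now.Add(tc.TTL)
	}
	plain, _ := json.Marshal(SecurityToken{tenant, user, tc.keyExpiry})
	nonce := make([]byte, tc.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(tc.aead.Seal(nonce, nonce, plain, nil)), nil
}

// Verify decrypts and authenticates the token, then checks its expiry.
func (tc *TrustChain) Verify(token string, now time.Time) (SecurityToken, error) {
	var st SecurityToken
	raw, err := base64.RawURLEncoding.DecodeString(token)
	if err != nil || tc.aead == nil || len(raw) < tc.aead.NonceSize() {
		return st, ErrInvalid
	}
	n := tc.aead.NonceSize()
	plain, err := tc.aead.Open(nil, raw[:n], raw[n:], nil)
	if err != nil || json.Unmarshal(plain, &st) != nil {
		return SecurityToken{}, ErrInvalid // tampered, forged, or sealed under a replaced key
	}
	if !now.Before(st.Expiry) {
		return SecurityToken{}, ErrExpired
	}
	return st, nil
}

// Invoke models one request: auth (standing in for modules 114/115) runs once, the security
// token is issued, and every module in the series verifies that same token before its logic.
func Invoke(tc *TrustChain, auth func(string) (string, string, bool), userToken string, modules []string, now time.Time) ([]string, error) {
	tenant, user, ok := auth(userToken)
	if !ok {
		return nil, errors.New("user token rejected")
	}
	token, err := tc.Issue(tenant, user, now)
	if err != nil {
		return nil, err
	}
	var trace []string
	for _, m := range modules {
		st, err := tc.Verify(token, now)
		if err != nil {
			return trace, fmt.Errorf("%s: %w", m, err)
		}
		trace = append(trace, m+" ran for "+st.TenantID+"/"+st.UserID)
	}
	return trace, nil
}

func main() {
	calls := 0 // counts round trips to the permission service
	auth := func(ut string) (string, string, bool) {
		calls++
		return "tenant2", "user1", ut == "constructed-user-token"
	}
	tc := &TrustChain{TTL: time.Hour}
	trace, err := Invoke(tc, auth, "constructed-user-token", []string{"svc1", "svc2", "svc3"}, time.Now())
	fmt.Println(trace, err, "auth calls:", calls)
}
```

Because every module accepts the same token until the key's expiration, the length of that window and the protection of the shared key bound how long a leaked token remains usable.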

It is worth noting that the microservice modules in this embodiment may respectively correspond to multiple applications. For example, the first microservice module 111a may belong to a first application, the second microservice module 111b may belong to a second application, and the third microservice module 111c may belong to a third application. Furthermore, the first application, the second application, and the third application may be the same application. Alternatively, the first application, the second application, and the third application may be different applications.

In summary, in the system and method for calling microservices of the present invention, a microservice module can use the security token to call its subsequent microservice modules in series (sequentially), without every microservice module having to perform authorization authentication and permission authentication. In particular, only the first microservice module in the series needs to perform authorization authentication and permission authentication; each subsequent microservice module can rely on the security token to ensure that the user who called the first microservice module has passed authorization authentication and permission authentication. Additional authorization authentication and permission authentication are thereby avoided, and a serial microservice call does not fail because a particular microservice module fails authentication, which improves system performance and user experience.

Finally, it should be noted that the above embodiments are only used to illustrate the technical solutions of the present invention, not to limit them. Although the present invention has been described in detail with reference to the above embodiments, a person of ordinary skill in the art should understand that the technical solutions described in the above embodiments can still be modified, or some or all of their technical features can be replaced with equivalents, and that such modifications or replacements do not cause the essence of the corresponding technical solutions to depart from the scope of the technical solutions of the embodiments of the present invention.

100: System for calling microservices
110: Storage device
111a: First microservice module
111b: Second microservice module
111c: Third microservice module
112: Trust chain component module
113: Service permission component module
114: Permission service module
115: Authorization service module
120: Processor
200: User electronic device
S210~S220, S401~S416, S601~S606, S701~S704, S801~S807: Steps

FIG. 1 is a schematic diagram of a system for calling microservices according to an embodiment of the present invention.
FIG. 2 is a flow chart of a method for calling microservices according to an embodiment of the present invention.
FIG. 3 is a schematic diagram of a trust chain architecture of multiple microservice modules according to an embodiment of the present invention.
FIG. 4 is a flow chart of the trust chain operation of multiple microservice modules according to an embodiment of the present invention.
FIG. 5 is a schematic diagram of a trust chain operation scenario of multiple microservice modules according to an embodiment of the present invention.
FIG. 6 is a flow chart of generating a user token in a trust chain operation scenario according to an embodiment of the present invention.
FIG. 7 is a schematic diagram of calling the first microservice module in a trust chain operation scenario according to an embodiment of the present invention.
FIG. 8 is a flow chart of calling the second microservice module and subsequent microservice modules in a trust chain operation scenario according to an embodiment of the present invention.

S210, S220: Steps

Claims (14)

1. A system for calling microservices, comprising: a storage device storing a plurality of microservice modules and a trust chain component module, wherein the plurality of microservice modules include a first microservice module and a second microservice module; and a processor coupled to the storage device, wherein the trust chain component module generates a security token; after the first microservice module runs the business logic, the first microservice module uses the security token to call the second microservice module via the trust chain component module, wherein the plurality of microservice modules further include a third microservice module, wherein when the second microservice module determines via the trust chain component module that the security token is legitimate, the second microservice module runs the business logic and uses the security token to call the third microservice module via the trust chain component module.

2. The system as described in claim 1, wherein the storage device further stores a service permission component module and a permission service module, wherein the permission service module receives user login information from a user electronic device; when the permission service module determines that the user login information is legitimate, the permission service module transmits a user token to the user electronic device.

3. The system as described in claim 2, wherein the storage device further stores an authorization service module, wherein when the permission service module determines that the user login information is legitimate, and the authorization service module determines that the tenant information corresponding to the user login information is legitimate, the permission service module generates the user token.

4. The system as described in claim 3, wherein the permission service module stores the tenant information corresponding to the user login information, wherein when the permission service module determines that the user login information is legitimate, the permission service module transmits the tenant information corresponding to the user login information to the authorization service module.

5. The system as described in claim 1, wherein the storage device further stores a service permission component module and a permission service module, wherein the first microservice module receives a microservice call request of the first microservice module from a user electronic device, wherein the microservice call request includes a user token; the first microservice module calls the permission service module via the service permission component module to determine whether the user token is legitimate; when the permission service module determines that the user token is legitimate, the first microservice module generates the security token via the trust chain component module.

6. The system as described in claim 1, wherein the security token includes a tenant identification, a user identification, and an expiration date.

7. The system as described in claim 1, wherein the first microservice module and the second microservice module correspond to a first application and a second application respectively, wherein the first application and the second application are the same, or the first application and the second application are different.

8. A method for calling microservices, applicable to a system storing a plurality of microservice modules and a trust chain component module, wherein the plurality of microservice modules include a first microservice module and a second microservice module, wherein the method comprises: generating a security token by the trust chain component module; and after the first microservice module runs the business logic, using the security token by the first microservice module to call the second microservice module via the trust chain component module, wherein the plurality of microservice modules further include a third microservice module, wherein the method further comprises: when the second microservice module determines via the trust chain component module that the security token is legitimate, running the business logic by the second microservice module, and using the security token to call the third microservice module via the trust chain component module.

9. The method as described in claim 8, wherein the system further stores a service permission component module and a permission service module, wherein the method further comprises: receiving, by the permission service module, user login information from a user electronic device; when the permission service module determines that the user login information is legitimate, transmitting, by the permission service module, a user token to the user electronic device.

10. The method as described in claim 9, wherein the system further stores an authorization service module, wherein the method further comprises: when the permission service module determines that the user login information is legitimate, and the authorization service module determines that the tenant information corresponding to the user login information is legitimate, generating the user token by the permission service module.

11. The method as described in claim 10, wherein the permission service module stores the tenant information corresponding to the user login information, wherein the method further comprises: when the permission service module determines that the user login information is legitimate, transmitting, by the permission service module, the tenant information corresponding to the user login information to the authorization service module.

12. The method as described in claim 8, wherein the system further stores a service permission component module and a permission service module, wherein the method further comprises: receiving, by the first microservice module, a microservice call request of the first microservice module from a user electronic device, wherein the microservice call request includes a user token; calling, by the first microservice module, the permission service module via the service permission component module to determine whether the user token is legitimate; when the permission service module determines that the user token is legitimate, generating, by the first microservice module, the security token via the trust chain component module.

13. The method as described in claim 8, wherein the security token includes a tenant identification, a user identification, and an expiration date.

14. The method as described in claim 8, wherein the first microservice module and the second microservice module correspond to a first application and a second application, respectively, wherein the first application and the second application are the same, or the first application and the second application are different.
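The token flow recited in the claims (user token checked at the first module, a security token carrying tenant identification, user identification and expiration, then re-verified at each later module before it is forwarded) can be sketched as follows. This is an added example, not code from the patent: the claims do not specify a token format or how the token is protected, so the HMAC-SHA256 tag, `CHAIN_KEY`, `USER_TOKENS` and all function names are assumptions.

```python
import base64, hashlib, hmac, json, time

CHAIN_KEY = b"constructed-demo-key"  # assumption: secret held only by the trust chain component
USER_TOKENS = {"user-token-abc": ("tenant-1", "alice")}  # constructed stand-in for the permission service

class TokenError(Exception):
    """Raised when a user token or security token is rejected."""

def _tag(body):
    return hmac.new(CHAIN_KEY, body, hashlib.sha256).hexdigest().encode()

def issue_security_token(tenant_id, user_id, ttl=60, now=None):
    """Trust chain component: bind tenant, user and expiry under one MAC."""
    now = time.time() if now is None else now
    claims = {"tenant": tenant_id, "user": user_id, "exp": int(now) + ttl}
    body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode())
    return (body + b"." + _tag(body)).decode()

def verify_security_token(token, now=None):
    """Trust chain component: check the MAC first, then the expiry."""
    now = time.time() if now is None else now
    try:
        body, tag = token.encode().split(b".")
    except ValueError:
        raise TokenError("malformed token")
    if not hmac.compare_digest(tag, _tag(body)):
        raise TokenError("bad MAC")
    claims = json.loads(base64.urlsafe_b64decode(body))
    if claims["exp"] <= now:
        raise TokenError("expired")
    return claims

def downstream(names, token, trace, now=None):
    """Second, third, ... modules: verify, run business logic, forward the same token."""
    if not names:
        return
    claims = verify_security_token(token, now)
    trace.append((names[0], claims["tenant"], claims["user"]))  # stands in for business logic
    downstream(names[1:], token, trace, now)

def first_service(user_token, trace, now=None):
    """First module: validate the user token, mint the security token, start the chain."""
    identity = USER_TOKENS.get(user_token)
    if identity is None:
        raise TokenError("user token rejected")
    token = issue_security_token(*identity, now=now)
    trace.append(("first", *identity))
    downstream(["second", "third"], token, trace, now)
    return token
```

Because every hop re-verifies the MAC and the expiry, a token whose tenant field has been altered, or one replayed after expiry, is rejected at whichever module receives it rather than only at the chain's entry point.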
TW111140453A 2022-09-26 2022-10-25 System and method for invoking microservice TWI839911B (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN202211177251.8A CN115865399A (en) 2022-09-26 2022-09-26 System and method for invoking microservices
CN202211177251.8 2022-09-26

Publications (2)

Publication Number Publication Date
TW202414252A TW202414252A (en) 2024-04-01
TWI839911B true TWI839911B (en) 2024-04-21

Family

ID=85661156

Family Applications (1)

Application Number Title Priority Date Filing Date
TW111140453A TWI839911B (en) 2022-09-26 2022-10-25 System and method for invoking microservice

Country Status (2)

Country Link
CN (1) CN115865399A (en)
TW (1) TWI839911B (en)

Also Published As

Publication number Publication date
CN115865399A (en) 2023-03-28
TW202414252A (en) 2024-04-01
