Background technique
Many application programs use the data of isomery to store behind.Most of business needs to carry out safety by Data Mart
, managed data access, data service affairs, data transmission and verifying.In SOA, the data of enterprise are exposed into clothes
Business is exactly data service from bottom storage decoupling.
WSO2 DSS(Data Services Server, data access servers) make SOA(Service-Oriented
Architecture, Enterprise SOA) exploitation become to be particularly easy to, provide a platform easy to use: integrated
Data storage, creation complex data view, trustship separate sources data (such as web services or REST class of WS-* type
The web resource of type).
DSS is mainly by different data sources (such as relevant database, csv file, Excel table, Google
Spreadsheet etc.) data generate and issue into service interface, it can be achieved that Zero-code can be quickly generated service interface.
In addition, DSS system carries efficient container, the operation of supporting interface can be stablized, and there is good oncurrent processing ability.
Browser or program means access service interface can be used to obtain data for client.DSS can provide based on user name
With the safe access control and safe transmission of password authentification.Based on this security control, the data of enterprise can pass through service interface
Form authorization a certain user access, reach the target of data access range-controllable.If but authorized user accidentally connects service
Port address, user name and password are spread to other users, then this parameter access service interface can also be used in other users, it is clear that clothes
Business interface is spread in this course, and enterprise is ignorant.
The case where having issued, and having been spread in service interface for this proposes a kind of service herein for property and connects
The effective ways of mouth non-proliferation, can be obviously improved the access safety of business data.
Summary of the invention
The purpose of the present invention is to propose to a kind of methods based on service interface access history authentication.
For achieving the above object, the technical scheme is that a kind of data-interface non-proliferation method, comprising:
During by service interface of the client request using server end,
Using account to the history such as an access address, preceding primary access password, preceding access time before the service interface
Factor generates dynamic password;
It is accessed safety check using the dynamic password;
Expendable characteristic is only capable of using the dynamic password to judge whether the service interface allows to be used.
Preferably, a time dynamic password generator is arranged for DSS in the server end, including DSS, and the dynamic password is raw
It grows up to be a useful person on the basis of not changing existing DSS framework, the account access password of service interface is modified by DSS control interface.
Preferably, the time dynamic password generator modification account access password includes:
Account initialization generates an actual use by Encryption Algorithm according to account information " initial password+address+time "
Password;
The Access Events information of the service interface, access time, access address are obtained by server end DSS control interface
Deng, in conjunction with access when access password, pass through Encryption Algorithm generate an actual use password.
Preferably, an account manager is arranged for applications client, to answer in the client-side, including applications client
Account service is provided with client;When applications client needs to access service, access corresponding server is obtained from account manager
Account information, including account and password;After applications client accesses application success, it is close that notice account manager calculates update dynamic
Code.
Preferably, the account manager calculating update dynamic password includes:
Account initialization, it is close by Encryption Algorithm one actual use of generation according to account information " initial password+address+time "
Code;
After applications client access services successfully, according to access time, access address, access password, generated by Encryption Algorithm
One actual use password
Account information is imported by UKey, and import information mainly includes last access address, access time, accesses password,
Use when access encrypted message will be used to access service next time.
The beneficial effects of the present invention are:
Data-interface non-proliferation method of the invention has prevented bring service interface after service interface password is passively revealed and has spread
Problem;It greatly improves authorized user and actively reveals the cost of service interface password, so that the diffusion for reducing service interface is asked
Topic.
Specific embodiment
Below in conjunction with attached drawing, technical scheme in the embodiment of the invention is clearly and completely described.
As shown in Figure 1, a kind of data-interface non-proliferation embodiment of the method for the present invention, comprising:
During by service interface of the client request using server end,
Using account to the history such as an access address, preceding primary access password, preceding access time before the service interface
Factor generates dynamic password;
It is accessed safety check using the dynamic password;
Expendable characteristic is only capable of using the dynamic password to judge whether the service interface allows to be used.
One, server end, including DSS, the time dynamic password generator for DSS setting is an independent program, not
On the basis of changing existing DSS framework, the account access password of special services interface can be modified by DSS control interface
Time dynamic password generator modifies account access password, and there are two links:
Account initialization passes through encryption according to account information " address initial password+0.0.0.0()+19700101(time) "
Algorithm generates an actual use password.
Can by DSS control interface obtain special services interface Access Events information, access time, access address etc.,
Access password when in conjunction with access generates an actual use password by Encryption Algorithm.
After dynamic password generates, generator can modify the account access password of special services interface by DSS control interface,
Come into force the dynamic password of service interface.
Two, client-side, including one " account manager " is set for applications client, account is provided for applications client
Service.Applications client is for DSS, and applications client is the CLIENT PROGRAM using data service.
When client needs to access service, access corresponding server account information, including account are obtained from " account manager "
Family and password.After applications client accesses application success, it is also necessary to notify " account manager " calculates to update dynamic password.
Applications client, " account manager " modify link there are three account informations:
Account initialization passes through encryption according to account information " address initial password+0.0.0.0()+19700101(time) "
Algorithm generates an actual use password.
After applications client access services successfully, according to access time, access address, access password, pass through Encryption Algorithm
Generate an actual use password.
Account information can import (accordingly having export function) by media such as UKey, and import information mainly includes upper one
Secondary access address, access time, access password, practical only access encrypted message will be used to make when accessing service next time
With.
Three, dynamic password change procedure is as follows
Server end and client have same change procedure, as shown in table 1 below
|
Last password |
Last client address |
Last access time |
More new password |
Before accessing for the first time |
LnitKey |
0.0.0.0 |
19700101 |
X89C05 |
After accessing for the first time |
X89C05 |
10.2.3.1 |
20180608 |
FCD0X3 |
Before back-call |
FCD0X3 |
10.2.3.1 |
20180609 |
47XGF6 |
After third time accesses |
47XGF6 |
10.8.55.6 |
20180610 |
89XGV3 |
…… |
|
|
|
|
(1) after account initialization, dynamic password is calculated by initial password, such as " the 1st access before " the 1st article in table, after calculating
Password is " X89C05 ", and the client address used when calculating is " 0.0.0.0 ", and the time is " 19700101 ", last close
Code is account initial password.
(2) password " X89C05 ", after access, account information are used by client 10.2.3.1 access service for the first time
2nd article is updated in table, and updated password is " FCD0X3 ".
(3) second is also 10.2.3.1 access, and using password " FCD0X3 ", after access, account information is updated in table
3rd article, updated password is " 47XGF6 ".
(4) client variation is 10.8.55.6 access (in table after the 3rd access, client address) when third time accesses, and is made
With password " 47XGF6 ", after access, account information is updated in table the 3rd article, and updated password is " 89XGV3 ".
Third time access is somewhat special: the client address that account uses is changed:
Client: it needs the account information of " after the 2nd access " means are imported by the export that private client provides, by account
Family information moves to new client from frequent customer end, considers for secrecy, and transition process account information does not have readability.
Server end: from service access password angle not client perception end address transfer, but server end is in service access
Afterwards, during dynamic more new password, this variation can be perceived, server end keeps a record as maintenance information convenient for audit.
Four, dynamic password calculation method
(1) password generation algorithm can configure optional in server and client side, such as MD5, DES, AES function;
(2) address used when calculating and temporal information, as shown in process above, first time access address is full zero-address, i.e.,
0.0.0.0;Access time is 19700101.Subsequent calculating takes actual parameter.
(3) parameter used in cryptographic calculations, it is above-mentioned to simply facilitate description and be exemplified as address and time and last close
Code, when realization, can have more actual conditions and determine that main principle is: server end and client can equity obtain identical value
Parameter.
Cause specific leads to server end and client account information difference, and when causing service that cannot access, it needs
Server and client side reverts to init state, i.e., first recording status in upper table respectively.Its synchronization means is not at this
Case range, such as pass through service request WorkForm System.
Described embodiments are only a part of the embodiments of the present invention, instead of all the embodiments.Based on the present invention
In embodiment, every other implementation obtained by those of ordinary skill in the art without making creative efforts
Example, shall fall within the protection scope of the present invention.