CN111131308A - Calling system and method based on service - Google Patents

Calling system and method based on service Download PDF

Info

Publication number
CN111131308A
CN111131308A CN201911414885.9A CN201911414885A CN111131308A CN 111131308 A CN111131308 A CN 111131308A CN 201911414885 A CN201911414885 A CN 201911414885A CN 111131308 A CN111131308 A CN 111131308A
Authority
CN
China
Prior art keywords
service
user
configuration
center
secret key
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN201911414885.9A
Other languages
Chinese (zh)
Other versions
CN111131308B (en
Inventor
徐晓飞
张恒阳
孙蓉蓉
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Weimeng Chuangke Network Technology China Co Ltd
Original Assignee
Weimeng Chuangke Network Technology China Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Weimeng Chuangke Network Technology China Co Ltd filed Critical Weimeng Chuangke Network Technology China Co Ltd
Priority to CN201911414885.9A priority Critical patent/CN111131308B/en
Publication of CN111131308A publication Critical patent/CN111131308A/en
Application granted granted Critical
Publication of CN111131308B publication Critical patent/CN111131308B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/04Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/50Network service management, e.g. ensuring proper service fulfilment according to agreements
    • H04L41/5041Network service management, e.g. ensuring proper service fulfilment according to agreements characterised by the time relationship between creation and deployment of a service
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/50Network service management, e.g. ensuring proper service fulfilment according to agreements
    • H04L41/5058Service discovery by the service manager
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/06Network architectures or network communication protocols for network security for supporting key management in a packet data network
    • H04L63/067Network architectures or network communication protocols for network security for supporting key management in a packet data network using one-time keys
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/083Network architectures or network communication protocols for network security for authentication of entities using passwords
    • H04L63/0838Network architectures or network communication protocols for network security for authentication of entities using passwords using one-time-passwords
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00Network arrangements or protocols for supporting network services or applications
    • H04L67/50Network services
    • H04L67/51Discovery or management thereof, e.g. service location protocol [SLP] or web services
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/16Implementing security features at a particular protocol layer
    • H04L63/168Implementing security features at a particular protocol layer above the transport layer

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Storage Device Security (AREA)

Abstract

The embodiment of the invention provides a service calling safety system and a method, comprising the following steps: the configuration center is used for receiving the service provided by the producer and setting configuration information of the service, encrypting the service provided by the producer and sending the encrypted service to the registration center; the registration center is used for receiving and issuing the service encrypted by the configuration center, decrypting the issued encrypted service and providing the decrypted service to users with different affiliate groups and having calling authority, and/or decrypting the issued encrypted service and providing the decrypted service to the users in the affiliate groups; the user with authority is: the user who obtains the configuration information of the service and the service decryption authority can obtain the service calling safety system and the service calling safety method, the user who really needs the service can obtain the service through authentication through the encryption service provided by a producer, the safety of a service provider is provided, the abnormal access amount is reduced, and the obtaining speed is improved.

Description

Calling system and method based on service
Technical Field
The invention relates to network security, in particular to a service-based calling system and a service-based calling method.
Background
For service invocation, dubbo, rpc, which is a kind of SOA framework, is a popular way nowadays, and there are both service producers and service consumers when invoking through the service layer of the time program. The consumer calls the producer's service directly.
In the process of implementing the invention, the inventor finds that at least the following problems exist in the prior art:
the existing framework has the defects that services can be called as long as interface information of producer services is known, so that the problem of increasing the concurrency of the producer services and the problem of increasing the safety certification of the services are inevitable.
Disclosure of Invention
The embodiment of the invention provides a calling system and a calling method based on service, which can ensure that a user really needed for the service can be obtained through authentication by an encryption service provided for a producer, provide the safety of a service provider, reduce abnormal access amount and improve the obtaining speed.
To achieve the above object, in one aspect, an embodiment of the present invention provides a service-based calling system, including:
the configuration center is used for receiving the service provided by the producer and setting configuration information of the service, encrypting the service provided by the producer and sending the encrypted service to the registration center; wherein the configuration information of the service includes: the user public configuration UC, the unique identification ID of the service, and the affiliation group of the producer or the affiliation group of the user;
the registration center is used for receiving and issuing the service encrypted by the configuration center, decrypting the issued encrypted service and providing the decrypted service to users with different affiliate groups and having calling authority, and/or decrypting the issued encrypted service and providing the decrypted service to the users in the affiliate groups; the user with authority is: and obtaining the configuration information of the service and the user of the service decryption authority.
On the other hand, an embodiment of the present invention further provides a service-based calling method, including:
a service-based calling method, comprising:
the method comprises the steps of storing the service provided by a producer in a configuration center, setting configuration information for the service by the configuration center, encrypting the service provided by the producer, and sending the encrypted service to a registration center, wherein the configuration information of the service comprises the following steps: the user public configuration UC, the unique identification ID of the service, and the affiliation group of the producer or the affiliation group of the user;
the registration center receives and releases the encryption service sent by the configuration center; and the number of the first and second groups,
when the user calls the service, the registration center decrypts the issued encrypted service and then sends the decrypted service to the user with the calling authority, and/or decrypts the issued encrypted service and then provides the decrypted service to the user in the affiliation group; the user with authority is: and obtaining the configuration information of the service and the user of the service decryption authority.
The technical scheme has the following beneficial effects: the invention aims to realize the decoupling of safety authentication, service release and service registration, realize the purpose of service automation by changing certain configuration of a configuration center, for example, another database needs to be connected, only the address of the database needs to be modified at a service end of the configuration center instead of directly modifying a configuration file of the service, and then restart the database. The most important is to realize the black box operation of the service, hide the specific details inside the service (corresponding to a black box with an inlet and an outlet for the outside world), and then add a layer of security filter outside the boxes. Thereby ensuring that all applications entering the service are secure.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, it is obvious that the drawings in the following description are only some embodiments of the present invention, and for those skilled in the art, other drawings can be obtained according to the drawings without creative efforts.
FIG. 1 is a schematic structural diagram of a service-based calling system according to an embodiment of the present invention;
FIG. 2 is a flow chart of a service-based calling method according to an embodiment of the present invention;
FIG. 3 is a schematic diagram of an asynchronous service call based embodiment of the present invention;
FIG. 4 is a framework diagram of a service-based invocation system of an embodiment of the present invention;
fig. 5 is a schematic diagram of another asynchronous service call-based embodiment of the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
As shown in fig. 1, in conjunction with the embodiment of the present invention, there is provided a service-based calling system, including:
the configuration center 11: the system comprises a registry, a data processing system and a data processing system, wherein the registry is used for receiving a service provided by a producer and setting configuration information of the service, encrypting the service provided by the producer and sending the encrypted service to the registry; wherein the configuration information of the service includes: the user public configuration UC, the unique identification ID of the service, and the affiliation group of the producer or the affiliation group of the user;
the registration center 12 is used for receiving and issuing the service encrypted by the configuration center, decrypting the issued encrypted service and providing the decrypted service to users with different affiliate groups and having calling authority, and/or decrypting the issued encrypted service and providing the decrypted service to users in the affiliate groups; the user with authority is: and obtaining the configuration information of the service and the user of the service decryption authority.
Preferably, the configuration center 11 is specifically configured to encrypt a service provided by a producer, generate an authentication key of the service, store the authentication key in the user public configuration UC, and generate a first key belonging to the producer; and the number of the first and second groups,
when the user calls the service, a second secret key belonging to the user is generated, the second secret key and the first secret key are calculated through a security algorithm to obtain a collaborative secret key, whether the collaborative secret key is matched with the verification secret key or not is judged, and if the collaborative secret key is matched with the verification secret key, the configuration information provided for the service by the configuration center is provided for the user;
the registry 12 is specifically configured to receive configuration information and a second key of the service provided by the configuration center to the user, decrypt the service, and provide the service to the user.
Preferably, the configuration center 11 is further configured to receive the message of the service and the content of the service, encrypt the message of the service by using a first encryption algorithm, and then place the encrypted message in the message queue mq, encrypt the content of the service by using a second encryption algorithm, and transmit the message queue mq and the encrypted content of the service to the registration center; and the number of the first and second groups,
the registry 12 is further configured to receive the message queue mq and the encrypted service content, and,
the user monitors the message queue mq in the registration center, when the message queue mq is monitored to have the message of the required service, the message queue mq is decrypted through a decryption algorithm, and corresponding service content is obtained and decrypted according to the message of the service in the message queue mq.
Preferably, the configuration center 11 is specifically configured to set the encryption service as a micro service mode; the micro service is to independently package and transmit a certain service;
the registry 12 is specifically configured to decrypt the encrypted service and provide the decrypted service to the user in a micro-service manner.
Preferably, an external security authentication framework 13 is further included for providing the user or producer with security authentication information before entering the configuration center or registry, by which it is verified whether the access parameters of the user or producer to the service based invocation system are correct, and if so, the login is allowed, and if not, the login is denied.
As shown in fig. 2, in combination with the embodiment of the present invention, there is also provided a service-based calling method, including:
s201: the method comprises the steps of storing the service provided by a producer in a configuration center, setting configuration information for the service by the configuration center, encrypting the service provided by the producer, and sending the encrypted service to a registration center, wherein the configuration information of the service comprises the following steps: the user public configuration UC, the unique identification ID of the service, and the affiliation group of the producer or the affiliation group of the user;
s202: the registration center receives and releases the encryption service sent by the configuration center;
s203: when the user calls the service, the registration center decrypts the issued encrypted service and then sends the decrypted service to the user with the calling authority, and/or decrypts the issued encrypted service and then provides the decrypted service to the user in the affiliation group; the user with authority is: and obtaining the configuration information of the service and the user of the service decryption authority.
Preferably, the service-based calling method includes:
in step 201, the configuration center encrypts a service provided by a producer, generates a verification key of the service, stores the verification key in the user public configuration UC, and generates a first key belonging to the producer; and the number of the first and second groups,
s204: when the user calls the service, the configuration center generates a second secret key belonging to the user, calculates the second secret key and the first secret key through a security algorithm to obtain a collaborative secret key, judges whether the collaborative secret key is matched with the verification secret key or not, and if the collaborative secret key is matched with the verification secret key, the configuration center provides configuration information of the service for the user;
s205: the registration center receives the configuration information and the second secret key which are provided by the configuration center for the service of the user, decrypts the service and provides the service to the user.
Preferably, the service-based calling method includes:
in step 201, storing the message of the service provided by the producer and the content of the service in the configuration center, the configuration center encrypting the message of the service by a first encryption algorithm and then setting the message in a message queue mq, encrypting the content of the service by a second encryption algorithm, and transmitting the message queue mq and the encrypted content of the service to the registration center; and the number of the first and second groups,
s206: the registry receives the encrypted message queue mq and the encrypted service contents, and,
s207: the user monitors the message queue mq in the registration center, when the message queue mq is monitored to have the message of the required service, the message queue mq is decrypted through a decryption algorithm, and corresponding service content is obtained and decrypted according to the message of the service in the message queue mq.
Preferably, the service-based calling method includes: in step 201, the configuration center sets the encrypted service as a micro service mode;
in step 201, the micro service means that a certain service is individually encapsulated and individually transmitted;
in step 203, the registry decrypts the encrypted service and provides it to the user in the form of a microservice.
Preferably, the service-based calling method further includes:
s208: before entering the configuration center or the registration center, providing safety authentication information for a user or a producer through an external safety authentication framework, verifying whether the access parameters of the user or the producer logged in the service-based calling system are correct through the safety authentication information, if so, allowing the logging, and if not, refusing the logging.
The invention has the beneficial effects that: the invention aims to realize the decoupling of safety authentication, service release and service registration, realize the purpose of service automation by changing certain configuration of a configuration center, for example, another database needs to be connected, only the address of the database needs to be modified at a service end of the configuration center instead of directly modifying a configuration file of the service, and then restart the database. The most important is to realize the black box operation of the service, hide the specific details inside the service (corresponding to a black box with an inlet and an outlet for the outside world), and then add a layer of security filter outside the boxes. Thereby ensuring that all applications entering the service are secure.
The technical solutions of the above embodiments of the present invention are described in detail below with reference to specific application examples, and please refer to the related descriptions above for technical details that are not described in the implementation process.
Abbreviations and key term definitions appearing in the present invention:
calling a process: a calls B, B responds to A, and there is a return, which is a calling process.
In the service-based calling system, a configuration center is firstly owned, namely all configurations are managed by the configuration center. This configuration center must contain the user common configuration UC, the affiliate group, the unique identification ID of each service and this several user related information must be unique. The User common configuration UC is an abbreviation of User CommonConfig and is information that can be obtained by belonging to each genus group. The main group is the first level under UC, and is to divide users into different groups, and information between each main group is not shared.
Of course, the configuration of the configuration center also includes: the secret key logged by the user and the salt added value salt + UC in the family group are only allowed to acquire the user Id and the password outside, and the salt of the family group and the UC and the secret key logged by the server SSH are all closed in the configuration center and only allow background operation and maintenance management. In the configuration center, some configuration information belonging to the configuration center can be added, such as: the user name and password of the user database or the user adopts the secret way to encrypt. In the configuration center, there may be an encrypted file (the service provided by the service producer forms an encrypted file after being encrypted by the configuration center through a security algorithm), encrypted data information (for example, a single piece of data information such as a character string, a number, and the like), and the like. The users who need to use the files upload the files themselves and then deliver the files to the configuration center for management, and the files can be used as local caches without requesting the configuration center every time. Different data is submitted or modifications are exposed in versions. The data can be rolled back and the version can be selected.
There is then a registry for managing the release and deregistration of services and the invocation of services. The encrypted service issues registration and is called as much as possible by a micro-service method, and the micro-service mode is as follows: the method encapsulates specific details of a single or few functions, publishes the details as a service, exposes the details to the outside in an HTTP mode, and has special maintenance for a special person. Compared with other services, the micro-service mode is relatively simple and has high transmission rate. Of course, distribution in other forms is also possible.
That is, before the service is called, the consumer (which can be understood as the producer and the user of the service) first needs to register a unique account information of the consumer in the configuration center, and select the uc and the affiliation group corresponding to the consumer (uc and the affiliation group can be added, and needs the authority). Each section allows the respective operation and maintenance persons (or systems) of the two parties to authenticate and then allow the service call, the cooperation key called between the subordinate group and the subordinate group (that is, the two keys can match with the key in UC under the security algorithm) is placed in UC, and the cooperation key called between the groups is placed in the subordinate group. UC allows group-to-group inter-call. UC stores public and private keys among various groups. The generic group allows individual services within the group to invoke each other. The A call B is the same group, and only needs to judge whether the A call B is a group or not, and the A call B and the B call can be mutually called in the group. The out-of-group a calls B, before a calls B, requires an AB two-way handshake (the configuration centre administrator of B, allowing a calls, adds a in B's whitelist), which is placed in UC, only one-way B allows a calls.
In the present application, service-oriented means that all modules or functions are a service. The safety of calling between services is realized, and in the process of calling the services, the SSH is divided into three sections, namely UC, an attribute group and the services. The information is placed in a configuration center, each UC and each affiliation group have their own administrator in the configuration center to manage which services can be called, and hierarchical verification is performed at one level.
When synchronous calling service is adopted: the service user registers an account number in the configuration center, acquires server login authentication through the login account number, then obtains login authentication of the configuration center and the registration center, then the configuration center returns a receipt secret key to a consumer (user), one secret key corresponds to one service, if the secret key is lost, the secret key needs to be reapplied, the consumer holds the receipt secret key, configuration information belonging to own service is acquired in the configuration center, and the configuration information specifically comprises: the address of the registry, the parameter information necessary to invoke the service (which is necessary for the parameter verification after invoking the service), and the encryption algorithm allowed by the provider for the user (these are returned after the successful handshake between the two at the first time), now require that the caller's key and the callee's key (receipt key) can match the key in UC under the security algorithm. Then according to the configuration information and the receipt secret key, the registry is connected, and the service is called.
Asynchronous calling is adopted: the message of the service needs to be put into the message queue mq for packaging, and the packaged message is packaged into the sftp server with login authentication authority. And the sftp server is adopted, so that the occupied bandwidth is less, and the transmission rate is high. By adopting the sftp server externally, the leakage of a login password of the server can be avoided, and inestimable harmful results are generated. Of course, the service provider needs to have the right of the server to log in the sftp server, and a specific example is which ip or id is allowed to log in the sftp server. The encryption algorithm is at least two, specifically, the key used in the asynchronous call is to push a message to the message queue mq, and put the message of the service provided by the provider into the message queue mq. The first encryption algorithm encrypts the message sent to the message queue mq, wherein the information sent to the message queue mq comprises the ip, the password, the file path, the file name and the permutation and combination of the server of the sftp stored in the mq. The second encryption algorithm encrypts the file contents (i.e., the contents of the service provided) corresponding to the messages in the message queue mq, and the file contents corresponding to the messages in the message queue mq are placed in a configuration center on the sftp server.
When a service user monitors messages in the queue messages mq and monitors the messages of the service required by the user, the messages in the message queue mq are decrypted by a common decryption algorithm used by both parties (a calling party and a called party obey an encryption rule allowed by both parties), then a file (file content corresponding to the message queue mq information, namely service content) put on the sftp is obtained, and the obtained file is decrypted. Suppose that A calls B, A and B firstly share a decryption method and a decryption rule, A encrypts an ip, a password, a path and a file name of an sftp server storing service content to form encrypted information, and the encrypted information is split into a plurality of sections (possibly, a few strings are arranged in a certain place, a plurality of strings are arranged in a certain place, and possibly, a certain place is disordered) and then pushed to mq. B monitors the mq, decrypts the service message in the mq, and finally obtains the service content stored in sftp according to permutation and combination.
That is, an asynchronous call requires a message queue mq, and the asynchronous call can be divided into two synchronous calls: firstly, calling process: a message queue of the calling party monitoring service; message queues for the callee to provide services. Second, response process: the message queue of the service provided by the called party; the caller obtains the message queue of the service. Each step requires a configuration center and a registry. Wherein, the queue has two: the calling party monitors a message queue of the service provided by the called party; and a message queue for the callee to service the caller. The services of these two queues need to be published in a microservice fashion, rather than just a default unpackaged MQ.
As described above, the consumer only needs to connect mq encryption, send information encryption and store file information encryption, so that encryption is performed three times, and encryption and decryption are performed asynchronously, thereby improving efficiency. It is mainly considered that on kafka, different groups in the same kafka cluster listen to the same topic, and each group listens, and encryption is only effective for one group.
In addition, before entering the configuration center or the registration center, the server needs to be authenticated for login connection, that is, when logging in, the server needs to be authenticated first, and then the configuration center needs to be authenticated (or the registration center needs to be authenticated), and even if the configuration center is in the local area network, the login connection authentication should be set. And then, accessing a configuration center, a registration center, an mq queue service, and the like to called services, wherein the called services need login authentication, namely server authentication as long as external service connection is realized, the server internally supports SSH because internally adopting SSH service is relatively safe, and externally adopting an sftp server to place other files because the service of the previous stage calls the service of the next stage in the whole service calling process, and the required message is very large. For example, an evaluation task has many evaluation modules in the middle, each evaluation module has many evaluation items, and at the beginning of the evaluation task, the module id, the evaluation item id, and the whole selected evaluation structure need to be transferred to the next level for the next level of analysis. This amount of data is large and not well suited for http transfer. Thus, after encryption, the file is placed in a file, and the file is placed on the sftp server. Is simply a number id, so there should be no compromise.
In addition, the registry itself needs to have a security authentication framework for protecting the security of the registry itself and only allowing the services allowed by the registry to enter, such as invoking the services inside the registry. Each service can be understood as corresponding to a user, and when the user calls the service in the registry, the user needs to be authenticated by a security authentication framework owned by the registry, so that the user can obtain the authorization of the registry according to the key of the corresponding user generated in the configuration center, and then the service of the registry is allowed to be called.
The configuration center is provided with security certification and is used for a producer or a user with authority qualification to enter the configuration center or the registration center. When the external service is accessed, firstly, a configuration center is required to apply for obtaining a key for entering authentication, namely, a user or a provider enters the configuration center, firstly, security authentication is required to pass, the security authentication is required to be realized through an external security authentication framework, the security authentication through the external security authentication framework is used for protecting the configuration center, and simply, the verification of an access parameter is carried out. One service is a key and is not duplicated. Then, a verification key can be set for the service of the producer through the internal security authentication framework, a first key is provided for the producer, a second key is provided for the user, and the user can call the required service by taking the address of the service to the registration center. There is a service return, thus completing a calling procedure.
For asynchronous calls, it may happen that, in the actual running process, as shown in fig. 5, if service a needs the result in service B, and service B also needs the parameters of service a to run? Therefore, combining the above mentioned synchronous call and asynchronous call, the final result is that all requests and responses are completed by using the message queue mq as middleware, and for the same large call item, the caller may also be called, which looks like a synchronous call, and is actually an asynchronous call. The whole calling process is that the service A acquires authentication from the configuration center and the registration center, then encrypted information is sent to the mq, some service information is encrypted and stored on the sftp server, and after storage is successful, the service A can wait for entering the next service process, and does not need to wait for the response of entering the service B all the time. And the service B decrypts the message taken from the mq and then takes the service information of the A from the sftp service, so that the service B can be started, and the returned result and the service information are put into the mq and the sftp server by the service B. Service a and service B are as if they were symmetrical in principle but not symmetrical in order.
The service-based safe calling system and method have the following beneficial effects:
the prior art is as follows: the service A calls the service B, the security risk can exist only through the security framework connection authentication, the specific service is encrypted, the security of the service content is provided, and the risk in the calling process is reduced.
By adopting synchronous calling, before entering a server system, a user and a caller needing service respectively need to pass through the safety certification of an external safety certification framework and then have the qualification of providing service or obtaining service, when the service is called specifically, the service is encrypted, the safety of the service is improved, and only the caller qualified to call the service is allowed to call the corresponding service, so that the frequency of calling concurrency is reduced, the application performance of the service system is indirectly improved, and the user experience effect is good.
The method adopts asynchronous calling, A does not directly call B, but monitors the message of A in mq in B, and then obtains the service required by B according to the message of A taken from mq, therefore, in the whole process, like A calls B, but does not wait for the response of B, A and B can complete the self condition by themselves, thus improving the flexibility of service calling, under the condition that at least two encryption and decryption algorithms are very fast, the calling party has no substantial influence on the response speed and the time for obtaining service or obtains the required service very fast, and the decoupling of safety authentication, service registration and service release is realized. In addition, some configurations of the configuration center can be changed to realize the purpose of service automation, such as: another database needs to be connected, and only the address url of the database needs to be modified at the server side of the configuration center. Rather than modifying the configuration file of the service directly and then restarting. The most important is to realize the black box operation of the service, hide the specific details inside the service (corresponding to a black box with an inlet and an outlet for the outside world), and then add a layer of security filter outside the boxes. Thereby ensuring that all applications entering the service are secure.
The hidden safety hazard that anyone can call the service without safety certification is avoided, and the complicated situation that different servers adopt different encryption algorithms to cause too many encryption algorithms and one user needs to have multiple decryption algorithms is also avoided.
It should be understood that the specific order or hierarchy of steps in the processes disclosed is an example of exemplary approaches. Based upon design preferences, it is understood that the specific order or hierarchy of steps in the processes may be rearranged without departing from the scope of the present disclosure. The accompanying method claims present elements of the various steps in a sample order, and are not intended to be limited to the specific order or hierarchy presented.
In the foregoing detailed description, various features are grouped together in a single embodiment for the purpose of streamlining the disclosure. This method of disclosure is not to be interpreted as reflecting an intention that the claimed embodiments of the subject matter require more features than are expressly recited in each claim. Rather, as the following claims reflect, invention lies in less than all features of a single disclosed embodiment. Thus, the following claims are hereby expressly incorporated into the detailed description, with each claim standing on its own as a separate preferred embodiment of the invention.
The previous description of the disclosed embodiments is provided to enable any person skilled in the art to make or use the present invention. To those skilled in the art; various modifications to these embodiments will be readily apparent, and the generic principles defined herein may be applied to other embodiments without departing from the spirit or scope of the disclosure. Thus, the present disclosure is not intended to be limited to the embodiments shown herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.
What has been described above includes examples of one or more embodiments. It is, of course, not possible to describe every conceivable combination of components or methodologies for purposes of describing the aforementioned embodiments, but one of ordinary skill in the art may recognize that many further combinations and permutations of various embodiments are possible. Accordingly, the embodiments described herein are intended to embrace all such alterations, modifications and variations that fall within the scope of the appended claims. Furthermore, to the extent that the term "includes" is used in either the detailed description or the claims, such term is intended to be inclusive in a manner similar to the term "comprising" as "comprising" is interpreted when employed as a transitional word in a claim. Furthermore, any use of the term "or" in the specification of the claims is intended to mean a "non-exclusive or".
Those of skill in the art will further appreciate that the various illustrative logical blocks, units, and steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware, computer software, or combinations of both. To clearly illustrate the interchangeability of hardware and software, various illustrative components, elements, and steps have been described above generally in terms of their functionality. Whether such functionality is implemented as hardware or software depends upon the particular application and design requirements of the overall system. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present embodiments.
The various illustrative logical blocks, or elements, described in connection with the embodiments disclosed herein may be implemented or performed with a general purpose processor, a digital signal processor, an Application Specific Integrated Circuit (ASIC), a field programmable gate array or other programmable logic device, discrete gate or transistor logic, discrete hardware components, or any combination thereof designed to perform the functions described herein. A general-purpose processor may be a microprocessor, but in the alternative, the processor may be any conventional processor, controller, microcontroller, or state machine. A processor may also be implemented as a combination of computing devices, e.g., a digital signal processor and a microprocessor, a plurality of microprocessors, one or more microprocessors in conjunction with a digital signal processor core, or any other similar configuration.
The steps of a method or algorithm described in connection with the embodiments disclosed herein may be embodied directly in hardware, in a software module executed by a processor, or in a combination of the two. A software module may be stored in RAM memory, flash memory, ROM memory, EPROM memory, EEPROM memory, registers, hard disk, a removable disk, a CD-ROM, or any other form of storage medium known in the art. For example, a storage medium may be coupled to the processor such the processor can read information from, and write information to, the storage medium. In the alternative, the storage medium may be integral to the processor. The processor and the storage medium may reside in an ASIC, which may be located in a user terminal. In the alternative, the processor and the storage medium may reside in different components in a user terminal.
In one or more exemplary designs, the functions described above in connection with the embodiments of the invention may be implemented in hardware, software, firmware, or any combination of the three. If implemented in software, the functions may be stored on or transmitted over as one or more instructions or code on a computer-readable medium. Computer-readable media includes both computer storage media and communication media that facilitate transfer of a computer program from one place to another. Storage media may be any available media that can be accessed by a general purpose or special purpose computer. For example, such computer-readable media can include, but is not limited to, RAM, ROM, EEPROM, CD-ROM or other optical disk storage, magnetic disk storage or other magnetic storage devices, or any other medium which can be used to carry or store program code in the form of instructions or data structures and which can be read by a general-purpose or special-purpose computer, or a general-purpose or special-purpose processor. Additionally, any connection is properly termed a computer-readable medium, and, thus, is included if the software is transmitted from a website, server, or other remote source via a coaxial cable, fiber optic cable, twisted pair, Digital Subscriber Line (DSL), or wirelessly, e.g., infrared, radio, and microwave. Such discs (disk) and disks (disc) include compact disks, laser disks, optical disks, DVDs, floppy disks and blu-ray disks where disks usually reproduce data magnetically, while disks usually reproduce data optically with lasers. Combinations of the above may also be included in the computer-readable medium.
The above-mentioned embodiments are intended to illustrate the objects, technical solutions and advantages of the present invention in further detail, and it should be understood that the above-mentioned embodiments are merely exemplary embodiments of the present invention, and are not intended to limit the scope of the present invention, and any modifications, equivalent substitutions, improvements and the like made within the spirit and principle of the present invention should be included in the scope of the present invention.

Claims (10)

1. A service based invocation system, comprising:
the configuration center is used for receiving the service provided by the producer and setting configuration information of the service, encrypting the service provided by the producer and sending the encrypted service to the registration center; wherein the configuration information of the service includes: the user public configuration UC, the unique identification ID of the service, and the affiliation group of the producer or the affiliation group of the user;
the registration center is used for receiving and issuing the service encrypted by the configuration center, decrypting the issued encrypted service and providing the decrypted service to users with different affiliate groups and having calling authority, and/or decrypting the issued encrypted service and providing the decrypted service to the users in the affiliate groups; the user with authority is: and obtaining the configuration information of the service and the user of the service decryption authority.
2. The service based invocation system according to claim 1, further comprising:
the configuration center is specifically configured to encrypt a service provided by a producer, generate a verification key of the service, store the verification key in a user public configuration UC, and generate a first key belonging to the producer; and the number of the first and second groups,
when the user calls the service, a second secret key belonging to the user is generated, the second secret key and the first secret key are calculated through a security algorithm to obtain a collaborative secret key, whether the collaborative secret key is matched with the verification secret key or not is judged, and if the collaborative secret key is matched with the verification secret key, the configuration information provided for the service by the configuration center is provided for the user;
the registry is specifically configured to receive configuration information and a second key of the service provided by the configuration center to the user, decrypt the service, and provide the service to the user.
3. The service based invocation system according to claim 2, further comprising:
the configuration center is also used for receiving the service message and the service content, encrypting the service message through a first encryption algorithm and then arranging the service message in the message queue mq, encrypting the service content through a second encryption algorithm, and transmitting the message queue mq and the encrypted service content to the registration center; and the number of the first and second groups,
the registry is further configured to receive the message queue mq and the encrypted service content, and,
the user monitors the message queue mq in the registration center, when the message queue mq is monitored to have the message of the required service, the message queue mq is decrypted through a decryption algorithm, and corresponding service content is obtained and decrypted according to the message of the service in the message queue mq.
4. The service based invocation system according to claim 1, further comprising:
the configuration center is specifically used for setting the encryption service as a micro service mode; the micro service is to independently package and transmit a certain service;
the registry is specifically used for decrypting the encrypted service and then providing the decrypted encrypted service to the user in a micro-service mode.
5. The service-based calling system of claim 1, further comprising:
and the external security authentication framework is used for providing security authentication information for a user or a producer before entering the configuration center or the registration center, verifying whether the access parameters of the user or the producer logged in the service-based calling system are correct or not through the security authentication information, allowing the logging in if the access parameters are correct, and refusing the logging in if the access parameters are incorrect.
6. A service-based calling method, comprising:
the method comprises the steps of storing the service provided by a producer in a configuration center, setting configuration information for the service by the configuration center, encrypting the service provided by the producer, and sending the encrypted service to a registration center, wherein the configuration information of the service comprises the following steps: the user public configuration UC, the unique identification ID of the service, and the affiliation group of the producer or the affiliation group of the user;
the registration center receives and releases the encryption service sent by the configuration center; and the number of the first and second groups,
when the user calls the service, the registration center decrypts the issued encrypted service and then sends the decrypted service to the user with the calling authority, and/or decrypts the issued encrypted service and then provides the decrypted service to the user in the affiliation group; the user with authority is: and obtaining the configuration information of the service and the user of the service decryption authority.
7. The service-based calling method according to claim 6, comprising:
the configuration center encrypts a service provided by a producer, generates a verification secret key of the service, stores the verification secret key in a user public configuration UC, and generates a first secret key belonging to the producer; and the number of the first and second groups,
when the user calls the service, the configuration center generates a second secret key belonging to the user, calculates the second secret key and the first secret key through a security algorithm to obtain a collaborative secret key, judges whether the collaborative secret key is matched with the verification secret key or not, and if the collaborative secret key is matched with the verification secret key, the configuration center provides configuration information of the service for the user;
the registration center receives the configuration information and the second secret key which are provided by the configuration center for the service of the user, decrypts the service and provides the service to the user.
8. The service-based calling method according to claim 7, comprising:
storing the service message provided by the producer and the content of the service in the configuration center, encrypting the service message by a first encryption algorithm and then arranging the service message in a message queue mq by the configuration center, encrypting the service content by a second encryption algorithm, and transmitting the message queue mq and the encrypted service content to the registration center; and the number of the first and second groups,
the registry receives the encrypted message queue mq and the encrypted service contents, and,
the user monitors the message queue mq in the registration center, when the message queue mq is monitored to have the message of the required service, the message queue mq is decrypted through a decryption algorithm, and corresponding service content is obtained and decrypted according to the message of the service in the message queue mq.
9. The service-based calling method according to claim 6, comprising:
the configuration center sets the encryption service as a micro service mode; the micro service is to independently package and transmit a certain service;
the registry decrypts the encrypted service and provides the decrypted encrypted service to the user in a micro-service mode.
10. The service-based calling method of claim 6, further comprising:
before entering the configuration center or the registration center, providing safety authentication information for a user or a producer through an external safety authentication framework, verifying whether the access parameters of the user or the producer logged in the service-based calling system are correct through the safety authentication information, if so, allowing the logging, and if not, refusing the logging.
CN201911414885.9A 2019-12-31 2019-12-31 Calling system and method based on service Active CN111131308B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201911414885.9A CN111131308B (en) 2019-12-31 2019-12-31 Calling system and method based on service

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201911414885.9A CN111131308B (en) 2019-12-31 2019-12-31 Calling system and method based on service

Publications (2)

Publication Number Publication Date
CN111131308A true CN111131308A (en) 2020-05-08
CN111131308B CN111131308B (en) 2022-04-12

Family

ID=70506623

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201911414885.9A Active CN111131308B (en) 2019-12-31 2019-12-31 Calling system and method based on service

Country Status (1)

Country Link
CN (1) CN111131308B (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113055367A (en) * 2021-03-08 2021-06-29 浪潮云信息技术股份公司 Method and system for realizing micro-service gateway authentication
CN115904361A (en) * 2022-09-28 2023-04-04 建信金融科技有限责任公司 Data processing method, device, equipment and medium applied to microservice

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102668503A (en) * 2009-12-21 2012-09-12 国际商业机器公司 Secure kerberized access of encrypted file system
CN102833747A (en) * 2012-09-17 2012-12-19 北京交通大学 Method for distributing secret keys realizing authentication for access in separation mechanism mobility management system
CN109948356A (en) * 2019-03-25 2019-06-28 江苏电力信息技术有限公司 One kind is based on service call authority control method under micro services framework
CN110322940A (en) * 2019-07-15 2019-10-11 山东健康医疗大数据有限公司 A kind of access authorization methods and system that medical data is shared

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102668503A (en) * 2009-12-21 2012-09-12 国际商业机器公司 Secure kerberized access of encrypted file system
CN102833747A (en) * 2012-09-17 2012-12-19 北京交通大学 Method for distributing secret keys realizing authentication for access in separation mechanism mobility management system
CN109948356A (en) * 2019-03-25 2019-06-28 江苏电力信息技术有限公司 One kind is based on service call authority control method under micro services framework
CN110322940A (en) * 2019-07-15 2019-10-11 山东健康医疗大数据有限公司 A kind of access authorization methods and system that medical data is shared

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113055367A (en) * 2021-03-08 2021-06-29 浪潮云信息技术股份公司 Method and system for realizing micro-service gateway authentication
CN115904361A (en) * 2022-09-28 2023-04-04 建信金融科技有限责任公司 Data processing method, device, equipment and medium applied to microservice
CN115904361B (en) * 2022-09-28 2023-09-22 建信金融科技有限责任公司 Data processing method, device, equipment and medium applied to micro-service

Also Published As

Publication number Publication date
CN111131308B (en) 2022-04-12

Similar Documents

Publication Publication Date Title
AU2017204853B2 (en) Data security service
US10911457B2 (en) Immediate policy effectiveness in eventually consistent systems
US10484359B2 (en) Device-level authentication with unique device identifiers
US11676133B2 (en) Method and system for mobile cryptocurrency wallet connectivity
CN104113534B (en) The login system and method for application APP
US9547771B2 (en) Policy enforcement with associated data
US9680872B1 (en) Trusted-code generated requests
US20220166631A1 (en) Complete forward access sessions
US8984295B2 (en) Secure access to electronic devices
US11372993B2 (en) Automatic key rotation
Pradeep et al. An efficient framework for sharing a file in a secure manner using asymmetric key distribution management in cloud environment
US20140229732A1 (en) Data security service
CN108616540B (en) Platform authentication method and system based on cross-platform encryption algorithm and declarative filtering authentication
CN111131308B (en) Calling system and method based on service
KR101839048B1 (en) End-to-End Security Platform of Internet of Things
CN107920060A (en) Data access method and device based on account
CN117118640A (en) Data processing method, device, computer equipment and readable storage medium
Souza et al. Privacy‐ensuring electronic health records in the cloud
WO2020154791A1 (en) Method and system for digital rights management
CN114500031B (en) System, method, electronic equipment and medium for acquiring BI report based on single sign-on
CN118233167A (en) User login method, device, equipment, medium and product
CN115134113A (en) Platform data security authentication method, system, terminal and storage medium

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant