CN112333167A - Unified authentication system - Google Patents

Info

Publication number: CN112333167A
Authority: CN (China)
Prior art keywords: server, interface, basic, application, management unit
Legal status: Pending
Application number: CN202011164454.4A
Other languages: Chinese (zh)
Inventor: 侯战斌
Current assignee: Beijing Jutongda Technology Co ltd
Original assignee: Beijing Jutongda Technology Co ltd
Priority date: 2020-10-27
Filing date: 2020-10-27
Publication date: 2021-02-05
(The legal status, assignees and priority date are listed by Google Patents as assumptions, without legal analysis, and may be inaccurate.)

2020-10-27: Application filed by Beijing Jutongda Technology Co ltd; priority to CN202011164454.4A
2021-02-05: Publication of CN112333167A
Current legal status: Pending

Classifications

    • H ELECTRICITY
      • H04 ELECTRIC COMMUNICATION TECHNIQUE
        • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
          • H04L63/00 Network architectures or network communication protocols for network security
            • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
            • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
              • H04L63/101 Access control lists [ACL]
            • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)

Abstract

The invention relates to the technical field of authentication, and in particular to a unified authentication system comprising a user side and a server side that are communicatively connected through an API gateway. The back-end server side comprises a verification server, a basic server, a resource server and a database, each connected to the API gateway; the verification server is connected to the basic server and passes data to it, the basic server is connected to the resource server and passes data to it, and the resource server receives the data and stores it in the database. The invention has high flexibility and extensibility, can provide a unified business process management platform for enterprise users in various industries, can be integrated with an enterprise's application systems, and makes the enterprise's internal processing systematic, automated and standardized.

Description

Unified authentication system
Technical Field
The invention belongs to the technical field of authentication communication and particularly relates to a unified authentication system.
Background
Unified authentication products and technologies on the market are very mature, for example IBM Tivoli Identity Manager, Microsoft Active Directory and many open-source products, and many companies carry out secondary development based on these products or on similar ideas in order to realize unified authentication. These products can easily provide unified login authentication across several systems, but for the different resources within each subsystem of the unified login they lack a means of further, finer control over specific service system resources; in particular, there is no effective management and control over the access rights of different users in different industries to different expensive resources and data resources. Moreover, existing authentication systems have a complex structure, a non-distributed layout, low complexity and low efficiency.
Therefore, improvements are needed.
Disclosure of Invention
In order to solve the problems in the prior art, the invention provides a unified authentication system.
The technical scheme of the invention is realized as follows:
a unified authentication system comprises a user side and a server side, wherein the user side and the server side are communicatively connected through an API gateway; the back-end server side comprises a verification server, a basic server, a resource server and a database, each connected to the API gateway; the verification server is connected to the basic server and passes data to it, the basic server is connected to the resource server and passes data to it, and the resource server receives the data and stores it in the database.
Further, the system also comprises a Nacos server which is communicatively connected to the verification server, the basic server and the resource server respectively.
Further, the user side comprises an application management unit, a gateway routing management unit, an interface management unit, a flow control unit and an access control unit;
the application management unit mainly manages the basic information, development information and application permissions of an application. The basic information mainly comprises the application icon, appid, application type, name and description; the development information mainly comprises the apiKey, secretKey, authorization type, authorization range (scope) and token validity period; the application permissions control which interfaces the application may access.
Further, the gateway route management unit manages the gateway routes in a unified manner and controls the service name that each route corresponds to.
Further, the interface management unit provides management of all service interfaces: it controls the address of each interface, whether authentication is enabled, whether public network access is allowed, and so on, and thereby secures the interface.
Further, the flow control unit performs concurrency control of the access allowed to the interfaces; its main function is to define a flow control policy and bind the relevant interfaces to that policy.
Further, the access control unit controls the black list and white list of the access allowed to the interfaces; its main function is to define an access control policy and bind the relevant interfaces under that policy.
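The application management unit above ties an appid and its apiKey/secretKey to an authorization type, an authorization range and a token validity period, and separately to the interfaces the application may access. The following is an added Python model of that unit (not the patent's own code, which is Java/Spring Cloud); it assumes a client-credentials style grant and a compact token of the form appid.scopes.expiry.hmac signed with the application's secretKey, with scope names using ':' so the '.' separators stay unambiguous. All registry values are constructed.

```python
"""Application credentials, token validity and application permissions,
modelling the application management unit. Added example, not the
patent's own code; grant type, token format and registry are assumptions."""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, Iterable, Optional


@dataclass(frozen=True)
class Application:
    appid: str
    name: str
    app_type: str
    api_key: str
    secret_key: str
    authorization_type: str            # grant type the app is allowed to use
    authorization_range: frozenset     # scopes the app may be granted
    token_validity_seconds: int
    permitted_interfaces: frozenset    # "application permissions"


# Constructed sample registry managed by the application management unit.
APPS: Dict[str, Application] = {
    "app-1001": Application(
        appid="app-1001", name="Ledger UI", app_type="web",
        api_key="key-1001", secret_key="constructed-secret-1001",
        authorization_type="client_credentials",
        authorization_range=frozenset({"user:read", "order:read"}),
        token_validity_seconds=600,
        permitted_interfaces=frozenset({"/api/user/info", "/api/order/list"}),
    ),
}


def _sign(secret: str, payload: str) -> str:
    return hmac.new(secret.encode(), payload.encode(), hashlib.sha256).hexdigest()


def issue_token(appid: str, api_key: str, grant_type: str,
                scopes: Iterable[str], now: int) -> Optional[str]:
    """Authenticate the application and mint a token bounded by its
    authorization type, authorization range and token validity period."""
    app = APPS.get(appid)
    if app is None or not hmac.compare_digest(app.api_key, api_key):
        return None
    if grant_type != app.authorization_type:
        return None
    wanted = frozenset(scopes)
    if not wanted or not wanted <= app.authorization_range:
        return None                       # scope outside the authorization range
    payload = f"{appid}.{'+'.join(sorted(wanted))}.{now + app.token_validity_seconds}"
    return f"{payload}.{_sign(app.secret_key, payload)}"


def verify_token(token: str, now: int) -> Optional[dict]:
    """Check the signature first, then the validity period; return claims or None."""
    parts = token.split(".")
    if len(parts) != 4:
        return None
    appid, scope_str, exp_str, sig = parts
    app = APPS.get(appid)
    if app is None:
        return None
    payload = f"{appid}.{scope_str}.{exp_str}"
    if not hmac.compare_digest(sig, _sign(app.secret_key, payload)):
        return None
    if not exp_str.isdigit() or now >= int(exp_str):
        return None                       # token validity period exceeded
    return {"appid": appid, "scopes": frozenset(scope_str.split("+"))}


def can_call(token: str, interface: str, now: int) -> bool:
    """Application permissions: is the interface one the app may access?"""
    claims = verify_token(token, now)
    return claims is not None and interface in APPS[claims["appid"]].permitted_interfaces
```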
The working principle and the beneficial effects of the invention are as follows:
the unified authentication system is an independently developed authentication system used in the scenarios of system user login and interface authentication. Through the unified authentication service, the success or failure of authentication can be fed back to the subsystem or the calling system, either through an interface call or through the unified authentication interface.
The core of the unified authentication system is a distributed authentication system written in pure Java and built on Spring Cloud, with high availability and scalability.
The system mainly adopts a layered and componentized design, with a clear hierarchical structure. Its design and implementation follow the workflow management specification established by the international workflow management alliance, with custom extensions for business practice. The system has high flexibility and extensibility, can provide a unified business process management platform for enterprise users in various industries, can be integrated with an enterprise's application systems, and makes the enterprise's internal processing systematic, automated and standardized.
The system builds an open platform on OAuth2, provides a unified interface control platform for APP terminals, and provides a credit-controlled technology integration platform for service integration with third-party partners.
The system adopts a unified API gateway, which makes access authentication, parameter signature verification and external calls more secure.
The system adopts a distributed architecture; service discovery and internal calls via Feign (a pseudo-RPC mechanism) are more convenient and faster.
The system deeply integrates Spring Cloud, Spring Security and OAuth2, giving finer-grained and more flexible ABAC (attribute-based access control) authority control.
The system provides a REST integration interface and a message mechanism, making it convenient to integrate with other systems.
The system provides graphical workflow management and operation monitoring.
The system is developed with a separated front end and back end, so division of labour and cooperation are more efficient.
The system adopts sensible code packaging and is simple and easy to understand.
The system supports multiple databases: mainstream databases such as Oracle and SQL Server, open-source databases such as MySQL and PostgreSQL, and NoSQL databases such as MongoDB and Redis.
Drawings
FIG. 1 is an architecture diagram of a unified authentication system according to the present invention;
FIG. 2 is an architecture diagram of the client side of the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be described clearly and completely with reference to the accompanying drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments of the present invention without making any creative effort, shall fall within the protection scope of the present invention.
It should be noted that all the directional indicators (such as upper, lower, left, right, front and rear, etc.) in the embodiments of the present invention are only used to explain the relative positional relationship between the components, the movement situation, etc. in a specific posture (as shown in the drawings), and if the specific posture is changed, the directional indicator changes accordingly.
In addition, the descriptions related to "first", "second", etc. in the present invention are for descriptive purposes only and are not to be construed as indicating or implying relative importance or implicitly indicating the number of technical features indicated. Thus, a feature defined as "first" or "second" may explicitly or implicitly include at least one such feature. In addition, technical solutions between various embodiments may be combined with each other, but must be realized by a person skilled in the art, and when the technical solutions are contradictory or cannot be realized, such a combination should not be considered to exist, and is not within the protection scope of the present invention.
Example 1
As shown in FIGS. 1-2, a unified authentication system includes a user side and a server side, where the user side and the server side are communicatively connected through an API gateway; the back-end server side comprises a verification server, a basic server, a resource server and a database, each connected to the API gateway; the verification server is connected to the basic server and passes data to it, the basic server is connected to the resource server and passes data to it, and the resource server receives the data and stores it in the database.
The system further comprises a Nacos server which is communicatively connected to the verification server, the basic server and the resource server respectively.
The user side comprises an application management unit, a gateway routing management unit, an interface management unit, a flow control unit and an access control unit;
the application management unit mainly manages the basic information, development information and application permissions of an application. The basic information mainly comprises the application icon, appid, application type, name and description; the development information mainly comprises the apiKey, secretKey, authorization type, authorization range (scope) and token validity period; the application permissions control which interfaces the application may access.
The gateway route management unit manages the gateway routes in a unified manner and controls the service name that each route corresponds to.
The interface management unit provides management of all service interfaces: it controls the address of each interface, whether authentication is enabled, whether public network access is allowed, and so on, and thereby secures the interface.
The flow control unit performs concurrency control of the access allowed to the interfaces; its main function is to define a flow control policy and bind the related interfaces to that policy.
The access control unit controls the black list and white list of the access allowed to the interfaces; its main function is to define an access control policy and bind the relevant interfaces under that policy.
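The gateway route management, interface management, flow control and access control units described above together decide whether a call to an interface is forwarded to a backing service. The following is an added Python model of that admission decision (not the patent's own code, which is Java/Spring Cloud); it assumes that the verification server has already established the caller's principal (or None), and that interface addresses, service names, policy names and IP addresses are constructed sample values.

```python
"""Gateway-side admission check modelling the interface management, flow
control and access control units. Added example, not the patent's own code;
the request shape and all configuration values are assumptions."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Interface:
    service_name: str          # gateway route -> service name
    auth_enabled: bool         # "whether to start authentication"
    public_access: bool        # "whether to allow public network access"
    flow_policy: Optional[str] = None    # bound flow control policy
    access_policy: Optional[str] = None  # bound access control policy


@dataclass(frozen=True)
class FlowPolicy:
    max_concurrent: int        # concurrent requests allowed per bound interface


@dataclass(frozen=True)
class AccessPolicy:
    allow: frozenset = frozenset()   # white list; empty means no allow restriction
    deny: frozenset = frozenset()    # black list; always takes precedence


@dataclass(frozen=True)
class Request:
    path: str                  # interface address being called
    source_ip: str
    from_public_network: bool
    principal: Optional[str]   # set by the verification server; None if unauthenticated


# Constructed sample configuration: interface addresses are the route keys.
INTERFACES: Dict[str, Interface] = {
    "/api/user/info": Interface("user-service", True, False, "std", "internal-only"),
    "/api/health": Interface("basic-service", False, True),
}
FLOW_POLICIES = {"std": FlowPolicy(max_concurrent=2)}
ACCESS_POLICIES = {
    "internal-only": AccessPolicy(allow=frozenset({"10.0.0.5", "10.0.0.6"}),
                                  deny=frozenset({"10.0.0.6"})),
}


class Gateway:
    def __init__(self) -> None:
        self.in_flight: Dict[str, int] = {}   # interface address -> active requests

    def admit(self, req: Request) -> Tuple[bool, str]:
        """Return (forwarded?, reason). Static checks (route, public access,
        ACL) run first, then authentication, then the concurrency budget."""
        iface = INTERFACES.get(req.path)
        if iface is None:
            return False, "no route for interface"
        if req.from_public_network and not iface.public_access:
            return False, "public network access disabled"
        acl = ACCESS_POLICIES.get(iface.access_policy) if iface.access_policy else None
        if acl is not None:
            if req.source_ip in acl.deny:
                return False, "source on black list"
            if acl.allow and req.source_ip not in acl.allow:
                return False, "source not on white list"
        if iface.auth_enabled and req.principal is None:
            return False, "authentication required"
        flow = FLOW_POLICIES.get(iface.flow_policy) if iface.flow_policy else None
        if flow is not None and self.in_flight.get(req.path, 0) >= flow.max_concurrent:
            return False, "flow control limit reached"
        self.in_flight[req.path] = self.in_flight.get(req.path, 0) + 1
        return True, f"forward to {iface.service_name}"

    def complete(self, path: str) -> None:
        """Release the concurrency slot once the backing service has answered."""
        self.in_flight[path] = max(0, self.in_flight.get(path, 0) - 1)
```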
Specifically, the system is characterized as follows:
the unified authentication system is an independently developed authentication system used in the scenarios of system user login and interface authentication. Through the unified authentication service, the success or failure of authentication can be fed back to the subsystem or the calling system, either through an interface call or through the unified authentication interface.
The core of the unified authentication system is a distributed authentication system written in pure Java and built on Spring Cloud, with high availability and scalability.
The system mainly adopts a layered and componentized design, with a clear hierarchical structure. Its design and implementation follow the workflow management specification established by the international workflow management alliance, with custom extensions for business practice. The system has high flexibility and extensibility, can provide a unified business process management platform for enterprise users in various industries, can be integrated with an enterprise's application systems, and makes the enterprise's internal processing systematic, automated and standardized.
The system builds an open platform on OAuth2, provides a unified interface control platform for APP terminals, and provides a credit-controlled technology integration platform for service integration with third-party partners.
The system adopts a unified API gateway, which makes access authentication, parameter signature verification and external calls more secure.
The system adopts a distributed architecture; service discovery and internal calls via Feign (a pseudo-RPC mechanism) are more convenient and faster.
The system deeply integrates Spring Cloud, Spring Security and OAuth2, giving finer-grained and more flexible ABAC (attribute-based access control) authority control.
The system provides a REST integration interface and a message mechanism, making it convenient to integrate with other systems.
The system provides graphical workflow management and operation monitoring.
The system is developed with a separated front end and back end, so division of labour and cooperation are more efficient.
The system adopts sensible code packaging and is simple and easy to understand.
The system supports multiple databases: mainstream databases such as Oracle and SQL Server, open-source databases such as MySQL and PostgreSQL, and NoSQL databases such as MongoDB and Redis.
Finally, the above embodiments only illustrate the technical solutions of the present invention and do not limit them. Although the present invention has been described in detail with reference to the preferred embodiments, those skilled in the art should understand that modifications or equivalent substitutions may be made to the technical solutions of the present invention without departing from the spirit and scope of those technical solutions, and all of these should be covered by the claims of the present invention.

Claims (7)

1. A unified authentication system, characterized in that it comprises a user side and a server side, wherein the user side and the server side are communicatively connected through an API gateway; the back-end server side comprises a verification server, a basic server, a resource server and a database, each connected to the API gateway; the verification server is connected to the basic server and passes data to it, the basic server is connected to the resource server and passes data to it, and the resource server receives the data and stores it in the database.
2. The unified authentication system according to claim 1, further comprising a Nacos server, wherein the Nacos server is communicatively connected to the verification server, the base server, and the resource server, respectively.
3. The unified authentication system according to claim 2, wherein the user side comprises an application management unit, a gateway routing management unit, an interface management unit, a flow control unit, and an access control unit;
the application management unit mainly manages the basic information, development information and application permissions of an application; wherein the basic information mainly comprises the application icon, appid, application type, name and description; the development information mainly comprises the apiKey, secretKey, authorization type, authorization range (scope) and token validity period; and the application permissions control which interfaces the application may access.
4. The unified authentication system according to claim 3, wherein said gateway route management unit is configured to manage gateway routes uniformly, and control each route corresponding to a service name.
5. The unified authentication system according to claim 3, wherein the interface management unit provides management of all service interfaces, controls the address of each interface, whether authentication is enabled, whether public network access is allowed, and the like, and ensures the security of the interface.
6. The unified authentication system according to claim 3, wherein the flow control unit is used to control the concurrency of the access allowed to the interfaces, and its main function is to define a flow control policy under which the relevant interfaces are bound.
7. The unified authentication system according to claim 3, wherein the access control unit controls the black list and white list of the access allowed to the interface, and its main function is to define an access control policy and bind the related interfaces under that policy.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202011164454.4A CN112333167A (en) 2020-10-27 2020-10-27 Unified authentication system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202011164454.4A CN112333167A (en) 2020-10-27 2020-10-27 Unified authentication system

Publications (1)

Publication Number Publication Date
CN112333167A true CN112333167A (en) 2021-02-05

Family

ID=74296522

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202011164454.4A Pending CN112333167A (en) 2020-10-27 2020-10-27 Unified authentication system

Country Status (1)

Country Link
CN (1) CN112333167A (en)

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20160124742A1 (en) * 2014-10-30 2016-05-05 Equinix, Inc. Microservice-based application development framework
CN109218212A (en) * 2018-09-03 2019-01-15 四川长虹电器股份有限公司 Method for limiting flow through API gateway
CN109728974A (en) * 2018-12-27 2019-05-07 北京航天智造科技发展有限公司 Online interface debugging platform
US20190273746A1 (en) * 2018-03-02 2019-09-05 Syntegrity Networks Inc. Microservice architecture for identity and access management
CN110995450A (en) * 2020-02-27 2020-04-10 中科星图股份有限公司 Authentication and authorization method and system based on Kubernetes
CN111600899A (en) * 2020-05-25 2020-08-28 华人运通(上海)云计算科技有限公司 Micro-service access control method and device, electronic equipment and storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20210205