CN112367321B - Method for quickly constructing service call and middle station API gateway - Google Patents
- Publication number: CN112367321B (application CN202011247508.3A)
- Authority: CN (China)
- Prior art keywords: client, api, request, message header, verification
- Legal status: Active
Classifications
- H04L67/133—Protocols for remote procedure calls [RPC]
- G06F16/24539—Query rewriting; Transformation using cached or materialised query results
- G06F16/24552—Database cache management
- G06F16/275—Synchronous replication
- G06F9/547—Remote procedure calls [RPC]; Web services
- H04L12/66—Arrangements for connecting between networks having differing types of switching systems, e.g. gateways
- H04L63/101—Access control lists [ACL]
- H04L63/306—Network security protocols for supporting lawful interception, monitoring or retaining of communications, intercepting packet switched data communications, e.g. Web, Internet or IMS communications
- H04L67/02—Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
- H04L67/1095—Replication or mirroring of data, e.g. scheduling or transport for data synchronisation between network nodes
- H04L67/568—Storing data temporarily at an intermediate stage, e.g. caching
- H04L9/3213—Means for verifying the identity or authority of a user or for message authentication involving a third party or a trusted authority, using tickets or tokens, e.g. Kerberos
- H04L9/3247—Means for verifying the identity or authority of a user or for message authentication involving digital signatures
Abstract
The invention discloses a method for quickly constructing service calls and a middle-platform API gateway (中台 API gateway, rendered "middle station" in the title) through which all API calls are processed uniformly. A service call request is initiated and the client generates a _sig message-header parameter and uploads it; the gateway queries the client permission information and the API configuration; checks the validity of the client identity; performs reverse signature verification once that check passes; after the reverse signature verification passes, performs time-validity and anti-replay verification; calls the service after the anti-replay verification passes; and passes the returned data through the anti-corruption layer before returning a structured object in a fixed format. Because all API calls pass through the middle-platform API gateway, on the one hand the gateway can support several signature algorithms, encrypt and verify data, and strengthen data management, control and security; on the other hand it reduces coupling between systems, reduces the response time of the whole system, and lets service calls be constructed quickly.
Description
Technical Field
The invention relates to the technical field of microservice architecture, and in particular to a method for quickly constructing service calls and a middle-platform API gateway.
Background
With the rapid development of the internet, we have entered the era of the mobile internet and the internet of things. The entry points through which users access a system have changed from a single PC client to PC clients, various browsers, mobile phones, intelligent terminals and so on. At the same time, most systems do not operate in isolation; they frequently need to interface with other systems and share data. A gateway serves as the entry point for traffic, and its common functions include routing and forwarding, permission verification and rate limiting. In a microservice architecture today, when a client calls a backend microservice, every service call must perform login authentication, permission authentication, flow control, load balancing, health checks and the other operations that each microservice call requires, so every service call has to carry authentication, rate-limiting, permission and circuit-breaking logic; if each service implements this separately, the code becomes redundant and bloated. Moreover, services keep becoming more complex and diverse; for example, opening a single page on JD.com or Taobao may involve the cooperation of hundreds of microservices, which can give the whole system a long response time and prevent service calls from being constructed quickly.
Disclosure of Invention
To solve the above technical problems, one object of the present invention is to provide a method for quickly constructing service calls in which all API calls are processed uniformly by a middle-platform API gateway, the method comprising:
a web browser or app initiates a service call request, and the client generates a _sig message-header parameter according to the signature rule and submits it, together with the other message-header parameters and all service parameters, to the entry of the gateway routing center;
after receiving the service call request, the gateway service queries the client permission information and the API configuration;
after the client permission information has been queried, checking the validity of the client identity, and once that check passes, judging according to the client's rate-limiting configuration whether the current request exceeds its QPS limit;
after the client identity and rate-limit checks pass, performing reverse signature verification on the message-header parameters transmitted by the client, i.e. checking whether the transmitted _sig parameter is consistent with the token regenerated by the reverse signature;
after the reverse signature verification passes, checking the _timestamp message-header parameter and the anti-replay _nonce field according to the current API configuration, and performing anti-replay verification on the API request when a life cycle is configured for the specified API;
after the anti-replay verification passes, obtaining the real routing address of the API, packaging the service parameters transmitted by the client into a request object, making the HTTP call, and taking the real data returned by the API once the call succeeds;
and processing the data returned by the API uniformly through the anti-corruption layer, then returning a structured object in a fixed format.
With this technical scheme, when the client permission information and the API configuration are queried, they are loaded preferentially from the second-level cache; if the related data cannot be found in the second-level cache, it is queried from the first-level cache; if it cannot be found in either cache, it is queried from the database, and the database synchronously writes the data back to the first-level and second-level caches by reloading; if the database cannot find the related data either, the API of the current service call request is not configured or the client permission information does not exist, and the current request is intercepted.
With this technical scheme, because the second-level cache is lazily loaded, a deleted or missing second-level cache entry is refilled automatically by the next valid service call request.
With this technical scheme, the client permission information comprises the client's configured global QPS limit, the client's configured method-level QPS limit, and whether the client is on the blacklist or whitelist.
With this technical scheme, the API configuration comprises interface configuration, which includes configuring the _mt, _version, _requestMode and _sm message-header parameters; the _mt parameter and the _version parameter together uniquely identify an API.
With this technical scheme, the reverse signature verification of the _sig parameter transmitted by the client comprises the following steps:
comparing the _sig parameter value transmitted by the client with the signature token generated by the reverse signature;
when the transmitted _sig value is consistent with the reversely generated signature token, judging it a legal signature, i.e. the reverse signature verification passes;
when the transmitted _sig value is inconsistent with the reversely generated signature token, judging it an illegal signature, i.e. the reverse signature verification fails, and intercepting the current request.
With this technical scheme, the anti-replay verification of the API request comprises the following steps:
verifying whether the same request has already been received within the set time (a replay attack);
when no such replay exists, the anti-replay verification passes;
when such a replay exists, the anti-replay verification fails and the current request is intercepted.
With this technical scheme, the method further comprises, after the whole call chain has completed, collecting and reporting the request parameters, request method, request result, caller identity information, geographic information and time-consumption information of the whole call, for later tracing and investigation.
Another object of the present invention is to provide a middle-platform API gateway, comprising:
a unified authentication module, to which a web browser or app sends a service call request; the client generates a _sig message-header parameter according to the signature rule and submits it, together with the other message-header parameters and all service parameters, to the entry of the gateway routing center;
a gateway configuration module, used to query the client permission information and the API configuration after the service call request is received;
a validity check module, used to check the validity of the client identity after the client permission information is queried and, once that check passes, to judge according to the client's rate-limiting configuration whether the current request exceeds its QPS limit;
a signature verification module, used to perform reverse signature verification on the message-header parameters transmitted by the client after the client identity and rate-limit checks pass, checking whether the transmitted _sig parameter is consistent with the token regenerated by the reverse signature;
an anti-replay verification module, used to check the _timestamp message-header parameter and the anti-replay _nonce field according to the current API configuration after the reverse signature verification passes, and to perform anti-replay verification on the API request when a life cycle is configured for the specified API;
a service calling module, used to obtain the real routing address configured for the API after the anti-replay verification passes, package the service parameters transmitted by the client into a request object, make the HTTP call, and take the real data returned by the API once the call succeeds;
and a domain-driven module, used to process the data returned by the API uniformly through the anti-corruption layer and then return a structured object in a fixed format.
With this technical scheme, the gateway further comprises a data acquisition module which, after the whole call chain has completed, reports the request parameters, request method, request result, caller identity information, geographic information and time-consumption information of the whole call, for later tracing and investigation.
The beneficial effects of the invention are as follows: because all API calls are processed uniformly through the middle-platform API gateway, on the one hand the gateway can support several signature algorithms, encrypt and verify data, and effectively intercept repeated requests and similar abuse on every data interface, strengthening data management, control and security; on the other hand the gateway reduces coupling between systems, lets the microservices concentrate on business logic, reduces the response time of the whole system, and places the validity check of every call request under the gateway's uniform control, so that service calls can be constructed quickly.
Drawings
Fig. 1 is a network schematic diagram of a middlebox API gateway provided by the present invention.
FIG. 2 is a schematic flow chart of example 1 of the present invention.
Fig. 3 is a block diagram of the structure of embodiment 2 of the present invention.
The reference numbers are as follows: 1. middle-platform API gateway; 11. unified authentication module; 12. gateway configuration module; 13. validity checking module; 14. signature verification module; 15. anti-replay verification module; 16. service calling module; 17. domain-driven module; 18. data acquisition module; 2. microservice architecture; 3. access client.
Detailed Description
The technical solutions in the embodiments of the present invention will be described clearly and completely with reference to the accompanying drawings; obviously, the described embodiments are only some of the embodiments of the invention, not all of them.
Examples are illustrated in the accompanying drawings, in which like reference numerals refer to the same or similar elements, or to elements having the same or similar function, throughout. The embodiments described below with reference to the drawings are illustrative, intended to explain the invention, and are not to be construed as limiting it.
Example 1
Fig. 1 is a network schematic diagram of the middle-platform API gateway 1 according to embodiment 1 of the present invention. As shown in fig. 1, the middle-platform API gateway 1 is deployed between the access client 3 and the microservice architecture 2, and all API calls enter and leave uniformly through the gateway 1. This reduces coupling across the whole network of systems, lets the microservice architecture 2 focus on business logic, places the validity check of every call request under the uniform management and control of the gateway 1, and allows service calls to be constructed quickly.
The technical solution of the present invention will be described in detail with reference to fig. 1.
Referring to fig. 2, embodiment 1 of the present invention provides a method by which the middle-platform API gateway 1 quickly constructs a service call, with all API calls processed uniformly through the gateway 1; the method includes the following steps:
In step S101, the web browser or app initiates a service call request, and the client generates a _sig message-header parameter according to the signature rule and uploads it, together with the other message-header parameters and all service parameters, to the entry of the gateway routing center.
In step S102, after receiving the service call request, the gateway service queries the client permission information and the API configuration.
Illustratively, the client permission information and the API configuration are prerequisite work: every interface called through the middle-platform API gateway 1 must first be configured as an API. The API configuration includes interface configuration, which covers the _mt message-header parameter (the method name of the API), the _version parameter (the version number), the _requestMode parameter (the request type), the _sm parameter (the interface encryption rule), the real interface address, the rate-limit parameters for requests to the interface, whether the interface requires an anti-replay check, the anti-replay check rule, the definition of the status codes returned by the interface, and so on. Likewise, every client that calls through the gateway 1 must have its permissions configured; permission configuration comprises the client's global QPS limit, the client's method-level QPS limit, and whether the client is on the blacklist or whitelist.
Illustratively, when interface configuration and permission configuration are performed, the configuration data are written to the database and synchronously updated to the first-level and second-level caches at the same time.
In step S103, after the client permission information has been queried, the validity of the client identity is checked, and once that check passes, it is determined according to the client's rate-limiting configuration whether the current request exceeds its QPS limit.
Illustratively, the gateway checks whether the client identity is legal; if it is, the check passes and the next operation proceeds, otherwise the service call request is intercepted.
For example, the client's rate-limiting configuration is implemented on Redis + Lua, and flow control can be maintained at a fine granularity such as one method of one user. For instance, when a third-party developer's platform application is limited to a maximum of 5 calls per second on one method (the getUser method) and its traffic reaches 6 concurrent calls per second, the excess calls are probabilistically limited when the system is called; the service interface is then not actually forwarded to the getUser method, which reduces the load on the service system.
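The following is an added example and not code from the patent: a fixed one-second-window limiter with the two kinds of limit the permission configuration describes (a global per-client QPS limit and a per-client, per-method QPS limit). The Redis + Lua side is only sketched as a string; the in-memory counter and the clock injection are assumptions made so the logic can run offline.

```python
import time
from collections import defaultdict

# Redis-side equivalent of the counter below, for reference only (not executed here):
# a fixed one-second window on one key, the shape a Redis + Lua limiter typically
# takes. Assumed, not taken from the patent.
LUA_FIXED_WINDOW = """
local current = redis.call('INCR', KEYS[1])
if current == 1 then redis.call('EXPIRE', KEYS[1], 1) end
if current > tonumber(ARGV[1]) then return 0 end
return 1
"""


class QpsLimiter:
    """Fixed one-second window limiter with a global limit per client and an
    optional method-level limit per (client, method)."""

    def __init__(self, global_limits, method_limits, clock=time.time):
        self.global_limits = dict(global_limits)   # client_id -> max calls per second
        self.method_limits = dict(method_limits)   # (client_id, method) -> max calls per second
        self.clock = clock                         # injectable for deterministic tests
        self.counters = defaultdict(int)           # (counter key..., window) -> count

    def allow(self, client_id, method):
        """Return True if the call may pass, False if it must be limited.

        Both limits are checked before either counter is incremented, so a call
        rejected by the method limit does not consume the client's global quota."""
        window = int(self.clock())
        checks = []
        g = self.global_limits.get(client_id)
        if g is not None:
            checks.append((("global", client_id, window), g))
        m = self.method_limits.get((client_id, method))
        if m is not None:
            checks.append((("method", client_id, method, window), m))
        if any(self.counters[key] >= limit for key, limit in checks):
            return False
        for key, _ in checks:
            self.counters[key] += 1
        return True

    def prune(self):
        """Drop counters from past windows (Redis would do this through EXPIRE)."""
        window = int(self.clock())
        for key in [k for k in self.counters if k[-1] < window]:
            del self.counters[key]


def burst(limiter, client_id, method, calls):
    """Fire `calls` requests inside the current second; return how many were allowed."""
    return sum(1 for _ in range(calls) if limiter.allow(client_id, method))
```

With a method limit of 5 on getUser, a burst of 6 calls in one second lets exactly 5 through, and the limited call is never forwarded to the backend; the next second starts a fresh window.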
In step S104, after the client identity and rate-limit checks pass, reverse signature verification is performed on the message-header parameters transmitted by the client, checking whether the transmitted _sig parameter is consistent with the token regenerated by the reverse signature.
Exemplarily, the _sig parameter value transmitted by the client is compared with the reversely generated signature token. When the transmitted _sig value is inconsistent with the reversely generated token, it is judged an illegal signature, i.e. the reverse signature verification fails, and the current request is intercepted; when the transmitted _sig value is consistent with the reversely generated token, it is judged a legal signature, i.e. the reverse signature verification passes, and the next operation proceeds.
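The reverse signature check of step S104 (and of the summary above), as an added example that is not the patent's own code. The patent does not spell out its signature rule, so the following are assumptions: the string to sign is every message-header parameter except _sig plus all service parameters, sorted by key; the _sm header selects an HMAC algorithm; and an _appKey header identifies the client whose secret the gateway looks up.

```python
import hashlib
import hmac

# Assumption: _sm names the signature algorithm (the patent calls _sm the "interface
# encryption rule" and says several algorithms are supported, without naming them).
SIGNATURE_ALGORITHMS = {"HMAC-SHA256": hashlib.sha256, "HMAC-SHA1": hashlib.sha1}


def canonical_string(headers, params):
    """String to sign: every message-header parameter except _sig, plus all service
    parameters, as key=value pairs sorted by key and joined with '&'. Sorting makes
    the client and the gateway agree regardless of transmission order."""
    items = {k: str(v) for k, v in headers.items() if k != "_sig"}
    items.update({k: str(v) for k, v in params.items()})
    return "&".join(f"{k}={items[k]}" for k in sorted(items))


def sign(secret, headers, params):
    """Compute the signature token for the given headers and parameters."""
    digest = SIGNATURE_ALGORITHMS[headers["_sm"]]
    message = canonical_string(headers, params).encode()
    return hmac.new(secret.encode(), message, digest).hexdigest()


def client_build_request(secret, headers, params):
    """Client side (step S101): attach _sig and return what is sent to the gateway entry."""
    signed = dict(headers)
    signed["_sig"] = sign(secret, headers, params)
    return signed, dict(params)


def gateway_verify_signature(client_secrets, headers, params):
    """Gateway side (step S104): regenerate the token from the transmitted headers and
    parameters (the "reverse signature") and compare it with the transmitted _sig.
    True means a legal signature; False means the request is intercepted."""
    secret = client_secrets.get(headers.get("_appKey"))   # _appKey is an assumed header
    if secret is None or headers.get("_sm") not in SIGNATURE_ALGORITHMS or "_sig" not in headers:
        return False
    expected = sign(secret, headers, params)
    # constant-time comparison so timing does not reveal how many bytes matched
    return hmac.compare_digest(expected.encode(), str(headers["_sig"]).encode())
```

Because the service parameters are part of the signed string, changing any parameter after signing invalidates _sig, which is what lets the gateway reject tampered requests before they reach a microservice.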
In step S105, after the reverse signature verification passes, the _timestamp message-header parameter and the anti-replay _nonce field are checked according to the current API configuration, and anti-replay verification is performed on the API request when a life cycle is configured for the specified API.
Illustratively, the time validity of the API request is checked by verifying the _timestamp message-header parameter (the timestamp field): if the timestamp lies within the configured validity period, the API request is judged a valid service call request and the next operation proceeds; otherwise the service call request is intercepted.
Illustratively, when a life cycle is configured for the specified API, anti-replay verification is performed according to the configured anti-replay rule, the _nonce field transmitted by the client and the _sig message-header parameter transmitted by the client. Specifically, the gateway verifies whether the same interface request has already been received within the set time; if not, the anti-replay verification passes and the next operation proceeds; if so, the anti-replay verification fails, the current request is intercepted, and the interface is added to the blacklist. For example, the rule may be set to check whether the same interface request occurred within 1 minute.
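An added example, not the patent's own code, of the time-validity and anti-replay checks of step S105 (and of the summary above). The patent leaves the details open, so these are assumptions: _timestamp is Unix seconds, the configured life cycle doubles as the timestamp validity window and as the time a nonce is remembered, the deduplication key is (API, _nonce), and the offending client, identified by an assumed _appKey header, is what gets blacklisted.

```python
import time


class ReplayGuard:
    """Time-validity and anti-replay checks for one gateway node."""

    def __init__(self, clock=time.time):
        self.clock = clock          # injectable for deterministic tests
        self.seen = {}              # (_mt, _version, _nonce) -> time the record expires
        self.blacklist = set()      # clients caught replaying a request

    def check(self, headers, api_config):
        """Return (allowed, reason). Anything but allowed=True means intercept."""
        now = self.clock()
        client = headers.get("_appKey")
        if client in self.blacklist:
            return False, "client blacklisted after replay"
        lifecycle = api_config.get("lifecycle_seconds")
        if lifecycle is None:
            return True, "no life cycle configured, anti-replay check skipped"
        # time validity: the timestamp must lie inside the configured window
        try:
            ts = int(headers["_timestamp"])
        except (KeyError, ValueError):
            return False, "missing or malformed _timestamp"
        if abs(now - ts) > lifecycle:
            return False, "timestamp outside validity period"
        nonce = headers.get("_nonce")
        if not nonce:
            return False, "missing _nonce"
        # anti-replay: the same (API, nonce) must not have been seen within the window
        self._expire(now)
        key = (headers.get("_mt"), headers.get("_version"), nonce)
        if key in self.seen:
            self.blacklist.add(client)
            return False, "replayed request"
        self.seen[key] = now + lifecycle
        return True, "first use of nonce within life cycle"

    def _expire(self, now):
        """Forget nonces whose window has closed; the timestamp check already
        rejects anything that old, so the memory stays bounded by the life cycle."""
        for key in [k for k, exp in self.seen.items() if exp <= now]:
            del self.seen[key]
```

The timestamp check and the nonce store work together: the timestamp bounds how long a nonce has to be remembered, and the nonce catches a replay inside that bound. In a clustered gateway the `seen` table would live in the shared cache rather than in one process.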
In step S106, after the anti-replay verification passes, the real routing address of the API is obtained, the service parameters transmitted by the client are packaged into a request object for the HTTP call, and the real data returned by the API is taken once the call succeeds.
In step S107, the data returned by the API is processed uniformly through the anti-corruption layer, and a structured object in a fixed format is then returned.
Illustratively, the backend microservices may be written in different languages and support diverse protocols such as HTTP, Dubbo and gRPC, but the client cannot be expected to adapt to all of them. The middle-platform gateway routing center therefore accepts every call uniformly over HTTP and then performs HTTP forwarding or a Dubbo or gRPC remote call according to the API's configuration. After the call succeeds, the anti-corruption layer converts the result into a structured object in a fixed format, such as a JSON or XML object, so that different protocols and their different return results are made compatible; this is the preferred technical scheme.
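The anti-corruption layer of step S107, as an added example that is not code from the patent. The three backends are constructed stand-ins whose return shapes are invented for the demonstration; the request-mode names, the fixed {"code", "message", "data"} envelope and the status-code mapping are assumptions, since the patent only says the format is fixed and that the interface's status codes are part of its configuration.

```python
import json
from collections import namedtuple

# Constructed stand-ins for services reached over different protocols; each returns
# its result in its own shape, which is exactly what the client must never see.
UserDTO = namedtuple("UserDTO", "id name")   # an RPC result object with attributes, not keys


def http_backend(params):
    return {"status": 200, "body": json.dumps({"id": params["userId"], "name": "demo"})}


def dubbo_backend(params):
    return UserDTO(id=params["userId"], name="demo")


def grpc_backend(params):
    return {"result": {"id": params["userId"], "name": "demo"}, "error": None}


# Assumed request modes; the patent says the mode is configured per API via _requestMode.
BACKENDS = {"http": http_backend, "dubbo": dubbo_backend, "grpc": grpc_backend}


def anti_corruption_layer(mode, raw):
    """Translate a protocol-specific result into the gateway's fixed envelope
    {"code", "message", "data"}, so backend differences stop at the gateway."""
    if mode == "http":
        if raw["status"] != 200:
            return {"code": raw["status"], "message": "backend error", "data": None}
        return {"code": 0, "message": "ok", "data": json.loads(raw["body"])}
    if mode == "dubbo":
        return {"code": 0, "message": "ok", "data": {"id": raw.id, "name": raw.name}}
    if mode == "grpc":
        if raw.get("error"):
            return {"code": 1, "message": raw["error"], "data": None}
        return {"code": 0, "message": "ok", "data": raw["result"]}
    return {"code": 2, "message": f"unsupported request mode {mode!r}", "data": None}


def call_service(api_config, params):
    """Steps S106 and S107: dispatch by the API's configured request mode, then normalise."""
    mode = api_config["requestMode"]
    backend = BACKENDS.get(mode)
    if backend is None:
        return anti_corruption_layer(mode, None)
    return anti_corruption_layer(mode, backend(params))


def render_json(result):
    """The fixed-format object as the JSON text the gateway would return."""
    return json.dumps(result, sort_keys=True)
```

Whichever protocol served the call, the client receives the same envelope, and a backend error becomes a gateway status code instead of a protocol-specific exception leaking through.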
In step S102, when the client permission information and the API configuration are queried, they are loaded preferentially from the second-level cache; if the related data cannot be found in the second-level cache, it is queried from the first-level cache; if it cannot be found in either cache, it is queried from the database, and the database synchronously writes the data back to both caches by reloading; if the database cannot find the related data either, the API of the current service call request is not configured or the client permission information does not exist, and the current request is intercepted.
The first-level cache is implemented on Redis; the derived service is edas-bus-Redis, which supports a range of functions: standalone, sentinel and Redis Cluster instantiation; dynamic instantiation; exception alarms and service degradation; bringing Redis online or offline at any time; and clustered deployment with horizontal scaling, saving resources.
The second-level cache is implemented on the JDK's ConcurrentHashMap and is kept consistent across the cluster through Apollo's subscribe/publish events: when an API changes, the second-level cache produces a publish event through publishNamespace of the Apollo client, and clients listen for the change notification through the onChange event of ApolloConfigChangeListener. To prevent dirty reads, the second-level cache is lazily loaded, and a deleted second-level cache entry is refilled automatically by the next service call request.
As a preferred technical scheme, the invention further includes step S108: after the whole call chain has completed, the request parameters, request method, request result, caller identity information, geographic information and time-consumption information of the whole call are collected and reported for later tracing and investigation. This makes service calls more transparent, gives a clear view of each service's performance indicators such as traffic, concurrency and time consumption through call analysis, and provides solid data for later optimisation and improvement of the services.
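An added example, not the patent's own code, of the three-tier lookup of step S102 and of the lazy refill described above. Plain dictionaries stand in for the real tiers (the in-process ConcurrentHashMap, the shared Redis cache and the database), and `publish_change` stands in for the Apollo change event; the record keys and contents are constructed.

```python
class TieredConfigStore:
    """Three-tier lookup of client permission info and API configuration."""

    def __init__(self, db_rows):
        self.db = dict(db_rows)   # stands in for the database
        self.l1 = {}              # stands in for the shared Redis cache
        self.l2 = {}              # stands in for this node's ConcurrentHashMap

    def load(self, key):
        """Return (value, tier that served it). Lookup order: l2 -> l1 -> db.
        A hit in a lower tier refills the tier above it (lazy loading) and a
        database hit reloads both caches; (None, 'miss') means intercept."""
        if key in self.l2:
            return self.l2[key], "l2"
        if key in self.l1:
            self.l2[key] = self.l1[key]
            return self.l1[key], "l1"
        if key in self.db:
            value = self.db[key]
            self.l1[key] = value
            self.l2[key] = value
            return value, "db"
        return None, "miss"

    def publish_change(self, key, value=None):
        """Stand-in for the configuration change event: the database and the shared
        cache take the new value (or drop the key), and the local entry is evicted so
        the next valid request refills it instead of serving a stale copy."""
        if value is None:
            self.db.pop(key, None)
            self.l1.pop(key, None)
        else:
            self.db[key] = value
            self.l1[key] = value
        self.l2.pop(key, None)


def resolve_request(store, app_key, mt, version):
    """Gateway step S102: fetch both records; intercept if either is absent."""
    permission, _ = store.load(("client", app_key))
    api, _ = store.load(("api", mt, version))
    if permission is None or api is None:
        return None
    return {"permission": permission, "api": api}
```

Evicting only the local entry on a change, rather than writing the new value into every node, is what keeps a node from serving a value that another node has already replaced: the next request reads the shared tier and refills the local one.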
Example 2
Referring to fig. 3, the middle station API gateway 1 provided in embodiment 2 of the present invention implements the method for quickly constructing a service call through the middle station API gateway 1 described in embodiment 1. As shown in fig. 3, the middle station API gateway 1 includes:
The unified authentication module 11: a web browser or app sends a service call request to the unified authentication module 11; the client generates the _sig message header parameter according to the signature rule and uploads it, together with the other message header parameters and all service parameters, to the entrance of the gateway routing center.
The gateway configuration module 12 queries the client permission information and the API configuration after the service call request is received; the specific contents of the client permission information and the API configuration are as described in embodiment 1 and are not repeated here.
The validity checking module 13 checks the validity of the client identity after the client permission information has been queried and, after the validity check passes, judges according to the client's rate-limiting configuration whether the current request exceeds the QPS (queries per second) limit. For specific details of the verification, reference is made to embodiment 1, which is not repeated here.
The signature verification module 14 performs reverse signature verification on the message header parameters transmitted by the client after the client identity and rate-limit checks pass, and matches whether the transmitted _sig message header parameter is consistent with the token regenerated by the reverse signature. For specific details of the signature verification, reference is made to embodiment 1, which is not repeated here.
The anti-replay verification module 15 checks the _timestamp message header parameter and the anti-replay _nonce field according to the current API configuration after the reverse signature verification passes, and performs anti-replay verification on the API request when a life cycle is configured for the specified API. For specific details of the anti-replay verification, reference is made to embodiment 1, which is not repeated here.
The service calling module 16 obtains the real routing address configured for the API after the anti-replay verification passes, packages the service parameters transmitted by the client into a request object for the http call, and takes the real return data of the API after the call succeeds.
The domain-driven module 17 uniformly processes the data returned by the API through an anti-corruption layer and then returns a structured object in a fixed format. For specific details of the data processing, reference is made to embodiment 1, which is not repeated here.
After the whole call chain completes, the data acquisition module 18 reports the request parameters, request method, request result, caller identity information, geographic information and time-consumption information of the whole call for later trace-back investigation; this enhances transparency between service calls, makes performance indicators such as traffic, concurrency and latency of each service clearly visible through service call analysis, and provides strong data support for subsequent service optimization and improvement.
All API calls are processed uniformly through the middle station API gateway. On the one hand, the gateway provides support for multiple signature algorithms, performs encrypted verification of the data and effectively intercepts duplicate requests and similar abuse on every data interface, which strengthens data governance and security capability; on the other hand, the gateway reduces coupling between systems, lets microservices concentrate on business logic processing, reduces the response time of the whole system and allows service calls to be constructed quickly.
The above embodiments are merely preferred embodiments intended to fully illustrate the present invention, and the scope of the invention is not limited thereto. Equivalent substitutions or changes made by those skilled in the art on the basis of the invention all fall within the protection scope of the invention. The protection scope of the invention is defined by the claims.
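The gateway-side chain of embodiment 2 (identity and QPS check, reverse signature verification, then anti-replay verification on _timestamp and _nonce, in the order the page gives), as an added example that is not code from the patent. The patent names the header parameters but not the signature rule, the client identifier or the storage layout, so these are assumptions: HMAC-SHA256 over the sorted header and service parameters excluding _sig, a `_client` header carrying the client id, and in-memory dictionaries for the permission records, API configuration, replay store and QPS counters.

```python
import hashlib
import hmac
import time
from collections import defaultdict, deque

# Constructed client permission records (assumed schema; claim 4 lists the contents).
CLIENT_PERMISSIONS = {
    "client-demo": {
        "secret": b"constructed-demo-secret",   # placeholder credential, not a real key
        "global_qps": 5,                        # client-wide QPS limit
        "method_qps": {"order.query": 2},       # method-level QPS limit
        "blacklisted": False,                   # black/white list membership
    },
}

# Constructed API configuration; (_mt, _version) identifies the API (claim 5).
# "lifecycle" is the anti-replay window in seconds (assumed name).
API_CONFIG = {
    ("order.query", "1.0"): {"route": "http://order.internal/query", "lifecycle": 300},
}


def canonical_string(headers, params):
    """All header and service parameters except _sig, sorted, joined as k=v&k=v."""
    merged = {**headers, **params}
    merged.pop("_sig", None)
    return "&".join(f"{k}={merged[k]}" for k in sorted(merged))


def sign(secret, headers, params):
    """Client-side signature rule (assumed): HMAC-SHA256 over the canonical string."""
    msg = canonical_string(headers, params).encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def reverse_signature_ok(secret, headers, params):
    """Gateway regenerates the token from what it received and compares in constant time."""
    expected = sign(secret, headers, params)
    return hmac.compare_digest(expected, headers.get("_sig", ""))


class GatewayState:
    """Per-process replay and QPS state."""

    def __init__(self):
        self.seen_nonces = {}            # (client, nonce) -> expiry time
        self.hits = defaultdict(deque)   # counter key -> timestamps of recent requests

    def replay_ok(self, client_id, headers, lifecycle, now):
        """_timestamp must lie inside the lifecycle and _nonce must not have been seen in it."""
        try:
            ts = int(headers["_timestamp"])
            nonce = headers["_nonce"]
        except (KeyError, ValueError):
            return False
        if abs(now - ts) > lifecycle:
            return False
        # Expire old nonces so the store stays bounded by the window size.
        self.seen_nonces = {k: v for k, v in self.seen_nonces.items() if v > now}
        key = (client_id, nonce)
        if key in self.seen_nonces:
            return False                 # same request repeated inside the window
        self.seen_nonces[key] = now + lifecycle
        return True

    def qps_ok(self, key, limit, now):
        """Sliding one-second window: at most `limit` requests per second per key."""
        window = self.hits[key]
        while window and window[0] <= now - 1:
            window.popleft()
        if len(window) >= limit:
            return False
        window.append(now)
        return True


def handle_request(state, headers, params, now=None):
    """Run the checks in the patent's order; return (accepted, route_or_reason)."""
    now = time.time() if now is None else now
    client_id = headers.get("_client")
    perms = CLIENT_PERMISSIONS.get(client_id)
    api = API_CONFIG.get((headers.get("_mt"), headers.get("_version")))
    if perms is None or api is None:
        return False, "client permission or API configuration not found"
    if perms["blacklisted"]:
        return False, "client identity invalid"
    if not state.qps_ok(("global", client_id), perms["global_qps"], now):
        return False, "global QPS limit exceeded"
    method_limit = perms["method_qps"].get(headers["_mt"])
    if method_limit is not None and not state.qps_ok(
            ("method", client_id, headers["_mt"]), method_limit, now):
        return False, "method QPS limit exceeded"
    if not reverse_signature_ok(perms["secret"], headers, params):
        return False, "illegal signature"
    if not state.replay_ok(client_id, headers, api["lifecycle"], now):
        return False, "replay detected or timestamp outside lifecycle"
    return True, api["route"]
```

Two design points worth noting: the signature covers _timestamp and _nonce, so a caller cannot move a valid signature onto a fresh timestamp, and the nonce store is keyed per client and bounded by the configured lifecycle, which is why the timestamp check has to run before the nonce is recorded.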
Claims (10)
1. A method for quickly constructing a service call, characterized in that all Application Program Interface (API) calls are uniformly processed through a middle station API gateway, the method comprising the following steps:
a web browser or app initiates a service call request, and the client generates a _sig message header parameter according to a signature rule and uploads it, together with the other message header parameters and all service parameters, to the entrance of the gateway routing center;
after receiving the service call request, the gateway service queries the client permission information and the API configuration;
after the client permission information is queried, a validity check is performed on the client identity, and after the validity check passes, whether the current request exceeds the QPS (queries per second) limit is judged according to the client's rate-limiting configuration;
after the client identity and rate-limit checks pass, reverse signature verification is performed on the message header parameters transmitted by the client, matching whether the transmitted _sig message header parameter is consistent with the token regenerated by the reverse signature;
after the reverse signature verification passes, the _timestamp message header parameter and the anti-replay _nonce field are checked according to the current API configuration, and anti-replay verification is performed on the API request when a life cycle is configured for the specified API;
after the anti-replay verification passes, the real routing address of the API is obtained, the service parameters transmitted by the client are packaged into a request object for the http call, and the real return data of the API is taken after the http call succeeds;
and the data returned by the API is uniformly processed through an anti-corruption layer and then returned as a structured object in a fixed format.
2. The method for quickly constructing a service call as recited in claim 1, wherein: when the client permission information and the API configuration are queried, they are loaded preferentially from the second-level cache, and the first-level cache is queried only after the related data cannot be found in the second-level cache;
when the related data cannot be found in either cache level, the data is queried from the database, and the database synchronously writes the data to the first-level and second-level caches by way of a data reload;
when the database also holds no related data, this indicates that the API of the current service call request is not configured or that the client permission information does not exist, and the current request is intercepted.
3. The method for quickly constructing a service call as recited in claim 2, wherein: the second-level cache is based on lazy loading, and a second-level cache entry that has been deleted or does not exist is automatically filled by the next correct service call request.
4. The method for quickly constructing a service call as recited in claim 2, wherein: the client permission information includes the client's configured global QPS limit, the client's configured method-level QPS limit, and whether the configured client belongs to a blacklist or whitelist.
5. The method for quickly constructing a service call as recited in claim 2, wherein: the API configuration comprises an interface configuration; the interface configuration comprises the configuration of a _mt message header parameter, a _version message header parameter, a _requestMode message header parameter and an _sm message header parameter; and the _mt and _version message header parameters together uniquely identify the API.
6. The method for quickly constructing a service call as recited in claim 1, wherein: the reverse signature verification of the _sig message header parameter transmitted by the client comprises the following steps:
comparing the value of the _sig message header parameter transmitted by the client with the signature token regenerated by the reverse signature;
when the value of the _sig message header parameter transmitted by the client is consistent with the regenerated signature token, judging it to be a legal signature, that is, the reverse signature verification passes;
when the value of the _sig message header parameter transmitted by the client is inconsistent with the regenerated signature token, judging it to be an illegal signature, that is, the reverse signature verification fails, and intercepting the current request.
7. The method for quickly constructing a service call as recited in claim 1, wherein: the anti-replay verification of the API request comprises:
verifying whether the same request has been repeated (a replay attack) within the set time;
when the same request has not been repeated, the anti-replay verification passes;
when the same request has been repeated, the anti-replay verification fails and the current request is intercepted.
8. The method for quickly constructing a service call as recited in claim 1, further comprising: after the whole call chain has completed, collecting and reporting the request parameters, request method, request result, caller identity information, geographic information and time-consumption information of the whole call for later trace-back investigation.
9. A middle station API gateway, comprising:
a unified authentication module, to which a web browser or app sends a service call request, wherein the client generates a _sig message header parameter according to a signature rule and uploads it, together with the other message header parameters and all service parameters, to the entrance of the gateway routing center;
a gateway configuration module for querying the client permission information and the API configuration after the service call request is received;
a validity checking module for checking the validity of the client identity after the client permission information has been queried and, after the validity check passes, judging according to the client's rate-limiting configuration whether the current request exceeds the QPS limit;
a signature verification module for performing reverse signature verification on the message header parameters transmitted by the client after the client identity and rate-limit checks pass, and matching whether the transmitted _sig message header parameter is consistent with the token regenerated by the reverse signature;
an anti-replay verification module for checking the _timestamp message header parameter and the anti-replay _nonce field according to the current API configuration after the reverse signature verification passes, and performing anti-replay verification on the API request when a life cycle is configured for the specified API;
a service calling module for obtaining the real routing address configured for the API after the anti-replay verification passes, packaging the service parameters transmitted by the client into a request object for the http call, and taking the real return data of the API after the call succeeds;
and a domain-driven module for uniformly processing the data returned by the API through an anti-corruption layer and then returning a structured object in a fixed format.
10. The middle station API gateway of claim 9, further comprising: a data acquisition module which, after the whole call chain has completed, reports the request parameters, request method, request result, caller identity information, geographic information and time-consumption information of the whole call for later trace-back investigation.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202011247508.3A CN112367321B (en) | 2020-11-10 | 2020-11-10 | Method for quickly constructing service call and middle station API gateway |
Publications (2)
Publication Number | Publication Date |
---|---|
CN112367321A CN112367321A (en) | 2021-02-12 |
CN112367321B true CN112367321B (en) | 2021-11-02 |
Family
ID=74508637
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202011247508.3A Active CN112367321B (en) | 2020-11-10 | 2020-11-10 | Method for quickly constructing service call and middle station API gateway |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN112367321B (en) |
Families Citing this family (12)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN112910770B (en) * | 2021-03-23 | 2022-11-29 | 深圳前海联动云软件科技有限公司 | Distributed service gateway design method and system based on generalization call |
CN113395269B (en) * | 2021-06-04 | 2023-02-17 | 上海浦东发展银行股份有限公司 | Data interaction method and device |
CN113781202B (en) * | 2021-08-24 | 2024-04-12 | 上海数禾信息科技有限公司 | Data processing method, device, computer equipment and storage medium |
CN114615073A (en) * | 2022-03-22 | 2022-06-10 | 广州方硅信息技术有限公司 | Access flow control method, device, equipment and medium |
CN114785578B (en) * | 2022-04-13 | 2023-09-29 | 福建天晴数码有限公司 | Rpc service authority management method and system |
CN114826612B (en) * | 2022-04-20 | 2024-01-30 | 微位(深圳)网络科技有限公司 | Data interaction method, device, equipment and storage medium |
CN114697131A (en) * | 2022-04-27 | 2022-07-01 | 京东科技控股股份有限公司 | Data calling method and device, storage medium and electronic equipment |
CN115134113B (en) * | 2022-05-13 | 2024-04-09 | 山东鲁软数字科技有限公司 | Platform data security authentication method, system, terminal and storage medium |
CN115174502A (en) * | 2022-06-30 | 2022-10-11 | 广东亿迅科技有限公司 | Flow control method, device, equipment and medium of API gateway |
CN116405573B (en) * | 2023-06-07 | 2023-08-15 | 北京集度科技有限公司 | Service-oriented architecture based system, communication method and computer program product |
CN117194593A (en) * | 2023-07-18 | 2023-12-08 | 博智安全科技股份有限公司 | GIS application management system and method based on micro-service architecture |
CN117221374B (en) * | 2023-09-11 | 2024-05-24 | 广州Tcl互联网小额贷款有限公司 | API (application program interface) calling method and system based on API gateway |
Citations (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN109802835A (en) * | 2019-01-25 | 2019-05-24 | 北京中电普华信息技术有限公司 | A kind of safety certifying method, system and API gateway |
CN111865920A (en) * | 2020-06-18 | 2020-10-30 | 多加网络科技(北京)有限公司 | Gateway authentication and identity authentication platform and method thereof |
Family Cites Families (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101616136B (en) * | 2008-06-26 | 2013-05-01 | 阿里巴巴集团控股有限公司 | Method for supplying internet service and service integrated platform system |
Non-Patent Citations (1)
Title |
---|
Design and implementation of an API gateway *** based on the OpenResty platform; Wen Xin et al.; 《信息化研究》 (Information Research); 2020-06-20 (No. 03); full text * |
Also Published As
Publication number | Publication date |
---|---|
CN112367321A (en) | 2021-02-12 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||