CN112367321B - Method for quickly constructing service call and middle station API gateway - Google Patents

Method for quickly constructing service call and middle station API gateway

Info

Publication number
CN112367321B
Authority
CN
China
Prior art keywords
client
api
request
message header
verification
Prior art date
Legal status
Active
Application number
CN202011247508.3A
Other languages
Chinese (zh)
Other versions
CN112367321A (en)
Inventor
薛飞
徐星
Current Assignee
OP Retail Suzhou Technology Co Ltd
Original Assignee
OP Retail Suzhou Technology Co Ltd
Application filed by OP Retail Suzhou Technology Co Ltd
Priority to CN202011247508.3A
Publication of CN112367321A
Application granted
Publication of CN112367321B
Legal status: Active

Classifications

    • H ELECTRICITY
        • H04 ELECTRIC COMMUNICATION TECHNIQUE
            • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
                • H04L67/00 Network arrangements or protocols for supporting network services or applications
                    • H04L67/01 Protocols
                        • H04L67/133 Protocols for remote procedure calls [RPC]
                        • H04L67/02 Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
                        • H04L67/10 Protocols in which an application is distributed across nodes in the network
                            • H04L67/1095 Replication or mirroring of data, e.g. scheduling or transport for data synchronisation between network nodes
                    • H04L67/50 Network services
                        • H04L67/56 Provisioning of proxy services
                            • H04L67/568 Storing data temporarily at an intermediate stage, e.g. caching
                • H04L12/00 Data switching networks
                    • H04L12/66 Arrangements for connecting between networks having differing types of switching systems, e.g. gateways
                • H04L63/00 Network architectures or network communication protocols for network security
                    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
                        • H04L63/101 Access control lists [ACL]
                    • H04L63/30 Network architectures or network communication protocols for network security for supporting lawful interception, monitoring or retaining of communications or communication related information
                        • H04L63/306 Network architectures or network communication protocols for network security for supporting lawful interception, monitoring or retaining of communications or communication related information intercepting packet switched data communications, e.g. Web, Internet or IMS communications
                • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
                    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
                        • H04L9/321 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving a third party or a trusted authority
                            • H04L9/3213 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving a third party or a trusted authority using tickets or tokens, e.g. Kerberos
                        • H04L9/3247 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
    • G PHYSICS
        • G06 COMPUTING; CALCULATING OR COUNTING
            • G06F ELECTRIC DIGITAL DATA PROCESSING
                • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
                    • G06F16/20 Information retrieval; Database structures therefor; File system structures therefor of structured data, e.g. relational data
                        • G06F16/24 Querying
                            • G06F16/245 Query processing
                                • G06F16/2453 Query optimisation
                                    • G06F16/24534 Query rewriting; Transformation
                                        • G06F16/24539 Query rewriting; Transformation using cached or materialised query results
                                • G06F16/2455 Query execution
                                    • G06F16/24552 Database cache management
                        • G06F16/27 Replication, distribution or synchronisation of data between databases or within a distributed database system; Distributed database system architectures therefor
                            • G06F16/275 Synchronous replication
                • G06F9/00 Arrangements for program control, e.g. control units
                    • G06F9/06 Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
                        • G06F9/46 Multiprogramming arrangements
                            • G06F9/54 Interprogram communication
                                • G06F9/547 Remote procedure calls [RPC]; Web services


Abstract

The invention discloses a method for quickly constructing service calls and a middle-platform API gateway through which all API calls are processed uniformly: a service call request is initiated and the client generates and uploads a header _sig parameter; the gateway queries the client permission information and the API configuration; it checks the validity of the client identity; once that check passes it performs reverse signature verification; once the reverse signature verification passes it performs time-validity and anti-replay checks; once the anti-replay check passes it calls the service; and finally it returns a structured object in a fixed format after anti-corruption layer processing. Because all API calls pass through the middle-platform API gateway, on one hand the gateway can support multiple signature algorithms and encrypt and verify data, which strengthens data management, control and security; on the other hand the gateway reduces coupling between systems, shortens the response time of the whole system and lets service calls be constructed quickly.

Description

Method for quickly constructing service call and middle station API gateway
Technical Field
The invention relates to the technical field of microservice architecture, in particular to a method for quickly constructing service calls and to a middle-platform API gateway.
Background
With the rapid development of the internet, we have entered the era of the mobile internet and the internet of things. The ways in which users reach a system's entry point have changed from a single PC client to PC clients, various browsers, mobile-phone terminals, intelligent terminals and so on. At the same time, most systems no longer run in isolation; they usually need to interface with other systems and share data. The gateway serves as the entry point for traffic, and its common functions include routing and forwarding, permission verification, rate limiting and so on. At present, in a microservice architecture, every call from a client to a backend microservice must perform login authentication, permission authentication, flow control, load balancing, health checks and the other operations that each microservice requires, so every service call needs its own authentication, rate-limiting, permission and circuit-breaking logic; if every service implements this logic once more, the code becomes redundant and bloated. Moreover, services are becoming ever more complex and diverse: opening a single page on JD.com or Taobao, for example, may involve hundreds of cooperating microservices, which can lead to a long response time for the whole system and make it impossible to construct service calls quickly.
Disclosure of Invention
To solve the above technical problems, one object of the present invention is to provide a method for quickly constructing service calls in which all API calls are processed uniformly by a middle-platform API gateway, comprising:
a web browser or app initiates a service call request; the client generates a header _sig parameter according to the signature rule and uploads it, together with the other header parameters and all service parameters, to the entry of the gateway routing center;
after receiving the service call request, the gateway service queries the client permission information and the API configuration;
after the client permission information has been queried, the validity of the client identity is checked, and once the validity check passes it is determined from the client's rate-limiting configuration whether the current request exceeds the QPS limit;
after the client identity and rate-limit checks pass, reverse signature verification is performed on the header parameters transmitted by the client, matching whether the transmitted header _sig parameter is consistent with the token produced by the reverse signature;
after the reverse signature verification passes, the header _timestamp parameter and the anti-replay _nonce field are checked according to the current API configuration, and when a lifetime is configured for the specified API, anti-replay verification is performed on the API request;
after the anti-replay verification passes, the real routing address of the API is obtained, the service parameters transmitted by the client are packaged into a request object for the HTTP call, and the real return data of the API is taken once the call succeeds;
and the data returned by the API is processed uniformly by the anti-corruption layer, after which a structured object in a fixed format is returned.
With this technical scheme, when the client permission information and the API configuration are queried they are loaded preferentially from the second-level cache; if the relevant data cannot be found in the second-level cache it is queried from the first-level cache; if it cannot be found in either cache level it is queried from the database, and the database synchronously updates both the first-level and the second-level cache by reloading the data; if the database cannot find the relevant data either, the API of the current service call request is not configured or the client permission information does not exist, and the current request is intercepted.
With this technical scheme, because the second-level cache is lazily loaded, a second-level cache entry that has been deleted or does not exist is automatically filled by the next correct service call request.
With this technical scheme, the client permission information comprises the client's global QPS limit, the client's method-level QPS limit and whether the client belongs to a blacklist or whitelist.
With this technical scheme, the API configuration comprises interface configuration; the interface configuration comprises configuration of the header _mt parameter, the header _version parameter, the header _requestMode parameter and the header _sm parameter, and the header _mt parameter and the header _version parameter together identify the unique API.
With this technical scheme, the reverse signature verification of the header _sig parameter transmitted by the client comprises the following steps:
comparing the header _sig parameter value transmitted by the client with the signature token generated by the reverse signature;
when the header _sig parameter value transmitted by the client is consistent with the reversely generated signature token, judging it to be a legal signature, i.e. the reverse signature verification passes;
when the header _sig parameter value transmitted by the client is inconsistent with the reversely generated signature token, judging it to be an illegal signature, i.e. the reverse signature verification fails, and intercepting the current request.
With this technical scheme, the anti-replay verification of the API request comprises the following steps:
verifying whether the same request has been repeated (a replay attack) within the set time;
when no such repeated request exists, the anti-replay verification passes;
when such a repeated request exists, the anti-replay verification fails and the current request is intercepted.
With this technical scheme, the method also comprises, after the whole call chain has completed, collecting and reporting the request parameters, request method, request result, caller identity information, geographic information and time-consumption information of the whole call, and using the collected and reported data for later retrospective investigation.
Another object of the present invention is to provide a middle-platform API gateway, comprising:
a unified authentication module: a web browser or app sends a service call request to the unified authentication module, and the client generates a header _sig parameter according to the signature rule and uploads it, together with the other header parameters and all service parameters, to the entry of the gateway routing center;
a gateway configuration module for querying the client permission information and the API configuration after the service call request is received;
a validity check module for checking the validity of the client identity after the client permission information has been queried, and for determining from the client's rate-limiting configuration whether the current request exceeds the QPS limit once the validity check passes;
a signature verification module for performing reverse signature verification on the header parameters transmitted by the client after the client identity and rate-limit checks pass, matching whether the transmitted header _sig parameter is consistent with the token produced by the reverse signature;
an anti-replay verification module for checking the header _timestamp parameter and the anti-replay _nonce field according to the current API configuration after the reverse signature verification passes, and for performing anti-replay verification on the API request when a lifetime is configured for the specified API;
a service calling module for obtaining the real routing address configured for the API after the anti-replay verification passes, packaging the service parameters transmitted by the client into a request object for the HTTP call, and taking the real return data of the API once the call succeeds;
and a domain-driven module for processing the data returned by the API uniformly through the anti-corruption layer and then returning a structured object in a fixed format.
With this technical scheme, the system further comprises a data acquisition module which, after the whole call chain has completed, reports the request parameters, request method, request result, caller identity information, geographic information and time-consumption information of the whole call, for later tracing and investigation.
The invention has the following beneficial effects. All API calls are processed uniformly through the middle-platform API gateway: on one hand, the gateway provides support for multiple signature algorithms, encrypts and verifies data, and effectively intercepts repeated requests and the like at every data interface, which strengthens data management, control and security; on the other hand, the gateway reduces coupling between systems, lets the microservices concentrate on business logic, shortens the response time of the whole system, and places the validity checks of all call requests under the uniform control of the gateway, so that service calls can be constructed quickly.
Drawings
Fig. 1 is a network diagram of the middle-platform API gateway provided by the present invention.
Fig. 2 is a flow chart of embodiment 1 of the present invention.
Fig. 3 is a block diagram of the structure of embodiment 2 of the present invention.
The reference numbers are as follows: 1: middle-platform API gateway; 11: unified authentication module; 12: gateway configuration module; 13: validity check module; 14: signature verification module; 15: anti-replay verification module; 16: service calling module; 17: domain-driven module; 18: data acquisition module; 2: microservice architecture; 3: access client.
Detailed Description
The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the accompanying drawings; the described embodiments are only some of the embodiments of the present invention, not all of them.
Examples are illustrated in the accompanying drawings, in which like reference numerals refer throughout to the same or similar elements or to elements having the same or similar function. The embodiments described below with reference to the drawings are illustrative, intended to explain the invention, and are not to be construed as limiting it.
Example 1
Fig. 1 is a network diagram of the middle-platform API gateway 1 according to embodiment 1 of the present invention. As shown in Fig. 1, the middle-platform API gateway 1 is deployed between the access client 3 and the microservice architecture 2, and all API calls enter and leave uniformly through the gateway 1, so that coupling across the whole network of systems is reduced, the microservice architecture 2 can focus on business logic, the validity checks of all call requests are managed and controlled uniformly by the gateway 1, and service calls can be constructed quickly.
The technical solution of the present invention is described in detail below with reference to Fig. 1.
Referring to Fig. 2, embodiment 1 of the present invention provides a method by which the middle-platform API gateway 1 quickly constructs a service call; all API calls are processed uniformly through the gateway 1, and the method comprises the following steps:
In step S101, the web browser or app initiates a service call request; the client generates a header _sig parameter according to the signature rule and uploads it, together with the other header parameters and all service parameters, to the entry of the gateway routing center.
In step S102, after receiving the service call request, the gateway service queries the client permission information and the API configuration.
Illustratively, the client permission information and the API configuration are prepared in advance. Every interface called through the middle-platform API gateway 1 must have its API configuration done; the API configuration includes interface configuration, which consists of the header _mt parameter (the method name of the API), the header _version parameter (the version number), the header _requestMode parameter (the request type), the header _sm parameter (the interface encryption rule), the real interface address, the rate-limit parameters of the interface request, whether the interface needs anti-replay checking, the anti-replay checking rule, the definition of the status codes returned by the interface, and so on. Every client that calls through the gateway 1 must also have its permissions configured; permission configuration comprises the client's global QPS limit, the client's method-level QPS limit and whether the client belongs to a blacklist or whitelist.
Illustratively, when interface configuration and permission configuration are carried out, the configuration data is stored in the database and synchronously updated to the first-level and second-level caches at the same time.
In step S103, after the client permission information has been queried, the validity of the client identity is checked, and once the validity check passes it is determined from the client's rate-limiting configuration whether the current request exceeds the QPS limit.
Illustratively, whether the identity of the client is legal is checked; if it is legal, the check passes and the next operation proceeds, otherwise the service call request is intercepted.
For example, the client rate-limiting configuration is implemented on Redis + Lua, and flow control can be maintained at a fine granularity such as a particular method of a particular user. For example, if the platform limits a third-party developer's application to a maximum of 5 calls per second to a method (the getUser method), then when the concurrent flow exceeds 6 per second the calls are liable to be rate-limited; the request is not actually forwarded to the getUser method, which reduces the load on the business system.
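The two-tier limit described above (a global QPS limit per client plus a method-level QPS limit), as an added example that is not the patent's code: the patent keeps the counters in Redis + Lua so every gateway node shares them, while this stand-in keeps a sliding one-second window in memory with an injected clock; the limit table and the `global_qps` / `method_qps` names are assumptions.

```python
from collections import deque

# Constructed stand-in for the client permission information: one global QPS
# limit and per-method QPS limits (assumed field names, not the patent's).
LIMITS = {
    "app-001": {"global_qps": 10, "method_qps": {"getUser": 5}},
}


class QpsLimiter:
    """Sliding one-second window per client and per (client, method).

    The patent implements this on Redis + Lua so that all gateway nodes see
    the same counts; here the windows live in process memory and the caller
    passes the current time, which keeps the logic deterministic for tests.
    """

    def __init__(self, limits):
        self.limits = limits
        self.windows = {}  # key -> deque of request timestamps (seconds)

    def _window(self, key, now):
        """Return the deque for key with entries older than one second dropped."""
        q = self.windows.setdefault(key, deque())
        while q and q[0] <= now - 1.0:
            q.popleft()
        return q

    def allow(self, client, method, now):
        """True if the request may be forwarded, False if it is rate-limited."""
        cfg = self.limits.get(client)
        if cfg is None:
            return False  # no permission configuration: intercept (step S103)
        global_q = self._window(("global", client), now)
        method_q = self._window(("method", client, method), now)
        # A method without its own limit falls back to the client's global limit.
        method_limit = cfg["method_qps"].get(method, cfg["global_qps"])
        if len(global_q) >= cfg["global_qps"] or len(method_q) >= method_limit:
            return False  # the real service is never called for this request
        global_q.append(now)
        method_q.append(now)
        return True
```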
In step S104, after the client identity and rate-limit checks pass, reverse signature verification is performed on the header parameters transmitted by the client, matching whether the transmitted header _sig parameter is consistent with the token produced by the reverse signature.
Illustratively, the header _sig parameter value transmitted by the client is compared with the reversely generated signature token. When the two are inconsistent, the value is judged to be an illegal signature, i.e. the reverse signature verification fails, and the current request is intercepted; when they are consistent, the value is judged to be a legal signature, i.e. the reverse signature verification passes, and the next operation proceeds.
In step S105, after the reverse signature verification passes, the header _timestamp parameter and the anti-replay _nonce field are checked according to the current API configuration, and anti-replay verification is performed on the API request when a lifetime is configured for the specified API.
Illustratively, the time validity of the API request is checked by verifying the header _timestamp parameter (the timestamp field): if the timestamp lies within the configured validity period, the API request is judged to be a valid service call request and the next operation proceeds, otherwise the service call request is intercepted.
Illustratively, when a lifetime is configured for the specified API, anti-replay verification is performed according to the configured anti-replay rule, the anti-replay _nonce field transmitted by the client and the header _sig parameter transmitted by the client; specifically, it is checked whether the same interface request has been repeated (a replay attack) within the set time. If not, the anti-replay verification passes and the next operation proceeds; if so, the anti-replay verification fails, the current request is intercepted and the interface is added to the blacklist. For example, it can be configured whether the same interface attack is detected within 1 minute.
In step S106, after the anti-replay verification passes, the real routing address of the API is obtained, the service parameters transmitted by the client are packaged into a request object for the HTTP call, and the real return data of the API is taken once the call succeeds.
In step S107, the data returned by the API is processed uniformly by the anti-corruption layer, after which a structured object in a fixed format is returned.
Illustratively, each backend microservice may be written in a different language and expose a different protocol, such as HTTP, Dubbo or gRPC, but the client cannot be expected to adapt to all of these protocols, so the middle-platform gateway routing center is entered uniformly over HTTP and then performs HTTP forwarding or a Dubbo or gRPC remote call according to the API configuration. After the call succeeds, the anti-corruption layer processes the result and returns a structured object in a fixed format, such as a JSON or XML object, so that the different protocols and their different return results are made compatible; this is the preferred technical scheme.
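The client-side signing of step S101 and the gateway checks of steps S102 to S106 (client lookup, identity validity, reverse signature, timestamp validity, nonce-based anti-replay, real route) as an added example written for this page, not code from the patent. The patent does not fix the signature rule, so HMAC-SHA256 over the sorted header and service parameters with a per-client shared secret is an assumption, as are the client registry, the API configuration table and the _client header name.

```python
import hashlib
import hmac

# Constructed client permission information (assumption: each client holds a
# shared secret; whitelist/blacklist is reduced to one flag).
CLIENTS = {
    "app-001": {"secret": b"constructed-secret-001", "blacklisted": False},
    "app-002": {"secret": b"constructed-secret-002", "blacklisted": True},
}

# Constructed API configuration keyed by (_mt, _version), the pair the patent
# says identifies the unique API; "lifetime" is the anti-replay window in seconds.
API_CONFIG = {
    ("getUser", "1.0"): {"route": "http://user-svc.internal/getUser", "lifetime": 60},
}

REQUIRED = ("_client", "_mt", "_version", "_timestamp", "_nonce", "_sig")


def sign(secret, headers, params):
    """Assumed signature rule: HMAC-SHA256 over every header except _sig plus
    every service parameter, sorted by key and joined as k=v&k=v.  Because
    _nonce and _timestamp are covered, a replayer cannot refresh them."""
    material = {k: v for k, v in headers.items() if k != "_sig"}
    material.update(params)
    canon = "&".join(f"{k}={material[k]}" for k in sorted(material))
    return hmac.new(secret, canon.encode(), hashlib.sha256).hexdigest()


def build_request(client, secret, mt, version, params, now, nonce):
    """Client side (step S101): assemble the header parameters and attach _sig."""
    headers = {"_client": client, "_mt": mt, "_version": version,
               "_timestamp": str(int(now)), "_nonce": nonce}
    headers["_sig"] = sign(secret, headers, params)
    return headers, params


class Gateway:
    def __init__(self):
        self.seen = {}  # nonce -> expiry time; the anti-replay memory

    def check(self, headers, params, now):
        """Run steps S102-S106 in order; return (ok, reason_or_real_route)."""
        if any(k not in headers for k in REQUIRED):
            return False, "missing header parameter"
        client = CLIENTS.get(headers["_client"])            # S102: permission info
        api = API_CONFIG.get((headers["_mt"], headers["_version"]))  # S102: API config
        if client is None or api is None:
            return False, "client or API not configured"
        if client["blacklisted"]:                            # S103: identity validity
            return False, "client identity invalid"
        expected = sign(client["secret"], headers, params)   # S104: reverse signature
        if not hmac.compare_digest(expected.encode(), str(headers["_sig"]).encode()):
            return False, "illegal signature"
        try:
            ts = int(headers["_timestamp"])
        except ValueError:
            return False, "bad timestamp"
        if abs(now - ts) > api["lifetime"]:                  # S105: time validity
            return False, "timestamp outside validity period"
        self._expire(now)
        if headers["_nonce"] in self.seen:                   # S105: anti-replay
            return False, "replayed request"
        self.seen[headers["_nonce"]] = now + api["lifetime"]
        return True, api["route"]                            # S106: real routing address

    def _expire(self, now):
        """Drop nonces older than the API lifetime; the timestamp check makes
        anything older unverifiable anyway, so the memory stays bounded."""
        self.seen = {n: t for n, t in self.seen.items() if t > now}
```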
In step S102, when the client permission information and the API configuration are queried, they are first loaded from the second-level cache; if the related data cannot be found in the second-level cache, it is queried from the first-level cache; if it cannot be found in either cache level, it is queried from the database, and the database synchronously updates both cache levels by reloading the data; if the database also cannot find the related data, the API requested by the current service call is not configured or the client permission information does not exist, and the current request is intercepted.
The first-level cache is implemented on Redis; the derived service is edas-bus-Redis, which supports: Redis in standalone, sentinel and Cluster deployments, and Redis instantiation; dynamic instantiation; exception alarms and service degradation; bringing Redis online or offline at any time; and cluster deployment with horizontal scaling to save resources.
In addition, the second-level cache is implemented on the JDK ConcurrentHashMap and is kept consistent across the cluster by subscribing to and publishing Apollo events: when an API changes, the second-level cache generates a publish event through publishNamespace of the Apollo client, and the Apollo client on each node listens for the change notification through the onChange event of ApolloConfigChangeListener. To prevent dirty reads, the second-level cache is lazily loaded: a deleted second-level cache entry is automatically refilled by the next service call request.
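The lookup order of step S102 (second-level cache, then first-level cache, then database, with interception when nothing is configured) and the lazy refill of claims 2 and 3, as an added example that is not code from the patent. The Redis-like store, the database dictionary, the hit counters and the eviction handler for a configuration-change event are all assumptions; the patent describes only the second-level event, so evicting the first level in the handler is an added choice.

```python
from typing import Any, Dict, Optional

# Constructed stand-in for the gateway configuration database; keys are "_mt:_version",
# the two header parameters that together identify one API.
DATABASE: Dict[str, Dict[str, Any]] = {
    "order.create:1.0": {"route": "http://order-svc.internal/create", "protocol": "http"},
    "order.query:1.0": {"route": "dubbo://order-svc.internal/OrderService.query", "protocol": "dubbo"},
}


class RedisLikeStore:
    """In-process stand-in for the Redis-backed first-level cache (assumed interface)."""

    def __init__(self) -> None:
        self._data: Dict[str, Dict[str, Any]] = {}

    def get(self, key: str) -> Optional[Dict[str, Any]]:
        return self._data.get(key)

    def set(self, key: str, value: Dict[str, Any]) -> None:
        self._data[key] = value

    def delete(self, key: str) -> None:
        self._data.pop(key, None)


class ApiConfigCache:
    """Tiered lookup: L2 (per-node map) -> L1 (shared Redis-like store) -> database."""

    def __init__(self, l1: RedisLikeStore, db: Dict[str, Dict[str, Any]]) -> None:
        self.l2: Dict[str, Dict[str, Any]] = {}   # stands in for the JDK ConcurrentHashMap
        self.l1 = l1
        self.db = db
        self.hits = {"l2": 0, "l1": 0, "db": 0, "miss": 0}

    def lookup(self, api_key: str) -> Optional[Dict[str, Any]]:
        cfg = self.l2.get(api_key)
        if cfg is not None:
            self.hits["l2"] += 1
            return cfg
        cfg = self.l1.get(api_key)
        if cfg is not None:
            self.hits["l1"] += 1
            self.l2[api_key] = cfg          # lazy refill of the missing L2 entry
            return cfg
        cfg = self.db.get(api_key)
        if cfg is not None:
            self.hits["db"] += 1
            self.l1.set(api_key, cfg)       # reload into both cache levels
            self.l2[api_key] = cfg
            return cfg
        self.hits["miss"] += 1
        return None                          # not configured: the caller intercepts

    def on_config_change(self, api_key: str) -> None:
        """Handler for the Apollo-style change notification: evict, do not overwrite.

        Evicting rather than pushing the new value means the next request reloads
        from the database, so no node keeps serving a stale (dirty) entry.
        Evicting L1 as well is an assumption beyond the patent text.
        """
        self.l2.pop(api_key, None)
        self.l1.delete(api_key)


def authorize_route(cache: ApiConfigCache, mt: str, version: str) -> Dict[str, Any]:
    """Gateway decision for one request: intercept when the API has no configuration."""
    cfg = cache.lookup(f"{mt}:{version}")
    if cfg is None:
        return {"decision": "intercept", "reason": "API not configured"}
    return {"decision": "route", "protocol": cfg["protocol"], "route": cfg["route"]}


if __name__ == "__main__":
    cache = ApiConfigCache(RedisLikeStore(), DATABASE)
    print(authorize_route(cache, "order.create", "1.0"))   # served from the database
    print(authorize_route(cache, "order.create", "1.0"))   # served from L2
    print(authorize_route(cache, "order.delete", "1.0"))   # intercepted
    print(cache.hits)
```

The miss path matters as much as the hit path: an unconfigured API or unknown client must fall through every level and be intercepted, never routed by default.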
As a preferred technical scheme, the invention further includes step S108. In step S108, after the whole call chain has completed, the request parameters, request method, request result, caller identity information, geographic information and time consumption of the whole call are collected and reported for later trace-back investigation. This enhances the transparency between service calls, makes the performance indicators of each service, such as traffic, concurrency and time consumption, clearly visible through service call analysis, and provides strong data support for the optimization and improvement of subsequent services.
Embodiment 2
Referring to fig. 3, the middle-station API gateway 1 provided in embodiment 2 of the invention is used to implement the method for quickly constructing a service call of embodiment 1. As shown in fig. 3, the middle-station API gateway 1 includes:
the unified authentication module 11: the web browser or app sends a service call request to the unified authentication module 11, and the client generates the message header _sig parameter according to the signature rule and uploads it, together with the other message header parameters and all service parameters, to the entry of the gateway routing center.
The gateway configuration module 12 queries the client permission information and the API configuration after receiving the service call request; the specific details of the client permission information and the API configuration are as described in embodiment 1 and are not repeated here.
The legality check module 13 checks the legality of the client identity after the client permission information has been queried and, after the legality check passes, judges according to the client's rate-limiting configuration whether the current request exceeds the QPS (queries per second) limit. The specific details of the check are as described in embodiment 1 and are not repeated here.
The signature verification module 14 performs reverse signature verification on the message header parameters transmitted by the client after the client identity and rate-limit checks pass, and matches whether the transmitted message header _sig parameter is consistent with the token generated by the reverse signature. The specific details of signature verification are as described in embodiment 1 and are not repeated here.
The anti-replay verification module 15, after the reverse signature verification passes, checks the message header _timestamp parameter and the anti-replay _nonce field according to the current API configuration and, when the lifetime specified in the configuration exists, performs anti-replay verification on the API request. The specific details of anti-replay verification are as described in embodiment 1 and are not repeated here.
The service call module 16 obtains the real routing address configured for the API after the anti-replay verification passes, packages the service parameters transmitted by the client into a request object for the HTTP call, and takes the real return data of the API after the call succeeds.
The domain-driven module 17 uniformly processes the data returned by the API through the anti-corruption layer and then returns a structured object in a fixed format. The specific details of the data processing are as described in embodiment 1 and are not repeated here.
After the whole call chain has completed, the data collection module 18 reports the request parameters, request method, request result, caller identity information, geographic information and time consumption of the whole call for later trace-back investigation; this enhances transparency between service calls, makes performance indicators such as traffic, concurrency and time consumption of each service clearly visible through service call analysis, and provides strong data support for the optimization and improvement of subsequent services.
Because all API calls are processed uniformly through the middle-station API gateway, on the one hand the gateway supports multiple signature algorithms, performs cryptographic verification of the data and effectively intercepts repeated requests and similar abuse at every data interface, which strengthens data governance and security; on the other hand, the gateway reduces coupling between systems, lets microservices concentrate on business logic, shortens the response time of the whole system, and allows service calls to be constructed quickly.
The above embodiments are merely preferred embodiments that fully illustrate the invention, and the scope of the invention is not limited to them. Equivalent substitutions or changes made by persons skilled in the art on the basis of the invention all fall within its protection scope. The protection scope of the invention is defined by the claims.

Claims (10)

1. A method for quickly constructing a service call, characterized in that all Application Program Interface (API) calls are uniformly processed through a middle-station API gateway, the method comprising the following steps:
a web browser or app initiates a service call request, and the client generates a message header _sig parameter according to a signature rule and uploads it, together with the other message header parameters and all service parameters, to the entry of a gateway routing center;
after receiving the service call request, the gateway service queries the client permission information and the API configuration;
after the client permission information has been queried, a legality check is performed on the client identity, and after the legality check passes, it is judged according to the client's rate-limiting configuration whether the current request exceeds the queries-per-second (QPS) limit;
after the client identity and rate-limit checks pass, reverse signature verification is performed on the message header parameters transmitted by the client, matching whether the transmitted message header _sig parameter is consistent with the token generated by the reverse signature;
after the reverse signature verification passes, the message header _timestamp parameter and the anti-replay _nonce field are checked according to the current API configuration, and when the lifetime specified by the API configuration is configured and exists, anti-replay verification is performed on the API request;
after the anti-replay verification passes, the real routing address of the API is obtained, the service parameters transmitted by the client are packaged into a request object for the HTTP call, and the real return data of the API is taken after the HTTP call succeeds;
and the data returned by the API is uniformly processed through the anti-corruption layer, after which a structured object in a fixed format is returned.
2. The method for quickly constructing a service call according to claim 1, characterized in that: when the client permission information and the API configuration are queried, they are first loaded from the second-level cache, and if the related data cannot be found in the second-level cache, they are queried from the first-level cache;
when the related data cannot be found in either cache level, it is queried from the database, and the database synchronously updates the first-level cache and the second-level cache by reloading the data;
when the database cannot find the related data either, the API requested by the current service call is not configured or the client permission information does not exist, and the current request is intercepted.
3. The method for quickly constructing a service call according to claim 2, characterized in that: the second-level cache is based on lazy loading, wherein a deleted or non-existent second-level cache entry is automatically filled by the next correct service call request.
4. The method for quickly constructing a service call according to claim 2, characterized in that: the client permission information includes the configured global QPS limit of the client, the configured method-level QPS limit of the client, and whether the configured client belongs to a blacklist or whitelist.
5. The method for quickly constructing a service call according to claim 2, characterized in that: the API configuration comprises interface configuration, the interface configuration comprises the configuration of a message header _mt parameter, a message header _version parameter, a message header _requestMode parameter and a message header _sm parameter, and the message header _mt parameter and the message header _version parameter together identify a unique API.
6. The method for quickly constructing a service call according to claim 1, characterized in that: the reverse signature verification of the message header _sig parameter transmitted by the client comprises the following steps:
comparing the message header _sig parameter value transmitted by the client with the reversely generated signature token;
when the message header _sig parameter value transmitted by the client is consistent with the reversely generated signature token, judging it to be a legal signature, that is, the reverse signature verification passes;
when the message header _sig parameter value transmitted by the client is inconsistent with the reversely generated signature token, judging it to be an illegal signature, that is, the reverse signature verification fails, and intercepting the current request.
7. The method for quickly constructing a service call according to claim 1, characterized in that: the anti-replay verification of the API request comprises:
verifying whether an identical request (a replay) exists within the set time;
when no identical request exists, the anti-replay verification passes;
when an identical request exists, the anti-replay verification fails and the current request is intercepted.
8. The method for quickly constructing a service call according to claim 1, characterized by further comprising: after the whole call chain has completed, collecting and reporting the request parameters, request method, request result, caller identity information, geographic information and time consumption of the whole call for later trace-back investigation.
9. A middle-station API gateway, comprising:
a unified authentication module, to which a web browser or app sends a service call request, wherein the client generates a message header _sig parameter according to a signature rule and uploads it, together with the other message header parameters and all service parameters, to the entry of a gateway routing center;
a gateway configuration module, configured to query the client permission information and the API configuration after receiving the service call request;
a legality check module, configured to check the legality of the client identity after the client permission information has been queried and, after the legality check passes, to judge according to the client's rate-limiting configuration whether the current request exceeds the QPS limit;
a signature verification module, configured to perform reverse signature verification on the message header parameters transmitted by the client after the client identity and rate-limit checks pass, and to match whether the transmitted message header _sig parameter is consistent with the token generated by the reverse signature;
an anti-replay verification module, configured to check the message header _timestamp parameter and the anti-replay _nonce field according to the current API configuration after the reverse signature verification passes, and to perform anti-replay verification on the API request when the lifetime specified by the API configuration is configured and exists;
a service call module, configured to obtain the real routing address configured for the API after the anti-replay verification passes, to package the service parameters transmitted by the client into a request object for the HTTP call, and to take the real return data of the API after the call succeeds;
and a domain-driven module, configured to uniformly process the data returned by the API through the anti-corruption layer and then return a structured object in a fixed format.
10. The middle-station API gateway according to claim 9, characterized by further comprising: a data collection module which, after the whole call chain has completed, reports the request parameters, request method, request result, caller identity information, geographic information and time consumption of the whole call for later trace-back investigation.
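The verification chain of modules 13 to 15 in embodiment 2 (legality check, QPS limit, reverse signature, anti-replay) and of claims 6 and 7, as an added example that is not code from the patent. The client registry, the API configuration, the `_appKey` client-identifier header, the canonical-string signature rule (HMAC-SHA256 over the sorted signed headers and sorted service parameters) and the sliding one-second QPS window are all assumptions; the patent names the `_mt`, `_version`, `_sm`, `_timestamp`, `_nonce` and `_sig` headers but does not fix the signature algorithm or the window shape.

```python
import hashlib
import hmac
import time
from collections import deque
from typing import Callable, Deque, Dict, Tuple

# Constructed client permission information (the patent loads this from cache/database).
CLIENTS: Dict[str, Dict] = {
    "demo-client": {
        "secret": b"constructed-demo-secret",      # shared secret used by the signature rule
        "global_qps": 10,
        "method_qps": {"order.create": 3},
        "blacklisted": False,
    },
}

# Constructed API configuration keyed by "_mt:_version"; nonce_lifetime is the replay window (s).
APIS: Dict[str, Dict] = {"order.create:1.0": {"nonce_lifetime": 300}}

# Header parameters covered by the signature; "_appKey" is an assumed client-identifier name.
SIGNED_HEADERS = ("_appKey", "_mt", "_version", "_sm", "_timestamp", "_nonce")


def canonical_string(headers: Dict[str, str], params: Dict[str, str]) -> str:
    """Assumed signature rule: sorted signed headers, then sorted service parameters."""
    head = "&".join(f"{k}={headers[k]}" for k in sorted(SIGNED_HEADERS))
    body = "&".join(f"{k}={v}" for k, v in sorted(params.items()))
    return head + "|" + body


def sign(secret: bytes, headers: Dict[str, str], params: Dict[str, str]) -> str:
    """HMAC-SHA256 over the canonical string; client and gateway both compute this."""
    return hmac.new(secret, canonical_string(headers, params).encode(), hashlib.sha256).hexdigest()


def build_signed_request(client_id: str, nonce: str, timestamp: int, params: Dict[str, str]) -> Dict[str, str]:
    """What a cooperating client does: fill the headers, then attach _sig (uses its own copy of the secret)."""
    headers = {"_appKey": client_id, "_mt": "order.create", "_version": "1.0",
               "_sm": "HmacSHA256", "_timestamp": str(timestamp), "_nonce": nonce}
    headers["_sig"] = sign(CLIENTS[client_id]["secret"], headers, params)
    return headers


class Gateway:
    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self.clock = clock
        self._windows: Dict[str, Deque[float]] = {}          # per-key one-second QPS windows
        self._nonces: Dict[Tuple[str, str], float] = {}      # (client, nonce) -> expiry time

    def _over_qps(self, key: str, limit: int) -> bool:
        now = self.clock()
        win = self._windows.setdefault(key, deque())
        while win and now - win[0] >= 1.0:
            win.popleft()
        if len(win) >= limit:
            return True
        win.append(now)
        return False

    def _replayed(self, client: str, nonce: str, lifetime: int) -> bool:
        now = self.clock()
        for k in [k for k, exp in self._nonces.items() if exp <= now]:
            del self._nonces[k]                                # keep the nonce store bounded
        if (client, nonce) in self._nonces:
            return True
        self._nonces[(client, nonce)] = now + lifetime
        return False

    def handle(self, headers: Dict[str, str], params: Dict[str, str]) -> Tuple[str, str]:
        missing = [k for k in SIGNED_HEADERS + ("_sig",) if k not in headers]
        if missing:
            return "intercepted", f"missing header {missing[0]}"
        client_id, mt = headers["_appKey"], headers["_mt"]
        client = CLIENTS.get(client_id)
        api = APIS.get(f"{mt}:{headers['_version']}")
        if client is None or api is None:
            return "intercepted", "unknown client or unconfigured API"
        # Legality check, then rate limiting, in the order the patent describes.
        if client["blacklisted"]:
            return "intercepted", "client blacklisted"
        if self._over_qps(client_id, client["global_qps"]):
            return "intercepted", "global qps limit"
        method_limit = client["method_qps"].get(mt)
        if method_limit is not None and self._over_qps(f"{client_id}/{mt}", method_limit):
            return "intercepted", "method qps limit"
        # Reverse signature: recompute the token and compare in constant time.
        if not hmac.compare_digest(sign(client["secret"], headers, params), headers["_sig"]):
            return "intercepted", "signature mismatch"
        # Anti-replay: timestamp inside the configured lifetime, nonce unused within it.
        try:
            ts = int(headers["_timestamp"])
        except ValueError:
            return "intercepted", "malformed timestamp"
        if abs(self.clock() - ts) > api["nonce_lifetime"]:
            return "intercepted", "timestamp outside lifetime"
        if self._replayed(client_id, headers["_nonce"], api["nonce_lifetime"]):
            return "intercepted", "replayed nonce"
        return "ok", f"{mt}:{headers['_version']}"
```

Two design points worth noting. The nonce store is keyed per client and expires with the same lifetime as the timestamp window, so it stays bounded: a nonce older than the window would be rejected by the timestamp check anyway. And because the QPS counters are consumed before the signature is verified (the patent's order), requests with a bad signature still count against the named client's quota; a deployment that wants to keep forged traffic from exhausting a legitimate client's budget would add a per-source limit in front of this chain.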
CN202011247508.3A 2020-11-10 2020-11-10 Method for quickly constructing service call and middle station API gateway Active CN112367321B (en)

Publications (2)

Publication Number Publication Date
CN112367321A CN112367321A (en) 2021-02-12
CN112367321B true CN112367321B (en) 2021-11-02

Family

ID=74508637

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant