CN115828309B - Service calling method and system - Google Patents

Info

Publication number: CN115828309B
Application number: CN202310111684.1A
Authority: CN (China)
Prior art keywords: service, token, self, caller, calling party
Legal status: Active (as listed by Google Patents; not a legal conclusion)
Other languages: Chinese (zh)
Other versions: CN115828309A
Inventors: 陈林博, 何支军, 颜挺进, 焦振海, 陈心亮, 吴昌原, 王铭玮
Current assignee: China Securities Depository And Clearing Corp ltd (as listed by Google Patents)
Original assignee: China Securities Depository And Clearing Corp ltd
Application filed by China Securities Depository And Clearing Corp ltd
Priority to CN202310111684.1A
Publication of CN115828309A
Application granted
Publication of CN115828309B

Landscapes

  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)
Abstract

The invention discloses a service calling method and system in the field of computer technology. In one embodiment the method comprises: a service caller sends a service call request carrying a self-resolving token to a service provider, the token having been generated by a security center from the caller's identity information and the authority information of the services it may access; the service provider determines whether a token feature value for that caller is stored locally; if it is, the self-resolving token is verified against the token feature value to verify the caller's identity and accessible-service authority; if verification passes, the service provider determines the target service accessible to the caller and allows the caller to access it in response to the request. This reduces system-resource consumption and improves service performance.

Description

Service calling method and system
Technical Field
The present invention relates to the field of computer technologies, and in particular, to a service calling method and system.
Background
In a distributed microservice architecture, to secure the information exchange between a service caller and a service provider, the service provider contacts a security center after receiving each call request so that the security center can verify the caller's identity and authority.
In implementing the present invention, the inventors found at least the following problem in the prior art:
under a microservice architecture each application exposes its functions as fine-grained microservices, so the number of service callers and providers grows exponentially relative to a traditional monolithic architecture, and with it the rate at which call requests are issued. Having the security center verify every call request makes it the central node for a very large number of requests, so it is likely to become the performance bottleneck of the microservice architecture and seriously degrade service performance.
Disclosure of Invention
In view of this, embodiments of the present invention provide a service invocation method and system in which a service caller carries a self-resolving token, generated in advance by a security center, when it sends a call request to a service provider. On receiving the request the service provider verifies the self-resolving token against a locally stored token feature value; if the token passes, the provider determines the target service accessible to the caller and allows the caller to access it, thereby responding to the call request. Because the provider verifies the token itself, it does not need to contact the security center for every call request; accesses to the security center are reduced, system-resource consumption falls, and service performance improves.
To achieve the above object, according to an aspect of an embodiment of the present invention, there is provided a service invocation method.
The service calling method of the embodiment comprises: a service caller sends a service call request carrying a self-resolving token to a service provider, the token having been generated by a security center from the caller's identity information and the authority information of the services it may access;
the service provider determines whether a token feature value for the service caller is stored locally;
if the token feature value exists, the self-resolving token is verified against it to verify the caller's identity and accessible-service authority;
if verification passes, the service provider determines the target service accessible to the service caller and allows the caller to access the target service in response to the service call request.
Optionally, the method further comprises: the service caller sends a token generation request to the security center according to its identity information;
the security center verifies the identity information in response to the token generation request;
and, if verification passes, the security center generates the self-resolving token from the identity information, the caller's pre-stored access authority list and the security center's private key, and sends the token to the service caller.
Optionally, the identity information of the service caller includes an application name and an application type, and generating the self-resolving token from the identity information, the pre-stored access authority list and the private key comprises:
the security center computes a hash value of the access authority list and generates a random number for the token generation request;
computes a first token signature value from the application name, the application type, the hash value and the random number;
and signs the first token signature value with the private key to produce the self-resolving token.
Optionally, the method further comprises:
the security center determines an expiration time and token version information;
and computing the first token signature value from the application name, the application type, the hash value and the random number comprises:
computing a digest over the expiration time, the token version information, the application name, the application type, the hash value and the random number to obtain the first token signature value.
Optionally, the service caller sends the token generation request to the security center over an SSL communication link;
optionally, the security center sends the self-resolving token to the service caller over an SSL communication link.
Optionally, verifying the self-resolving token against the token feature value comprises:
determining whether the value of the self-resolving token is identical to the token feature value and, if so, determining that the self-resolving token passes verification.
Optionally, when the service provider has no token feature value stored locally, the method further comprises:
the service provider obtains from the security center the application name and application type of the service caller, the expiration time, the token version information, the hash value, the random number and the security center's public key;
computes a second token signature value from the application name and application type of the service caller, the expiration time, the token version information, the hash value and the random number;
and verifies the self-resolving token using the second token signature value and the public key.
Optionally, after the self-resolving token has passed verification using the second token signature value and the public key, the method further comprises:
storing the value of the self-resolving token locally as the token feature value of the service caller.
Optionally, the service provider determining the target service accessible to the service caller comprises:
the service provider computes hashes of the services it provides and determines the target service accessible to the service caller from the hash results and the service caller's access authority list.
To achieve the above object, according to still another aspect of the embodiments of the present invention, there is provided a service invocation system.
The service calling system of the embodiment comprises a service caller, a security center and a service provider, wherein
the security center generates a self-resolving token for the service caller from the caller's identity information and the authority information of the accessible services;
the service caller sends a service call request carrying the self-resolving token to the service provider;
the service provider determines whether a token feature value of the service caller is stored locally; if it is, verifies the self-resolving token against it to verify the caller's identity and accessible-service authority; and, if verification passes, determines the target service accessible to the caller and allows the caller to access it in response to the service call request.
To achieve the above object, according to still another aspect of the embodiments of the present invention, there is provided an electronic device for service invocation.
The electronic device for service invocation of the embodiment comprises one or more processors and a storage device storing one or more programs which, when executed by the one or more processors, cause them to carry out the service invocation method.
To achieve the above object, according to still another aspect of the embodiments of the present invention, there is provided a computer-readable storage medium.
The computer-readable storage medium of the embodiment stores a computer program which, when executed by a processor, carries out the service invocation method of the embodiment.
The embodiments above have the following advantage: because the service caller carries a pre-generated self-resolving token and the service provider verifies it locally against a stored token feature value, the provider does not need to contact the security center for every call request, which reduces the load on the security center, reduces system-resource consumption and improves service performance.
Further effects of the optional features above are described below in connection with the embodiments.
Drawings
The drawings are included to provide a better understanding of the invention and are not to be construed as unduly limiting the invention. Wherein:
FIG. 1 is a schematic diagram of the main steps of a service invocation method according to an embodiment of the invention;
FIG. 2 is a schematic diagram of the main architecture of a service invocation system according to an embodiment of the invention;
FIG. 3 is a schematic diagram of the main steps of another service invocation method according to an embodiment of the invention;
FIG. 4 is a schematic diagram of the major modules of a service invocation system according to an embodiment of the invention;
FIG. 5 is an exemplary system architecture diagram in which embodiments of the present invention may be applied;
FIG. 6 is a schematic diagram of a computer system suitable for implementing an embodiment of the invention.
Detailed Description
Exemplary embodiments of the present invention will now be described with reference to the accompanying drawings, in which various details of the embodiments of the present invention are included to facilitate understanding, and are to be considered merely exemplary. Accordingly, those of ordinary skill in the art will recognize that various changes and modifications of the embodiments described herein can be made without departing from the scope and spirit of the invention. Also, descriptions of well-known functions and constructions are omitted in the following description for clarity and conciseness.
It should be noted that the embodiments of the present invention and the technical features in the embodiments may be combined with each other without collision.
Fig. 1 is a schematic diagram of main steps of a service invocation method according to an embodiment of the present invention.
As shown in fig. 1, a service calling method in an embodiment of the present invention mainly includes the following steps:
step S101: a service caller sends a service call request carrying a self-resolving token to a service provider; the token was generated by a security center from the caller's identity information and the authority information of the accessible services;
step S102: the service provider determines whether a token feature value of the service caller is stored locally; if it is, step S103 is performed.
step S103: the self-resolving token is verified against the token feature value to verify the caller's identity and accessible-service authority; if verification passes, step S104 is performed.
step S104: the service provider determines the target service accessible to the service caller and allows the caller to access it in response to the service call request.
In the embodiment, a service caller establishes a mutual-trust relationship with the security center in advance, and the security center stores the identity information and authority information of every caller that has done so: the identity information comprises the caller's application name and application type, and the authority information comprises the list of services the caller is authorised to access. The caller requests a token from the security center before its first service call (for example at startup) or after the previously obtained self-resolving token has expired. Specifically, the caller sends a token generation request carrying its identity information to the security center; the security center verifies the identity information; and, if verification passes, generates the self-resolving token from the identity information, the caller's pre-stored access authority list and its own private key, and returns it to the caller.
The caller sends the token generation request, carrying its identity information and password, over an SSL (Secure Socket Layer; in current deployments TLS) link so that the credentials are encrypted in transit. On receiving the request the security center verifies the identity information, for example by checking the identity information and password carried in the request and determining whether the caller is one with a pre-established mutual-trust relationship (such as one pre-registered with the security center); if so, the identity information passes verification.
After the identity information passes verification, the security center generates the self-resolving token from the caller's identity information, its pre-stored access authority list and the security center's private key: it computes a hash value of the access authority list and generates a random number for this token generation request, computes a first token signature value from the caller's application name, application type, the hash value and the random number, and signs the first token signature value with its private key to produce the self-resolving token.
Further, the security center may also determine an expiration time and token version information for the token and include them in the digest, computing the first token signature value over the expiration time, token version information, application name, application type, hash value and random number.
In this embodiment, after receiving the caller's token generation request, the security center creates a self-resolving token specific to that caller from the caller's pre-stored authority information; the token is built from the fields shown in Table 1:
TABLE 1
Here the access authority list is the list of services the caller is authorised to access; the security center computes its hash and uses the hash, rather than the list itself, when generating the self-resolving token. The token expiration time is set by the security center, for example to a random instant 6 to 8 hours after the token is generated. The first token signature value is the digest computed over the caller's application name, application type, the hash of the access authority list, the random number, the token expiration time and the token version information; the security center then signs that digest with its own private key, and the result is the self-resolving token. The token is thus a character string built in two layers: the inner layer (the first token signature value) is a cryptographic hash of the caller's identity and authority information, and the outer layer is the security center's digital signature over that hash, made with an asymmetric-key algorithm. Neither layer is encryption in the confidentiality sense: the hash cannot be reversed to recover the fields, and the signature is checked with the public key (for RSA-style schemes that check is the public-key operation the description below calls decryption); anyone holding the public key can verify the token, but only the security center can produce one. After generating the token the security center returns it to the caller over the SSL link. The caller keeps the token in memory and need not request another while it is valid; it attaches the token to every service call request it subsequently sends to a service provider.
After receiving the service call request the service provider must verify the self-resolving token to establish the caller's identity and accessible authority. In one embodiment, if the provider already holds the caller's token feature value locally, it checks whether the value of the self-resolving token is identical to the token feature value and, if so, treats the token as verified. As described above, the self-resolving token is the security center's signature over the first token signature value and is simply a character string, so verification can be a direct comparison of that string with the token feature value stored at the provider. The token feature value is the value the provider stored after the token passed full verification the last time this caller sent a service call request with it. This fast path only confirms that the provider has previously verified this exact string; it does not itself re-check the expiration time, so the stored feature value must be given the same expiry as the token (see below), and a token that leaks remains usable by whoever holds it until it expires, so the token lifetime (6 to 8 hours in the example above) bounds the damage.
In another embodiment, when the caller sends a service call request with the self-resolving token for the first time, the provider has no token feature value for it locally. The provider then obtains from the security center the caller's application name and application type, the expiration time, the token version information, the hash value, the random number and the security center's public key; computes a second token signature value from the application name, application type, expiration time, token version information, hash value and random number; and verifies the self-resolving token with the second token signature value and the public key.
That is, the provider fetches the fields corresponding to the token from the security center, recomputes the digest with the same hash algorithm the security center used (the second token signature value), and checks the token against it with the security center's public key: with a signature scheme that supports message recovery (such as textbook RSA) this is done by applying the public key to the token to recover the first token signature value and comparing it with the recomputed second value; with other schemes the public-key verification operation takes the recomputed digest and the token as inputs directly. If the check succeeds the token was issued by the security center and the caller's identity verification passes. Note that this still costs one round trip to the security center per token, not per call; because the token is an opaque signature rather than a self-describing structure, the provider cannot recover the fields from the token alone.
The provider then verifies the service authority carried by the token to determine the target service accessible to the caller. In one embodiment the provider computes hashes of the services it provides and determines the target service from the hash results and the caller's access authority list.
Specifically, the provider hashes each service it provides and compares the results with the hashes of the entries in the caller's access authority list: a service that appears in the caller's list is one the caller is authorised to access, and one that does not is not, which yields the set of target services accessible to the caller. If the service the caller is requesting belongs to the target services, the provider allows the access and responds to the service call request; otherwise the caller has no authority for that service and the provider returns a token authority verification error to the caller.
After identity and authority verification both pass, the provider stores the value of the self-resolving token locally as the token feature value for that token, so that subsequent service call requests from the same caller with the same token are verified directly against the local feature value. When storing the feature value the provider sets its expiration time from the token's own expiration time, so that on receiving a later request with that token it can first determine whether a valid (unexpired) feature value exists and verify against it only while it is valid. In this way, after the first service call request with a given self-resolving token, the provider needs only the security center's public key (the verification key for the token) and the token's fields to verify the token and the caller's identity and authority, rather than contacting the security center on every call. This reduces the exposure of the account password during service calls (it is presented only when a token is requested), reduces traffic to the security center, reduces system-resource consumption and improves service performance.
The service invocation method is described further below in terms of the architecture shown in Fig. 2; as shown in Fig. 3, it may include the following steps:
step S301: the service caller sends a token generation request to the security center according to its identity information.
This step corresponds to the first step in Fig. 2, the service caller requesting a self-resolving token from the security center.
step S302: the security center verifies the caller's identity according to the token generation request. If verification passes, step S303 is performed; otherwise the token generation request is rejected and the flow ends.
step S303: the security center determines the expiration time and token version information and generates a random number, then computes a digest over the expiration time, token version information, random number, the caller's application name and application type, and the hash value of the access authority list to obtain the first token signature value.
step S304: the security center signs the first token signature value with its private key to obtain the self-resolving token and sends it to the service caller.
Steps S302 to S304 are the security center's token generation process and correspond to the security center returning the self-resolving token to the caller in Fig. 2.
step S305: the service caller sends a service call request carrying the self-resolving token to the service provider.
step S306: the service provider determines whether the caller's token feature value is stored locally; if so, step S307 is performed, otherwise step S308.
A locally stored token feature value indicates that this is not the caller's first service call request with this self-resolving token; its absence indicates either the first request with the token or that the previously held token has expired.
step S307: the self-resolving token is verified against the token feature value; if verification passes, step S309 is performed, otherwise the service call request is rejected and the flow ends.
step S308: the service provider obtains from the security center the caller's application name and application type, the expiration time, the token version information, the hash value, the random number and the security center's public key, computes the second token signature value, and verifies the self-resolving token using the second token signature value and the public key. If verification passes, step S309 is performed, otherwise the service call request is rejected and the flow ends.
The service provider also establishes a mutual-trust relationship with the security center in advance, so that on the first service call request with a self-resolving token it can obtain the security center's public key over that trusted relationship and verify the token's authenticity. A provider that accepted the public key from an untrusted source would accept tokens signed by whoever supplied the key, so the key must be fetched over an authenticated channel or pinned.
step S309: the service provider hashes the services it provides and determines the target service accessible to the caller from the hash results and the caller's access authority list.
step S310: the service provider allows the caller to access the target service in response to the service call request.
The hash comparison in step S309 and the allow/deny decision in step S310 are as described above for steps S103 and S104: a requested service found in the caller's access authority list is served; one that is not results in a token authority verification error being returned to the caller.
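The exchange of steps S301 to S310 (and the equivalent description of steps S101 to S104 above) as an added worked example in Go. This is illustrative code written for this page, not the patent's or the assignee's implementation. It assumes SHA-256 for the hash and the digest, Ed25519 for the security center's signature (the patent says only "private key"), a length-prefixed digest encoding, and an in-process security center that the provider queries by token string; the token request over SSL (steps S301/S302) is reduced to a registry lookup. The registered caller, service names and the 6-hour lifetime are constructed sample data.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/hex"
	"errors"
	"fmt"
	"sort"
	"strings"
	"time"
)

// TokenClaims are the inputs to the "first token signature value". The field set
// follows the patent; the names and the encoding below are this example's own.
type TokenClaims struct {
	Expiry  int64 // unix seconds (the patent picks a random instant 6-8 h out)
	Version string
	AppName string
	AppType string
	ACLHash string // hexSHA of the caller's sorted access-authority list
	Nonce   string // per-request random number
}

func hexSHA(b []byte) string { s := sha256.Sum256(b); return hex.EncodeToString(s[:]) }

func hashACL(acl []string) string { // sort first so the same set always hashes equal
	s := append([]string(nil), acl...)
	sort.Strings(s)
	return hexSHA([]byte(strings.Join(s, "\n")))
}

// digest is the first token signature value: SHA-256 over the length-prefixed
// claims (the prefix stops "ab","c" colliding with "a","bc").
func digest(c TokenClaims) []byte {
	h := sha256.New()
	for _, f := range []string{fmt.Sprint(c.Expiry), c.Version, c.AppName, c.AppType, c.ACLHash, c.Nonce} {
		fmt.Fprintf(h, "%d:%s;", len(f), f)
	}
	return h.Sum(nil)
}

// SecurityCenter keeps the signing key, the registered callers' ACLs and the claims
// of every issued token, which a provider fetches once per token (step S308).
type SecurityCenter struct {
	priv   ed25519.PrivateKey
	Pub    ed25519.PublicKey
	acls   map[string][]string
	issued map[string]TokenClaims
}

func NewSecurityCenter(acls map[string][]string) *SecurityCenter {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // crypto/rand does not fail on supported platforms
	return &SecurityCenter{priv, pub, acls, map[string]TokenClaims{}}
}

// SetACL changes a registered caller's list; tokens issued earlier no longer match it.
func (sc *SecurityCenter) SetACL(appName string, acl []string) { sc.acls[appName] = acl }

// Issue is steps S303/S304. The token is the bare Ed25519 signature over the
// digest, so it is opaque to everyone but the security center.
func (sc *SecurityCenter) Issue(appName, appType string, ttl time.Duration) (string, error) {
	acl, ok := sc.acls[appName]
	if !ok {
		return "", errors.New("caller not registered")
	}
	nonce := make([]byte, 16)
	rand.Read(nonce) // never returns an error in current Go
	c := TokenClaims{time.Now().Add(ttl).Unix(), "1", appName, appType, hashACL(acl), hex.EncodeToString(nonce)}
	tok := base64.RawURLEncoding.EncodeToString(ed25519.Sign(sc.priv, digest(c)))
	sc.issued[tok] = c
	return tok, nil
}

// Lookup is the single security-center round trip a provider makes per token.
func (sc *SecurityCenter) Lookup(tok string) (c TokenClaims, acl []string, ok bool) {
	c, ok = sc.issued[tok]
	return c, sc.acls[c.AppName], ok
}

type cacheEntry struct {
	allowed map[string]bool // hexSHA(service name) for each authorised service
	expiry  time.Time
}

// ServiceProvider caches verified tokens (the "token feature values") keyed by the
// exact token string and bounded by the token's own expiry.
type ServiceProvider struct {
	SC      *SecurityCenter
	cache   map[string]cacheEntry
	Now     func() time.Time // injectable clock
	Lookups int              // security-center round trips made so far
}

func NewServiceProvider(sc *SecurityCenter) *ServiceProvider {
	return &ServiceProvider{SC: sc, cache: map[string]cacheEntry{}, Now: time.Now}
}

// Call is steps S306-S310 for one service-call request.
func (p *ServiceProvider) Call(tok, service string) error {
	e, hit := p.cache[tok]
	if !hit || !p.Now().Before(e.expiry) { // S308: first use, or the cached value has expired
		c, acl, ok := p.SC.Lookup(tok)
		p.Lookups++
		sig, err := base64.RawURLEncoding.DecodeString(tok)
		switch {
		case !ok:
			return errors.New("token unknown to security center")
		case p.Now().Unix() >= c.Expiry:
			return errors.New("token expired")
		case hashACL(acl) != c.ACLHash: // the list itself is unsigned: bind it to the signed hash
			return errors.New("access list does not match signed hash")
		case err != nil || !ed25519.Verify(p.SC.Pub, digest(c), sig):
			return errors.New("signature invalid")
		}
		e = cacheEntry{map[string]bool{}, time.Unix(c.Expiry, 0)}
		for _, s := range acl {
			e.allowed[hexSHA([]byte(s))] = true
		}
		p.cache[tok] = e // S307: later requests with this token skip the security center
	}
	if !e.allowed[hexSHA([]byte(service))] { // S309: hashed service vs hashed ACL
		return errors.New("token permission verification error")
	}
	return nil // S310: allow access to the target service
}

func main() {
	sc := NewSecurityCenter(map[string][]string{"order-app": {"orders.list", "orders.create"}})
	p := NewServiceProvider(sc)
	tok, _ := sc.Issue("order-app", "web", 6*time.Hour)
	for _, svc := range []string{"orders.list", "orders.create", "admin.reset"} {
		fmt.Printf("%-14s err=%v  lookups=%d\n", svc, p.Call(tok, svc), p.Lookups)
	}
}
```

Running it, the first call to orders.list costs one Lookup, the second call is served from the cache, and admin.reset is refused even though the token itself is valid. Two points are worth noting: the provider re-hashes the access list it fetches and rejects it if the hash differs from the signed ACLHash, because the list itself is not covered by the signature; and the cached feature value carries the token's expiration, as the description requires, so the fast path cannot outlive the token.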
According to the service calling method, when the service calling party sends the calling request to the service provider, the service calling party carries the self-analysis token which is generated in advance by the security center. After receiving the call request, the service provider can verify the self-analysis token according to the locally stored token characteristic value, and under the condition that the self-analysis token passes the verification, the service provider determines the target service accessible by the service caller and allows the service caller to access the target service, so that the service caller responds to the service call request. Therefore, through the method for verifying the self-analysis token, the service provider does not need to access the security center after receiving the call request each time, so that the security center verifies the call request, frequent access to the security center server is reduced, occupation of system resources is reduced, and service performance is improved.
Fig. 4 is a schematic diagram of the main modules of a service invocation system according to an embodiment of the invention.
As shown in fig. 4, a service invocation system 400 according to an embodiment of the present invention includes: a service caller 401, a security center 402, and a service provider 403; wherein,
the security center 402 is configured to generate a self-resolved token corresponding to the service caller 401 according to the identity information of the service caller 401 and the authority information of the accessible service;
The service caller 401 is configured to send a service call request to the service provider 403 according to the self-resolving token;
the service provider 403 is configured to determine whether a token feature value of the service caller is locally stored; if the token characteristic value exists, verifying the self-analysis token according to the token characteristic value so as to verify the identity of the service calling party and the accessible service authority; in case the verification is passed, a target service accessible to the service invoker 401 is determined and the service invoker 401 is allowed to access the target service in response to the service invocation request.
In one embodiment of the present invention, the service caller 401 is configured to send a token generation request to the security center 402 according to its own identity information;
the security center is configured to respond to the token generation request by verifying the identity information; if the verification passes, the self-analysis token is generated from the identity information, the prestored access authority list of the service caller 401 and the security center's own private key, and is sent to the service caller 401.
In one embodiment of the present invention, the identity information of the service caller includes an application name and an application type; the security center 402 is configured to calculate a hash value of the access authority list and generate a random number corresponding to the token generation request; calculating a first token signature value according to the application name, the application type, the hash value and the random number; and signing the first token signature value by utilizing the private key to generate the self-analysis token.
In one embodiment of the present invention, the security center 402 is configured to determine expiration time and token version information; and performing digest calculation on the expiration time, the token version information, the application name, the application type, the hash value and the random number to obtain the first token signature value.
In one embodiment of the invention, the service caller sends the token generation request to the security center based on an SSL communication link.
In one embodiment of the invention, the security center sends the self-resolving token to the service caller based on an SSL communication link.
In one embodiment of the present invention, the service provider 403 is configured to determine whether the value of the self-resolved token is the same as the token feature value, and in the same case, determine that the self-resolved token passes verification.
In one embodiment of the present invention, when the token feature value is not stored locally at the service provider, the service provider 403 is configured to obtain from the security center 402 the application name and application type of the service caller 401, the expiration time, the token version information, the hash value, the random number and the public key of the security center; calculate a second token signature value from the application name and application type of the service caller, the expiration time, the token version information, the hash value and the random number; and verify the self-analysis token according to the second token signature value and the public key.
In one embodiment of the present invention, the service provider 403 is further configured to store the value of the self-resolving token locally as the token feature value of the service caller.
In one embodiment of the present invention, the service provider 403 is configured to perform hash calculation on a service provided by itself, and determine, according to a result of the hash calculation and an access authority list of the service caller 401, a target service accessible to the service caller 401.
According to the service calling system provided by the embodiment of the invention, when the service caller sends a call request to the service provider, it carries the self-analysis token generated in advance by the security center. After receiving the call request, the service provider verifies the self-analysis token against the locally stored token feature value and, if the verification passes, determines the target service accessible to the service caller and allows the caller to access it, thereby responding to the service call request. Because the self-analysis token is verified locally, the service provider does not need to contact the security center for verification every time it receives a call request; frequent access to the security center server is reduced, system resource usage is reduced, and service performance is improved.
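The token issuance (steps S201 to S204 in claim 1), the provider-side verification with the locally cached token feature value (steps S305 to S310) and the modules of Fig. 4 above, as an added example in Go; this is illustrative code written for this page, not the patent's implementation. It assumes Ed25519 for the security center's key pair, SHA-256 for every hash and digest, the `Token` field layout shown, and a `Center` pointer standing in for the mutual-trust link over which the provider fetches the public key and the caller's access authority list on a cache miss.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"strings"
)

// Token is the self-analysis token: identity, expiry, version, access-list hash, random number, signature.
type Token struct {
	AppName, AppType string
	Expiry           int64 // unix seconds (assumed encoding)
	Version          uint32
	ListHash         [32]byte
	Nonce            [16]byte
	Signature        []byte
}

// tokenDigest is the "token signature value": a digest over expiry, version,
// app name, app type, list hash and random number (strings length-prefixed).
func tokenDigest(t Token) [32]byte {
	s := fmt.Sprintf("%d|%d|%d:%s|%d:%s|%x|%x", t.Expiry, t.Version,
		len(t.AppName), t.AppName, len(t.AppType), t.AppType, t.ListHash, t.Nonce)
	return sha256.Sum256([]byte(s))
}

// hashAccessList hashes an access authority list (entries NUL-separated).
func hashAccessList(list []string) [32]byte {
	return sha256.Sum256([]byte(strings.Join(list, "\x00")))
}

// SecurityCenter holds the signing key and each caller's pre-stored access list.
type SecurityCenter struct {
	priv  ed25519.PrivateKey
	Pub   ed25519.PublicKey
	Lists map[string][]string // app name -> access authority list
}

func NewSecurityCenter(lists map[string][]string) *SecurityCenter {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	return &SecurityCenter{priv: priv, Pub: pub, Lists: lists}
}

// IssueToken (S201-S204): hash the list, draw a random number, digest, sign.
func (sc *SecurityCenter) IssueToken(app, typ string, expiry int64, ver uint32) (Token, error) {
	list, ok := sc.Lists[app]
	if !ok {
		return Token{}, errors.New("identity verification failed")
	}
	t := Token{AppName: app, AppType: typ, Expiry: expiry, Version: ver, ListHash: hashAccessList(list)}
	rand.Read(t.Nonce[:]) // crypto/rand: fails only by crashing the process
	d := tokenDigest(t)
	t.Signature = ed25519.Sign(sc.priv, d[:])
	return t, nil
}

// ServiceProvider checks tokens against a local cache and contacts the
// security center only on a cache miss (the round trip the patent avoids).
type ServiceProvider struct {
	Services []string
	Center   *SecurityCenter     // stands in for the mutual-trust link to the center
	features map[string]string   // app name -> token feature value (digest || signature, hex)
	lists    map[string][]string // app name -> access list fetched along with the public key
	Fetches  int                 // number of times the center was contacted
}

// Authorize (S305-S310) returns nil if the caller may access service at time now.
func (sp *ServiceProvider) Authorize(t Token, service string, now int64) error {
	if sp.features == nil {
		sp.features, sp.lists = map[string]string{}, map[string][]string{}
	}
	if now >= t.Expiry {
		return errors.New("token expired")
	}
	d := tokenDigest(t)
	value := fmt.Sprintf("%x%x", d, t.Signature)
	if feat, hit := sp.features[t.AppName]; hit {
		// S307: one hash plus a string comparison; no public-key op, no round trip.
		if feat != value {
			return errors.New("token differs from cached feature value")
		}
	} else {
		sp.Fetches++ // S308: fetch the public key and the caller's list over the trusted link
		if !ed25519.Verify(sp.Center.Pub, d[:], t.Signature) {
			return errors.New("token signature invalid")
		}
		list := sp.Center.Lists[t.AppName]
		if hashAccessList(list) != t.ListHash {
			return errors.New("access list does not match the hash in the token")
		}
		sp.features[t.AppName], sp.lists[t.AppName] = value, list
	}
	allowed := map[[32]byte]bool{} // S309: hashes of the caller's access authority list
	for _, s := range sp.lists[t.AppName] {
		allowed[sha256.Sum256([]byte(s))] = true
	}
	for _, s := range sp.Services { // target services: offered services whose hash is allowed
		if s == service && allowed[sha256.Sum256([]byte(s))] {
			return nil // S310: the called service is a target service
		}
	}
	return errors.New("token authority verification error")
}
```

A token whose fields were altered after issuance no longer matches the cached feature value, and a freshly issued token (new random number) will not match either until the cache entry is refreshed.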
Fig. 5 illustrates an exemplary system architecture 500 for a service invocation method or a service invocation system to which embodiments of the present invention may be applied.
As shown in fig. 5, the system architecture 500 may include terminal devices 501, 502, 503, a network 504, and a server 505. The network 504 is used as a medium to provide communication links between the terminal devices 501, 502, 503 and the server 505. The network 504 may include various connection types, such as wired, wireless communication links, or fiber optic cables, among others.
A user may interact with the server 505 via the network 504 using the terminal devices 501, 502, 503 to receive or send messages or the like. Various communication client applications, such as shopping class applications, web browser applications, search class applications, instant messaging tools, mailbox clients, social platform software, etc., may be installed on the terminal devices 501, 502, 503.
The terminal devices 501, 502, 503 may be a variety of electronic devices having a display screen and supporting web browsing, including but not limited to smartphones, tablets, laptop and desktop computers, and the like.
The server 505 may be a server providing various services, such as a background management server providing support for service requests initiated by users using the terminal devices 501, 502, 503. The background management server may analyze and process the received data such as the service request, and feed back the processing result (for example, accessible target service) to the terminal device.
It should be noted that, the service invocation method provided by the embodiment of the present invention is generally executed by the server 505, and accordingly, the service invocation system is generally disposed in the server 505.
It should be understood that the number of terminal devices, networks and servers in fig. 5 is merely illustrative. There may be any number of terminal devices, networks, and servers, as desired for implementation.
Referring now to FIG. 6, there is illustrated a schematic diagram of a computer system 600 suitable for use in implementing an embodiment of the present invention. The terminal device shown in fig. 6 is only an example, and should not impose any limitation on the functions and the scope of use of the embodiment of the present invention.
As shown in fig. 6, the computer system 600 includes a Central Processing Unit (CPU) 601, which can perform various appropriate actions and processes according to a program stored in a Read Only Memory (ROM) 602 or a program loaded from a storage section 608 into a Random Access Memory (RAM) 603. In the RAM 603, various programs and data required for the operation of the system 600 are also stored. The CPU 601, ROM 602, and RAM 603 are connected to each other through a bus 604. An input/output (I/O) interface 605 is also connected to bus 604.
The following components are connected to the I/O interface 605: an input portion 606 including a keyboard, a mouse and the like; an output portion 607 including a display such as a Cathode Ray Tube (CRT) or Liquid Crystal Display (LCD), a speaker and the like; a storage section 608 including a hard disk and the like; and a communication section 609 including a network interface card such as a LAN card, a modem or the like. The communication section 609 performs communication processing via a network such as the internet. A drive 610 is also connected to the I/O interface 605 as needed. A removable medium 611, such as a magnetic disk, an optical disk, a magneto-optical disk or a semiconductor memory, is mounted on the drive 610 as needed, so that a computer program read from it can be installed into the storage section 608 as needed.
In particular, according to embodiments of the present disclosure, the processes described above with reference to flowcharts may be implemented as computer software programs. For example, embodiments of the present disclosure include a computer program product comprising a computer program embodied on a computer readable medium, the computer program comprising program code for performing the method shown in the flow chart. In such an embodiment, the computer program may be downloaded and installed from a network through the communication portion 609, and/or installed from the removable medium 611. The above-described functions defined in the system of the present invention are performed when the computer program is executed by a Central Processing Unit (CPU) 601.
The computer readable medium shown in the present invention may be a computer readable signal medium or a computer readable storage medium, or any combination of the two. The computer readable storage medium can be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or a combination of any of the foregoing. More specific examples of the computer-readable storage medium may include, but are not limited to: an electrical connection having one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the context of this document, a computer readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device. In the present invention, however, the computer-readable signal medium may include a data signal propagated in baseband or as part of a carrier wave, with the computer-readable program code embodied therein. Such a propagated data signal may take any of a variety of forms, including, but not limited to, electro-magnetic, optical, or any suitable combination of the foregoing. A computer readable signal medium may also be any computer readable medium that is not a computer readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device. Program code embodied on a computer readable medium may be transmitted using any appropriate medium, including but not limited to: wireless, wire, fiber optic cable, RF, etc., or any suitable combination of the foregoing.
The flowcharts and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present invention. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams or flowchart illustration, and combinations of blocks in the block diagrams or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
The modules involved in the embodiments of the present invention may be implemented in software or in hardware.
As another aspect, the present invention also provides a computer-readable medium that may be contained in the apparatus described in the above embodiments, or may be present alone without being fitted into the device. The computer readable medium carries one or more programs which, when executed by a device, cause the device to perform the following: a service calling party sends a service calling request to a service provider according to the self-analysis token; the self-analysis token is generated by a security center according to the identity information of the service calling party and the authority information of the accessible service;
determining, with the service provider, whether a token feature value of the service caller is stored locally;
if the token characteristic value exists, verifying the self-analysis token according to the token characteristic value so as to verify the identity of the service calling party and the accessible service authority;
in the case of verification passing, the service provider determines a target service accessible to the service caller and allows the service caller to access the target service in response to the service call request.
According to the technical scheme of the embodiment of the invention, when the service caller sends a call request to the service provider, it carries the self-analysis token generated in advance by the security center. After receiving the call request, the service provider verifies the self-analysis token against the locally stored token feature value and, if the verification passes, determines the target service accessible to the service caller and allows the caller to access it, thereby responding to the service call request. Because the self-analysis token is verified locally, the service provider does not need to contact the security center for verification every time it receives a call request; frequent access to the security center server is reduced, system resource usage is reduced, and service performance is improved.
The above embodiments do not limit the scope of the present invention. It will be apparent to those skilled in the art that various modifications, combinations, sub-combinations and alternatives can occur depending upon design requirements and other factors. Any modifications, equivalent substitutions and improvements made within the spirit and principles of the present invention should be included in the scope of the present invention.

Claims (8)

1. A service invocation method, comprising:
a service calling party sends a service calling request to a service provider according to the self-analysis token; the self-analysis token is generated by a security center according to the identity information of the service calling party and the authority information of the accessible service; the method specifically comprises the following steps: the service caller sends a token generation request to the security center based on an SSL communication link; the security center calculates a hash value of a prestored access authority list of the service calling party according to the token generation request and generates a random number corresponding to the token generation request; calculating a first token signature value through a hash algorithm according to an application name and an application type included in the identity information of the service calling party, the hash value and the random number; asymmetrically encrypting the first token signature value with its own private key so as to sign it and generate the self-analysis token; the security center sends the self-analysis token to the service caller based on an SSL communication link;
determining, with the service provider, whether a token feature value of the service caller is stored locally; the token characteristic value is stored locally after verification is passed when a service calling party initiates a service calling request according to the self-analysis token;
If the token characteristic value exists, verifying the self-analysis token according to the token characteristic value so as to verify the identity of the service calling party and the accessible service authority;
in the event that the token feature value does not exist locally at the service provider: the service provider obtains the application name and the application type of the service caller, the expiration time, the token version information, the hash value, the random number and the public key of the security center from the security center; calculating a second token signature value according to the application name and the application type of the service calling party, the expiration time, the token version information, the hash value and the random number; verifying the self-analysis token according to the second token signature value and the public key;
in the case of verification passing, the service provider determines a target service accessible to the service caller and allows the service caller to access the target service in response to the service call request; wherein the service provider determining a target service accessible to the service caller comprises: the service provider performs hash calculation on the service provided by the service provider and compares the hash result with the hash result of the access authority list of the service caller, and if the service provided by the service provider exists in the access authority list of the caller, the service caller is considered to have the authority to access the service; if not, the service caller is deemed to have no rights to access the service.
2. The method of claim 1, further comprising, prior to the security center generating the self-resolving token:
the service calling party sends a token generation request to the security center according to the identity information of the service calling party;
and the security center responds to the token generation request, verifies the identity information and determines that the identity information is verified.
3. The method as recited in claim 2, further comprising:
the security center determines the expiration time and the token version information;
said calculating a first token signature value from said application name, said application type, said hash value and said random number, comprising:
and performing digest calculation on the expiration time, the token version information, the application name, the application type, the hash value and the random number to obtain the first token signature value.
4. The method of claim 1, wherein said validating the self-resolving token according to the token feature value comprises:
and determining whether the value of the self-analysis token is the same as the token characteristic value, and if so, determining that the self-analysis token passes verification.
5. The method of claim 1, further comprising, after determining that the self-resolving token verification passes based on the second token signature value and the public key:
and storing the value of the self-analysis token locally as a token characteristic value of the service calling party.
6. A service invocation system, comprising: a service caller, a security center and a service provider; wherein,
the security center is used for generating a self-analysis token corresponding to the service calling party according to the identity information of the service calling party and the authority information of the accessible service; specifically, for calculating a hash value of a pre-stored access authority list of the service calling party according to a token generation request sent by the service calling party, and generating a random number corresponding to the token generation request; calculating a first token signature value according to an application name and an application type included in the identity information of the service calling party, the hash value and the random number; signing the first token signature value with its own private key to generate the self-analysis token; and further configured to send the self-analysis token to the service caller based on an SSL communication link;
The service caller is configured to send the token generation request to the security center based on an SSL communication link; sending a service call request to a service provider according to the self-analysis token;
the service provider is used for determining whether the token characteristic value of the service calling party is locally stored; if the token characteristic value exists, verifying the self-analysis token according to the token characteristic value so as to verify the identity of the service calling party and the accessible service authority; in the event that the token feature value does not exist locally at the service provider: the service provider obtains the application name and the application type of the service caller, the expiration time, the token version information, the hash value, the random number and the public key of the security center from the security center; calculating a second token signature value according to the application name and the application type of the service calling party, the expiration time, the token version information, the hash value and the random number; verifying the self-analysis token according to the second token signature value and the public key; determining a target service accessible to the service calling party under the condition that verification is passed, and allowing the service calling party to access the target service so as to respond to the service calling request; the token characteristic value is stored locally after verification is passed when a service calling party initiates a service calling request according to the self-analysis token; the service provider determining a target service accessible to the service caller comprises: the service provider performs hash calculation on the service provided by the service provider and compares the hash result with the hash result of the access authority list of the service caller, and if the service provided by the service provider exists in the access authority list of the caller, the service caller is considered to have the authority to access the service; if not, the service caller is deemed to have no rights to access the service.
7. An electronic device for service invocation, comprising:
one or more processors;
storage means for storing one or more programs which, when executed by the one or more processors, cause the one or more processors to implement the method of any of claims 1-5.
8. A computer readable medium, on which a computer program is stored, characterized in that the program, when being executed by a processor, implements the method according to any of claims 1-5.
CN202310111684.1A 2023-02-09 2023-02-09 Service calling method and system Active CN115828309B (en)

Publications (2)

Publication Number Publication Date
CN115828309A CN115828309A (en) 2023-03-21
CN115828309B true CN115828309B (en) 2023-11-07
Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant