CN117675309A - Data access method and device, storage medium and electronic equipment - Google Patents

Data access method and device, storage medium and electronic equipment

Info

Publication number
CN117675309A
Authority
CN
China
Prior art keywords
user
token
user token
key
client
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202311611271.6A
Other languages
Chinese (zh)
Inventor
陈思炜
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Boc Financial Technology Co ltd
Original Assignee
Boc Financial Technology Co ltd
Application filed by Boc Financial Technology Co ltd
Priority to CN202311611271.6A
Publication of CN117675309A
Legal status: Pending

Landscapes

  • Storage Device Security (AREA)

Abstract

The application discloses a data access method, a device, a storage medium and electronic equipment, wherein the method is applied to a server side and comprises the following steps: receiving a data access request sent by a client, wherein the data access request comprises an encrypted user token; decrypting the user token based on the private key of the user token key pair to obtain token information of the user token; under the condition that the port address of the client is different from the user address in the token information, acquiring a preset user identity verification rule; and allowing the client to access the server under the condition that the user of the client passes the user authentication rule and the user token is valid. The method and the device provided by the application improve the security of the user token and the security of data access.

Description

Data access method and device, storage medium and electronic equipment
Technical Field
The present invention relates to the field of computer technologies, and in particular, to a data access method, a data access device, a storage medium, and an electronic device.
Background
User tokens are a dedicated authentication and authorization mechanism for confirming a user's identity and authorizing the user to access a particular resource or perform a particular operation. User tokens normally have session timeliness, that is, within their active period a token may be used repeatedly for data access. This is convenient, but it also reduces the security of data access: for example, another person may steal the user token and use it to obtain information, or maliciously tamper with the token information to obtain information beyond the authority of the current user token, causing information leakage.
Therefore, how to prevent the information leakage caused by theft of token information and improve the security of data access is a technical problem the industry needs to solve.
Disclosure of Invention
The application provides a data access method, a device, a storage medium and electronic equipment, which are used for solving the technical problem of how to prevent information leakage caused by theft of token information in the prior art and improving the security of data access.
In a first aspect, the present application provides a data access method, applied to a server, where the method includes:
receiving a data access request sent by a client, wherein the data access request comprises an encrypted user token;
decrypting the user token based on a private key of a user token key pair to obtain token information of the user token;
acquiring a preset user identity authentication rule under the condition that the port address of the client is different from the user address in the token information;
and allowing the client to access the server under the condition that the user of the client passes the user authentication rule and the user token is valid.
In some embodiments, the allowing the client to access the server if the user of the client passes the user authentication rule and the user token is valid includes:
obtaining cached token information from a local cache under the condition that the user of the client passes the user identity verification rule;
and confirming that the user token is valid and allowing the client to access the server under the condition that the cached token information comprises the token information and the access time of the data access request is within the validity time of the user token.
In some embodiments, the user token is constructed based on the steps of:
obtaining the token information of the user token and generating a key pair of the user token;
encrypting the token information based on an elliptic curve digital signature algorithm and a public key of the key pair;
the user token is generated based on the encrypted token information.
In some embodiments, after the generating the user token, further comprises:
generating a first key value pair by taking the token information as a key and the user token as a value;
generating a second key value pair by taking the token information as a key and the token effective time of the user token as a value;
and caching the first key-value pair and the second key-value pair locally.
In some embodiments, after obtaining the token information of the user token, the method further includes:
acquiring a first key value pair of the user token and a second key value pair of the user token in the local cache;
determining if the user token matches the token information in the first key-value pair and determining if the current access time is within the validity time of the second key-value pair.
In some embodiments, the user token key pair is determined based on the steps of:
generating two different prime numbers based on a random number generator, wherein the prime numbers are larger than a preset threshold value;
the user token key pair is generated based on the prime numbers and the Euler function.
In some embodiments, after the allowing the client to access the server, the method further includes:
and updating the effective time of the user token in the local cache based on the set effective time length of the user token and the set access time.
In a second aspect, the present application provides a user token authentication apparatus, applied to a server, where the apparatus includes:
the receiving module is used for receiving a data access request sent by the client, wherein the data access request comprises an encrypted user token;
the decryption module is used for decrypting the user token based on the private key of the user token key pair to obtain the token information of the user token;
the acquisition module is used for acquiring a preset user identity verification rule under the condition that the port address of the client is different from the user address in the token information;
and the access module is used for allowing the client to access the server side under the condition that the user of the client passes the user authentication rule and the user token is valid.
In a third aspect, the present application provides a non-transitory computer readable storage medium having stored thereon a computer program which, when executed by a processor, implements the method described above.
In a fourth aspect, the present application provides an electronic device comprising a memory in which a computer program is stored and a processor arranged to perform the method described above when the computer program is executed.
According to the data access method, device, storage medium and electronic equipment of the application, the user token is encrypted and can be decrypted only by the holder of the private key when it is used, so the token information of the user token can be prevented from being tampered with; and when the port address of the client differs from the user address in the token information, the identity of the current client's user is verified, so the user token can be prevented from being used by someone who has stolen it, the risk of information leakage is reduced, and the security of the user's data access to the server side within the validity period of the user token is improved.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with the application and together with the description, serve to explain the principles of the application.
In order to more clearly illustrate the technical solutions of the present application or the prior art, the following description will briefly introduce the drawings used in the embodiments or the description of the prior art, and it is obvious that, in the following description, the drawings are some embodiments of the present application, and other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
FIG. 1 is a schematic flow chart of a data access method according to an embodiment of the present application;
FIG. 2 is a second flow chart of a data access method according to an embodiment of the present disclosure;
FIG. 3 is a schematic diagram of a user token authentication apparatus according to an embodiment of the present application;
FIG. 4 is a second schematic diagram of a user token authentication apparatus according to an embodiment of the present disclosure;
FIG. 5 is a schematic structural diagram of an electronic device according to an embodiment of the present application.
Detailed Description
In order to make the present application solution better understood by those skilled in the art, the following description will be made in detail and with reference to the accompanying drawings in the embodiments of the present application, it is apparent that the described embodiments are only some embodiments of the present application, not all embodiments. All other embodiments, which can be made by one of ordinary skill in the art based on the embodiments herein without making any inventive effort, shall fall within the scope of the present application.
It should be noted that the terms "first," "second," and the like herein are used for distinguishing between similar objects and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used may be interchanged where appropriate such that embodiments of the present application described herein may be implemented in sequences other than those illustrated or otherwise described herein. Furthermore, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or modules is not necessarily limited to those steps or modules that are expressly listed or inherent to such process, method, article, or apparatus.
The data access method provided by the embodiment of the application is suitable for a server side, and the server side can be various electronic devices with a display screen and supporting web browsing, including but not limited to servers, smart phones, tablet computers, laptop portable computers, desktop computers and the like.
In the technical scheme of the application, the related processes of personal information collection, storage, use, processing, transmission, provision, disclosure and the like all accord with the regulations of related laws and regulations, necessary security measures are adopted, and the public order harmony is not violated.
Fig. 1 is a schematic flow chart of a data access method according to an embodiment of the present application, as shown in fig. 1, the method includes step 110, step 120, step 130 and step 140. The method flow steps are only one possible implementation of the present application.
Step 110, a data access request sent by a client is received, wherein the data access request comprises an encrypted user token.
Specifically, the execution body of the data access method provided in the embodiment of the present application is a user token verification device, and the device may be a hardware device independently set in a server side, or may be a software program running in the server side.
In the embodiment of the application, the client provides the user with the port through which data is queried; the user sends the data access request to the server through the client, and after verifying the user's identity the server sends the corresponding data to the client, so that the user obtains the relevant data.
The data access request is a request generated according to the behavior of a user or program requesting a data operation from the server side. The data access request may be an HTTP request.
The user token is a credential used to verify the identity of the user and to authorize the user to access the server side. The user token has session timeliness, namely, within the validity period of the user token the user can access the server side at any time using the user token without logging in again. The validity duration of the user token can be set through EXPIRE_TIME, which spares the user repeated logins when, for example, accessing data within a short time.
In order to ensure that the user token is not tampered with at will, embodiments of the present application encrypt the user token.
The data access request comprises an encrypted user token, when a user wants to acquire data from the server side, the data access request can be sent to the server side through the client side, and when the server side receives the data access request, the user can be allowed to frequently access the data within the effective time of the user token.
Step 120, decrypting the user token based on the private key of the user token key pair to obtain the token information of the user token.
Specifically, a key pair is a pair of associated encryption keys, including a public key and a private key. The public key is used to encrypt data or verify digital signatures. The private key is used to decrypt data or generate a digital signature. A party holding a private key may use its private key to decrypt data encrypted using the public key.
The public key in the key pair is used in the encryption of the user token, so that the user token can be decrypted by using the private key corresponding to the public key, and token information is obtained.
The token information includes an issue object, issue time, validity time, payload, and the like of the token. The issuing object is the identity of the user when the token is first created, and can be the port address of the client used by the user. The issue time is the time at which the token was created. The validity time is the length of time that the token can be used for data access. The payload may include a user identification, a user name, and an access-enabled system number, etc.
Each time the client sends a data access request, an Authorization field is added to the data access request and its value is set to the user token information;
the server receives the data access request sent by the client, parses the request header information of the data access request, obtains the value of the Authorization field and thereby the user token information, and decrypts the user token.
Step 130, acquiring a preset user identity authentication rule under the condition that the port address of the client is different from the user address in the token information.
Specifically, the token information includes the user address used when the user token was first constructed. If the port address of the current client does not match that user address, either the user has switched clients or someone else has stolen the user token; to keep data access secure, the user of the current client must therefore be authenticated.
User authentication rules may be preset. User authentication rules define rules and procedures that need to be followed in authenticating a user's identity. These rules are used to ensure that only authorized users can access certain resources at the server side.
The user authentication rule can be a face authentication rule, a fingerprint identification rule, a voice identification rule, a short message authentication rule and the like.
When the port address is different from the user address, a preset user authentication rule can be called, and the user of the current client is authenticated.
Step 140, allowing the client to access the server under the condition that the user of the client passes the user authentication rule and the user token is valid.
Specifically, whether the user token is valid or not can be judged by the valid time of the current user token and whether the token information is cached in a local cache of the server side. If the token information of the user token is cached in the local cache, the current user token is also in the effective time, and the user token is indicated to be effective.
If the user of the current client passes the user authentication rule, this indicates that the user has merely switched clients, so the user can be allowed to access the server's data from the current client, provided the user token is valid.
According to the data access method, the user token is encrypted, when the user token is used, the user token can be decrypted only by knowing the private key, so that the token information of the user token can be prevented from being tampered, and when the port address of the client is different from the user address in the token information, the identity of the user of the current client is verified, so that the user token can be prevented from being stolen by others, the risk of information leakage is reduced, and the security of data access to the server side by the user in the validity period of the user token is improved.
It should be noted that the embodiments of the present application may be freely combined, permuted, or executed separately, and do not depend on a fixed execution sequence.
In some embodiments, step 140 comprises:
obtaining cached token information from a local cache under the condition that the user of the client passes the user identity verification rule;
and confirming that the user token is valid and allowing the client to access the server under the condition that the cached token information comprises the token information and the access time of the data access request is within the validity time of the user token.
After step 140, the method further includes:
based on the set effective duration and access time of the user token, the effective time of the user token is updated in the local cache.
Specifically, each user token is created by the server, and when the server creates a user token for the first time it caches the information related to the user token in the local cache. After the user passes the user authentication rule, the cached token information in the local cache is acquired.
The cached token information is the token information cached in the local cache of the server side. By comparing the token information of the current user token with the cached token information, it can be determined whether the current user token is valid.
The cached token information corresponding to the current user token is obtained from the local cache using the custom prefix PREFIX_USER_TOKEN combined with the token information. The validity time of the user token can be obtained by parsing the cached token information, where the validity time is identified by the EXPIRE_TIME field;
if the access time of the current data access request exceeds the validity time set by the value of the EXPIRE_TIME field, login failure information is returned to the client user; if the access time is within the validity time, the access request is released and access to the server is allowed.
Meanwhile, the token information of the user token needs to be verified, whether the user token information transmitted by the client is consistent with the token information in the cache or not is judged, if so, the client is released, and if not, invalid information of the user token is returned.
The validity time of the user token in the local cache can be updated according to the preset validity duration of the user token and the current access time.
For example, if the validity duration is 30 minutes and the user token is created at 9:00, the cached validity time is 9:00 to 9:30; when the user uses the user token at 9:20, the cached validity time is updated to 9:50.
According to the data access method, the user token and the user identity are verified from several angles, namely the user identity verification rule, the token information and the validity time, which improves the security of data access.
In some embodiments, the user token is constructed based on the following steps:
obtaining token information of a user token and generating a key pair of the user token;
encrypting the token information based on an elliptic curve digital signature algorithm and a public key of a key pair;
a user token is generated based on the encrypted token information.
The user token key pair is determined based on the steps of:
generating two different prime numbers based on a random number generator, wherein the prime numbers are larger than a preset threshold value;
based on the prime numbers and the Euler function, a user token key pair is generated.
Specifically, when a user token is created for the first time, the client address used by the user is obtained as the issuing object, and the current server time is taken as the issue time; the payload is constructed from the unique user identification, the user name and the numbers of the systems the user is entitled to access. The issuing object, issue time, payload and so on constitute the token information of the user token.
The server side uses a random number generator to produce two different large prime numbers, computes the Euler function value from the product of the two large primes, selects a small positive integer E that is coprime with the Euler function value, takes the positive integer E together with the product of the two large primes as the public key part of the key, computes the private key exponent D as the modular inverse of the positive integer E modulo the Euler function value, obtains the public key and the private key from the public key part and the private key exponent, and thus obtains the user token key pair.
And carrying out data signature on the token information through a public key according to an elliptic curve digital signature algorithm to obtain the encrypted user token. After the server side constructs the user token, the user token is sent to the client side so that the user can use the user token to access data.
According to the data access method, the security of the user token is improved by encrypting the user token, and the security of the user token in the using process is improved.
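The key-pair steps just described (two random primes above a threshold, the Euler function value of their product, a small E coprime with it, and D as the inverse of E modulo that value) are the textbook RSA construction rather than an elliptic-curve one, and in a signature scheme it is the private exponent that signs and the public exponent that verifies. The following Python block is an added example, not code from the patent or its assignee, that walks through those steps and shows the tamper-evidence the page claims for the token: the server binds the token information with D, anyone holding (E, N) can check the binding, and a changed field fails the check. Everything in it is an assumption made for illustration: the function names, the use of SHA-256 over canonical JSON, and above all the tiny primes, chosen so the arithmetic is readable. A deployment would use a vetted library, primes of at least 1024 bits and a padded signature scheme, never this bare arithmetic.

```python
# Added illustration of the page's key-pair steps (two primes, Euler function,
# small E, D = E^-1 mod phi) and of the tamper-evidence a signed token gives.
# Toy sizes only: PRIME_THRESHOLD, the 1000 upper bound and SHA-256 over canonical
# JSON are assumptions for readability, not the patent's parameters.
import hashlib
import json
import secrets
from math import gcd

PRIME_THRESHOLD = 50   # the page's "preset threshold", deliberately tiny here


def is_prime(n):
    """Trial division, adequate for the toy sizes used in this illustration."""
    if n < 2:
        return False
    return all(n % f for f in range(2, int(n ** 0.5) + 1))


def random_prime(lo, hi):
    """Draw from the system CSPRNG until a prime above the threshold appears."""
    while True:
        cand = lo + secrets.randbelow(hi - lo)
        if cand > PRIME_THRESHOLD and is_prime(cand):
            return cand


def make_key_pair(p=None, q=None):
    """Return ((E, N), (D, N)) built the way the page describes."""
    p = p or random_prime(PRIME_THRESHOLD, 1000)
    q = q or random_prime(PRIME_THRESHOLD, 1000)
    while q == p:                      # the two primes must differ
        q = random_prime(PRIME_THRESHOLD, 1000)
    n = p * q                          # modulus shared by both keys
    phi = (p - 1) * (q - 1)            # Euler function value of N
    e = 3
    while gcd(e, phi) != 1:            # smallest positive odd E coprime with phi
        e += 2
    d = pow(e, -1, phi)                # modular inverse of E modulo phi
    return (e, n), (d, n)


def digest(token_info, n):
    """Hash of the canonical token information, reduced into the modulus."""
    data = json.dumps(token_info, sort_keys=True).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign_token(token_info, private_key):
    """The server binds the token information with D; only the D holder can."""
    d, n = private_key
    return {"info": token_info, "sig": pow(digest(token_info, n), d, n)}


def verify_token(token, public_key):
    """Check the binding with (E, N); any edited field makes it fail."""
    e, n = public_key
    return pow(token["sig"], e, n) == digest(token["info"], n)
```

With the classic textbook primes 61 and 53 the block yields N = 3233, phi = 3120, E = 7 and D = 1783, and the verification of a signed token succeeds while the same signature over token information with an altered user id fails; the address check and cache logic of the server side are a separate matter from this binding.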
In some embodiments, after generating the user token, further comprising:
using token information as a key and a user token as a value to generate a first key value pair;
using the token information as a key and the token effective time of the user token as a value to generate a second key value pair;
the first key value pair and the second key value pair are cached locally.
After obtaining the token information of the user token, the method further comprises the following steps:
acquiring a first key value pair of a user token and a second key value pair of the user token in a local cache;
it is determined whether the user token matches the token information in the first key-value pair and whether the current access time is within the validity time of the second key-value pair.
Specifically, the relevant information of the user token can be cached in a local cache of the server side in a key value pair mode.
Redis may be used to store information about the user token: the user token is associated as a value with a unique custom key and stored in the Redis cache as a key-value pair, where the unique key is formed by combining the custom prefix with the user token information. The user token information may be concatenated with the pre_user_token field as the key to generate the first key-value pair.
The user token information may be used as a key by combining the user token information with the user token valid time as a value to obtain a second key-value pair. Setting the maximum expiration time in the form of a key-value pair may ensure that user tokens that are no longer valid are automatically purged after expiration to ensure that the Redis cache does not become too large.
And storing the generated first key value pair and the generated second key value pair in a local cache. By determining whether the token information of the current user token matches the token information in the first key-value pair and determining whether the current access time is within the validity time of the second key-value pair, it can be determined whether the current user token is valid.
According to the data access method, related information of the user token is stored in a key value pair mode, so that effective judgment of a subsequent user token can be facilitated, and invalid tokens can be cleared timely.
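To show how steps 110 to 140 interact with the two cached key-value pairs and the sliding validity time, including the page's 9:00 / 9:20 / 9:50 timeline, here is an added Python example; it is not code from the patent or its assignee. Its assumptions: the Authorization header carries the token as a Bearer value; the token information has the fields issuer_addr, issued_at and user_id; the token is an opaque base64 encoding of that information (signature verification, which would come first in a real server, is left out so the address and cache logic stand out); the identity verification rule is a callable; and an in-process dict stands in for Redis, with purge_expired doing by hand what a Redis TTL does on its own. EXPIRE_TIME and PREFIX_USER_TOKEN are the page's names; all other names are chosen for this illustration.

```python
# Added illustration of steps 110-140 with the two cached key-value pairs and the
# sliding validity time. Field names, the Bearer header form, the base64 token
# encoding and the in-memory cache are assumptions; EXPIRE_TIME and
# PREFIX_USER_TOKEN are the names used on the page.
import base64
import json
from datetime import datetime, timedelta

EXPIRE_TIME = timedelta(minutes=30)       # validity duration, 30 minutes as in the page's example
PREFIX_USER_TOKEN = "PREFIX_USER_TOKEN:"  # custom prefix for the first key-value pair
REQUIRED = ("issuer_addr", "issued_at", "user_id")  # assumed token-information fields


def make_token(info):
    """Assumed opaque encoding of the token information (a real token is signed first)."""
    return base64.urlsafe_b64encode(json.dumps(info, sort_keys=True).encode()).decode()


def decode_token(token):
    """Inverse of make_token; stands in for recovering the token information."""
    info = json.loads(base64.urlsafe_b64decode(token.encode()))
    if not isinstance(info, dict) or any(f not in info for f in REQUIRED):
        raise ValueError("token information incomplete")
    return info


def info_key(info):
    """Cache key derived from the issuing object, issue time and user id."""
    return "|".join(str(info[f]) for f in REQUIRED)


class TokenCache:
    """Stand-in for the Redis cache holding the two key-value pairs per token."""

    def __init__(self):
        self.tokens = {}   # first pair:  PREFIX_USER_TOKEN + token info -> user token
        self.expiry = {}   # second pair: token info -> end of the validity time

    def store(self, info, token, created_at):
        key = info_key(info)
        self.tokens[PREFIX_USER_TOKEN + key] = token
        self.expiry[key] = created_at + EXPIRE_TIME

    def lookup(self, info):
        key = info_key(info)
        return self.tokens.get(PREFIX_USER_TOKEN + key), self.expiry.get(key)

    def refresh(self, info, access_time):
        """Sliding window: the validity time becomes access time + EXPIRE_TIME."""
        self.expiry[info_key(info)] = access_time + EXPIRE_TIME

    def purge_expired(self, now):
        """What a Redis TTL on the pairs does by itself: drop tokens past their time."""
        for key in [k for k, until in self.expiry.items() if until < now]:
            del self.expiry[key]
            self.tokens.pop(PREFIX_USER_TOKEN + key, None)


def handle_request(headers, client_addr, now, cache, identity_rule):
    """Steps 110 to 140 for one request; returns 'allow' or 'reject: <reason>'."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return "reject: no user token"
    token = auth[len("Bearer "):]
    try:
        info = decode_token(token)
    except ValueError:
        return "reject: token unreadable"
    # Step 130: the client address differs from the issuing address, so the
    # preset identity verification rule (face, fingerprint, SMS code, ...) must pass.
    if info["issuer_addr"] != client_addr and not identity_rule(info["user_id"]):
        return "reject: identity verification failed"
    # Step 140: the token must be cached, equal the issued one and be within its validity time.
    cached_token, valid_until = cache.lookup(info)
    if cached_token is None or cached_token != token:
        return "reject: token invalid"
    if now > valid_until:
        return "reject: login timeout"
    cache.refresh(info, now)
    return "allow"


def walkthrough():
    """The page's timeline: token created at 9:00, used at 9:20, validity moved to 9:50."""
    cache = TokenCache()
    created = datetime(2024, 1, 1, 9, 0)  # constructed date
    info = {"issuer_addr": "10.0.0.5", "issued_at": created.isoformat(), "user_id": "u1"}
    token = make_token(info)
    cache.store(info, token, created)     # cached validity time 9:00 to 9:30
    headers = {"Authorization": "Bearer " + token}
    at = lambda minutes: created + timedelta(minutes=minutes)
    rule_fails, rule_passes = (lambda user_id: False), (lambda user_id: True)
    out = {}
    out["same_client_9_20"] = handle_request(headers, "10.0.0.5", at(20), cache, rule_fails)
    out["valid_until"] = cache.lookup(info)[1].strftime("%H:%M")
    out["new_client_rule_fails"] = handle_request(headers, "10.0.0.9", at(25), cache, rule_fails)
    out["new_client_rule_passes"] = handle_request(headers, "10.0.0.9", at(25), cache, rule_passes)
    altered = {"Authorization": "Bearer " + make_token(dict(info, role="admin"))}
    out["altered_token"] = handle_request(altered, "10.0.0.5", at(26), cache, rule_fails)
    out["after_window"] = handle_request(headers, "10.0.0.5", at(120), cache, rule_fails)
    cache.purge_expired(at(120))
    out["purged"] = cache.lookup(info) == (None, None)
    return out
```

walkthrough() returns the outcome of each request so the behaviour can be checked: the same client at 9:20 is allowed and the cached validity time moves to 9:50; a different client address triggers the identity rule and the request is rejected or allowed on its result; a token whose information was altered no longer equals the cached value and is rejected as invalid; a request after the window gets the login timeout result; and purge_expired drops the stale pairs, which is the automatic cleanup the page attributes to the maximum expiration time set on the Redis entries.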
Fig. 2 is a second flowchart of a data access method according to an embodiment of the present application, as shown in fig. 2, where the method includes:
when the server side generates the token, the issuing object, the issuing time, the token validity period and the load are set, and the elliptic curve digital signature algorithm and the public key are used for generating the user token.
And storing the generated user token in a buffer memory in the form of key value pairs, setting the maximum expiration time, and returning the user token to the client.
The client needs to carry user token information in the access request every time the client accesses the server resource.
The server receives an access request sent by the client, judges whether the user token exists in the cache, whether the user token is effective, and judges whether a key value corresponding to the user token exists in the cache;
and if the user token is verified to be invalid, returning login timeout information, otherwise, releasing the request and updating the effective time of the user token in the cache.
The data access method provided by the embodiment of the application makes up the defect of the conventional method in the aspect of security when the user token is generated and verified, and fully considers the improvement of the security of the user token by asymmetric digital encryption; the server side can be accessed without repeated login of the user in a period of time, and meanwhile, the timeliness of user access can be controlled through the cache of the server side.
The user token verifying apparatus provided in the embodiments of the present application will be described below, and the user token verifying apparatus described below and the data access method described above may be referred to correspondingly to each other.
Fig. 3 is a schematic structural diagram of a user token verifying apparatus according to an embodiment of the present application, where, as shown in fig. 3, the apparatus is applied to a server, and the apparatus includes a receiving module 310, a decrypting module 320, an obtaining module 330, and an accessing module 340.
The receiving module is used for receiving a data access request sent by the client, wherein the data access request comprises an encrypted user token;
the decryption module is used for decrypting the user token based on the private key of the user token key pair to obtain token information of the user token;
the acquisition module is used for acquiring a preset user identity authentication rule under the condition that the port address of the client is different from the user address in the token information;
and the access module is used for allowing the client to access the server under the condition that the user of the client passes the user authentication rule and the user token is valid.
Specifically, according to an embodiment of the present application, any of the receiving module, the decrypting module, the acquiring module, and the accessing module may be combined and implemented in one module, or any of the modules may be split into a plurality of modules.
Alternatively, at least some of the functionality of one or more of the modules may be combined with at least some of the functionality of other modules and implemented in one module.
According to embodiments of the present application, at least one of the receiving module, the decrypting module, the obtaining module and the accessing module may be implemented at least partially as hardware circuitry, such as a Field Programmable Gate Array (FPGA), a Programmable Logic Array (PLA), a system on a chip, a system on a substrate, a system on a package, an Application Specific Integrated Circuit (ASIC), or in hardware or firmware by any other reasonable way of integrating or packaging the circuitry, or in any one of software, hardware and firmware, or a suitable combination of the three.
Alternatively, at least one of the receiving module, the decrypting module, the obtaining module and the accessing module may be at least partly implemented as a computer program module, which when executed may perform the respective functions.
According to the user token verification device, the user token is encrypted, when the user token is used, the user token can be decrypted only by knowing the private key, so that the token information of the user token can be prevented from being tampered, and when the port address of the client is different from the user address in the token information, the identity of the user of the current client is verified, so that the user token can be prevented from being stolen by others, the risk of information leakage is reduced, and the security of data access to the server side by the user in the validity period of the user token is improved.
In some embodiments, the access module is specifically configured to:
obtaining cached token information from a local cache under the condition that the user of the client passes the user identity verification rule;
and confirming that the user token is valid and allowing the client to access the server under the condition that the cached token information comprises the token information and the access time of the data access request is within the validity time of the user token.
In some embodiments, the user token authentication apparatus further comprises a construction module for:
obtaining token information of a user token and generating a key pair of the user token;
encrypting the token information based on an elliptic curve digital signature algorithm and a public key of a key pair;
a user token is generated based on the encrypted token information.
In some embodiments, the user token authentication apparatus further comprises a caching module, the caching module configured to:
using token information as a key and a user token as a value to generate a first key value pair;
using the token information as a key and the token effective time of the user token as a value to generate a second key value pair;
the first key value pair and the second key value pair are cached locally.
In some embodiments, the user token authentication apparatus further comprises a matching module for:
acquiring the first key value pair and the second key value pair of the user token from the local cache;
determining whether the user token matches the token information in the first key value pair, and whether the current access time is within the validity time of the second key value pair.
In some embodiments, the user token authentication apparatus further comprises a generation module for:
generating two different prime numbers with a random number generator, where each prime number is larger than a preset threshold value;
generating the user token key pair based on the prime numbers and the Euler function.
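As an added illustration of the two generation steps just listed (this is not code from the patent or its applicant), the following Python block draws two distinct random primes above a threshold and derives a key pair from Euler's totient phi(n) = (p-1)(q-1), which is textbook RSA key generation. The bit length, the threshold and the public exponent 65537 are assumptions, and `roundtrip_ok` is only a sanity check on the resulting pair; the page's elliptic-curve signing step is a separate mechanism and is not shown here.

```python
import math
import secrets

# Added example (not the patent's own code): key-pair generation from two large primes
# and Euler's totient, i.e. textbook RSA. Bit size, threshold and public exponent are
# assumptions chosen for illustration.

SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47)


def is_probable_prime(n: int, rounds: int = 40) -> bool:
    """Miller-Rabin probabilistic primality test with random bases from a CSPRNG."""
    if n < 2:
        return False
    for p in SMALL_PRIMES:          # cheap trial division first
        if n % p == 0:
            return n == p
    # write n - 1 as 2^r * d with d odd
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = 2 + secrets.randbelow(n - 3)   # uniform base in [2, n-2]
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False                    # composite witness found
    return True


def random_prime_above(threshold: int, bits: int) -> int:
    """Draw odd candidates of exactly `bits` bits until one is prime and above threshold."""
    while True:
        candidate = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if candidate > threshold and is_probable_prime(candidate):
            return candidate


def generate_token_key_pair(bits: int = 1024, threshold: int = 1 << 1000, e: int = 65537) -> dict:
    """Step 1: two different primes p, q above the preset threshold.
    Step 2: modulus n = p*q, Euler's totient phi(n) = (p-1)(q-1), private exponent d = e^-1 mod phi(n).
    Returns the public key (n, e), the private key (n, d) and the primes for inspection."""
    while True:
        p = random_prime_above(threshold, bits)
        q = random_prime_above(threshold, bits)
        if p == q:
            continue                        # the page requires two *different* primes
        phi = (p - 1) * (q - 1)
        if math.gcd(e, phi) == 1:           # e must be invertible modulo phi(n)
            break
    n = p * q
    d = pow(e, -1, phi)                     # modular inverse (Python 3.8+)
    return {"public": (n, e), "private": (n, d), "p": p, "q": q}


def roundtrip_ok(keys: dict, message: int) -> bool:
    """Sanity check: (m^e)^d mod n == m for 0 <= m < n."""
    n, e = keys["public"]
    _, d = keys["private"]
    return pow(pow(message, e, n), d, n) == message


if __name__ == "__main__":
    k = generate_token_key_pair(bits=512, threshold=1 << 500)
    print("modulus bits:", k["public"][0].bit_length(), "roundtrip:", roundtrip_ok(k, 42))
```

The pair produced here has no padding scheme and serves only to make the prime/totient derivation concrete; a deployment would take key generation and a padded signature or encryption scheme from a vetted library rather than from raw modular exponentiation.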
In some embodiments, the user token authentication apparatus further comprises an update module for:
updating the validity time of the user token in the local cache based on the set validity duration of the user token and the access time.
Fig. 4 is a second schematic structural diagram of a user token verifying apparatus according to an embodiment of the present application. As shown in fig. 4, the apparatus includes a token generation module 410, a token transmission module 420, a token storage module 430, and a token verification module 440:
The token generation module is used for generating user token information, encrypting the user token information through an elliptic curve digital signature algorithm, and generating the user token.
The token sending module is used for sending the generated user token to the client; the server side sends the user token to the client in JSON format.
The token storage module is used by the server side to store the user token in the Redis cache for subsequent token verification, and to set the maximum storage time.
The token verification module is used for verifying the user token and the user identity carried in the access request sent by the client: the server obtains the user token information from the value of the Authorization field of the client's HTTP request, decrypts it with the public key based on the elliptic curve digital signature algorithm to verify the correctness of the user token information, and verifies the user identity through the port address, the user address and the user identity verification rule.
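To make the access, caching, matching and update modules described earlier and the Fig. 4 verification flow concrete, here is an added Python example of the server side of the exchange; it is not code from the patent or from the applicant. It keeps the two key-value pairs in plain dicts standing in for the Redis cache, reads the user token from the Authorization field in an assumed "Bearer <token>" form, applies an assumed device-id identity rule only when the client address differs from the user address in the token information, checks the cached token and validity deadline, and refreshes the deadline after a successful access. Because the standard library has no elliptic-curve routine, the page's encryption and decryption of the token information are replaced by a labelled base64/JSON stand-in that provides no protection; the rest is the logic the page describes. All sample values are constructed.

```python
import base64
import json
from dataclasses import dataclass, field

# Added example (not the patent's own code). Token encryption/decryption is replaced by a
# base64/JSON stand-in so the block runs offline; the identity rule, the "Bearer" header
# form and the 1800 s validity period are assumptions.


def canonical_key(token_info: dict) -> str:
    """Both cache entries are keyed by the token information; canonical JSON makes equal
    token information produce the same key regardless of dict ordering."""
    return json.dumps(token_info, sort_keys=True, separators=(",", ":"))


@dataclass
class TokenCache:
    """Local stand-in for the server's Redis cache (assumption: plain dicts)."""
    first: dict = field(default_factory=dict)    # token information -> user token
    second: dict = field(default_factory=dict)   # token information -> validity deadline (epoch s)


def cache_token(cache: TokenCache, token_info: dict, token: str, valid_for: int, now: int) -> None:
    """Caching module: store the first and second key-value pairs and set the validity deadline."""
    key = canonical_key(token_info)
    cache.first[key] = token
    cache.second[key] = now + valid_for


def token_is_valid(cache: TokenCache, token_info: dict, token: str, now: int) -> bool:
    """Matching module: the cached token for this information must equal the presented token,
    and the access time must not exceed the cached validity deadline."""
    key = canonical_key(token_info)
    return cache.first.get(key) == token and now <= cache.second.get(key, -1)


def refresh_validity(cache: TokenCache, token_info: dict, valid_for: int, now: int) -> None:
    """Update module: after a successful access, move the deadline forward (sliding expiry)."""
    key = canonical_key(token_info)
    if key in cache.second:
        cache.second[key] = now + valid_for


def issue_token_stand_in(token_info: dict) -> str:
    """Constructed stand-in for the page's encryption step (NOT a security mechanism)."""
    return base64.urlsafe_b64encode(canonical_key(token_info).encode()).decode()


def decode_token_stand_in(token: str) -> dict:
    """Constructed stand-in for decryption with the private key; raises ValueError on garbage."""
    return json.loads(base64.urlsafe_b64decode(token.encode()))


def extract_token(headers: dict):
    """Read the user token from the Authorization field (assumed 'Bearer <token>' form)."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    return token if scheme == "Bearer" and token else None


def device_identity_rule(token_info: dict, request: dict) -> bool:
    """Assumed preset identity rule: the request must carry the device id registered in the token."""
    return request.get("device_id") == token_info.get("device_id")


def authorize(request: dict, cache: TokenCache, now: int, valid_for: int = 1800,
              identity_rule=device_identity_rule, decode=decode_token_stand_in) -> tuple:
    """Server-side flow from the page: obtain token -> decode -> address check -> identity rule
    (only on mismatch) -> cache validity check -> allow and refresh. Returns (allowed, reason)."""
    token = extract_token(request["headers"])
    if token is None:
        return False, "no user token in Authorization field"
    try:
        info = decode(token)
        user_address = info["user_address"]
    except (ValueError, KeyError, TypeError):
        return False, "user token cannot be decoded"
    if request["client_address"] != user_address and not identity_rule(info, request):
        return False, "client address differs from user address and identity rule failed"
    if not token_is_valid(cache, info, token, now):
        return False, "user token not cached, tampered, or expired"
    refresh_validity(cache, info, valid_for, now)
    return True, "access allowed"
```

The first key-value pair is what makes tampering visible at lookup time: a token whose decoded information differs from any cached entry, or a re-encoded token carrying the same information, fails the `cache.first.get(key) == token` comparison before the deadline is consulted. The second pair keeps an expired token unusable even though it still decodes cleanly.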
It should be noted that, the user token verification device provided in this embodiment of the present application can implement all the method steps implemented in the data access method embodiment, and can achieve the same technical effects, and detailed descriptions of the same parts and beneficial effects as those in the method embodiment in this embodiment are omitted.
Fig. 5 is a schematic structural diagram of an electronic device provided in an embodiment of the present application. As shown in Fig. 5, the electronic device may include a processor 510, a communication interface 520, a memory 530, and a communication bus 540, where the processor 510, the communication interface 520 and the memory 530 communicate with each other via the communication bus 540. The processor 510 may invoke logic commands in the memory 530 to perform the method described above, the method being applied to a server side and comprising:
receiving a data access request sent by a client, wherein the data access request comprises an encrypted user token;
decrypting the user token based on the private key of the user token key pair to obtain token information of the user token;
under the condition that the port address of the client is different from the user address in the token information, acquiring a preset user identity verification rule;
and allowing the client to access the server under the condition that the user of the client passes the user authentication rule and the user token is valid.
In addition, the logic commands in the memory described above may be implemented in the form of software functional modules and stored in a computer readable storage medium when sold or used as a stand-alone product. Based on such understanding, the technical solution of the present application, or the part of it contributing to the prior art, or a part of the technical solution, may be embodied in the form of a software product stored in a storage medium and comprising several commands for causing a computer device (which may be a personal computer, a server, or a network device, etc.) to perform all or part of the steps of the methods described in the embodiments of the present application. The aforementioned storage medium includes a U-disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk, an optical disk, or other various media capable of storing program code.
The processor in the electronic device provided by the embodiment of the present application may call the logic instruction in the memory to implement the above method, and the specific implementation manner of the processor is consistent with the implementation manner of the foregoing method, and may achieve the same beneficial effects, which are not described herein again.
The present application also provides a non-transitory computer readable storage medium having stored thereon a computer program which, when executed by a processor, is implemented to perform the methods provided by the above embodiments.
The specific embodiment is consistent with the foregoing method embodiment, and the same beneficial effects can be achieved, and will not be described herein.
Embodiments of the present application provide a computer program product comprising a computer program which, when executed by a processor, implements a method as described above.
The apparatus embodiments described above are merely illustrative, wherein the modules illustrated as separate components may or may not be physically separate, and the components shown as modules may or may not be physical, i.e., may be located in one place, or may be distributed over a plurality of network modules. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of this embodiment. Those of ordinary skill in the art will understand and implement the present invention without undue burden.
From the above description of the embodiments, it will be apparent to those skilled in the art that the embodiments may be implemented by means of software plus necessary general hardware platforms, or of course may be implemented by means of hardware. Based on this understanding, the foregoing technical solution may be embodied essentially or in a part contributing to the prior art in the form of a software product, which may be stored in a computer readable storage medium, such as ROM/RAM, a magnetic disk, an optical disk, etc., including several instructions for causing a computer device (which may be a personal computer, a server, or a network device, etc.) to execute the method described in the respective embodiments or some parts of the embodiments.
Finally, it should be noted that: the above embodiments are only for illustrating the technical solution of the present application, and are not limiting thereof; although the present application has been described in detail with reference to the foregoing embodiments, it should be understood by those of ordinary skill in the art that: the technical scheme described in the foregoing embodiments can be modified or some technical features thereof can be replaced by equivalents; such modifications and substitutions do not depart from the spirit and scope of the corresponding technical solutions.

Claims (10)

1. A data access method, applied to a server, the method comprising:
receiving a data access request sent by a client, wherein the data access request comprises an encrypted user token;
decrypting the user token based on a private key of a user token key pair to obtain token information of the user token;
acquiring a preset user identity authentication rule under the condition that the port address of the client is different from the user address in the token information;
and allowing the client to access the server under the condition that the user of the client passes the user authentication rule and the user token is valid.
2. The data access method according to claim 1, wherein the allowing the client to access the server in the case that the user of the client passes the user authentication rule and the user token is valid includes:
obtaining cached token information from a local cache under the condition that the user of the client passes the user identity verification rule;
and, under the condition that the cached token information includes the token information and the access time of the data access request is within the validity time of the user token, confirming that the user token is valid and allowing the client to access the server.
3. The data access method of claim 2, wherein the user token is constructed based on the steps of:
obtaining the token information of the user token and generating a key pair of the user token;
encrypting the token information based on an elliptic curve digital signature algorithm and the public key of the key pair;
the user token is generated based on the encrypted token information.
4. The data access method according to claim 3, further comprising, after said generating the user token:
generating a first key value pair by taking the token information as a key and the user token as a value;
generating a second key value pair by taking the token information as a key and the token effective time of the user token as a value;
and caching the first key value pair and the second key value pair locally.
5. The data access method according to claim 4, further comprising, after obtaining the token information of the user token:
acquiring a first key value pair of the user token and a second key value pair of the user token in the local cache;
determining whether the user token matches the token information in the first key value pair, and determining whether the current access time is within the validity time of the second key value pair.
6. The data access method of claim 1, wherein the user token key pair is determined based on the steps of:
generating two different prime numbers with a random number generator, where each prime number is larger than a preset threshold value;
generating the user token key pair based on the prime numbers and the Euler function.
7. The data access method according to claim 2, further comprising, after said allowing the client to access the server:
updating the validity time of the user token in the local cache based on the set validity duration of the user token and the access time.
8. A user token authentication apparatus for use at a server, the apparatus comprising:
the receiving module is used for receiving a data access request sent by the client, wherein the data access request comprises an encrypted user token;
the decryption module is used for decrypting the user token based on the private key of the user token key pair to obtain the token information of the user token;
the acquisition module is used for acquiring a preset user identity verification rule under the condition that the port address of the client is different from the user address in the token information;
and the access module is used for allowing the client to access the server side under the condition that the user of the client passes the user authentication rule and the user token is valid.
9. A non-transitory computer readable storage medium, on which a computer program is stored, characterized in that the computer program, when executed by a processor, implements the data access method according to any one of claims 1 to 7.
10. An electronic device comprising a memory and a processor, characterized in that the memory has stored therein a computer program, the processor being arranged to execute the data access method according to any of claims 1 to 7 by means of the computer program.
CN202311611271.6A 2023-11-28 2023-11-28 Data access method and device, storage medium and electronic equipment Pending CN117675309A (en)


Publications (1)

Publication Number Publication Date
CN117675309A true CN117675309A (en) 2024-03-08

Family

ID=90085694




Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination