WO2010072158A1 - Method, device and system for authenticating user identity in service chain - Google Patents

Method, device and system for authenticating user identity in service chain

Info

Publication number
WO2010072158A1
Authority
WO
WIPO (PCT)
Prior art keywords
service
user
service chain
identity
service node
Prior art date
Application number
PCT/CN2009/075961
Other languages
French (fr)
Chinese (zh)
Inventor
常恒
石晓旻
马其锋
陈维亮
王环
李彦
Original Assignee
华为技术有限公司

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials

Definitions

  • The present invention relates to the field of communications, and in particular to a user identity verification method, an identity identifier creation request method, a device, and a system.
  • Background
  • The Open Service Architecture specification (Parlay API) has been proposed; it shields the complexity of the underlying telecommunication network protocols, enabling third-party service developers to develop and use network capability services of the telecom network without mastering specialised telecommunication network knowledge.
  • In addition, with the rapid development of Web technologies, Service-oriented Architecture (SOA) has become a development trend of service systems. The externally exposed interface of a service is completely separated from its internal implementation, and different services call each other in a standard way to complete a specific piece of business logic. This is service combination technology.
  • Service combination refers to combining and integrating several existing services into a new service.
  • Business combinations can be divided into centralized mode and distributed mode.
  • Centralized mode generally has a centralized control combination engine, through which each service is called to combine these services.
  • In the distributed mode, the service combination has no centralized control combination engine; instead, each service acts as a service node, and the service nodes call each other to form a service call chain (called a service chain) that combines these services.
  • In a service chain, the preceding service node is the service requester and the following service node is the corresponding service provider.
  • One current way of accessing a service is anonymous access, i.e. no authentication is required and any user can access the service.
  • Otherwise, the service needs to authenticate the identity of the user, and the user is authorized to use the service only after the verification passes.
  • For a service chain, if the user has an account and a pair of account login credentials on each service node, then when the user invokes the service chain each service node in the chain needs to authenticate the identity of the account that calls it.
  • The user directly calls the first service node of the service chain through the user client, but once the service chain has been entered, each preceding service node calls the following service node; the user's client does not make that call directly.
  • Starting from the first service node of the service chain, the user can inform each service node in advance of the user's account and login credentials at the following service node, and that service node then accesses the following service node directly using the user's identity, that is, the user account and login credentials it has obtained.
  • This method can implement service chain authentication, but the process is very cumbersome: each service node needs to know the user's account and login credentials at the next service node, and in the course of calling the service chain the user needs different accounts and login credentials for the different service nodes. Moreover, this method still carries a great security risk. Because the user must expose his account and login credentials to the service node, the service node can access the following service node as the user even outside a service chain call, which compromises the security of the user's use of the service.
  • Alternatively, starting from the first service node of the service chain, the user informs each service node in advance only of the user account at the following service node, and the service node accesses the following service node with that user account.
  • In order to authenticate the user account, the following service node communicates directly with the user, and the user provides the login credentials directly to that service node.
  • This method reduces the security risk, because calling each service node ultimately requires the user to confirm the login credentials, which prevents the user's service from being used illegally. However, each service node still needs to know the user's account at the next service node.
  • An embodiment of the present invention provides a user identity verification method, an identity identifier creation request method, a device, and a system, so that user identity verification can be implemented with a simple process.
  • A user identity verification method in a service chain provided by an embodiment of the present invention includes: the service node receives a service chain call request including a service chain user identity identifier; the service node sends a user identity resolution request to the service chain manager, where the request includes the service chain user identity identifier and the service node identifier of the service node; and the service node determines, according to the received first identity resolution result information sent by the service chain manager, that the user corresponding to the service chain user identity identifier is authenticated, where the first identity resolution result information includes the account number and login credential information of the user for accessing the service node.
  • Another user identity verification method in a service chain provided by an embodiment of the present invention includes: receiving a user identity resolution request sent by a service node, where the user identity resolution request includes the service chain user identity identifier and the service node identifier of the service node; querying, according to the service chain user identity identifier and the service node identifier, the account with which the user corresponding to the service chain user identity identifier accesses the service node, and obtaining the login credential information corresponding to the queried account; and sending first identity resolution result information including the account number and the login credential information to the service node, so that the service node determines according to the received first identity resolution result information that the user corresponding to the service chain user identity identifier is authenticated.
  • Yet another user identity verification method in a service chain provided by an embodiment of the present invention includes: sending a service chain invocation request including a service chain user identity identifier to a service node, so that the service node sends to the service chain manager a user identity resolution request including the service chain user identity identifier and the service node identifier of the service node, and determines according to the received first identity resolution result information sent by the service chain manager that the user corresponding to the service chain user identity identifier is authenticated, where the first identity resolution result information includes the account number and login credential information of the user for accessing the service node.
  • A service node provided by an embodiment of the present invention includes: a receiving unit, configured to receive a service chain invocation request including a service chain user identity identifier and to receive identity resolution result information sent by the service chain manager;
  • an identity resolution requesting unit, configured to send a user identity resolution request to the service chain manager, where the user identity resolution request includes the service chain user identity identifier and the service node identifier of the service node;
  • a verification result determining unit, configured to determine, according to the first identity resolution result information sent by the service chain manager and received by the receiving unit, that the user corresponding to the service chain user identity identifier is authenticated, where the first identity resolution result information includes the account number and login credential information of the user for accessing the service node.
  • A service chain manager provided by an embodiment of the present invention includes: a receiving unit, configured to receive a user identity resolution request sent by the service node, where the user identity resolution request includes the service chain user identity identifier and the service node identifier of the service node;
  • an identity resolution management unit, configured to query, according to the service chain user identity identifier and the service node identifier, the account with which the user corresponding to the service chain user identity identifier accesses the service node, and, when the account is found, to obtain the login credential information corresponding to the account;
  • a sending unit, configured to send the first identity resolution result information to the service node, where the first identity resolution result information includes the account number and login credential information of the user for accessing the service node.
  • A service chain communication system provided by an embodiment of the present invention includes a plurality of service nodes constituting a service chain and a service chain manager, where:
  • the service node is configured to send a user identity resolution request to the service chain manager after receiving a service chain invocation request including a service chain user identity identifier, where the user identity resolution request includes the service chain user identity identifier and the service node identifier of the service node; and, when receiving the first identity resolution result information sent by the service chain manager, to determine that the user corresponding to the service chain user identity identifier is authenticated, where the first identity resolution result information includes the account number and login credential information of the user for accessing the service node;
  • the service chain manager is configured to, after receiving the user identity resolution request sent by the service node, obtain the account and login credential information of the user for accessing the service node according to the service chain user identity identifier and the service node identifier, and to send the first identity resolution result information to the service node.
  • In the embodiments of the present invention, when a service node receives a call request made with a service chain user identity identifier, the service node requests user identity resolution from the service chain manager, and when the service node obtains from the service chain manager the user's account and login credentials at that service node, it determines that the user identity verification has passed. Because the user identity verification is based on a unified service chain user identity identifier, and user identity resolution is performed uniformly by the service chain manager, the process is simplified compared with the prior art solutions.
  • FIG. 1 is a schematic flow chart of an embodiment of a method for user identity verification in a service chain according to an embodiment of the present invention
  • FIG. 2 is a schematic flow chart of still another embodiment of a method for analyzing user identity in a service chain according to an embodiment of the present invention
  • FIG. 4 is a schematic flowchart of another embodiment of a method for user identity verification in a service chain according to an embodiment of the present invention
  • FIG. 5 is a schematic structural diagram of an embodiment of a service chain communication system according to an embodiment of the present invention
  • FIG. 6 is a schematic structural diagram of an embodiment of a service node in an embodiment of the present invention
  • FIG. 7 is a schematic structural diagram of an embodiment of a service chain manager in an embodiment of the present invention
  • FIG. 8 is a user access in an embodiment of the present invention
  • FIG. 9 is a schematic flowchart of a method for a service chain manager to create a service chain user identity for a user;
  • FIG. 10 is a flow diagram of one embodiment of a method for a service chain manager to delete a service chain user identity identifier.
  • Detailed description
  • In the embodiments of the present invention, the user client and each service node use the same service chain user identity identifier to invoke service nodes in the service chain; a service node requests user identity resolution from the service chain manager, and when the service node obtains from the service chain manager the user's account and login credentials at that service node, it determines that the user identity verification has passed.
  • the method of the embodiment of the present invention is described below by taking a method of user identity verification by a service node in the service chain as an example.
  • FIG. 1 is a schematic flowchart of an embodiment of a method for user identity verification in a service chain according to an embodiment of the present invention; as shown in FIG. 1, the method in this embodiment includes:
  • The service node receives a service chain call request that includes a service chain user identity identifier.
  • The service chain user identity identifier may be used to uniquely distinguish a service chain user identity, such as a service chain user ID, and may be created for the user by the service chain manager.
  • The service node in the service chain may receive a service chain call request including a service chain user identity identifier sent by the user client; or it may receive such a request sent by the service chain manager; or it may receive such a request sent by another service node (the preceding service node in the service chain).
  • Step S102: the service node sends a user identity resolution request to the service chain manager, where the user identity resolution request includes the service chain user identity identifier and the service node identifier of the service node.
  • The service node identifier can be used to uniquely distinguish a service node, such as a service node name.
  • Step S104: the service node determines, according to the received first identity resolution result information sent by the service chain manager, that the user corresponding to the service chain user identity identifier is authenticated, where the first identity resolution result information includes the account number and login credential information with which the user corresponding to the service chain user identity identifier accesses the service node.
  • The login credential information may be password information or digital signature information required by the user to access the service node.
  • In this embodiment, when the service node receives a call request made with a service chain user identity identifier, the service node requests user identity resolution from the service chain manager, and when the service node obtains from the service chain manager the user's account and login credentials at that service node, it determines that the user identity verification has passed. Because the user identity verification is based on a unified service chain user identity identifier and user identity resolution is performed uniformly by the service chain manager, the process is simplified compared with the prior art solutions.
  • Moreover, a service node in the service chain obtains from the service chain manager only the user's account and login credentials at that service node, and does not learn the user's accounts and login credentials at other service nodes. This avoids identity association when users access different services, and effectively isolates the user's multiple identity accounts.
  • FIG. 2 is a schematic flowchart of still another embodiment of a method for analyzing user identity in a service chain according to an embodiment of the present invention; as shown in FIG. 2, the method in this embodiment includes:
  • Step S110: the service chain manager receives a user identity resolution request sent by the service node, where the user identity resolution request includes the service chain user identity identifier and the service node identifier of the service node;
  • Step S112: the service chain manager queries, according to the service chain user identity identifier and the service node identifier, the account with which the user corresponding to the service chain user identity identifier accesses the service node, and obtains the login credential information corresponding to the queried account;
  • Step S114: the service chain manager sends to the service node first identity resolution result information including the account number and login credential information, so that the service node determines according to the received first identity resolution result information that the user corresponding to the service chain user identity identifier is authenticated.
  • In this embodiment, after receiving the user identity resolution request sent by the service node, the service chain manager performs the user identity resolution and then sends the resolution result to the corresponding service node, which determines whether the user passes identity verification.
  • The user is not involved in the authentication process, and the process is centralized.
  • FIG. 3 is a schematic flowchart of still another embodiment of a method for analyzing user identity in a service chain according to an embodiment of the present invention.
  • The method in this embodiment includes S121: a user terminal sends a service chain invocation request including a service chain user identity identifier to a service node, so that the service node sends a user identity resolution request including the service chain user identity identifier and the service node identifier of the service node to the service chain manager, and determines according to the received first identity resolution result information sent by the service chain manager that the user is authenticated, where the information includes the account number and login credential information of the user for accessing the service node.
  • FIG. 4 is a schematic flowchart of another embodiment of a method for user identity verification in a service chain according to an embodiment of the present invention. As shown in FIG. 4, the method in this embodiment includes:
  • Step S200: the service node in the service chain receives a service chain call request that includes a service chain user identity identifier.
  • Step S202: the service node sends a user identity resolution request to the service chain manager, where the user identity resolution request includes the service chain user identity identifier and the service node identifier of the service node.
  • Step S204: the service chain manager queries, according to the received service chain user identity identifier, the user name of the user who invokes the service chain.
  • The service chain manager may store service chain usage information, which indicates the service chain user identity identifier used by each user to access each service chain and the call status of each user for each service chain, including the correspondence between the user name, the service chain identifier, the service chain user identity identifier, and the call state.
  • The specific service chain usage information may be stored in table form; Table 1 below is a service chain usage table that indicates service chain usage information.
  • The user name is used to uniquely distinguish one user;
  • the service chain name is the service chain identifier;
  • the service chain user ID is the service chain user identity identifier;
  • the ID usage status is used to represent the state of the service chain user ID, and includes a normal state indicating that the service chain user ID is available, a paused state indicating that the service chain user ID is unavailable, and the like; the ID usage status is a column of the service chain usage table.
  • The call status is used to indicate the user's current call to a specific service chain. For example, the current call status of user User1 for service chain A is that service node S1 and service node S2 in service chain A have been called, S1 first and then S2.
  • The call state may be represented in sequence form, that is, as the sequence of calls between the service nodes that have been called during the current call of the service chain, such as S1->S2.
  • Another is the collection form, which describes the set of service nodes that have been called during the current call of the service chain and the number of times each service node has been called.
  • Other forms of call state representation can also be employed.
  • In step S204, the service chain manager queries the service chain usage information according to the received service chain user identity identifier to determine the user name of the user who invokes the service chain. For example, in conjunction with Table 1, when the service chain user identity identifier is Ua, querying Table 1 determines that the user name of the user calling service chain A is User1.
  • Step S206: the service chain manager queries the user's call status for the service chain according to the received service chain user identity identifier.
  • When the user has not yet invoked a service chain, the service chain manager initializes the user's call state for the service chain by setting it to empty. Therefore, when the user accesses the first service node in the service chain, the query result in step S206 is that the user's call state for the service chain is empty, for example an empty "NULL" identifier.
  • The service chain manager may also query the service chain usage information to determine the user's call state for the service chain. For example, in conjunction with Table 1, in step S206, according to Ua it can be determined that the current call state of user User1 for service chain A is S1->S2.
  • Step S208: the service chain manager determines, according to the service node identifier, the call state, and a predefined service chain calling rule, whether the call to the service node conforms to the predefined service chain calling rule. When the determination result is yes, step S210 is performed; when the determination result is no, step S220 is performed.
  • The service chain manager may store predefined service chain calling rules. A service chain calling rule is used to indicate the calling relationship between the service nodes in a service chain, and includes a service chain identifier and a calling relationship definition, and may further include a usage policy. The calling relationship definition indicates the calling relationship between the service nodes in the service chain and may be in sequence form, that is, the complete sequence of calls between the service nodes of the entire service chain, such as S1->S2->S3->S4. A collection form may also be used, that is, the set of service nodes of the entire service chain and the number of times each service node is called.
  • The usage policy consists of policies that apply to the service chain, such as which users may use the service chain.
  • The specific service chain calling rules may also be stored in table form; Table 2 below is a service chain description table that indicates the service chain calling rules.
  • Step S210: the service chain manager adds the service node to the call state.
  • Steps S208 and S210 are described in conjunction with Tables 1 and 2.
  • The service node S1 sends a service chain call request to the service node S2 using Ua. After receiving the call request, the service node S2 sends an identity resolution request to the service chain manager; the identity resolution request includes Ua and the service node identifier S2. The current call state of service chain A in Table 1 is S1, so in step S208 the service chain manager knows from the call state that the current call of service chain A by user User1 has completed the call to service node S1,
  • Step S212: the service chain manager determines, according to the user name determined by the query and the service node identifier, the account with which the user accesses the service node, and generates login credential information according to the account;
  • The service chain manager may store user service account information, which indicates the account of each user at each service node and includes the user name, the service node identifier, and the account number.
  • The specific user service account information may also be stored in table form; Table 3 below is a service account table that indicates user service account information.
  • The service chain manager can query the user service account information to determine the user's account at the service node. For example, according to the user name User1 and the service node name S1, the account number Id1 is determined.
  • Step S214: the service chain manager sends the first identity resolution result information to the service node, where the first identity resolution result information includes the account and login credential information with which the user corresponding to the service chain user identity identifier accesses the service node.
  • Step S216: when the service node receives the first identity resolution result information sent by the service chain manager, it determines that the user corresponding to the service chain user identity identifier is authenticated, and the service node's identity verification of the user ends.
  • Step S220: the service chain manager sends to the service node second identity resolution result information indicating that the user identity verification fails;
  • Step S222: when the service node receives the second identity resolution result information sent by the service chain manager, it determines that the user corresponding to the service chain user identity identifier has not passed identity verification; the identity verification fails, and the calling process of the service chain ends.
  • In this embodiment, when the service node receives a call request made with a service chain user identity identifier, the service node requests user identity resolution from the service chain manager, and when the service node obtains from the service chain manager the user's account and login credentials at that service node, it determines that the user identity verification has passed. Because the user identity verification is based on a unified service chain user identity identifier and user identity resolution is performed uniformly by the service chain manager, the process is simplified compared with the prior art solution.
  • A service node in the service chain obtains from the service chain manager only the user's account and login credentials at that service node, and does not learn the user's accounts and login credentials at other service nodes.
  • In addition, the service chain manager verifies during identity resolution whether the call of the service chain conforms to the calling rule of the service chain, and sends the user's account and login credentials at the corresponding service node only if the calling rule is met, which guarantees the validity of the service node call.
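The exchange described for FIG. 1, FIG. 2 and FIG. 4 (steps S200 to S222), as an added Python simulation that is not part of the patent and not code of the applicant: a service chain manager holding constructed versions of the usage table (Table 1), the description table (Table 2) and the account table (Table 3), and service nodes that request identity resolution with only the service chain user ID and their own node identifier. The table contents, the message field names, the password-style credentials and the digest comparison each node performs on the returned credential are assumptions made for this example; the page does not reproduce the tables or specify how a node checks the credential it receives.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional


@dataclass
class ResolutionResult:
    """First (verified=True) or second (verified=False) identity resolution result information."""
    verified: bool
    account: Optional[str] = None
    credential: Optional[str] = None
    reason: str = ""


def _pw_hash(password: str) -> str:
    # Illustrative only: a node's login store keeps a digest, not the password itself
    return hashlib.sha256(password.encode()).hexdigest()


class ServiceChainManager:
    """Holds constructed Tables 1-3 and resolves (chain user ID, node ID) pairs (S204-S214, S220)."""

    def __init__(self) -> None:
        # Table 1 (constructed): service chain usage table, call state kept in sequence form
        self.usage = {
            "Ua": {"user": "User1", "chain": "A", "status": "normal", "state": []},
            "Ub": {"user": "User2", "chain": "A", "status": "pause", "state": []},
        }
        # Table 2 (constructed): service chain description table, calling relationship as a sequence
        self.rules = {"A": ["S1", "S2", "S3"]}
        # Table 3 (constructed): user service account table; the manager also holds the login
        # credential of each account (password information, one of the forms the text allows)
        self.accounts = {
            ("User1", "S1"): ("Id1", "pw-Id1"),
            ("User1", "S2"): ("Id2", "pw-Id2"),
            ("User1", "S3"): ("Id3", "pw-Id3"),
        }

    def resolve(self, chain_user_id: str, node_id: str) -> ResolutionResult:
        # S204: find the user name behind the service chain user identity identifier
        entry = self.usage.get(chain_user_id)
        if entry is None or entry["status"] != "normal":
            return ResolutionResult(False, reason="unknown or unavailable service chain user ID")
        # S206: current call state; empty (NULL) before the first node of the chain is called
        state, sequence = entry["state"], self.rules[entry["chain"]]
        # S208: the requesting node must be the one the calling rule expects next
        expected = sequence[len(state)] if len(state) < len(sequence) else None
        if node_id != expected:
            done = "->".join(state) or "NULL"
            return ResolutionResult(False, reason=f"{node_id} not permitted after {done}")  # S220
        # S210: record the node in the call state
        state.append(node_id)
        # S212: account and login credential of this user at this node only
        found = self.accounts.get((entry["user"], node_id))
        if found is None:
            return ResolutionResult(False, reason=f"no account for {entry['user']} at {node_id}")
        account, credential = found
        return ResolutionResult(True, account, credential)  # S214: first result information


class ServiceNode:
    """A node that only ever learns its own account for the user (S200-S222, node side)."""

    def __init__(self, node_id: str, manager: ServiceChainManager, login_store: dict) -> None:
        self.node_id = node_id
        self.manager = manager
        self.login_store = login_store      # account -> password digest, the node's own store
        self.accounts_seen: set = set()     # recorded to show account isolation between nodes

    def handle_call(self, chain_user_id: str) -> bool:
        # S202: the resolution request carries only the chain user ID and this node's identifier
        result = self.manager.resolve(chain_user_id, self.node_id)
        if not result.verified:
            return False                    # S222: second result information, chain call ends
        # S216: first result information received; the node checks the credential against its
        # own login store as it would for a direct login (assumed behaviour, not from the page)
        stored = self.login_store.get(result.account)
        ok = stored is not None and hmac.compare_digest(stored, _pw_hash(result.credential))
        if ok:
            self.accounts_seen.add(result.account)
        return ok


def build_demo():
    """Constructed chain A = S1 -> S2 -> S3 with one login store per node."""
    manager = ServiceChainManager()
    nodes = {
        name: ServiceNode(name, manager, {f"Id{i}": _pw_hash(f"pw-Id{i}")})
        for i, name in enumerate(["S1", "S2", "S3"], start=1)
    }
    return manager, nodes


def run_chain(nodes, chain_user_id, order):
    """Call the nodes in `order` with one chain user ID; stops at the first failed verification."""
    outcomes = []
    for node_id in order:
        ok = nodes[node_id].handle_call(chain_user_id)
        outcomes.append((node_id, ok))
        if not ok:
            break
    return outcomes


if __name__ == "__main__":
    manager, nodes = build_demo()
    print(run_chain(nodes, "Ua", ["S1", "S2", "S3"]))      # every node verifies
    print({n: sorted(node.accounts_seen) for n, node in nodes.items()})
    manager, nodes = build_demo()
    print(run_chain(nodes, "Ua", ["S1", "S3"]))            # S3 out of order: rejected at S208
```

Running the in-order chain verifies at every node while S1 ends up knowing only Id1 and S2 only Id2, which is the account isolation the text claims; calling S3 directly after S1 is refused at step S208 because the call state S1 does not permit S3 next, so no account or credential for S3 is released.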
  • the embodiment of the present invention provides a service chain communication system, a service node in a service chain, and a service chain manager.
  • the device according to the embodiment of the present invention is described below with reference to FIG. 5 to FIG.
  • FIG. 5 is a schematic structural diagram of an embodiment of a service chain communication system according to an embodiment of the present invention.
  • The system in this embodiment includes multiple service nodes constituting a service chain (in a specific implementation, a service chain communication system may include multiple service chains; only one service chain is illustrated here) and a service chain manager, where the user client is connected to the first service node in the service chain and to the service chain manager respectively.
  • The user client and each service node use the same service chain user identity identifier to invoke service nodes in the service chain. Specifically:
  • after the service node receives a service chain invocation request including a service chain user identity identifier, the service node sends a user identity resolution request to the service chain manager, where the user identity resolution request includes the service chain user identity identifier and the service node identifier of the service node; and when receiving the first identity resolution result information sent by the service chain manager, the service node determines that the user corresponding to the service chain user identity identifier passes identity verification, where the first identity resolution result information includes the account number and login credential information with which the user corresponding to the service chain user identity identifier accesses the service node.
  • The service chain manager is configured to, after receiving the user identity resolution request sent by the service node, obtain the account and login credential information with which the user corresponding to the service chain user identity identifier accesses the service node according to the service chain user identity identifier and the service node identifier, and to send the first identity resolution result information to the service node.
  • In this system the same service chain user identity identifier is used to invoke every service node in the service chain; each service node requests user identity resolution from the service chain manager, and when the service node obtains from the service chain manager the user's account and login credentials at that service node, the user identity verification passes. Because the same service chain user identity identifier is used for calling and user identity resolution is performed uniformly by the service chain manager, user authentication is implemented by a simple process compared with the prior art solution. Moreover, a service node in the service chain obtains from the service chain manager only the user's account and login credentials at that service node, and does not learn the user's accounts and login credentials at other service nodes, which avoids identity association when users access different services and effectively isolates the user's multiple identity accounts.
  • FIG. 6 is a schematic structural diagram of an embodiment of a service node (for example, the service node 1, the service node 2, or the service node 3 in FIG. 5) in the embodiment of the present invention.
  • As shown in FIG. 6, the service node in this embodiment includes a receiving unit 40, an identity resolution requesting unit 42, and a verification result determining unit 44, where:
  • the receiving unit 40 is configured to receive a service chain call request that includes a service chain user identity identifier.
  • the service node in the service chain may receive the service chain call request including the service chain user identity from the user client (when it is the first node in the service chain, such as the service node 1 in FIG. 5); from the service chain manager (when it is the first node in the service chain and the service chain manager initiates the service chain call on behalf of the user); or from another service node (the previous service node in the service chain; for example, the service node 2 in FIG. 5 receives the service chain call request containing the service chain user identity sent by the service node 1).
  • the identity resolution requesting unit 42 is configured to send a user identity resolution request to the service chain manager, where the user identity resolution request includes the service chain user identity identifier and a service node identifier of the service node;
  • the verification result determining unit 44 is configured to, upon receiving the first identity resolution result information sent by the service chain manager, determine that the user corresponding to the service chain user identity is authenticated, where the first identity resolution result information includes the account and login credential information of the user corresponding to the service chain user identity for accessing the service node.
  • Because the service chain user identity is used to invoke the service node in the service chain, the service node requests user identity resolution from the service chain manager and obtains from it the user's account and login credential at that service node, on which basis the user identity verification is determined to pass. Since every call uses the same service chain user identity and all user identity resolution is centralized at the service chain manager, user identity verification is implemented with a simpler process than in the prior art.
  • A service node in the service chain obtains from the service chain manager only the user's account and login credential at that service node, and does not learn the user's accounts and login credentials at other service nodes; this avoids identity association when the user accesses different services and effectively isolates the user's multiple identity accounts.
  • FIG. 7 is a schematic structural diagram of an embodiment of a service chain manager according to an embodiment of the present invention.
  • the service chain manager of this embodiment includes a receiving unit 50, an identity resolution management unit 52, and a sending unit 54, where:
  • the receiving unit 50 is configured to receive a user identity resolution request sent by the service node, where the user identity resolution request includes the service chain user identity and a service node identifier of the service node;
  • the identity resolution management unit 52 is configured to query, according to the service chain user identity and the service node identifier, the account of the user corresponding to the service chain user identity for accessing the service node, and, when the account is found, obtain the login credential information corresponding to the account;
  • the sending unit 54 is configured to send the first identity resolution result information to the service node, where the first identity resolution result information includes the account and login credential information of the user corresponding to the service chain user identity for accessing the service node.
  • the identity resolution management unit 52 includes a storage unit 520, a first identity management unit 522, a second identity management unit 524, and a credential generation unit 526, where:
  • the storage unit 520 is configured to store service chain usage information and user service account information, where the service chain usage information indicates the service chain user identity used by each user to access each service chain, and the user service account information indicates the account of each user at each service node; the specific content and storage form of the service chain usage information and the user service account information in this embodiment are consistent with the foregoing method and are not described again here.
  • the first identity management unit 522 is configured to query, according to the service chain user identity received by the receiving unit 50, the service chain usage information in the storage unit 520, and determine a user that invokes the service chain;
  • the second identity management unit 524 is configured to query the user service account information in the storage unit 520 according to the user name of the user determined by the first identity management unit 522 and the service node identifier received by the receiving unit 50, and determine the account of the user for accessing the service node;
  • the credential generation unit 526 is configured to generate login credential information according to the account determined by the second identity management unit 524.
  • the storage unit 520 of this embodiment is further configured to store a predefined service chain calling rule, where the service chain calling rule indicates the calling relationship between the service nodes in the service chain; the specific content and storage form of the service chain calling rule are consistent with the foregoing methods and are not described again here.
  • the identity resolution management unit 52 further includes:
  • the third identity management unit 523 is configured to query the service chain usage information stored in the storage unit 520 according to the service chain user identity received by the receiving unit 50, determine the calling state of the service chain by the user, and determine, according to the service node identifier received by the receiving unit 50, the calling state obtained by the query, and the predefined service chain calling rule stored in the storage unit, whether the call to the service node meets the predefined calling rule; when the judgment result is yes, the service node is added to the calling state;
  • the second identity management unit 524 queries the user service account information in the storage unit 520 according to the user name of the user determined by the first identity management unit 522 and the service node identifier received by the receiving unit 50, and determines the account of the user for accessing the service node;
  • the sending unit 54 of this embodiment is further configured to send, to the service node, a second identity resolution result message indicating that the user identity verification fails when the judgment result of the third identity management unit 523 is negative.
  • the service chain manager of this embodiment further includes:
  • the service chain identity management unit 56 is configured to manage the service chain user identity.
  • the service chain identity management unit 56 may include a service chain user identity creation unit for creating a service chain user identity for the user.
  • the service chain identity management unit may also manage a created service chain user identity, for example by suspending, resuming, or deleting it.
  • the service chain manager of this embodiment further includes:
  • the calling state initializing unit is configured to set the calling state of the user to the service chain to be empty.
  • the receiving unit 50 and the sending unit 54 of the embodiment may be integrally configured as an interface module for performing communication interaction between the service chain manager and other devices, and receiving and transmitting various request and response messages.
  • the first identity management unit 522, the second identity management unit 524, and the third identity management unit 523 and the service chain identity management unit 56 can be integrally configured as an identity management module.
  • FIG. 8 is a schematic flowchart of a method for a user to access a service chain according to an embodiment of the present invention; this embodiment takes user User1 invoking service chain A as an example and is described with reference to Table 1, Table 2, and Table 3. As shown in FIG. 8, the method of this embodiment includes:
  • Step S600: The user logs in to the service chain manager with user name User1 through the user client and requests to invoke service chain A once.
  • Step S601: The service chain manager receives the call request for service chain A through the interface module, and the identity management module queries the service chain usage table according to the user name User1 and the name A of service chain A, and determines that the corresponding service chain user ID is Ua. If multiple service chain user IDs are found, the user chooses the Ua used for this service chain call. If the ID usage status of Ua is normal, its calling state is set to NULL, indicating that User1 initializes the calling process of service chain A with service chain user ID Ua. Then notify
  • Step S602 if it can be executed, the client of the user User1 requests to invoke the service chain A with Ua, and the request is sent to the first service node S1 of the service chain A.
  • Step S603: Service node S1 sends a user identity resolution request to the service chain manager, where the request includes the service chain user ID Ua and the service node name S1. If S1 does not know its successor service node in service chain A, it also requests its successor service node and the access mode of that node from the service chain manager.
  • Step S604: The service chain manager receives the request through the interface module, and the identity management module queries the service chain usage table according to the service chain user ID Ua and determines that the user invoking service chain A through Ua is User1.
  • Step S605 The identity management module queries the service chain description table to obtain the call relationship definition of the service chain A.
  • Step S606: If the call to S1 complies with the calling relationship definition of service chain A, the identity management module queries the service account list, learns that the account of User1 at S1 is Id1, and then performs step S607. If the call to S1 does not comply with the calling relationship definition, the service chain manager rejects the identity resolution request and sends S1 the second identity resolution result information indicating that user identity verification failed. When the second identity resolution result information is sent in step S606, the following steps S607, S608, and S609 are not performed and step S610 is executed directly.
  • Step S607: The identity management module invokes the credential generation unit to generate the account authentication credential Auth(Id1) for logging in to S1 for the account ID Id1 of User1 at S1, where Auth(Id1) includes the account Id1 and the login credential of the user at S1.
  • Step S608: The identity management module adds S1 to the calling state of Ua: in the sequence mode, S1 is recorded as the first called service node; in the set mode, S1 is added to the called service node set.
  • Step S609: The interface module sends the account verification credential Auth(Id1) to S1 as the first identity resolution result. If S1 does not know its successor service node in service chain A, the first identity resolution result also specifies the successor service node of S1 in service chain A and its access mode (for example, the node name S2 of service node 2 and the access method for calling service node 2).
  • Step S610: When S1 receives Auth(Id1), it can determine that the identity verification of the account Id1 of User1 at S1 is passed; S1 then executes its service logic normally and calls the next service node S2 of S1 on service chain A with Ua, i.e. it sends a service chain invocation request containing Ua to S2, and S2 becomes the new called service node in the user's invocation of service chain A. If S1 receives the second identity resolution result information indicating verification failure, it determines that identity verification cannot pass; S1 does not execute its service logic, the execution of service chain A terminates here, and the subsequent steps are not performed.
  • Step S611 the service node S2 sends an identity resolution request to the service chain manager, where the request includes a service.
  • Step S612: The service chain manager receives the request through the interface module. Similarly, the identity management module queries the service chain usage table according to the service chain user ID Ua and determines that the user invoking service chain A through Ua is User1.
  • Step S613: The identity management module queries the service chain usage table to determine whether the calling state of Ua complies with the calling relationship definition of service chain A. Here the calling state is that only S1 has been called, and the service node currently requesting identity resolution is S2. For a calling relationship definition in sequence mode, the definition is met if S2 is the successor service node of S1 in the sequence; for a calling relationship definition in set mode, the definition is met if S2 belongs to the node set.
  • Step S614: If the call to S2 complies with the calling relationship definition of service chain A, the identity management module queries the service account list, learns that the account of User1 at S2 is Id2, and then performs step S615. If the call to S2 does not comply with the calling relationship definition, the service chain manager rejects the identity resolution request and sends the second identity resolution result information indicating user identity verification failure to S1; the following steps S615, S616, and S617 are not performed and the process jumps directly to step S618.
  • Step S615: The identity management module invokes the credential generation unit to generate the account authentication credential Auth(Id2) for logging in to S2 for the account ID Id2 of User1 at S2, where Auth(Id2) includes the account Id2 and the login credential of the user at S2.
  • Step S616: The identity management module adds S2 to the calling state of Ua: in the sequence mode, S2 is recorded as the service node called after S1; in the set mode, S2 is added to the called service node set.
  • Step S617: The interface module sends the account verification credential Auth(Id2) to S2 as the first identity resolution result. If S2 does not know its successor service node in service chain A, the first identity resolution result also specifies the successor service node of S2 in service chain A and its access mode.
  • Step S618: When S2 receives Auth(Id2), it can determine that the identity verification of the account Id2 of User1 at S2 is passed; S2 then executes its service logic normally and calls the next service node of S2 on service chain A with Ua, and that service node becomes the new called service node in the user's invocation of service chain A. If S2 receives verification
  • Thereafter, each service node in turn requests user identity resolution from the service chain manager. The request includes the service chain user ID Ua and the service node name; if the service node does not know its successor service node in service chain A, it also requests its successor service node and the access mode of that node, until the last service node of service chain A has executed.
  • The service chain manager performs a similar process for each request: if the call to the service node complies with the calling relationship definition of service chain A, it generates, for the account of user User1 at that service node, the account authentication credential for logging in to that service node, and adds the service node to the calling state of Ua in the service chain usage table. In the sequence mode the service node is appended to the tail of the called service node sequence; in the set mode the service node is added to the called service node set, or the number of times it has been called is incremented. If the service node does not know its successor service node in service chain A, the first identity resolution result also specifies the successor service node of that node in service chain A and its access mode.
  • When the last service node of service chain A is reached and the calling state of Ua in the service chain usage table is equivalent to the calling relationship definition of service chain A, indicating that all service nodes of service chain A have been called, User1's invocation of service chain A ends normally.
  • FIG. 9 is a schematic flowchart of a method for a service chain manager to create a service chain user identity for a user. As shown in FIG. 9, the embodiment includes:
  • Step S700: The user logs in to the service chain manager and requests creation of a service chain user ID for service chain A.
  • Step S701: The service chain manager receives the request through the interface module. If service chain A satisfies the relevant policies allowing it to be invoked by way of a service chain user ID, the identity management module queries the service chain description of service chain A in the service chain description table; if the user satisfies the usage policy in the service chain description, the identity management module assigns a service chain user ID to the user, or the user may generate a service chain user ID that meets the requirements.
  • Step S702: The identity management module accesses the service chain usage table, adds a record for the user to it, registers the user's user name, the name of service chain A, and the service chain user ID assigned to the user, and marks the ID usage status of the service chain user ID as normal.
  • Step S703: The interface module notifies the user of the result of the service chain user ID creation process.
  • An embodiment of the present invention further provides a service chain user identity creation request method, including: the user terminal sends a service chain user identity creation request to the service chain manager, so that the service chain manager creates the service chain user identity for the user and, when receiving a user identity resolution request sent by a service node, queries, according to the service chain user identity and the service node identifier, the account of the user corresponding to the service chain user identity for accessing the service node, obtains the login credential information corresponding to the account according to the queried account, and sends first identity resolution result information including the account and the login credential information to the service node; where the user identity resolution request includes the service chain user identity and the service node identifier of the service node.
  • FIG. 10 is a schematic flowchart of a method for a service chain manager to delete a service chain user identity; as shown in FIG. 10, the embodiment includes:
  • Step S800: The user logs in to the service chain manager and requests deletion of a service chain user ID.
  • Step S801: The service chain manager receives the request through the interface module, and the identity management module looks up the record corresponding to the service chain user ID in the service chain usage table and deletes it; the service chain user ID is no longer used.
  • Step S802: The interface module notifies the user of the result of processing the request.
  • The operations of suspending and resuming a service chain user ID are handled like the deletion operation, except that: for a suspension request, the ID usage status of the record is set to suspended and the service chain manager rejects all identity resolution requests for that ID; for a resumption request, the ID usage status of the record is set to normal; and for a deletion request, the record is deleted from the service chain usage table and the service chain user ID is no longer used.
  • the storage medium may be a magnetic disk, an optical disk, a read-only memory (ROM), or a random access memory (RAM).
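The FIG. 8 call flow together with the FIG. 9 / FIG. 10 identity lifecycle, modelled as an added Python example that is not part of the patent: a service chain manager keeps the service chain usage table, checks each node's resolution request against the calling relationship definition (sequence or set mode), issues a per-node Auth(Id), and refuses resolution for suspended or deleted IDs. The per-node secret keys, the MAC-based credential, the status names and the User1/S1..S3/Id1..Id3 data are constructed assumptions, not details given by the patent.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

NORMAL, SUSPENDED = "normal", "suspended"   # ID usage status values (constructed names)

@dataclass
class UsageRecord:                           # one record of the service chain usage table
    user: str
    chain: str
    status: str = NORMAL
    call_state: list = field(default_factory=list)   # called service nodes, in order

def make_credential(node_key, account):
    # Stand-in for the credential generation unit (assumption): a MAC over the account under
    # a secret shared only by the manager and the target node, so Auth(Id) is useless elsewhere.
    return hmac.new(node_key, account.encode(), hashlib.sha256).hexdigest()

class ServiceChainManager:
    def __init__(self):
        self.usage = {}       # service chain user ID -> UsageRecord (service chain usage table)
        self.chains = {}      # chain name -> ("sequence" | "set", [node names]) (description table)
        self.accounts = {}    # (user, node) -> account ID at that node (service account list)
        self.node_keys = {}   # node -> secret shared with that node (assumption, see make_credential)

    # FIG. 9 / FIG. 10: create, suspend, resume and delete a service chain user ID
    def create_identity(self, user, chain):
        if chain not in self.chains:
            raise KeyError(chain)
        ua = f"U{secrets.token_hex(4)}"       # manager-assigned ID (step S701)
        self.usage[ua] = UsageRecord(user, chain)
        return ua

    def set_status(self, ua, status):          # SUSPENDED = suspend, NORMAL = resume
        self.usage[ua].status = status

    def delete(self, ua):
        del self.usage[ua]

    # Steps S600/S601: the user starts a call and the calling state of Ua is reset to empty
    def start_call(self, user, ua):
        rec = self.usage.get(ua)
        if rec is None or rec.user != user or rec.status != NORMAL:
            return False
        rec.call_state = []
        return True

    # Steps S603-S609 and S611-S617: a service node requests identity resolution for Ua;
    # returns the first identity resolution result, or None for the second (failure) result.
    def resolve(self, ua, node):
        rec = self.usage.get(ua)
        if rec is None or rec.status != NORMAL:
            return None
        mode, nodes = self.chains[rec.chain]
        successor = None
        if mode == "sequence":                    # only the next node in order may call
            pos = len(rec.call_state)
            allowed = pos < len(nodes) and nodes[pos] == node
            if allowed and pos + 1 < len(nodes):
                successor = nodes[pos + 1]
        else:                                     # set mode: any member node, repeats counted
            allowed = node in nodes
        account = self.accounts.get((rec.user, node))
        if not allowed or account is None:
            return None
        rec.call_state.append(node)
        credential = make_credential(self.node_keys[node], account)
        return {"account": account, "credential": credential, "next": successor}

    def chain_complete(self, ua):
        rec = self.usage[ua]
        mode, nodes = self.chains[rec.chain]
        return rec.call_state == nodes if mode == "sequence" else set(rec.call_state) == set(nodes)

def node_verify(node_key, result):
    """Step S610 at a service node: accept only an Auth(Id) bound to its own key."""
    if result is None:
        return False                              # second identity resolution result
    return hmac.compare_digest(make_credential(node_key, result["account"]), result["credential"])

def build_chain_a():
    """Constructed sample data: chain A = S1 -> S2 -> S3 in sequence mode, user User1."""
    mgr = ServiceChainManager()
    mgr.chains["A"] = ("sequence", ["S1", "S2", "S3"])
    for n, acct in (("S1", "Id1"), ("S2", "Id2"), ("S3", "Id3")):
        mgr.node_keys[n] = f"constructed-key-{n}".encode()
        mgr.accounts[("User1", n)] = acct
    return mgr

def run_chain(mgr, ua, first="S1"):
    """FIG. 8 flow: each node resolves Ua, verifies Auth(Id) and calls its successor; returns [(node, account)]."""
    executed, node = [], first
    while node is not None:
        result = mgr.resolve(ua, node)
        if not node_verify(mgr.node_keys[node], result):
            break                                 # verification failed; the chain ends here
        executed.append((node, result["account"]))
        node = result["next"]
    return executed
```

Each node in the returned list saw only its own account, which is the isolation property the embodiment claims.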

Abstract

A method, device and system for authenticating user identity in a service chain are provided in the embodiments of the invention, wherein the method includes: a service node in the service chain receives a service chain invocation request that includes the identifier of the user identity in the service chain; the service node transmits a user identity resolution request to the service chain manager, the user identity resolution request comprising the identifier of the user identity in the service chain and the service node identifier of the service node; and when the service node receives the first identity resolution result information transmitted by the service chain manager, it determines that the user corresponding to the identifier of the user identity in the service chain is authenticated, the first identity resolution result information comprising the account and login credential information for the user, corresponding to the identifier of the user identity in the service chain, to access the service node. The invention has the advantage of realizing user identity authentication with a simple procedure.

Description

说 明 书  Description
一种业^^中的用户身份验证方法、 设备及*** 本申请要求 2008年 12月 24日递交的申请号为 200810220345.2、 发明名称 为 "一种业务链中的用户身份验证方法、 设备及***" 的中国专利申请的优先 权, 其全部内容通过引用结合在本申请中。 技术领域  User authentication method, device and system in industry ^^ This application claims that the application number submitted on December 24, 2008 is 200810220345.2, and the invention name is "a user authentication method, device and system in a service chain" Priority of the Chinese Patent Application, the entire contents of which is incorporated herein by reference. Technical field
本发明涉及通信领域, 尤其涉及一种用户身份验证方法、 身份标识创建请 求方法、 设备及***。 背景技术  The present invention relates to the field of communications, and in particular, to a user identity verification method, an identity identification creation request method, a device, and a system. Background technique
随着电信网络能力的增强, 需要由第三方甚至是普通业务使用者来创建业 务。 如果任何一个业务, 都需要从头开发, 这将导致非常低下的效率。  As telecom network capabilities increase, it is necessary for third parties and even ordinary business users to create services. If any business needs to be developed from scratch, this will result in very low efficiency.
对此,提出了开放业务架构规范 Parlay API接口,通过这种接口屏蔽了底层 电信网络协议的复杂性, 使得第三方业务开发者在不需要掌握专业电信网络知 识的前提下也具有开发使用基 电信网络能力的业务。 此外, 随着 Web技术的 迅速发展, 面向业务架构 (SOA, Service-oriented architecture)成为业务***的发 展趋势。 业务对外暴露的接口与其内部实现完全分离, 通过标准的方式, 不同 业务之间相互调用共同完成特定的业务逻辑, 这就是业务组合技术。  In this regard, the Open Service Architecture Specification Parlay API interface is proposed, which shields the complexity of the underlying telecommunication network protocol, enabling third-party service developers to develop and use telecom networks without the need to master the knowledge of professional telecommunication networks. Network capacity business. In addition, with the rapid development of Web technologies, Service-oriented Architecture (SOA) has become a development trend of business systems. The externally exposed interface of the service is completely separated from its internal implementation. In a standard way, different services call each other to complete a specific business logic. This is the business combination technology.
业务组合是指将若干个已有的业务通过编排与集成, 组合成一个新的业务。 业务组合可以分为集中方式和分布式方式两种。 集中方式一般存在一个集中控 制的组合引擎, 通过该组合引擎分别调用各业务来将这些业务组合在一起。 而 分布式方式, 业务组合不存在集中控制的组合引擎, 而是每个业务作为一个业 务节点, 业务节点之间彼此调用, 形成业务调用链(称为业务链) 而将这些业 务组合在一起。 在一个业务链上, 前一个业务节点是业务请求者, 后一个业务 节点则是对应的业务提供者。  Business combination refers to the integration and integration of several existing businesses into a new business. Business combinations can be divided into centralized mode and distributed mode. Centralized mode generally has a centralized control combination engine, through which each service is called to combine these services. In the distributed mode, the business portfolio does not have a centralized control combination engine, but each service acts as a business node, and the service nodes call each other to form a business call chain (called a business chain) and combine these services. In a service chain, the former service node is the service requester, and the latter service node is the corresponding service provider.
当前对业务访问的一种方式为匿名访问, 即无需鉴权, 任何用户都能访问 业务。 另外一种方式, 业务需要鉴别用户的身份, 验证通过之后才会授权用户 使用业务。 对于一个业务链, 如果用户在每个业务节点上都分别有帐号以及对 应的帐号登录凭证, 则该用户在调用该业务链时, 业务链中每个业务节点都需 要对该用户进行身份帐号验证才能被调用。 在实际调用时, 用户通过用户客户 端直接调用业务链第一个业务节点, 但之后的业务链调用, 都是由前一业务节 点来调用后一业务节点, 而不是由该用户的客户端来进行直接的调用。 One way of currently accessing a service is anonymous access, ie no authentication is required and any user can access the service. In another way, the service needs to authenticate the identity of the user, and the user is authorized to use the service after the verification is passed. For a service chain, if the user has an account and a pair on each service node The account login credentials, when the user invokes the service chain, each service node in the service chain needs to authenticate the identity account to be called. In the actual call, the user directly calls the first service node of the service chain through the user client, but after the service chain is called, the previous service node calls the latter service node instead of the client of the user. Make a direct call.
从业务链第一个业务节点开始, 为了提供用户对后继业务节点的身份验证, 用户可以预先告知该业务节点其在后一业务节点处的用户帐号和登录凭证, 则 该业务节点直接以用户的身份, 即其获得的用户帐号和登录凭证来访问后继业 务节点。 这种方式能实现业务链身份验证, 但是流程却很繁瑣, 每个业务节点 都需要知道用户在后一业务节点处的帐号和登录凭证, 在业务链调用过程中, 访问不同业务节点需要使用用户的不同帐号和登录凭证。 并且这种方法还存在 很大的安全隐患, 因为需要用户向业务节点暴露其帐号和登录凭证, 则该业务 节点即使在非业务链调用时也能以用户身份访问其后一业务节点, 无法保证用 户使用业务的安全性。  Starting from the first service node of the service chain, in order to provide the user with the identity verification of the subsequent service node, the user can inform the service node of the user account and the login credentials at the latter service node in advance, and the service node directly uses the user's Identity, that is, the user account and login credentials it obtains to access the successor business node. This method can implement service chain authentication, but the process is very cumbersome. Each service node needs to know the account and login credentials of the user at the next service node. In the process of calling the service chain, users need to use different service nodes. Different account and login credentials. Moreover, this method still has a great security risk. Because the user needs to expose his account and login credentials to the service node, the service node can access the latter service node as the user even when the non-service chain is called. The security of the user's use of the business.
另外一种方法中, 从业务链第一个业务节点开始, 用户只是预先告知该业 务节点其在后一业务节点处的用户帐号, 该业务节点以用户帐号访问后继业务 节点。 为了对该用户帐号进行身份验证, 由该后继业务节点直接与用户进行通 信交互, 由用户向该后继业务节点直接提供登录凭证。 相比前一种方法, 这种 方法降低了安全隐患, 因为对每个业务节点进行调用, 最终都需要用户本人经 过确认之后来提供登录凭证, 避免了用户的业务被非法使用。 但是每个业务节 点仍然需要知道用户在后一业务节点处的帐号, 在业务链调用过程中, 访问不 同业务节点需要使用用户的不同帐号, 用户要频繁的进行通信交互, 提供登录 各业务节点的登录凭证, 处理流程仍然非常繁瑣, 并且给用户带来极大的不方 便。 发明内容  In another method, starting from the first service node of the service chain, the user only informs the service node of the user account at the latter service node in advance, and the service node accesses the subsequent service node with the user account. In order to authenticate the user account, the subsequent service node directly communicates with the user, and the user directly provides the login credentials to the subsequent service node. Compared with the former method, this method reduces the security risk, because calling each service node ultimately requires the user to confirm the login credentials to avoid the user's business being illegally used. However, each service node still needs to know the account of the user at the next service node. In the process of calling the service chain, different user nodes need to use different account numbers of the user, and the user should frequently perform communication interaction to provide login to each service node. The login process, the processing flow is still very cumbersome, and brings great inconvenience to the user. Summary of the invention
鉴于此, 本发明实施例提供一种用户身份验证方法、 身份标识创建请求方 法、 设备及***, 可采用简单的流程实现用户身份^ i正。  In view of this, an embodiment of the present invention provides a user identity verification method, an identity identification creation request method, a device, and a system, and a simple process can be used to implement a user identity.
本发明实施例提供的一种业务链中的用户身份验证方法, 包括:  A user identity verification method in a service chain according to an embodiment of the present invention includes:
业务节点接收到包含业务链用户身份标识的业务链调用请求;  The service node receives a service chain call request including a service chain user identity;
the service node sends a user identity resolution request to the service chain manager, the user identity resolution request including the service chain user identity and the service node identifier of the service node; and the service node determines, according to first identity resolution result information received from the service chain manager, that the user corresponding to the service chain user identity is authenticated, the first identity resolution result information including the account and login credential information with which the user accesses the service node.

Another user identity verification method in a service chain provided by an embodiment of the present invention includes: receiving a user identity resolution request sent by a service node, the user identity resolution request including the service chain user identity and the service node identifier of the service node;

querying, according to the service chain user identity and the service node identifier, the account with which the user corresponding to the service chain user identity accesses the service node, obtaining the login credential information corresponding to the queried account, and sending first identity resolution result information including the account and the login credential information to the service node, so that the service node determines, according to the received first identity resolution result information, that the user corresponding to the service chain user identity is authenticated.

Another user identity verification method in a service chain provided by an embodiment of the present invention includes: sending a service chain invocation request including a service chain user identity to a service node, so that the service node sends a user identity resolution request including the service chain user identity and the service node identifier of the service node to the service chain manager and determines, according to first identity resolution result information received from the service chain manager, that the user corresponding to the service chain user identity is authenticated, the first identity resolution result information including the account and login credential information with which the user accesses the service node.
A service node in a service chain provided by an embodiment of the present invention includes:

a receiving unit, configured to receive a service chain invocation request including a service chain user identity and to receive identity resolution result information sent by the service chain manager;

an identity resolution requesting unit, configured to send a user identity resolution request to the service chain manager, the user identity resolution request including the service chain user identity and the service node identifier of the service node;

a verification result determining unit, configured to determine, when the receiving unit receives first identity resolution result information sent by the service chain manager, that the user corresponding to the service chain user identity is authenticated, the first identity resolution result information including the account and login credential information with which the user accesses the service node.
A service chain manager provided by an embodiment of the present invention includes: a receiving unit, configured to receive a user identity resolution request sent by a service node, the user identity resolution request including the service chain user identity and the service node identifier of the service node;

an identity resolution management unit, configured to query, according to the service chain user identity and the service node identifier, the account with which the user corresponding to the service chain user identity accesses the service node, and, when the account is found, to obtain the login credential information corresponding to the account;

a sending unit, configured to send first identity resolution result information to the service node, the first identity resolution result information including the account and login credential information with which the user accesses the service node.
A service chain communication system provided by an embodiment of the present invention includes a plurality of service nodes forming a service chain and a service chain manager, where:

the service node is configured to, after receiving a service chain invocation request including a service chain user identity, send a user identity resolution request to the service chain manager, the user identity resolution request including the service chain user identity and the service node identifier of the service node; and, when receiving first identity resolution result information sent by the service chain manager, to determine that the user corresponding to the service chain user identity is authenticated, the first identity resolution result information including the account and login credential information with which the user accesses the service node;

the service chain manager is configured to, after receiving the user identity resolution request sent by the service node, obtain the account and login credential information with which the user accesses the service node according to the service chain user identity and the service node identifier, and send the first identity resolution result information to the service node.

In the embodiments of the present invention, when a service node receives an invocation request that invokes the service node by means of a service chain user identity, the service node requests user identity resolution from the service chain manager, and when the service node obtains from the service chain manager the user's account and login credentials at that service node, it determines that the user has passed identity verification. Because user identity verification is based throughout on a single service chain user identity and identity resolution is performed centrally by the service chain manager, the procedure is simpler than in the prior art.

BRIEF DESCRIPTION OF THE DRAWINGS
To describe the technical solutions in the embodiments of the present invention or in the prior art more clearly, the drawings required for the description of the embodiments or the prior art are introduced briefly below. Obviously, the drawings described below show only some embodiments of the present invention, and a person of ordinary skill in the art may derive other drawings from them without creative effort.

FIG. 1 is a schematic flowchart of an embodiment of a user identity verification method in a service chain according to an embodiment of the present invention;

FIG. 2 is a schematic flowchart of another embodiment of a user identity resolution method in a service chain according to an embodiment of the present invention;

FIG. 3 is a schematic flowchart of a further embodiment of a user identity resolution method in a service chain according to an embodiment of the present invention;

FIG. 4 is a schematic flowchart of another embodiment of a user identity verification method in a service chain according to an embodiment of the present invention;

FIG. 5 is a schematic diagram of the architecture of an embodiment of a service chain communication system according to an embodiment of the present invention;

FIG. 6 is a schematic structural diagram of an embodiment of a service node according to an embodiment of the present invention;

FIG. 7 is a schematic structural diagram of an embodiment of a service chain manager according to an embodiment of the present invention;

FIG. 8 is a schematic flowchart of an embodiment of a method for a user to access a service chain according to an embodiment of the present invention;

FIG. 9 is a schematic flowchart of an embodiment of a method by which the service chain manager creates a service chain user identity for a user;

FIG. 10 is a schematic flowchart of an embodiment of a method by which the service chain manager deletes a service chain user identity.

DETAILED DESCRIPTION
The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the accompanying drawings. Obviously, the described embodiments are only some rather than all of the embodiments of the present invention. All other embodiments obtained by a person of ordinary skill in the art based on the embodiments of the present invention without creative effort fall within the protection scope of the present invention.

In the embodiments of the present invention, during an invocation of one service chain, the user client and every service node use the same service chain user identity to invoke the service nodes in the chain; each service node requests user identity resolution from the service chain manager, and when the service node obtains from the service chain manager the user's account and login credentials at that service node, it determines that the user has passed identity verification. The method of the embodiments is described below using the identity verification performed by one service node in the service chain as an example.

FIG. 1 is a schematic flowchart of an embodiment of a user identity verification method in a service chain according to an embodiment of the present invention. As shown in FIG. 1, the method of this embodiment includes:
Corrected page (Rule 91)

Step S100: a service node receives a service chain invocation request including a service chain user identity. In a specific implementation, the service chain user identity uniquely distinguishes one service chain user, for example as a service chain user ID, and may be created for the user by the service chain manager. The service node may receive the service chain invocation request including the service chain user identity from the user client, from the service chain manager, or from another service node (the preceding node in the service chain).

Step S102: the service node sends a user identity resolution request to the service chain manager, the user identity resolution request including the service chain user identity and the service node identifier of the service node. In a specific implementation, the service node identifier uniquely distinguishes one service node, for example a service node name.

Step S104: the service node determines, according to first identity resolution result information received from the service chain manager, that the user corresponding to the service chain user identity is authenticated, the first identity resolution result information including the account and login credential information with which the user corresponding to the service chain user identity accesses the service node. Specifically, when the service node finds that the first identity resolution result information contains the account and the login credential information, it may determine that the user corresponding to the service chain user identity is authenticated. In a specific implementation, the login credential information may be password information required by the user to access the service node, digital signature information, or the like.

In this embodiment, when a service node receives an invocation request that invokes it by means of a service chain user identity, the service node requests user identity resolution from the service chain manager, and when it obtains from the service chain manager the user's account and login credentials at that service node, it determines that the user has passed identity verification. Because user identity verification is based throughout on a single service chain user identity and identity resolution is performed centrally by the service chain manager, the procedure is simpler than in the prior art. Moreover, a service node in the chain obtains from the service chain manager only the user's account and login credentials at that node, and does not learn the user's accounts and login credentials at other service nodes. This avoids linking the user's identities across different services and effectively isolates the user's multiple identity accounts.
FIG. 2 is a schematic flowchart of another embodiment of a user identity resolution method in a service chain according to an embodiment of the present invention. As shown in FIG. 2, the method of this embodiment includes:

Step S110: the service chain manager receives a user identity resolution request sent by a service node, the user identity resolution request including the service chain user identity and the service node identifier of the service node;

Step S112: the service chain manager queries, according to the service chain user identity and the service node identifier, the account with which the user corresponding to the service chain user identity accesses the service node, and obtains the login credential information corresponding to the queried account;

Step S114: the service chain manager sends first identity resolution result information including the account and the login credential information to the service node, so that the service node determines, according to the received first identity resolution result information, that the user corresponding to the service chain user identity is authenticated.

In this embodiment, after the service chain manager receives a request for user identity resolution from a service node, it performs the user identity resolution and then sends the resolution result to the corresponding service node, and the service node determines whether the user passes identity verification. Compared with the prior art, the user need not take part in the identity verification procedure, which simplifies the procedure.

FIG. 3 is a schematic flowchart of a further embodiment of a user identity resolution method in a service chain according to an embodiment of the present invention. As shown in FIG. 3, the method of this embodiment includes step S121: a user terminal sends a service chain invocation request including a service chain user identity to a service node, so that the service node sends a user identity resolution request including the service chain user identity and the service node identifier of the service node to the service chain manager and determines, according to first identity resolution result information received from the service chain manager, that the user corresponding to the service chain user identity is authenticated, the first identity resolution result information including the account and login credential information with which the user accesses the service node.
FIG. 4 is a schematic flowchart of another embodiment of a user identity verification method in a service chain according to an embodiment of the present invention. As shown in FIG. 4, the method of this embodiment includes:

Step S200: a service node in the service chain receives a service chain invocation request including a service chain user identity;

Step S202: the service node sends a user identity resolution request to the service chain manager, the user identity resolution request including the service chain user identity and the service node identifier of the service node;

Step S204: the service chain manager queries, according to the received service chain user identity, the user name of the user invoking the service chain.

In a specific implementation, the service chain manager may store service chain usage information, which indicates the service chain user identity each user uses to access each service chain and each user's call state for each service chain; it comprises the correspondence between user name, service chain identifier, service chain user identity and call state. The service chain usage information may be stored in tabular form; Table 1 below is a service chain usage table that holds such information.
Table 1

[Table 1 is an image in the original; its columns are user name, service chain name, service chain user ID, ID usage status and call state, as described below.]

Here the user name uniquely distinguishes one user; the service chain name is the service chain identifier; the service chain user ID is the service chain user identity; the ID usage status characterizes the state of the service chain user ID and specifically includes a normal status indicating that the service chain user ID is usable and a suspended status indicating that it is not, the ID usage status being an optional column of the service chain usage table; and the call state indicates the user's progress in invoking a particular service chain. For example, the current call state of user User1 for service chain A is that service node S1 and service node S2 of chain A have already been invoked, S1 first and then S2. The call state may be represented as a sequence, that is, the sequence of invocations among the service nodes already invoked in the current invocation of the chain, for example in the form S1->S2. Alternatively it may be represented as a set, that is, the set of service nodes already invoked in the current invocation of the chain together with the number of times each has been invoked. Other representations of the call state may of course be used.

Thus in step S204 the service chain manager looks up the service chain usage information according to the received service chain user identity to determine the user name of the user invoking the service chain. For example, with Table 1, when the service chain user identity is Ua, the manager determines from Table 1 that the user invoking service chain A is User1.

Step S206: the service chain manager queries, according to the received service chain user identity, the user's call state for the service chain. In a specific implementation, when a user has not yet invoked a service chain, the service chain manager initializes the user's call state for that chain by setting it to empty. Therefore, when the user accesses the first service node of the chain, the query in step S206 returns an empty call state for the user and the chain, for example a "NULL" marker.
Correspondingly, in step S206 the service chain manager may further look up the service chain usage information to determine the user's call state for the service chain. For example, with Table 1, in step S206 the manager determines from Ua that the current call state of user User1 for service chain A is S1->S2.

Step S208: the service chain manager judges, according to the service node identifier, the call state and a predefined service chain calling rule, whether the invocation of the service node complies with the predefined service chain calling rule; if so, step S210 is performed; if not, step S220 is performed.

In a specific implementation, the service chain manager may store predefined service chain calling rules. A service chain calling rule indicates the calling relationship between the service nodes of a service chain and comprises a service chain identifier and a calling relationship definition, and may optionally also comprise a usage policy. The calling relationship definition indicates the calling relationship between the service nodes in the chain and may take the form of a sequence, that is, the complete invocation sequence across the service nodes of the whole chain, for example S1->S2->S3->S4. It may also take the form of a set, that is, the set of service nodes of the whole chain together with the number of times each is to be invoked. Other forms of calling relationship definition may of course be used. The usage policy consists of policies governing the use of the service chain, for example which users are allowed to use it.

The service chain calling rules may also be stored in tabular form; Table 2 below is a service chain description table that holds such rules.

Table 2

[Table 2 is an image in the original; its columns are service chain identifier, calling relationship definition and usage policy, as described above.]
Step S210: the service chain manager adds the service node to the call state.

Steps S208 and S210 are explained with reference to Tables 1 and 2. For example, while user User1 is invoking service chain A with Ua, service node S1 sends a service chain invocation request carrying Ua to service node S2. After receiving the invocation request, service node S2 sends an identity resolution request to the service chain manager, the identity resolution request including Ua and the service node identifier S2. Suppose the current call state for service chain A in Table 1 is S1. In step S208 the service chain manager knows from the call state that User1's current invocation of chain A has already completed the invocation of service node S1, knows from the received service node identifier that the node now being invoked is S2, and knows from checking the calling relationship definition in Table 2 that S2 is the node to be invoked after S1; it therefore judges that the invocation complies. In step S210 it adds service node S2 to the call state, so that the call state changes from S1 to S1->S2.
Step S212: the service chain manager queries, according to the user name determined in step S204 and the service node identifier, the account with which the user accesses the service node, and generates login credential information according to the account.

In a specific implementation, the service chain manager may store user service account information, which indicates each user's account at each service node and comprises the user name, the service node identifier and the account.

The user service account information may also be stored in tabular form; Table 3 below is a service account list that holds such information.

Table 3

[Table 3 is an image in the original; its columns are user name, service node identifier and account, as described above.]

Correspondingly, in step S212 the service chain manager may look up the user service account information to determine the user's account at the service node. For example, with Table 3, the manager determines from the user name User1 and the service node name S1 that User1's account at S1 is Id1.
Step S214: the service chain manager sends first identity resolution result information to the service node, the first identity resolution result information including the account and login credential information with which the user corresponding to the service chain user identity accesses the service node;

Step S216: when the service node receives the first identity resolution result information sent by the service chain manager, it determines that the user corresponding to the service chain user identity is authenticated, and the service node's user identity verification procedure ends;

Step S220: the service chain manager sends second identity resolution result information, indicating that user identity verification has failed, to the service node;

Step S222: when the service node receives the second identity resolution result information sent by the service chain manager, it determines that the user corresponding to the service chain user identity is not authenticated, identity verification fails, and the invocation of the service chain ends.

In this embodiment, when a service node receives an invocation request that invokes it by means of a service chain user identity, the service node requests user identity resolution from the service chain manager, and when it obtains from the service chain manager the user's account and login credentials at that service node, it determines that the user has passed identity verification. Because user identity verification is based throughout on a single service chain user identity and identity resolution is performed centrally by the service chain manager, the procedure is simpler than in the prior art. Moreover, a service node in the chain obtains from the service chain manager only the user's account and login credentials at that node, and does not learn the user's accounts and login credentials at other service nodes. This avoids linking the user's identities across different services and effectively isolates the user's multiple identity accounts. Furthermore, when the service chain manager performs identity resolution in this embodiment, it verifies whether the invocation of the service chain complies with the chain's calling rule and sends the user's account and login credentials at the corresponding service node only when the calling rule is satisfied, which guarantees the validity of service node invocations.
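The following Python simulation, added here as an illustration and not part of the patent, walks steps S204 to S222 of the FIG. 4 embodiment (and thereby the simpler FIG. 1 flow) over constructed data shaped like Tables 1 to 3; the table contents, the per-node shared secret and the HMAC-derived credential are assumptions, since the description only says the credential may be a password or a digital signature.

```python
import hmac
import hashlib
from typing import Dict, List, Optional, Tuple

# Constructed data shaped like Tables 1-3 of the description (assumption, not the patent's data).
# Table 1 (service chain usage table): chain user ID -> user name, chain name, ID status, call state
USAGE_TABLE: Dict[str, dict] = {
    "Ua": {"user": "User1", "chain": "A", "status": "normal", "state": []},
    "Ub": {"user": "User2", "chain": "A", "status": "suspended", "state": []},
}
# Table 2 (service chain description table): chain name -> calling relationship (sequence form)
CHAIN_RULES: Dict[str, List[str]] = {"A": ["S1", "S2", "S3"]}
# Table 3 (service account list): (user name, node id) -> the user's account at that node
ACCOUNT_LIST: Dict[Tuple[str, str], str] = {
    ("User1", "S1"): "Id1", ("User1", "S2"): "Id2", ("User1", "S3"): "Id3",
}
# Per-node secrets shared between the manager and each node (assumption: they let a node
# check that the credential it receives was derived for its own account).
NODE_SECRETS: Dict[str, bytes] = {"S1": b"secret-S1", "S2": b"secret-S2", "S3": b"secret-S3"}


def make_credential(node_secret: bytes, account: str) -> str:
    """Login credential bound to one account at one node (an HMAC here, as an assumption)."""
    return hmac.new(node_secret, account.encode(), hashlib.sha256).hexdigest()


class ServiceChainManager:
    def __init__(self, usage, rules, accounts, secrets):
        self.usage, self.rules, self.accounts, self.secrets = usage, rules, accounts, secrets

    def resolve(self, chain_user_id: str, node_id: str) -> dict:
        """Handle a user identity resolution request (S204-S214, or S220 on failure)."""
        entry = self.usage.get(chain_user_id)
        if entry is None or entry["status"] != "normal":
            return {"ok": False}                      # S220: unknown or suspended ID
        user, chain, state = entry["user"], entry["chain"], entry["state"]  # S204, S206
        sequence = self.rules[chain]
        # S208: the node being invoked must be the next one in the chain's calling sequence
        expected = sequence[len(state)] if len(state) < len(sequence) else None
        if node_id != expected:
            return {"ok": False}                      # S220: violates the calling rule
        state.append(node_id)                         # S210: add the node to the call state
        account = self.accounts.get((user, node_id))  # S212: account at this node only
        if account is None:
            return {"ok": False}
        return {"ok": True, "account": account,       # S214: first result information
                "credential": make_credential(self.secrets[node_id], account)}


class ServiceNode:
    def __init__(self, node_id: str, manager: ServiceChainManager, secret: bytes):
        self.node_id, self.manager, self.secret = node_id, manager, secret

    def handle_call(self, chain_user_id: str) -> Optional[str]:
        """S200-S222 from the node's side: returns the account if the user is authenticated."""
        result = self.manager.resolve(chain_user_id, self.node_id)   # S202
        if not result.get("ok") or not result.get("account") or not result.get("credential"):
            return None                                               # S222: verification failed
        # S216: accept only if the credential matches the account for this node
        expected = make_credential(self.secret, result["account"])
        if not hmac.compare_digest(expected, result["credential"]):
            return None
        return result["account"]


def build_demo() -> Tuple[ServiceChainManager, Dict[str, ServiceNode]]:
    """Fresh manager and nodes over copies of the constructed tables."""
    usage = {k: dict(v, state=[]) for k, v in USAGE_TABLE.items()}
    mgr = ServiceChainManager(usage, CHAIN_RULES, ACCOUNT_LIST, NODE_SECRETS)
    nodes = {nid: ServiceNode(nid, mgr, sec) for nid, sec in NODE_SECRETS.items()}
    return mgr, nodes


def walk_chain(order: List[str]) -> List[Optional[str]]:
    """Invoke the nodes of chain A with Ua in the given order; None marks a rejected call."""
    _, nodes = build_demo()
    return [nodes[n].handle_call("Ua") for n in order]


if __name__ == "__main__":
    print(walk_chain(["S1", "S2", "S3"]))   # in order: each node learns only its own account
    print(walk_chain(["S1", "S3", "S2"]))   # S3 invoked ahead of S2 is rejected (S220/S222)
```

Each node sees only the account the manager holds for that node, which is the account isolation the description claims; the out-of-order call shows the calling-rule check of step S208 refusing to release credentials.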
相应的, 本发明实施例提供了一种业务链通信***、 一种业务链中的业务 节点以及一种业务链管理器, 下面结合图 5至图 7对本发明实施例的装置进行 说明。  Correspondingly, the embodiment of the present invention provides a service chain communication system, a service node in a service chain, and a service chain manager. The device according to the embodiment of the present invention is described below with reference to FIG. 5 to FIG.
图 5是本发明实施例中的业务链通信***的一个实施例的架构组成示意图, 如图 5所示, 本实施例的***包括组成业务链的多个业务节点 (具体实现中, 一个业务链通信***中可包括多个业务链, 本实施例仅以一个业务链举例说明 ) 和业务链管理器, 用户客户端分别与所述业务链中的业务节点 (首节点)和所 述业务链管理器相连。 本实施例在对同一业务链的调用过程中, 用户客户端和 每个业务节点均采用同一业务链用户身份标识来调用业务链中的业务节点, 具 体的,  5 is a schematic structural diagram of an embodiment of a service chain communication system according to an embodiment of the present invention. As shown in FIG. 5, the system in this embodiment includes multiple service nodes constituting a service chain (in a specific implementation, a service chain) The communication system may include multiple service chains, which is illustrated by only one service chain) and the service chain manager, and the user client and the service node (the first node) in the service chain and the service chain management respectively. Connected. In the calling process of the same service chain, the user client and each service node use the same service chain user identity to invoke the service node in the service chain, specifically,
The service node is configured to, after receiving a service chain call request containing a service chain user identity, send a user identity resolution request to the service chain manager, the user identity resolution request including the service chain user identity and the service node identifier of the service node; and, upon receiving first identity resolution result information sent by the service chain manager, to determine that the user corresponding to the service chain user identity has passed identity verification, the first identity resolution result information including the account and login credential information with which the user corresponding to the service chain user identity accesses the service node.
Correction page (Rule 91)
The service chain manager is configured to, after receiving the user identity resolution request sent by the service node, obtain, according to the service chain user identity and the service node identifier, the account and login credential information with which the user corresponding to the service chain user identity accesses the service node, and to send first identity resolution result information to the service node.
In this embodiment the service chain user identity is used to invoke the service nodes in the service chain; the service node requests user identity resolution from the service chain manager, and when the service node obtains from the service chain manager the user's account and login credential at that service node, it determines that the user identity verification has passed. Because the same service chain user identity is used for the invocation and user identity resolution is centralized at the service chain manager, user identity verification is achieved with a simpler process than in the prior art. Moreover, a service node in the service chain only obtains from the service chain manager the user's account and login credential at that service node, and does not learn the user's accounts and login credentials at other service nodes. This avoids linking the user's identities when the user accesses different services and effectively isolates the user's multiple identity accounts.
FIG. 6 is a schematic diagram of the structure of an embodiment of the service node according to an embodiment of the present invention (for example, service node 1, service node 2 or service node 3 in FIG. 5). As shown in FIG. 6, the service node of this embodiment includes a receiving unit 40, an identity resolution request unit 42 and a verification result determining unit 44, where:
The receiving unit 40 is configured to receive a service chain call request containing a service chain user identity. In a specific implementation, a service node in the service chain may receive a service chain call request containing the service chain user identity sent by the user client (for the first node in the service chain, such as service node 1 in FIG. 5); or sent by the service chain manager (for the first node in the service chain, when the service chain manager initiates the service chain call on behalf of the user); or sent by another service node (the preceding service node in the service chain, for example service node 2 in FIG. 5 receiving the service chain call request sent by service node 1).
The identity resolution request unit 42 is configured to send a user identity resolution request to the service chain manager, the user identity resolution request including the service chain user identity and the service node identifier of the service node;
The verification result determining unit 44 is configured to, upon receiving first identity resolution result information sent by the service chain manager, determine that the user corresponding to the service chain user identity has passed identity verification, the first identity resolution result information including the account and login credential information with which the user corresponding to the service chain user identity accesses the service node.
In this embodiment the service chain user identity is used to invoke the service nodes in the service chain; the service node requests user identity resolution from the service chain manager, and when the service node obtains from the service chain manager the user's account and login credential at that service node, it determines that the user identity verification has passed. Because the same service chain user identity is used for the invocation and user identity resolution is centralized at the service chain manager, user identity verification is achieved with a simpler process than in the prior art. Moreover, a service node in the service chain only obtains from the service chain manager the user's account and login credential at that service node, and does not learn the user's accounts and login credentials at other service nodes. This avoids linking the user's identities when the user accesses different services and effectively isolates the user's multiple identity accounts.
FIG. 7 is a schematic diagram of the structure of an embodiment of the service chain manager according to an embodiment of the present invention. As shown in FIG. 7, the service chain manager of this embodiment includes a receiving unit 50, an identity resolution management unit 52 and a sending unit 54, where:
The receiving unit 50 is configured to receive a user identity resolution request sent by a service node, the user identity resolution request including the service chain user identity and the service node identifier of the service node; the identity resolution management unit 52 is configured to query, according to the service chain user identity and the service node identifier, the account with which the user corresponding to the service chain user identity accesses the service node, and, when the account is found, to obtain the login credential information corresponding to the account;
The sending unit 54 is configured to send first identity resolution result information to the service node, the first identity resolution result information including the account and login credential information with which the user corresponding to the service chain user identity accesses the service node.
Further, the identity resolution management unit 52 includes a storage unit 520, a first identity management unit 522, a second identity management unit 524 and a credential generation unit 526, where:
The storage unit 520 is configured to store service chain usage information and user service account information, where the service chain usage information indicates the service chain user identity each user uses to access each service chain and each user's call state for each service chain, and the user service account information indicates each user's account at each service node. The specific content and storage form of the service chain usage information and the user service account information in this embodiment are the same as in the method described above and are not repeated here.
The first identity management unit 522 is configured to query the service chain usage information in the storage unit 520 according to the service chain user identity received by the receiving unit 50, and to determine the user invoking the service chain;
The second identity management unit 524 is configured to query the user service account information in the storage unit 520 according to the user name of the user determined by the first identity management unit 522 and the service node identifier received by the receiving unit 50, and to determine the account with which the user accesses the service node; the credential generation unit 526 is configured to generate login credential information according to the account determined by the second identity management unit 524.
Optionally, the storage unit 520 of this embodiment is further configured to store predefined service chain calling rules, which indicate the calling relationships among the service nodes of a service chain; the specific content and storage form of the service chain calling rules in this embodiment are the same as in the method described above and are not repeated here.
The identity resolution management unit 52 further includes:
a third identity management unit 523, configured to query the service chain usage information stored in the storage unit 520 according to the service chain user identity received by the receiving unit 50 and determine the user's call state for the service chain; and to judge, according to the service node identifier received by the receiving unit 50, the call state determined by that query and the predefined service chain calling rules stored in the storage unit, whether the invocation of the service node conforms to the predefined calling rules, and, when the judgment result is yes, to add the service node to the call state;
When the judgment result of the third identity management unit 523 is yes, the second identity management unit 524 queries the user service account information in the storage unit 520 according to the user name of the user determined by the first identity management unit 522 and the service node identifier received by the receiving unit 50, and determines the account with which the user accesses the service node.
Optionally, the sending unit 54 of this embodiment is further configured to send second identity resolution result information indicating that user identity verification failed to the service node when the judgment result of the third identity management unit 523 is no. Optionally, the service chain manager of this embodiment further includes:
a service chain identity management unit 56, configured to manage service chain user identities. The service chain identity management unit 56 may include a service chain user identity creation unit for creating service chain user identities for users; in addition, the service chain identity management unit may perform management operations such as suspending, resuming and deleting created service chain user identities.
Optionally, the service chain manager of this embodiment further includes:
a call state initialization unit, configured to set the user's call state for the service chain to empty. In a specific implementation, the receiving unit 50 and the sending unit 54 of this embodiment may be integrated into a single interface module responsible for the communication between the service chain manager and other devices, receiving and sending the various request and response messages. The first identity management unit 522, the second identity management unit 524, the third identity management unit 523 and the service chain identity management unit 56 may be integrated into a single identity management module.
The embodiments of the present invention are further described below by means of a complete invocation example of a service chain. FIG. 8 is a schematic flowchart of an embodiment of a method for a user to access a service chain according to an embodiment of the present invention. This embodiment takes user User1 invoking service chain A as an example and is described in conjunction with Table 1, Table 2 and Table 3. As shown in FIG. 8, the method of this embodiment includes:
Step S600: the user logs in to the service chain manager through the user client with his user name User1 and requests one invocation of service chain A.
Step S601: the service chain manager receives the call request for service chain A through the interface module; the identity management module queries the service chain usage table by the user name User1 and the service chain name A and determines the corresponding service chain user ID to be Ua. If several service chain user IDs are found, the user decides which Ua is used for this invocation of the service chain. If the ID usage status of Ua is normal, its call state is set to NULL, indicating that User1 has initialized an invocation of service chain A with service chain user ID Ua, and User1 is then notified that the invocation of service chain A can be executed. Otherwise User1 is notified that the service chain invocation cannot be executed.
Step S602: if the invocation can be executed, the client of user User1 requests to invoke service chain A with Ua; the request is sent to the first service node S1 of service chain A.
Step S603: service node S1 sends a user identity resolution request to the service chain manager; the request contains the service chain user ID Ua and the service node name S1. If S1 does not know its successor service node in service chain A, it also requests its successor service node and the method of accessing it from the service chain manager.
Step S604: the service chain manager receives the request through the interface module; the identity management module queries the service chain usage table by the service chain user ID Ua and determines that the user invoking service chain A via Ua is User1.
Step S605: the identity management module queries the service chain description table to obtain the call relationship definition of service chain A, then queries the service chain usage table to judge whether Ua's call state conforms to the call relationship definition of service chain A. Since this is the initial call, Ua's call state for service chain A in the service chain usage table is NULL, and the service node currently requesting identity resolution is S1. For a sequence-type call relationship definition, the call conforms if S1 is the first service node in the sequence; for a set-type call relationship definition, it conforms if S1 belongs to the node set.
Step S606: if the call to S1 conforms to the call relationship definition of service chain A, the identity management module queries the service account list, learns that User1's account at S1 is Id1, and then performs step S607. If S1 does not conform to the call relationship definition, the service chain manager rejects the identity resolution request and sends S1 second identity resolution result information indicating that user identity verification failed. When second identity resolution result information is sent in step S606, steps S607, S608 and S609 below are not performed and step S610 is executed directly.
Step S607: the identity management module calls the credential generation unit to generate, for User1's account Id1 at S1, the account verification credential Auth(Id1) for logging in to S1; Auth(Id1) contains the user's account Id1 at S1 and the login credential.
Step S608: the identity management module adds S1 to Ua's call state. For the sequence mode this means recording S1 as the first called service node; for the set mode, adding S1 to the set of called service nodes.
Step S609: the interface module sends the account verification credential Auth(Id1) to S1 as the first identity resolution result. If S1 does not know its successor service node in service chain A, the first identity resolution result also specifies S1's successor service node in service chain A and the method of accessing it (for example, the node name S2 of service node 2 and the access method for invoking service node 2).
Step S610: when S1 receives Auth(Id1), it can determine that identity verification of User1's account Id1 at S1 has passed; S1 then executes its service logic normally and invokes the next service node S2 of service chain A with Ua, that is, it sends S2 a service chain call request containing Ua, and S2 becomes the newly called service node in the user's current invocation of service chain A. If S1 receives second identity resolution result information indicating verification failure, it determines that identity verification has not passed; S1 does not execute its service logic, the execution of service chain A is terminated at this point, and none of the subsequent steps are executed.
Step S611: service node S2 sends an identity resolution request to the service chain manager; the request contains the service chain user ID Ua and the service node name S2. If S2 does not know its successor service node in service chain A, it also requests its successor service node and the method of accessing it.
Step S612: the service chain manager receives the request through the interface module; likewise, the identity management module queries the service chain usage table by the service chain user ID Ua and determines that the user invoking service chain A via Ua is User1.
Step S613: the identity management module queries the service chain usage table to judge whether Ua's call state conforms to the call relationship definition of service chain A. At this point the call state shows that only S1 has been called, and the service node currently requesting identity resolution is S2. For a sequence-type call relationship definition, the call conforms if S2 is the service node following S1 in the sequence; for a set-type call relationship definition, it conforms if S2 belongs to the node set.
Step S614: if the call to S2 conforms to the call relationship definition of service chain A, the identity management module queries the service account list, learns that User1's account at S2 is Id2, and then performs step S615. If S2 does not conform to the call relationship definition, the service chain manager rejects the identity resolution request and sends S2 second identity resolution result information indicating that user identity verification failed; steps S615, S616 and S617 below are then not performed and the flow jumps directly to step S618.
Step S615: the identity management module calls the credential generation unit to generate, for User1's account Id2 at S2, the account verification credential Auth(Id2) for logging in to S2; Auth(Id2) contains the user's account Id2 at S2 and the login credential.
Step S616: the identity management module adds S2 to Ua's call state. For the sequence mode this means recording S2 as the called service node following S1; for the set mode, adding S2 to the set of called service nodes.
Step S617: the interface module sends the account verification credential Auth(Id2) to S2 as the first identity resolution result. If S2 does not know its successor service node in service chain A, the first identity resolution result also specifies S2's successor service node in service chain A and the method of accessing it.
Subsequently, when S2 receives Auth(Id2), it can determine that identity verification of User1's account Id2 at S2 has passed; S2 then executes its service logic normally and invokes the service node following S2 on service chain A with Ua, and that service node becomes the newly called service node in the user's current invocation of service chain A. If S2 receives second identity resolution result information indicating verification failure, it determines that identity verification has not passed; S2 does not execute its service logic, the execution of service chain A is terminated at this point, and none of the subsequent steps are executed.
During the user's invocation of service chain A, each service node in turn requests user identity resolution from the service chain manager, the request containing the service chain user ID Ua and the service node name. If a service node does not know its successor service node in service chain A, it also requests its successor service node and the method of accessing it, until the last service node of service chain A has been executed. The service chain manager performs a similar process each time: if the service node conforms to the call relationship definition of service chain A, it generates for user User1's account at that service node an account verification credential for logging in to the service node, and adds the service node to Ua's call state in the service chain usage table. For the sequence mode this means appending the service node to the end of the sequence of called service nodes; for the set mode, adding the service node to the set of called service nodes, or incrementing the service node's call count. In addition, if the service node does not know its successor service node in service chain A, the first identity resolution result also specifies the service node's successor in service chain A and the method of accessing it. Eventually the last service node of service chain A is reached; at this point Ua's call state in the service chain usage table is equivalent to the call relationship definition of service chain A, indicating that all service nodes of service chain A have been called, and User1's invocation of service chain A ends normally.
FIG. 9 is a schematic flowchart of an embodiment of a method by which the service chain manager creates a service chain user identity for a user. As shown in FIG. 9, the embodiment includes:
Step S700: user User logs in to the service chain manager and requests that a service chain user ID for service chain A be created for him.
Step S701: the service chain manager receives the request through the interface module. If service chain A complies with the relevant policies allowing it to be invoked by means of a service chain user ID, the identity management module can find the service chain description of service chain A in the service chain description table. If user User complies with the usage policy in the service chain description, the identity management module allocates a service chain user ID to User; alternatively, user User may himself generate a service chain user ID that meets the requirements.
Step S702: the identity management module accesses the service chain usage table and adds a record for User, registering User's user name, the name of service chain A and the service chain user ID allocated to User, and marks the ID usage status of that service chain user ID as normal.
Step S703: the interface module notifies user User of the result of the service chain user ID creation process; if creation succeeded, the generated service chain user ID is returned, otherwise User is notified that creation failed.
Correspondingly, embodiments of the present invention also provide a service chain user identity creation request method, including: a user terminal sends a service chain user identity creation request to the service chain manager, so that the service chain manager creates a service chain user identity for the user and, upon receiving a user identity resolution request sent by a service node, queries, according to the service chain user identity and the service node identifier, the account with which the user corresponding to the service chain user identity accesses the service node, obtains the login credential information corresponding to the account found, and sends the service node first identity resolution result information including the account and the login credential information; the user identity resolution request includes the service chain user identity and the service node identifier of the service node.
FIG. 10 is a schematic flowchart of an embodiment of a method by which the service chain manager deletes a service chain user identity. As shown in FIG. 10, the embodiment includes:
Step S800: user User logs in to the service chain manager and requests deletion of a service chain user ID. Step S801: the service chain manager receives the request through the interface module; the identity management module looks up the record corresponding to that service chain user ID in the service chain usage table and deletes it, after which the service chain user ID can no longer be used.
步骤 S802, 接口模块通知用户 User该次请求的处理结果。 具体实现中, 对 业务链用户 ID进行暂停、 恢复等操作与删除操作相同, 不同之处在于, 对于暂 停请求, 则设置该记录的 ID使用状态为暂停。 对于暂停状态的业务链用户 ID, 业务链管理器拒绝对它的所有身份解析请求; 对于恢复请求, 则设置该记录的 ID使用状态为正常; 而对于删除操作, 则删除业务链使用表中的这条记录, 则 该业务链用户 ID将不能被继续使用。  Step S802, the interface module notifies the user of the processing result of the request. In the specific implementation, the operations such as suspending and restoring the service chain user ID are the same as the deletion operation, except that, for the suspension request, the ID usage status of the record is set to be suspended. For the service chain user ID in the suspended state, the service chain manager rejects all identity resolution requests for it; for the recovery request, sets the ID usage status of the record to be normal; and for the delete operation, deletes the service chain usage table. For this record, the service chain user ID will not be used.
本领域普通技术人员可以理解实现上述实施例方法中的全部或部分流程, 是可以通过计算机程序来指令相关的硬件来完成, 所述的程序可存储于一计算 机可读取存储介盾中, 该程序在执行时, 可包括如上述各方法的实施例的流程。 其中, 所述的存储介 可为磁碟、 光盘、 只读存储记忆体(Read-Only Memory, ROM )或随机存储记忆体 ( Random Access Memory, RAM )等。  A person skilled in the art can understand that all or part of the process of implementing the above embodiment method can be completed by a computer program to instruct related hardware, and the program can be stored in a computer readable storage medium shield. The program, when executed, may include the flow of an embodiment of the methods as described above. The storage medium may be a magnetic disk, an optical disk, a read-only memory (ROM), or a random access memory (RAM).
以上所揭露的仅为本发明较佳实施例而已, 当然不能以此来限定本发明之 权利范围, 因此依本发明权利要求所作的等同变化, 仍属本发明所涵盖的范围。  The above is only the preferred embodiment of the present invention, and the scope of the present invention is not limited thereto, and the equivalent changes made by the claims of the present invention are still within the scope of the present invention.

Claims

1. A user identity verification method in a service chain, characterized by including:
a service node receives a service chain call request containing a service chain user identity;
the service node sends a user identity resolution request to a service chain manager, the user identity resolution request including the service chain user identity and a service node identifier of the service node;
the service node determines, according to received first identity resolution result information sent by the service chain manager, that the user corresponding to the service chain user identity has passed identity verification, the first identity resolution result information including the account and login credential information with which the user accesses the service node.
2. The method according to claim 1, characterized in that, before the service node receives the first identity resolution result information sent by the service chain manager, the method further includes:
the service chain manager queries and determines, according to the received service chain user identity, the username corresponding to the service chain user identity;
the service chain manager queries and determines, according to the service node identifier and the username determined by the query, the account with which the user accesses the service node, and generates login credential information according to the account;
the service chain manager sends to the service node first identity resolution result information carrying the account and the login credential information.
3. The method according to claim 2, characterized in that, before the service chain manager queries and determines, according to the service node identifier and the username determined by the query, the account with which the user accesses the service node, the method further includes:
the service chain manager queries, according to the received service chain user identity, the user's call state for the service chain;
judging, according to the service node identifier, the call state and a predefined service chain call rule, whether the call to the service node conforms to the predefined call rule, and when the judgment result is yes, adding the service node to the call state.
4. The method according to claim 3, characterized in that the service node is the first service node in the service chain, and before the service node receives the service chain call request containing the service chain user identity, the method further includes:
the service chain manager sets the user's call state for the service chain to empty.
5. The method according to claim 3, characterized in that, when the judgment, made according to the service node identifier, the call state and the predefined service chain call rule, of whether the call to the service node conforms to the predefined call rule yields no, the service chain manager sends to the service node second identity resolution result information indicating that user identity verification has failed.
6. The user identity verification method in a service chain according to claim 5, characterized in that, when the service node receives the second identity resolution result information, it determines that the user's identity verification has failed and ends the service chain call process.
7. The method according to claim 1, characterized in that the service node in the service chain receiving the service chain call request containing the service chain user identity includes:
the service node in the service chain receives a service chain call request containing the service chain user identity sent by a user client; or,
the service node in the service chain receives a service chain call request containing the service chain user identity sent by the service chain manager; or
the service node in the service chain receives a service chain call request containing the service chain user identity sent by another service node.
8. A user identity verification method in a service chain, characterized by including:
a service chain manager receives a user identity resolution request sent by a service node, the user identity resolution request including a service chain user identity and a service node identifier of the service node;
the service chain manager queries, according to the service chain user identity and the service node identifier, the account with which the user corresponding to the service chain user identity accesses the service node, obtains the login credential information corresponding to the queried account, and sends to the service node first identity resolution result information including the account and the login credential information, so that the service node determines, according to the received first identity resolution result information, that the user corresponding to the service chain user identity has passed identity verification.
9. The method according to claim 8, characterized in that querying, according to the service chain user identity and the service node identifier, the account with which the user corresponding to the service chain user identity accesses the service node, and obtaining the login credential information corresponding to the account, includes:
the service chain manager queries and determines, according to the received service chain user identity, the username of the user calling the service chain;
the service chain manager queries and determines, according to the service node identifier and the username determined by the query, the account with which the user accesses the service node, and generates login credential information according to the account.
10. The method according to claim 9, characterized in that, before the service chain manager queries and determines, according to the service node identifier and the username determined by the query, the account with which the user accesses the service node, the method further includes:
the service chain manager queries, according to the received service chain user identity, the user's call state for the service chain;
judging, according to the service node identifier, the call state and a predefined service chain call rule, whether the call to the service node conforms to the predefined call rule, and when the judgment result is yes, adding the service node to the call state.
11. The method according to claim 10, characterized in that the service node is the first service node in the service chain, and before receiving the user identity resolution request sent by the service node, the method further includes:
the service chain manager sets the user's call state for the service chain to empty.
12. The method according to claim 10, characterized in that, when the judgment, made according to the service node identifier, the call state and the predefined service chain call rule, of whether the call to the service node conforms to the predefined call rule yields no, the service chain manager sends to the service node second identity resolution result information indicating that user identity verification has failed.
13. The method according to claim 8, characterized in that, before receiving the user identity resolution request sent by the service node, the method further includes:
creating a service chain user identity for a user according to a service chain user identity creation request sent by the user.
14. A user identity verification method in a service chain, characterized by including:
a user terminal sends to a service node a service chain call request containing a service chain user identity, so that the service node sends to a service chain manager a user identity resolution request containing the service chain user identity and a service node identifier of the service node, and determines, according to received first identity resolution result information sent by the service chain manager, that the user corresponding to the service chain user identity has passed identity verification, the first identity resolution result information including the account and login credential information with which the user accesses the service node.
15. The method according to claim 14, characterized in that the method further includes: the user terminal sends a service chain user identity creation request to the service chain manager, so that the service chain manager creates a service chain user identity for the user and receives the user identity resolution request sent by the service node.
16. A service node in a service chain, characterized by including:
a receiving unit, configured to receive a service chain call request containing a service chain user identity and to receive identity resolution result information sent by a service chain manager;
an identity resolution request unit, configured to send a user identity resolution request to the service chain manager, the user identity resolution request including the service chain user identity and a service node identifier of the service node;
a verification result determining unit, configured to determine, when the receiving unit receives first identity resolution result information sent by the service chain manager, that the user corresponding to the service chain user identity has passed identity verification, the first identity resolution result information including the account and login credential information with which the user accesses the service node.
17. The service node in a service chain according to claim 16, characterized in that the verification result determining unit is further configured to determine, when the receiving unit receives second identity resolution result information indicating that user identity verification has failed, that the user corresponding to the service chain user identity has not passed identity verification.
18. A service chain manager, characterized by including:
a receiving unit, configured to receive a user identity resolution request sent by a service node, the user identity resolution request including a service chain user identity and a service node identifier of the service node;
an identity resolution management unit, configured to query, according to the service chain user identity and the service node identifier, the account with which the user corresponding to the service chain user identity accesses the service node, and, when the account is found, to obtain the login credential information corresponding to the account;
a sending unit, configured to send first identity resolution result information to the service node, the first identity resolution result information including the account and login credential information with which the user accesses the service node.
19. The service chain manager according to claim 18, characterized in that the identity resolution management unit includes:
a storage unit, configured to store service chain usage information and user service account information, where the service chain usage information indicates the service chain user identity each user uses when accessing each service chain and each user's call state for each service chain, and the user service account information indicates each user's account at each service node;
a first identity management unit, configured to query the service chain usage information in the storage unit according to the service chain user identity received by the receiving unit, and determine the user calling the service chain;
a second identity management unit, configured to query the user service account information in the storage unit according to the username of the user determined by the first identity management unit's query and the service node identifier received by the receiving unit, and determine the account with which the user accesses the service node;
a credential generating unit, configured to generate login credential information according to the account determined by the second identity management unit's query.
20. The service chain manager according to claim 19, characterized in that the storage unit is further configured to store a predefined service chain call rule, the service chain call rule indicating the call relationship between the service nodes in the service chain;
the identity resolution management unit further includes:
a third identity management unit, configured to query the service chain usage information stored in the storage unit according to the service chain user identity received by the receiving unit and determine the user's call state for the service chain, and to judge, according to the service node identifier received by the receiving unit, the call state determined by the query and the predefined service chain call rule stored in the storage unit, whether the call to the service node conforms to the predefined call rule, and when the judgment result is yes, add the service node to the call state;
the second identity management unit, when the judgment result of the third identity management unit is yes, queries the user service account information in the storage unit according to the username of the user determined by the first identity management unit's query and the service node identifier received by the receiving unit, and determines the account with which the user accesses the service node.
21. The service chain manager according to claim 20, characterized in that the sending unit is further configured to send to the service node second identity resolution result information indicating that user identity verification has failed when the judgment result of the third identity management unit is no.
22. The service chain manager according to claim 18, characterized by further including: a service chain user identity creation unit, configured to create a service chain user identity for a user.
23. The service chain manager according to claim 20, characterized by further including: a call state initializing unit, configured to set the user's call state for the service chain to empty.
24. A service chain communication system, characterized by including: a plurality of service nodes forming a service chain, and a service chain manager, where:
the service node is configured to, after receiving a service chain call request containing a service chain user identity, send a user identity resolution request to the service chain manager, the user identity resolution request including the service chain user identity and a service node identifier of the service node, and, when receiving first identity resolution result information sent by the service chain manager, determine that the user corresponding to the service chain user identity has passed identity verification, the first identity resolution result information including the account and login credential information with which the user accesses the service node;
the service chain manager is configured to, after receiving the user identity resolution request sent by the service node, obtain, according to the service chain user identity and the service node identifier, the account and login credential information with which the user accesses the service node, and send the first identity resolution result information to the service node.
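The resolution exchange of claims 1 to 13 and the suspend, resume and delete handling of FIG. 10, as an added Python example; this is illustration code written for this page, not code from the patent or from Huawei. The patent does not fix the call rule format, the storage layout or the shape of the login credential, so the following are assumptions: the call rule is an ordered list of service node identifiers that must be called in sequence, the service chain usage table and user service account table are in-memory dicts, and the login credential is an HMAC-SHA256 tag over account, node identifier and expiry, keyed with a secret assumed to be shared between the manager and that node, so that the service node can verify the credential was minted for it and is unexpired instead of trusting the reply blindly. The node identifiers, usernames, accounts and keys are constructed sample data.

```python
"""Added illustration of the service chain identity resolution exchange.
Not code from the patent. Rule format, tables and credential format are
assumptions made for this example."""
import hashlib
import hmac
import secrets
import time


class ServiceChainManager:
    def __init__(self, chain_rules, service_accounts, node_keys):
        self.chain_rules = chain_rules            # chain_id -> [node_id, ...] in call order (assumed)
        self.service_accounts = service_accounts  # (username, node_id) -> account at that node
        self.node_keys = node_keys                # node_id -> secret shared with that node (assumed)
        self.usage = {}                           # service chain usage table: scuid -> record

    # --- service chain user ID lifecycle (FIG. 10) ---
    def create_id(self, username, chain_id):
        scuid = secrets.token_urlsafe(16)         # unguessable, so an ID cannot be forged
        self.usage[scuid] = {"user": username, "chain": chain_id,
                             "state": "normal", "calls": []}
        return scuid

    def suspend_id(self, scuid):
        self.usage[scuid]["state"] = "suspended"  # manager now refuses all resolutions

    def resume_id(self, scuid):
        self.usage[scuid]["state"] = "normal"

    def delete_id(self, scuid):
        self.usage.pop(scuid, None)               # record gone: ID can never resolve again

    def reset_call_state(self, scuid):
        self.usage[scuid]["calls"] = []           # claims 4/11: empty before the first node

    # --- identity resolution (claims 8 to 12) ---
    def resolve(self, scuid, node_id):
        rec = self.usage.get(scuid)
        if rec is None or rec["state"] != "normal":
            return {"ok": False, "reason": "unknown, deleted or suspended ID"}
        rule = self.chain_rules.get(rec["chain"], [])
        # Assumed rule: node_id must be the next node after those already in the call state.
        if len(rec["calls"]) >= len(rule) or rule[len(rec["calls"])] != node_id:
            return {"ok": False, "reason": "call violates chain rule"}
        account = self.service_accounts.get((rec["user"], node_id))
        if account is None:
            return {"ok": False, "reason": "user has no account at node"}
        rec["calls"].append(node_id)              # node joins the call state
        return {"ok": True, "account": account,
                "credential": self._issue_credential(account, node_id)}

    def _issue_credential(self, account, node_id, ttl=60):
        exp = int(time.time()) + ttl
        msg = f"{account}|{node_id}|{exp}"
        tag = hmac.new(self.node_keys[node_id], msg.encode(), hashlib.sha256).hexdigest()
        return f"{msg}|{tag}"


class ServiceNode:
    def __init__(self, node_id, key, manager):
        self.node_id, self.key, self.manager = node_id, key, manager

    def handle_call(self, scuid):
        """Claims 1 to 6: resolve the ID, then accept the user only if the
        credential is bound to this node, unexpired and carries a valid MAC."""
        res = self.manager.resolve(scuid, self.node_id)
        if not res["ok"]:
            return False, res["reason"]           # second result: verification failed
        account, node, exp, tag = res["credential"].split("|")
        expected = hmac.new(self.key, f"{account}|{node}|{exp}".encode(),
                            hashlib.sha256).hexdigest()
        if node != self.node_id or int(exp) < time.time() \
                or not hmac.compare_digest(tag, expected):
            return False, "credential rejected by node"
        return True, account


def run_demo():
    """Constructed scenario: chain C1 = N1 then N2, user alice with an account at each."""
    keys = {"N1": b"n1-secret", "N2": b"n2-secret"}
    mgr = ServiceChainManager(
        chain_rules={"C1": ["N1", "N2"]},
        service_accounts={("alice", "N1"): "alice@n1", ("alice", "N2"): "alice@n2"},
        node_keys=keys)
    n1, n2 = ServiceNode("N1", keys["N1"], mgr), ServiceNode("N2", keys["N2"], mgr)
    out = {}
    scuid = mgr.create_id("alice", "C1")
    mgr.reset_call_state(scuid)
    out["n1"] = n1.handle_call(scuid)             # first node, in order
    out["n2"] = n2.handle_call(scuid)             # second node, in order
    out["out_of_order"] = n2.handle_call(mgr.create_id("alice", "C1"))  # N2 before N1
    rogue = ServiceNode("N1", b"wrong-key", mgr)  # node without the real shared secret
    out["bad_key"] = rogue.handle_call(mgr.create_id("alice", "C1"))
    mgr.suspend_id(scuid)
    mgr.reset_call_state(scuid)
    out["suspended"] = n1.handle_call(scuid)
    mgr.resume_id(scuid)
    mgr.delete_id(scuid)
    out["deleted"] = n1.handle_call(scuid)
    return out


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(name, result)
```

The two refusals worth noticing are the chain-rule check and the node-side MAC check. The first is the manager's judgment from claims 3 and 10: a node that is asked to resolve an ID before its predecessors in the chain have been called receives the second (failure) result, so a misrouted or compromised node cannot skip ahead in the chain. The second is not spelled out in the claims but follows from issuing the credential "according to the account": binding the credential to the node identifier and an expiry, and keying it per node, means a credential captured at one node is useless at another and a node holding the wrong key cannot accept a forged reply.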
PCT/CN2009/075961, priority date 2008-12-24, filing date 2009-12-24: Method, device and system for authenticating user identity in service chain, WO2010072158A1 (en)

Applications Claiming Priority (2)

CN 200810220345 (CN101764791B), priority date 2008-12-24, filing date 2008-12-24: User identity verification method, equipment and system in business chain
CN200810220345.2, 2008-12-24

Publications (1)

WO2010072158A1, published 2010-07-01

Family ID: 42286910

Family Applications (1)

PCT/CN2009/075961 (WO2010072158A1), priority date 2008-12-24, filing date 2009-12-24: Method, device and system for authenticating user identity in service chain

Country Status (2)

CN: CN101764791B
WO: WO2010072158A1
Also Published As

CN101764791B, published 2013-08-28
CN101764791A, published 2010-06-30
Legal Events

121 EP: the EPO has been informed by WIPO that EP was designated in this application (ref document number 09834111, country EP, kind code A1)
NENP: non-entry into the national phase (ref country code DE)
122 EP: PCT application non-entry in European phase (ref document number 09834111, country EP, kind code A1)