CN110839004A - Method and apparatus for access authentication - Google Patents

Abstract

The invention discloses an access authentication method and device, and relates to the technical field of computers. A specific implementation of the method includes: receiving an access request; judging whether the timestamp, the first signature, and the visitor's IP in the access request all conform to the second authentication rule; if so, pass the authentication; the second authentication rule Including: the timestamp is within a first preset time range, the first signature has not been used within a second preset time range, and the visitor IP is in the list of IPs that are allowed to access. This embodiment avoids the repeated use of signatures, optimizes the resource access process, improves the efficiency of resource access, and reduces the workload of the business system due to the adoption of technical means such as signature timeliness verification, signatures that cannot be reused, and restrictions on allowing access to IP. The pressure of malicious requests.

Description

Method and apparatus for access authentication

technical field

The present invention relates to the field of computer technology, and in particular, to a method and device for access authentication.

Background technique

In the prior art, a uniform resource locator URL (Uniform ResourceLocator) is exposed through a Cartesian gateway encapsulation for resource visitors to call. Authentication rules are authenticated by signature generation rules specified by resource visitors. The http interface provided by the server (resource provider) needs to pass token authentication, and token means token (temporary) in computer authentication.

In the process of realizing the present invention, the inventor found that there are at least the following problems in the prior art:

1. The existing signature authentication rules are provided by the customer. If the verification rules and the parameters that need to be verified are leaked, they will be easily attacked maliciously.

2. The token is repeatedly used. If the token is reused, when a malicious attack is encountered, the access request of the malicious attack will be intercepted because the signature has been used.

SUMMARY OF THE INVENTION

In view of this, the embodiments of the present invention provide an access authentication method and apparatus, which can solve the problem of being vulnerable to malicious attacks from external networks after repeated use of the signature token and parameter leakage.

In order to achieve the above purpose, according to an aspect of the embodiments of the present invention, a method for access authentication is provided, including: receiving an access request; Two authentication rules; if yes, pass the authentication; the second authentication rules include: the timestamp is within the first preset time range, the first signature has not been used within the second preset time range, the The visitor IP is in the list of allowed IPs.

Optionally, before judging whether the timestamp, the first signature, and the visitor's IP in the access request all conform to the second authentication rule, the method further includes: determining that the version number and required parameters of the access request conform to the second authentication rule. An authentication rule; the first authentication rule includes: the version number of the access request is consistent with the preset version number, and the required parameter is not missing.

Optionally, judging whether the timestamp, the first signature, and the visitor IP in the access request all meet the second authentication rule; if so, passing the authentication, including: judging the timestamp, the first signature in the access request , whether the visitor IP conforms to the second authentication rule; if so, generate a second signature according to the signature parameters in the access request, and verify whether the second signature is consistent with the first signature; if the first signature If the second signature is consistent with the first signature, the authentication is passed.

Optionally, generating a second signature according to the signature parameters in the access request, including: acquiring the signature parameters in the access request, where the signature parameters include an access token, a timestamp, a universal unique identifier, and a partial uniform resource identifier according to the key value of the signature parameter, sort and splicing the signature parameter in ascending lexicographical order to obtain a string; add a key at the end of the character string, and encode the string to which the key is added. ; Use the message digest algorithm to calculate the digest value of the encoded processing result, thereby obtaining the second signature.

In order to achieve the above object, according to another aspect of the embodiments of the present invention, there is provided an access authentication device, comprising: a receiving module for: receiving an access request; an authentication module for: judging the time in the access request Whether the stamp, the first signature, and the visitor's IP all meet the second authentication rule; if so, pass the authentication; the second authentication rule includes: the timestamp is within the first preset time range, and the first signature is within the first preset time range. It has not been used within the second preset time range, and the visitor IP is in the list of IPs that are allowed to access.

Optionally, the authentication module is further configured to: determine that the version number and required parameters of the access request conform to a first authentication rule; the first authentication rule includes: the version number of the access request and a preset version The numbers are the same, and the required parameters are not missing.

Optionally, the authentication module is further configured to: judge whether the timestamp, the first signature and the visitor IP in the access request all conform to the second authentication rule; if so, according to the signature parameter in the access request , generate a second signature, and verify whether the second signature is consistent with the first signature; if the second signature is consistent with the first signature, the authentication is passed.

Optionally, the authentication module is further configured to: obtain signature parameters in the access request, where the signature parameters include an access token, a timestamp, a universal unique identifier, and a partial uniform resource identifier; key value, sort and splicing the signature parameters in ascending lexicographical order to obtain a string; add a key at the end of the string, and encode the string with the added key; use message digest algorithm to calculate the encoding process The digest value of the result, resulting in the second signature.

To achieve the above object, according to yet another aspect of the embodiments of the present invention, an electronic device is provided, including: one or more processors; a storage device for storing one or more programs, when the one or more The program is executed by the one or more processors, so that the one or more processors implement the access authentication method provided by the embodiment of the present invention.

In order to achieve the above object, according to another aspect of the embodiments of the present invention, a computer-readable medium is provided, on which a computer program is stored, and when the program is executed by a processor, the access authentication as provided in the embodiments of the present invention is implemented. method.

An embodiment in the above invention has the following advantages or beneficial effects: because the use of technical means such as the timeliness verification of the signature, the signature cannot be reused, and the restriction of allowing access to IP, the situation of repeated use of the signature is avoided, and the resource access process is optimized, The efficiency of resource access is improved and the pressure of malicious requests of the business system is reduced.

Further effects of the above non-conventional alternatives will be described below in conjunction with specific embodiments.

Description of drawings

The accompanying drawings are used for better understanding of the present invention and do not constitute an improper limitation of the present invention. in:

1 is a schematic diagram of a basic flow of a method for access authentication according to an embodiment of the present invention;

2 is a schematic diagram of a preferred flow of a method for access authentication according to an embodiment of the present invention;

3 is a schematic diagram of a basic module of an apparatus for access authentication according to an embodiment of the present invention;

4 is an exemplary system architecture diagram to which an embodiment of the present invention may be applied;

FIG. 5 is a schematic structural diagram of a computer system suitable for implementing a terminal device or a server according to an embodiment of the present invention.

Detailed ways

Exemplary embodiments of the present invention are described below with reference to the accompanying drawings, which include various details of the embodiments of the present invention to facilitate understanding and should be considered as exemplary only. Accordingly, those of ordinary skill in the art will recognize that various changes and modifications of the embodiments described herein can be made without departing from the scope and spirit of the invention. Also, descriptions of well-known functions and constructions are omitted from the following description for clarity and conciseness.

FIG. 1 is a schematic diagram of a basic flow of a method for access authentication according to an embodiment of the present invention. As shown in FIG. 1, an embodiment of the present invention provides an access authentication method, including:

Step S101. Receive an access request;

Step S102. Judge whether the timestamp, the first signature and the visitor IP in the access request all meet the second authentication rule; if so, pass the authentication;

Step S103. The second authentication rule includes: the timestamp is within the first preset time range, the first signature has not been used within the second preset time range, and the visitor IP is within the preset time range. Allow access to the IP list.

The embodiment of the present invention adopts technical means such as the timeliness verification of the signature, the non-reusable signature, and the restriction of allowing access to IP, etc., so as to avoid the repeated use of the signature, optimize the resource access process, improve the resource access efficiency, and reduce the workload of the business system. The pressure of malicious requests.

In the embodiment of the present invention, before judging whether the timestamp, the first signature, and the visitor IP in the access request all conform to the second authentication rule, the method further includes: determining the version number, required The parameter conforms to the first authentication rule; the first authentication rule includes: the version number of the access request is consistent with the preset version number, and the required parameter is not missing. Mandatory parameters refer to the parameters agreed between the resource visitor and the resource provider that must exist in the access request. The preset version number is provided by the resource provider and is used to verify whether the version number of the access request meets the requirements. The embodiment of the present invention avoids the repeated use of the signature, optimizes the resource access process, improves the resource access efficiency, and reduces the pressure of malicious requests of the business system.

In the embodiment of the present invention, it is judged whether the timestamp, the first signature, and the visitor's IP in the access request all meet the second authentication rule; Whether the first signature and the visitor's IP conform to the second authentication rule; if so, generate a second signature according to the signature parameters in the access request, and verify whether the second signature is consistent with the first signature; If the second signature is consistent with the first signature, the authentication is passed. The embodiment of the present invention avoids the repeated use of the signature, optimizes the resource access process, improves the resource access efficiency, and reduces the pressure of malicious requests of the business system.

In the embodiment of the present invention, generating the second signature according to the signature parameters in the access request includes: acquiring the signature parameters in the access request, where the signature parameters include an access token (api_key), a timestamp, and a universal unique identifier. (ie UUID random number), part of uniform resource identifier (ie part of URI); the part of URI (Uniform ResourceIdentifier) refers to the part after the version number in the URI of the access request. According to the key value of the signature parameter, sort and splicing the signature parameters in ascending lexicographic order to obtain a string; add a secret key (secret_key) at the end of the string to encode the string with the added key Processing: using the message digest algorithm to calculate the digest value of the encoding processing result, so as to obtain the second signature (it may also be: the MD5 value of the encoding processing result is the second signature). UUID random number refers to the random number generated by UUID. UUID (Universally Unique Identifier) is a standard for software construction. It also refers to the number generated on a machine. Machines are unique. MD5 Message-Digest Algorithm, a widely used cryptographic hash function, can generate a 128-bit (16-byte) hash value to ensure complete and consistent information transmission. Lexicographical order is a method of alphabetizing words based on alphabetical order. The embodiment of the present invention avoids the repeated use of the signature, optimizes the resource access process, improves the resource access efficiency, and reduces the pressure of malicious requests of the business system.

The embodiment of the present invention performs authentication from the following dimensions: a. Verification of the version number; b. Verification of the timeliness of the timestamp; c. Verification of whether the signature has been used; d. Verification of the signature; e. The legality of the remote access IP Sexual verification. FIG. 2 is a schematic diagram of a preferred flow of a method for access authentication according to an embodiment of the present invention. As shown in the figure, the resource visitor sends the digital signature (the first signature), the api_key, the universally unique identifier (UUID random number) generated during this visit, and the timestamp to the resource provider; After the visitor's access request, verify whether the version number matches, whether the required parameters are missing, whether the time stamp is valid, whether the first signature has been used within the validity period, whether the access IP is within the allowed access range, and the version of the resource visitor. The URI, api_key, generated UUID random number, timestamp and secret key (secret_key) after the number are subjected to MD5 operation to generate the second signature, and the received first signature and the parameters in the access request are generated according to the signature algorithm. The second signature information is compared, and if the results are consistent, the authentication is passed. The embodiment of the present invention optimizes the resource access process, improves the resource access efficiency and reduces the pressure of malicious requests of the business system.

The authentication management table of the resource provider is shown in Table 1, and the resource provider uses Table 1 to perform authentication management on the resource visitor.

Table 1

Enumeration type is a basic data type in some computer programming languages such as C# or C++, java, VB, etc., rather than a constructed data type. Newly cooperating projects and/or companies can add new records in this table 1 when they have authentication requirements, and then the resource provider sends the api_key and secret_key required to generate signatures to the resource visitor, as well as a list of IPs that are allowed to access.

When the resource provider connects with the resource visitor, you can configure the api_key, secret_key, allowed IP list (allow_IP) and version number into the configuration file. The interaction format between the resource provider and the resource visitor is JSON, and the parameters in the access request need to be encoded in UTF-8. The description of the request header (HTTP Header) parameters in the access request is shown in Table 2:

Table 2

The process of using the signature algorithm to generate the second signature by the authentication interface api is as follows:

1. Obtain the access token api_key, timestamp, and nonce in the HTTP Header of the access request.

2. Obtain the URI of the access request. URI (Uniform Resource Identifier) is a uniform resource identifier, which can identify and locate any resource string; for example:

https://IP:port/xxxx/api/v1/order/list, get the part of "order/list" after the version number "v1/", that is, the part of the URI is "order/list".

3. Arrange the key values of all signature parameters (including the api_key, timestamp, nonce parameters in the HTTP Header, and part of the URI) in lexicographic ascending order. For example: api_key=value1&nonce=value2&timestamp=value3&uri=order/list.

4. Add the value value4 of secret_key to the end of the spliced string. For example: api_key=value1&nonce=value2&timestamp=value3&uri=

order/list&value4, and urlencode encoding is performed to form the base string base_string, and the MD5 value of the base_string is the value of the second signature. urlencode is a function that URL-encodes a string for encoding processing. That is, the second signature Signature=MD5(urlencode(api_key=value1&nonce=value2&timestamp=value3&uri=order/list&value4)).

An embodiment of the present invention provides an access authentication device 300, including: a receiving module 301, configured to: receive an access request; an authentication module 302, configured to: determine a timestamp, a first signature, a visitor in the access request Whether the IP conforms to the second authentication rule; if yes, the authentication is passed; the second authentication rule includes: the timestamp is within the first preset time range, and the first signature is not valid within the second preset time range Used, the visitor IP is in the list of allowed access IPs. The embodiment of the present invention adopts technical means such as verifying the timeliness of the signature, the signature cannot be reused, and the restriction of allowing access to IP, etc., to avoid the repeated use of the signature, optimize the resource access process, improve the resource access efficiency, and reduce the workload of the business system. The pressure of malicious requests.

In this embodiment of the present invention, the authentication module 302 is further configured to: be further configured to: determine that the version number and required parameters of the access request conform to a first authentication rule; the first authentication rule includes: the access request The version number is the same as the default version number, and the required parameters are not missing. The embodiment of the present invention avoids the repeated use of the signature, optimizes the resource access process, improves the resource access efficiency, and reduces the pressure of malicious requests of the business system.

In this embodiment of the present invention, the authentication module 302 is further configured to: determine whether the timestamp, the first signature, and the visitor's IP in the access request all conform to the second authentication rule; The signature parameters are generated, a second signature is generated, and it is verified whether the second signature is consistent with the first signature; if the second signature is consistent with the first signature, the authentication is passed. The embodiment of the present invention avoids the repeated use of the signature, optimizes the resource access process, improves the resource access efficiency, and reduces the pressure of malicious requests of the business system.

In this embodiment of the present invention, the authentication module 302 is further configured to: acquire signature parameters in the access request, where the signature parameters include an access token, a timestamp, a universal unique identifier, and a partial uniform resource identifier; according to the The key value of the signature parameter is sorted and spliced in ascending lexicographical order to obtain a string; a key is added at the end of the string, and the string with the added key is encoded; a message digest algorithm is used The digest value of the encoding processing result is calculated, thereby obtaining the second signature. The embodiment of the present invention avoids the repeated use of the signature, optimizes the resource access process, improves the resource access efficiency, and reduces the pressure of malicious requests of the business system.

The secret key (api_key/secret_key), with secret_key as the parameter, and the appropriate signature algorithm, can obtain the digital signature of the original information, preventing the content from being forged or tampered with during the transmission process. Secrets are usually created and used in pairs, consisting of an api_key and a secret_key. The api_key will be included in the transmission, and the resource provider must keep the secret_key from being transmitted on the network to prevent it from being stolen.

FIG. 4 shows an exemplary system architecture 400 to which a method for access authentication or an apparatus for access authentication according to an embodiment of the present invention may be applied.

As shown in FIG. 4 , the system architecture 400 may include terminal devices 401 , 402 , and 403 , a network 404 and a server 405 . The network 404 is a medium used to provide a communication link between the terminal devices 401 , 402 , 403 and the server 405 . The network 404 may include various connection types, such as wired, wireless communication links, or fiber optic cables, among others.

The user can use the terminal devices 401, 402, 403 to interact with the server 405 through the network 404 to receive or send messages and the like. Various communication client applications may be installed on the terminal devices 401 , 402 and 403 , such as shopping applications, web browser applications, search applications, instant messaging tools, email clients, social platform software, and the like.

The terminal devices 401, 402, 403 may be various electronic devices having a display screen and supporting web browsing, including but not limited to smart phones, tablet computers, laptop computers, desktop computers, and the like.

The server 405 may be a server that provides various services, for example, a background management server that provides support for shopping websites browsed by the terminal devices 401 , 402 and 403 . The background management server can analyze and process the received product information query request and other data, and feed back the processing result to the terminal device.

It should be noted that the access authentication method provided in the embodiment of the present invention is generally performed by the server 405 , and accordingly, the access authentication device is generally set in the server 405 .

It should be understood that the numbers of terminal devices, networks and servers in FIG. 4 are merely illustrative. There can be any number of terminal devices, networks and servers according to implementation needs.

According to the embodiments of the present invention, the embodiments of the present invention further provide an electronic device and a computer-readable medium.

An electronic device according to an embodiment of the present invention includes: one or more processors; and a storage device for storing one or more programs, when the one or more programs are executed by the one or more processors, the one or more programs cause the One or more processors implement the access authentication method provided by the embodiments of the present invention.

The computer-readable medium of the embodiment of the present invention stores a computer program thereon, and when the program is executed by the processor, the access authentication method provided by the embodiment of the present invention is implemented.

Referring to FIG. 5 below, it shows a schematic structural diagram of a computer system 500 suitable for implementing a terminal device according to an embodiment of the present invention. The terminal device shown in FIG. 5 is only an example, and should not impose any limitations on the functions and scope of use of the embodiments of the present invention.

As shown in FIG. 5, a computer system 500 includes a central processing unit (CPU) 501 which can be loaded into a random access memory (RAM) 503 according to a program stored in a read only memory (ROM) 502 or a program from a storage section 508 Instead, various appropriate actions and processes are performed. In the RAM 503, various programs and data necessary for the operation of the system 500 are also stored. The CPU 501 , the ROM 502 , and the RAM 503 are connected to each other through a bus 504 . An input/output (I/O) interface 505 is also connected to bus 504 .

The following components are connected to the I/O interface 505: an input section 506 including a keyboard, a mouse, etc.; an output section 507 including a cathode ray tube (CRT), a liquid crystal display (LCD), etc., and a speaker, etc.; a storage section 508 including a hard disk, etc. ; and a communication section 509 including a network interface card such as a LAN card, a modem, and the like. The communication section 509 performs communication processing via a network such as the Internet. A drive 510 is also connected to the I/O interface 505 as needed. A removable medium 511, such as a magnetic disk, an optical disk, a magneto-optical disk, a semiconductor memory, etc., is mounted on the drive 510 as needed so that a computer program read therefrom is installed into the storage section 508 as needed.

In particular, the processes described above with reference to the flowcharts may be implemented as computer software programs in accordance with the disclosed embodiments of the present invention. For example, embodiments disclosed herein include a computer program product comprising a computer program carried on a computer-readable medium, the computer program containing program code for performing the method illustrated in the flowchart. In such an embodiment, the computer program may be downloaded and installed from the network via the communication portion 509 and/or installed from the removable medium 511 . When the computer program is executed by the central processing unit (CPU) 501, the above-described functions defined in the system of the present invention are performed.

It should be noted that the computer-readable medium shown in the present invention may be a computer-readable signal medium or a computer-readable storage medium, or any combination of the above two. The computer-readable storage medium can be, for example, but not limited to, an electrical, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus or device, or a combination of any of the above. More specific examples of computer readable storage media may include, but are not limited to, electrical connections with one or more wires, portable computer disks, hard disks, random access memory (RAM), read only memory (ROM), erasable Programmable read only memory (EPROM or flash memory), fiber optics, portable compact disk read only memory (CD-ROM), optical storage devices, magnetic storage devices, or any suitable combination of the foregoing. In the present invention, a computer-readable storage medium may be any tangible medium that contains or stores a program that can be used by or in conjunction with an instruction execution system, apparatus, or device. In the present invention, however, a computer-readable signal medium may include a data signal propagated in baseband or as part of a carrier wave, carrying computer-readable program code therein. Such propagated data signals may take a variety of forms, including but not limited to electromagnetic signals, optical signals, or any suitable combination of the foregoing. A computer-readable signal medium can also be any computer-readable medium other than a computer-readable storage medium that can transmit, propagate, or transport the program for use by or in connection with the instruction execution system, apparatus, or device . Program code embodied on a computer readable medium may be transmitted using any suitable medium including, but not limited to, wireless, wireline, optical fiber cable, RF, etc., or any suitable combination of the foregoing.

The flowchart and block diagrams in the Figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present invention. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code that contains one or more logical functions for implementing the specified functions executable instructions. It should also be noted that, in some alternative implementations, the functions noted in the blocks may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It is also noted that each block of the block diagrams or flowchart illustrations, and combinations of blocks in the block diagrams or flowchart illustrations, can be implemented in special purpose hardware-based systems that perform the specified functions or operations, or can be implemented using A combination of dedicated hardware and computer instructions is implemented.

The modules involved in the embodiments of the present invention may be implemented in a software manner, and may also be implemented in a hardware manner. The described module can also be set in the processor, for example, it can be described as: a processor, including: a receiving module, an authentication module, and a rule module. Wherein, the names of these modules do not constitute a limitation of the module itself under certain circumstances, for example, the receiving module may also be described as "a module for receiving access requests".

As another aspect, the present invention also provides a computer-readable medium, which may be included in the device described in the above embodiments; or may exist alone without being assembled into the device. The above-mentioned computer-readable medium carries one or more programs, and when the above-mentioned one or more programs are executed by a device, the device includes: step S101. receiving an access request; step S102. judging the time in the access request Whether the stamp, the first signature, and the visitor's IP all meet the second authentication rule; if so, pass the authentication; step S103. The second authentication rule includes: the timestamp is within the first preset time range, the first A signature has not been used within the second preset time range, and the visitor IP is in the preset list of allowed access IPs.

According to the access authentication method according to the embodiment of the present invention, it can be seen that due to the use of technical means such as the timeliness of signature verification, signature cannot be reused, and the restriction of access IP, the situation of repeated use of signature is avoided, and the resource access process is optimized. The efficiency of resource access is improved and the pressure of malicious requests of the business system is reduced.

The above-mentioned specific embodiments do not constitute a limitation on the protection scope of the present invention. It should be understood by those skilled in the art that various modifications, combinations, sub-combinations and substitutions may occur depending on design requirements and other factors. Any modifications, equivalent replacements and improvements made within the spirit and principle of the present invention shall be included within the protection scope of the present invention.

Claims (10)

1. a method for access authentication, characterized in that, comprising: receive access requests; Determine whether the timestamp, the first signature, and the visitor's IP in the access request all meet the second authentication rule; if so, pass the authentication; The second authentication rule includes: the timestamp is within the first preset time range, the first signature has not been used within the second preset time range, and the visitor IP is in the list of IPs allowed to access . 2. The method according to claim 1, wherein before judging whether the timestamp, the first signature and the visitor IP in the access request all meet the second authentication rule, the method further comprises: Determine that the version number and required parameters of the access request conform to the first authentication rule; The first authentication rule includes: the version number of the access request is consistent with the preset version number, and the required parameter is not missing. 3. method according to claim 1, is characterized in that, whether the time stamp, the first signature, visitor IP in the described access request all meet the second authentication rule; If yes, then through authentication, including: Determine whether the timestamp, the first signature, and the visitor's IP in the access request all meet the second authentication rule; if so, generate a second signature according to the signature parameters in the access request, and verify the second signature Whether it is consistent with the first signature; If the second signature is consistent with the first signature, the authentication is passed. 4. The method according to claim 3, wherein generating a second signature according to the signature parameter in the access request, comprising: Acquiring signature parameters in the access request, where the signature parameters include an access token, a timestamp, a universal unique identifier, and a partial uniform resource identifier; According to the key value of the signature parameter, sort and splicing the signature parameters in ascending lexicographical order to obtain a string; A key is added at the end of the character string, and the character string to which the key is added is encoded; The message digest algorithm is used to calculate the digest value of the encoded processing result, thereby obtaining the second signature. 5. A device for access authentication, comprising: The receiving module is used for: receiving the access request; an authentication module, used for: judging whether the timestamp, the first signature, and the visitor's IP in the access request all conform to the second authentication rule; if so, pass the authentication; A rule module, configured to: configure a second authentication rule, including that the timestamp is within a first preset time range, the first signature has not been used within a second preset time range, and the visitor IP is allowed to Accessed IP list. 6. The device according to claim 1, wherein the authentication module is further used for: Determine that the version number and required parameters of the access request conform to the first authentication rule; The first authentication rule includes: the version number of the access request is consistent with the preset version number, and the required parameter is not missing. 7. The device according to claim 1, wherein the authentication module is further used for: Determine whether the timestamp, the first signature, and the visitor's IP in the access request all meet the second authentication rule; if so, generate a second signature according to the signature parameters in the access request, and verify the second signature Whether it is consistent with the first signature; If the second signature is consistent with the first signature, the authentication is passed. 8. The device according to claim 3, wherein the authentication module is further configured to: Acquiring signature parameters in the access request, where the signature parameters include an access token, a timestamp, a universal unique identifier, and a partial uniform resource identifier; According to the key value of the signature parameter, sort and splicing the signature parameters in ascending lexicographical order to obtain a string; A key is added at the end of the character string, and the character string to which the key is added is encoded; A message digest algorithm is used to calculate the digest value of the encoded processing result, thereby obtaining the second signature. 9. An electronic device, characterized in that, comprising: one or more processors; storage means for storing one or more programs, The one or more programs, when executed by the one or more processors, cause the one or more processors to implement the method of any one of claims 1-4. 10. A computer-readable medium on which a computer program is stored, characterized in that, when the program is executed by a processor, the method according to any one of claims 1-4 is implemented.

Images