CN112929321B - Authentication method, device and terminal equipment - Google Patents
- Publication number
- CN112929321B (CN201911237083.5A)
- Authority
- CN
- China
- Prior art keywords
- authentication
- request
- information
- data acquisition
- path
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/0884—Network architectures or network communication protocols for network security for authentication of entities by delegation of authentication, e.g. a proxy authenticates an entity to be authenticated on behalf of this entity vis-à-vis an authentication entity
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L67/00—Network arrangements or protocols for supporting network services or applications
- H04L67/01—Protocols
- H04L67/10—Protocols in which an application is distributed across nodes in the network
- H04L67/1097—Protocols in which an application is distributed across nodes in the network for distributed storage of data in networks, e.g. transport arrangements for network file system [NFS], storage area networks [SAN] or network attached storage [NAS]
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L67/00—Network arrangements or protocols for supporting network services or applications
- H04L67/50—Network services
- H04L67/56—Provisioning of proxy services
- H04L67/562—Brokering proxy services
Landscapes
- Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Hardware Design (AREA)
- Computer Security & Cryptography (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Computer And Data Communications (AREA)
Abstract
An embodiment of the present invention provides an authentication method, a device and a terminal device. The method includes: obtaining configuration parameters preconfigured for the authentication server, the configuration parameters indicating the authentication mode of the authentication server; when a data acquisition request is received, sending to the authentication server an authentication request that conforms to the authentication mode indicated by the configuration parameters; and receiving an authentication response returned by the authentication server for the authentication request, the authentication response carrying authentication information. The authentication system can be deployed without changing the underlying business logic of the terminal device, which improves the efficiency of deploying an authentication system in a CDN and reduces the labor cost of deploying it.
Description
Technical field
The present invention relates to the technical field of cloud storage, and in particular to an authentication method, device and terminal device.
Background art
A client device may send a data acquisition request to a terminal device in a CDN (Content Delivery Network) in order to obtain data from the CDN. For data security, after receiving the data request the terminal device may send an authentication request for that client to an authentication server, and the authentication server returns an authentication response to the terminal device. The authentication response carries authentication information, which indicates whether the client device has permission to obtain the requested data. The terminal device parses the authentication information to obtain an authentication result and, according to that result, decides whether to return the requested data to the client device.
Because different CDNs serve different application scenarios, their authentication servers may use different authentication modes, so the required format of the authentication request and/or the format of the returned authentication result may differ. In the related art, developers can build terminal devices with different business logic for different authentication servers, so that the terminal device can send authentication requests that meet the authentication server's requirements and correctly recognize the authentication response returned by the authentication server.
However, when there are many CDNs with different application scenarios, a corresponding terminal device has to be developed for the authentication server in each CDN, so deploying an authentication system in a CDN is inefficient and the labor cost is high.
Summary of the invention
The purpose of the embodiments of the present invention is to provide an authentication method, device and terminal device that improve the efficiency of deploying an authentication system in a CDN and reduce the labor cost of deploying it. The specific technical solution is as follows:
In a first aspect of the embodiments of the present invention, an authentication method is provided, applied to a terminal device in a content delivery network (CDN), where the CDN also includes an authentication server. The method includes:
obtaining configuration parameters preconfigured for the authentication server, where the configuration parameters indicate the authentication mode of the authentication server;
when a data acquisition request is received, sending to the authentication server an authentication request that conforms to the authentication mode indicated by the configuration parameters;
receiving an authentication response returned by the authentication server for the authentication request, where the authentication response carries authentication information.
In a possible embodiment, after receiving the authentication response returned by the authentication server for the authentication request, the method further includes:
parsing the authentication information according to the parsing conditions indicated by the configuration parameters, to obtain an authentication result indicating pass or reject.
In a possible embodiment, the configuration parameters include a response mode parameter, which indicates that the element of the authentication information used to express the authentication result is the status code and/or the information body;
parsing the authentication information according to the parsing conditions indicated by the configuration parameters, to obtain an authentication result indicating pass or reject, includes:
reading from the authentication information the element used to express the authentication result, as indicated by the response mode parameter;
if the element read satisfies the authentication rule, determining that the authentication result is pass;
if the element read does not satisfy the authentication rule, determining that the authentication result is reject.
In a possible embodiment, the configuration parameters further include a judgment rule parameter, which expresses the authentication rule.
In a possible embodiment, the configuration parameters include an authentication path parameter, which indicates one or more preset paths;
the method further includes:
when a data acquisition request is received, determining whether the path of the data requested by the data acquisition request belongs to the preset paths;
if the path of the data requested by the data acquisition request does not belong to the preset paths, terminating authentication;
sending to the authentication server an authentication request that conforms to the authentication mode includes:
if the path of the data requested by the data acquisition request belongs to the preset paths, sending to the authentication server an authentication request that conforms to the authentication mode.
In a possible embodiment, the configuration parameters include an information modification parameter, which indicates how the information in the data acquisition request is to be modified;
sending to the authentication server an authentication request that conforms to the authentication mode indicated by the configuration parameters includes:
modifying the data acquisition request in the manner indicated by the information modification parameter, to obtain the authentication request;
sending the authentication request to the authentication server.
In a possible embodiment, the method further includes:
determining whether the information body in the data acquisition request is not in a preset format;
sending the authentication request to the authentication server includes:
if the information body in the data acquisition request is not in the preset format, sending the authentication request to a middleware, so that the middleware encapsulates the information body of the authentication request in the preset format and sends the encapsulated authentication request to the authentication server.
In a second aspect of the present invention, an authentication device is provided, applied to a terminal device in a content delivery network (CDN), where the CDN also includes an authentication server. The device includes:
a parameter acquisition module, configured to obtain configuration parameters preconfigured for the authentication server, where the configuration parameters indicate the authentication mode of the authentication server;
a request module, configured to send to the authentication server, when a data acquisition request is received, an authentication request that conforms to the authentication mode indicated by the configuration parameters;
an authentication module, configured to receive an authentication response returned by the authentication server for the authentication request, where the authentication response carries authentication information.
In a possible embodiment, the device further includes a parsing module, configured to parse the authentication information according to the parsing conditions indicated by the configuration parameters, to obtain an authentication result indicating pass or reject.
In a possible embodiment, the configuration parameters include a response mode parameter, which indicates that the element of the authentication information used to express the authentication result is the status code and/or the information body;
the parsing module is specifically configured to read from the authentication information the element used to express the authentication result, as indicated by the response mode parameter;
if the element read satisfies the authentication rule, determine that the authentication result is pass;
if the element read does not satisfy the authentication rule, determine that the authentication result is reject.
In a possible embodiment, the configuration parameters further include a judgment rule parameter, which expresses the authentication rule.
In a possible embodiment, the configuration parameters include an authentication path parameter, which indicates one or more preset paths;
the request module is further configured to determine, when a data acquisition request is received, whether the path of the data requested by the data acquisition request belongs to the preset paths;
if the path of the data requested by the data acquisition request does not belong to the preset paths, terminate authentication;
the request module is specifically configured to send to the authentication server an authentication request that conforms to the authentication mode if the path of the data requested by the data acquisition request belongs to the preset paths.
In a possible embodiment, the configuration parameters include an information modification parameter, which indicates how the information in the data acquisition request is to be modified;
the request module is specifically configured to modify the data acquisition request in the manner indicated by the information modification parameter, to obtain the authentication request;
send the authentication request to the authentication server.
In a possible embodiment, the request module is further configured to determine whether the information body in the data acquisition request is not in a preset format;
the request module is specifically configured to send the authentication request to a middleware if the information body in the data acquisition request is not in the preset format, so that the middleware encapsulates the information body of the authentication request in the preset format and sends the encapsulated authentication request to the authentication server.
In a third aspect of the embodiments of the present invention, a terminal device is provided. The terminal device includes a processor, a communication interface, a memory and a communication bus, where the processor, the communication interface and the memory communicate with one another over the communication bus;
the memory is configured to store a computer program;
the processor is configured to implement the method steps of any one of the first aspect when executing the program stored in the memory.
In a fourth aspect of the embodiments of the present invention, a computer-readable storage medium is provided. The computer-readable storage medium stores a computer program, and when the computer program is executed by a processor it implements the method steps of any one of the first aspect.
With the authentication method, device and terminal device provided by the embodiments of the present invention, configuration parameters allow the terminal device to send authentication requests in the format the authentication server requires, so the authentication system can be deployed without changing the underlying business logic of the terminal device. This improves the efficiency of deploying an authentication system in a CDN and reduces the labor cost of deploying it. Of course, a product or method implementing the present invention does not necessarily need to achieve all of the advantages described above at the same time.
Brief description of the drawings
To explain the technical solutions in the embodiments of the present invention or in the prior art more clearly, the drawings needed for describing the embodiments or the prior art are briefly introduced below. Obviously, the drawings described below are only some embodiments of the present invention, and a person of ordinary skill in the art can derive other drawings from them without creative effort.
FIG. 1 is a schematic diagram of a possible application scenario of the authentication method provided by an embodiment of the present invention;
FIG. 2a is a schematic flowchart of the authentication method provided by an embodiment of the present invention;
FIG. 2b is another schematic flowchart of the authentication method provided by an embodiment of the present invention;
FIG. 3 is another schematic flowchart of the authentication method provided by an embodiment of the present invention;
FIG. 4 is a signaling interaction diagram of the authentication method provided by an embodiment of the present invention;
FIG. 5 is a schematic structural diagram of the authentication device provided by an embodiment of the present invention;
FIG. 6 is a schematic structural diagram of the terminal device provided by an embodiment of the present invention.
具体实施方式Detailed ways
下面将结合本发明实施例中的附图,对本发明实施例中的技术方案进行清楚、完整地描述,显然,所描述的实施例仅仅是本发明一部分实施例,而不是全部的实施例。基于本发明中的实施例,本领域普通技术人员在没有做出创造性劳动前提下所获得的所有其他实施例,都属于本发明保护的范围。The following will clearly and completely describe the technical solutions in the embodiments of the present invention with reference to the accompanying drawings in the embodiments of the present invention. Obviously, the described embodiments are only some, not all, embodiments of the present invention. Based on the embodiments of the present invention, all other embodiments obtained by persons of ordinary skill in the art without making creative efforts belong to the protection scope of the present invention.
为更清楚的对本发明实施例提供的鉴权方法进行说明,可以参见图1,图1所示为本发明实施例提供的鉴权方法的一种可能的应用场景示意图,包括客户端设备110、终端设备120以及鉴权服务器130。For a clearer description of the authentication method provided by the embodiment of the present invention, please refer to FIG. 1, which is a schematic diagram of a possible application scenario of the authentication method provided by the embodiment of the present invention, including a
当客户端设备110需求获取CDN中的数据时,可以向终端设备120发送数据获取请求,终端设备120在接收到数据获取请求后,根据所接收到的数据获取请求,向鉴权服务器130发送鉴权请求。鉴权服务器130根据鉴权请求,向终端设备120反馈认证信息,终端设备120解析认证信息,得到鉴权结果。如果鉴权结果为通过,则终端设备120可以确定本地是否保存有客户端设备110所请求的数据,如果本地保存有所请求的数据,则将该数据发送至客户端设备110,如果本地没有保存所请求的数据,则从CDN中该终端设备120的上级节点处获取所请求的数据,并将获取的数据发送至客户端设备110。如果鉴权结果为拒绝,则终端设备120终止本次数据获取。When the
图1所示仅为本发明实施例提供的鉴权方法的一种可能的应用场景,本发明实施例提供的鉴权方法也可以应用于其他应用场景,本实施例对此不做限制。参见图2a,图2a所示为本发明实施例提供的鉴权方法的一种流程示意图,可以包括:Figure 1 shows only one possible application scenario of the authentication method provided by the embodiment of the present invention. The authentication method provided by the embodiment of the present invention can also be applied to other application scenarios, which is not limited in this embodiment. Referring to FIG. 2a, FIG. 2a is a schematic flow diagram of an authentication method provided by an embodiment of the present invention, which may include:
S201,获取针对鉴权服务器预先配置的配置参数。S201. Obtain configuration parameters pre-configured for the authentication server.
其中,配置参数用于表示鉴权服务器的鉴权方式。可以是通过读取鉴权服务器对应的配置文件,以获取鉴权服务器对应的配置参数。根据应用场景的不同,配置参数中所包括的参数可以不同,配置参数具体所包括的参数将在后续的实施例中进行说明,在此不再赘述。Wherein, the configuration parameter is used to indicate the authentication mode of the authentication server. It may be by reading the configuration file corresponding to the authentication server to obtain the configuration parameters corresponding to the authentication server. According to different application scenarios, the parameters included in the configuration parameters may be different, and the specific parameters included in the configuration parameters will be described in subsequent embodiments, and will not be repeated here.
S202,当接收到数据获取请求时,按照配置参数所表示的鉴权方式,向鉴权服务器发送符合鉴权方式的鉴权请求。S202. When receiving the data acquisition request, according to the authentication mode indicated by the configuration parameter, send an authentication request conforming to the authentication mode to the authentication server.
由于配置参数可以表示鉴权服务器的鉴权方式,因此根据配置参数,可以得到符合鉴权服务器的鉴权方式的鉴权请求,鉴权服务器可以正确处理该鉴权请求。Since the configuration parameters can indicate the authentication mode of the authentication server, an authentication request conforming to the authentication mode of the authentication server can be obtained according to the configuration parameters, and the authentication server can correctly process the authentication request.
S203,接收鉴权服务器针对鉴权请求返回的鉴权响应,鉴权响应中携带认证信息。S203. Receive an authentication response returned by the authentication server for the authentication request, where the authentication response carries authentication information.
如前述分析,由于鉴权服务器可以正确处理该鉴权请求,因此可以获取到鉴权服务器针对鉴权请求反馈的认证信息。而认证信息可以表示鉴权结果,因此可以实现对客户端设备的鉴权。As analyzed above, since the authentication server can correctly process the authentication request, the authentication information fed back by the authentication server for the authentication request can be obtained. The authentication information can represent the authentication result, so the authentication of the client device can be realized.
选用该实施例,可以通过配置参数的方式使得终端设备能够发送鉴权服务器所需要的格式的鉴权请求,可以在无需更改终端设备底层业务逻辑的前提下,完成鉴权系统的部署,因此可以提高在CDN网络中部署鉴权系统的效率,降低部署鉴权系统的人工成本。By choosing this embodiment, the terminal device can send an authentication request in the format required by the authentication server by configuring parameters, and the deployment of the authentication system can be completed without changing the underlying business logic of the terminal device, so it can Improve the efficiency of deploying the authentication system in the CDN network and reduce the labor cost of deploying the authentication system.
在另一种可能的实施例中,如图2b所示,在S203之后还可以包括:In another possible embodiment, as shown in FIG. 2b, after S203, it may further include:
S204,按照配置参数表示的解析条件,对认证信息进行解析,得到表示通过或者拒绝的鉴权结果。S204: Analyze the authentication information according to the analysis conditions indicated by the configuration parameters, and obtain an authentication result indicating pass or reject.
认证信息可以用于表示鉴权结果,但不同鉴权服务器返回的鉴权响应中,认证信息表示鉴权结果的方式不同,示例性的,在一些应用场景中,可以是由认证信息中的状态码表示的,例如,如果认证信息中的状态码为200,则表示鉴权结果为通过,如果不为200,则表示鉴权结果为拒绝。在另一些应用场景中,也可以是由认证信息中的信息体表示的,例如,如果认证信息的信息体为false(假),则表示鉴权结果为通过,如果认证信息的信息为True(真),则表示鉴权结果为拒绝。在另一些应用场景中,还可以是由认证信息中的状态码和信息体共同表示,例如,如果认证信息中的状态码为200并且信息体为false,则表示鉴权结果为通过,如果状态码不为200或者信息体为True,则表示鉴权结果为拒绝。The authentication information can be used to represent the authentication result, but in the authentication responses returned by different authentication servers, the authentication information represents the authentication result in different ways. For example, in some application scenarios, the status in the authentication information can be For example, if the status code in the authentication information is 200, it means that the authentication result is passed; if it is not 200, it means that the authentication result is rejected. In other application scenarios, it can also be represented by the information body in the authentication information. For example, if the information body of the authentication information is false (false), it means that the authentication result is passed; if the information of the authentication information is True ( true), it means that the authentication result is rejected. In other application scenarios, it can also be represented by the status code in the authentication information and the information body. For example, if the status code in the authentication information is 200 and the information body is false, it means that the authentication result is passed. If the status If the code is not 200 or the message body is True, the authentication result is rejected.
由于配置参数可以表示鉴权服务器的鉴权方式,因此根据配置参数,可以确定鉴权服务器反馈的认证信息如何携带鉴权结果,因此根据配置参数,可以正确解析认证信息得到鉴权结果。Since the configuration parameters can indicate the authentication method of the authentication server, according to the configuration parameters, it can be determined how the authentication information fed back by the authentication server carries the authentication result, so according to the configuration parameters, the authentication information can be correctly parsed to obtain the authentication result.
选用该实施例,可以通过配置参数的方式使得终端设备能够发送鉴权服务器所需要的格式的鉴权请求,并且正确解析鉴权服务器反馈的认证信息,可以在无需更改终端设备底层业务逻辑的前提下,完成鉴权系统的部署,因此可以提高在CDN网络中部署鉴权系统的效率,降低部署鉴权系统的人工成本。By choosing this embodiment, the terminal device can send the authentication request in the format required by the authentication server by configuring parameters, and correctly parse the authentication information fed back by the authentication server, without changing the underlying business logic of the terminal device. Next, the deployment of the authentication system is completed, so the efficiency of deploying the authentication system in the CDN network can be improved, and the labor cost of deploying the authentication system can be reduced.
下面将分别对配置参数中可能包括的参数进行说明,根据应用场景的不同,配置参数中可以包括后续描述的多个参数中的部分(一个或多个)参数或所有参数,也可以包括后续描述的多个参数以外的其他参数。The parameters that may be included in the configuration parameters will be described separately below. According to different application scenarios, the configuration parameters may include some (one or more) parameters or all parameters in the multiple parameters described later, and may also include the subsequent description other than the multiple parameters of the .
在一种可能的实施例中,配置参数中可以包括响应模式参数,响应模式参数用于表示认证信息中用于表示鉴权结果的元素为状态码、和/或信息体。如前述分析,鉴权结果可以是由认证信息中的状态码表示的,也可以是由认证信息中信息体表示,还可以是由状态码和信息体共同表示的。In a possible embodiment, the configuration parameters may include a response mode parameter, and the response mode parameter is used to indicate that the element used to indicate the authentication result in the authentication information is a status code and/or an information body. As analyzed above, the authentication result can be represented by the status code in the authentication information, or by the information body in the authentication information, or by both the status code and the information body.
Therefore, to parse the authentication information correctly and obtain the authentication result, it is necessary to determine which elements of the authentication information represent the authentication result. In this embodiment, the element representing the authentication result may be read from the authentication information according to the response mode parameter, and the authentication result determined from the element read. For example, if the response mode parameter indicates that the element representing the authentication result is the status code, the status code is read from the authentication information and the authentication result is determined from it.
In a possible embodiment, the configuration parameters may further include a judgment rule parameter, which represents an authentication rule. For example, the authentication rule may be equal to 200, equal to 200 or 206, or less than 201. In this embodiment, it may be determined whether the element read satisfies the authentication rule: if it does, the authentication result is determined to be pass; if it does not, the authentication result is determined to be reject. For example, suppose the response mode parameter indicates that the element representing the authentication result is the status code, and the judgment rule parameter indicates that the authentication rule is equal to 200. If the status code read is 200, the rule is satisfied and the authentication result is pass; if the status code read is 198, the rule is not satisfied and the authentication result is reject.
The judgment rule parameter may include a relation sub-parameter and a value sub-parameter. The relation sub-parameter represents a relation, for example any one of the following eight operators: greater than, less than, equal to, not equal to, greater than or equal to, less than or equal to, matches, does not match. The value sub-parameter represents one or more values. The preset rule represented by the judgment rule parameter is whether the element read and the values represented by the value sub-parameter satisfy the relation represented by the relation sub-parameter. For example, if the relation sub-parameter represents equal to and the value sub-parameter represents 200 and 206, the authentication rule is equal to 200 or 206.
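The rule check described above can be sketched as follows; this is an added example, not code from the patent. The relation names (eq, ne, gt, ...), the dictionary layout, the reading of "matches" as a full regular-expression match, the any-value semantics for several values, and rejecting whenever the element is missing or malformed are assumptions of this example.

```python
import operator
import re

# Hypothetical spellings for the eight relations listed above; the page
# names the relations but defines no concrete syntax for them.
ORDERING = {"gt": operator.gt, "lt": operator.lt,
            "ge": operator.ge, "le": operator.le}


def read_element(auth_info, response_mode):
    """Read the element that carries the result: 'status' or 'body'."""
    if response_mode not in ("status", "body"):
        raise ValueError("unknown response mode: %r" % (response_mode,))
    return auth_info[response_mode]  # KeyError if the element is absent


def satisfies(element, relation, values):
    """Check the element read against the relation and value sub-parameters."""
    if element is None or not values:
        raise ValueError("nothing to compare")
    text = str(element)
    if relation in ("eq", "ne"):
        # "equal to 200 or 206": any listed value is enough for eq,
        # so ne holds only when the element differs from all of them.
        hit = any(text == str(v) for v in values)
        return hit if relation == "eq" else not hit
    if relation in ("match", "not_match"):
        # Assumption: "matches" means a full regular-expression match.
        hit = any(re.fullmatch(str(v), text) for v in values)
        return hit if relation == "match" else not hit
    if relation in ORDERING:
        number = int(text)  # ValueError for a non-numeric element
        return any(ORDERING[relation](number, int(v)) for v in values)
    raise ValueError("unknown relation: %r" % (relation,))


def decide(auth_info, config):
    """Return 'pass' or 'reject'; any parsing problem rejects (fail closed)."""
    try:
        element = read_element(auth_info, config["response_mode"])
        rule = config["rule"]
        ok = satisfies(element, rule["relation"], rule["values"])
    except (KeyError, TypeError, ValueError, re.error):
        return "reject"
    return "pass" if ok else "reject"


# Constructed sample configuration: status code must equal 200 or 206.
SAMPLE_RULE = {"response_mode": "status",
               "rule": {"relation": "eq", "values": [200, 206]}}

if __name__ == "__main__":
    for status in (200, 206, 198):
        print(status, decide({"status": status, "body": ""}, SAMPLE_RULE))
```

Rejecting on a missing element or an unknown relation keeps a misconfigured rule or a truncated authentication response from being read as a pass.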
In a possible embodiment, the configuration parameters may include an authentication path parameter, which represents one or more preset paths. The authentication path parameter may represent one or more paths as a string, for example "/urltoken/auth"; it may represent one or more paths as a variable, for example indicating that the preset path is to be obtained from the variable token; or it may represent one or more paths as a combination of strings and variables. This embodiment places no limitation on this.
This embodiment may be as shown in FIG. 3, which is another schematic flowchart of the authentication method provided by an embodiment of the present invention, and may include:
S301. Obtain the configuration parameters preconfigured for the authentication server.
This step is the same as S201; see the foregoing description of S201, which is not repeated here.
S302. When a data acquisition request is received, determine whether the path of the data requested by the data acquisition request belongs to the preset paths. If it does, execute S303; if it does not, execute S306.
The path of the requested data belongs to the preset paths when at least one preset path is the same as the path of the requested data.
S303. According to the authentication mode represented by the configuration parameters, send to the authentication server an authentication request conforming to that authentication mode.
It can be understood that if the requested data belongs to a preset path, the data requested by the client device can be obtained only after authentication succeeds, so an authentication request needs to be sent to the authentication server.
S304. Receive the authentication response returned by the authentication server for the authentication request.
This step is the same as S203; see the foregoing description of S203, which is not repeated here.
S305. Parse the authentication information according to the parsing mode represented by the configuration parameters to obtain the authentication result.
This step is the same as S204; see the foregoing description of S204, which is not repeated here.
S306. Terminate authentication.
It can be understood that if the requested data does not belong to a preset path, the data requested by the client device can be obtained without authentication, so no authentication request needs to be sent to the authentication server and authentication can be terminated.
In a possible embodiment, the configuration parameters may include an information modification parameter, which represents how the information in the data acquisition request is to be modified. In this embodiment, the data acquisition request may be modified in the manner represented by the information modification parameter to obtain the authentication request.
The modification may apply to the request parameters of the data acquisition request, to its request headers, or to both. When the request parameters are modified, any one of the following four modification modes may be used: ignore, retain, delete, add. Ignore means ignoring all request parameters, that is, the authentication request contains no request parameters. Retain means retaining the specified request parameters, that is, the authentication request contains the specified request parameters. Delete means deleting the specified request parameters, that is, the authentication request contains all request parameters except the specified ones. Add means adding request parameters beyond the original ones, that is, the authentication request contains request parameters other than the original request parameters. The modification of the request headers may be the addition of custom request headers. If the information modification parameter in the configuration parameters is empty, the information in the data acquisition request may be left unmodified, so that the resulting authentication request retains all the information in the data acquisition request (that is, transparent transmission).
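The path check of S302 and the four parameter modification modes can be combined as in the following added example, which is not code from the patent. The configuration keys, the auth_endpoint URL, the header name and the sample request are constructed for illustration. The example also makes two hardening assumptions that the page does not state: the requested path is decoded and normalised before it is compared with the preset paths (assuming the origin resolves paths the same way), and a parameter added by the edge replaces any client-supplied parameter of the same name.

```python
import posixpath
from urllib.parse import parse_qsl, unquote, urlencode, urlsplit


def normalise_path(path):
    """Decode and collapse the path so equivalent spellings compare equal."""
    cleaned = posixpath.normpath("/" + unquote(path))
    return "/" + cleaned.lstrip("/")


def needs_auth(url, preset_paths):
    """S302: the path belongs to the preset paths if it equals at least one."""
    wanted = {normalise_path(p) for p in preset_paths}
    return normalise_path(urlsplit(url).path) in wanted


def modify_params(params, modification):
    """Apply one modification mode to a list of (name, value) pairs."""
    if not modification or "mode" not in modification:
        return list(params)  # empty parameter: transparent transmission
    mode = modification["mode"]
    names = set(modification.get("names", []))
    if mode == "ignore":
        return []
    if mode == "retain":
        return [(k, v) for k, v in params if k in names]
    if mode == "delete":
        return [(k, v) for k, v in params if k not in names]
    if mode == "add":
        extra = modification.get("extra", {})
        # Assumption: the edge's value wins over a same-named client value,
        # so the authentication server sees exactly one value per added name.
        kept = [(k, v) for k, v in params if k not in extra]
        return kept + list(extra.items())
    raise ValueError("unknown modification mode: %r" % (mode,))


def build_auth_request(request, config):
    """Return the authentication request, or None when S306 applies."""
    if not needs_auth(request["url"], config["auth_paths"]):
        return None  # S306: path not protected, terminate authentication
    modification = config.get("modify") or {}
    params = parse_qsl(urlsplit(request["url"]).query, keep_blank_values=True)
    query = urlencode(modify_params(params, modification))
    headers = dict(request.get("headers", {}))
    headers.update(modification.get("add_headers", {}))  # custom headers
    url = config["auth_endpoint"] + ("?" + query if query else "")
    return {"url": url, "headers": headers}


# Constructed sample data (hypothetical endpoint, header and parameter names).
SAMPLE_CONFIG = {
    "auth_endpoint": "https://auth.example.com/check",
    "auth_paths": ["/urltoken/auth"],
    "modify": {"mode": "retain", "names": ["token"],
               "add_headers": {"X-Edge-Node": "edge-01"}},
}
SAMPLE_REQUEST = {
    "url": "https://cdn.example.com/urltoken/auth?token=abc&debug=1",
    "headers": {"User-Agent": "demo"},
}

if __name__ == "__main__":
    print(build_auth_request(SAMPLE_REQUEST, SAMPLE_CONFIG))
```

Because a path outside the preset paths is served without authentication, the comparison in needs_auth is the security boundary; a plain string comparison on the raw path would treat "/urltoken//auth/" as unprotected.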
In some application scenarios, the authentication server may impose requirements on the format of the information body in the authentication request, for example requiring the information body to be in JSON format. If the information body in the data acquisition request is in another format, such as string format, the information body in the authentication request derived from the data acquisition request is likewise in that other format.
Based on this, in a possible embodiment, it may be determined whether the information body in the data acquisition request is not in the preset format. If it is not, the authentication request is sent to middleware, so that the middleware encapsulates the information body in the authentication request according to the preset format and sends the encapsulated authentication request to the authentication server. In this embodiment, the signaling interaction in the authentication flow may be as shown in FIG. 4, which is a signaling interaction diagram of the authentication method provided by an embodiment of the present invention, involving a client device 110, a terminal device 120, an authentication server 130 and middleware 140.
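Step 1. The client device sends a data acquisition request to the terminal device.
Step 2. The terminal device sends an authentication request to the local machine (127.0.0.1).
Step 3. The local machine sends the authentication request to an internal network device of the CDN provider and changes the request host to the domain name of the internal network device.
Step 4. The internal network device sends the authentication request to the middleware.
Step 5. After re-encapsulating the request, the middleware sends the authentication request to the authentication server and changes the request host to the address of the authentication server.
Step 6. The authentication server returns the authentication information to the middleware.
Step 7. The middleware returns the authentication information to the internal network device.
Step 8. The internal network device returns the authentication information to the local machine.
Step 9. The local machine returns the authentication information to the terminal device.
Step 10. The terminal device responds to the client device according to the authentication result carried in the authentication information.
With this embodiment, the information body can be encapsulated uniformly, avoiding authentication failures caused by an incorrectly formatted information body.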
Referring to FIG. 5, FIG. 5 is a schematic structural diagram of an authentication apparatus provided by an embodiment of the present invention. The apparatus is applied to a terminal device in a content distribution network (CDN), the CDN further including an authentication server, and the apparatus includes:
a parameter acquisition module 501, configured to obtain configuration parameters preconfigured for the authentication server, the configuration parameters representing the authentication mode of the authentication server;
a request module 502, configured to, when a data acquisition request is received, send to the authentication server an authentication request conforming to the authentication mode represented by the configuration parameters;
an authentication module 503, configured to receive the authentication response returned by the authentication server for the authentication request, the authentication response carrying authentication information.
In a possible embodiment, the configuration parameters are further used to represent the parsing mode of the authentication information;
the apparatus further includes a parsing module, configured to parse the authentication information according to the parsing conditions represented by the configuration parameters, obtaining an authentication result indicating pass or reject.
The configuration parameters include a response mode parameter, which indicates that the element of the authentication information representing the authentication result is the status code and/or the information body;
the parsing module is specifically configured to read, from the authentication information, the element representing the authentication result according to the element indicated by the response mode parameter;
if the element read satisfies the authentication rule, determine that the authentication result is pass;
if the element read does not satisfy the authentication rule, determine that the authentication result is reject.
In a possible embodiment, the configuration parameters further include a judgment rule parameter, which represents the authentication rule.
In a possible embodiment, the configuration parameters include an authentication path parameter, which represents one or more preset paths;
the request module 502 is further configured to, when a data acquisition request is received, determine whether the path of the data requested by the data acquisition request belongs to the preset paths;
if the path of the data requested by the data acquisition request does not belong to the preset paths, terminate authentication;
the request module 502 is specifically configured to, if the path of the data requested by the data acquisition request belongs to the preset paths, send to the authentication server an authentication request conforming to the authentication mode.
In a possible embodiment, the configuration parameters include an information modification parameter, which represents how the information in the data acquisition request is to be modified;
the request module 502 is specifically configured to modify the data acquisition request in the manner represented by the information modification parameter to obtain the authentication request;
and send the authentication request to the authentication server.
In a possible embodiment, the request module 502 is further configured to determine whether the information body in the data acquisition request is not in the preset format;
the request module 502 is specifically configured to, if the information body in the data acquisition request is not in the preset format, send the authentication request to middleware, so that the middleware encapsulates the information body in the authentication request according to the preset format and sends the encapsulated authentication request to the authentication server.
An embodiment of the present invention further provides a terminal device, as shown in FIG. 6, including a processor 601, a communication interface 602, a memory 603 and a communication bus 604, where the processor 601, the communication interface 602 and the memory 603 communicate with one another through the communication bus 604;
the memory 603 is configured to store a computer program;
the processor 601 is configured to implement the following steps when executing the program stored in the memory 603:
obtaining configuration parameters preconfigured for the authentication server, the configuration parameters representing the authentication mode of the authentication server;
when a data acquisition request is received, sending to the authentication server an authentication request conforming to the authentication mode represented by the configuration parameters;
receiving the authentication response returned by the authentication server for the authentication request, the authentication response carrying authentication information.
It can be understood that the above terminal device may be an edge device.
In a possible embodiment, after receiving the authentication response returned by the authentication server for the authentication request, the method further includes:
parsing the authentication information according to the parsing conditions represented by the configuration parameters, obtaining an authentication result indicating pass or reject.
In a possible embodiment, the configuration parameters include a response mode parameter, which indicates that the element of the authentication information representing the authentication result is the status code and/or the information body;
parsing the authentication information according to the parsing conditions represented by the configuration parameters, obtaining an authentication result indicating pass or reject, includes:
reading, from the authentication information, the element representing the authentication result according to the element indicated by the response mode parameter;
if the element read satisfies the authentication rule, determining that the authentication result is pass;
if the element read does not satisfy the authentication rule, determining that the authentication result is reject.
In a possible embodiment, the configuration parameters further include a judgment rule parameter, which represents the authentication rule.
In a possible embodiment, the configuration parameters include an authentication path parameter, which represents one or more preset paths;
the method further includes:
when a data acquisition request is received, determining whether the path of the data requested by the data acquisition request belongs to the preset paths;
if the path of the data requested by the data acquisition request does not belong to the preset paths, terminating authentication;
sending to the authentication server an authentication request conforming to the authentication mode includes:
if the path of the data requested by the data acquisition request belongs to the preset paths, sending to the authentication server an authentication request conforming to the authentication mode.
In a possible embodiment, the configuration parameters include an information modification parameter, which represents how the information in the data acquisition request is to be modified;
sending to the authentication server, according to the authentication mode represented by the configuration parameters, an authentication request conforming to the authentication mode includes:
modifying the data acquisition request in the manner represented by the information modification parameter to obtain the authentication request;
sending the authentication request to the authentication server.
In a possible embodiment, the method further includes:
determining whether the information body in the data acquisition request is not in the preset format;
sending the authentication request to the authentication server includes:
if the information body in the data acquisition request is not in the preset format, sending the authentication request to middleware, so that the middleware encapsulates the information body in the authentication request according to the preset format and sends the encapsulated authentication request to the authentication server.
The communication bus mentioned for the above terminal device may be a Peripheral Component Interconnect (PCI) bus, an Extended Industry Standard Architecture (EISA) bus, or the like. The communication bus may be divided into an address bus, a data bus, a control bus, and so on. For ease of representation, only one thick line is used in the figure, but this does not mean that there is only one bus or one type of bus.
The communication interface is used for communication between the above terminal device and other devices.
The memory may include random access memory (RAM) and may also include non-volatile memory (NVM), for example at least one disk memory. Optionally, the memory may also be at least one storage device located remotely from the aforementioned processor.
The above processor may be a general-purpose processor, including a central processing unit (CPU), a network processor (NP), and the like; it may also be a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, or a discrete hardware component.
In yet another embodiment provided by the present invention, a computer-readable storage medium is further provided. The computer-readable storage medium stores instructions which, when run on a computer, cause the computer to execute any of the authentication methods in the above embodiments.
In yet another embodiment provided by the present invention, a computer program product containing instructions is further provided which, when run on a computer, causes the computer to execute any of the authentication methods in the above embodiments.
The above embodiments may be implemented in whole or in part by software, hardware, firmware, or any combination thereof. When implemented in software, they may be implemented in whole or in part in the form of a computer program product. The computer program product includes one or more computer instructions. When the computer program instructions are loaded and executed on a computer, the processes or functions according to the embodiments of the present invention are generated in whole or in part. The computer may be a general-purpose computer, a special-purpose computer, a computer network, or another programmable apparatus. The computer instructions may be stored in a computer-readable storage medium or transmitted from one computer-readable storage medium to another; for example, the computer instructions may be transmitted from one website, computer, server or data center to another website, computer, server or data center by wired means (for example coaxial cable, optical fiber, digital subscriber line (DSL)) or wireless means (for example infrared, radio, microwave). The computer-readable storage medium may be any available medium that a computer can access, or a data storage device such as a server or data center that integrates one or more available media. The available medium may be a magnetic medium (for example a floppy disk, hard disk or magnetic tape), an optical medium (for example a DVD), or a semiconductor medium (for example a solid state disk (SSD)).
It should be noted that, in this document, relational terms such as first and second are used only to distinguish one entity or operation from another, and do not necessarily require or imply any actual relationship or order between those entities or operations. Moreover, the terms "include", "comprise" and any other variants thereof are intended to cover a non-exclusive inclusion, so that a process, method, article or device that includes a series of elements includes not only those elements but also other elements not expressly listed, or elements inherent to such a process, method, article or device. Without further limitation, an element defined by the phrase "including a ..." does not exclude the presence of additional identical elements in the process, method, article or device that includes the element.
The embodiments in this specification are described in a related manner; for parts that are the same or similar across embodiments, the embodiments may be referred to one another, and each embodiment focuses on its differences from the others. In particular, because the embodiments of the apparatus, terminal device, computer-readable storage medium and computer program product are substantially similar to the method embodiments, they are described relatively briefly; for the relevant parts, see the description of the method embodiments.
The above are only preferred embodiments of the present invention and are not intended to limit its scope of protection. Any modification, equivalent replacement or improvement made within the spirit and principles of the present invention falls within the scope of protection of the present invention.
Claims (9)
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201911237083.5A CN112929321B (en) | 2019-12-05 | 2019-12-05 | Authentication method, device and terminal equipment |
Publications (2)
Publication Number | Publication Date |
---|---|
CN112929321A CN112929321A (en) | 2021-06-08 |
CN112929321B true CN112929321B (en) | 2023-02-03 |
Family
ID=76162360
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201911237083.5A Active CN112929321B (en) | 2019-12-05 | 2019-12-05 | Authentication method, device and terminal equipment |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN112929321B (en) |
Families Citing this family (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN119233255A (en) * | 2023-06-30 | 2024-12-31 | 中兴通讯股份有限公司 | Authentication method, data configuration method, electronic device, and storage medium |
CN118200013B (en) * | 2024-04-11 | 2025-02-25 | 北京优特捷信息技术有限公司 | Application access method, device, equipment and storage medium based on multiple authentication modes |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN1642083A (en) * | 2004-09-23 | 2005-07-20 | 华为技术有限公司 | Network side authority-discrimination-mode selecting method |
CN1835436A (en) * | 2005-03-14 | 2006-09-20 | 华为技术有限公司 | General power authentication frame and method of realizing power authentication |
CN101132279A (en) * | 2006-08-24 | 2008-02-27 | 华为技术有限公司 | An authentication method and authentication system |
CN109379344A (en) * | 2018-09-27 | 2019-02-22 | 网宿科技股份有限公司 | Access request authentication method and authentication server |
Family Cites Families (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US9736271B2 (en) * | 2012-12-21 | 2017-08-15 | Akamai Technologies, Inc. | Scalable content delivery network request handling mechanism with usage-based billing |
-
2019
- 2019-12-05 CN CN201911237083.5A patent/CN112929321B/en active Active
Non-Patent Citations (1)
Title |
---|
URI Signing for CDN Interconnection (CDNI) draft-ietf-cdni-uri-signing-06; K. Leung et al.; IETF; 20151230; full text * |
Also Published As
Publication number | Publication date |
---|---|
CN112929321A (en) | 2021-06-08 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||