
CN114598481B - Authorization authentication method and device, electronic equipment and storage medium - Google Patents


Info

Publication number: CN114598481B
Authority: CN (China)
Prior art keywords: license, certificate, authorization, service, verification
Legal status: Active
Application number: CN202011301384.2A
Other languages: Chinese (zh)
Other versions: CN114598481A (en)
Inventors: 徐晶, 王晓鹏, 于富强, 黄智勇, 吕勇, 陈敬同, 周炜, 沈晓明, 赵大平, 孙前方
Current assignee: Winning Health Technology Group Co Ltd
Original assignee: Winning Health Technology Group Co Ltd
Application filed by Winning Health Technology Group Co Ltd, with priority to CN202011301384.2A
Publications: CN114598481A (application), CN114598481B (granted)

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0861 Network architectures or network communication protocols for network security for authentication of entities using biometrical features, e.g. fingerprint, retina-scan
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/02 Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/06 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
    • H04L9/0618 Block ciphers, i.e. encrypting groups of characters of a plain text message using fixed encryption transformation
    • H04L9/0625 Block ciphers, i.e. encrypting groups of characters of a plain text message using fixed encryption transformation with splitting of the data block into left and right halves, e.g. Feistel based algorithms, DES, FEAL, IDEA or KASUMI
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3263 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Health & Medical Sciences (AREA)
  • Biomedical Technology (AREA)
  • General Health & Medical Sciences (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)
  • Storage Device Security (AREA)

Abstract

The invention discloses an authorization authentication method and device, electronic equipment and a storage medium. The method comprises the following steps: when a login request sent by a target client is received, loading an authorization certificate through the encapsulated service license provider file; verifying the authorization certificate through the encapsulated expiring license provider file to obtain a verification result, thereby authenticating the authorization certificate; and if the verification result is that verification passed, generating service response information and sending it to the target client. Service is thus provided only when the authorization certificate passes verification, which improves the security of the web application programming interface service and prevents the web application programming interface from being illegally deployed on an unauthorized server.

Description

Authorization authentication method and device, electronic equipment and storage medium
Technical Field
Embodiments of the invention relate to the technical field of programming and coding, and in particular to an authorization authentication method and device, electronic equipment and a storage medium.
Background
With the development of internet technology, the hardware performance of clients and servers has improved, and the functions of applications presented in web pages are becoming richer. Web applications, from desktop client programs to mobile phone applications, are delivered over the HTTP protocol, which is stateless, so every authorization authentication request is handled on the server side. Traditional session authentication and cookie authentication work well on a single server; when the server pool is scaled out, a shared session can solve the problems of migration and replication among multiple servers, but performance drops sharply as the number of servers keeps growing. Modern web applications therefore adopt front-end/back-end separation: the server does not store the context of a user session but generates a token object by a specific algorithm, and the client presents this token to complete identity verification when requesting data.
With the development and spread of distributed applications built on the HTTP protocol, token authentication and the RESTful style, together with the upgrading of hospital information system architectures and the requirement for interconnection and interworking between systems, providing business services externally in the form of a WEBAPI (Web Application Programming Interface) is becoming the norm, for example basic HIS (Hospital Information System) services for hospital information, patient information, medical insurance information and the like. At present, the mainstream practice in the industry is to use token checks to meet the requirement of authorized service through the WEBAPI mode.
However, for the information system manufacturer, once the WEBAPI service is deployed, control over the WEBAPI is lost, and it cannot be ruled out that the WEBAPI is illegally deployed on an unauthorized server, so the security of the WEBAPI service is difficult to guarantee.
Disclosure of Invention
The invention provides an authorization authentication method and device, electronic equipment and a storage medium, which verify an authorization certificate so as to improve the security of the web application programming interface service and solve the problem of the web application programming interface being illegally deployed on an unauthorized server.
In a first aspect, an embodiment of the present invention provides an authorization authentication method, including:
when a login request sent by a target client is received, loading an authorization certificate through the encapsulated service license provider file;
verifying the authorization certificate through the encapsulated expiring license provider file to obtain a verification result; and
if the verification result is that verification passed, generating service response information and sending it to the target client.
In a second aspect, an embodiment of the present invention further provides an authorization authentication apparatus, including:
a certificate loading module for loading an authorization certificate through the encapsulated service license provider file when a login request sent by the target client is received;
a certificate verification module for verifying the authorization certificate through the encapsulated expiring license provider file to obtain a verification result; and
a response generation module for generating service response information and sending it to the target client if the verification result is that verification passed.
In a third aspect, an embodiment of the present invention further provides an electronic device, including:
one or more processors; and
a storage means for storing one or more programs,
wherein the one or more programs, when executed by the one or more processors, cause the one or more processors to implement the authorization authentication method provided by the embodiments of the present invention.
In a fourth aspect, an embodiment of the present invention further provides a computer readable storage medium on which a computer program is stored, which, when executed by a processor, implements the authorization authentication method provided by the embodiments of the present invention.
The embodiments of the invention have the following advantages or benefits:
When a login request sent by a target client is received, an authorization certificate is loaded through the encapsulated service license provider file; the authorization certificate is verified through the encapsulated expiring license provider file to obtain a verification result, thereby authenticating the certificate; and if the verification result is that verification passed, service response information is generated and sent to the target client. Service is thus provided only when the authorization certificate passes verification, which improves the security of the web application programming interface service and prevents the web application programming interface from being illegally deployed on an unauthorized server.
Drawings
In order to illustrate the technical solutions of the exemplary embodiments of the present invention more clearly, the drawings needed for describing the embodiments are briefly described below. Clearly, the drawings presented show only some of the embodiments to be described, not all of them, and a person skilled in the art can derive other drawings from them without inventive effort.
Fig. 1 is a flowchart of an authorization authentication method according to a first embodiment of the present invention;
Fig. 2 is a flowchart of an authorization authentication method according to a second embodiment of the present invention;
Fig. 3 is a flowchart of an authorization authentication method according to a second embodiment of the present invention;
Fig. 4 is a schematic diagram of an authorization authentication process according to a second embodiment of the present invention;
Fig. 5 is a schematic structural diagram of an authorization authentication device according to a third embodiment of the present invention;
Fig. 6 is a schematic structural diagram of an electronic device according to a fourth embodiment of the present invention.
Detailed Description
The invention is described in further detail below with reference to the drawings and examples. It is to be understood that the specific embodiments described here merely illustrate the invention and do not limit it. It should further be noted that, for convenience of description, only some, not all, of the structures related to the present invention are shown in the drawings.
Example 1
Fig. 1 is a flow chart of an authorization authentication method according to a first embodiment of the present invention. The method applies to the situation in which, when a target client needs to send a login request, an authorization certificate is verified and a service response is generated according to the verification result. The method may be performed by an authorization authentication device, which may be implemented in hardware and/or software, and specifically includes the following steps:
S110, when a login request sent by a target client is received, loading an authorization certificate through the encapsulated service license provider file.
The target client refers to an application program that can initiate a service request to the web application programming interface; it interacts with a target user and provides a visual user interface, so that when the target user is detected to trigger a service control on the user interface, the service request corresponding to that service is initiated to the web application programming interface. When the target client needs to initiate a service request to the web application programming interface, it generates a login request from the login information of the target user and sends it to the web application programming interface, requesting the corresponding service. The authorization certificate refers to authorization permission data for the web application programming interface which the information system manufacturer deploys in advance on the server. By way of example, the data content of the authorization certificate may contain the following fields: interface code | interface name | hospital code | authorization valid start date | authorization valid expiration date | interface valid start date | interface valid expiration date | control mode | usage validity period type. Here the interface code and interface name are the number and name of the web application programming interface; the hospital code and hospital name are the number and name of the hospital to which the server deploying the web application programming interface belongs; the authorization valid start date and authorization valid expiration date are the start and expiration dates of the authorization for the web application programming interface; the interface valid start date and interface valid expiration date are the valid start and expiration dates of the web application programming interface; the control mode is a control flag of the web application programming interface, where 0 is prompt mode and 1 indicates that use is prohibited; and the usage validity period type is the type of authorization period of the web application programming interface, such as permanent authorization, temporary authorization or in-term authorization. The content of the authorization certificate may be updated after each authorization check.
It should be noted that the web application programming interface in this embodiment refers to a WEBAPI, and in particular to a RESTful API on the .NET platform. A RESTful API represents a resource by a URI and expresses the operation on the resource by the HTTP method (GET, POST, PUT, DELETE); that is, the RESTful API requires the target client to send requests in a predefined syntax format (such as JSON), and the server only needs to define a unified response interface, without separately parsing the data format sent by each target client.
In this embodiment, the .NET framework is used for loading and verifying the authorization certificate. Specifically, the LicenseProvider object of the .NET platform component library is adopted; it is located in System.dll, in the namespace System.ComponentModel. The .NET framework authorization structure provides a class with a license caching function, such as ServerLicenseProvider.cs. The service license provider file can be formed by custom packaging in C# code; it looks up the authorization certificate of the web application programming interface in the license cache and loads the certificate data from a .lic text file, which is stored in the Licenses directory under the web application root directory.
Optionally, loading the authorization certificate through the encapsulated service license provider file includes: invoking a certificate acquisition method in the pre-created service license provider file to load the certificate, wherein the service license provider file inherits the certificate acquisition method from the license provider object.
The certificate loading method provided by the service license provider file in the .NET framework authorization structure is the GetLicense method. The license provider object refers to an object of a license provider class, which is the class in the .NET framework in which issuing and verifying an authorization certificate can be implemented, such as LicenseProvider. The certificate acquisition method is provided by the license provider class, and the service license provider file obtains it by inheriting the object of that class. Illustratively, the declaration of the method that the certificate acquisition method GetLicense invokes to load the authorization certificate is: protected virtual string GetLicenseData(Type type), which retrieves the authorization certificate data from the license stream, reading from the first line of data in the stream. GetLicense may also use other derived methods to load the authorization certificate, so as to read certificate data from other, non-stream-based license stores. In this embodiment, loading the authorization certificate by calling the certificate acquisition method in the pre-created service license provider file improves the loading speed of the authorization certificate and hence its verification speed.
S120, verifying the authorization certificate through the encapsulated expiring license provider file to obtain a verification result.
The .NET framework authorization structure also contains an expiring license provider file, that is, a class with a license verification function, such as ExpiringLicenseProvider. The expiring license provider file is derived from the service license provider file: it inherits the object of the service license provider file, obtains the authorization certificate loaded by that file, and verifies it. Specifically, the verification method may determine the verification result of the authorization certificate by judging whether the number of times the web application programming interface in the certificate has been used exceeds a specified number, noting that this usage count is incremented before each verification. The verification method may also obtain the authorization start date and authorization expiration date of the web application programming interface from the authorization certificate and determine whether the current time lies within the authorization period. The verification method may also determine whether the content of a specific field in the authorization certificate matches preset content and, if so, determine that the authorization certificate passes verification.
Before the authorization certificate is verified, LicenseProviderAttribute is used to decorate the Controller of the WEBAPI; the LicenseProviderAttribute object is located in the namespace System.ComponentModel.
Optionally, verifying the authorization certificate through the encapsulated expiring license provider file includes: calling a license validation method in the pre-created expiring license provider file to verify the certificate, wherein the expiring license provider file inherits the license validation method from the service license provider file.
The license validation method refers to the certificate verification method provided by the service license provider file in the .NET framework authorization structure, namely the ValidateLicense method, which obtains the verification result by checking the metadata of the authorization certificate. The license validation method is provided by the service license provider file, and the expiring license provider file obtains it by inheriting from that file. Illustratively, the declaration of the method that the license validation method ValidateLicense invokes to verify the certificate is: protected virtual bool ValidateLicenseData(Type type, string licenseData), which returns true when the authorization certificate data is valid, in which case the certificate passes verification. If the authorization certificate data is invalid, a license exception verification result is passed to the calling code, so that a verification failure response is generated and sent to the target client. In this embodiment, verifying the authorization certificate by calling the license validation method in the pre-created expiring license provider file improves the verification speed and the accuracy of the verification result.
Optionally, calling the license validation method in the pre-created expiring license provider file to verify the certificate includes: judging, by means of an authorization keyword, whether the certificate is a valid certificate; and calling the validity verification method of the license management component introduced in the business web interface to verify whether the certificate has exceeded its service period.
The verification of the authorization certificate by the license validation method is divided into two parts: verifying whether the authorization certificate is valid, and verifying whether it has exceeded its service period. The authorization keyword is matched one by one against the content of each field of the authorization certificate; if the authorization certificate contains the authorization keyword, the keyword matches part of the certificate content and the certificate is determined to be a valid certificate. The authorization keyword may be a specified interface code, interface name, hospital code, hospital name, or usage validity period type. For example, if the authorization keyword is specified as the interface name content, such as "CA standard interface service", the statement that determines by the authorization keyword whether the certificate is a valid certificate is as follows:
In this embodiment, the business web interface refers to the web application programming interface, and the license management component refers to the LicenseManager component of the .NET framework, located in the namespace System.ComponentModel. The validity verification method refers to the static IsValid method provided by the LicenseManager component of the .NET framework. Illustratively, the statement by which the IsValid method verifies whether the authorization certificate has exceeded its service period is LicenseManager.IsValid(typeof(UserController)), which returns the judgment result of whether the authorization certificate has exceeded its service period. Here UserController is the business controller of the WEBAPI, and before the authorization certificate is verified a decorating attribute is created in advance on the business controller, for example: [LicenseProvider(typeof(ExpiringLicenseProvider))] public class UserController : ApiController. It should be noted that whether the certificate is a valid certificate is determined by the authorization keyword. In this embodiment, dividing the verification of the authorization certificate into judging whether the certificate is valid and judging whether it has exceeded its service period realizes a two-stage verification of the authorization certificate, improves the accuracy of the verification result, prevents the web application programming interface from being illegally deployed on an unauthorized server, and ensures the service security of the web application programming interface.
Optionally, calling the validity verification method of the license management component introduced in the business web interface to verify whether the certificate has exceeded its service period includes: calling, through the validity verification method of the license management component introduced in the business web interface, the expiration verification method in the expiring license provider file, so that the expiration verification method judges whether the certificate has exceeded its service period.
The expiration verification method refers to the IsExpired method in the expiring license provider file provided by the .NET framework. The IsExpired method may use the authorization valid start date and authorization valid expiration date in the authorization certificate to determine whether the certificate has exceeded its service period, and may also use the interface valid start date and interface valid expiration date. Illustratively, the IsExpired method determines from the authorization valid start date and authorization valid expiration date whether the certificate has exceeded its service period as follows:
DateTime.Now is the current time, which may be the time at which verification starts or the time at which the login request from the target client is received; _start represents the authorization valid start date and _end the authorization valid expiration date. The condition DateTime.Now < _start || DateTime.Now > _end expresses that the current time is earlier than the authorization valid start date or later than the authorization valid expiration date; if either holds, 1 is returned, the authorization certificate has exceeded its service period, and the verification result is not passed.
In this embodiment, by calling the expiration verification method in the expiring license provider file so that it judges whether the certificate has exceeded its service period, the judgment is made on the basis of the specific information in the authorization certificate, which improves the accuracy of the verification result.
Optionally, if the expiration verification method determines that the certificate has exceeded its service period, the service period of the authorization certificate may be updated according to the usage validity period type in the certificate, and the updated certificate stored in the license cache on the server, so that when the next login request is received the updated certificate is loaded from the license cache and verified. For example, if the validity period type is temporary authorization, the authorization valid start date and authorization valid expiration date and/or the interface valid start date and interface valid expiration date in the certificate may be updated according to the period of the temporary authorization. Updating the service period of the authorization certificate provides secondary authorization for the WEBAPI and thus effectively controls the service timeliness of the WEBAPI.
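The record layout described under S110 and the two-stage check of S120 (keyword match, then the IsExpired date window), worked through as an added Python example; this is not code from the patent or from Winning Health. The sample record, the YYYY-MM-DD date format and the function names are assumptions, and the window test is also applied to the interface valid dates, which the description lists as the alternative basis for IsExpired.

```python
from dataclasses import dataclass
from datetime import datetime

DATE_FMT = "%Y-%m-%d"  # assumed date layout of the .lic text file

# Constructed sample record in the pipe-delimited layout the description
# lists: interface code | interface name | hospital code | authorization
# valid start | authorization valid expiration | interface valid start |
# interface valid expiration | control mode | usage validity period type.
# All values are hypothetical and belong to no real deployment.
SAMPLE_LICENSE = (
    "API001|CA standard interface service|H0001|2020-01-01|2025-12-31"
    "|2020-01-01|2030-12-31|0|temporary"
)


@dataclass(frozen=True)
class LicenseRecord:
    interface_code: str
    interface_name: str
    hospital_code: str
    auth_start: datetime
    auth_end: datetime
    iface_start: datetime
    iface_end: datetime
    control_mode: int   # 0 = prompt mode, 1 = use prohibited (per the description)
    validity_type: str  # permanent, temporary or in-term authorization


def _parse_date(text: str) -> datetime:
    return datetime.strptime(text.strip(), DATE_FMT)


def parse_license(text: str) -> LicenseRecord:
    """Split one license line into its nine fields and reject malformed records,
    so a truncated or edited .lic file fails closed instead of half-loading."""
    fields = text.strip().split("|")
    if len(fields) != 9:
        raise ValueError(f"expected 9 fields, got {len(fields)}")
    dates = [_parse_date(f) for f in fields[3:7]]
    if dates[0] > dates[1] or dates[2] > dates[3]:
        raise ValueError("start date lies after expiration date")
    mode = int(fields[7])
    if mode not in (0, 1):
        raise ValueError(f"unknown control mode {mode}")
    return LicenseRecord(fields[0], fields[1], fields[2],
                         dates[0], dates[1], dates[2], dates[3],
                         mode, fields[8])


def is_valid_certificate(rec: LicenseRecord, keyword: str) -> bool:
    """First stage: the authorization keyword must match one of the identifying
    fields (the description's example keyword is the interface name)."""
    return keyword in (rec.interface_code, rec.interface_name,
                       rec.hospital_code, rec.validity_type)


def is_expired(rec: LicenseRecord, now: str) -> bool:
    """Second stage, mirroring IsExpired: DateTime.Now < _start || DateTime.Now > _end
    on the authorization window, then the same test on the interface window."""
    t = _parse_date(now)
    if t < rec.auth_start or t > rec.auth_end:
        return True
    return t < rec.iface_start or t > rec.iface_end


def check_license(text: str, keyword: str, now: str) -> str:
    """The whole S120 decision for one login request: "pass" or "fail: <reason>"."""
    try:
        rec = parse_license(text)
    except ValueError as exc:
        return f"fail: malformed license ({exc})"
    if not is_valid_certificate(rec, keyword):
        return "fail: authorization keyword not found"
    if rec.control_mode == 1:
        return "fail: control mode prohibits use"
    if is_expired(rec, now):
        return "fail: certificate exceeds service period"
    return "pass"


if __name__ == "__main__":
    for when in ("2023-06-01", "2026-01-01"):
        print(when, check_license(SAMPLE_LICENSE, "CA standard interface service", when))
```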
S130, if the verification result is that verification passed, generating service response information and sending it to the target client.
After verifying the authorization certificate, the web application programming interface generates feedback information according to the verification result and sends it to the target client. If verification passed, service response information is generated as the feedback information and sent to the target client so as to provide the target client with the service corresponding to the business; if verification failed, verification failure information is generated as the feedback information and sent to the target client so as to refuse to provide that service.
According to the technical scheme, when a login request is sent by a target client, an authorization certificate is loaded through the encapsulated service license provider file; the authorization certificate is verified through the encapsulated expiring license provider file to obtain a verification result, thereby authenticating the certificate; and if the verification result is that verification passed, service response information is generated and sent to the target client. Service is thus provided only when the authorization certificate passes verification, which improves the security of the web application programming interface service and prevents the web application programming interface from being illegally deployed on an unauthorized server.
Example two
Fig. 2 is a flow chart of an authorization authentication method according to a second embodiment of the present invention. This embodiment adds, on the basis of the above embodiments, "checking the carried token in the login request sent by the target client". Explanations of terms that are the same as or correspond to those of the above embodiments are not repeated here. Referring to fig. 2, the authorization authentication method provided in this embodiment includes:
S210, when a login request sent by a target client is received, an authorization certificate is loaded based on the encapsulated service license providing file.
S220, the authorization certificate is verified based on the encapsulated invalid license providing file to obtain a verification result.
Optionally, before verifying the authorization certificate based on the encapsulated invalid license providing file, the method further includes: decrypting the authorization certificate through a symmetric encryption algorithm; accordingly, the decrypted authorization certificate is verified based on the encapsulated invalid license providing file.
It should be noted that if the authorization certificate is kept in the license cache as a plaintext file, an application developer can easily modify the data in it, so that the WEBAPI can be deployed on an unauthorized server and the information system manufacturer loses control over the WEBAPI. Encrypting the authorization certificate therefore improves its security. The authorization certificate may be encrypted with a symmetric encryption algorithm, and the encrypted authorization certificate decrypted with the same symmetric algorithm. A symmetric encryption algorithm is an encryption algorithm that uses the same key for encryption and decryption, such as DES (Data Encryption Standard), 3DES (Triple DES) or AES (Advanced Encryption Standard). Because DES encrypts and decrypts quickly, it is suited to large amounts of data, so the DES algorithm is preferred here. The .NET Framework provides the DESCryptoServiceProvider class for encrypting and decrypting the authorization certificate. The encryption key is embedded as a private field encryptionKeyBytes in the EncryptedLicenseProvider class itself, to make modifying the data of the authorization certificate more difficult.
Illustratively, the content of the encrypted authorization certificate is as follows: 6200000000000000D52AF38605AC9919BBD4861CD1525E51EEA18E838DDECD1AEBCD95F3BB0C332901A8A23794C7FD13A82E45578DFC812B44D8B5C16854EAA90662E8781CCF31D0D1ADDFE4805C62BAF428D626AFB461D72E1000CE1E2AE80F7D9F6EB5DF830E1AF66EDB7EA5DC10FAFFF17433B8397F1F; the authorization certificate obtained by decrypting it with the symmetric algorithm is: 251566|CA Standard interface service|234567|virtual first Hospital|20201001|20230930|20201001|20230930|0|2. In this embodiment the symmetric encryption algorithm is used to decrypt the authorization certificate and the decrypted certificate is then verified, so that encryption and decryption of the authorization certificate are realized, tampering with the authorization certificate is prevented, and the security of the network application program interface service is improved.
S230, if the verification result is passed, the token carried in the login request sent by the target client is checked.
The carried token is a character string generated by the server that identifies the target client's requests and is carried by the target client when it initiates a login request, that is, a token. Specifically, when the target client initiates its first login request, the server verifies the user account information in that request, generates a token when the verification passes, and returns the token to the target client; on subsequent login requests the target client carries the token and need not carry the user account information. The token may be generated based on the MAC address of the target client's device or based on the first session. If a login request from the target client carries no token, the target client is considered to be initiating a login request for the first time, or the user account information in an earlier login request failed verification, and the user account information in the current login request must be verified. Specifically, the token is checked as follows: an HS256 operation is performed over the encoded header and the encoded payload in the token to generate a signature; the generated signature is compared with the signature carried in the token, and if they are consistent, the token verification passes.
S240, if the check passes, service response information is generated and sent to the target client.
When both the authorization certificate and the token pass verification, as shown in fig. 3, the WEBAPI service information is obtained and sent to the target client as service response information; if either the authorization certificate or the token fails verification, request failure information is generated and sent to the client and the handling of the login request ends. Specifically, the interaction among the target user, the information system manufacturer, the hospital and the WEBAPI is shown in fig. 4: the information system manufacturer provides the authorization certificate for the WEBAPI, and the target user provides the token for the WEBAPI's verification process when initiating a login request. The WEBAPI is also connected to the hospital's hospital information system, so that when the authorization certificate and the token both pass verification, the WEBAPI can obtain data from the hospital information system and provide the corresponding business service to the target user. It should be understood that the order of S220 and S230 is not fixed in this embodiment, that is, the order in which the authorization certificate and the token are checked is not limited: as shown in fig. 3, the authorization certificate may be checked first and the token checked once the certificate passes; alternatively, the token may be checked first and the authorization certificate checked once the token passes.
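As an added example (not code from the patent or from Winning Health), the verification path of S210 to S240 in Python: parsing the decrypted pipe-delimited certificate shown above, the validity and expiry checks with the temporary-authorization renewal described in the first embodiment, and the HS256 check of the carried token. The DES layer and the .NET LicenseProvider classes are not reproduced; the field layout of the record, the validity-type values and the service-name match used for the validity check are assumptions of this example.

```python
import base64
import hashlib
import hmac
import json
from dataclasses import dataclass, replace
from datetime import date, datetime, timedelta

# Constructed sample of the decrypted record in the page's format (DES layer omitted).
SAMPLE_LICENSE = (
    "251566|CA Standard interface service|234567|virtual first Hospital"
    "|20201001|20230930|20201001|20230930|0|2"
)

# Assumed field layout: the page does not name the ten fields, so this mapping
# and the validity_type values are assumptions of the example.
@dataclass
class License:
    license_id: str
    service_name: str
    customer_id: str
    customer_name: str
    auth_start: date      # authorization valid start date
    auth_end: date        # authorization valid expiration date
    api_start: date       # interface valid start date
    api_end: date         # interface valid expiration date
    validity_type: str    # assumed: "0" = formal, "1" = temporary authorization
    extra: str            # meaning not given on the page; carried through opaquely

def parse_day(s: str) -> date:
    return datetime.strptime(s, "%Y%m%d").date()  # dates are yyyymmdd

def parse_license(record: str) -> License:
    parts = record.split("|")
    if len(parts) != 10:
        raise ValueError("license record must have 10 pipe-separated fields")
    return License(parts[0], parts[1], parts[2], parts[3],
                   parse_day(parts[4]), parse_day(parts[5]),
                   parse_day(parts[6]), parse_day(parts[7]),
                   parts[8], parts[9])

def is_valid_license(lic: License, expected_service: str) -> bool:
    # Validity check, assumed to mean: the record was issued for the verifying
    # service (the page's "authorization keyword" check).
    return hmac.compare_digest(lic.service_name.encode(), expected_service.encode())

def is_expired(lic: License, today: date) -> bool:
    # Expiry check over both windows: authorization period and interface period.
    return not (lic.auth_start <= today <= lic.auth_end
                and lic.api_start <= today <= lic.api_end)

def renew_temporary(lic: License, today: date, days: int) -> "License | None":
    # Secondary authorization: an expired *temporary* license gets both windows
    # moved to [today, today + days]; a formal license is never renewed here.
    if lic.validity_type != "1":
        return None
    end = today + timedelta(days=days)
    return replace(lic, auth_start=today, auth_end=end, api_start=today, api_end=end)

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def verify_token_hs256(token: str, key: bytes) -> bool:
    # Recompute HS256 over "header.payload", compare in constant time, reject non-HS256 headers.
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        carried = _b64url_decode(sig_b64)
    except ValueError:  # wrong part count, bad base64 or bad JSON
        return False
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return False
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256)
    return hmac.compare_digest(expected.digest(), carried)

def issue_token_hs256(claims: dict, key: bytes) -> str:
    # Server side: mint the token returned to the client after its first login.
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"

def handle_login(token: str, cache: dict, key: bytes, service: str,
                 today: date, temp_days: int = 30) -> "tuple[str, str]":
    # S210-S240: verify license validity and expiry (renewing a temporary one
    # and writing it back to the cache), then verify the carried token.
    lic = cache["license"]
    if not is_valid_license(lic, service):
        return ("request_failed", "license not issued for this service")
    if is_expired(lic, today):
        renewed = renew_temporary(lic, today, temp_days)
        if renewed is None or is_expired(renewed, today):
            return ("request_failed", "license expired")
        cache["license"] = renewed  # the updated certificate is what the next login loads
        lic = renewed
    if not verify_token_hs256(token, key):
        return ("request_failed", "token signature invalid")
    return ("service_response", f"WEBAPI service for {lic.customer_name}")
```

The DES encryption layer is left out because Python's standard library has no DES; AES would be the choice for that layer in a current deployment.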
According to the technical scheme of this embodiment, the authorization certificate is verified through the encapsulated invalid license providing file, the token carried in the login request sent by the target client is checked, and service response information is generated and sent to the target client only when both the authorization certificate and the carried token pass verification. This realizes a two-fold check of the authorization certificate and the token, prevents illegal deployment of the network application program interface, further improves the security of the network application program interface service, and adds a safety guarantee for users of the service.
Example III
Fig. 5 is a schematic structural diagram of an authorization authentication device according to a third embodiment of the present invention, where the embodiment is applicable to a situation where an authorization credential needs to be checked and a service response is generated according to a check result when a target client sends a login request, and the device specifically includes: a certificate loading module 510, a certificate verification module 520, and a response generation module 530.
A certificate loading module 510, configured to load an authorization certificate based on the encapsulated service license providing file when a login request sent by the target client is received;
the certificate verification module 520 is configured to verify the authorization certificate based on the encapsulated revocation license provision file, to obtain a verification result;
and the response generation module 530 is configured to generate service response information and send the service response information to the target client when the verification result is passed.
In this embodiment, when a login request sent by a target client is received, the certificate loading module loads an authorization certificate based on the encapsulated service license providing file; the certificate verification module verifies the authorization certificate based on the encapsulated invalid license providing file to obtain a verification result, thereby realizing the authentication of the authorization certificate; and when the verification result is passed, the response generation module generates service response information and sends it to the target client, so that the service is provided only when verification of the authorization certificate passes, which improves the security of the network application program interface service and prevents the network application program interface from being illegally deployed on an unauthorized server.
On the basis of the above device, optionally, the certificate loading module is specifically configured to call a certificate acquisition method in a pre-created service license providing file to load the certificate, wherein the service license providing file inherits the certificate acquisition method from a license provider object.
Optionally, the certificate verification module includes a license calling unit for calling a verification license method in a pre-created expired license providing file to verify the certificate, wherein the expired license providing file inherits the verification license method from the service license providing file.
Optionally, the license calling unit includes:
a valid verification subunit for determining whether the certificate is a valid certificate through the authorization keyword;
and the invalidation verification subunit is used for calling an aging verification method in the license management component introduced in the service webpage interface to verify whether the certificate exceeds service period aging.
Optionally, the invalidation verification subunit is specifically configured to invoke the expiration verification method in the invalidation license provision file through the aging verification method in the license management component introduced in the service web interface, so that the expiration verification method determines whether the certificate exceeds the service period for aging.
Optionally, the authorization authentication device further includes:
The certificate decryption module is used for decrypting the authorization certificate through a symmetric encryption algorithm; accordingly, the certificate verification module 520 is configured to verify the decrypted authorization certificate based on the encapsulated expired license provision file.
Optionally, the authorization authentication device further includes:
The token checking module is configured to check the token carried in the login request sent by the target client before the response generation module 530 generates service response information and sends it to the target client; accordingly, the response generation module 530 generates service response information and sends it to the target client when the carried token passes the check.
The authorization authentication device provided by the embodiment of the invention can execute the authorization authentication method provided by any embodiment of the invention, and has the corresponding functional modules and beneficial effects of the execution method.
It should be noted that, the units and modules included in the above system are only divided according to the functional logic, but not limited to the above division, so long as the corresponding functions can be implemented; in addition, the specific names of the functional units are also only for distinguishing from each other, and are not used to limit the protection scope of the embodiments of the present invention.
Example IV
Fig. 6 is a schematic structural diagram of an electronic device according to a fourth embodiment of the present invention. Fig. 6 shows a block diagram of an exemplary electronic device 60 suitable for use in implementing the embodiments of the invention. The electronic device 60 shown in fig. 6 is merely an example and should not be construed as limiting the functionality and scope of use of embodiments of the present invention.
As shown in fig. 6, the electronic device 60 is in the form of a general purpose computing device. Components of electronic device 60 may include, but are not limited to: one or more processors or processing units 601, a system memory 602, and a bus 603 that connects the different system components (including the system memory 602 and the processing units 601).
Bus 603 represents one or more of several types of bus structures, including a memory bus or memory controller, a peripheral bus, an accelerated graphics port, a processor, or a local bus using any of a variety of bus architectures. By way of example, and not limitation, such architectures include the Industry Standard Architecture (ISA) bus, Micro Channel Architecture (MCA) bus, enhanced ISA bus, Video Electronics Standards Association (VESA) local bus, and Peripheral Component Interconnect (PCI) bus.
Electronic device 60 typically includes many types of computer system readable media. Such media can be any available media that is accessible by electronic device 60 and includes both volatile and nonvolatile media, removable and non-removable media.
The system memory 602 may include computer system readable media in the form of volatile memory such as Random Access Memory (RAM) 604 and/or cache memory 605. Electronic device 60 may further include other removable/non-removable, volatile/nonvolatile computer system storage media. By way of example only, storage system 606 may be used to read from and write to non-removable, nonvolatile magnetic media (not shown in FIG. 6, commonly referred to as a "hard disk drive"). Although not shown in fig. 6, a magnetic disk drive for reading from and writing to a removable non-volatile magnetic disk (e.g., a "floppy disk"), and an optical disk drive for reading from or writing to a removable non-volatile optical disk (e.g., a CD-ROM, DVD-ROM, or other optical media) may be provided. In such cases, each drive may be coupled to bus 603 through one or more data medium interfaces. Memory 602 may include at least one program product having a set (e.g., at least one) of program modules configured to carry out the functions of embodiments of the invention.
A program/utility 608 having a set (at least one) of program modules 607 may be stored in, for example, memory 602, such program modules 607 including, but not limited to, an operating system, one or more application programs, other program modules, and program data, each or some combination of which may include an implementation of a network environment. Program modules 607 generally perform the functions and/or methods of the described embodiments of the invention.
The electronic device 60 may also communicate with one or more external devices 609 (e.g., keyboard, pointing device, display 610, etc.), one or more devices that enable a user to interact with the electronic device 60, and/or any device (e.g., network card, modem, etc.) that enables the electronic device 60 to communicate with one or more other computing devices. Such communication may occur through an input/output (I/O) interface 611. Also, the electronic device 60 may communicate with one or more networks such as a Local Area Network (LAN), a Wide Area Network (WAN), and/or a public network, such as the Internet, through a network adapter 612. As shown, the network adapter 612 communicates with other modules of the electronic device 60 over the bus 603. It should be appreciated that although not shown in fig. 6, other hardware and/or software modules may be used in connection with electronic device 60, including, but not limited to: microcode, device drivers, redundant processing units, external disk drive arrays, RAID systems, tape drives, data backup storage systems, and the like.
The processing unit 601 executes various functional applications and data processing by running programs stored in the system memory 602, for example implementing the steps of the authorization authentication method provided in this embodiment, the method including:
when a login request sent by a target client is received, loading an authorization certificate based on the encapsulated service license providing file;
Verifying the authorization certificate based on the encapsulated invalid license providing file to obtain a verification result;
And if the verification result is passed, generating service response information and sending the service response information to the target client.
Of course, it will be understood by those skilled in the art that the processor may also implement the technical solution of the authorization authentication method provided in any embodiment of the present invention.
Example five
The present embodiment provides a computer-readable storage medium having stored thereon a computer program which, when executed by a processor, implements the steps of the authorization authentication method provided by any embodiment of the present invention, the method comprising:
when a login request sent by a target client is received, loading an authorization certificate based on the encapsulated service license providing file;
Verifying the authorization certificate based on the encapsulated invalid license providing file to obtain a verification result;
And if the verification result is passed, generating service response information and sending the service response information to the target client.
The computer storage media of embodiments of the invention may take the form of any combination of one or more computer-readable media. The computer readable medium may be a computer readable signal medium or a computer readable storage medium. The computer readable storage medium can be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or a combination of any of the foregoing. More specific examples (a non-exhaustive list) of the computer-readable storage medium would include the following: an electrical connection having one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In this document, a computer readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device.
The computer readable signal medium may include a propagated data signal with computer readable program code embodied therein, either in baseband or as part of a carrier wave. Such a propagated data signal may take any of a variety of forms, including, but not limited to, electro-magnetic, optical, or any suitable combination of the foregoing. A computer readable signal medium may also be any computer readable medium that is not a computer readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device.
Program code embodied on a computer readable medium may be transmitted using any appropriate medium, including but not limited to wireless, wireline, optical fiber cable, RF, etc., or any suitable combination of the foregoing.
Computer program code for carrying out operations for embodiments of the present invention may be written in one or more programming languages, including an object oriented programming language such as Java, smalltalk, C ++ and conventional procedural programming languages, such as the "C" programming language or similar programming languages. The program code may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer or entirely on the remote computer or server. In the case of a remote computer, the remote computer may be connected to the user's computer through any kind of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or may be connected to an external computer (for example, through the Internet using an Internet service provider).
Note that the above is only a preferred embodiment of the present invention and the technical principle applied. It will be understood by those skilled in the art that the present invention is not limited to the particular embodiments described herein, but is capable of various obvious changes, rearrangements and substitutions as will now become apparent to those skilled in the art without departing from the scope of the invention. Therefore, while the invention has been described in connection with the above embodiments, the invention is not limited to the embodiments, but may be embodied in many other equivalent forms without departing from the spirit or scope of the invention, which is set forth in the following claims.

Claims (6)

1. An authorization authentication method, comprising:
when receiving a login request sent by a target client, loading an authorization certificate based on the encapsulated service license providing file;
verifying the authorization certificate based on the encapsulated invalid license providing file to obtain a verification result;
if the verification result is passed, generating service response information and sending the service response information to the target client;
wherein verifying the authorization certificate based on the encapsulated invalid license providing file includes:
invoking a verification license method in a pre-created invalid license providing file to verify the certificate, wherein the invalid license providing file inherits the verification license method from the service license providing file;
wherein invoking the verification license method in the pre-created invalid license providing file to verify the certificate includes:
judging whether the certificate is a valid certificate through the authorization keyword;
calling an aging verification method in a license management component introduced in a service webpage interface to verify whether the certificate exceeds service period aging;
the step of calling the aging verification method in the license management component introduced in the service webpage interface to verify whether the certificate exceeds the service period aging comprises the following steps:
calling an expiration verification method in the invalid license providing file through the aging verification method in the license management component introduced in the service webpage interface, so that the expiration verification method judges whether the certificate exceeds the service period aging;
prior to verifying the authorization certificate, a Controller of the WEBAPI is decorated with LicenseProviderAttribute, where the LicenseProviderAttribute object is located in System.dll in the namespace System.ComponentModel;
Before the generated service response information is sent to the target client, the method further comprises the following steps:
verifying the carried token in the login request sent by the target client;
if the verification passes, generating service response information and sending the service response information to the target client.
2. The method of claim 1, wherein loading the authorization certificate based on the encapsulated service license providing file comprises:
calling a certificate acquisition method in a pre-created service license providing file to load the certificate, wherein the service license providing file inherits the certificate acquisition method from a license provider object.
3. The method of claim 1, further comprising, prior to verifying the authorization certificate based on the encapsulated invalid license providing file:
decrypting the authorization certificate through a symmetric encryption algorithm;
accordingly, the decrypted authorization credential is verified based on the encapsulated revocation license provisioning file.
4. An authorization authentication device, comprising:
The certificate loading module is used for loading an authorization certificate based on the encapsulated service license providing file when receiving a login request sent by the target client;
The certificate verification module is used for verifying the authorization certificate based on the encapsulated invalid license providing file to obtain a verification result;
The response generation module is used for generating service response information and sending the service response information to the target client if the verification result is passed;
The certificate verification module includes a license call unit, wherein:
The license calling unit is used for calling a verification license method in a pre-created invalid license providing file to verify the certificate, wherein the invalid license providing file inherits the verification license method from the service license providing file;
The license calling unit comprises a valid verification subunit and an invalid verification subunit, wherein:
The valid verification subunit is used for judging whether the certificate is a valid certificate through the authorization keyword; the invalid verification subunit is used for calling an aging verification method in the license management component introduced in the service webpage interface to verify whether the certificate exceeds the service period aging;
the expiration verification subunit is specifically configured to invoke an expiration verification method in the expiration license provision file through an expiration verification method in the license management component introduced in the service web interface, so that the expiration verification method determines whether the certificate exceeds the service period for aging;
The certificate verification module is further used for decorating a Controller of the WEBAPI with LicenseProviderAttribute before verifying the authorization certificate, wherein the LicenseProviderAttribute object is located in System.dll and its namespace is System.ComponentModel;
the token checking module is used for checking the carried token in the login request sent by the target client before the response generating module generates service response information and sends the service response information to the target client;
and the response generation module is used for generating service response information and sending the service response information to the target client when the carried token is checked to be correct.
5. An electronic device, the electronic device comprising:
One or more processors;
Storage means for storing one or more programs,
The one or more programs, when executed by the one or more processors, cause the one or more processors to implement the authorization authentication method of any of claims 1-3.
6. A computer-readable storage medium, on which a computer program is stored, characterized in that the program, when executed by a processor, implements the authorization authentication method according to any one of claims 1-3.
CN202011301384.2A 2020-11-19 2020-11-19 Authorization authentication method and device, electronic equipment and storage medium Active CN114598481B (en)

Publications (2)

Publication Number Publication Date
CN114598481A CN114598481A (en) 2022-06-07
CN114598481B true CN114598481B (en) 2024-05-31

Family

ID=81802378

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202011301384.2A Active CN114598481B (en) 2020-11-19 2020-11-19 Authorization authentication method and device, electronic equipment and storage medium

Country Status (1)

Country Link
CN (1) CN114598481B (en)

Families Citing this family (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115118611B (en) * 2022-06-24 2025-03-25 中国工商银行股份有限公司 A software SDN network specification statistics method and system
CN114896621B (en) * 2022-07-15 2022-10-14 深圳竹云科技股份有限公司 Application service acquisition method, encryption method, device and computer equipment
CN116684467B (en) * 2023-08-02 2023-10-27 武汉吧哒科技股份有限公司 Data acquisition method, electronic device and storage medium
CN117574333A (en) * 2024-01-16 2024-02-20 四川精容数安科技有限公司 Verification method for License validity period of backup software
CN118473677A (en) * 2024-07-09 2024-08-09 济南浪潮数据技术有限公司 Security authentication method, device, computer equipment and storage medium

Citations (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102111410A (en) * 2011-01-13 2011-06-29 中国科学院软件研究所 Agent-based single sign on (SSO) method and system
CN107689944A (en) * 2016-08-05 2018-02-13 阿里巴巴集团控股有限公司 Identity identifying method, device and system
WO2018120913A1 (en) * 2016-12-28 2018-07-05 华为技术有限公司 Certificate acquisition method, authentication method and network device
CN109379336A (en) * 2018-09-18 2019-02-22 中汇信息技术(上海)有限公司 A kind of uniform authentication method, distributed system and computer readable storage medium
CN110213276A (en) * 2019-06-05 2019-09-06 宁波深擎信息科技有限公司 Authority checking method, server, terminal and medium under a kind of micro services framework
CN110535851A (en) * 2019-08-27 2019-12-03 浪潮云信息技术有限公司 A kind of customer certification system based on oauth2 agreement
CN111066284A (en) * 2017-10-09 2020-04-24 华为技术有限公司 Service certificate management method, terminal and server
CN111147525A (en) * 2020-02-27 2020-05-12 深圳市伊欧乐科技有限公司 Authentication method, system, server and storage medium based on API gateway
CN111428213A (en) * 2020-03-27 2020-07-17 深圳融安网络科技有限公司 Two-factor authentication apparatus, method thereof, and computer-readable storage medium
CN111769939A (en) * 2020-06-29 2020-10-13 北京海泰方圆科技股份有限公司 Business system access method and device, storage medium and electronic equipment
CN111800378A (en) * 2020-05-21 2020-10-20 视联动力信息技术股份有限公司 Login authentication method, device, system and storage medium

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20130218779A1 (en) * 2012-02-21 2013-08-22 Rawllin International Inc. Dual factor digital certificate security algorithms

Also Published As

Publication number Publication date
CN114598481A (en) 2022-06-07

Similar Documents

Publication Publication Date Title
CN114598481B (en) Authorization authentication method and device, electronic equipment and storage medium
US9871821B2 (en) Securely operating a process using user-specific and device-specific security constraints
CN101771689B (en) Method and system for enterprise network single-sign-on by a manageability engine
US9747425B2 (en) Method and system for restricting execution of virtual application to a managed process environment
EP1920354B1 (en) Remotely accessing protected files via streaming
EP2549401B1 (en) Method and System for Provision of Cryptographic Services
US8160247B2 (en) Providing local storage service to applications that run in an application execution environment
JP6286034B2 (en) Process authentication and resource permissions
US7178163B2 (en) Cross platform network authentication and authorization model
KR100996784B1 (en) One or more computer readable media storing a method, system and a plurality of instructions implemented in a computing device for storage and retrieval of data based on public key encryption.
EP3092775B1 (en) Method and system for determining whether a terminal logging into a website is a mobile terminal
KR101067399B1 (en) One or more computer readable media storing a method, system and a plurality of instructions implemented in a computing device for storage and retrieval of data based on symmetric key encryption.
CN111262889B (en) Authority authentication method, device, equipment and medium for cloud service
US20090089881A1 (en) Methods of licensing software programs and protecting them from unauthorized use
CN109981680B (en) Access control implementation method and device, computer equipment and storage medium
US9129098B2 (en) Methods of protecting software programs from unauthorized use
CN116032627A (en) Unified authentication and authorization method and device based on micro-service architecture
CN106992978B (en) Network security management method and server
JP5474091B2 (en) How to secure gadget access to your library
US7694154B2 (en) Method and apparatus for securely executing a background process
US8850602B2 (en) Method for protecting application and method for executing application using the same
EP3036674B1 (en) Proof of possession for web browser cookie based security tokens
US20240080195A1 (en) Managing composite tokens for content access requests
CN114817957A (en) Encrypted partition access control method and system based on domain management platform and computing equipment
KR20130101640A (en) Apparatus and method for drm/cas service using security context

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant