CN115550047A - Configuration-free interface authority verification method, device and system - Google Patents
- Publication number: CN115550047A
- Application number: CN202211246216.7A
- Authority: CN (China)
- Prior art keywords: random number, end system, message header, user token, http
- Legal status: Pending (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Classifications
- H04L63/0815 (H04L63/00 Network security > H04L63/08 Authentication of entities): providing single-sign-on or federations
- H04L63/0428 (H04L63/00 Network security > H04L63/04 Confidential data exchange among entities communicating through data packet networks): the data content is protected, e.g. by encrypting or encapsulating the payload
- H04L63/0807 (H04L63/00 Network security > H04L63/08 Authentication of entities): using tickets, e.g. Kerberos
- H04L67/02 (H04L67/00 Network arrangements or protocols for supporting network services or applications > H04L67/01 Protocols): protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
- H04L9/0869 (H04L9/00 Cryptographic mechanisms; network security protocols > H04L9/08 Key distribution or management > H04L9/0861 Generation of secret information including derivation or calculation of cryptographic keys or passwords): involving random numbers or seeds
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Storage Device Security (AREA)
Abstract
The present invention provides a configuration-free interface permission verification method, device and system applied to a front-end system. In response to a login operation, the front-end system retrieves an already generated HTTP header and random number; the HTTP header carries a user token returned by the back-end system, and the back-end system has stored the user token and the random number in correspondence. In response to an access operation on a target control of a front-end page, the front-end system encrypts the URL address and parameters of the API interface called by that control with the random number and adds the resulting encrypted string to the HTTP header. It then sends the HTTP request carrying that header to the back-end system, which: determines the random number from the user token in the header; decrypts the encrypted string with the random number and compares the decrypted URL address and parameters with the URL address and parameters of the API interface actually being requested; executes the HTTP request if the two are identical, and refuses to execute it if they differ.
Description
Technical field
The present invention relates to the field of software technology, and more specifically to a configuration-free interface permission verification method, device and system.
Background
Permission management is an important part of system development. As business and technology have evolved, separating the front end from the back end has become a very popular development model. Under this model, management of a user's functional permissions splits into two parts: the front-end pages control the user's page permissions, button permissions and control permissions, while the back-end system must verify the access permission of each back-end API (Application Programming Interface) that the page controls call.
The business system therefore has to maintain two sets of functional permissions, page function, button and control permissions on one side and back-end API access permissions on the other, and assign both sets to each user's permission list. In practice a single page displays a great deal of data and calls many API interfaces; in a typical system the number of API interfaces is tens of times the number of pages. Maintaining API permission data becomes very tedious: every new page brings a large amount of back-end API permission data to operate and maintain.
Summary of the invention
In view of this, to solve the above problems, the present invention provides a configuration-free interface permission verification method, device and system. The technical solution is as follows:
A configuration-free interface permission verification method, applied to a front-end system, comprising:
in response to a login operation, retrieving an already generated HTTP header and random number, the HTTP header carrying a user token that was returned by the back-end system, the back-end system having stored the user token and the random number in correspondence;
in response to an access operation on a target control of a front-end page, encrypting the URL address and parameters of the API interface called by the target control with the random number, and adding the resulting encrypted string to the HTTP header;
sending the HTTP request carrying the HTTP header to the back-end system, so that the back-end system:
determines the random number from the user token in the HTTP header; decrypts the encrypted string in the HTTP header with the random number and compares the decrypted URL address and parameters with the URL address and parameters of the API interface being requested; executes the HTTP request if the two are identical, and refuses to execute it if they differ.
Preferably, generating the HTTP header and the random number comprises:
obtaining login information and sending it to the back-end system, so that the back-end system verifies the login information;
receiving the user token that the back-end system returns when the login information is verified, and setting the user token in the HTTP header;
generating the random number and sending it to the back-end system, so that the back-end system stores the user token and the random number in correspondence in its back-end cache.
A configuration-free interface permission verification device, comprising:
a login response module, configured to respond to a login operation by retrieving an already generated HTTP header and random number, the HTTP header carrying a user token returned by the back-end system, the back-end system having stored the user token and the random number in correspondence;
an access response module, configured to respond to an access operation on a target control of a front-end page by encrypting the URL address and parameters of the API interface called by the target control with the random number, adding the resulting encrypted string to the HTTP header, and sending the HTTP request carrying the HTTP header to the back-end system, so that the back-end system:
determines the random number from the user token in the HTTP header; decrypts the encrypted string in the HTTP header with the random number and compares the decrypted URL address and parameters with the URL address and parameters of the API interface being requested; executes the HTTP request if the two are identical, and refuses to execute it if they differ.
Preferably, the login response module generates the HTTP header and the random number by:
obtaining login information and sending it to the back-end system, so that the back-end system verifies the login information; receiving the user token that the back-end system returns when the login information is verified, and setting the user token in the HTTP header; generating the random number and sending it to the back-end system, so that the back-end system stores the user token and the random number in correspondence in its back-end cache.
A configuration-free interface permission verification method, applied to a back-end system, comprising:
receiving an HTTP request sent by a front-end system, the HTTP header carried by the request containing a user token and an encrypted string, where the encrypted string was obtained by the front-end system, in response to an access operation on a target control of a front-end page, by encrypting the URL address and parameters of the API interface called by the target control with a random number; the random number and the HTTP header carrying the user token were retrieved by the front-end system in response to a login operation; the user token was returned by the back-end system; and the back-end system has stored the user token and the random number in correspondence;
determining the random number from the user token in the HTTP header;
decrypting the encrypted string in the HTTP header with the random number, and comparing the decrypted URL address and parameters with the URL address and parameters of the API interface being requested;
executing the HTTP request if the two are identical;
refusing to execute the HTTP request if the two differ.
Preferably, the method further comprises:
if the two differ, returning an error message to the front-end system, so that the front-end system outputs the error message.
A configuration-free interface permission verification device, comprising:
a request receiving module, configured to receive an HTTP request sent by a front-end system, the HTTP header carried by the request containing a user token and an encrypted string, where the encrypted string was obtained by the front-end system, in response to an access operation on a target control of a front-end page, by encrypting the URL address and parameters of the API interface called by the target control with a random number; the random number and the HTTP header carrying the user token were retrieved by the front-end system in response to a login operation; the user token was returned by the back-end system; and the back-end system has stored the user token and the random number in correspondence;
a permission verification module, configured to determine the random number from the user token in the HTTP header; decrypt the encrypted string in the HTTP header with the random number and compare the decrypted URL address and parameters with the URL address and parameters of the API interface being requested; execute the HTTP request if the two are identical; and refuse to execute the HTTP request if the two differ.
Preferably, the permission verification module is further configured to:
if the two differ, return an error message to the front-end system, so that the front-end system outputs the error message.
A configuration-free interface permission verification system, comprising a front-end system and a back-end system, where the front-end system executes the front-end method described above and the back-end system executes the back-end method described above.
Compared with the prior art, the present invention achieves the following beneficial effects:
The present invention provides a configuration-free interface permission verification method, device and system applied to a front-end system. In response to a login operation, the front-end system retrieves an already generated HTTP header and random number; the HTTP header carries a user token returned by the back-end system, and the back-end system has stored the user token and the random number in correspondence. In response to an access operation on a target control of a front-end page, the front-end system encrypts the URL address and parameters of the API interface called by that control with the random number and adds the resulting encrypted string to the HTTP header. It then sends the HTTP request carrying that header to the back-end system, which: determines the random number from the user token in the header; decrypts the encrypted string with the random number and compares the decrypted URL address and parameters with the URL address and parameters of the API interface actually being requested; executes the HTTP request if the two are identical, and refuses to execute it if they differ. The invention removes the need to configure API interface permissions: only the functional permissions of the front-end pages need to be configured for each user. This reduces the workload of system configuration staff, saves operation and maintenance cost, and spares the back-end system from checking on every API interface call whether the current user holds access permission for that API interface, which greatly improves efficiency while maintaining system security.
Description of the drawings
To illustrate the technical solutions of the embodiments of the present invention or of the prior art more clearly, the drawings needed for describing them are briefly introduced below. The drawings described below are only embodiments of the present invention; a person of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a flowchart of a configuration-free interface permission verification method provided by an embodiment of the present invention;
Fig. 2 is a signaling flowchart of the configuration-free interface permission verification method provided by an embodiment of the present invention;
Fig. 3 is a schematic diagram of permission control provided by an embodiment of the present invention;
Fig. 4 is a schematic structural diagram of a configuration-free interface permission verification device provided by an embodiment of the present invention;
Fig. 5 is a flowchart of another configuration-free interface permission verification method provided by an embodiment of the present invention;
Fig. 6 is a schematic structural diagram of another configuration-free interface permission verification device provided by an embodiment of the present invention.
Detailed description
The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the drawings. The described embodiments are only some of the embodiments of the present invention, not all of them. All other embodiments that a person of ordinary skill in the art obtains from them without creative effort fall within the protection scope of the present invention.
To make the above objects, features and advantages of the present invention clearer, the invention is described in further detail below with reference to the drawings and specific embodiments.
For ease of understanding, the related concepts are explained first:
Front-end/back-end separation: a currently very popular development model that makes the division of labor in a project clearer: the back end processes and stores data; the front end displays it. Front-end and back-end developers exchange data through API interfaces.
Front end: the user-facing part of the website, the web pages that run in the browser on the user's PC.
Back end: the system responsible for accessing, processing and storing data.
API interface: the means by which front end and back end interact; under the separated model this is generally HTTP + JSON.
Request Header: also called the HTTP header; the fields in an HTTP request or response that carry additional information. HTTP headers describe the resource being fetched and the behaviour of the server or client, and define the operating parameters of the HTTP transaction.
HTTP interceptor: a component that blocks or modifies an HTTP request or response.
Permission management: which pages a user may visit after logging in, which APIs the user may request, and so on, as set by the administrator; only users holding the corresponding permission may browse a page or call an API interface. A permission is the limit placed on a right.
Token: a token generated for a user, generally used for authentication under the separated model.
Symmetric encryption: the sender processes the plaintext (original data) together with the encryption key through an encryption algorithm, producing ciphertext that is sent out. To read the original text, the receiver must decrypt the ciphertext with the same key and the inverse of the same algorithm, which restores the readable plaintext.
As business and technology have evolved, the front-end technology stack has grown richer, so most systems now adopt the separated front-end/back-end model. This model makes the division of labor in a project clearer: the back end processes and stores data; the front end displays it; front-end and back-end developers exchange data through API interfaces.
Under the separated model, management of a user's functional permissions splits into two parts. The front-end pages control the user's page, button and control permissions. The back-end system must verify the access permission of each back-end API interface that the page controls call. The system therefore has to maintain both the functional permissions of the front-end pages and those of the back-end API interfaces, and assign both sets to the user's list of functional permissions, before the user can access the system safely.
The traditional verification flow under this model is: the user opens the login page and enters a user name and password; on successful login the back-end system returns to the front-end system the user's list of functional permissions and a Token that authenticates the user's identity; the front-end system reads the permission list and displays the pages it allows. When the user visits a page, the page queries data through back-end APIs; the usual practice is to put the user's Token in the Request Header of each API request sent to the back-end system. The back-end system establishes the user's identity from the Token, then looks up the user's list of API interface permissions to verify whether the user may access the current API interface.
In practice a single page displays a great deal of data and calls many API interfaces, and the number of API interfaces in a system is tens of times the number of pages. This permission data must also be synchronised and maintained across the development, test, UAT and production environments. If some of it is missing, users cannot reach their data, and the fault has to be located by checking the maintained page function list and the back-end API list entry by entry, which makes troubleshooting harder. Moreover, on every back-end API interface call the back-end system must search a large list of API interfaces to decide whether the user may access that one; with many API interfaces this matching step is a significant performance cost.
Referring to Fig. 1, a flowchart of the configuration-free interface permission verification method provided by an embodiment of the present invention: the method is applied to a front-end system and comprises the following steps:
S101: in response to a login operation, retrieve the already generated HTTP header and random number, the HTTP header carrying the user token returned by the back-end system, the back-end system having stored the user token and the random number in correspondence.
In this embodiment, when the user logs in for the first time, the front-end system sends the login information to the back-end system for verification; the back-end system returns the user token (Token) to the front-end system; the front-end system generates a random number and sets the Token in the HTTP header, so that the HTTP header (Request Header) of every subsequent HTTP request contains the user token, and the random number is sent to the back-end system in an HTTP request that carries that header. On receiving the random number and the user token (Token) of the HTTP request, the back-end system stores the correspondence between the random number and the Token in its back-end cache.
On later login operations, the HTTP header already holding the user token (Token), and the random number, can simply be retrieved.
In a specific implementation, generating the HTTP header and the random number comprises the following steps:
obtaining login information and sending it to the back-end system, so that the back-end system verifies the login information;
receiving the user token that the back-end system returns when the login information is verified, and setting the user token in the HTTP header;
generating the random number and sending it to the back-end system, so that the back-end system stores the user token and the random number in correspondence in its back-end cache.
Referring to Fig. 2, the signaling flowchart of the configuration-free interface permission verification method provided by an embodiment of the present invention: the front-end system may consist of a front-end framework and front-end pages, and the back-end system of a back-end permission management service and a back-end API service.
The user logs in to the system through the front-end framework. The back-end permission management service verifies the user name and password; once they are verified, it generates a user token (Token) for this login from information such as the user name and login time, records the login as successful, and returns the Token to the front-end framework. On receiving the Token, the front-end framework uses its HTTP interceptor to set the Token in the HTTP header (Request Header) of HTTP requests, so that the header of every subsequent HTTP request contains the Token. The front-end framework then generates a random number and sends it to the back-end permission management service in an HTTP request; the service receives the random number together with that request's Token and stores the correspondence between the two in its back-end cache.
S102. In response to an access operation on a target control on a front-end page, encrypt the URL address and parameters of the API interface called by the target control using the random number, and add the resulting encrypted string to the Http message header.
The present invention does not need to maintain API interface list data; only the front-end page authority list data needs to be maintained. Once a user has been assigned the authority for a front-end page and the controls on it, the user can access that page and its controls.
When a control on a front-end page (the target control) calls a back-end API interface, it first encrypts the URL (uniform resource locator) address and parameters of the API interface to be requested, producing an encrypted string that is sent to the back-end system together with the Http message header (Request Header) of the Http request. Thus, by adding Http request interception processing in the front-end system, the user token (Token) and the encrypted string (that is, the encrypted URL address and parameters) are added to the Http message header carried by the Http request sent to the back-end system.
Continuing with FIG. 2, when the user accesses data on a front-end page, the page uses the random number generated after login as the key and applies a symmetric encryption algorithm to the URL address and parameters of the Http request about to be issued, adds the encrypted string to a field of the Http message header (Request Header), and passes it to the back-end system when the API interface is accessed. The main processing steps of Http interception in the front-end system are as follows:
Obtain the user token (Token) for the user's current login; obtain the generated random number; symmetrically encrypt the URL address and parameters with the random number as the key, producing the encrypted string ApiKeys.
Every Http request sent through the front-end system is intercepted by the Http interceptor, which assigns the user token (Token) and the encrypted string ApiKeys to the Http message header (Request Header) of that request before sending it to the back-end system. The encrypted string ApiKeys is assigned to a Header field item of the Http message header.
S103. Send the Http request carrying the Http message header to the back-end system, so that the back-end system:
determines the random number based on the user token in the Http message header; decrypts the encrypted string in the Http message header using the random number and compares the URL address and parameters obtained by decryption with the URL address and parameters of the queried API interface; if the two are the same, executes the Http request; if they differ, refuses to execute the Http request.
In this embodiment of the present invention, for an API interface for which the association between the user token and the random number is stored, the back-end system does not verify the specific content of the encrypted string ApiKeys; it only verifies the user token (Token).
The back-end system intercepts the Http request, first obtains from the request the URL address and parameters of the API interface currently being accessed, then decrypts the encrypted string ApiKeys in the Http message header (Request Header) to recover the pre-encryption URL address and parameters of the API request, and compares the two for verification. In this way the back-end system does not need to decide whether the user holds the authority to access this API interface; it only needs to verify whether the encrypted string ApiKeys in the Http message header (Request Header) matches the API interface currently being accessed. This verifies whether the user is permitted to access the API interface and whether the user has privately modified the URL or parameters or accessed the API interface beyond their authority. The process above guarantees that a call to a back-end API must carry the encrypted string ApiKeys, and that ApiKeys must have been generated inside the trusted front-end system. Consequently, when the front-end system calls a back-end API interface, preset permissions need not be verified; verifying the encrypted string suffices.
Continuing with FIG. 2, the front-end page accesses the API interface by sending the Http request to the back-end authority management service. The back-end authority management service intercepts the Http request, obtains the user token (Token) from the Http message header (Request Header) carried by the request, queries the back-end cache with that user token, and obtains the random number that was generated after the current user's login and is associated with the token. The back-end authority management service uses that random number as the key to decrypt the encrypted string ApiKeys in the Header field item of the Http message header. Of course, if the encrypted string ApiKeys is empty, an error may be reported directly: the error message is returned to the front-end page, which outputs it by rendering the page. The back-end authority management service then queries the URL address and parameters of the Http request through the interface provided by the web server and compares them with the URL address and parameters obtained by decryption. If the queried URL address is identical to the decrypted URL address and the queried parameters are identical to the decrypted parameters, verification passes, the Http request continues to execute, and the API resources provided by the back-end API service are accessed. If the queried URL address is not identical to the decrypted URL address, or the queried parameters are not identical to the decrypted parameters, verification fails, execution of the Http request is refused, and the Http request is terminated.
Of course, if the queried URL address is not identical to the decrypted URL address, or the queried parameters are not identical to the decrypted parameters, then in addition to refusing to execute the Http request, the back-end authority management service may also report an error, returning an error message to the front-end page, which outputs the error message by rendering the page.
Through the above approach, the present invention can verify and manage API interface authority without requiring users to maintain and configure back-end API interface permissions, which effectively saves the labor cost of system configuration personnel. In addition, because no configuration is required, permission configuration information does not need to be stored, occupies no database resources, need not be synchronized across environments, and cannot cause query, filtering, or processing efficiency problems due to a large volume of permission data. Referring to FIG. 3, FIG. 3 is a schematic diagram of authority control provided by an embodiment of the present invention. As shown in FIG. 3, the system only needs to control the user's authority over pages and the functions on those pages; for the user, what you see is what you get: the page functions granted to the user correspondingly grant access to the API interfaces, and the user is guaranteed not to be able to access API interfaces beyond their authority.
The configuration-free interface authority verification method provided by the embodiment of the present invention has the following advantages:
1) The API interface permission list does not need to be maintained, nor does the association between users and API interfaces, which greatly reduces the workload of system configuration personnel and safeguards the security of data access.
2) When the back-end verifies API permissions, it does not need to read permission configuration data, filter permission data by user ID, or query the database, which improves the efficiency of permission verification.
3) Random-key encryption is used: the random key is generated on the authenticated client front-end, and the back-end stores the association between the authenticated user and the random key, ensuring that the encryption can only be performed on a trusted client and safeguarding the security of the API interfaces. Access to the API by untrusted clients, private modification of access parameters by technical means after user authentication, and unauthorized user access can all be addressed.
Based on the configuration-free interface authority verification method provided by the above embodiments, an embodiment of the present invention correspondingly provides a device for performing the method; the structural diagram of the device is shown in FIG. 4 and includes:
a login response module 101, configured to respond to a login operation by retrieving the generated Http message header and random number, where the Http message header is set with a user token, the user token is returned by the back-end system, and the back-end system has stored the user token and the random number as a corresponding pair;
an access response module 102, configured to respond to an access operation on a target control on a front-end page by encrypting the URL address and parameters of the API interface called by the target control with the random number, adding the resulting encrypted string to the Http message header, and sending the Http request carrying the Http message header to the back-end system, so that the back-end system:
determines the random number based on the user token in the Http message header; decrypts the encrypted string in the Http message header using the random number and compares the URL address and parameters obtained by decryption with the URL address and parameters of the queried API interface; if the two are the same, executes the Http request; if they differ, refuses to execute the Http request.
Optionally, the process by which the login response module 101 generates the Http message header and the random number includes:
obtaining login information and sending it to the back-end system so that the back-end system verifies it; receiving the user token returned by the back-end system when the login information passes verification and setting the user token into the Http message header; generating a random number and sending it to the back-end system so that the back-end system stores the user token and the random number as a corresponding pair in its back-end cache.
It should be noted that, for the detailed functions of each module in this embodiment of the present invention, reference may be made to the corresponding disclosure in the embodiment of the configuration-free interface authority verification method above, which is not repeated here.
Based on the configuration-free interface authority verification method provided by the above embodiments, an embodiment of the present invention further provides another configuration-free interface authority verification method, applied to the back-end system; the flowchart of the method is shown in FIG. 5 and includes the following steps:
S201. Receive an Http request sent by the front-end system, where the Http message header carried by the Http request contains a user token and an encrypted string; the encrypted string was obtained by the front-end system, in response to an access operation on a target control on a front-end page, by encrypting the URL address and parameters of the API interface called by the target control using a random number; the random number and the Http message header set with the user token were retrieved by the front-end system in response to a login operation; and the user token was returned by the back-end system, which has stored the user token and the random number as a corresponding pair.
S202. Determine the random number based on the user token in the Http message header.
S203. Decrypt the encrypted string in the Http message header using the random number, and compare the URL address and parameters obtained by decryption with the URL address and parameters of the queried API interface.
S204. If the two are the same, execute the Http request.
S205. If the two differ, refuse to execute the Http request.
The above method further includes the following step:
If the two differ, return an error message to the front-end system so that the front-end system outputs the error message.
It should be noted that, for the detailed implementation of each step in this embodiment of the present invention, reference may be made to the corresponding disclosure in the embodiment of the configuration-free interface authority verification method above, which is not repeated here.
Based on the configuration-free interface authority verification method provided by the above embodiments, an embodiment of the present invention correspondingly provides a device for performing the method; the structural diagram of the device is shown in FIG. 6 and includes:
a request receiving module 201, configured to receive an Http request sent by the front-end system, where the Http message header carried by the Http request contains a user token and an encrypted string; the encrypted string was obtained by the front-end system, in response to an access operation on a target control on a front-end page, by encrypting the URL address and parameters of the API interface called by the target control using a random number; the random number and the Http message header set with the user token were retrieved by the front-end system in response to a login operation; and the user token was returned by the back-end system, which has stored the user token and the random number as a corresponding pair;
an authority verification module 202, configured to determine the random number based on the user token in the Http message header; decrypt the encrypted string in the Http message header using the random number and compare the URL address and parameters obtained by decryption with the URL address and parameters of the queried API interface; if the two are the same, execute the Http request; if they differ, refuse to execute the Http request.
Optionally, the authority verification module 202 is further configured to:
if the two differ, return an error message to the front-end system so that the front-end system outputs the error message.
It should be noted that, for the detailed implementation of each step in this embodiment of the present invention, reference may be made to the corresponding disclosure in the embodiment of the configuration-free interface authority verification method above, which is not repeated here.
An embodiment of the present invention further provides a configuration-free interface authority verification system, which includes a front-end system and a back-end system; the front-end system is configured to perform its corresponding configuration-free interface authority verification method, and the back-end system is configured to perform its corresponding configuration-free interface authority verification method.
The configuration-free interface authority verification method, device and system provided by the present invention have been described in detail above. Specific examples have been used herein to explain the principle and implementation of the present invention, and the description of the above embodiments is intended only to help understand the method of the present invention and its core idea. Moreover, for those of ordinary skill in the art, changes may be made to the specific implementation and scope of application in accordance with the idea of the present invention. In summary, the content of this specification should not be construed as a limitation of the present invention.
It should be noted that the embodiments in this specification are described in a progressive manner; each embodiment focuses on its differences from the other embodiments, and for the same or similar parts among the embodiments, reference may be made from one to another. As for the device disclosed in the embodiments, since it corresponds to the method disclosed in the embodiments, its description is relatively brief, and for relevant details reference may be made to the description of the method.
It should also be noted that, herein, relational terms such as first and second are used only to distinguish one entity or operation from another, and do not necessarily require or imply any such actual relationship or order between those entities or operations. Moreover, the terms "comprise", "include", or any other variant thereof are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements includes not only those elements but also other elements not expressly listed, or elements inherent to such a process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising a ..." does not exclude the presence of additional identical elements in the process, method, article, or apparatus that comprises that element.
The above description of the disclosed embodiments enables those skilled in the art to make or use the present invention. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the general principles defined herein may be implemented in other embodiments without departing from the spirit or scope of the present invention. Therefore, the present invention is not to be limited to the embodiments shown herein, but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.
Claims (9)
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202211246216.7A CN115550047A (en) | 2022-10-12 | 2022-10-12 | Configuration-free interface authority verification method, device and system |
Publications (1)
Publication Number | Publication Date |
---|---|
CN115550047A true CN115550047A (en) | 2022-12-30 |
Family
ID=84733464
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202211246216.7A Pending CN115550047A (en) | 2022-10-12 | 2022-10-12 | Configuration-free interface authority verification method, device and system |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN115550047A (en) |
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN118134510A (en) * | 2024-04-02 | 2024-06-04 | 国网河北省电力有限公司雄安新区供电公司 | Carbon emission management system and management method based on energy big data |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN103944900A (en) * | 2014-04-18 | 2014-07-23 | 中国科学院计算技术研究所 | Cross-station request attack defense method and device based on encryption |
US9894067B1 (en) * | 2015-12-03 | 2018-02-13 | Amazon Technologies, Inc. | Cross-region roles |
CN109309683A (en) * | 2018-10-30 | 2019-02-05 | 泰华智慧产业集团股份有限公司 | The method and system of client identity verifying based on token |
US20200145421A1 (en) * | 2018-11-05 | 2020-05-07 | Wistron Corporation | Method for authentication and authorization and authentication server using the same |
CN113783867A (en) * | 2021-09-07 | 2021-12-10 | 福建天泉教育科技有限公司 | Request authentication method and terminal |
- 2022-10-12 CN CN202211246216.7A patent/CN115550047A/en active Pending
Non-Patent Citations (1)
Title |
---|
熊小军;翁培钧;: "APP后台用户安全登录验证解决方案的研究", 电子世界, no. 24, 23 December 2017 (2017-12-23) * |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||