CN118138641A

CN118138641A - Request processing method and device

Info

Publication number: CN118138641A
Application number: CN202211540828.7A
Authority: CN
Inventors: 史学涛; 韩笑; 吴飞昊
Original assignee: Jingdong Technology Information Technology Co Ltd
Current assignee: Jingdong Technology Information Technology Co Ltd
Priority date: 2022-12-02
Filing date: 2022-12-02
Publication date: 2024-06-04

Abstract

The application discloses a request processing method and a request processing device, and relates to the technical field of control consoles. One embodiment of the method comprises the following steps: responding to the detection of a first access request of a user to a second platform embedded in the first platform based on the iframe, determining that the user needs to create a shadow account number and a role, and sending request information to an SSO system; in response to receiving a shadow account number and a role sent by an SSO system based on the user account number and the identification of the first platform, mapping authorization of the user account number and the shadow account number is carried out based on the user account number, the shadow account number and the role; performing verification operation based on the user account and the shadow account authorized by mapping, and sending a verification result to the SSO system; and controlling the shadow account to execute the first access request on the second platform in response to receiving the login state credential of the first platform which is successfully issued by the SSO system based on the verification result. This embodiment reduces the load on the individual consoles and improves the maintainability of the consoles.

Description

Request processing method and device

技术领域Technical Field

本申请涉及计算机技术领域，具体涉及控制台技术领域，尤其涉及一种请求处理方法和装置。The present application relates to the field of computer technology, specifically to the field of console technology, and in particular to a request processing method and device.

背景技术Background technique

单独的控制台，依赖公有云的OpenAPI。目前用户在单独的控制台的购买、管理公有云资源时，会将资源创建到影子账号上，费用记在用户自己的账号上，因此，单独的控制台维护成本较高，功能更新较慢。A separate console relies on the OpenAPI of the public cloud. Currently, when users purchase and manage public cloud resources in a separate console, the resources are created in a shadow account and the fees are charged to the user's own account. Therefore, the maintenance cost of a separate console is high and the function update is slow.

发明内容Summary of the invention

本申请实施例提供了一种请求处理方法、装置、设备以及存储介质。Embodiments of the present application provide a request processing method, apparatus, device, and storage medium.

根据第一方面，本申请实施例提供了一种请求处理方法，该方法包括：响应于检测到用户对第一平台中，基于iframe嵌入的第二平台的第一访问请求，并且确定用户需要创建影子账号和角色，向SSO系统发送请求信息；响应于接收到SSO系统基于用户账号和第一平台的标识发送的影子账号和角色，基于用户账号、影子账号和角色进行用户账号和影子账号的映射授权；基于映射授权的用户账号和影子账号执行校验操作，并将校验结果发送至SSO系统；响应于接收到SSO系统基于校验结果为校验成功下发的第一平台的登录态凭证，控制影子账号在第二平台执行第一访问请求。According to the first aspect, an embodiment of the present application provides a request processing method, the method comprising: in response to detecting a user's first access request to a second platform embedded based on an iframe in a first platform, and determining that the user needs to create a shadow account and a role, sending a request message to an SSO system; in response to receiving a shadow account and a role sent by the SSO system based on the user account and an identifier of the first platform, performing mapping authorization of the user account and the shadow account based on the user account, the shadow account and the role; performing a verification operation based on the mapped authorized user account and the shadow account, and sending the verification result to the SSO system; in response to receiving the login credentials of the first platform issued by the SSO system based on the verification result for successful verification, controlling the shadow account to execute the first access request on the second platform.

根据第二方面，本申请实施例提供了一种请求处理装置，该装置包括：发送模块，被配置成响应于检测到用户对第一平台中，基于iframe嵌入的第二平台的第一访问请求，并且确定用户需要创建影子账号和角色，向SSO系统发送请求信息；接收模块，被配置成响应于接收到SSO系统基于用户账号和第一平台的标识发送的影子账号和角色，基于用户账号、影子账号和角色进行用户账号和影子账号的映射授权；校验模块，被配置成基于映射授权的用户账号和影子账号执行校验操作，并将校验结果发送至SSO系统；执行模块，被配置成响应于接收到SSO系统基于校验结果为校验成功下发的第一平台的登录态凭证，控制影子账号在第二平台执行第一访问请求。According to the second aspect, an embodiment of the present application provides a request processing device, which includes: a sending module, configured to send a request message to the SSO system in response to detecting a user's first access request to a second platform embedded based on an iframe in the first platform, and determining that the user needs to create a shadow account and a role; a receiving module, configured to perform mapping authorization of the user account and the shadow account based on the user account, shadow account and role in response to receiving the shadow account and role sent by the SSO system based on the user account and the identifier of the first platform; a verification module, configured to perform a verification operation based on the mapped authorized user account and shadow account, and send the verification result to the SSO system; an execution module, configured to control the shadow account to execute the first access request on the second platform in response to receiving the login credentials of the first platform issued by the SSO system based on the verification result for successful verification.

根据第三方面，本申请实施例提供了一种电子设备，该电子设备包括一个或多个处理器；存储装置，其上存储有一个或多个程序，当一个或多个程序被该一个或多个处理器执行，使得一个或多个处理器实现如第一方面的任一实施例的请求处理方法。According to the third aspect, an embodiment of the present application provides an electronic device, which includes one or more processors; a storage device on which one or more programs are stored, and when the one or more programs are executed by the one or more processors, the one or more processors implement a request processing method as in any embodiment of the first aspect.

根据第四方面，本申请实施例提供了一种计算机可读介质，其上存储有计算机程序，该程序被处理器执行时实现如第一方面的任一实施例的请求处理方法。According to a fourth aspect, an embodiment of the present application provides a computer-readable medium having a computer program stored thereon, which, when executed by a processor, implements a request processing method as in any embodiment of the first aspect.

本申请通过响应于检测到用户对第一平台中，基于iframe嵌入的第二平台的第一访问请求，并且确定用户需要创建影子账号和角色，向SSO系统发送请求信息；响应于接收到SSO系统基于用户账号和第一平台的标识发送的影子账号和角色，基于用户账号、影子账号和角色进行用户账号和影子账号的映射授权；基于映射授权的用户账号和影子账号执行校验操作，并将校验结果发送至SSO系统；响应于接收到SSO系统基于校验结果为校验成功下发的第一平台的登录态凭证，控制影子账号在第二平台执行第一访问请求，即实现了不同控制台间的嵌套和调用，减轻了单独的控制台的负荷，提高了控制台的可维护性。The present application sends a request message to the SSO system in response to detecting a user's first access request to the second platform embedded based on an iframe in the first platform, and determining that the user needs to create a shadow account and role; in response to receiving the shadow account and role sent by the SSO system based on the user account and the identifier of the first platform, performs mapping authorization of the user account and the shadow account based on the user account, shadow account and role; performs a verification operation based on the mapped authorized user account and shadow account, and sends the verification result to the SSO system; in response to receiving the login credential of the first platform issued by the SSO system based on the verification result for successful verification, controls the shadow account to execute the first access request on the second platform, thereby realizing nesting and calling between different consoles, reducing the load of a separate console, and improving the maintainability of the console.

应当理解，本部分所描述的内容并非旨在标识本公开的实施例的关键或重要特征，也不用于限制本公开的范围。本公开的其他特征将通过以下的说明书而变得容易理解。It should be understood that the content described in this section is not intended to identify the key or important features of the embodiments of the present disclosure, nor is it intended to limit the scope of the present disclosure. Other features of the present disclosure will become easily understood through the following description.

附图说明BRIEF DESCRIPTION OF THE DRAWINGS

图1是本申请可以应用于其中的示例性系统架构图；FIG1 is a diagram of an exemplary system architecture in which the present application may be applied;

图2是根据本申请的请求处理方法的一个实施例的流程图；FIG2 is a flow chart of an embodiment of a request processing method according to the present application;

图3是根据本申请的请求处理方法的一个应用场景的示意图；FIG3 is a schematic diagram of an application scenario of the request processing method according to the present application;

图4是根据本申请的请求处理方法的又一个实施例的流程图；FIG4 is a flow chart of another embodiment of a request processing method according to the present application;

图5是根据本申请的请求处理装置的一个实施例的示意图；FIG5 is a schematic diagram of an embodiment of a request processing device according to the present application;

图6是适于用来实现本申请实施例的服务器的计算机系统的结构示意图。FIG. 6 is a schematic diagram of the structure of a computer system suitable for implementing a server according to an embodiment of the present application.

具体实施方式Detailed ways

以下结合附图对本申请的示范性实施例做出说明，其中包括本申请实施例的各种细节以助于理解，应当将它们认为仅仅是示范性的。因此，本领域普通技术人员应当认识到，可以对这里描述的实施例做出各种改变和修改，而不会背离本申请的范围和精神。同样，为了清楚和简明，以下的描述中省略了对公知功能和结构的描述。The following is a description of exemplary embodiments of the present application in conjunction with the accompanying drawings, including various details of the embodiments of the present application to facilitate understanding, which should be considered as merely exemplary. Therefore, it should be recognized by those of ordinary skill in the art that various changes and modifications can be made to the embodiments described herein without departing from the scope and spirit of the present application. Similarly, for the sake of clarity and conciseness, the description of well-known functions and structures is omitted in the following description.

需要说明的是，在不冲突的情况下，本申请中的实施例及实施例中的特征可以相互组合。下面将参考附图并结合实施例来详细说明本申请。It should be noted that, in the absence of conflict, the embodiments and features in the embodiments of the present application can be combined with each other. The present application will be described in detail below with reference to the accompanying drawings and in combination with the embodiments.

图1示出了可以应用本申请的请求处理方法的实施例的示例性系统架构100。FIG. 1 shows an exemplary system architecture 100 to which an embodiment of the request processing method of the present application can be applied.

如图1所示，系统架构100可以包括终端设备101、102、103，网络104和服务器105。网络104用以在终端设备101、102、103和服务器105之间提供通信链路的介质。网络104可以包括各种连接类型，例如有线、无线通信链路或者光纤电缆等等。As shown in Fig. 1, system architecture 100 may include terminal devices 101, 102, 103, network 104 and server 105. Network 104 is used to provide a medium for communication links between terminal devices 101, 102, 103 and server 105. Network 104 may include various connection types, such as wired, wireless communication links or optical fiber cables, etc.

终端设备101、102、103通过网络104与服务器105交互，以接收或发送消息等。终端设备101、102、103上可以安装有各种应用平台。The terminal devices 101, 102, 103 interact with the server 105 via the network 104 to receive or send messages, etc. Various application platforms may be installed on the terminal devices 101, 102, 103.

终端设备101、102、103可以是硬件，也可以是软件。当终端设备101、102、103为硬件时，可以是具有显示屏的各种电子设备，包括但不限于手机和笔记本电脑。当终端设备101、102、103为软件时，可以安装在上述所列举的电子设备中。其可以实现成多个软件或软件模块(例如用来提供请求处理服务)，也可以实现成单个软件或软件模块。在此不做具体限定。Terminal devices 101, 102, 103 can be hardware or software. When terminal devices 101, 102, 103 are hardware, they can be various electronic devices with display screens, including but not limited to mobile phones and laptops. When terminal devices 101, 102, 103 are software, they can be installed in the electronic devices listed above. They can be implemented as multiple software or software modules (for example, to provide request processing services), or they can be implemented as a single software or software module. No specific limitation is made here.

服务器105可以是提供各种服务的服务器，例如，响应于检测到用户对第一平台中，基于iframe嵌入的第二平台的第一访问请求，并且确定用户需要创建影子账号和角色，向SSO系统发送请求信息，请求信息可以包括用户账号和第一平台的标识；响应于接收到SSO系统基于用户账号和第一平台的标识发送的影子账号和角色，基于用户账号、影子账号和角色进行用户账号和影子账号的映射授权；基于映射授权的用户账号和影子账号执行校验操作，并将校验结果发送至SSO系统；响应于接收到SSO系统基于校验结果为校验成功下发的第一平台的登录态凭证，控制影子账号在第二平台执行第一访问请求。Server 105 can be a server that provides various services. For example, in response to detecting a user's first access request to a second platform embedded based on an iframe in a first platform, and determining that the user needs to create a shadow account and a role, a request message is sent to the SSO system, and the request message may include the user account and the identifier of the first platform; in response to receiving the shadow account and role sent by the SSO system based on the identifier of the user account and the first platform, mapping authorization of the user account and the shadow account is performed based on the user account, the shadow account and the role; a verification operation is performed based on the mapped authorized user account and the shadow account, and the verification result is sent to the SSO system; in response to receiving the login credentials of the first platform issued by the SSO system based on the verification result for successful verification, the shadow account is controlled to execute the first access request on the second platform.

需要说明的是，服务器105可以是硬件，也可以是软件。当服务器105为硬件时，可以实现成多个服务器组成的分布式服务器集群，也可以实现成单个服务器。当服务器为软件时，可以实现成多个软件或软件模块(例如用来提供请求处理服务)，也可以实现成单个软件或软件模块。在此不做具体限定。It should be noted that the server 105 can be hardware or software. When the server 105 is hardware, it can be implemented as a distributed server cluster consisting of multiple servers, or it can be implemented as a single server. When the server is software, it can be implemented as multiple software or software modules (for example, for providing request processing services), or it can be implemented as a single software or software module. No specific limitation is made here.

需要指出的是，本公开的实施例所提供的请求处理方法可以由服务器105执行，也可以由终端设备101、102、103执行，还可以由服务器105和终端设备101、102、103彼此配合执行。相应地，请求处理装置包括的各个部分(例如各个单元、子单元、模块、子模块)可以全部设置于服务器105中，也可以全部设置于终端设备101、102、103中，还可以分别设置于服务器105和终端设备101、102、103中。It should be noted that the request processing method provided in the embodiments of the present disclosure can be executed by the server 105, or by the terminal devices 101, 102, 103, or by the server 105 and the terminal devices 101, 102, 103 in cooperation with each other. Accordingly, the various parts (such as various units, sub-units, modules, sub-modules) included in the request processing device can be all set in the server 105, or all set in the terminal devices 101, 102, 103, or respectively set in the server 105 and the terminal devices 101, 102, 103.

应该理解，图1中的终端设备、网络和服务器的数目仅仅是示意性的。根据实现需要，可以具有任意数目的终端设备、网络和服务器。It should be understood that the number of terminal devices, networks and servers in Figure 1 is only illustrative. Any number of terminal devices, networks and servers may be provided according to implementation requirements.

图2示出了可以应用于本申请的请求处理方法的实施例的流程示意图200。在本实施例中，请求处理方法包括以下步骤：FIG2 shows a flow chart 200 of an embodiment of a request processing method that can be applied to the present application. In this embodiment, the request processing method includes the following steps:

步骤201，响应于检测到用户对第一平台中，基于iframe嵌入的第二平台的第一访问请求，并且确定用户需要创建影子账号和角色，向SSO系统发送请求信息。Step 201, in response to detecting a first access request from a user to a second platform embedded in an iframe in a first platform, and determining that the user needs to create a shadow account and role, a request message is sent to the SSO system.

在本实施例中，执行主体(如图1中所示的服务器105或终端设备101、102、103)可实时或定期检测用户对第一平台中，基于iframe嵌入的第二平台的访问请求，响应于检测到上述第一访问请求，进一步确定用户是否需要创建影子账号和角色，响应于确定需要，基于创建用户接口，即createuser接口，向SSO(SingleSignOn，单点登录)系统发送请求信息。In this embodiment, the execution entity (such as the server 105 or terminal devices 101, 102, 103 shown in Figure 1) can detect in real time or periodically the user's access request to the second platform embedded based on the iframe in the first platform, and in response to detecting the above-mentioned first access request, further determine whether the user needs to create a shadow account and role, and in response to determining the need, send a request information to the SSO (SingleSignOn) system based on the creation of a user interface, i.e., the createuser interface.

其中，请求信息可以包括用户账号和第一平台的标识，这里，第一平台的标识为第二平台预先下发给第一平台的固定的唯一标识，也即partnerid。The request information may include a user account and an identifier of the first platform. Here, the identifier of the first platform is a fixed unique identifier pre-issued by the second platform to the first platform, that is, partnerid.

这里，第二平台与第一平台为相互信任的平台。第一平台和第二平台可以是任意平台，具体地，第一平台与第二平台可以为不同的控制台。Here, the second platform and the first platform are mutually trusted platforms. The first platform and the second platform can be any platforms, and specifically, the first platform and the second platform can be different consoles.

其中，iframe是HTML元素，用于在网页中内嵌另一个网页。Among them, iframe is an HTML element used to embed another web page in a web page.

步骤202，响应于接收到SSO系统基于用户账号和第一平台的标识发送的影子账号和角色，基于用户账号、影子账号和角色进行用户账号和影子账号的映射授权。Step 202, in response to receiving the shadow account and role sent by the SSO system based on the user account and the identifier of the first platform, the mapping authorization of the user account and the shadow account is performed based on the user account, the shadow account and the role.

在本实施例中，执行主体响应于接收到SSO系统基于用户账号和唯一标识发送的影子账号和角色，将用户账号和影子账号进行授权绑定，并为角色增加对用户账号的信任关系，以通过用户账号控制影子账号以角色在第二平台执行访问请求。In this embodiment, in response to receiving the shadow account and role sent by the SSO system based on the user account and unique identifier, the execution entity authorizes and binds the user account and the shadow account, and adds a trust relationship to the user account for the role, so as to control the shadow account through the user account and execute access requests on the second platform with the role.

其中，影子账号为用户在第二平台的账号。用户用影子账号登录后所进行的用户设置及修改相当于用户账户所进行的设置和修改。The shadow account is the user's account on the second platform. The user settings and modifications made by the user after logging in with the shadow account are equivalent to the settings and modifications made by the user account.

这里，角色是一种虚拟账号，影子账号可通过调用方式扮演角色，获得角色的临时访问密钥，解决临时授权问题。Here, the role is a virtual account. The shadow account can play the role by calling it, obtain the temporary access key of the role, and solve the temporary authorization problem.

这里，SSO是在多个应用系统中，用户只需要登录一次就可以访问所有相互信任的应用系统。它包括可以将这次主要的登录映射到其他应用中用于同一个用户的登录的机制。Here, SSO means that in multiple application systems, users only need to log in once to access all mutually trusted application systems. It includes a mechanism that can map this primary login to the login of the same user in other applications.

步骤203，基于映射授权的用户账号和影子账号执行校验操作，并将校验结果发送至SSO系统。Step 203: Perform a verification operation based on the mapped authorized user account and shadow account, and send the verification result to the SSO system.

在本实施例中，执行主体在对用户账号和影子账号进行映射授权后，执行主体可执行校验操作，并将校验结果发送至SSO系统。In this embodiment, after the execution subject authorizes the mapping between the user account and the shadow account, the execution subject may perform a verification operation and send the verification result to the SSO system.

这里，校验操作具体可包括：执行主体基于映射授权的用户账号和影子账号向客户端发送授权码，客户端在接收到授权码后，可将授权码及第二平台信息发送至SSO系统。SSO系统在接收到授权码及第二平台信息后，可发送校验授权码的请求。执行主体响应于接收到SSO系统发送的校验授权码的请求，进行校验并刷新。Here, the verification operation may specifically include: the execution subject sends an authorization code to the client based on the mapped authorized user account and shadow account, and after receiving the authorization code, the client may send the authorization code and the second platform information to the SSO system. After receiving the authorization code and the second platform information, the SSO system may send a request to verify the authorization code. The execution subject performs verification and refreshes in response to receiving the request to verify the authorization code sent by the SSO system.

步骤204，响应于接收到SSO系统基于校验结果为校验成功下发的第一平台的登录态凭证，控制影子账号在第二平台执行第一访问请求。Step 204 , in response to receiving the login credentials of the first platform issued by the SSO system based on the verification result that the verification is successful, controlling the shadow account to execute the first access request on the second platform.

在本实施例中，SSO系统在接收到校验结果后，可对校验结果进行判断，若校验结果为校验成功则下发第一平台的登录态凭证，若校验结果为校验失败，则不下发第一平台的登录态凭证，并输出报错信息，如“身份验证失败”。In this embodiment, after receiving the verification result, the SSO system can judge the verification result. If the verification result is successful, the login credentials of the first platform will be issued. If the verification result is a failure, the login credentials of the first platform will not be issued, and an error message such as "identity authentication failed" will be output.

执行主体在接收到SSO系统基于校验结果为校验成功下发的第一平台的登录态凭证，可控制影子账号在第二平台执行第一访问请求。After receiving the login credentials of the first platform issued by the SSO system based on the successful verification result, the execution subject can control the shadow account to execute the first access request on the second platform.

在一些可选的方式中，控制影子账号在第二平台执行第一访问请求，包括：控制iframe调用指定SDK识别第一平台的登录态凭证，得到识别结果；基于识别结果，控制影子账号在第二平台执行第一访问请求。In some optional methods, controlling the shadow account to execute the first access request on the second platform includes: controlling the iframe to call a specified SDK to identify the login credentials of the first platform to obtain an identification result; based on the identification result, controlling the shadow account to execute the first access request on the second platform.

在本实现方式中，执行主体可控制iframe调用指定SDK识别第一平台的登录态凭证，得到识别结果，即将第二平台的登录态凭证转换为第一平台登录态凭证，进一步地，执行主体根据第一平台登录态凭证控制影子账号在第二平台执行访问请求。In this implementation method, the executing entity can control the iframe to call the specified SDK to identify the login credentials of the first platform, obtain the identification result, that is, convert the login credentials of the second platform into the login credentials of the first platform. Further, the executing entity controls the shadow account to execute the access request on the second platform according to the login credentials of the first platform.

该实现方式通过控制iframe调用指定SDK识别第一平台的登录态凭证，得到识别结果；基于识别结果，控制影子账号在第二平台执行第一访问请求，使得第一平台中的授权和操作需经转换才能对第二平台生效，实现了资源隔离，提升了对第二平台控制的有效性。This implementation method controls the iframe to call the specified SDK to identify the login credentials of the first platform to obtain the identification result; based on the identification result, the shadow account is controlled to execute the first access request on the second platform, so that the authorization and operations in the first platform need to be converted before they can take effect on the second platform, thereby realizing resource isolation and improving the effectiveness of control over the second platform.

在一些可选的方式中，在控制影子账号在第二平台执行第一访问请求的过程中，输出禁止指令。In some optional embodiments, a prohibition instruction is output during the process of controlling the shadow account to execute the first access request on the second platform.

在本实现方式中，执行在可在控制影子账号在第二平台执行第一访问请求的过程中的过程中，输出禁止指令，禁止指令用于指示禁止非iframe对第一平台的登录态凭证进行解析。In this implementation, during the process of controlling the shadow account to execute the first access request on the second platform, a prohibition instruction is output, and the prohibition instruction is used to indicate that the non-iframe is prohibited from parsing the login credentials of the first platform.

该实现方式通过在控制影子账号在第二平台执行第一访问请求的过程中，输出禁止指令，有效避免了影子账号在第二平台执行第一访问请求的过程中，第一平台信息的泄露，实现了资源的有效隔离。This implementation method outputs a prohibition instruction during the process of controlling the shadow account to execute the first access request on the second platform, thereby effectively avoiding the leakage of first platform information during the process of the shadow account executing the first access request on the second platform, and realizing effective isolation of resources.

继续参见图3，图3是根据本实施例的请求处理方法的应用场景的一个时序图。Continuing to refer to FIG. 3 , FIG. 3 is a timing diagram of an application scenario of the request processing method according to this embodiment.

在图3的应用场景中，第一平台为公有云控制台，第二平台为部分公有云产品线，第二平台基于iframe嵌入到第一平台中，执行主体301响应于检测到用户经由客户端302对第一平台中，基于iframe嵌入的第二平台的第一访问请求，即对iframe的访问请求，并且确定用户需要创建影子账号和角色，向SSO系统303发送请求信息，请求信息可以包括用户账号和第一平台的标识；响应于接收到SSO系统303基于用户账号和第一平台的标识发送的影子账号和角色，基于用户账号、影子账号和角色进行用户账号和影子账号的映射授权；基于映射授权的用户账号和影子账号执行校验操作，具体可以包括：基于映射授权的用户账号和影子账号向客户端发送授权码，客户端在接收到授权码后，可将授权码及第二平台的信息发送至SSO系统。SSO系统在接收到授权码及第二平台信息后，可发送校验授权码的请求。执行主体响应于接收到SSO系统发送的校验授权码的请求，进行校验并刷新，并将校验结果发送至SSO系统；响应于接收到SSO系统303基于校验结果为校验成功下发的第一平台的登录态凭证，控制影子账号在第二平台执行第一访问请求。In the application scenario of FIG3 , the first platform is a public cloud console, the second platform is part of the public cloud product line, and the second platform is embedded in the first platform based on an iframe. The execution subject 301 responds to detecting a first access request from a user to the second platform embedded in the first platform based on an iframe via a client 302, i.e., an access request to the iframe, and determines that the user needs to create a shadow account and role, and sends a request message to the SSO system 303, and the request message may include the user account and the identifier of the first platform; in response to receiving the shadow account and role sent by the SSO system 303 based on the user account and the identifier of the first platform, the mapping authorization of the user account and the shadow account is performed based on the user account, the shadow account and the role; the verification operation is performed based on the mapped authorized user account and the shadow account, which may specifically include: sending an authorization code to the client based on the mapped authorized user account and the shadow account, and after receiving the authorization code, the client may send the authorization code and the information of the second platform to the SSO system. After receiving the authorization code and the information of the second platform, the SSO system may send a request to verify the authorization code. The execution entity responds to receiving a request for verification of the authorization code sent by the SSO system, verifies and refreshes it, and sends the verification result to the SSO system; in response to receiving the login credentials of the first platform issued by the SSO system 303 based on the verification result that the verification is successful, controls the shadow account to execute the first access request on the second platform.

本公开的请求处理方法，通过响应于检测到用户对第一平台中，基于iframe嵌入的第二平台的第一访问请求，并且确定用户需要创建影子账号和角色，向SSO系统发送请求信息，请求信息可以包括用户账号和第一平台的标识；响应于接收到SSO系统基于用户账号和第一平台的标识发送的影子账号和角色，基于用户账号、影子账号和角色进行用户账号和影子账号的映射授权；基于映射授权的用户账号和影子账号执行校验操作，并将校验结果发送至SSO系统；响应于接收到SSO系统基于校验结果为校验成功下发的第一平台的登录态凭证，控制影子账号在第二平台执行第一访问请求，克服了现有技术中单独的控制台负荷较重、维护成本较高，功能更新较慢的问题，有效降低了单独的控制台的维护成本。The request processing method disclosed in the present invention, in response to detecting a user's first access request to a second platform embedded based on an iframe in a first platform, and determining that the user needs to create a shadow account and a role, sends a request message to the SSO system, and the request message may include the user account and the identifier of the first platform; in response to receiving the shadow account and role sent by the SSO system based on the identifier of the user account and the first platform, performs mapping authorization of the user account and the shadow account based on the user account, the shadow account and the role; performs a verification operation based on the mapped authorized user account and shadow account, and sends the verification result to the SSO system; in response to receiving the login credential of the first platform issued by the SSO system based on the verification result for successful verification, controls the shadow account to execute the first access request on the second platform, thereby overcoming the problems of heavy load, high maintenance cost and slow function update of a separate console in the prior art, and effectively reducing the maintenance cost of a separate console.

进一步参考图4，其示出了图2所示的请求处理方法的又一个实施例的流程400。在本实施例中，请求处理方法的流程400，可包括以下步骤：Further reference is made to Fig. 4, which shows a process 400 of another embodiment of the request processing method shown in Fig. 2. In this embodiment, the process 400 of the request processing method may include the following steps:

步骤401，响应于检测到用户对第一平台中，基于iframe嵌入的第二平台的第一访问请求，并且确定用户需要创建影子账号和角色，向SSO系统发送请求信息。Step 401, in response to detecting a first access request from a user to a second platform embedded in an iframe in a first platform, and determining that the user needs to create a shadow account and role, a request message is sent to the SSO system.

在本实施例中，步骤401的实现细节和技术效果，可以参考对步骤201的描述，在此不再赘述。In this embodiment, the implementation details and technical effects of step 401 can refer to the description of step 201 and will not be repeated here.

步骤402，响应于接收到SSO系统基于用户账号和第一平台的标识发送的影子账号和角色，基于用户账号、影子账号和角色进行用户账号和影子账号的映射授权。Step 402, in response to receiving the shadow account and role sent by the SSO system based on the user account and the identifier of the first platform, the mapping authorization of the user account and the shadow account is performed based on the user account, the shadow account and the role.

在本实施例中，步骤402的实现细节和技术效果，可以参考对步骤202的描述，在此不再赘述。In this embodiment, the implementation details and technical effects of step 402 can refer to the description of step 202 and will not be repeated here.

步骤403，基于映射授权的用户账号和影子账号执行校验操作，并将校验结果发送至SSO系统。Step 403: Perform a verification operation based on the mapped authorized user account and shadow account, and send the verification result to the SSO system.

在本实施例中，步骤403的实现细节和技术效果，可以参考对步骤203的描述，在此不再赘述。In this embodiment, the implementation details and technical effects of step 403 may refer to the description of step 203 and will not be repeated here.

步骤404，响应于接收到SSO系统基于校验结果为校验成功下发的第一平台的登录态凭证，控制影子账号在第二平台执行第一访问请求。Step 404 , in response to receiving the login credentials of the first platform issued by the SSO system based on the verification result that the verification is successful, controlling the shadow account to execute the first access request on the second platform.

步骤405，响应于检测到用户账号下的子账号以第一角色对第二平台的第二访问请求，控制影子账号以第二角色执行第二访问请求。Step 405 , in response to detecting a second access request from a sub-account under the user account to a second platform with a first role, controlling the shadow account to execute the second access request with a second role.

在本实施例中，执行主体可根据用户请求在用户账号下，即主账号下，调用IAM(IdentityandAccessManagement，统一身份认证)接口以创建多个子账号，子账号可以对应企业员工、系统、应用程序等，各子账号可在权限范围内管理主账号下的资源，由主账号统一控制和付费。In this embodiment, the executing entity can call the IAM (Identity and Access Management) interface to create multiple sub-accounts under the user account, that is, the main account, according to the user's request. The sub-accounts can correspond to corporate employees, systems, applications, etc. Each sub-account can manage the resources under the main account within the scope of authority, and the main account will be responsible for unified control and payment.

由于创建子账号仅表明主账号将相应权限分配给子账号，子账号未获取相应的操作权限，通常情况下，要为子账号授权相应角色，才能使得子账号有相应的操作权限。Since creating a sub-account only means that the main account assigns the corresponding permissions to the sub-account, the sub-account does not obtain the corresponding operation permissions. Usually, the sub-account needs to be authorized with the corresponding role in order to have the corresponding operation permissions.

这里，子账号可通过调用方式扮演角色，获得角色的临时访问密钥，解决临时授权问题。Here, the sub-account can play the role by calling, obtain the temporary access key of the role, and solve the temporary authorization problem.

执行主体可实时或定期检测用户账号下的子账号以第一角色对第二平台的第二访问请求，响应于检测到子账号对第二平台的第二访问请求，控制影子账号下以第二角色执行第二访问请求。The execution entity may detect in real time or periodically a second access request to the second platform from a sub-account under the user account in the first role, and in response to detecting the second access request to the second platform from the sub-account, control the shadow account to execute the second access request in the second role.

这里，第一角色和第二角色对应的权限范围相同。Here, the first role and the second role have the same authority scope.

具体地，主账号为A-admin，执行主体根据用户需求在主账号A-admin下创建子账号A-sub1，并调用IAM：createRole接口，创建用户角色a-role1。相应地，影子账号a-admin下创建角色a-role2，信任A-admin。Specifically, the main account is A-admin. The execution subject creates a sub-account A-sub1 under the main account A-admin according to user needs, and calls the IAM: createRole interface to create a user role a-role1. Correspondingly, a role a-role2 is created under the shadow account a-admin, and A-admin is trusted.

执行主体响应于检测到A-sub1以角色a-role1对第二平台的第二访问请求，控制影子账号a-admin以用户角色a-role2执行第二访问请求。In response to detecting a second access request from A-sub1 to the second platform with the role a-role1, the execution subject controls the shadow account a-admin to execute the second access request with the user role a-role2.

其中，a-role1与a-role2对应的操作权限相同。Among them, a-role1 and a-role2 have the same corresponding operation permissions.

在一些可选的方式中，该方法还包括：响应于检测到用户账号下的子账号授权预设策略，为影子账号下创建的用户角色同步绑定预设策略。In some optional embodiments, the method further includes: in response to detecting that a sub-account under the user account authorizes a preset policy, synchronously binding the preset policy to a user role created under the shadow account.

在本实现方式中，执行主体响应于检测到主账号下的子账号授权预设策略，可调用IAM接口为影子账号下创建角色，授信影子账号自己，同时给创建的用户角色也绑定预设策略。In this implementation, in response to detecting that a sub-account under the main account has authorized a preset policy, the execution entity can call the IAM interface to create a role under the shadow account, grant credit to the shadow account itself, and bind the preset policy to the created user role.

进一步地，执行主体可以响应于检测到用户账号下的子账号按照预测策略对第二平台的第三访问请求，控制影子账号以相应角色按照预设策略执行第三访问请求。Furthermore, in response to detecting that the sub-account under the user account makes a third access request to the second platform according to the predicted strategy, the execution entity may control the shadow account to execute the third access request with the corresponding role according to the preset strategy.

这里，策略为描述权限的语言，支持策略生成器、策略模板等方式引导书写策略语法支持，在特定条件下，允许或拒绝特定账号对特定资源的特定操作权限支持多种云服务的权限控制。Here, policy is a language for describing permissions. It supports policy generators, policy templates, and other methods to guide the writing of policy syntax. Under specific conditions, it allows or denies specific accounts specific operation permissions for specific resources and supports permission control for multiple cloud services.

具体地，A-admin给A-sub1授权策略Policy1时，执行主体需调IAM接口给影子账号a-admin下创建用户角色a-role2，授信影子账号自己，同时给a-role2也绑定Policy1。Specifically, when A-admin authorizes Policy1 to A-sub1, the execution subject needs to call the IAM interface to create a user role a-role2 under the shadow account a-admin, grant credit to the shadow account itself, and bind Policy1 to a-role2.

该实现方式通过响应于检测到用户账号下的子账号授权预设策略，为影子账号下创建的用户角色同步绑定预设策略，使得客户看到的是自己管理的子账号/角色，而实际在iframe内的是策略一致的用户角色，提升了用户体验，降低了维护成本。This implementation method responds to detecting the preset policy for sub-account authorization under the user account and synchronously binds the preset policy to the user role created under the shadow account, so that the customer sees the sub-account/role he manages, while the user role actually in the iframe is consistent with the policy, which improves the user experience and reduces maintenance costs.

从图4中可以看出，与图2对应的实施例相比，本实施例中的请求处理方法的流程400体现了响应于检测到用户账号下的子账号以第一角色对第二平台的第二访问请求，控制影子账号以第二角色执行第二访问请求，即实现了控制台子账号和角色的授权，子账号对嵌入控制台的控制，提升了子账号下控制台的可维护性。As can be seen from Figure 4, compared with the embodiment corresponding to Figure 2, the process 400 of the request processing method in this embodiment reflects that in response to detecting that the sub-account under the user account makes a second access request to the second platform with a first role, the shadow account is controlled to execute the second access request with a second role, that is, the authorization of the console sub-account and role is realized, and the sub-account controls the embedded console, thereby improving the maintainability of the console under the sub-account.

进一步参考图5，作为对上述各图所示方法的实现，本申请提供了一种请求处理装置的一个实施例，该装置实施例与图2所示的方法实施例相对应，该装置具体可以应用于各种电子设备中。Further referring to FIG. 5 , as an implementation of the methods shown in the above figures, the present application provides an embodiment of a request processing device, which corresponds to the method embodiment shown in FIG. 2 , and can be specifically applied to various electronic devices.

如图5所示，本实施例的请求处理装置500包括：发送模块501、接收模块502、校验模块503和执行模块504。As shown in FIG. 5 , the request processing device 500 of this embodiment includes: a sending module 501 , a receiving module 502 , a checking module 503 and an executing module 504 .

其中，发送模块501，可被配置成响应于检测到用户对第一平台中，基于iframe嵌入的第二平台的第一访问请求，并且确定用户需要创建影子账号和角色，向SSO系统发送请求信息。Among them, the sending module 501 can be configured to send request information to the SSO system in response to detecting a user's first access request to the second platform embedded based on the iframe in the first platform, and determining that the user needs to create a shadow account and role.

接收模块502，可被配置响应于接收到SSO系统基于用户账号和第一平台的标识发送的影子账号和角色，基于用户账号、影子账号和角色进行用户账号和影子账号的映射授权。The receiving module 502 may be configured to perform mapping authorization between the user account and the shadow account based on the user account, the shadow account and the role in response to receiving the shadow account and the role sent by the SSO system based on the user account and the identifier of the first platform.

校验模块503，可被配置成基于映射授权的用户账号和影子账号执行校验操作，并将校验结果发送至SSO系统。The verification module 503 may be configured to perform a verification operation based on the mapped authorized user account and the shadow account, and send the verification result to the SSO system.

执行模块504，可被配置成响应于接收到SSO系统基于校验结果为校验成功下发的第一平台的登录态凭证，控制影子账号在第二平台执行第一访问请求。The execution module 504 may be configured to control the shadow account to execute the first access request on the second platform in response to receiving the login credentials of the first platform issued by the SSO system based on the verification result that the verification is successful.

在本实施例的一些可选的方式中，该装置还包括控制模块，被配置成响应于检测到用户账号下的子账号以第一角色对第二平台的第二访问请求，控制影子账号以第二角色执行第二访问请求。In some optional embodiments of this embodiment, the device also includes a control module configured to control the shadow account to execute the second access request as a second role in response to detecting a second access request to the second platform by a sub-account under the user account as a first role.

在本实施例的一些可选的方式中，该装置还包括绑定模块，被配置成响应于检测到用户账号下的子账号授权预设策略，为影子账号下创建的用户角色同步绑定预设策略。In some optional aspects of this embodiment, the device further includes a binding module configured to synchronously bind a preset policy to a user role created under a shadow account in response to detecting that a sub-account under the user account has authorized a preset policy.

在本实施例的一些可选的方式中，执行模块进一步被配置成：控制iframe调用指定SDK识别第一平台的登录态凭证，得到识别结果；基于识别结果，控制影子账号在第二平台执行第一访问请求。In some optional modes of this embodiment, the execution module is further configured to: control the iframe to call the specified SDK to identify the login credentials of the first platform to obtain an identification result; based on the identification result, control the shadow account to execute the first access request on the second platform.

在本实施例的一些可选的方式中，该装置还包括输出模块，被配置成在控制影子账号在第二平台执行第一访问请求的过程中，输出禁止指令。In some optional aspects of this embodiment, the device further includes an output module configured to output a prohibition instruction during the process of controlling the shadow account to execute the first access request on the second platform.

根据本申请的实施例，本申请还提供了一种电子设备和一种可读存储介质。According to an embodiment of the present application, the present application also provides an electronic device and a readable storage medium.

如图6所示，是根据本申请实施例的请求处理方法的电子设备的框图。As shown in FIG6 , it is a block diagram of an electronic device according to the request processing method of an embodiment of the present application.

600是根据本申请实施例的请求处理方法的电子设备的框图。电子设备旨在表示各种形式的数字计算机，诸如，膝上型计算机、台式计算机、工作台、个人数字助理、服务器、刀片式服务器、大型计算机、和其它适合的计算机。电子设备还可以表示各种形式的移动装置，诸如，个人数字处理、蜂窝电话、智能电话、可穿戴设备和其它类似的计算装置。本文所示的部件、它们的连接和关系、以及它们的功能仅仅作为示例，并且不意在限制本文中描述的和/或者要求的本申请的实现。600 is a block diagram of an electronic device according to a request processing method of an embodiment of the present application. The electronic device is intended to represent various forms of digital computers, such as laptop computers, desktop computers, workbenches, personal digital assistants, servers, blade servers, mainframe computers, and other suitable computers. The electronic device can also represent various forms of mobile devices, such as personal digital processing, cellular phones, smart phones, wearable devices, and other similar computing devices. The components shown herein, their connections and relationships, and their functions are merely examples and are not intended to limit the implementation of the present application described and/or required herein.

如图6所示，该电子设备包括：一个或多个处理器601、存储器602，以及用于连接各部件的接口，包括高速接口和低速接口。各个部件利用不同的总线互相连接，并且可以被安装在公共主板上或者根据需要以其它方式安装。处理器可以对在电子设备内执行的指令进行处理，包括存储在存储器中或者存储器上以在外部输入/输出装置(诸如，耦合至接口的显示设备)上显示GUI的图形信息的指令。在其它实施方式中，若需要，可以将多个处理器和/或多条总线与多个存储器和多个存储器一起使用。同样，可以连接多个电子设备，各个设备提供部分必要的操作(例如，作为服务器阵列、一组刀片式服务器、或者多处理器系统)。图6中以一个处理器601为例。As shown in Figure 6, the electronic device includes: one or more processors 601, memory 602, and interfaces for connecting various components, including high-speed interfaces and low-speed interfaces. The various components are connected to each other using different buses, and can be installed on a common mainboard or installed in other ways as needed. The processor can process the instructions executed in the electronic device, including instructions stored in or on the memory to display the graphical information of the GUI on an external input/output device (such as a display device coupled to the interface). In other embodiments, if necessary, multiple processors and/or multiple buses can be used together with multiple memories and multiple memories. Similarly, multiple electronic devices can be connected, and each device provides some necessary operations (for example, as a server array, a group of blade servers, or a multi-processor system). In Figure 6, a processor 601 is taken as an example.

存储器602即为本申请所提供的非瞬时计算机可读存储介质。其中，所述存储器存储有可由至少一个处理器执行的指令，以使所述至少一个处理器执行本申请所提供的请求处理方法。本申请的非瞬时计算机可读存储介质存储计算机指令，该计算机指令用于使计算机执行本申请所提供的请求处理方法。The memory 602 is a non-transient computer-readable storage medium provided in the present application. The memory stores instructions executable by at least one processor to enable the at least one processor to perform the request processing method provided in the present application. The non-transient computer-readable storage medium of the present application stores computer instructions, which are used to enable a computer to perform the request processing method provided in the present application.

存储器602作为一种非瞬时计算机可读存储介质，可用于存储非瞬时软件程序、非瞬时计算机可执行程序以及模块，如本申请实施例中的请求处理方法对应的程序指令/模块(例如，附图5所示的发送模块501、接收模块502、校验模块503和执行模块504)。处理器601通过运行存储在存储器602中的非瞬时软件程序、指令以及模块，从而执行服务器的各种功能应用以及数据处理，即实现上述方法实施例中的请求处理方法。The memory 602, as a non-transient computer-readable storage medium, can be used to store non-transient software programs, non-transient computer executable programs and modules, such as program instructions/modules corresponding to the request processing method in the embodiment of the present application (for example, the sending module 501, the receiving module 502, the verification module 503 and the execution module 504 shown in FIG. 5). The processor 601 executes various functional applications and data processing of the server by running the non-transient software programs, instructions and modules stored in the memory 602, that is, implements the request processing method in the above method embodiment.

存储器602可以包括存储程序区和存储数据区，其中，存储程序区可存储操作系统、至少一个功能所需要的应用程序；存储数据区可存储请求处理的电子设备的使用所创建的数据等。此外，存储器602可以包括高速随机存取存储器，还可以包括非瞬时存储器，例如至少一个磁盘存储器件、闪存器件、或其他非瞬时固态存储器件。在一些实施例中，存储器602可选包括相对于处理器601远程设置的存储器，这些远程存储器可以通过网络连接至请求处理的电子设备。上述网络的实例包括但不限于互联网、企业内部网、局域网、移动通信网及其组合。The memory 602 may include a program storage area and a data storage area, wherein the program storage area may store an operating system, an application required for at least one function; the data storage area may store data created by the use of the electronic device requesting processing, etc. In addition, the memory 602 may include a high-speed random access memory, and may also include a non-transient memory, such as at least one disk storage device, a flash memory device, or other non-transient solid-state storage device. In some embodiments, the memory 602 may optionally include a memory remotely arranged relative to the processor 601, and these remote memories may be connected to the electronic device requesting processing via a network. Examples of the above-mentioned network include, but are not limited to, the Internet, an intranet, a local area network, a mobile communication network, and combinations thereof.

请求处理方法的电子设备还可以包括：输入装置603和输出装置604。处理器601、存储器602、输入装置603和输出装置604可以通过总线或者其他方式连接，图6中以通过总线连接为例。The electronic device of the request processing method may further include: an input device 603 and an output device 604. The processor 601, the memory 602, the input device 603 and the output device 604 may be connected via a bus or other means, and FIG6 takes the bus connection as an example.

输入装置603可接收输入的数字或字符信息，例如触摸屏、小键盘、鼠标、轨迹板、触摸板、指示杆、一个或者多个鼠标按钮、轨迹球、操纵杆等输入装置。输出装置604可以包括显示设备、辅助照明装置(例如，LED)和触觉反馈装置(例如，振动电机)等。该显示设备可以包括但不限于，液晶显示器(LCD)、发光二极管(LED)显示器和等离子体显示器。在一些实施方式中，显示设备可以是触摸屏。The input device 603 can receive input digital or character information, such as a touch screen, a keypad, a mouse, a track pad, a touch pad, an indicator bar, one or more mouse buttons, a track ball, a joystick, and other input devices. The output device 604 may include a display device, an auxiliary lighting device (e.g., an LED), and a tactile feedback device (e.g., a vibration motor). The display device may include, but is not limited to, a liquid crystal display (LCD), a light emitting diode (LED) display, and a plasma display. In some embodiments, the display device may be a touch screen.

此处描述的系统和技术的各种实施方式可以在数字电子电路系统、集成电路系统、专用ASIC(专用集成电路)、计算机硬件、固件、软件、和/或它们的组合中实现。这些各种实施方式可以包括：实施在一个或者多个计算机程序中，该一个或者多个计算机程序可在包括至少一个可编程处理器的可编程系统上执行和/或解释，该可编程处理器可以是专用或者通用可编程处理器，可以从存储系统、至少一个输入装置、和至少一个输出装置接收数据和指令，并且将数据和指令传输至该存储系统、该至少一个输入装置、和该至少一个输出装置。Various implementations of the systems and techniques described herein can be realized in digital electronic circuit systems, integrated circuit systems, dedicated ASICs (application specific integrated circuits), computer hardware, firmware, software, and/or combinations thereof. These various implementations may include: being implemented in one or more computer programs that can be executed and/or interpreted on a programmable system including at least one programmable processor, which can be a special purpose or general purpose programmable processor that can receive data and instructions from a storage system, at least one input device, and at least one output device, and transmit data and instructions to the storage system, the at least one input device, and the at least one output device.

这些计算程序(也称作程序、软件、软件应用、或者代码)包括可编程处理器的机器指令，并且可以利用高级过程和/或面向对象的编程语言、和/或汇编/机器语言来实施这些计算程序。如本文使用的，术语“机器可读介质”和“计算机可读介质”指的是用于将机器指令和/或数据提供给可编程处理器的任何计算机程序产品、设备、和/或装置(例如，磁盘、光盘、存储器、可编程逻辑装置(PLD))，包括，接收作为机器可读信号的机器指令的机器可读介质。术语“机器可读信号”指的是用于将机器指令和/或数据提供给可编程处理器的任何信号。These computer programs (also referred to as programs, software, software applications, or code) include machine instructions for programmable processors and can be implemented using high-level procedural and/or object-oriented programming languages, and/or assembly/machine languages. As used herein, the terms "machine-readable medium" and "computer-readable medium" refer to any computer program product, device, and/or means (e.g., disk, optical disk, memory, programmable logic device (PLD)) for providing machine instructions and/or data to a programmable processor, including a machine-readable medium that receives machine instructions as a machine-readable signal. The term "machine-readable signal" refers to any signal for providing machine instructions and/or data to a programmable processor.

为了提供与用户的交互，可以在计算机上实施此处描述的系统和技术，该计算机具有：用于向用户显示信息的显示装置(例如，CRT(阴极射线管)或者LCD(液晶显示器)监视器)；以及键盘和指向装置(例如，鼠标或者轨迹球)，用户可以通过该键盘和该指向装置来将输入提供给计算机。其它种类的装置还可以用于提供与用户的交互；例如，提供给用户的反馈可以是任何形式的传感反馈(例如，视觉反馈、听觉反馈、或者触觉反馈)；并且可以用任何形式(包括声输入、语音输入或者、触觉输入)来接收来自用户的输入。To provide interaction with a user, the systems and techniques described herein can be implemented on a computer having: a display device (e.g., a CRT (cathode ray tube) or LCD (liquid crystal display) monitor) for displaying information to the user; and a keyboard and pointing device (e.g., a mouse or trackball) through which the user can provide input to the computer. Other types of devices can also be used to provide interaction with the user; for example, the feedback provided to the user can be any form of sensory feedback (e.g., visual feedback, auditory feedback, or tactile feedback); and input from the user can be received in any form (including acoustic input, voice input, or tactile input).

可以将此处描述的系统和技术实施在包括后台部件的计算系统(例如，作为数据服务器)、或者包括中间件部件的计算系统(例如，应用服务器)、或者包括前端部件的计算系统(例如，具有图形用户界面或者网络浏览器的用户计算机，用户可以通过该图形用户界面或者该网络浏览器来与此处描述的系统和技术的实施方式交互)、或者包括这种后台部件、中间件部件、或者前端部件的任何组合的计算系统中。可以通过任何形式或者介质的数字数据通信(例如，通信网络)来将系统的部件相互连接。通信网络的示例包括：局域网(LAN)、广域网(WAN)和互联网。The systems and techniques described herein may be implemented in a computing system that includes back-end components (e.g., as a data server), or a computing system that includes middleware components (e.g., an application server), or a computing system that includes front-end components (e.g., a user computer with a graphical user interface or a web browser through which a user can interact with implementations of the systems and techniques described herein), or a computing system that includes any combination of such back-end components, middleware components, or front-end components. The components of the system may be interconnected by any form or medium of digital data communication (e.g., a communications network). Examples of communications networks include: a local area network (LAN), a wide area network (WAN), and the Internet.

计算机系统可以包括客户端和服务器。客户端和服务器一般远离彼此并且通常通过通信网络进行交互。通过在相应的计算机上运行并且彼此具有客户端-服务器关系的计算机程序来产生客户端和服务器的关系。A computer system may include clients and servers. Clients and servers are generally remote from each other and usually interact through a communication network. The relationship of client and server is generated by computer programs running on respective computers and having a client-server relationship to each other.

根据本申请实施例的技术方案，减轻了单独的控制台的负荷，提高了控制台的可维护性。According to the technical solution of the embodiment of the present application, the load of the separate console is reduced and the maintainability of the console is improved.

应该理解，可以使用上面所示的各种形式的流程，重新排序、增加或删除步骤。例如，本发申请中记载的各步骤可以并行地执行也可以顺序地执行也可以不同的次序执行，只要能够实现本申请公开的技术方案所期望的结果，本文在此不进行限制。It should be understood that the various forms of processes shown above can be used to reorder, add or delete steps. For example, the steps recorded in this application can be executed in parallel, sequentially or in different orders, as long as the expected results of the technical solution disclosed in this application can be achieved, and this document is not limited here.

上述具体实施方式，并不构成对本申请保护范围的限制。本领域技术人员应该明白的是，根据设计要求和其他因素，可以进行各种修改、组合、子组合和替代。任何在本申请的精神和原则之内所作的修改、等同替换和改进等，均应包含在本申请保护范围之内。The above specific implementations do not constitute a limitation on the protection scope of this application. It should be understood by those skilled in the art that various modifications, combinations, sub-combinations and substitutions can be made according to design requirements and other factors. Any modifications, equivalent substitutions and improvements made within the spirit and principles of this application should be included in the protection scope of this application.

Claims

1. A method of request processing, the method comprising:

responding to the detection of a first access request of a user to a second platform embedded on the basis of an iframe, determining that the user needs to create a shadow account number and a role, and sending request information to an SSO system, wherein the request information comprises the user account number and an identification of the first platform;

In response to receiving a shadow account number and a role sent by the SSO system based on the user account number and the identification of the first platform, mapping authorization of the user account number and the shadow account number is carried out based on the user account number, the shadow account number and the role;

performing verification operation based on the user account and the shadow account authorized by mapping, and sending a verification result to the SSO system;

and controlling the shadow account to execute the first access request on the second platform in response to receiving the login state credential of the first platform which is successfully issued by the SSO system based on the verification result.

2. The method of claim 1, the method further comprising:

And responding to the detection of a second access request of the sub account under the user account to the second platform by the first role, and controlling the shadow account to execute the second access request by the second role, wherein the authority ranges of the first role and the second role are the same.

3. The method of claim 2, the method further comprising:

and in response to detecting that the sub-account under the user account authorizes the preset strategy, synchronously binding the preset strategy for the user roles created under the shadow account.

4. The method of claim 1, wherein the control shadow account performs a first access request at a second platform, comprising:

controlling the iframe to call a designated SDK to identify a login state credential of the first platform, and obtaining an identification result;

And controlling the shadow account to execute the first access request on the second platform based on the identification result.

5. The method of claim 4, the method further comprising:

and outputting a prohibition instruction in the process of controlling the shadow account to execute the first access request on the second platform, wherein the prohibition instruction is used for prohibiting the non-iframe from analyzing the login state certificate of the first platform.

6. A request processing apparatus, the apparatus comprising:

the sending module is configured to respond to detection of a first access request of a user to a second platform embedded on the basis of an iframe in the first platform, determine that the user needs to create a shadow account and a role, and send request information to an SSO system, wherein the request information comprises the user account and an identification of the first platform;

The receiving module is configured to respond to receiving a shadow account number and a role sent by the SSO system based on the user account number and the identification of the first platform, and perform mapping authorization of the user account number and the shadow account number based on the user account number, the shadow account number and the role;

The verification module is configured to execute verification operation based on the user account and the shadow account authorized by mapping, and send a verification result to the SSO system;

And the execution module is configured to control the shadow account number to execute the first access request on the second platform in response to receiving the login state credential of the first platform which is successfully issued by the SSO system based on the verification result.

7. The apparatus of claim 6, the apparatus further comprising:

and the control module is configured to respond to the detection of a second access request of the sub account under the user account to the second platform in the first role, and control the shadow account to execute the second access request in the second role, wherein the authority ranges corresponding to the first role and the second role are the same.

8. The apparatus of claim 7, the apparatus further comprising:

and the binding module is configured to synchronously bind the preset strategy for the user roles created under the shadow account in response to detecting that the sub-account under the user account authorizes the preset strategy.

9. The apparatus of claim 6, wherein the execution module is further configured to:

10. The apparatus of claim 9, the apparatus further comprising:

And the output module is configured to output a prohibition instruction in the process of controlling the shadow account to execute the first access request on the second platform, wherein the prohibition instruction is used for prohibiting the non-iframe from analyzing the login state credential of the first platform.

11. An electronic device, comprising:

at least one processor; and

A memory communicatively coupled to the at least one processor; wherein,

The memory stores instructions executable by the at least one processor to enable the at least one processor to perform the method of any one of claims 1-5.

12. A non-transitory computer readable storage medium storing computer instructions for causing the computer to perform the method of any one of claims 1-5.