
CN115001714A - Resource access method and device, electronic equipment and storage medium - Google Patents


Info

Publication number
CN115001714A
Authority
CN
China
Prior art keywords
user
signature algorithm
token
user information
resource access
Prior art date
Legal status
Granted
Application number
CN202210839421.8A
Other languages
Chinese (zh)
Other versions
CN115001714B (en)
Inventor
梁亚舒
Current Assignee
China Telecom Corp Ltd
Original Assignee
China Telecom Corp Ltd
Priority date
Filing date
Publication date
Application filed by China Telecom Corp Ltd
Priority to CN202210839421.8A
Publication of CN115001714A
Application granted
Publication of CN115001714B
Legal status: Active
Anticipated expiration

Classifications

    • H04L9/3213 (H04L9/00 > H04L9/32 > H04L9/321) Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials, involving a third party or a trusted authority, using tickets or tokens, e.g. Kerberos
    • H04L63/0428 (H04L63/00 > H04L63/04) Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks, wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L9/3247 (H04L9/00 > H04L9/32) Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, involving digital signatures

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Storage Device Security (AREA)

Abstract

The application discloses a resource access method and device, an electronic device and a storage medium. The method comprises: receiving a resource access request sent by a client, where the request carries user information and a user token and the user token contains a signature algorithm to be verified; determining, from a preset mapping between user information and signature algorithms, the target signature algorithm matching the user information; verifying the signature algorithm to be verified against the target signature algorithm to obtain a first verification result; and deciding from the first verification result whether to respond to the request. Because the signature algorithm of the user token is verified first, as soon as the request is received, an attacker who maliciously modifies or deletes the algorithm declared in the token in order to forge a token that bypasses signature verification cannot use it to obtain resources, and the token is protected in transit.

Description

Resource access method and device, electronic device, storage medium

Technical field

The present application relates to the technical field of network security and identity authentication, and in particular to a resource access method and device, an electronic device and a storage medium.

Background

JWT (JSON Web Token) is an open, JSON-based standard for passing claims between parties in a web application environment. It is generally used to carry an authenticated user's identity from an identity provider to a service provider so that resources can be obtained from a resource server; additional claims required by other business logic can also be included. The token can be used directly for authentication and can also be encrypted.

A JWT consists of a header, a payload and a signature. The signature mechanism guarantees the integrity of the token contents, but it also creates a serious problem. The header and payload of a JWT are only base64url-encoded, not encrypted, so anyone who holds the token can read and edit them. If a token is captured in transit, an attacker who modifies or deletes the signature algorithm declared in the header can, against a verifier that trusts that declaration, forge a token that bypasses signature verification and gain access to resources, which poses a great security risk to the information system.

SUMMARY OF THE INVENTION

To solve the above technical problem, embodiments of the present application provide a resource access method and device, an electronic device, a computer-readable storage medium and a computer program product.

According to one aspect of the embodiments of the present application, a resource access method is provided, comprising: receiving a resource access request sent by a client, wherein the resource access request carries user information and a user token, and the user token contains a signature algorithm to be verified; determining, according to a preset mapping between user information and signature algorithms, a target signature algorithm matching the user information; verifying the signature algorithm to be verified against the target signature algorithm to obtain a first verification result; and determining, according to the first verification result, whether to respond to the resource access request.

According to one aspect of the embodiments of the present application, a resource access device comprises: an acquisition unit for receiving a resource access request sent by a client, wherein the request carries real-time user information and a user token, and the user token contains a signature algorithm to be verified; a determination unit for determining, according to the preset mapping between user information and signature algorithms, a target signature algorithm matching the real-time user information; a verification unit for verifying the signature algorithm to be verified on the basis of the target signature algorithm to obtain a verification result; and an execution unit for determining, on the basis of the verification result, whether to respond to the resource access request.

In another exemplary embodiment, before receiving the resource access request sent by the client, the method further comprises: receiving a token acquisition request sent by the client, the token acquisition request carrying user information; selecting the signature algorithm corresponding to the user information and storing the user information in association with that signature algorithm, thereby generating the preset mapping between signature algorithms and user information; and generating the user token from the user information and the signature algorithm corresponding to it.

In another exemplary embodiment, the user information comprises a user identifier and a login timestamp, and generating the user token from the user information and the corresponding signature algorithm comprises: generating a user key from the user identifier, the login timestamp and a pre-stored base key, the base key being a single pre-set key; and generating the user token from the user key and the signature algorithm.

In another exemplary embodiment, generating the user token from the user information and the corresponding signature algorithm comprises: obtaining payload data and storing the user information in association with the payload data, thereby generating a preset mapping between payload data and user information, the payload data being data related to the user and to the user token to be generated; and generating the user token from the payload data, the user key and the signature algorithm.

In another exemplary embodiment, the user token further contains payload data to be verified, and determining whether to respond to the resource access request according to the first verification result comprises: if the first verification result indicates that verification passed, determining, according to the preset mapping between payload data and user information, the target payload data matching the user information; verifying the payload data to be verified against the target payload data to obtain a second verification result; and if the second verification result indicates that verification passed, responding to the resource access request so as to allow the client to access the resource.

In another exemplary embodiment, the method further comprises: receiving an invalidation request for the user token sent by the client; obtaining the user key and the base key corresponding to the user token, the base key being pre-set and the user key being derived from the base key; and changing the user key to the base key so that the user token becomes invalid.

In another exemplary embodiment, changing the user key to the base key comprises: if the invalidation request is detected to carry an immediate-invalidation instruction, changing the user key to the base key in accordance with that instruction, the immediate-invalidation instruction indicating that the user token is to be invalidated at once.

According to one aspect of the embodiments of the present application, an electronic device comprises one or more processors and a storage device storing one or more programs which, when executed by the one or more processors, cause the electronic device to implement the resource access method described above.

According to one aspect of the embodiments of the present application, a computer-readable storage medium stores computer-readable instructions which, when executed by a processor of a computer, cause the computer to perform the resource access method described above.

According to one aspect of the embodiments of the present application, a computer program product or computer program is provided, comprising computer instructions stored in a computer-readable storage medium. The processor of a computer device reads the computer instructions from the storage medium and executes them, causing the computer device to perform the resource access method provided in the various optional embodiments above.

In the technical solution provided by the embodiments of the present application, before a received resource access request is answered, the user token it carries is checked for legitimacy: the preset mapping between user information and signature algorithms is first used to determine the target signature algorithm matching the user information carried in the request, the signature algorithm to be verified in the user token is then verified against that target, and the verification result decides whether the request is answered. Because this mapping exists, the signature algorithm of the user token carried by a resource access request is verified as soon as the request is received. This prevents the related-art attack in which the signature algorithm in the user token is maliciously modified or deleted to forge a token that bypasses signature verification and illegally obtain access to resources, and so protects the user token in transit.

It should be understood that the above general description and the following detailed description are exemplary and explanatory only and do not limit the present application.

Description of drawings

The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with the application and, together with the description, serve to explain its principles. Obviously, the drawings described below are only some embodiments of the present application, and those of ordinary skill in the art can derive other drawings from them without creative effort. In the drawings:

FIG. 1 is a schematic diagram of an implementation environment involved in the present application;

FIG. 2 is a flowchart of a resource access method according to an exemplary embodiment of the present application;

FIG. 3 is a flowchart, in an exemplary embodiment, of the step of generating the user token that precedes step S201 of the embodiment shown in FIG. 2;

FIG. 4 is a flowchart of step S204 of the embodiment shown in FIG. 2 in an exemplary embodiment;

FIG. 5 is a flowchart of a resource access method according to an exemplary embodiment of the present application;

FIG. 6 is a flowchart of a resource access method according to an exemplary embodiment of the present application;

FIG. 7 is a flowchart, in an exemplary embodiment, of the steps that precede step S400 of the embodiment shown in FIG. 5, namely authenticating the invalidation request and verifying the user token it carries;

FIG. 8 is a flowchart of a resource access method according to an exemplary embodiment of the present application;

FIG. 9 is a block diagram of a resource access device according to an exemplary embodiment of the present application;

FIG. 10 is a schematic structural diagram of a computer system suitable for implementing the electronic device of the embodiments of the present application.

Detailed description

Exemplary embodiments are described in detail here, with examples shown in the accompanying drawings. Where the following description refers to the drawings, the same numerals in different drawings denote the same or similar elements unless otherwise indicated. The implementations described in the exemplary embodiments below do not represent all implementations consistent with the present application; they are merely examples of devices and methods consistent with some aspects of the application as recited in the appended claims.

The block diagrams shown in the drawings are merely functional entities and need not correspond to physically separate entities. These functional entities may be implemented in software, in one or more hardware modules or integrated circuits, or across different networks and/or processor devices and/or microcontroller devices.

The flowcharts shown in the drawings are only illustrative: they need not include every element and operation/step, nor need the steps be executed in the order described. Some operations/steps may be split, and others merged or partially merged, so the actual order of execution may change according to circumstances.

"A plurality" in this application means two or more. "And/or" describes an association between objects and covers three cases: for example, "A and/or B" may mean A alone, A and B together, or B alone. The character "/" generally denotes an "or" relationship between the items it joins.

In the related art, JWT (JSON Web Token, standardised in RFC 7519) is an open industry standard that defines a compact, self-contained format for passing JSON objects between two communicating parties; because the information is digitally signed, it can be verified and trusted. A JWT consists of three parts, Header, Payload and Signature, separated by dots (".").

The header contains the token type (JWT) and the signature algorithm used (for example HS256, i.e. HMAC with SHA-256, or RS256, i.e. RSA signatures with SHA-256). The payload is also a JSON object and is where the useful information lives; it may carry the registered claims defined for JWT, such as iss (issuer), exp (expiration time) and sub (subject), as well as custom fields. The signature part exists to prevent the JWT contents from being tampered with: the header and payload are each base64url-encoded to form the first and second parts of the token, joined with a dot, and the resulting string is signed with the algorithm selected and declared in the header to produce the third part. None of the three parts is encrypted; only the third part is cryptographically protected. The signature (or MAC) both guarantees data integrity and authenticates the data source. JWTs are therefore easy to parse, being JSON, and easy to extend, since rich custom content can be placed in the token.

However, because the header and payload of a JWT are readable, if the token is captured in transit, modifying or deleting the signature algorithm in the header allows an attacker to forge a token that bypasses signature verification and then to obtain access illegitimately when the forged token accompanies a resource access request. This succeeds when the verifier takes the algorithm from the token's own header (accepting "none", for example) and, on verifying the token, only checks the claims carried in the payload, which poses a great security risk to the information system.

To solve the above problems, embodiments of the present application propose a resource access method and device, an electronic device and a computer-readable storage medium, which are described in detail below.

Referring first to FIG. 1, a schematic diagram of an implementation environment involved in the present application: the environment comprises a terminal 10 and a server 20, which communicate over a wired or wireless network.

After receiving a resource access request, the server 20 verifies the user token carried in the request in order to establish the token's legitimacy. It first uses the preset mapping between user information and signature algorithms to determine the target signature algorithm matching the user information carried in the request, then verifies the signature algorithm to be verified in the user token against that target, decides from the verification result whether to respond to the request, and transmits that decision to the terminal 10, so that the terminal 10 accesses resources on the server 20 when it receives a positive response. Compared with existing resource access schemes, the resource access method provided by this implementation environment protects the user token while it is in transit.

It should be noted that the terminal 10 in the implementation environment of FIG. 1 may be any electronic device such as a smartphone, tablet, notebook or desktop computer, and that the server 20 may be a stand-alone server or a cloud server providing basic cloud computing services such as cloud services, cloud databases, cloud computing, cloud functions, cloud storage, network services, cloud communications, middleware services, domain name services, security services, content delivery networks (CDN), and big data and artificial intelligence platforms; no limitation is placed here.

FIG. 2 is a flowchart of a resource access method according to an exemplary embodiment of the present application. The method can be applied to the implementation environment of FIG. 1 and is executed by the server side where the server 20 of FIG. 1 is located. In other implementation environments the method may be executed by other devices, which this embodiment does not restrict.

As shown in FIG. 2, in an exemplary embodiment the resource access method may comprise steps S201 to S204, described in detail as follows:

Step S201: receive a resource access request sent by a client, wherein the resource access request carries user information and a user token, and the user token contains a signature algorithm to be verified.

The server receives the resource access request sent by the client; the request is the client's request to the server for the right to access a resource. The request carries the user information and user token associated with it. The user information may include basic user data such as the user name, user account and login password. The user token is the token corresponding to the client's user information that the client obtained from the server before sending the request; the server verifies the legitimacy of the client's access through this token, so the user token carried in the request contains the signature algorithm to be verified.

步骤S202,根据预设用户信息与签名算法映射关系,确定与用户信息相匹配的目标签名算法。Step S202: Determine a target signature algorithm matching the user information according to the preset mapping relationship between the user information and the signature algorithm.

服务端存储有预设用户信息与签名算法映射关系,可以事先在服务端生成与客户端对应令牌的时候获取该预设用户信息与签名算法映射关系并存储,也就是已经获取有用户令牌的客户端,都对应有唯一正确的签名算法体现在预设用户信息与签名算法映射关系中。这样,在接收到客户端发送的资源访问请求并获取其携带的用户信息后,能够通过资源访问请求中携带的用户信息确定出与用户信息相匹配的目标签名算法,用于对待验证签名算法的验证。The server stores the mapping relationship between the preset user information and the signature algorithm, and can obtain and store the mapping relationship between the preset user information and the signature algorithm when the server generates the token corresponding to the client in advance, that is, the user token has been obtained. Each client has a unique and correct signature algorithm, which is reflected in the preset user information and signature algorithm mapping relationship. In this way, after receiving the resource access request sent by the client and obtaining the user information carried by the resource access request, the target signature algorithm that matches the user information can be determined through the user information carried in the resource access request, which is used for the signature algorithm to be verified. verify.

步骤S203,根据目标签名算法对待验证签名算法进行验证,得到第一验证结果。Step S203, verifying the signature algorithm to be verified according to the target signature algorithm to obtain a first verification result.

在根据预设用户信息与签名算法映射关系确定出与用户信息相匹配的目标签名算法后,同时从资源访问请求携带的用户令牌中获取待验证签名算法。通过判定待验证签名算法是否与目标签名算法一致来对待验证签名算法进行验证,得到第一验证结果,若判定一致,则第一验证结果表征为验证通过,反之若判定不一致,则第一验证结果表征为验证不通过。After the target signature algorithm matching the user information is determined according to the preset user information and signature algorithm mapping relationship, the signature algorithm to be verified is obtained from the user token carried in the resource access request at the same time. The signature algorithm to be verified is verified by judging whether the signature algorithm to be verified is consistent with the target signature algorithm, and the first verification result is obtained. Indicates that the verification fails.

步骤S204,根据第一验证结果确定是否响应资源访问请求。Step S204, determining whether to respond to the resource access request according to the first verification result.

服务端通过第一验证结果表征的内容,确定是否响应资源访问请求,若表征为验证通过,服务端则响应资源访问请求,允许客户端进行资源访问,若表征为验证不通过,服务端则返回异常信息至客户端并拒绝响应该资源访问请求。The server determines whether to respond to the resource access request based on the content represented by the first verification result. If the verification is passed, the server responds to the resource access request and allows the client to access resources. If the verification fails, the server returns Exception message to the client and refuse to respond to the resource access request.

由上可知,在本实施例提供的方法中,通过对资源访问请求携带的用户令牌进行验证,以此验证资源访问请求的令牌合法性,首先会通过事先服务端存储的预设用户信息与签名算法映射关系,确定出与资源访问请求携带的用户信息相匹配的目标签名算法,进而根据目标签名算法对用户令牌中的待验证签名算法进行一致性的验证,根据得到的第一验证结果确定服务端是否响应资源访问请求。这样,在接收到资源访问请求后,首先通过预设用户信息与签名算法映射关系对资源访问请求携带的用户令牌的签名算法进行验证,避免了通过恶意修改或删除用户令牌中的签名算法,以伪造能绕过签名验证的令牌从而违法获取访问资源的权利的情况,保证了用户令牌传输过程中的安全性,规避了信息泄露等安全风险问题。As can be seen from the above, in the method provided in this embodiment, the validity of the token of the resource access request is verified by verifying the user token carried in the resource access request. First, the preset user information stored in the server is used. The mapping relationship with the signature algorithm determines the target signature algorithm that matches the user information carried in the resource access request, and then verifies the consistency of the signature algorithm to be verified in the user token according to the target signature algorithm. The result determines whether the server responds to the resource access request. In this way, after the resource access request is received, the signature algorithm of the user token carried in the resource access request is first verified by using the preset mapping relationship between the user information and the signature algorithm, so as to avoid malicious modification or deletion of the signature algorithm in the user token. , in order to forge a token that can bypass the signature verification and illegally obtain the right to access resources, which ensures the security of the user's token transmission process and avoids security risks such as information leakage.
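The check of steps S202 and S203, as an added example that is not the patent's own code: the algorithm named in the token header is compared with the one registered for the user before any signature is examined. It uses only Python's standard library; the ALG_BY_USER table, the function names and the sample claims are constructed for the example. The attack tokens are built without a valid signature, exactly as an attacker who has rewritten or removed the header algorithm would have to submit them.

```python
import base64
import json

# Preset user information -> signature algorithm mapping, recorded at issuance
# (step S302). Constructed sample data for this example.
ALG_BY_USER = {"alice": "HS256", "bob": "RS256"}


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def header_alg(token: str):
    """Return the alg string from the token header, or None if the header is unusable."""
    parts = token.split(".")
    if len(parts) != 3:                      # a JWT is header.payload.signature
        return None
    try:
        header = json.loads(b64url_decode(parts[0]))
    except (ValueError, UnicodeDecodeError):  # bad base64, bad UTF-8 or bad JSON
        return None
    if not isinstance(header, dict):
        return None
    alg = header.get("alg")
    return alg if isinstance(alg, str) else None


def check_signature_algorithm(user_id: str, token: str) -> tuple:
    """Steps S202/S203: look up the target algorithm, compare, return the first verification result."""
    target = ALG_BY_USER.get(user_id)
    if target is None:
        return False, "no algorithm registered for user"
    candidate = header_alg(token)
    if candidate is None:
        return False, "header missing or unparsable"
    if candidate != target:
        return False, f"algorithm {candidate} does not match registered {target}"
    return True, "ok"


def unsigned_token(header: dict, claims: dict) -> str:
    """header.payload. with an empty signature segment: what an attacker who has
    rewritten the header can produce without the signing key."""
    return f"{b64url(json.dumps(header).encode())}.{b64url(json.dumps(claims).encode())}."


def demo() -> dict:
    claims = {"sub": "alice", "role": "admin"}        # constructed claims
    not_json = b64url(b"not json at all")
    return {
        "alg_none": check_signature_algorithm("alice", unsigned_token({"alg": "none"}, claims)),
        "alg_swapped": check_signature_algorithm("bob", unsigned_token({"alg": "HS256"}, claims)),
        "alg_absent": check_signature_algorithm("alice", unsigned_token({"typ": "JWT"}, claims)),
        "not_json": check_signature_algorithm("alice", f"{not_json}.e30."),
        "two_segments": check_signature_algorithm("alice", "eyJhbGciOiJub25lIn0.e30"),
        # "passed" here is only the first verification result; the signature is checked next
        "alg_matches": check_signature_algorithm("alice", unsigned_token({"alg": "HS256"}, claims)),
    }
```

The registered algorithm, not the header's, is also what the subsequent signature check should be driven by; comparing first, as the text does, gives an explicit first verification result and rejects "none", an algorithm swap (for instance RS256 rewritten to HS256, which would otherwise invite verifying an HMAC against a public key), a header without an alg field, and a token that does not even have three segments.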

Refer to FIG. 3, a flowchart of an exemplary embodiment in which, before step S201 of the embodiment in FIG. 2, the resource access method further includes generating the user token on the server. As shown in FIG. 3, generating the user token may include steps S301 to S305, through which a user token is generated from a token acquisition request, described in detail as follows:

Step S301: Receive a token acquisition request sent by the client.

The client obtains a user token by sending a token acquisition request to the server. Since the server must generate from this request a user token bound to the requesting client, the request carries user information, which is used both to generate the token and to identify the client, so that the generated token corresponds to it.

Step S302: Select the signature algorithm corresponding to the user information, store the user information in association with that signature algorithm, and thereby generate the preset mapping between signature algorithms and user information.

The server selects a signature algorithm corresponding to the user information. The selected algorithm may be, but is not limited to, a symmetric (HMAC) algorithm such as HS256 or an asymmetric algorithm such as RS256. The selected algorithm is associated with the user information carried in the token acquisition request and the association is stored, forming the preset mapping between signature algorithms and user information. When the user token in a later resource access request is to be verified, the target signature algorithm is determined from this stored mapping.

The algorithm may be selected according to the user's requirements, according to a preset assignment of different algorithms to different user types, or according to the relevant JWT specifications; the selection method is not limited here.

Further, the user information carried in the token acquisition request includes a user identifier and a login timestamp. Step S303: Generate a user key from the user identifier, the login timestamp and a pre-stored base key.

The user identifier and login timestamp are taken from the user information, and the user key is derived in the form base key + user identifier + login timestamp and stored. The user key is the key with which the data is signed when the user token is generated. The base key is a preset key; it may, for example, be a key randomly generated by the server during its initialization phase and kept as the base key.

Step S304: Acquire the payload data, store the user information in association with the payload data, and thereby generate the preset mapping between payload data and user information.

The payload data to be placed in the payload part of the token is acquired. Payload data means data about the user and the token to be generated; it may include, but is not limited to, the subject, the token issuer, the intended recipient (audience), the issuance time, the expiration time, the not-before time, the token identifier, and custom user information such as the user name. The acquired payload data is associated with the user information carried in the token acquisition request and the association is stored, forming the preset mapping between payload data and user information.

Step S305: Generate the user token from the payload data, the user key and the signature algorithm.

After the payload data, user key and signature algorithm have been acquired or generated in the preceding steps, the selected signature algorithm is recorded in the header part, the acquired payload data is placed in the payload part, and the header and payload are signed together using the signature algorithm and the user key (the original text describes this as encryption; for HS256 it is an HMAC, for RS256 an RSA signature). The result is written into the signature part. Finally the header, payload and signature parts are each Base64url-encoded and joined with "." into a single string, which forms the complete JWT, that is, the user token corresponding to the client's token acquisition request.

It should be noted that the step of generating and storing the preset mapping between signature algorithms and user information may be carried out after the signature algorithm is selected, while the user token is generated, or after it has been generated. It is described under step S302 in this embodiment only for ease of understanding; this does not limit the step to being performed immediately after the algorithm is selected. Likewise, the preset mapping between payload data and user information may be generated and stored after the payload data is acquired, while the user token is generated, or afterwards.

In another embodiment of the application, before the server selects the signature algorithm according to the user information in the token acquisition request in step S302, the method further includes authenticating the client user. Specifically: the account data included in the user information, for example the account and login password, is obtained and the user is authenticated on that basis. If authentication passes, step S302 (selecting the signature algorithm) is executed and the token generation steps proceed; if it fails, an error message is returned to the client and the token acquisition request is refused.

In the above embodiments, a user token matching the client is generated from the token acquisition request, and at the same time the preset mapping between signature algorithms and user information is generated for use when a resource access request is later received. The signature algorithm of the user token can thereby be verified, protecting the token in transit and avoiding risks such as information leakage.

Refer to FIG. 4, a flowchart of step S204 of the embodiment in FIG. 2 in an exemplary embodiment. As shown in FIG. 4, step S204 may include steps S401 to S403, which further verify the payload data to be verified contained in the user token, described in detail as follows:

Step S401: If the first verification result is "passed", determine, from the preset mapping between payload data and user information, the target payload data that matches the user information.

A first verification result of "passed" means that the signature algorithm in the user token is consistent with the determined target algorithm; the payload data of the token is verified next. Before this verification, the target payload data matching the user information must be obtained. In this embodiment it is determined from the pre-stored mapping between payload data and user information: the payload data matching the user information carried in the resource access request is taken as the target payload data.

Step S402: Verify the payload data to be verified against the target payload data, obtaining a second verification result.

The server also reads the payload data to be verified from the user token. Once the target payload data has been obtained, the payload data to be verified is checked for consistency with it: if they are identical, the second verification result is "passed"; otherwise it is "failed".

The second verification result may also be obtained as follows: take the signature algorithm that passed the algorithm check (the algorithm to be verified, which at this point equals the target algorithm) and the user key corresponding to it; extract the header part and the payload part from the user token; sign the header and payload with the obtained user key and signature algorithm to recompute the signature part; and compare the recomputed signature part with the signature part of the user token carried in the request. If they are identical, the payload part of the token, and implicitly the user key, has not been tampered with, which protects the token in transit. The comparison of the two signature values should be constant-time so that the check itself does not leak information about the expected signature.

Step S403: If the second verification result is "passed", respond to the resource access request and allow the client to access the resource.

A second verification result of "passed" means that the user token carried in the resource access request has passed the payload verification after passing the signature algorithm verification; the server then responds to the request and allows the client to access the resource. If the second verification result is "failed", the server returns an error message to the client and refuses to respond to the request.

In summary, the method of this embodiment verifies the user's payload data once the signature algorithm has been verified, further protecting the token in transit and preventing the attack, made possible by the structure of the token itself, in which the signature algorithm in the header is modified or deleted to forge a token that bypasses signature verification.

Furthermore, once a user token generated on the server has been sent to the client, the token is independent of the server: even if the server revokes an issued token, a revoked but not yet expired token may still be used maliciously, which is a considerable security risk for the information system. Most existing approaches obtain a fresh random key each time a token must be invalidated, which requires storing a large number of random keys and consumes considerable computing resources.

Further, for the user token provided in the above embodiments, refer to FIG. 5, a flowchart of a resource access method according to an exemplary embodiment of the application, which includes steps S501 to S503 for handling an invalidation request for such a user token, described in detail as follows:

Step S501: Receive an invalidation request for the user token sent by the client.

When the user asks, through the client, to go offline or to log out, the client sends an invalidation request for the user token to the server. The server then invalidates the user token carried in the request, which corresponds to the client's user, completing the offline or logout operation.

Step S502: Obtain the user key and the base key corresponding to the user token.

The base key is preset, and the user key is determined from the base key. Specifically, when the user token was generated, the user key was derived in the form base key + user identifier + login timestamp, the user identifier and login timestamp being taken from the user information. The base key is a preset key; it may be a key randomly generated by the server during its initialization phase and kept as the base key.

Step S503: Replace the user key with the base key, so that the user token becomes invalid.

After the user key and base key corresponding to the user token have been obtained, the stored user key is replaced with the base key: the composition of the user key changes from base key + user identifier + login timestamp to the base key alone. A token signed with the derived key therefore no longer verifies against the key now stored for the user.

Thus, in this embodiment, an invalidation instruction for a user token is handled by changing the user key corresponding to the token to the base key. The previous user token becomes invalid and can no longer be used for requests. Replacing the user key with the preset base key avoids the computing cost of generating random keys for invalidation, and prevents a revoked user token from being used maliciously, further protecting the token in transit and avoiding risks such as information leakage.
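The issuance steps S301 to S305, the signature recomputation of step S402 and the invalidation of steps S501 to S503 (with the prior token check of steps S701 to S704), carried through in one piece of added example code that is not the patent's own implementation. It assumes HS256 and Python's standard library only; the TokenService class, the function names, the constructed base key and the sample claims are the author's. The text forms the user key as base key + user identifier + login timestamp; this example derives it with HMAC-SHA256 keyed by the base key so that the identifier and timestamp cannot run into each other, and marks that choice as an assumption in a comment.

```python
import base64
import hashlib
import hmac
import json


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def compact_json(obj) -> bytes:
    return json.dumps(obj, separators=(",", ":"), sort_keys=True).encode()


class TokenService:
    """Server-side state: the base key and the per-user mappings the text describes."""

    def __init__(self, base_key: bytes):
        self.base_key = base_key
        self.alg_by_user = {}      # preset user information -> signature algorithm (S302)
        self.payload_by_user = {}  # preset payload data -> user information (S304)
        self.key_by_user = {}      # stored user keys; S503 overwrites an entry

    def derive_user_key(self, user_id: str, login_ts: int) -> bytes:
        # The text forms the key as base key + user identifier + login timestamp.
        # Assumption of this example: HMAC-SHA256 keyed with the base key, so the
        # identifier and the timestamp are unambiguously separated.
        return hmac.new(self.base_key, f"{user_id}|{login_ts}".encode(), hashlib.sha256).digest()

    def issue(self, user_id: str, login_ts: int, claims: dict) -> str:
        """Steps S302 to S305: select HS256, derive the user key, record the mappings, sign."""
        alg = "HS256"  # the text leaves the selection rule open; one fixed choice here
        key = self.derive_user_key(user_id, login_ts)
        self.alg_by_user[user_id] = alg
        self.payload_by_user[user_id] = dict(claims)
        self.key_by_user[user_id] = key
        header = b64url(compact_json({"alg": alg, "typ": "JWT"}))
        payload = b64url(compact_json(claims))
        sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        return f"{header}.{payload}.{b64url(sig)}"

    def verify(self, user_id: str, token: str) -> tuple:
        """Algorithm check (S202/S203), signature recomputation (S402) and payload check (S401/S402)."""
        if user_id not in self.alg_by_user:
            return False, "unknown user"
        try:
            h, p, s = token.split(".")
            header = json.loads(b64url_decode(h))
            payload = json.loads(b64url_decode(p))
            sig = b64url_decode(s)
        except (ValueError, UnicodeDecodeError):
            return False, "malformed token"
        if not isinstance(header, dict) or header.get("alg") != self.alg_by_user[user_id]:
            return False, "signature algorithm mismatch"      # first verification result
        key = self.key_by_user[user_id]                        # equals the base key once revoked
        expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, sig):             # constant-time comparison
            return False, "bad signature"
        if payload != self.payload_by_user[user_id]:
            return False, "payload mismatch"                   # second verification result
        return True, "ok"

    def invalidate(self, user_id: str, token: str) -> tuple:
        """Steps S701 to S704, then S503: verify the token, then collapse the user key."""
        ok, reason = self.verify(user_id, token)               # third verification result
        if not ok:
            return False, reason
        self.key_by_user[user_id] = self.base_key              # S503: user key := base key
        return True, "revoked"


def demo() -> dict:
    svc = TokenService(base_key=b"constructed-base-key-for-the-example")
    claims = {"iss": "auth-server", "sub": "alice", "exp": 1700003600}   # constructed
    token = svc.issue("alice", 1700000000, claims)
    h, _, s = token.split(".")
    edited = b64url(compact_json({**claims, "sub": "admin"}))  # payload edited, old signature kept
    out = {"genuine": svc.verify("alice", token),
           "edited_payload": svc.verify("alice", f"{h}.{edited}.{s}")}
    out["revoke"] = svc.invalidate("alice", token)
    out["genuine_after_revoke"] = svc.verify("alice", token)
    out["revoke_again"] = svc.invalidate("alice", token)
    return out


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Expiry and the other standard claim checks are deliberately left out to keep the three mechanisms visible; a real verifier checks exp, nbf, iss and aud after the signature. Note that revocation only works because verify() consults the stored key on every call; a verifier that cached the derived key would keep accepting the revoked token until expiry.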

In another embodiment, the invalidation request also carries an immediate invalidation instruction. As shown in FIG. 6, step S503 of the embodiment in FIG. 5 may then be expressed as:

Step S600: If the invalidation request is detected to carry an immediate invalidation instruction, replace the user key with the base key in accordance with that instruction.

The immediate invalidation instruction indicates that the user token is to be invalidated at once. Replacing the user key with the base key immediately closes the window between receipt of the invalidation instruction and the invalidation itself during which the user token could still be used maliciously.

Refer to FIG. 7, a flowchart of an exemplary embodiment in which, before step S502 of the embodiment in FIG. 5, the resource access method further includes authenticating the invalidation request and verifying the user token it carries. As shown in FIG. 7, this may include steps S701 to S704, described in detail as follows:

Step S701: Authenticate the user on the basis of the user information carried in the invalidation request.

The account data included in the user information carried in the invalidation request, for example the account and login password, is obtained and the user is authenticated on that basis; that is, the legitimacy of the user's login is verified.

Step S702: If authentication passes, determine, from the preset mapping between user information and signature algorithms and the preset mapping between payload data and user information, the target signature algorithm and target payload data that match the user information.

If authentication fails, an error message is returned and the invalidation request is refused.

Step S703: Using the target signature algorithm and target payload data, verify in turn the signature algorithm and the payload of the user token to be invalidated that is carried in the invalidation request, obtaining a third verification result.

The server also reads the signature algorithm and payload data from the user token to be invalidated. Once the target signature algorithm and target payload data have been obtained, the token's signature algorithm is first checked for consistency with the target algorithm; if this check fails, the third verification result is "failed". If it passes, the token's payload data is checked for consistency with the target payload data; if they are identical, the third verification result is "passed", otherwise it is "failed".

Step S704: If the third verification result is "passed", respond to the invalidation request and invalidate the user token.

If the third verification result is "passed", the steps of the embodiment in FIG. 5 are executed and the user token is invalidated; if it is "failed", an error message is returned and the invalidation request is refused.

Thus, with the method of this embodiment, before the user token is invalidated in response to an invalidation request, the legitimacy of the token is again verified through the signature algorithm and then the payload data. This prevents an attacker from modifying or deleting the signature algorithm in the user token to forge a token that bypasses signature verification and thereby invalidate tokens illegitimately or maliciously, protecting the token in transit.

Refer to FIG. 8, a flowchart of the resource access method provided by the application in an exemplary embodiment, which may include steps S801 to S811, as follows:

Step S801: Receive a token acquisition request sent by the client.

Step S802: Authenticate the user according to the user information carried in the token acquisition request and determine whether authentication passes. If it passes, go to step S803; otherwise go to step S811.

Step S803: Select a signature algorithm, generate the user key from the user information and the base key, acquire the payload data, and generate the user token from the payload data, the user key and the signature algorithm.

Step S804: Store the preset mapping between user information and signature algorithms and the preset mapping between payload data and user information.

Step S805: Receive a resource access request sent by the client that carries user information and a user token.

Step S806: Receive an invalidation request for the user token sent by the client.

Step S807: Determine, from the preset mapping between user information and signature algorithms, the target signature algorithm matching the user information; verify the signature algorithm to be verified against it to obtain a first verification result; and determine whether the first verification result is "passed". If so, go to step S808; otherwise go to step S811.

Step S808: Determine, from the preset mapping between payload data and user information, the target payload data matching the user information; verify the payload data to be verified against it to obtain a second verification result; and determine whether the second verification result is "passed". If so and the request received was a resource access request, go to step S809; if so and the request received was an invalidation request, go to step S810; otherwise go to step S811.

Step S809: Respond to the resource access request and allow the client to access the resource.

Step S810: Replace the user key with the base key, so that the user token becomes invalid.

Step S811: Return an error message and refuse to respond to the request.

In the above embodiment, the preset mapping between user information and signature algorithms and the preset mapping between payload data and user information are stored when the user token is generated, and are used to verify first the signature algorithm and then the payload data whenever a resource access request or an invalidation request is received. This prevents an attacker from modifying or deleting the signature algorithm in the user token to forge a token that bypasses signature verification, whether to gain access illegitimately or to invalidate tokens maliciously, and protects the token in transit.

图9是本申请的一示例性实施例示出的一种资源访问装置900的框图。如图9所示,该装置包括:FIG. 9 is a block diagram of a resource access apparatus 900 according to an exemplary embodiment of the present application. As shown in Figure 9, the device includes:

获取单元901,用于接收客户端发送的资源访问请求,其中资源访问请求中携带有实时用户信息和用户令牌,用户令牌中含有待验证签名算法;The obtaining unit 901 is configured to receive a resource access request sent by a client, wherein the resource access request carries real-time user information and a user token, and the user token contains a signature algorithm to be verified;

确定单元902,用于根据预设用户信息与签名算法映射关系,确定与实时用户信息相匹配的目标签名算法;A determining unit 902, configured to determine a target signature algorithm that matches the real-time user information according to the mapping relationship between the preset user information and the signature algorithm;

验证单元903,用于基于目标签名算法对待验证签名算法进行验证,得到验证结果;A verification unit 903, configured to verify the signature algorithm to be verified based on the target signature algorithm to obtain a verification result;

执行单元904,用于基于验证结果确定是否响应资源访问请求。The executing unit 904 is configured to determine whether to respond to the resource access request based on the verification result.

该装置应用本申请提供的资源访问方法,通过获取单元901接收到客户端发送的资源访问请求后,确定单元902通过事先服务端存储的预设用户信息与签名算法映射关系,确定出与资源访问请求携带的用户信息相匹配的目标签名算法,进而验证单元903根据目标签名算法对用户令牌中的待验证签名算法进行一致性的验证,最后执行单元904根据得到的第一验证结果确定服务端是否响应资源访问请求。这样,通过预设用户信息与签名算法映射关系对资源访问请求携带的用户令牌的签名算法进行验证,避免了通过恶意修改或删除用户令牌中的签名算法,保证了用户令牌传输过程中的安全性,规避了信息泄露等安全风险问题。The device applies the resource access method provided in this application, and after receiving the resource access request sent by the client through the obtaining unit 901, the determining unit 902 determines the resource access request by using the preset user information and the signature algorithm mapping relationship stored in the server in advance. The target signature algorithm that matches the user information carried in the request is requested, and then the verification unit 903 verifies the consistency of the signature algorithm to be verified in the user token according to the target signature algorithm, and finally the execution unit 904 determines the server according to the obtained first verification result. Whether to respond to resource access requests. In this way, the signature algorithm of the user token carried in the resource access request is verified by presetting the mapping relationship between the user information and the signature algorithm, avoiding malicious modification or deletion of the signature algorithm in the user token, and ensuring that the user token is transmitted during the transmission process. security, avoiding security risks such as information leakage.

In another exemplary embodiment, the apparatus further includes:

A token generation unit, configured to: receive a token acquisition request sent by the client; select the signature algorithm corresponding to the user information, store the user information in association with that signature algorithm, and thereby generate the preset mapping between signature algorithms and user information; generate a user key from the user identifier, the login timestamp and a pre-stored base key; obtain payload data, store the user information in association with the payload data, and thereby generate the preset mapping between payload data and user information; and generate the user token from the payload data, the user key and the signature algorithm.

In another exemplary embodiment, the verification unit 903 is further configured to: if the first verification result indicates that verification passed, determine, from the preset mapping between payload data and user information, the target payload data that matches the user information; verify the payload data to be verified against the target payload data to obtain a second verification result; and if the second verification result indicates that verification passed, respond to the resource access request so that the client is allowed to access the resource.

In another exemplary embodiment, the apparatus further includes:

A token invalidation unit, configured to: receive an invalidation request for the user token sent by the client; obtain the user key and the base key corresponding to the user token, where the base key is preset and the user key is derived from the base key; and replace the user key with the base key so that the user token becomes invalid.

In another exemplary embodiment, the token invalidation unit is further configured to: if it detects that the invalidation request carries an immediate invalidation instruction, replace the user key with the base key according to that instruction, where the immediate invalidation instruction indicates that the user token is to be invalidated immediately.
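The following Python is an added illustration of the server side of the scheme described in the apparatus embodiments above; it is not code from the patent or from China Telecom. It sketches token issuance with the per-user signature-algorithm and payload mappings (the token generation unit), the two-stage check in which the algorithm is verified against the stored mapping before the signature and payload are checked (the verification unit), and invalidation by overwriting the user key with the base key (the token invalidation unit). All function names, the use of HMAC variants as the selectable "signature algorithms", the HMAC-based derivation of the user key, the dictionary tables and the sample values are assumptions made for the example.

```python
import base64
import hashlib
import hmac
import json

# Constructed sample secret; in the patent the base key is pre-stored on the server.
BASE_KEY = b"constructed-base-key-for-demo-only"

# Server-side tables standing in for the patent's mapping relationships (assumed dicts).
ALG_BY_USER: dict[str, str] = {}       # preset user information -> signature algorithm
PAYLOAD_BY_USER: dict[str, dict] = {}  # preset user information -> payload data
USER_KEY: dict[str, bytes] = {}        # current signing key for each user

# HMAC variants stand in for the selectable signature algorithms (assumption; the patent names none).
HMAC_ALGS = {"HS256": hashlib.sha256, "HS384": hashlib.sha384, "HS512": hashlib.sha512}


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def derive_user_key(user_id: str, login_ts: int, base_key: bytes = BASE_KEY) -> bytes:
    """User key from user identifier, login timestamp and base key (HMAC-SHA256 is an assumed KDF)."""
    return hmac.new(base_key, f"{user_id}:{login_ts}".encode(), hashlib.sha256).digest()


def sign(key: bytes, alg: str, signing_input: str) -> bytes:
    return hmac.new(key, signing_input.encode(), HMAC_ALGS[alg]).digest()


def issue_token(user_id: str, login_ts: int, alg: str, payload: dict) -> str:
    """Token acquisition: bind algorithm and payload to the user, derive the user key, sign."""
    if alg not in HMAC_ALGS:
        raise ValueError(f"unsupported signature algorithm {alg!r}")
    ALG_BY_USER[user_id] = alg
    PAYLOAD_BY_USER[user_id] = dict(payload)
    USER_KEY[user_id] = derive_user_key(user_id, login_ts)
    header = b64url(json.dumps({"alg": alg, "typ": "JWT"}, separators=(",", ":")).encode())
    body = b64url(json.dumps(payload, separators=(",", ":"), sort_keys=True).encode())
    return f"{header}.{body}.{b64url(sign(USER_KEY[user_id], alg, f'{header}.{body}'))}"


def verify_access(user_id: str, token: str) -> tuple[bool, str]:
    """Resource access check; user_id is the user information carried in the request."""
    try:
        header_s, body_s, sig_s = token.split(".")
        header = json.loads(b64url_decode(header_s))
        payload = json.loads(b64url_decode(body_s))
        sig = b64url_decode(sig_s)
    except ValueError:  # wrong field count, bad base64 and bad JSON all raise ValueError
        return False, "malformed token"
    if not isinstance(header, dict):
        return False, "malformed token"
    # First verification: the algorithm named in the token must equal the one stored for
    # this user. The stored value decides what runs, so a rewritten or deleted "alg" field
    # is rejected before any cryptographic work is done.
    target_alg = ALG_BY_USER.get(user_id)
    if target_alg is None or header.get("alg") != target_alg:
        return False, "signature algorithm mismatch"
    key = USER_KEY.get(user_id)
    if key is None or key == BASE_KEY:  # key overwritten with the base key == invalidated (added safeguard)
        return False, "token invalidated"
    expected = sign(key, target_alg, f"{header_s}.{body_s}")
    if not hmac.compare_digest(expected, sig):
        return False, "bad signature"
    # Second verification: the payload must equal the payload stored for this user.
    if payload != PAYLOAD_BY_USER.get(user_id):
        return False, "payload mismatch"
    return True, "ok"


def invalidate_token(user_id: str) -> None:
    """Invalidation request: overwrite the user key with the base key."""
    USER_KEY[user_id] = BASE_KEY


def run_demo() -> dict[str, tuple[bool, str]]:
    """Scenarios worth checking; returns the outcome of each by name."""
    token = issue_token("alice", 1700000000, "HS256", {"role": "reader"})  # constructed values
    header_s, body_s, sig_s = token.split(".")
    results = {"valid": verify_access("alice", token)}
    none_header = b64url(b'{"alg":"none","typ":"JWT"}')  # header rewritten to alg "none"
    results["alg_none"] = verify_access("alice", f"{none_header}.{body_s}.{sig_s}")
    no_alg_header = b64url(b'{"typ":"JWT"}')  # alg field deleted from the header
    results["alg_missing"] = verify_access("alice", f"{no_alg_header}.{body_s}.{sig_s}")
    other_body = b64url(b'{"role":"admin"}')  # payload altered, signature now stale
    results["payload_tampered"] = verify_access("alice", f"{header_s}.{other_body}.{sig_s}")
    results["wrong_user"] = verify_access("bob", token)  # token presented with another user's information
    invalidate_token("alice")
    results["after_invalidation"] = verify_access("alice", token)
    return results


if __name__ == "__main__":
    for name, outcome in run_demo().items():
        print(f"{name:18s} -> {outcome}")
```

The detail worth noticing is that the algorithm used to check the signature is taken from the server-side mapping, never from the token header, so a header rewritten to a different or absent algorithm fails at the first verification before any cryptography runs. The check that treats a user key equal to the base key as "invalidated" is an added safeguard rather than something the patent specifies: without it, a token signed under the base key itself would still verify after invalidation, since the verifier would then be using the base key.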

It should be noted that the resource access apparatus provided by the above embodiments and the resource access method provided by the above embodiments share the same concept; the specific manner in which each module and unit performs its operations has been described in detail in the method embodiments and is not repeated here. In practical applications, the functions of the resource access apparatus provided by the above embodiments may be assigned to different functional modules as required, that is, the internal structure of the apparatus may be divided into different functional modules to complete all or part of the functions described above; no limitation is imposed on this here.

Embodiments of this application also provide an electronic device including one or more processors and a storage device for storing one or more programs; when the one or more programs are executed by the one or more processors, the electronic device implements the resource access method provided in the above embodiments.

FIG. 10 is a schematic structural diagram of a computer system suitable for implementing the electronic device of the embodiments of this application. It should be noted that the computer system 1000 of the electronic device shown in FIG. 10 is only an example and should not impose any limitation on the functions or scope of use of the embodiments of this application.

As shown in FIG. 10, the computer system 1000 includes a central processing unit (CPU) 1001, which can perform various appropriate actions and processes, such as executing the method of the above embodiments, according to a program stored in a read-only memory (ROM) 1002 or a program loaded from a storage section 1008 into a random access memory (RAM) 1003. The RAM 1003 also stores the various programs and data required for system operation. The CPU 1001, the ROM 1002 and the RAM 1003 are connected to one another through a bus 1004. An input/output (I/O) interface 1005 is also connected to the bus 1004.

The following components are connected to the I/O interface 1005: an input section 1006 including a keyboard, a mouse and the like; an output section 1007 including a cathode ray tube (CRT), a liquid crystal display (LCD), a speaker and the like; a storage section 1008 including a hard disk and the like; and a communication section 1009 including a network interface card such as a LAN (local area network) card or a modem. The communication section 1009 performs communication processing via a network such as the Internet. A drive 1010 is also connected to the I/O interface 1005 as needed. A removable medium 1011, such as a magnetic disk, an optical disk, a magneto-optical disk or a semiconductor memory, is mounted on the drive 1010 as needed so that a computer program read from it can be installed into the storage section 1008 as needed.

In particular, according to embodiments of this application, the processes described above with reference to the flowcharts may be implemented as computer software programs. For example, embodiments of this application include a computer program product comprising a computer program carried on a computer-readable medium, the computer program containing program code for performing the method shown in the flowchart. In such an embodiment, the computer program may be downloaded and installed from a network via the communication section 1009 and/or installed from the removable medium 1011. When the computer program is executed by the central processing unit (CPU) 1001, the various functions defined in the system of this application are performed.

It should be noted that the computer-readable medium shown in the embodiments of this application may be a computer-readable signal medium or a computer-readable storage medium, or any combination of the two. The computer-readable storage medium may be, for example, an electrical, magnetic, optical, electromagnetic, infrared or semiconductor system, apparatus or device, or any combination of these. More specific examples of the computer-readable storage medium include, but are not limited to: an electrical connection with one or more wires, a portable computer disk, a hard disk, a random access memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM), flash memory, an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the above. In this application, a computer-readable signal medium may include a data signal propagated in baseband or as part of a carrier wave and carrying computer-readable program code. Such a propagated data signal may take many forms, including but not limited to an electromagnetic signal, an optical signal, or any suitable combination of these. A computer-readable signal medium may also be any computer-readable medium other than a computer-readable storage medium that can send, propagate or transmit a program for use by or in connection with an instruction execution system, apparatus or device. The program code contained on a computer-readable medium may be transmitted by any suitable medium, including but not limited to wireless, wired, or any suitable combination of the above.

The flowcharts and block diagrams in the figures illustrate the architecture, functionality and operation of possible implementations of systems, methods and computer program products according to various embodiments of this application. Each block in a flowchart or block diagram may represent a module, program segment or portion of code, which contains one or more executable instructions for implementing the specified logical function. It should also be noted that, in some alternative implementations, the functions noted in the blocks may occur in an order different from that noted in the figures. For example, two blocks shown in succession may in fact be executed substantially in parallel, or sometimes in the reverse order, depending on the functionality involved. It should also be noted that each block of the block diagrams or flowcharts, and combinations of blocks in the block diagrams or flowcharts, can be implemented by a special-purpose hardware-based system that performs the specified functions or operations, or by a combination of special-purpose hardware and computer instructions.

The units described in the embodiments of this application may be implemented in software or in hardware, and the described units may also be provided in a processor. In some cases the names of these units do not constitute a limitation on the units themselves.

Another aspect of this application also provides a computer-readable storage medium on which a computer program is stored; when the computer program is executed by a processor, it implements the resource access method described above. The computer-readable storage medium may be included in the electronic device described in the above embodiments, or may exist separately without being assembled into the electronic device.

Another aspect of this application also provides a computer program product or computer program comprising computer instructions stored in a computer-readable storage medium. A processor of a computer device reads the computer instructions from the computer-readable storage medium and executes them, causing the computer device to perform the resource access method provided in the above embodiments.

The above are only preferred embodiments of this application and are not intended to limit it; any modification, equivalent replacement or improvement made within the spirit and principles of this application shall fall within its scope of protection.

Claims (10)

1. A resource access method, comprising:
receiving a resource access request sent by a client, wherein the resource access request carries user information and a user token, and the user token contains a signature algorithm to be verified;
determining, from a preset mapping between user information and signature algorithms, a target signature algorithm that matches the user information;
verifying the signature algorithm to be verified against the target signature algorithm to obtain a first verification result; and
determining, from the first verification result, whether to respond to the resource access request.

2. The method according to claim 1, wherein before receiving the resource access request sent by the client, the method further comprises:
receiving a token acquisition request sent by the client, wherein the token acquisition request carries user information;
selecting a signature algorithm corresponding to the user information, storing the user information in association with the signature algorithm corresponding to it, and generating the preset mapping between signature algorithms and user information; and
generating the user token from the user information and the signature algorithm corresponding to the user information.

3. The method according to claim 2, wherein the user information comprises a user identifier and a login timestamp, and generating the user token from the user information and the signature algorithm corresponding to the user information comprises:
generating a user key from the user identifier, the login timestamp and a pre-stored base key, wherein the base key is a preset key; and
generating the user token from the user key and the signature algorithm.

4. The method according to claim 3, wherein generating the user token from the user information and the signature algorithm corresponding to the user information comprises:
obtaining payload data, storing the user information in association with the payload data, and generating a preset mapping between payload data and user information, wherein the payload data is data relating to the user and to the user token to be generated; and
generating the user token from the payload data, the user key and the signature algorithm.

5. The method according to any one of claims 1 to 4, wherein the user token further contains payload data to be verified, and determining from the first verification result whether to respond to the resource access request comprises:
if the first verification result indicates that verification passed, determining, from the preset mapping between payload data and user information, target payload data that matches the user information;
verifying the payload data to be verified against the target payload data to obtain a second verification result; and
if the second verification result indicates that verification passed, responding to the resource access request so that the client is allowed to access the resource.

6. The method according to any one of claims 1 to 4, further comprising:
receiving an invalidation request for the user token sent by the client;
obtaining a user key and a base key corresponding to the user token, wherein the base key is preset and the user key is derived from the base key; and
replacing the user key with the base key so that the user token becomes invalid.

7. The method according to claim 6, wherein replacing the user key with the base key comprises:
if it is detected that the invalidation request carries an immediate invalidation instruction, replacing the user key with the base key according to the immediate invalidation instruction, wherein the immediate invalidation instruction indicates that the user token is to be invalidated immediately.

8. A resource access apparatus, comprising:
an acquisition unit, configured to receive a resource access request sent by a client, wherein the resource access request carries real-time user information and a user token, and the user token contains a signature algorithm to be verified;
a determining unit, configured to determine, from a preset mapping between user information and signature algorithms, a target signature algorithm that matches the real-time user information;
a verification unit, configured to verify the signature algorithm to be verified against the target signature algorithm to obtain a verification result; and
an execution unit, configured to determine, based on the verification result, whether to respond to the resource access request.

9. An electronic device, comprising:
one or more processors; and
a storage device for storing one or more programs which, when executed by the one or more processors, cause the electronic device to implement the resource access method according to any one of claims 1 to 7.

10. A computer-readable storage medium on which computer-readable instructions are stored which, when executed by a processor of a computer, cause the computer to perform the resource access method according to any one of claims 1 to 7.
CN202210839421.8A 2022-07-15 2022-07-15 Resource access method and device, electronic equipment and storage medium Active CN115001714B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210839421.8A CN115001714B (en) 2022-07-15 2022-07-15 Resource access method and device, electronic equipment and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202210839421.8A CN115001714B (en) 2022-07-15 2022-07-15 Resource access method and device, electronic equipment and storage medium

Publications (2)

Publication Number Publication Date
CN115001714A true CN115001714A (en) 2022-09-02
CN115001714B CN115001714B (en) 2024-03-19

Family

ID=83022323

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210839421.8A Active CN115001714B (en) 2022-07-15 2022-07-15 Resource access method and device, electronic equipment and storage medium

Country Status (1)

Country Link
CN (1) CN115001714B (en)

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107251477A (en) * 2015-02-11 2017-10-13 维萨国际服务协会 System and method for safely managing biometric data
CN108965230A (en) * 2018-05-09 2018-12-07 深圳市中信网安认证有限公司 A kind of safety communicating method, system and terminal device
US20190273620A1 (en) * 2017-07-18 2019-09-05 Zhongan Information Technology Service Co., Ltd. Data sharing method and data sharing system
CN110311782A (en) * 2019-04-29 2019-10-08 山东工商学院 Zero-knowledge proof method, system and storage medium for personal information
CN110784457A (en) * 2019-10-17 2020-02-11 中诚信征信有限公司 Service access method and device
CN114244530A (en) * 2021-12-16 2022-03-25 中国电信股份有限公司 Resource access method and device, electronic equipment and computer readable storage medium
CN114528571A (en) * 2022-02-11 2022-05-24 京东科技信息技术有限公司 Resource access and data processing method, device, electronic equipment and medium

Cited By (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115459992A (en) * 2022-09-05 2022-12-09 山石网科通信技术股份有限公司 Method, device, storage medium and electronic device for processing resource access request
CN115963808A (en) * 2022-12-30 2023-04-14 阿波罗智联(北京)科技有限公司 Method, device, electronic equipment and storage medium for remotely controlling vehicle
WO2024259864A1 (en) * 2023-06-21 2024-12-26 Huawei Technologies Co., Ltd. Method, apparatus and system for semantic communications
CN117650950A (en) * 2024-01-30 2024-03-05 浙江省电子信息产品检验研究院(浙江省信息化和工业化融合促进中心) Secure communication method and apparatus
CN117650950B (en) * 2024-01-30 2024-04-19 浙江省电子信息产品检验研究院(浙江省信息化和工业化融合促进中心) Secure communication method and apparatus
CN118200013A (en) * 2024-04-11 2024-06-14 北京优特捷信息技术有限公司 Application access method, device, equipment and storage medium based on multiple authentication modes
CN118842657A (en) * 2024-09-20 2024-10-25 北京九章云极科技有限公司 Method and device for accessing computing power resources of intelligent computing center

Also Published As

Publication number Publication date
CN115001714B (en) 2024-03-19

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
EE01 Entry into force of recordation of patent licensing contract

Application publication date: 20220902

Assignee: Tianyiyun Technology Co.,Ltd.

Assignor: CHINA TELECOM Corp.,Ltd.

Contract record no.: X2024990000687

Denomination of invention: Resource access methods and devices, electronic devices, storage media

Granted publication date: 20240319

License type: Common License

Record date: 20241220