The content of the invention
In view of this, embodiments of the present invention provide an access control method for an application; the method ensures the security of accessing the application.
Embodiments of the present invention also provide an access control apparatus for an application; the apparatus ensures the security of accessing the application.
To achieve the above purpose, the present invention is realized as follows:
An access control method for an application, including:
a first application receives an HTTP request of a second application, where the Uniform Resource Locator (URL) of the HTTP request carries an access keyword, a random number and signed data of the second application;
the first application determines, according to the access keyword of the second application, that the second application is allowed to access the first application; determines, according to the random number of the second application, that the HTTP request is a non-duplicate request; and determines, according to the signed data of the second application, that the HTTP request has not been tampered with; the first application then responds to the HTTP request of the second application.
The first application is provided with a configuration file, and the configuration file includes at least:
the access keyword appKey of the first application;
the verification password secret of the first application; and
the appKey and secret of each application allowed to access the first application.
The first application determining, according to the access keyword of the second application, that the second application is allowed to access the first application includes:
the first application obtains the appKey of the second application from the HTTP request of the second application;
the first application determines whether the configuration file of the first application includes the appKey of the second application; if it does, the first application determines that the second application is allowed to access the first application.
The first application determining, according to the random number of the second application, that the HTTP request is a non-duplicate request includes:
the first application determines whether the access record of the first application includes the random number of the second application, where the access record of the first application includes the random numbers of the applications that have accessed the first application;
if the access record of the first application does not include the random number of the second application, the first application determines that the HTTP request of the second application is a non-duplicate request.
The first application determining, according to the signed data of the second application, that the HTTP request has not been tampered with includes:
the first application looks up the appKey and secret of the second application in the configuration file of the first application;
the first application calculates the signed data of the second application according to the appKey and secret of the second application that were looked up;
the first application determines whether the calculated signed data is consistent with the signed data in the HTTP request of the second application;
if they are consistent, the first application determines that the HTTP request has not been tampered with.
The first application calculating the signed data of the second application according to the appKey and secret of the second application that were looked up includes:
if the HTTP request is a GET request, the first application calculates the signed data of the second application according to the formula sign = md5(uri + params + appkey + nonce + secret);
if the HTTP request is a POST request, the first application calculates the signed data of the second application according to the formula sign = md5(uri + appkey + nonce + secret).getByte + body.getByte;
in the above formulas, sign is the signed data, uri is the Uniform Resource Identifier of the second application, params is the parameters of the GET request, appkey is the appKey of the second application that the first application looks up in the configuration file, nonce is the random number carried in the HTTP request, secret is the verification password of the second application that the first application looks up in the configuration file, body is the data body of the POST request, getByte means taking the binary data, and md5 is the cryptographic algorithm used.
The URL in the GET request also includes the uri and params of the first application.
The URL in the POST request also includes the uri of the first application.
An access control apparatus for an application, including a receiving module, a filter and an authentication module, where:
the receiving module is configured to receive the HTTP request of the second application, where the URL of the HTTP request carries the access keyword, random number and signed data of the second application;
the filter is configured to determine, according to the access keyword of the second application, that the second application is allowed to access the first application;
the authentication module is configured to determine, according to the random number of the second application, that the HTTP request is a non-duplicate request, and to determine, according to the signed data of the second application, that the HTTP request has not been tampered with; the first application then responds to the HTTP request of the second application.
The apparatus also includes a setup module and a sending module, where:
the setup module is configured to set up the HTTP request of the second application so that the URL of the HTTP request carries the access keyword, random number and signed data of the second application;
the sending module is configured to send the HTTP request.
As can be seen from the above scheme, in embodiments of the present invention the second application, when accessing the first application, sends a Hypertext Transfer Protocol (HTTP) request whose Uniform Resource Locator (URL) carries the access keyword, random number and signed data of the second application; the first application determines from the access keyword in the request whether access is permitted, determines from the random number whether the request is a repeated request, and determines from the signed data whether the data in the request has been tampered with, thereby ensuring the security of accessing the application.
Embodiment
In order to make the objects, technical solutions and advantages of the present invention clearer, the present invention is described in further detail below with reference to the drawings and embodiments.
In order to ensure security when accessing an application, in embodiments of the present invention the URL of the HTTP request sent by the second application carries the access keyword, random number and signed data of the second application, which is allowed to access the first application; the first application determines from the access keyword in the request whether access is permitted, determines from the random number whether the request is a repeated request, and determines from the signed data whether the data in the request has been tampered with.
Fig. 1 is a flow diagram of the application access control method provided in an embodiment of the present invention; it specifically includes the following steps:
Step 101: when the first application is accessed, it receives the HTTP request sent by the second application, where the URL of the HTTP request carries the access keyword, random number and signed data of the second application;
In this step, each application corresponds to a unique access keyword (appKey); when the first application is accessed, the access keyword (accesskey) of the second application is likewise unique to the second application;
Step 102: the first application determines, according to the access keyword of the second application, that the second application is allowed to access the first application;
In this step, if the first application confirms that the access keyword of the second application is the access keyword corresponding to a second application that is allowed to access the first application, access is allowed; otherwise, the first application does not allow access;
In this step, a filter is set in the application, which verifies the access keyword of the second application after obtaining it from the URL;
Step 103: the first application determines, according to the random number of the second application, that the HTTP request is a non-duplicate request;
In this step, the first application queries the access record it stores itself; if the first application confirms that the random number has already occurred, the request is a repeated request and is rejected directly; otherwise, the request is accepted;
Step 104: the first application determines, according to the signed data of the second application, that the HTTP request has not been tampered with, and the first application then responds to the HTTP request of the second application;
In this step, the first application verifies the signed data; if the verification passes, the data carried by the HTTP request has not been tampered with; if the verification fails, the data carried by the HTTP request has been tampered with.
In this method, the HTTP request is a GET request or a POST request.
In this method, each application is designated App, for example App01, App02, ..., AppN. Each application is provided with an appKey and a verification password (secret); each application also has other applications that it may access, and likewise other applications may access it. Therefore each application has a configuration file, whose content includes at least: its appKey, its secret, and the set of appKey and secret of the applications allowed to access it, referred to as allowdeAccessKeyAndSecrets. The configuration file of an application is arranged on the computer network side; when the application is used it reads the configuration file, from which it determines its own appKey and secret and also the appKeys and secrets allowed to access it. The configuration file of the application is the basis of the authentication service of the computer network and also the basis of application access protection.
In this method, after an application has determined its own configuration file, it uses that configuration file when accessing other applications over the computer network, thereby completing the access to the other application, that is, the access of the second application to the first application.
In this method, when the HTTP request is a GET request, the URL of the GET request is provided with the access keyword, random number and signed data of the second application, where the access keyword is the appKey of the second application and the signed data of the second application is calculated according to formula (1):
sign = md5(uri + params + appkey + nonce + secret)    formula (1);
where uri is the Uniform Resource Identifier of the second application, params is the parameters of the GET request, appkey is the appKey of the second application that the first application looks up in the configuration file, nonce is the random number carried in the HTTP request, and secret is the verification password of the second application that the first application looks up in the configuration file.
The URL of the GET request may also include the uri and params of the first application.
In this method, when the HTTP request is a POST request, the URL of the POST request is provided with the access keyword, random number and signed data of the second application, where the access keyword is the appKey of the second application and the signed data of the second application is calculated according to formula (2):
sign = md5(uri + appkey + nonce + secret).getByte + body.getByte    formula (2);
where uri is the Uniform Resource Identifier of the second application, params is the parameters of the GET request, appkey is the appKey of the second application that the first application looks up in the configuration file, nonce is the random number carried in the HTTP request, secret is the verification password of the second application that the first application looks up in the configuration file, body is the data body of the POST request, getByte means taking the binary data, and md5 is the cryptographic algorithm used.
The URL of the POST request also includes the uri of the first application.
In this method, a GET request or POST request that has passed the sign signature check ensures that the data exchanged between applications cannot be tampered with; once tampered with, the request cannot be processed by the first application.
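The flow of steps 101 to 104 together with formulas (1) and (2), as an added Python example that is not part of the patent or of any product: the second application's setup module builds the appkey, nonce and sign URL parameters, and the first application's filter and authentication module check appKey, random number and signature in turn. Formula (2) is read here as a single md5 over the bytes of uri+appkey+nonce+secret followed by the body bytes; the configuration values, URIs and request contents are constructed for the example.

```python
import hashlib
import hmac
import secrets
# Constructed configuration file of the first application (App01): its own appKey and
# secret plus the allowed callers' set the page calls allowdeAccessKeyAndSecrets.
APP01_CONFIG = {
    "appKey": "app01-key",
    "secret": "app01-secret",
    "allowdeAccessKeyAndSecrets": {"app02-key": "app02-secret"},
}

def sign_get(uri, params, appkey, nonce, secret):
    # Formula (1): sign = md5(uri + params + appkey + nonce + secret)
    return hashlib.md5((uri + params + appkey + nonce + secret).encode()).hexdigest()

def sign_post(uri, appkey, nonce, secret, body):
    # Formula (2), read as md5 over the bytes of (uri+appkey+nonce+secret) then the body bytes
    return hashlib.md5((uri + appkey + nonce + secret).encode() + body).hexdigest()

def build_request(method, uri, appkey, secret, params="", body=b""):
    # Setup module of the second application: put appkey, nonce and sign into the URL.
    nonce = secrets.token_hex(8)
    if method == "GET":
        sign = sign_get(uri, params, appkey, nonce, secret)
    else:
        sign = sign_post(uri, appkey, nonce, secret, body)
    return {"method": method, "uri": uri, "params": params, "body": body,
            "appkey": appkey, "nonce": nonce, "sign": sign}

class FirstApplication:
    def __init__(self, config):
        self.config = config
        self.access_record = set()  # random numbers already seen (step 103)

    def handle(self, req):
        # Step 102 (filter): the caller's appKey must appear in the configuration file.
        secret = self.config["allowdeAccessKeyAndSecrets"].get(req["appkey"])
        if secret is None:
            return "rejected: appKey not allowed"
        # Step 103: a random number already in the access record means a repeated request.
        if req["nonce"] in self.access_record:
            return "rejected: repeated request"
        # Step 104: recompute the signature with the configured secret and compare it.
        if req["method"] == "GET":
            expected = sign_get(req["uri"], req["params"], req["appkey"], req["nonce"], secret)
        else:
            expected = sign_post(req["uri"], req["appkey"], req["nonce"], secret, req["body"])
        if not hmac.compare_digest(expected, req["sign"]):
            return "rejected: request tampered"
        self.access_record.add(req["nonce"])
        return "accepted"
```

The formulas are kept exactly as the page gives them (unkeyed md5 over a delimiter-free concatenation); a production design would normally use an HMAC over a delimiter-separated canonical string and expire old random numbers from the access record.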
In an embodiment of the present invention, the above rules for setting the URL of the HTTP request and the filter verification rules of the application are programmed and packaged into a software development kit (SDK) file, which an application calls when performing access in order to set up the HTTP request.
Fig. 2 is a structural diagram of an access control apparatus for an application provided in an embodiment of the present invention. For the accessed application, that is, the first application, the apparatus includes a receiving module 201, a filter 202 and an authentication module 203, where:
the receiving module 201 is configured to receive the HTTP request of the second application, where the URL of the HTTP request carries the access keyword, random number and signed data of the second application;
the filter 202 is configured to determine, according to the access keyword of the second application, that the second application is allowed to access the first application;
the authentication module 203 is configured to determine, according to the random number of the second application, that the HTTP request is a non-duplicate request, and to determine, according to the signed data of the second application, that the HTTP request has not been tampered with; the first application then responds to the HTTP request of the second application.
In the apparatus, for the accessing application, that is, the second application, the apparatus further includes a setup module 204 and a sending module 205, where:
the setup module 204 is configured to set up the HTTP request of the second application so that the URL of the HTTP request carries the access keyword, random number and signed data of the second application;
the sending module 205 is configured to send the HTTP request.
In the apparatus, the HTTP request is a GET request or a POST request.
The preferred embodiments described above further explain the objects, technical solutions and advantages of the present invention. It should be understood that the foregoing is merely illustrative of preferred embodiments of the present invention and is not intended to limit the invention; any modifications, equivalent substitutions and improvements made within the spirit and principle of the present invention shall be included in the protection scope of the present invention.