






Technical Field
The present invention relates to the technical field of access control, and in particular to a token management method, apparatus, system, device, storage medium and program product.
Background
A distributed system is built on a network and consists of multiple independent nodes that are geographically and physically dispersed. The nodes are connected together to share different resources, and a distributed system acts as one unified whole.
In a distributed system, multiple nodes run in parallel, and at any given moment multiple nodes, or multiple processes on the same node, may access the same shared resource. Without control, this can lead to abnormal conditions such as resource disorder and process damage. When concurrent access to the same shared resource is too high, it can also cause excessive resource contention or a system avalanche, seriously affecting the stable operation of the system. Access by the distributed system to shared resources therefore needs to be reasonably controlled, and the volume of resource access limited, to ensure normal operation of the distributed system.
At present, locks are a common means of access control. Distributed locks are one way to control a distributed system's access to shared resources, and the two commonly used implementations are Redis and ZooKeeper: Redis checks for the existence of a key-value pair, and ZooKeeper checks the liveness of a document node, each thereby achieving synchronized access control over shared resources. However, both implementations can provide only a single lock and can only achieve synchronized access control over resources. They also require the system to implement complex lock management, and if a lock is lost the system cannot access the resource.
Summary of the Invention
In view of the above problems in the prior art, the object of the present invention is to provide a token management method, apparatus, system, device, storage medium and program product that can achieve secure access to resources and improve the resource access efficiency of the system.
To solve the above problems, the present invention provides a token management method applied to a client, the method including:
when an operation request for a target resource is detected, obtaining the token corresponding to the operation request, where the target resource is a shared resource of a distributed system, the token includes a signature verification rule, and the signature verification rule includes the signature verification mode used to verify the token;
parsing the token to determine the signature verification mode of the token, the signature verification mode being one of client-side signature verification and server-side signature verification;
verifying the token based on the signature verification mode, and responding to the operation request according to the verification result.
Further, obtaining the token corresponding to the operation request when an operation request for a target resource is detected includes:
when it is detected that an operation request for the target resource is being initiated, obtaining the token corresponding to the operation request;
or,
when an operation request for the target resource sent by another client is detected, obtaining the token carried in the operation request.
Further, verifying the token based on the signature verification mode and responding to the operation request according to the verification result includes:
when the signature verification mode is client-side signature verification, performing a signature verification operation on the token to obtain a verification result; when the verification result is a pass, allowing the operation requested by the operation request to be performed;
when the signature verification mode is server-side signature verification, sending the token to the server so that the server performs a signature verification operation on the token and obtains and returns a verification result; receiving the verification result sent by the server, and when the verification result is a pass, allowing the operation requested by the operation request to be performed.
Further, the method also includes:
when an operation request for the target resource needs to be initiated, applying for a token for the operation request.
Further, applying for a token for the operation request includes:
determining whether a token of the type corresponding to the operation request is stored in the local token pool;
when a token of the type corresponding to the operation request is stored in the local token pool, taking the token out of the local token pool;
when no token of the type corresponding to the operation request is stored in the local token pool, sending a token acquisition request to the server, the token acquisition request corresponding to the operation request;
receiving the token sent by the server, the token being a token of the type corresponding to the operation request that the server issues from the available token pool in response to the token acquisition request;
where at least one token of the type corresponding to the operation request is stored in the available token pool.
Further, the method also includes:
sending heartbeat data to the server each time a first preset time interval elapses;
recording a first time interval between the time heartbeat data was last successfully sent and the current time;
when the first time interval is greater than or equal to a second preset time interval, destroying all tokens in the local token pool;
where the second preset time interval is greater than the first preset time interval.
In another aspect, the present invention provides a token management method applied to a token management system, the system including a client and a server, the method including:
when the client detects an operation request for a target resource, obtaining the token corresponding to the operation request, where the target resource is a shared resource of a distributed system, the token includes a signature verification rule, and the signature verification rule includes the signature verification mode used to verify the token;
the client parsing the token to determine the signature verification mode of the token, the signature verification mode being one of client-side signature verification and server-side signature verification;
when the signature verification mode is client-side signature verification, the client performing a signature verification operation on the token to obtain a verification result; when the verification result is a pass, the client allowing the operation requested by the operation request to be performed;
when the signature verification mode is server-side signature verification, the client sending the token to the server;
the server receiving the token sent by the client, performing a signature verification operation on the token to obtain a verification result, and sending the verification result to the client;
the client receiving the verification result sent by the server, and when the verification result is a pass, allowing the operation requested by the operation request to be performed.
Further, the method also includes:
the server receiving a token acquisition request sent by the client, the token acquisition request corresponding to the operation request for the target resource that the client needs to initiate;
the server, in response to the token acquisition request, issuing a token of the type corresponding to the operation request from the available token pool and sending the token to the client;
where at least one token of the type corresponding to the operation request is stored in the available token pool.
Further, the method also includes:
the server receiving the heartbeat data that the client sends each time the first preset time interval elapses;
the server recording a second time interval between the time heartbeat data was last successfully received and the current time;
when the second time interval is greater than or equal to the second preset time interval, the server destroying all tokens in the available token pool that are associated with the client;
where the second preset time interval is greater than the first preset time interval.
Further, the method also includes:
the server sending a token check instruction to the client;
the server receiving the valid token information that the client sends in response to the token check instruction;
the server managing the tokens in the available token pool according to the valid token information.
In another aspect, the present invention provides a token management apparatus arranged on a client, the apparatus including:
an acquisition module, configured to obtain, when an operation request for a target resource is detected, the token corresponding to the operation request, where the target resource is a shared resource of a distributed system, the token includes a signature verification rule, and the signature verification rule includes the signature verification mode used to verify the token;
a determination module, configured to parse the token to determine the signature verification mode of the token, the signature verification mode being one of client-side signature verification and server-side signature verification;
a processing module, configured to verify the token based on the signature verification mode and respond to the operation request according to the verification result.
In another aspect, the present invention provides a token management system including a client and a server;
the client is configured to obtain, when an operation request for a target resource is detected, the token corresponding to the operation request, where the target resource is a shared resource of a distributed system, the token includes a signature verification rule, and the signature verification rule includes the signature verification mode used to verify the token; and to parse the token to determine the signature verification mode of the token, the signature verification mode being one of client-side signature verification and server-side signature verification;
the client is further configured to perform, when the signature verification mode is client-side signature verification, a signature verification operation on the token to obtain a verification result, and, when the verification result is a pass, to allow the operation requested by the operation request to be performed;
the client is further configured to send the token to the server when the signature verification mode is server-side signature verification;
the server is configured to receive the token sent by the client, perform a signature verification operation on the token to obtain a verification result, and send the verification result to the client;
the client is further configured to receive the verification result sent by the server and, when the verification result is a pass, to allow the operation requested by the operation request to be performed.
In another aspect, the present invention provides an electronic device including a processor and a memory, the memory storing at least one instruction or at least one program, the at least one instruction or the at least one program being loaded and executed by the processor to implement the token management method described above.
In another aspect, the present invention provides a computer-readable storage medium storing at least one instruction or at least one program, the at least one instruction or the at least one program being loaded and executed by a processor to implement the token management method described above.
In another aspect, the present invention provides a computer program product including a computer program/instructions which, when executed by a processor, implement the steps of the token management method described above.
Owing to the above technical solutions, the present invention has the following beneficial effects:
According to the token management method of the embodiments of the present invention, when an operation request for a target resource is detected, the token corresponding to the operation request is parsed to determine whether its signature verification mode is client-side or server-side signature verification, the token is verified based on that mode, and the operation request is responded to according to the verification result. Using different signature verification modes for different types of tokens not only effectively controls the various access operations on resources and achieves secure access to resources, but also improves the efficiency of token verification and thus the resource access efficiency of the whole system, while reducing the load on the server and improving system performance and stability.
Brief Description of the Drawings
To explain the technical solutions of the present invention more clearly, the drawings needed for describing the embodiments or the prior art are briefly introduced below. Obviously, the drawings described below are only some embodiments of the present invention, and those of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a schematic diagram of an implementation environment provided by an embodiment of the present invention;
Fig. 2 is a flowchart of a token management method provided by an embodiment of the present invention;
Fig. 3 is a flowchart of a token management method provided by another embodiment of the present invention;
Fig. 4 is a flowchart of a token management method provided by another embodiment of the present invention;
Fig. 5 is a schematic structural diagram of a token management apparatus provided by an embodiment of the present invention;
Fig. 6 is a schematic structural diagram of a token management system provided by an embodiment of the present invention;
Fig. 7 is a schematic structural diagram of an electronic device provided by an embodiment of the present invention.
Detailed Description
To enable those skilled in the art to better understand the solutions of the present invention, the technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the drawings in the embodiments. Obviously, the described embodiments are only some of the embodiments of the present invention, not all of them. All other embodiments obtained by those of ordinary skill in the art based on the embodiments of the present invention without creative effort fall within the scope of protection of the present invention.
It should be noted that the terms "first", "second" and the like in the description, the claims and the above drawings of the present invention are used to distinguish similar objects and are not necessarily used to describe a specific order or sequence. It should be understood that the data so used are interchangeable where appropriate, so that the embodiments of the invention described here can be implemented in orders other than those illustrated or described here. In addition, the terms "including" and "having" and any variations of them are intended to cover non-exclusive inclusion; for example, a process, method, apparatus, product or device that includes a series of steps or units is not necessarily limited to the steps or units expressly listed, but may include other steps or units that are not expressly listed or that are inherent to the process, method, product or device.
To make the objects, technical solutions and advantages disclosed in the embodiments of the present invention clearer, the embodiments are described in further detail below with reference to the drawings and embodiments. It should be understood that the specific embodiments described here are only used to explain the embodiments of the present invention and are not intended to limit them. The acquisition, storage, use and processing of data in the technical solutions of the embodiments of the present invention all comply with the relevant provisions of national laws and regulations.
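Referring to Fig. 1 of the specification, a schematic diagram of the implementation environment of a token management method provided by an embodiment of the present invention is shown. Note that Fig. 1 is only an example of an implementation environment to which the embodiments of the present invention can be applied, given to help those skilled in the art understand the technical content of the present invention; it does not mean that the embodiments cannot be used with other devices, systems, environments or scenarios. As shown in Fig. 1, the implementation environment may include at least a token management node 110 and at least one application service node 120. The token management node 110 and each application service node 120 may be connected directly or indirectly through wired or wireless communication, which is not limited in the embodiments of the present invention.
The token management node 110 and each application service node 120 may include physical devices such as smartphones, tablet computers, laptop computers, desktop computers, vehicle-mounted terminals and servers, and may also include software running on physical devices, such as applications, but are not limited to these. The operating systems running on the token management node 110 and each application service node 120 may include, but are not limited to, Android, iOS, Linux and Windows.
In the embodiments of the present invention, the token management node 110 may host the token management server, and the application service node 120 may host at least one client. The server may be used to manage clients and tokens and is responsible for allocating and reclaiming tokens; the client may be responsible for applying for, managing and using tokens. Through reasonable allocation of tokens, synchronized access to resources or a limit on the volume of resource access can be achieved, and the token management work is convenient and simple.
It should be noted that Fig. 1 is only an example. Those skilled in the art will understand that although only 2 application service nodes 120 are shown in Fig. 1, this does not limit the embodiments of the present invention; there may be any number of application service nodes 120 according to actual needs.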
Referring to Fig. 2 of the specification, the flow of a token management method provided by an embodiment of the present invention is shown. The method can be applied to the client in the application service node of Fig. 1. Specifically, as shown in Fig. 2, the method may include the following steps:
S210: When an operation request for a target resource is detected, obtain the token corresponding to the operation request, where the target resource is a shared resource of a distributed system, the token includes a signature verification rule, and the signature verification rule includes the signature verification mode used to verify the token.
In the embodiments of the present invention, the target resource may be a shared resource of a distributed system, for example customer resources, leaderboard resources, account information and so on. The operation request may be a query request, a download request or a change request (for example a modification request or a deletion request) for the target resource, and so on. The embodiments of the present invention limit neither the type of the target resource nor the type of the operation request.
In a possible embodiment, obtaining the token corresponding to the operation request when an operation request for a target resource is detected may include:
when it is detected that an operation request for the target resource is being initiated, obtaining the token corresponding to the operation request;
or,
when an operation request for the target resource sent by another client is detected, obtaining the token carried in the operation request.
In practice, an operation request for a shared resource can be initiated in the following two ways. The first is a local call: the client itself initiates the operation request for the target resource and calls a local application service to perform the requested operation. The second is a distributed call: the calling client initiates the operation request for the target resource and sends the operation request together with its corresponding token to the called client, so as to call the called client's application service to perform the requested operation. Specifically, the client (the calling client) may initiate an operation request for the target resource in response to an operation instruction for the target resource entered by a user, or may initiate operation requests for the target resource on a schedule.
It should be noted that the above ways of initiating an operation request for a target resource are only examples and do not limit the embodiments of the present invention; in practice, other ways may also be used to initiate an operation request for the target resource.
In the first way, when the client detects that it is itself initiating an operation request for the target resource, it can use the method provided by the embodiments of the present invention to verify the token corresponding to the operation request and respond to the operation request according to the verification result; that is, the method may be executed by the client that initiates the operation request for the target resource. In the second way, when the called client detects an operation request for the target resource sent by the calling client, it can use the method provided by the embodiments of the present invention to verify the token carried in the operation request and respond to the operation request according to the verification result; that is, the method may be executed by the called client.
In a possible embodiment, before the client initiates an operation request for the target resource, the following step may also be included:
when an operation request for the target resource needs to be initiated, applying for a token for the operation request.
In the embodiments of the present invention, when a client program needs to access the target resource, it must first apply for a token; once the client has obtained the token, it can access the target resource. Specifically, applying for a token for the operation request may include:
determining whether a token of the type corresponding to the operation request is stored in the local token pool;
when a token of the type corresponding to the operation request is stored in the local token pool, taking the token out of the local token pool;
when no token of the type corresponding to the operation request is stored in the local token pool, sending a token acquisition request to the server, the token acquisition request corresponding to the operation request;
receiving the token sent by the server, the token being a token of the type corresponding to the operation request that the server issues from the available token pool in response to the token acquisition request;
where at least one token of the type corresponding to the operation request is stored in the available token pool.
Specifically, the client may maintain a local token pool. After a token has been used, the client does not return it immediately but stores it in the local token pool. When the client applies for a token of that type again, it can use the token stored in the local token pool directly, without applying to the server for issuance. Therefore, when applying for a token for the operation request, the client can first determine whether a token of the corresponding type is stored in the local token pool; if so, it uses the token in the local token pool, and if not, it applies to the server for a token to be issued.
Specifically, when the client applies to the server for a token to be issued, it may send a token acquisition request to the server, the token acquisition request corresponding to the operation request. Correspondingly, the server may, in response to the token acquisition request, issue at least one token of the type corresponding to the operation request from the available token pool and send the token to the client.
Specifically, the token acquisition request may carry the name of the token to be issued. The server may determine, based on whether the client is online and on the token name provided in the token acquisition request, whether there are still available tokens in the available token pool. If the client is online and a token is available, the server issues at least one token to the client; if the client is not online or no token is available, no token is issued and the client fails to obtain a token.
For example, if the client needs to access a leaderboard resource, it must first apply for a leaderboard resource access token. It can first check whether a leaderboard resource access token is stored in the local token pool. If so, it uses that token; if not, it applies to the server for a leaderboard resource access token, and if the server determines that the client is online and that the available token pool still contains an available leaderboard resource access token, the server issues one to the client.
It can be understood that by maintaining a local token pool, the client can store the tokens it has obtained locally, and when a token of that type is needed again it can use the one in the local token pool directly without applying to the server for issuance, which improves resource access efficiency and reduces the burden on the server.
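The local-pool lookup with server fallback described above, combined with the heartbeat expiry rule from the summary, as an added example (not code from the patent). `LocalTokenPool`, the `issue_from_server` and `send_heartbeat` callbacks and the interval values are hypothetical names and constructed values.

```python
import time
from collections import defaultdict, deque


class LocalTokenPool:
    """Client-side token cache: reuse local tokens, fall back to the server,
    and destroy everything once heartbeats have failed for too long."""

    def __init__(self, issue_from_server, send_heartbeat,
                 heartbeat_interval=5.0, stale_after=15.0, clock=time.monotonic):
        # The second preset interval must be greater than the first.
        if stale_after <= heartbeat_interval:
            raise ValueError("stale_after must exceed heartbeat_interval")
        self._issue = issue_from_server  # hypothetical: token_type -> token or None
        self._send = send_heartbeat      # hypothetical: () -> True if delivered
        self.heartbeat_interval = heartbeat_interval
        self._stale_after = stale_after
        self._clock = clock
        self._pool = defaultdict(deque)  # token type -> cached tokens
        self._last_ok = clock()          # time of the last successful heartbeat

    def heartbeat(self):
        """Call once per heartbeat_interval. Returns True if delivered."""
        ok = bool(self._send())
        if ok:
            self._last_ok = self._clock()
        self._destroy_if_stale()
        return ok

    def _destroy_if_stale(self):
        # First time interval >= second preset interval: drop every local token.
        if self._clock() - self._last_ok >= self._stale_after:
            self._pool.clear()
            return True
        return False

    def acquire(self, token_type):
        """Return (token, source); source is 'local', 'server' or 'denied'."""
        self._destroy_if_stale()
        if self._pool[token_type]:
            return self._pool[token_type].popleft(), "local"
        token = self._issue(token_type)
        return (token, "server") if token is not None else (None, "denied")

    def release(self, token):
        """After use, keep the token locally instead of handing it back."""
        if not self._destroy_if_stale():
            self._pool[token["type"]].append(token)

    def size(self):
        return sum(len(q) for q in self._pool.values())


if __name__ == "__main__":
    # Constructed stand-ins for the server: one token per request, always online.
    counter = {"n": 0}

    def issue(token_type):
        counter["n"] += 1
        return {"id": f"{token_type}-{counter['n']}", "type": token_type}

    pool = LocalTokenPool(issue, lambda: True)
    tok, source = pool.acquire("leaderboard-read")
    print(source, tok["id"])          # first request goes to the server
    pool.release(tok)
    print(pool.acquire("leaderboard-read")[1])  # second one is served locally
```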
S220: Parse the token to determine the signature verification mode of the token, the signature verification mode being one of client-side signature verification and server-side signature verification.
In the embodiment of the present invention, the token may include, but is not limited to, one or more of the following: a token identifier (ID), validity configuration information of the token, the server Internet Protocol (IP), the client IP, a signature verification rule, and a token validity encrypted string.
The validity configuration information of the token may be used to verify the validity of the token and may include, but is not limited to, one or more of the token's valid time, valid number of uses, and valid usage scenarios. The signature verification rule is the rule for verifying the token and may include the signature verification mode, which may be client-side signature verification or server-side signature verification. The token validity encrypted string may be used to verify the authenticity of the token and may include, but is not limited to, an encrypted string obtained by encrypting information such as the client's start time for the current run and the token ID.
In a possible embodiment, the validity configuration information of the token may be preset by the server according to actual needs, and the token validity encrypted string may be generated by the server when it issues the token. The signature verification rule of the token may be determined by the token's usage scenario. For usage scenarios with a higher security level, such as operations on confidential or private resources, the signature verification mode of the corresponding token can be set to server-side signature verification. For usage scenarios with a lower security level, such as operations on general resources, the signature verification mode of the corresponding token can be set to client-side signature verification.
Specifically, after the token is obtained, it may be parsed to determine its signature verification rule, and thereby whether the token is to be verified by the server or by the client.
S230: Verify the token according to the signature verification mode, and respond to the operation request according to the verification result.
In a distributed system, multiple application service nodes, or multiple client processes of the same application service node, may initiate access operations on a shared resource at the same moment. To avoid abnormal conditions such as resource disorder and process damage, access to shared resources can be controlled and the volume of resource access limited by allocating tokens and verifying their validity, thereby keeping the system running normally.
In the embodiment of the present invention, when the signature verification mode is client-side signature verification, the client may verify the token directly to obtain the verification result; when the signature verification mode is server-side signature verification, the client may send the token to the server for verification to obtain the verification result.
In a possible embodiment, with reference to FIG. 3 of the specification, verifying the token according to the signature verification mode and responding to the operation request according to the verification result may include:
S231: When the signature verification mode is client-side signature verification, perform a signature verification operation on the token to obtain a verification result.
S232: When the verification result is a pass, allow the operation requested by the operation request to be performed.
Specifically, when verifying the token, the client may first parse it to obtain information such as the token's validity configuration information, client IP, signature verification rule, and token validity encrypted string. The client may verify the authenticity of the token using the token validity encrypted string to determine whether the token has been tampered with. The client may verify the validity of the token using the validity configuration information and the signature verification rule to determine whether the token is valid. The client may also determine from the client IP whether the client that initiated the operation request has the corresponding operation permission. When the token has not been tampered with, the token is valid, and the client that initiated the operation request has the corresponding operation permission, the verification result is a pass. When the token has been tampered with, the token is invalid, or the client that initiated the operation request does not have the corresponding operation permission, the verification result is a failure.
Specifically, the method of verifying the authenticity of the token from the token validity encrypted string is prior art and is not described further here.
Specifically, verifying the validity of the token may include determining whether the current time is within the token's valid time, determining whether the token's number of uses is less than its valid number of uses, and/or determining whether the current scenario is a valid usage scenario for the token. If the current time is within the token's valid time, the token's number of uses is less than its valid number of uses, and/or the current scenario is a valid usage scenario for the token, the token can be determined to be valid; otherwise the token can be determined to be invalid.
Specifically, it may be determined whether the IP of the client that initiated the operation request is the same as the client IP carried in the token. If they are the same, the client that initiated the operation request can be determined to have the corresponding operation permission; otherwise it can be determined not to have the corresponding operation permission.
S233: When the signature verification mode is server-side signature verification, send the token to the server so that the server performs a signature verification operation on the token and obtains and returns a verification result.
S234: Receive the verification result sent by the server, and when the verification result is a pass, allow the operation requested by the operation request to be performed.
Specifically, when the signature verification mode is server-side signature verification, the client may parse the token to obtain the server IP of the token and send the token to the corresponding server. When verifying the token, the server may first parse it to obtain information such as the token's validity configuration information, client IP, signature verification rule, and token validity encrypted string, and verify the token using that information. The specific method is similar to the client's method of verifying the token and is not described further here.
In a possible embodiment, the server may also, in response to a user instruction or according to actual conditions, modify the token's validity configuration information to change the token's verification result, or directly modify the token's verification result, thereby achieving real-time, custom control over the access volume of the target resource. For example, when the access volume of the target resource is already high and a client still initiates an operation request for the target resource, then after the server receives the token corresponding to that operation request, even if the token has not been tampered with, the token is valid, and the client that initiated the operation request has the corresponding operation permission, the server may change the token's verification result to a failure and not allow the client to perform the operation requested by the operation request.
It can be understood that verifying the token's authenticity, its validity, and the client's permission prevents the token from being tampered with or used fraudulently and protects the security of shared resources, while effectively controlling the access volume of shared resources and keeping the system running stably.
In the embodiment of the present invention, the verification result may be a pass or a failure. A pass indicates that the token is authentic and valid, and the operation requested by the operation request may be performed. A failure indicates that the token is invalid, and the operation requested by the operation request is not allowed to be performed.
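The client-side and server-side verification paths described above, as an added Python example that is not part of the patent text. It assumes an HMAC-SHA256 tag over the token fields as a stand-in for the token validity encrypted string (the patent leaves that mechanism to prior art); the key, field names and sample values are constructed.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass

DEMO_KEY = b"constructed-demo-key"   # assumption: key shared at client registration


@dataclass
class Token:
    token_id: str
    not_before: int      # valid time window, epoch seconds
    not_after: int
    max_uses: int        # valid number of uses
    scenes: tuple        # valid usage scenarios
    server_ip: str
    client_ip: str
    verify_mode: str     # signature verification rule: "client" or "server"
    client_start: int    # client start time, bound into the tag
    mac: str = ""        # stands in for the token validity encrypted string
    uses: int = 0        # mutable counter, deliberately outside the tag


def canonical(t):
    """Serialize every immutable field, verify_mode included, for the tag."""
    return json.dumps([t.token_id, t.not_before, t.not_after, t.max_uses,
                       list(t.scenes), t.server_ip, t.client_ip,
                       t.verify_mode, t.client_start]).encode()


def sign(t, key=DEMO_KEY):
    return hmac.new(key, canonical(t), hashlib.sha256).hexdigest()


def verify(t, requester_ip, scene, now, key=DEMO_KEY):
    """Authenticity, then validity, then client permission. Returns (ok, reason)."""
    if not hmac.compare_digest(sign(t, key), t.mac):
        return False, "tampered"
    if not t.not_before <= now <= t.not_after:
        return False, "outside valid time"
    if t.uses >= t.max_uses:
        return False, "use count exhausted"
    if scene not in t.scenes:
        return False, "scenario not allowed"
    if requester_ip != t.client_ip:
        return False, "client IP mismatch"
    return True, "ok"


def server_verify(t, requester_ip, scene, now, overloaded=False):
    """Server-side check; the server may override the result under load."""
    if overloaded:
        return False, "rejected by server: target resource overloaded"
    return verify(t, requester_ip, scene, now)


def handle_operation(t, requester_ip, scene, now, overloaded=False):
    """Dispatch on the verification mode parsed from the token."""
    if t.verify_mode == "client":
        result = verify(t, requester_ip, scene, now)
    elif t.verify_mode == "server":
        # Stands in for sending the token to t.server_ip and awaiting the result.
        result = server_verify(t, requester_ip, scene, now, overloaded)
    else:
        result = (False, "unknown verification mode")
    if result[0]:
        t.uses += 1
    return result


def sample_token(mode):
    """Constructed token for a hypothetical leaderboard resource."""
    t = Token("tok-1", 1_700_000_000, 1_700_000_600, 2, ("leaderboard",),
              "10.0.0.1", "10.0.0.5", mode, 1_699_999_000)
    t.mac = sign(t)
    return t
```

Because `verify_mode` is inside the authenticated fields, rewriting a server-verified token to client-verified fails the tag check. With a shared key, any client that can verify can also mint tags, which is a property of this HMAC stand-in.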
In the embodiment of the present invention, when the verification result is a failure, the flow ends abnormally and the token may be destroyed. Specifically, if the current application scenario is a local call scenario, then when the client determines that the verification result is a failure, it may immediately destroy the token and send a token recycling request to the server. After receiving the token recycling request, the server may destroy the token and replenish the available token pool with a new available token. If the current application scenario is a distributed call scenario, the server may also send the verification result to the calling client (that is, the other client). If the calling client determines that the verification result is a failure, it may immediately destroy the token and send a token recycling request to the server. After receiving the token recycling request, the server may destroy the token and replenish the available token pool with a new available token.
In a possible embodiment, after the client has used the token to complete its access to the target resource, it may return the token to the local token pool and set a retention time for the token. Within the retention time, the client keeps the token. Once the retention time is exceeded, the client may destroy the token and send a token recycling request to the server to notify the server to recycle it. After receiving the token recycling request, the server may destroy the token and replenish the available token pool with a new available token. It can be understood that, with a token retention time set, the client automatically returns the token once the retention time is exceeded, which keeps token management orderly while better meeting the resource access needs of the distributed system.
Optionally, the retention time of the token may be configured by the server according to actual needs and sent to the client together with the token when the token is issued. The embodiment of the present invention does not limit the length of the retention time.
In a possible embodiment, the method may further include the following steps:
sending heartbeat data to the server each time a first preset time interval elapses;
recording a first time interval between the time heartbeat data was last sent successfully and the current time;
when the first time interval is greater than or equal to a second preset time interval, destroying all tokens in the local token pool;
wherein the second preset time interval is greater than the first preset time interval.
Specifically, after starting, the client may send heartbeat data to the server each time the first preset time interval elapses and record the time heartbeat data was last sent successfully. If no heartbeat has been sent successfully for longer than the second preset time interval, all tokens in the client's local token pool are destroyed. The first preset time interval and the second preset time interval may be set according to actual needs. For example, the first preset time interval may be set to n seconds (n greater than or equal to 1) and the second preset time interval to 3n+1 seconds; the embodiment of the present invention does not limit this.
Correspondingly, the server may monitor the heartbeat data sent by the client and record the time heartbeat data was last received successfully. If no heartbeat data has been received for longer than the second preset time interval, the server may remove the client from the online client list, destroy all tokens in the available token pool that are associated with the client, and replenish the available token pool with new available tokens.
It can be understood that, by sending heartbeat data to the server at regular intervals, the client can confirm normal communication with the server. When communication between the client and the server is lost, the server destroys all tokens associated with the client. This avoids the situation in which a network fault prevents tokens from being returned and other clients are therefore unable to access the resource, and it improves token utilization.
In summary, in the token management method according to the embodiment of the present invention, when an operation request for a target resource is detected, the token corresponding to the operation request is parsed to determine whether its signature verification mode is client-side or server-side signature verification, the token is verified according to that mode, and the operation request is responded to according to the verification result. Using different signature verification modes for different types of tokens not only effectively controls the various access operations on resources and achieves secure resource access, but also improves the efficiency of token verification and thereby the resource access efficiency of the whole system, while reducing the load on the server and improving system performance and stability.
Referring to FIG. 4 of the specification, which shows the flow of a token management method provided by another embodiment of the present invention. The method may be applied to a token management system that includes a client and a server. As shown in FIG. 4, the method may include the following steps:
S410: When the client detects an operation request for a target resource, it obtains the token corresponding to the operation request. The target resource is a shared resource of a distributed system, the token includes a signature verification rule, and the signature verification rule includes the signature verification mode for verifying the token.
S420: The client parses the token to determine the signature verification mode of the token, the signature verification mode being one of client-side signature verification and server-side signature verification.
S430: When the signature verification mode is client-side signature verification, the client performs a signature verification operation on the token to obtain a verification result.
S440: When the verification result is a pass, the client allows the operation requested by the operation request to be performed.
S450: When the signature verification mode is server-side signature verification, the client sends the token to the server.
S460: The server receives the token sent by the client and performs a signature verification operation on the token to obtain a verification result.
S470: The server sends the verification result to the client.
S480: The client receives the verification result sent by the server and, when the verification result is a pass, allows the operation requested by the operation request to be performed.
For the details of steps S410 to S480, refer to the method embodiment shown in FIG. 2; they are not repeated here.
In the embodiment of the present invention, the server may maintain an available token pool. The available token pool may store different kinds of tokens configured for different services and scenarios, together with the basic information of each kind of token, including the token name, token quantity, allocation rule, and signature verification rule. The token quantity is the maximum number of tokens of that kind that clients can obtain. The allocation rule is the rule for issuing tokens to clients and may include, for example, assigning a password to each client or sharing one password among all clients. The signature verification rule is the rule for verifying tokens of that kind and may include the signature verification mode for that kind of token, which may be client-side signature verification or server-side signature verification. It should be noted that the kinds of tokens in the available token pool and the basic information of each kind may be set according to actual needs; the embodiment of the present invention does not limit them.
It can be understood that maintaining an available token pool, with different kinds of tokens and their basic information configured for different services and scenarios, streamlines otherwise complex token management, so that applications need only be concerned with applying for and using tokens and the server can manage tokens more easily. The quantity of each kind of token may be set to one or to more than one, so the token management method provided by the embodiment of the present invention is suitable both for allocating a single token (a distributed lock) and for allocating multiple tokens (limited access to a shared resource). With tokens partitioned sensibly, the method can both synchronize access to a resource and limit the volume of access to it, giving it a wide range of application and making it easy to manage.
In practice, the server may be started first. After starting, the server may initialize all tokens and fill the available token pool with the configured number of each. The client instance is then started. After starting, the client may register with the server information about the corresponding client host, including but not limited to its IP, port, start time, and Media Access Control (MAC) address. The server may save the client's registration information in a storage medium such as a database or zookeeper and report to the client whether registration succeeded. When the client registers successfully, the server may add the client to the online client list, so that the server holds information including the online client list and the available token pool. When the client fails to register, the client fails to start and needs to be restarted.
In a possible embodiment, the method may further include:
the server receiving a token acquisition request sent by the client, the token acquisition request corresponding to the operation request for the target resource that the client needs to initiate;
the server, in response to the token acquisition request, issuing a token of the type corresponding to the operation request from the available token pool and sending the token to the client;
wherein the available token pool stores at least one token of the type corresponding to the operation request.
Specifically, when a client program needs to initiate an operation request for a target resource, it must first apply for a token; once the client has obtained the token, it can access the target resource. When applying for a token, the client may first determine whether the local token pool holds a token of the type corresponding to the operation request. If so, it uses the token in the local token pool; if not, it applies to the server for a token.
Specifically, when applying to the server for a token, the client may send the server a token acquisition request, which may carry the name of the token to be issued. Based on whether the client is online and on the token name provided in the request, the server may determine whether the available token pool still holds an available token. If the client is online and a token is available, the server issues at least one token to the client; if the client is not online or no token is available, no token is issued and the client fails to obtain a token.
In a possible embodiment, the method may further include:
the server receiving the heartbeat data that the client sends each time a first preset time interval elapses;
the server recording a second time interval between the time heartbeat data was last received successfully and the current time;
when the second time interval is greater than or equal to a second preset time interval, the server destroying all tokens in the available token pool that are associated with the client;
wherein the second preset time interval is greater than the first preset time interval.
Specifically, after starting, the client may send heartbeat data to the server each time the first preset time interval elapses. Correspondingly, the server may monitor the heartbeat data sent by the client and record the time heartbeat data was last received successfully. If no heartbeat data has been received for longer than the second preset time interval, the server may remove the client from the online client list, destroy all tokens in the available token pool that are associated with the client, and replenish the available token pool with new available tokens. The first preset time interval and the second preset time interval may be set according to actual needs. For example, the first preset time interval may be set to n seconds (n greater than or equal to 1) and the second preset time interval to 3n+1 seconds; the embodiment of the present invention does not limit this.
It can be understood that, by sending heartbeat data to the server at regular intervals, the client can confirm normal communication with the server. When communication between the client and the server is lost, the server destroys all tokens associated with the client. This avoids the situation in which a network fault prevents tokens from being returned and other clients are therefore unable to access the resource, and it improves token utilization.
In a possible embodiment, the method may further include:
the server sending a token check instruction to the client;
the server receiving the valid token information that the client sends in response to the token check instruction;
the server managing the tokens in the available token pool according to the valid token information.
Specifically, after the server restarts, or at regular intervals, it may send a token check instruction to the online clients, requiring each client to report all of its valid tokens. Correspondingly, the client may send valid token information to the server in response to the token check instruction. After obtaining the valid token information, the server may compare it with the list of issued tokens in the available token pool to identify tokens that have already expired on the client but for which the client failed to notify the server, remove those tokens from the list of issued tokens and destroy them, and replenish the available token pool with new available tokens. After obtaining the valid token information, the server may also use it to restore tokens that the server destroyed by mistake.
It can be understood that, after the server has failed or been shut down, the valid token information of each client can be obtained through an automatic system check, and the tokens in the available token pool can be restored or destroyed on the basis of that information, which keeps the system robust.
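An added sketch, not taken from the patent, of the server's available token pool with issuance, heartbeat expiry and the token check, plus the client's matching local-pool timeout described in the earlier embodiment. Class and method names are hypothetical, the timeout uses the 3n+1 example value, and restoring a token by taking back one replenished slot is an assumption the text does not specify.

```python
import itertools


class TokenServer:
    """Available token pool, issued-token list and online client list."""

    def __init__(self, capacity, heartbeat_interval):
        self.timeout = 3 * heartbeat_interval + 1   # second preset interval, 3n+1
        self.seq = itertools.count(1)
        self.available = {name: [self.mint(name) for _ in range(count)]
                          for name, count in capacity.items()}
        self.issued = {}      # token id -> (token name, client)
        self.last_seen = {}   # online client list: client -> last heartbeat time

    def mint(self, name):
        return f"{name}-{next(self.seq)}"

    def heartbeat(self, client, now):
        # Registration is folded into the first heartbeat in this sketch.
        self.last_seen[client] = now

    def acquire(self, client, name):
        """Issue a token only to an online client and only while one is available."""
        if client not in self.last_seen or not self.available.get(name):
            return None
        token_id = self.available[name].pop()
        self.issued[token_id] = (name, client)
        return token_id

    def destroy(self, token_id):
        """Destroy an issued token and replenish the pool with a new one."""
        name, _client = self.issued.pop(token_id)
        self.available[name].append(self.mint(name))

    def sweep(self, now):
        """Drop clients whose heartbeat is overdue and reclaim their tokens."""
        dead = [c for c, seen in self.last_seen.items()
                if now - seen >= self.timeout]
        for client in dead:
            del self.last_seen[client]
            for token_id in [t for t, (_n, c) in self.issued.items() if c == client]:
                self.destroy(token_id)
        return dead

    def reconcile(self, client, reported):
        """Token check: `reported` maps token id -> token name held by the client."""
        stale = [t for t, (_n, c) in self.issued.items()
                 if c == client and t not in reported]
        for token_id in stale:
            self.destroy(token_id)
        restored = []
        for token_id, name in reported.items():
            # Assumption: restore only if a replenished slot can be taken back,
            # so the per-type cap is never exceeded. A real server would also
            # check the reported token's authenticity before restoring it.
            if token_id not in self.issued and self.available.get(name):
                self.available[name].pop()
                self.issued[token_id] = (name, client)
                restored.append(token_id)
        return stale, restored


class ClientPool:
    """Client side: local token pool cleared when heartbeats keep failing."""

    def __init__(self, heartbeat_interval, now):
        self.timeout = 3 * heartbeat_interval + 1
        self.last_ok = now
        self.tokens = {}      # token name -> token id

    def after_heartbeat(self, ok, now):
        """Record a heartbeat attempt; return how many local tokens remain."""
        if ok:
            self.last_ok = now
        elif now - self.last_ok >= self.timeout:
            self.tokens.clear()
        return len(self.tokens)
```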
In a possible embodiment, the server may also receive a token recycling request sent by the client. After receiving the token recycling request, the server may destroy the token and replenish the available token pool with a new available token.
In a possible embodiment, when the client goes offline, it may actively destroy all tokens in its local token pool and send an offline notification to the server. After receiving the offline notification, the server may destroy all tokens in the available token pool that were issued to that client, replenish the available token pool with new available tokens, and remove the client from the online client list.
In summary, the token management method according to the embodiment of the present invention adopts a client/server model in which the server is responsible for managing, allocating, and recycling tokens and the client is responsible for applying for and using tokens. When the client detects an operation request for a target resource, it parses the token corresponding to the operation request to determine whether the token's signature verification mode is client-side or server-side signature verification, verifies the token according to that mode, and responds to the operation request according to the verification result. Using different signature verification modes for different types of tokens not only effectively controls the various access operations on resources and achieves secure resource access, but also improves the efficiency of token verification and thereby the resource access efficiency of the whole system, while reducing the load on the server and improving system performance and stability.
Referring to Figure 5 of the accompanying drawings, which shows the structure of a token management apparatus 500 provided by an embodiment of the present invention, the token management apparatus 500 is arranged on the client. As shown in Figure 5, the token management apparatus 500 may include:
an acquisition module 510, configured to acquire, when an operation request for a target resource is detected, the token corresponding to the operation request, where the target resource is a shared resource of a distributed system, the token includes a signature verification rule, and the signature verification rule includes the signature verification mode used to verify the token;
a determination module 520, configured to parse the token to determine the signature verification mode of the token, the signature verification mode being one of client-side verification and server-side verification;
a processing module 530, configured to verify the token based on the signature verification mode and respond to the operation request according to the verification result.
In a possible embodiment, the token management apparatus 500 may further include:
a token application module, configured to apply for a token for an operation request when an operation request for the target resource needs to be initiated.
In a possible embodiment, the token management apparatus 500 may further include:
a data sending module, configured to send heartbeat data to the server each time a first preset time interval elapses;
a time recording module, configured to record a first time interval between the time at which heartbeat data was last successfully sent and the current time;
a token destruction module, configured to destroy all tokens in the local token pool when the first time interval is greater than or equal to a second preset time interval;
where the second preset time interval is greater than the first preset time interval.
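Referring to Figure 6 of the accompanying drawings, which shows the structure of a token management system 600 provided by an embodiment of the present invention, the token management system 600 may, as shown in Figure 6, include a client 610 and a server 620.
The client 610 may be configured to acquire, when an operation request for a target resource is detected, the token corresponding to the operation request, where the target resource is a shared resource of a distributed system, the token includes a signature verification rule, and the signature verification rule includes the signature verification mode used to verify the token; and to parse the token to determine the signature verification mode of the token, the signature verification mode being one of client-side verification and server-side verification.
The client 610 may further be configured to, when the signature verification mode is client-side verification, perform a signature verification operation on the token to obtain a verification result, and, when the verification result is a pass, allow the operation requested by the operation request to be executed.
The client 610 may further be configured to send the token to the server when the signature verification mode is server-side verification.
The server 620 may be configured to receive the token sent by the client, perform a signature verification operation on the token to obtain a verification result, and send the verification result to the client.
The client 610 may further be configured to receive the verification result sent by the server and, when the verification result is a pass, allow the operation requested by the operation request to be executed.
In a possible embodiment, the server 620 may further be configured to receive a token acquisition request sent by the client, the token acquisition request corresponding to the operation request for the target resource that the client needs to initiate; and, in response to the token acquisition request, issue from the available token pool a token of the type corresponding to the operation request and send the token to the client; where the available token pool stores at least one token of the type corresponding to the operation request.
In a possible embodiment, the server 620 may further be configured to receive the heartbeat data that the client sends each time the first preset time interval elapses; record a second time interval between the time at which heartbeat data was last successfully received and the current time; and, when the second time interval is greater than or equal to the second preset time interval, destroy all tokens in the available token pool that are associated with the client; where the second preset time interval is greater than the first preset time interval.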
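The client-side and server-side heartbeat rules above can be run together to see when each side destroys its tokens. This is an added example, not code from the patent; the function name, the integer clock, the `link` callback and the rule that a heartbeat counts as "successfully sent" only once the server's acknowledgement arrives are assumptions made here.

```python
def simulate(t1, t2, link, horizon):
    """Run client and server heartbeat timers on one integer clock.

    t1      -- first preset interval (heartbeat period)
    t2      -- second preset interval (destroy threshold), must exceed t1
    link(t) -- fate of the heartbeat sent at time t:
               'ok' (delivered and acknowledged), 'ack_lost' (delivered,
               acknowledgement lost) or 'down' (never delivered)
    Returns (client_destroy_time, server_destroy_time); None = never.
    """
    if t2 <= t1:
        raise ValueError("second preset interval must exceed the first")
    client_last = server_last = 0        # both sides start in sync at t = 0
    client_destroyed = server_destroyed = None
    for now in range(1, horizon + 1):
        if now % t1 == 0 and client_destroyed is None:
            state = link(now)
            if state in ("ok", "ack_lost") and server_destroyed is None:
                server_last = now        # server saw the heartbeat
            if state == "ok":
                client_last = now        # client saw the acknowledgement
        # Client: gap since the last successful send reached t2.
        if client_destroyed is None and now - client_last >= t2:
            client_destroyed = now       # destroy the local token pool
        # Server: gap since the last received heartbeat reached t2.
        if server_destroyed is None and now - server_last >= t2:
            server_destroyed = now       # destroy this client's issued tokens
    return client_destroyed, server_destroyed
```

Because an acknowledged heartbeat is always one the server received, the client's timer can never be ahead of the server's, so the client gives up its tokens no later than the server destroys them and frees the capacity for other clients.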
In a possible embodiment, the server 620 may further be configured to send a token check instruction to the client; receive the valid token information sent by the client in response to the token check instruction; and manage the tokens in the available token pool according to the valid token information.
It should be noted that, when the apparatus provided by the above embodiments implements its functions, the division into the functional modules described above is used only as an example. In practical applications, the functions may be assigned to different functional modules as required, that is, the internal structure of the device may be divided into different functional modules to perform all or part of the functions described above. In addition, the apparatus provided by the above embodiments and the corresponding method embodiments belong to the same concept; for the specific implementation process, see the corresponding method embodiments, which are not repeated here.
An embodiment of the present invention further provides an electronic device. The electronic device includes a processor and a memory; the memory stores at least one instruction or at least one program, and the at least one instruction or the at least one program is loaded and executed by the processor to implement the token management method provided by the above method embodiments.
The memory may be used to store software programs and modules, and the processor performs various functional applications and data processing by running the software programs and modules stored in the memory. The memory may mainly include a program storage area and a data storage area, where the program storage area may store the operating system, the application programs required by the functions, and so on, and the data storage area may store data created through use of the device, and so on. In addition, the memory may include high-speed random access memory and may also include non-volatile memory, for example at least one magnetic disk storage device, flash memory device, or other volatile solid-state storage device. Correspondingly, the memory may also include a memory controller to provide the processor with access to the memory.
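With reference to Figure 7 of the accompanying drawings, a block diagram of an electronic device 700 according to an embodiment of the present invention is shown. The electronic device 700 may include one or more processors 702, system control logic 708 connected to at least one of the processors 702, system memory 704 connected to the system control logic 708, non-volatile memory (NVM) 706 connected to the system control logic 708, and a network interface 710 connected to the system control logic 708.
The processor 702 may include one or more single-core or multi-core processors. The processor 702 may include any combination of general-purpose processors and special-purpose processors (for example, graphics processors, application processors, baseband processors, etc.). In the embodiments herein, the processor 702 may be configured to execute one or more of the various embodiments shown in Figures 2 to 4.
In some embodiments, the system control logic 708 may include any suitable interface controller to provide any suitable interface to at least one of the processors 702 and/or to any suitable device or component in communication with the system control logic 708.
In some embodiments, the system control logic 708 may include one or more memory controllers to provide an interface to the system memory 704. The system memory 704 may be used to load and store data and/or instructions. In some embodiments, the memory 704 of the device 700 may include any suitable volatile memory, such as suitable dynamic random access memory (DRAM).
The NVM/memory 706 may include one or more tangible, non-transitory computer-readable media for storing data and/or instructions. In some embodiments, the NVM/memory 706 may include any suitable non-volatile memory such as flash memory and/or any suitable non-volatile storage device, such as at least one of an HDD (Hard Disk Drive), a CD (Compact Disc) drive, and a DVD (Digital Versatile Disc) drive.
The NVM/memory 706 may include a portion of the storage resources installed on the apparatus of the device 700, or it may be accessible by the device without necessarily being part of the device. For example, the NVM/memory 706 may be accessed over a network via the network interface 710.
In particular, the system memory 704 and the NVM/memory 706 may respectively include a temporary copy and a permanent copy of instructions 720. The instructions 720 may include instructions that, when executed by at least one of the processors 702, cause the device 700 to implement the token management method shown in Figures 2 to 4. In some embodiments, the instructions 720, hardware, firmware and/or software components thereof may additionally or alternatively reside in the system control logic 708, the network interface 710 and/or the processor 702.
The network interface 710 may include a transceiver that provides a radio interface for the device 700 so that it can communicate with any other suitable device (such as front-end modules, antennas, etc.) over one or more networks. In some embodiments, the network interface 710 may be integrated with other components of the device 700. For example, the network interface 710 may be integrated with at least one of a communication module of the processor 702, the system memory 704, the NVM/memory 706, and a firmware device (not shown) having instructions; when at least one of the processors 702 executes the instructions, the device 700 implements one or more of the various embodiments shown in Figures 2 to 4.
The network interface 710 may further include any suitable hardware and/or firmware to provide a multiple-input multiple-output radio interface. For example, the network interface 710 may be a network adapter, a wireless network adapter, a telephone modem and/or a wireless modem.
In one embodiment, at least one of the processors 702 may be packaged together with logic for one or more controllers of the system control logic 708 to form a system in package (SiP). In one embodiment, at least one of the processors 702 may be integrated on the same die with logic for one or more controllers of the system control logic 708 to form a system on chip (SoC).
The device 700 may further include input/output (I/O) devices 712. The I/O devices 712 may include a user interface that enables a user to interact with the device 700; a peripheral component interface is designed so that peripheral components can also interact with the device 700. In some embodiments, the device 700 further includes sensors for determining at least one of environmental conditions and location information related to the device 700.
In some embodiments, the user interface may include, but is not limited to, a display (for example, a liquid crystal display, a touch screen display, etc.), a speaker, a microphone, one or more cameras (for example, a still image camera and/or a video camera), a flashlight (for example, an LED flash) and a keyboard.
In some embodiments, the peripheral component interface may include, but is not limited to, a non-volatile memory port, an audio jack and a power interface.
In some embodiments, the sensors may include, but are not limited to, a gyroscope sensor, an accelerometer, a proximity sensor, an ambient light sensor and a positioning unit. The positioning unit may also be part of the network interface 710 or interact with the network interface 710 to communicate with components of a positioning network (for example, Global Positioning System (GPS) satellites).
It can be understood that the structure illustrated in the embodiments of the present invention does not constitute a specific limitation on the electronic device 700. In other embodiments of the present invention, the electronic device 700 may include more or fewer components than illustrated, combine certain components, split certain components, or arrange the components differently. The illustrated components may be implemented in hardware, software, or a combination of software and hardware.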
An embodiment of the present invention further provides a computer-readable storage medium. The computer-readable storage medium may be arranged in an electronic device to store at least one instruction or at least one program used to implement a token management method, and the at least one instruction or the at least one program is loaded and executed by the processor to implement the token management method provided by the above method embodiments.
Optionally, in the embodiments of the present invention, the storage medium may include, but is not limited to, a USB flash drive, read-only memory (ROM), random access memory (RAM), a removable hard disk, a magnetic disk, an optical disc, or any other medium that can store program code.
An embodiment of the present invention further provides a computer program product. The computer program product includes a computer program/instructions; when the computer program product runs on an electronic device, the computer program/instructions are loaded and executed by a processor to implement the steps of the token management method provided in the various optional embodiments above.
It should be noted that the order of the above embodiments of the present invention is for description only and does not indicate the relative merits of the embodiments. The foregoing describes specific embodiments of this specification. Other embodiments are within the scope of the appended claims. In some cases, the actions or steps recited in the claims may be performed in an order different from that in the embodiments and still achieve the desired results. In addition, the processes depicted in the accompanying drawings do not necessarily require the particular order shown, or sequential order, to achieve the desired results. In some implementations, multitasking and parallel processing are also possible or may be advantageous.
The embodiments in this specification are described in a progressive manner; for parts that are the same or similar across embodiments, the embodiments may be referred to one another, and each embodiment focuses on its differences from the other embodiments. In particular, since the apparatus embodiments are basically similar to the method embodiments, they are described relatively briefly; for the relevant details, see the corresponding parts of the description of the method embodiments.
Those of ordinary skill in the art will understand that all or part of the steps of the above embodiments may be implemented by hardware, or by a program instructing the relevant hardware. The program may be stored in a computer-readable storage medium, and the storage medium mentioned above may be a read-only memory, a magnetic disk, an optical disc, or the like.
The above are only preferred embodiments of the present invention and are not intended to limit the present invention. Any modification, equivalent replacement, improvement, etc. made within the spirit and principles of the present invention shall fall within the scope of protection of the present invention.
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202211052968.XA, CN115396119B (en) | 2022-08-31 | 2022-08-31 | Token management method, device, system, equipment, storage medium and program product |
| Publication Number | Publication Date |
|---|---|
| CN115396119A (en) | 2022-11-25 |
| CN115396119B (en) | 2024-12-24 |
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202211052968.XA (Active), CN115396119B (en) | 2022-08-31 | 2022-08-31 | Token management method, device, system, equipment, storage medium and program product |
| Country | Link |
|---|---|
| CN (1) | CN115396119B (en) |
| Date | Code | Title | Description |
|---|---|---|---|
| | PB01 | Publication | |
| | SE01 | Entry into force of request for substantive examination | |
| | GR01 | Patent grant | |