CN-122001668-A - Request processing method, system, device and storage medium based on authority authentication

Abstract

The application discloses a request processing method, system, device and storage medium based on authority authentication. The method comprises: when a service processing request of a user is received, performing identity validity authentication on the user through a gateway layer according to the user identity information in the service processing request, to obtain a first authentication result; when the first authentication result indicates that authentication passed, performing authority authentication on the user through an application layer according to the user identity information in the service processing request, to obtain a second authentication result; and when the second authentication result indicates that authentication passed, processing the service processing request through the application layer. The application solves the problem in the related art that user requests are processed with low security because authority authentication is performed on the user only at the gateway layer.

Inventors

  • LI JINSONG
  • YU BO
  • HAO LIPING
  • CAO WEI
  • LUO WENFEI
  • ZHENG XIAOMEI
  • CHEN BING
  • XU JUN

Assignees

  • 中航信云智科技(北京)有限公司

Dates

Publication Date
20260508
Application Date
20260313

Claims (10)

  1. A request processing method based on authority authentication, which is applied to a request processing system, wherein the request processing system comprises a gateway layer and an application layer, and the method comprises the following steps: under the condition that a service processing request of a user is received, carrying out identity validity authentication on the user through the gateway layer according to user identity information in the service processing request to obtain a first authentication result; performing authority authentication on the user through the application layer according to the user identity information in the service processing request under the condition that the first authentication result represents authentication pass, and obtaining a second authentication result; and processing the service processing request through the application layer under the condition that the second authentication result represents authentication passing.
  2. The method of claim 1, wherein authenticating the user for identity validity by the gateway layer according to the user identity information in the service processing request, to obtain a first authentication result, comprises: extracting an identity token of a user from the service processing request, wherein the identity token is used for recording the identity information of the user; judging whether the user belongs to a preset first list or not based on the user identity information in the identity token, wherein the first list is used for recording users allowed to send requests to the request processing system; under the condition that the user belongs to the first list, determining that the first authentication result represents authentication passing; and under the condition that the user does not belong to the first list, determining that the first authentication result indicates that the authentication fails.
  3. The method of claim 1, wherein performing, by the application layer, authority authentication on the user according to the user identity information in the service processing request, to obtain a second authentication result, includes: acquiring a second list through the gateway layer, wherein the second list is used for recording gateway paths with security requirement degrees smaller than a preset degree value; determining a target gateway path which is requested to be accessed in the service processing request through the gateway layer, and judging whether the target gateway path is included in the second list; and under the condition that the target gateway path is not included in the second list, performing authority authentication on the user through the application layer according to the user identity information, to obtain the second authentication result.
  4. The method according to claim 3, wherein after determining whether the target gateway path is included in the second list, the method further comprises: processing the service processing request through the application layer under the condition that the target gateway path is included in the second list.
  5. The method of claim 1, wherein performing, by the application layer, authority authentication on the user according to the user identity information in the service processing request, to obtain a second authentication result, includes: determining authority information of the user according to the user identity information; determining that the second authentication result represents authentication pass under the condition that the authority information represents that the user has the authority of the target level; acquiring a target mapping table under the condition that the authority information characterizes that the user does not have the authority of the target level, wherein the target mapping table is used for recording the authority level which the user needs to have when accessing different business services; and authenticating the user based on the target mapping table and the authority information indicated by the service processing request to obtain the second authentication result.
  6. The method of claim 5, wherein authenticating the user based on the target mapping table and the authority information indicated by the service processing request to obtain the second authentication result comprises: determining a target business service requested to be accessed by the service processing request; determining target authority information corresponding to the target business service from the target mapping table; if the authority information indicated by the service processing request is higher than or equal to the authority level of the target authority information, determining that the second authentication result represents authentication pass; and if the authority information indicated by the service processing request is lower than the authority level of the target authority information, determining that the second authentication result represents that the authentication fails.
  7. The method of claim 6, wherein determining target authority information corresponding to the target business service from the target mapping table comprises: judging whether a target service path of the target business service exists in the target mapping table; judging whether a first service path exists in the target mapping table or not based on a wildcard under the condition that the target service path does not exist in the target mapping table, wherein the first service path is identical with part of the fields in the target service path; and under the condition that the first service path exists in the target mapping table, determining the authority information matched with the first service path as the target authority information.
  8. A request processing system based on authority authentication, comprising: the gateway layer, used for carrying out identity validity authentication on the user according to the user identity information in the service processing request under the condition that the service processing request of the user is received, so as to obtain a first authentication result; and the application layer, used for carrying out authority authentication on the user according to the user identity information in the service processing request to obtain a second authentication result when the first authentication result represents that the authentication is passed, and processing the service processing request when the second authentication result represents that the authentication is passed.
  9. A request processing apparatus based on authority authentication, applied to a request processing system, the request processing system including a gateway layer and an application layer, the apparatus comprising: the first authentication module, used for authenticating the identity validity of the user according to the user identity information in the service processing request through the gateway layer under the condition that the service processing request of the user is received, so as to obtain a first authentication result; the second authentication module, used for carrying out authority authentication on the user through the application layer according to the user identity information in the service processing request under the condition that the first authentication result represents authentication pass, so as to obtain a second authentication result; and the processing module, used for processing the service processing request through the application layer under the condition that the second authentication result represents that the authentication passes.
  10. A computer-readable storage medium, characterized in that the computer-readable storage medium includes a stored executable program, wherein the executable program, when run, controls a device in which the computer-readable storage medium is located to execute the request processing method based on authority authentication according to any one of claims 1 to 7.
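
The flow of claims 1 to 7, sketched in Python as an added example; it is not code from the application. All names, users, paths and levels are constructed, the identity token is assumed to be signature-verified already, and two behaviours the claims leave open are labelled as assumptions in the comments.

```python
from fnmatch import fnmatchcase

# All names and values below are constructed for illustration.
FIRST_LIST = {"alice", "bob", "root"}   # users allowed to send requests (claim 2)
SECOND_LIST = {"/public/health"}        # low-security gateway paths (claim 3)
TARGET_LEVEL = 9                        # level that passes outright (claim 5)
USER_LEVELS = {"alice": 3, "bob": 1, "root": 9}
MAPPING_TABLE = {                       # service path -> required level (claim 5)
    "/orders/export": 5,
    "/orders/*": 2,
    "/admin/*": 7,
}

def gateway_layer(request):
    """First authentication result, plus whether the path is in the second list."""
    user = request.get("token", {}).get("sub")  # token assumed already verified
    passed = user in FIRST_LIST
    return passed, passed and request["path"] in SECOND_LIST

def required_level(path):
    """Exact entry first, then wildcard entries (claim 7); None if nothing matches."""
    if path in MAPPING_TABLE:
        return MAPPING_TABLE[path]
    hits = [p for p in MAPPING_TABLE if "*" in p and fnmatchcase(path, p)]
    # Assumption: the longest (most specific) wildcard pattern wins.
    return MAPPING_TABLE[max(hits, key=len)] if hits else None

def application_layer(request):
    """Second authentication result (claims 5 and 6)."""
    level = USER_LEVELS.get(request["token"]["sub"], 0)
    if level >= TARGET_LEVEL:  # assumption: target level modelled as a top level
        return True
    need = required_level(request["path"])
    # Assumption: unmapped paths are denied; the claims do not cover this case.
    return need is not None and level >= need

def handle(request):
    first_ok, low_security = gateway_layer(request)
    if not first_ok:
        return "rejected: gateway"
    if low_security or application_layer(request):
        return "processed"
    return "rejected: application"
```

Calling `application_layer` directly, as a request that never passed through the gateway would, still enforces the mapping table, which is the single-point failure the background section describes.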

Description

Request processing method, system, device and storage medium based on authority authentication

Technical Field

The application relates to the technical field of internet, in particular to a request processing method, a request processing system, a request processing device and a storage medium based on authority authentication.

Background

Authenticating users' rights when processing user requests is an integral part of modern web applications, especially enterprise-level applications and service platforms. With the rapid development of information technology and the popularization of the internet, the construction of user rights management and authentication mechanisms has become increasingly complex and important.

Currently, related technologies only verify rights at a single point at the gateway layer, and lack a multi-layer protection mechanism. When single-point verification fails or is bypassed, system security is severely compromised. For example, if rights are verified only at the gateway and an attacker accesses a backend service directly, the rights control is completely bypassed, so user requests are processed with low security.

In view of the above problems in the related art, no effective solution has been proposed at present.

Disclosure of Invention

The application mainly aims to provide a request processing method, a request processing system, a request processing device and a storage medium based on authority authentication, so as to solve the problem that the security of processing a user request is low because the authority authentication is only carried out on a user at a gateway layer when the user request is processed in the related technology.

In order to achieve the above object, according to one aspect of the present application, there is provided a request processing method based on authority authentication.
The method comprises the steps of carrying out identity validity authentication on a user through a gateway layer under the condition that a service processing request of the user is received, obtaining a first authentication result, carrying out authority authentication on the user through an application layer under the condition that the first authentication result represents authentication passing, obtaining a second authentication result, and processing the service processing request through the application layer under the condition that the second authentication result represents authentication passing.

The request processing method based on the authority authentication further comprises the steps of extracting an identity token of the user from the service processing request, wherein the identity token is used for recording user identity information, judging whether the user belongs to a preset first list or not based on the user identity information in the identity token, wherein the first list is used for recording the user allowed to send the request to the request processing system, determining that the first authentication result represents authentication passing under the condition that the user belongs to the first list, and determining that the first authentication result represents authentication failing under the condition that the user does not belong to the first list.
Optionally, the request processing method based on authority authentication further comprises the steps of obtaining a second list through a gateway layer, wherein the second list is used for recording gateway paths with security requirement degrees smaller than a preset degree value, determining target gateway paths requested to be accessed in service processing requests through the gateway layer, judging whether the second list comprises the target gateway paths or not, and performing authority authentication on users through an application layer according to user identity information under the condition that the second list does not comprise the target gateway paths to obtain a second authentication result.

Optionally, the request processing method based on authority authentication further comprises the step of processing the service processing request through the application layer under the condition that the target gateway path is included in the second list after judging whether the target gateway path is included in the second list.

Optionally, the request processing method based on the authority authentication further comprises the steps of determining the authority information of the user according to the user identity information, determining that the second authentication result represents that the authentication is passed under the condition that the authority information represents that the user has the authority of the target grade, obtaining a target mapping table under the condition that the authority information represents that the user does not have the authority of the target grade, wherein the target mapping table is used for recording the author