Method and device for access authentication

Document number: 1478666. Publication date: 2020-02-25.

Reading note: this technology, "Method and device for access authentication", was designed and created by 王婷 and 魏斌 on 2018-08-16. Its main content is as follows. The invention discloses an access authentication method and device, and relates to the technical field of computers. One embodiment of the method comprises: receiving an access request; judging whether the timestamp, the first signature and the visitor IP in the access request all accord with a second authentication rule; if yes, passing the authentication. The second authentication rule includes: the timestamp is within a first preset time range, the first signature has not been used within a second preset time range, and the visitor IP is in the list of IPs allowed to access. Because this embodiment adopts technical means such as verifying the timeliness of the signature, forbidding signature reuse and restricting the IPs allowed to access, it avoids signature reuse, optimizes the resource access flow, improves resource access efficiency and relieves the pressure that malicious requests place on the service system.

1. A method of access authentication, comprising:

receiving an access request;

judging whether the timestamp, the first signature and the visitor IP in the access request all accord with a second authentication rule; if yes, passing the authentication;

the second authentication rule includes: the time stamp is in a first preset time range, the first signature is not used in a second preset time range, and the IP of the visitor is in an IP list allowing the visitor to access.

2. The method of claim 1, before determining whether the timestamp, the first signature, and the visitor IP in the access request all conform to the second authentication rule, the method further comprising:

determining that the version number and the mandatory filling parameter of the access request accord with a first authentication rule;

the first authentication rule includes: the version number of the access request is consistent with the preset version number, and the mandatory filling parameter is not lost.

3. The method of claim 1, wherein whether the timestamp, the first signature, and the visitor IP in the access request all conform to a second authentication rule is determined; if yes, passing authentication, including:

judging whether the timestamp, the first signature and the visitor IP in the access request all accord with a second authentication rule; if so, generating a second signature according to the signature parameter in the access request, and verifying whether the second signature is consistent with the first signature;

and if the second signature is consistent with the first signature, the authentication is passed.

4. The method of claim 3, wherein generating a second signature based on the signature parameter in the access request comprises:

acquiring signature parameters in the access request, wherein the signature parameters comprise an access token, a timestamp, a universal unique identification code and a part of uniform resource identifier;

sorting and splicing the signature parameters in a dictionary order ascending order according to the key values of the signature parameters to obtain character strings;

adding a key at the tail of the character string, and encoding the character string with the key;

and calculating the digest value of the encoding processing result by adopting a message digest algorithm so as to obtain a second signature.

5. An apparatus for access authentication, comprising:

a receiving module to: receiving an access request;

an authentication module to: judging whether the timestamp, the first signature and the visitor IP in the access request all accord with a second authentication rule; if yes, passing the authentication;

a rules module to: and configuring a second authentication rule, wherein the second authentication rule comprises that the time stamp is in a first preset time range, the first signature is not used in a second preset time range, and the IP of the visitor is in an IP list allowing access.

6. The apparatus of claim 1, wherein the authentication module is further configured to:

determining that the version number and the mandatory filling parameter of the access request accord with a first authentication rule;

the first authentication rule includes: the version number of the access request is consistent with the preset version number, and the mandatory filling parameter is not lost.

7. The apparatus of claim 1, wherein the authentication module is further configured to:

judging whether the timestamp, the first signature and the visitor IP in the access request all accord with a second authentication rule; if so, generating a second signature according to the signature parameter in the access request, and verifying whether the second signature is consistent with the first signature;

and if the second signature is consistent with the first signature, the authentication is passed.

8. The apparatus of claim 3, wherein the authentication module is further configured to:

acquiring signature parameters in the access request, wherein the signature parameters comprise an access token, a timestamp, a universal unique identification code and a part of uniform resource identifier;

sorting and splicing the signature parameters in a dictionary order ascending order according to the key values of the signature parameters to obtain character strings;

adding a key at the tail of the character string, and encoding the character string with the key;

and calculating the digest value of the encoding processing result by adopting a message digest algorithm so as to obtain a second signature.

9. An electronic device, comprising:

one or more processors;

a storage device for storing one or more programs,

when executed by the one or more processors, cause the one or more processors to implement the method of any one of claims 1-4.

10. A computer-readable medium, on which a computer program is stored, which, when being executed by a processor, carries out the method according to any one of claims 1-4.

Technical Field

The present invention relates to the field of computer technologies, and in particular, to a method and an apparatus for access authentication.

Background

Disclosure of Invention

In view of this, embodiments of the present invention provide an access authentication method and apparatus, which can solve the problem that a signature token is repeatedly used and is easily attacked by an external network after a parameter is leaked.

To achieve the above object, according to an aspect of an embodiment of the present invention, there is provided an access authentication method including: receiving an access request; judging whether the timestamp, the first signature and the visitor IP in the access request all accord with a second authentication rule; if yes, passing the authentication; the second authentication rule includes: the time stamp is in a first preset time range, the first signature is not used in a second preset time range, and the IP of the visitor is in an IP list allowing the visitor to access.

Optionally, before determining whether the timestamp, the first signature, and the visitor IP in the access request all conform to the second authentication rule, the method further includes: determining that the version number and the mandatory filling parameter of the access request accord with a first authentication rule; the first authentication rule includes: the version number of the access request is consistent with the preset version number, and the mandatory filling parameter is not lost.

Optionally, judging whether the timestamp, the first signature and the visitor IP in the access request all conform to a second authentication rule; if yes, passing authentication, including: judging whether the timestamp, the first signature and the visitor IP in the access request all accord with a second authentication rule; if so, generating a second signature according to the signature parameter in the access request, and verifying whether the second signature is consistent with the first signature; and if the second signature is consistent with the first signature, the authentication is passed.

Optionally, generating a second signature according to the signature parameter in the access request includes: acquiring signature parameters in the access request, wherein the signature parameters comprise an access token, a timestamp, a universal unique identification code and a part of uniform resource identifier; sorting and splicing the signature parameters in a dictionary order ascending order according to the key values of the signature parameters to obtain character strings; adding a key at the tail of the character string, and encoding the character string with the key; and calculating the digest value of the encoding processing result by adopting a message digest algorithm so as to obtain a second signature.

To achieve the above object, according to still another aspect of an embodiment of the present invention, there is provided an apparatus for access authentication, including: a receiving module to: receiving an access request; an authentication module to: judging whether the timestamp, the first signature and the visitor IP in the access request all accord with a second authentication rule; if yes, passing the authentication; the second authentication rule includes: the time stamp is in a first preset time range, the first signature is not used in a second preset time range, and the IP of the visitor is in an IP list allowing the visitor to access.

Optionally, the authentication module is further configured to: determining that the version number and the mandatory filling parameter of the access request accord with a first authentication rule; the first authentication rule includes: the version number of the access request is consistent with the preset version number, and the mandatory filling parameter is not lost.

Optionally, the authentication module is further configured to: judging whether the timestamp, the first signature and the visitor IP in the access request all accord with a second authentication rule; if so, generating a second signature according to the signature parameter in the access request, and verifying whether the second signature is consistent with the first signature; and if the second signature is consistent with the first signature, the authentication is passed.

Optionally, the authentication module is further configured to: acquiring signature parameters in the access request, wherein the signature parameters comprise an access token, a timestamp, a universal unique identification code and a part of uniform resource identifier; sorting and splicing the signature parameters in a dictionary order ascending order according to the key values of the signature parameters to obtain character strings; adding a key at the tail of the character string, and encoding the character string with the key; and calculating the digest value of the encoding processing result by adopting a message digest algorithm so as to obtain a second signature.

To achieve the above object, according to still another aspect of an embodiment of the present invention, there is provided an electronic apparatus including: one or more processors; a storage device, configured to store one or more programs that, when executed by the one or more processors, cause the one or more processors to implement the method for access authentication provided by the embodiment of the present invention.

To achieve the above object, according to still another aspect of the embodiments of the present invention, there is provided a computer readable medium having stored thereon a computer program which, when executed by a processor, implements the method of access authentication as provided by the embodiments of the present invention.

One embodiment of the above invention has the following advantages or benefits: by adopting the technical means of signature timeliness verification, signature non-reuse, limitation of access to IP permission and the like, the situation of signature reuse is avoided, the resource access flow is optimized, the resource access efficiency is improved, and the pressure of malicious requests of a service system is relieved.

Further effects of the above-mentioned non-conventional alternatives will be described below in connection with the embodiments.

Drawings

The drawings are included to provide a better understanding of the invention and are not to be construed as unduly limiting the invention. Wherein:

FIG. 1 is a schematic diagram of a basic flow of a method of access authentication according to an embodiment of the invention;

FIG. 2 is a schematic diagram of a preferred flow of a method of access authentication according to an embodiment of the invention;

FIG. 3 is a schematic diagram of the basic modules of an apparatus for access authentication according to an embodiment of the present invention;

FIG. 4 is an exemplary system architecture diagram in which embodiments of the present invention may be employed;

FIG. 5 is a schematic block diagram of a computer system suitable for use in implementing a terminal device or server of an embodiment of the invention.

Detailed Description

Exemplary embodiments of the present invention are described below with reference to the accompanying drawings, in which various details of embodiments of the invention are included to assist understanding, and which are to be considered as merely exemplary. Accordingly, those of ordinary skill in the art will recognize that various changes and modifications of the embodiments described herein can be made without departing from the scope and spirit of the invention. Also, descriptions of well-known functions and constructions are omitted in the following description for clarity and conciseness.

Fig. 1 is a schematic diagram of a basic flow of a method of access authentication according to an embodiment of the present invention. As shown in fig. 1, an embodiment of the present invention provides an access authentication method, including:

S101, receiving an access request;

S102, judging whether the timestamp, the first signature and the visitor IP in the access request all accord with a second authentication rule; if yes, passing the authentication;

S103, the second authentication rule includes: the timestamp is in a first preset time range, the first signature is not used in a second preset time range, and the visitor IP is in a preset access-allowed IP list.

The embodiment of the invention adopts the technical means of signature timeliness verification, signature non-reuse, limitation of access IP permission and the like, avoids the situation of signature reuse, optimizes the resource access process, improves the resource access efficiency and relieves the pressure of malicious requests of a service system.

In this embodiment of the present invention, before determining whether the timestamp, the first signature, and the visitor IP in the access request all conform to the second authentication rule, the method further includes: determining that the version number and the mandatory filling parameter in the access request accord with a first authentication rule; the first authentication rule includes: the version number of the access request is consistent with the preset version number, and the mandatory filling parameter is not lost. The mandatory parameter refers to a parameter that the resource visitor has agreed with the resource provider and that must be present in the access request. The preset version number is provided by the resource provider for verifying that the version number of the access request meets requirements. The embodiment of the invention avoids the situation of repeated use of the signature, optimizes the resource access flow, improves the resource access efficiency and lightens the pressure of malicious requests of a service system.

In the embodiment of the invention, judging whether the timestamp, the first signature and the visitor IP in the access request all accord with the second authentication rule, and if yes, passing authentication, includes: judging whether the timestamp, the first signature and the visitor IP in the access request all accord with the second authentication rule; if so, generating a second signature according to the signature parameters in the access request, and verifying whether the second signature is consistent with the first signature; and if the second signature is consistent with the first signature, the authentication is passed. The embodiment of the invention avoids the situation of repeated use of the signature, optimizes the resource access flow, improves the resource access efficiency and lightens the pressure of malicious requests of a service system.

In this embodiment of the present invention, generating a second signature according to the signature parameters in the access request includes: acquiring the signature parameters in the access request, wherein the signature parameters comprise an access token (api_key), a timestamp, a universally unique identifier (UUID random number) and a partial uniform resource identifier (partial URI), the partial URI being the part of the URI of the access request that follows the version number; sorting the signature parameters in ascending dictionary order of their keys and splicing them to obtain a character string; adding a key (secret_key) at the end of the character string, and encoding the character string with the key; and calculating the digest value of the encoding result by using a message digest algorithm to obtain the second signature (the MD5 value of the encoding result can serve as the second signature). The UUID random number refers to a random number generated as a UUID; a Universally Unique Identifier (UUID) is a standard used in software construction and also refers to a number generated on one machine that is guaranteed to be unique across all machines in the same space-time. The MD5 Message-Digest Algorithm is a widely used cryptographic hash function that generates a 128-bit (16-byte) hash value to ensure the integrity of message transmission. Lexicographic ordering is a method of arranging words based on alphabetical order. The embodiment of the invention avoids the situation of repeated use of the signature, optimizes the resource access flow, improves the resource access efficiency and lightens the pressure of malicious requests of a service system.

The embodiment of the invention carries out authentication along the following dimensions: a. verifying the version number; b. verifying the timeliness of the timestamp; c. verifying whether the signature has been used; d. verifying the signature; e. verifying the validity of the remote access IP. Fig. 2 is a schematic diagram of a preferred flow of a method of access authentication according to an embodiment of the invention. As shown in the figure, the resource visitor sends a digital signature (first signature), an api_key, a universally unique identifier (UUID random number) generated for this access, and a timestamp to the resource provider. After receiving the access request from the resource visitor, the resource provider verifies whether the version numbers match, whether a mandatory parameter is missing, the timeliness of the timestamp, whether the first signature has already been used within the validity period, and whether the access IP is in the range allowed to access. It then performs an MD5 operation on the part of the URI after the version number, the api_key, the UUID random number, the timestamp and the key (secret_key) to generate a second signature, compares the received first signature with the second signature generated from the parameters in the access request according to the signature algorithm, and passes authentication if the results are consistent. The embodiment of the invention optimizes the resource access flow, improves the resource access efficiency and lightens the pressure of malicious requests of a service system.

Table 1 shows an authentication management table of a resource provider, and the resource provider performs authentication management of a resource visitor using table 1.

TABLE 1

[Table 1: image not reproduced]

The enumerated type is a basic data type rather than a constructed data type in some computer programming languages such as C#, C++, Java, VB, and the like. When a new cooperative project and/or company has an authentication requirement, a new record can be added to Table 1, and the resource provider then sends the resource visitor the api_key and secret_key required for signature generation, together with the list of IPs allowed to access.

The resource provider, when interfacing with the resource visitor, can configure the api_key, secret_key, the allowed access IP list (allow_IP), and the version number into a configuration file. The interaction format of the resource provider and the resource visitor is JSON, and the parameters in the access request are UTF-8 encoded. The request header (HTTP Header) parameter specification in the access request is shown in Table 2:

TABLE 2

The process of the authentication interface api using the signature algorithm to generate the second signature is as follows:

1. Obtain the access token api_key, the timestamp and the nonce from the HTTP Header of the access request.

2. Obtain the URI (Uniform Resource Identifier) of the access request; a URI is a character string that can identify and locate any resource. For example, given

https://IP:port/xxxx/api/v1/order/list

take the part "order/list" after the version number "v1/"; that is, the partial URI is "order/list".

3. Sort all signature parameters (the api_key, timestamp and nonce from the HTTP Header, plus the partial URI) in ascending lexicographic order of their keys and splice them. For example: api_key=value1&nonce=value2&timestamp=value3&uri=order/list.

4. Add the value of secret_key, value4, to the end of the spliced character string. For example: api_key=value1&nonce=value2&timestamp=value3&uri=order/list&value4. Apply urlencode processing to this string to form the base string base_string; the MD5 value of base_string is the value of the second signature. urlencode is a function that URL-encodes a character string. That is, second signature = MD5(urlencode(api_key=value1&nonce=value2&timestamp=value3&uri=order/list&value4)).
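The provider-side check described above (first rule, second rule, then recomputing the second signature) can be sketched as follows. This is an added example, not code from the patent: the `signature` header name, the `key=value` joining, the window lengths, the result strings and all sample values are assumptions.

```python
import hashlib
import hmac
import ipaddress
from urllib.parse import quote

# Header names; "signature" is an assumed name (Table 2 is not available).
MANDATORY = ("api_key", "timestamp", "nonce", "signature")


def partial_uri(path, version):
    """Return the part of the path after '/<version>/', or None if absent."""
    marker = "/" + version + "/"
    idx = path.find(marker)
    return path[idx + len(marker):] if idx >= 0 else None


def make_signature(api_key, timestamp, nonce, part_uri, secret_key):
    """MD5(urlencode(key-sorted 'k=v' pairs joined by '&', then '&' + secret_key))."""
    params = {"api_key": api_key, "timestamp": timestamp,
              "nonce": nonce, "uri": part_uri}
    joined = "&".join(f"{k}={params[k]}" for k in sorted(params))
    base_string = quote(joined + "&" + secret_key, safe="")
    return hashlib.md5(base_string.encode("utf-8")).hexdigest()


class Authenticator:
    def __init__(self, secrets, allow_ip, version="v1",
                 ts_window=300, replay_window=600):
        self.secrets = secrets            # api_key -> secret_key (never sent on the wire)
        self.allow = [ipaddress.ip_network(n) for n in allow_ip]
        self.version = version
        self.ts_window = ts_window        # first preset time range, seconds
        # Second preset time range. The timestamp window is symmetric, so a
        # signature accepted early stays replayable for up to 2 * ts_window.
        self.replay_window = max(replay_window, 2 * ts_window)
        self.used = {}                    # accepted signature -> acceptance time

    def _ip_allowed(self, remote_ip):
        try:
            addr = ipaddress.ip_address(remote_ip)
        except ValueError:
            return False
        return any(addr in net for net in self.allow)

    def check(self, headers, path, remote_ip, now):
        # First authentication rule: version number and mandatory parameters.
        part = partial_uri(path, self.version)
        if part is None:
            return "version_mismatch"
        if any(not headers.get(k) for k in MANDATORY):
            return "missing_parameter"
        # Second authentication rule: timeliness, signature reuse, visitor IP.
        try:
            ts = int(headers["timestamp"])
        except ValueError:
            return "bad_timestamp"
        if abs(now - ts) > self.ts_window:
            return "stale_timestamp"
        self.used = {s: t for s, t in self.used.items()
                     if now - t <= self.replay_window}
        first = headers["signature"].lower()
        if first in self.used:
            return "signature_reused"
        if not self._ip_allowed(remote_ip):
            return "ip_not_allowed"
        # Recompute the second signature and compare in constant time.
        secret = self.secrets.get(headers["api_key"])
        if secret is None:
            return "unknown_api_key"
        second = make_signature(headers["api_key"], headers["timestamp"],
                                headers["nonce"], part, secret)
        if not hmac.compare_digest(second.encode(), first.encode("utf-8")):
            return "signature_mismatch"
        self.used[first] = now            # remember only signatures that verified
        return "ok"


if __name__ == "__main__":
    # Constructed sample request; key, secret, nonce and addresses are made up.
    now = 1_700_000_000
    auth = Authenticator({"demo-key": "demo-secret"}, ["192.0.2.0/24"])
    hdr = {"api_key": "demo-key", "timestamp": str(now), "nonce": "n1"}
    hdr["signature"] = make_signature("demo-key", str(now), "n1",
                                      "order/list", "demo-secret")
    print(auth.check(hdr, "/xxxx/api/v1/order/list", "192.0.2.10", now))
    print(auth.check(hdr, "/xxxx/api/v1/order/list", "192.0.2.10", now + 1))
```

Only signatures that verified are stored, so invalid requests cannot fill the reuse cache, and the cache is kept for at least twice the timestamp window so an entry is not dropped while its timestamp is still acceptable.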

The embodiment of the present invention provides an access authentication apparatus 300, including: a receiving module 301, configured to: receiving an access request; an authentication module 302 to: judging whether the timestamp, the first signature and the visitor IP in the access request all accord with a second authentication rule; if yes, passing the authentication; the second authentication rule includes: the time stamp is in a first preset time range, the first signature is not used in a second preset time range, and the IP of the visitor is in an IP list allowing the visitor to access. The embodiment of the invention adopts the technical means of verifying the timeliness of the signature, preventing the signature from being reused, limiting the access to IP and the like, avoids the situation of reusing the signature, optimizes the resource access process, improves the resource access efficiency and relieves the pressure of malicious requests of a service system.

In this embodiment of the present invention, the authentication module 302 is further configured to: determining that the version number and the mandatory filling parameter of the access request accord with a first authentication rule; the first authentication rule includes: the version number of the access request is consistent with the preset version number, and the mandatory filling parameter is not lost. The embodiment of the invention avoids the situation of repeated use of the signature, optimizes the resource access flow, improves the resource access efficiency and lightens the pressure of malicious requests of a service system.

In this embodiment of the present invention, the authentication module 302 is further configured to: judging whether the timestamp, the first signature and the visitor IP in the access request all accord with a second authentication rule; if so, generating a second signature according to the signature parameter in the access request, and verifying whether the second signature is consistent with the first signature; and if the second signature is consistent with the first signature, the authentication is passed. The embodiment of the invention avoids the situation of repeated use of the signature, optimizes the resource access flow, improves the resource access efficiency and lightens the pressure of malicious requests of a service system.

In this embodiment of the present invention, the authentication module 302 is further configured to: acquiring signature parameters in the access request, wherein the signature parameters comprise an access token, a timestamp, a universal unique identification code and a part of uniform resource identifier; sorting and splicing the signature parameters in a dictionary order ascending order according to the key values of the signature parameters to obtain character strings; adding a key at the tail of the character string, and encoding the character string with the key; and calculating the digest value of the encoding processing result by adopting a message digest algorithm so as to obtain a second signature. The embodiment of the invention avoids the situation of repeated use of the signature, optimizes the resource access flow, improves the resource access efficiency and lightens the pressure of malicious requests of a service system.

For the key pair (api_key/secret_key), taking the secret_key as a parameter together with a suitable signature algorithm yields a digital signature of the original information, which prevents the content from being forged or tampered with during transmission. Keys are usually created and used in pairs, each pair containing one api_key and one secret_key. The api_key is included in the transmission, whereas the resource provider must keep the secret_key from being transmitted on the network to prevent theft.

Fig. 4 shows an exemplary system architecture 400 of an access authentication method or access authentication apparatus to which embodiments of the invention may be applied.

As shown in fig. 4, the system architecture 400 may include terminal devices 401, 402, 403, a network 404, and a server 405. The network 404 serves as a medium for providing communication links between the terminal devices 401, 402, 403 and the server 405. Network 404 may include various types of connections, such as wire, wireless communication links, or fiber optic cables, to name a few.

A user may use terminal devices 401, 402, 403 to interact with a server 405 over a network 404 to receive or send messages or the like. The terminal devices 401, 402, 403 may have various communication client applications installed thereon, such as shopping applications, web browser applications, search applications, instant messaging tools, mailbox clients, social platform software, and the like.

The terminal devices 401, 402, 403 may be various electronic devices having a display screen and supporting web browsing, including but not limited to smart phones, tablet computers, laptop portable computers, desktop computers, and the like.

The server 405 may be a server that provides various services, such as a background management server that supports shopping websites browsed by users using the terminal devices 401, 402, and 403. The background management server can analyze and process the received data such as the product information inquiry request and feed back the processing result to the terminal equipment.

It should be noted that the method for access authentication provided by the embodiment of the present invention is generally executed by the server 405, and accordingly, the apparatus for access authentication is generally disposed in the server 405.

It should be understood that the number of terminal devices, networks, and servers in fig. 4 is merely illustrative. There may be any number of terminal devices, networks, and servers, as desired for implementation.

According to an embodiment of the present invention, an electronic device and a computer-readable medium are also provided.

The electronic device of the embodiment of the invention comprises: one or more processors; a storage device, configured to store one or more programs that, when executed by the one or more processors, cause the one or more processors to implement the method for access authentication provided by the embodiment of the present invention.

The computer readable medium of the embodiment of the present invention stores thereon a computer program, which when executed by a processor implements the method of access authentication as provided by the embodiment of the present invention.

Referring now to FIG. 5, shown is a block diagram of a computer system 500 suitable for use with a terminal device implementing an embodiment of the present invention. The terminal device shown in fig. 5 is only an example, and should not bring any limitation to the functions and the scope of use of the embodiments of the present invention.

As shown in fig. 5, the computer system 500 includes a Central Processing Unit (CPU) 501 that can perform various appropriate actions and processes according to a program stored in a Read Only Memory (ROM) 502 or a program loaded from a storage section 508 into a Random Access Memory (RAM) 503. In the RAM 503, various programs and data necessary for the operation of the system 500 are also stored. The CPU 501, ROM 502, and RAM 503 are connected to each other via a bus 504. An input/output (I/O) interface 505 is also connected to bus 504.

The following components are connected to the I/O interface 505: an input portion 506 including a keyboard, a mouse, and the like; an output portion 507 including a display such as a Cathode Ray Tube (CRT), a Liquid Crystal Display (LCD), and the like, and a speaker; a storage portion 508 including a hard disk and the like; and a communication section 509 including a network interface card such as a LAN card, a modem, or the like. The communication section 509 performs communication processing via a network such as the internet. The drive 510 is also connected to the I/O interface 505 as necessary. A removable medium 511 such as a magnetic disk, an optical disk, a magneto-optical disk, a semiconductor memory, or the like is mounted on the drive 510 as necessary, so that a computer program read out therefrom is installed into the storage section 508 as necessary.

In particular, according to the embodiments of the present disclosure, the processes described above with reference to the flowcharts may be implemented as computer software programs. For example, embodiments of the present disclosure include a computer program product comprising a computer program embodied on a computer readable medium, the computer program comprising program code for performing the method illustrated in the flow chart. In such an embodiment, the computer program may be downloaded and installed from a network through the communication section 509, and/or installed from the removable medium 511. The computer program performs the above-described functions defined in the system of the present invention when executed by the Central Processing Unit (CPU) 501.

It should be noted that the computer readable medium shown in the present invention can be a computer readable signal medium or a computer readable storage medium or any combination of the two. A computer readable storage medium may be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any combination of the foregoing. More specific examples of the computer readable storage medium may include, but are not limited to: an electrical connection having one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the present invention, a computer readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device. In the present invention, however, a computer readable signal medium may include a propagated data signal with computer readable program code embodied therein, for example, in baseband or as part of a carrier wave. Such a propagated data signal may take many forms, including, but not limited to, electro-magnetic, optical, or any suitable combination thereof. A computer readable signal medium may also be any computer readable medium that is not a computer readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device. Program code embodied on a computer readable medium may be transmitted using any appropriate medium, including but not limited to: wireless, wire, fiber optic cable, RF, etc., or any suitable combination of the foregoing.

The flowchart and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present invention. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams or flowchart illustration, and combinations of blocks in the block diagrams or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.

The modules described in the embodiments of the present invention may be implemented by software or hardware. The described modules may also be provided in a processor, which may be described as: a processor comprising a receiving module, an authentication module, and a rule module. The names of these modules do not, in some cases, constitute a limitation on the modules themselves; for example, the receiving module may also be described as a "module for receiving an access request".

As another aspect, the present invention also provides a computer-readable medium that may be contained in the apparatus described in the above embodiments, or may exist separately without being incorporated into the apparatus. The computer-readable medium carries one or more programs which, when executed by a device, cause the device to perform the following: S101, receiving an access request; S102, judging whether the timestamp, the first signature and the visitor IP in the access request all conform to a second authentication rule, and if so, passing the authentication; S103, the second authentication rule comprises: the timestamp is within a first preset time range, the first signature has not been used within a second preset time range, and the visitor IP is in a preset access-allowed IP list.

The access authentication method provided by the embodiment of the invention verifies the timeliness of the signature, prevents a signature from being used more than once, and restricts access to permitted IPs. As a result, signature reuse is avoided, the resource access flow is optimized, resource access efficiency is improved, and the pressure that malicious requests place on the service system is relieved.
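The three checks of the second authentication rule restated above can be sketched as follows. This is an added example, not code from the patent: the class name, parameter names and window values are hypothetical, the signature is treated as an opaque string (its cryptographic verification is not shown), and the replay cache is a simple in-process dictionary.

```python
import ipaddress
import time


class SecondRuleAuthenticator:
    """Hypothetical checker for the three conditions of the second rule."""

    def __init__(self, allowed_networks, ts_window=300, replay_window=600):
        # Assumption of this example: the replay window must cover the
        # timestamp window. Otherwise a signature could be evicted from the
        # cache while its timestamp is still accepted, and be reused.
        if replay_window < ts_window:
            raise ValueError("replay_window must be >= ts_window")
        self.networks = [ipaddress.ip_network(n) for n in allowed_networks]
        self.ts_window = ts_window          # first preset time range (seconds)
        self.replay_window = replay_window  # second preset time range (seconds)
        self._seen = {}                     # signature -> time it was accepted

    def _purge(self, now):
        # Forget signatures older than the second preset time range.
        expired = [s for s, t in self._seen.items()
                   if now - t >= self.replay_window]
        for s in expired:
            del self._seen[s]

    def authenticate(self, timestamp, signature, visitor_ip, now=None):
        now = time.time() if now is None else now
        # Condition 1: timestamp within the first preset time range.
        if abs(now - timestamp) > self.ts_window:
            return False, "timestamp outside window"
        # Condition 3: visitor IP in the access-allowed list.
        try:
            addr = ipaddress.ip_address(visitor_ip)
        except ValueError:
            return False, "malformed visitor IP"
        if not any(addr in net for net in self.networks):
            return False, "visitor IP not allowed"
        # Condition 2: signature unused within the second preset time range.
        # Checked last so a rejected request never consumes a signature.
        self._purge(now)
        if signature in self._seen:
            return False, "signature already used"
        self._seen[signature] = now
        return True, "ok"
```

With more than one verifying process, the `_seen` dictionary would need to be a shared store with an atomic check-and-set, otherwise the same signature could pass once per process.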

The above-described embodiments should not be construed as limiting the scope of the invention. Those skilled in the art will appreciate that various modifications, combinations, sub-combinations, and substitutions can occur, depending on design requirements and other factors. Any modification, equivalent replacement, and improvement made within the spirit and principle of the present invention should be included in the protection scope of the present invention.
