User authentication method, device, proxy server and network service system

Document No.: 1478689   Publication date: 2020-02-25

Reading note: this technology, User authentication method, device, proxy server and network service system (用户的认证方法、装置、代理服务器和网络服务系统), was designed and created by 张涵, 李连闯, 白石 and 张铄 on 2019-11-14. Its main content: the disclosure relates to a user authentication method, a user authentication device, a proxy server and a network service system, and relates to the technical field of computers. The method comprises the following steps: in response to receiving an operation request sent by a terminal through a virtual account of a user, judging whether the user has the corresponding authority of a processing system according to the virtual account; under the condition that the user has the corresponding authority, sending the operation request to the processing system; and sending the processing result returned by the processing system to the terminal.

1. A method of authenticating a user, comprising:

in response to receiving an operation request sent by a terminal through a virtual account of a user, judging whether the user has corresponding authority of a processing system according to the virtual account;

sending the operation request to the processing system under the condition that the user has the corresponding authority;

and sending the processing result returned by the processing system to the terminal.

2. The authentication method of claim 1, wherein

the corresponding authority comprises the access authority and the operation authority of the user for the processing system;

the sending the operation request to the processing system in the case that the user has the corresponding right comprises:

under the condition that the user has the access authority, acquiring the operation authority of the user according to the virtual account;

processing the operation request according to the operation authority;

and sending the processed operation request to the processing system so as to obtain a processing result returned by the processing system.

3. The authentication method of claim 1, further comprising:

dividing the operation request into a system processing request and a non-system processing request according to the processing service which can be provided by the processing system;

processing the non-system processing request to obtain a first processing result;

wherein the sending the operation request to the processing system comprises:

sending the first processing result and the system processing request to the processing system.

4. The authentication method of claim 3, further comprising:

sending the obtained second processing result returned by the processing system to the terminal;

processing the second processing result according to the requirement of the user to obtain a third processing result;

and sending the third processing result to the terminal.

5. The authentication method of claim 1, further comprising:

sending the operation request to an extension system for processing under the condition that the processing service of the processing system cannot meet the operation request, wherein the extension system is developed according to the user requirement corresponding to the operation request.

6. The authentication method of claim 5, wherein the sending the operation request to the extension system for processing comprises:

acquiring routing information according to the unique identifier of the extension system;

and sending the operation request to the extension system for processing according to the routing information.

7. The authentication method of claim 1, further comprising:

responding to a first login request sent by a terminal through a virtual account of a user, and acquiring a system account related to the virtual account according to the related information of the virtual account and the system account;

generating a second login request according to the system account;

and sending the second login request to the processing system for authentication so as to determine whether the terminal is allowed to login.

8. The authentication method of claim 7, wherein said sending the second login request to the processing system for authentication to determine whether to allow the terminal to login comprises:

responding to the received first authentication failure information of the system account returned by the processing system, and generating second authentication failure information according to the virtual account;

and sending the second authentication failure information to the terminal.

9. The authentication method according to any one of claims 1 to 8, wherein

the authentication method is executed in a proxy server, and the virtual account is a proxy account.

10. An authentication apparatus of a user, comprising:

a judging unit configured to, in response to an operation request sent by a terminal through a virtual account of a user, judge whether the user has the corresponding authority of a processing system according to the virtual account;

and a sending unit configured to, under the condition that the user has the corresponding authority, send the operation request to the processing system and send the processing result returned by the processing system to the terminal.

11. An authentication apparatus of a user, comprising:

a memory; and

a processor coupled to the memory, the processor configured to perform the method of authenticating a user of any of claims 1-9 based on instructions stored in the memory.

12. A proxy server, comprising:

an authentication apparatus of a user as claimed in claim 10 or 11.

13. A network service system, comprising:

the proxy server of claim 12;

and a processing system configured to process the operation request of the user sent by the terminal.

14. A computer-readable storage medium, on which a computer program is stored, which when executed by a processor implements the method of authenticating a user of any one of claims 1 to 9.

Technical Field

The present disclosure relates to the field of computer technologies, and in particular, to a user authentication method, a user authentication device, a proxy server, a network service system, and a computer-readable storage medium.

Background

With the popularization of network services such as e-government affairs and e-commerce, the functions of network service systems are increasing, and more services and functions need to be carried by system applications. The complexity of the network service system is increasing, and the access control authority of the user needs to be configured for the system to ensure the security of the system.

In the related art, highly customized access control rights are developed in source code of a service system based on user information of the service system.

Disclosure of Invention

The inventors of the present disclosure found that the following problems exist in the above-described related art: user information of the service system is exposed to the outside, resulting in a reduction in system security.

In view of this, the present disclosure provides a technical solution for user authentication, which can improve the security of the system.

According to some embodiments of the present disclosure, there is provided a method of authenticating a user, including: in response to receiving an operation request sent by a terminal through a virtual account of a user, judging whether the user has corresponding authority of a processing system according to the virtual account; under the condition that the user has corresponding authority, the operation request is sent to the processing system; and sending the processing result returned by the processing system to the terminal.

In some embodiments, the respective rights include access rights and operational rights of the user to the processing system.

In some embodiments, sending the operation request to the processing system in the case that the user has the corresponding right comprises: under the condition that the user has the access authority, acquiring the operation authority of the user according to the virtual account; processing the operation request according to the operation authority; and sending the processed operation request to the processing system so as to obtain a processing result returned by the processing system.

In some embodiments, the method further comprises: dividing the operation request into a system processing request and a non-system processing request according to the processing service which can be provided by the processing system; and processing the non-system processing request to obtain a first processing result.

In some embodiments, sending the operation request to the processing system comprises: sending the first processing result and the system processing request to the processing system.

In some embodiments, the method further comprises: sending the acquired second processing result returned by the processing system to the terminal; processing the second processing result according to the requirement of the user to obtain a third processing result; and sending the third processing result to the terminal.

In some embodiments, the method further comprises: under the condition that the processing service of the processing system cannot meet the operation request, sending the operation request to an extension system for processing, the extension system being developed according to the user requirement corresponding to the operation request.

In some embodiments, sending the operation request to the extension system for processing includes: acquiring routing information according to the unique identifier of the extension system; and sending the operation request to the extension system for processing according to the routing information.

In some embodiments, the method further comprises: in response to receiving a first login request sent by a terminal through a virtual account of a user, acquiring a system account related to the virtual account according to the related information of the virtual account and the system account; generating a second login request according to the system account; and sending the second login request to the processing system for authentication so as to determine whether the terminal is allowed to login.

In some embodiments, sending the second login request to the processing system for authentication to determine whether to allow the terminal to login comprises: responding to the received first authentication failure information of the system account returned by the processing system, and generating second authentication failure information according to the virtual account; and sending the second authentication failure information to the terminal.

In some embodiments, the authentication method is performed in a proxy server, and the virtual account is a proxy account.

According to further embodiments of the present disclosure, there is provided an authentication apparatus of a user, including: a judging unit configured to, in response to an operation request sent by a terminal through a virtual account of a user, judge whether the user has the corresponding authority of the processing system according to the virtual account; and a sending unit configured to, under the condition that the user has the corresponding authority, send the operation request to the processing system and send the processing result returned by the processing system to the terminal.

In some embodiments, the respective rights include access rights and operational rights of the user to the processing system.

In some embodiments, the sending unit obtains the operation authority of the user according to the virtual account under the condition that the user has the access authority; processing the operation request according to the operation authority; and sending the processed operation request to the processing system so as to obtain a processing result returned by the processing system.

In some embodiments, the apparatus further includes a processing unit configured to divide the operation request into a system processing request and a non-system processing request according to a processing service that can be provided by the processing system; and processing the non-system processing request to obtain a first processing result.

In some embodiments, the sending unit sends the first processing result and the system processing request to the processing system.

In some embodiments, the sending unit sends the acquired second processing result returned by the processing system to the terminal; the processing unit processes the second processing result according to the requirement of the user to obtain a third processing result; the transmitting unit transmits the third processing result to the terminal.

In some embodiments, the sending unit sends the operation request to the extension system for processing when the processing service of the processing system cannot meet the operation request, and the extension system is developed according to a user requirement corresponding to the operation request.

In some embodiments, the sending unit obtains the routing information according to the unique identifier of the extension system, and sends the operation request to the extension system for processing according to the routing information.

In some embodiments, the device further includes a processing unit, configured to, in response to receiving a first login request sent by a terminal through a virtual account of a user, obtain a system account associated with the virtual account according to association information between the virtual account and the system account; generating a second login request according to the system account; the sending unit sends the second login request to the processing system for authentication so as to determine whether to allow the terminal to login.

In some embodiments, the processing unit generates second authentication failure information according to the virtual account in response to receiving first authentication failure information of the system account returned by the processing system; the transmitting unit transmits the second authentication failure information to the terminal.

In some embodiments, the authentication device is provided in a proxy server, and the virtual account is a proxy account.

According to still further embodiments of the present disclosure, there is provided an authentication apparatus of a user, including: a memory; and a processor coupled to the memory, the processor configured to perform the method of authenticating a user in any of the above embodiments based on instructions stored in the memory.

According to still further embodiments of the present disclosure, there is provided a proxy server including: the authentication device of a user in any of the above embodiments.

According to still further embodiments of the present disclosure, there is provided a network service system including: the proxy server of any of the above embodiments; and a processing system configured to process the operation request of the user sent by the terminal.

According to still further embodiments of the present disclosure, there is provided a computer-readable storage medium having stored thereon a computer program which, when executed by a processor, implements the method of authentication of a user in any of the above embodiments.

In the above embodiments, the authority control function is placed outside the processing system, and authority control is performed according to the user's virtual account. The processing system's own user information, such as system passwords, is therefore not exposed outward, and the security of the system is improved.

Drawings

The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments of the disclosure and together with the description, serve to explain the principles of the disclosure.

The present disclosure can be more clearly understood from the following detailed description with reference to the accompanying drawings, in which:

FIG. 1 illustrates a flow diagram of some embodiments of a method of authentication of a user of the present disclosure;

FIG. 2 illustrates a schematic diagram of some embodiments of a user authentication method of the present disclosure;

FIG. 3 shows a schematic diagram of further embodiments of a method of authenticating a user of the present disclosure;

FIG. 4 illustrates a schematic diagram of further embodiments of a user authentication method of the present disclosure;

FIG. 5 illustrates a schematic diagram of still further embodiments of a user authentication method of the present disclosure;

FIG. 6 illustrates a schematic diagram of still further embodiments of a user authentication method of the present disclosure;

FIG. 7 illustrates a schematic diagram of still further embodiments of a user authentication method of the present disclosure;

FIG. 8 shows a schematic diagram of some embodiments of an authentication device of a user of the present disclosure;

FIG. 9 illustrates a block diagram of some embodiments of an authentication device of a user of the present disclosure;

FIG. 10 shows a block diagram of further embodiments of a user's authentication device of the present disclosure;

FIG. 11 shows a block diagram of still further embodiments of a user's authentication device of the present disclosure;

FIG. 12 illustrates a block diagram of some embodiments of a proxy server of the present disclosure;

FIG. 13 illustrates a block diagram of some embodiments of a network service system of the present disclosure.

Detailed Description

Various exemplary embodiments of the present disclosure will now be described in detail with reference to the accompanying drawings. It should be noted that: the relative arrangement of the components and steps, the numerical expressions, and numerical values set forth in these embodiments do not limit the scope of the present disclosure unless specifically stated otherwise.

Meanwhile, it should be understood that the sizes of the respective portions shown in the drawings are not drawn in an actual proportional relationship for the convenience of description.

The following description of at least one exemplary embodiment is merely illustrative in nature and is in no way intended to limit the disclosure, its application, or uses.

Techniques, methods, and apparatus known to those of ordinary skill in the relevant art may not be discussed in detail, but are intended to be part of the specification where appropriate.

In all examples shown and discussed herein, any particular value should be construed as merely illustrative, and not limiting. Thus, other examples of the exemplary embodiments may have different values.

It should be noted that: like reference numbers and letters refer to like items in the following figures, and thus, once an item is defined in one figure, further discussion thereof is not required in subsequent figures.

Fig. 1 illustrates a flow diagram of some embodiments of a user authentication method of the present disclosure.

As shown in fig. 1, the method includes: step S11, judging whether the user has corresponding authority; step S12, sending an operation request; and step S13, transmitting the processing result.

In step S11, in response to receiving an operation request sent by the terminal through the virtual account of the user, it is determined whether the user has the corresponding authority of the processing system according to the virtual account. For example, the authentication method is performed in a proxy server, and the virtual account is a proxy account.

In step S12, the operation request is sent to the processing system in the case where the user has the corresponding authority.

In some embodiments, an operation request of a client (terminal) passes through the proxy server, the request is forwarded to a target system (processing system) after being processed, and response data of the target system is returned to the client after being processed by the proxy server.

For example, the corresponding rights include access rights and operation rights of the user to the processing system. For example, when the user has access authority, the operation authority of the user is acquired according to the virtual account; processing the operation request according to the operation authority; and sending the processed operation request to the processing system so as to obtain a processing result returned by the processing system.

In step S13, the processing result returned by the processing system is transmitted to the terminal.

In some embodiments, the above steps may be performed by the embodiment in fig. 2.

Fig. 2 shows a schematic diagram of some embodiments of a user authentication method of the present disclosure.

As shown in fig. 2, a user authentication apparatus is installed in the proxy server, and the authentication apparatus may include a proxy module and a management and control module. The dashed arrows in the figure represent the return operations of the devices, modules and systems.

In event 210, the client sends the user's operation request to the proxy module. For example, a user sends an operation request through a client device, and the proxy server intercepts the request.

At event 220, the proxy module queries the management and control module for white list information for the proxy account.

In event 230, the management and control module returns the white list information to the proxy module.

At event 240, the proxy module authenticates the user's proxy account based on the white list information.

In some embodiments, the management and control module in the proxy server queries the access control policy information (e.g., white list information) corresponding to the proxy account of the current request. If access is judged to be authorized and the operation is permitted, the operation request data is forwarded to the target system; if the operation is not permitted, the proxy server returns an access-refused result to the client device.

In event 250, if authentication passes, the proxy module queries the management and control module for the operation authority information of the proxy account for the current operation request.

In event 260, the management and control module returns the operation authority information to the proxy module.

In event 270, the proxy module processes the operation request according to the operation authority information to generate a restricted operation request. For example, the user's operation request is to access two items of data, but the user's authority only allows access to one item. In this case, the operation request is rewritten to access that one item.

After the access control check passes, the proxy module queries, through the management and control module, the restrictions that apply to the current operation request. For example, the proxy module can query the data authority information of the current user through the management and control module and attach it to the user's query request, so as to limit the data the user can query.

In event 280, the proxy module sends a restricted operation request to the target system.

In event 290, the target system returns the processing result to the proxy module.

In event 295, the proxy module returns the processing results to the client.
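The Fig. 2 flow (events 210 to 295) as an added Python example; it is not the patent's own code. The white list, data authority, accounts and data items are constructed sample values, and the rule that a request with no permitted items left is refused rather than forwarded empty is an assumption the patent does not state.

```python
from __future__ import annotations
from dataclasses import dataclass


@dataclass
class OperationRequest:
    """Request as sent by the client: it names only the proxy (virtual) account."""
    proxy_account: str
    operation: str
    items: list[str]


@dataclass
class ControlModule:
    """Management and control module: the white list is the access authority,
    the per-account item set is the operation (data) authority. Sample data only."""
    white_list: set[str]
    data_authority: dict[str, set[str]]

    def white_list_info(self, proxy_account: str) -> bool:          # events 220/230
        return proxy_account in self.white_list

    def operation_authority(self, proxy_account: str) -> set[str]:  # events 250/260
        return self.data_authority.get(proxy_account, set())


class TargetSystem:
    """Constructed stand-in for the processing system. It counts calls so a
    check can confirm that refused requests never reach it."""

    def __init__(self, store: dict[str, str]) -> None:
        self.store = store
        self.calls = 0

    def process(self, operation: str, items: list[str]) -> dict[str, str]:  # events 280/290
        self.calls += 1
        if operation != "query":
            raise ValueError(f"unsupported operation: {operation}")
        return {k: self.store[k] for k in items if k in self.store}


@dataclass
class ProxyModule:
    control: ControlModule
    target: TargetSystem

    def handle(self, req: OperationRequest) -> dict:
        # Event 240: authenticate the proxy account against the white list.
        if not self.control.white_list_info(req.proxy_account):
            return {"status": "refused", "reason": "access not permitted"}
        # Event 270: narrow the request to the items this account may access.
        allowed = self.control.operation_authority(req.proxy_account)
        permitted = [i for i in req.items if i in allowed]
        dropped = [i for i in req.items if i not in allowed]
        # Assumption (not in the patent): nothing left after restriction is a refusal.
        if not permitted:
            return {"status": "refused", "reason": "operation not permitted", "dropped": dropped}
        restricted = OperationRequest(req.proxy_account, req.operation, permitted)
        # Events 280/290: forward the restricted request. The target system
        # receives the operation and items only, never the proxy account.
        data = self.target.process(restricted.operation, restricted.items)
        # Event 295: return the result to the client.
        return {"status": "ok", "data": data, "dropped": dropped}


def build_demo() -> tuple[ProxyModule, TargetSystem]:
    """Constructed sample: one white-listed account that may read item_1 only."""
    control = ControlModule(
        white_list={"proxy_alice"},
        data_authority={"proxy_alice": {"item_1"}},
    )
    target = TargetSystem({"item_1": "record A", "item_2": "record B"})
    return ProxyModule(control, target), target


if __name__ == "__main__":
    proxy, _ = build_demo()
    # Two items requested, one permitted: the request is narrowed, not refused.
    print(proxy.handle(OperationRequest("proxy_alice", "query", ["item_1", "item_2"])))
    # Account not on the white list: refused before the target system is contacted.
    print(proxy.handle(OperationRequest("proxy_bob", "query", ["item_1"])))
```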

In some embodiments, the operation request is divided into a system processing request and a non-system processing request according to the processing service which can be provided by the processing system; processing the non-system processing request to obtain a first processing result; and sending the first processing result and the system processing request to a processing system.

For example, the obtained second processing result returned by the processing system is sent to the terminal; processing the second processing result according to the requirement of the user to obtain a third processing result; and sending the third processing result to the terminal.

In some embodiments, processing services that cannot be provided by the processing system may be processed by the embodiment of fig. 3.

Fig. 3 shows a schematic diagram of further embodiments of a user authentication method of the present disclosure.

As shown in FIG. 3, at event 310, the client sends a user's operation request to the proxy module.

At event 315, the proxy module parses the proxy request and authenticates the user's rights. For example, the operation request is divided into a system processing request and a non-system processing request according to the processing service that the processing system can provide.

At event 320, the proxy module sends the parsing results to the data analysis module of the proxy server.

In event 325, the data analysis module returns the processing results to the proxy module.

In some embodiments, the data analysis module of the proxy server has a data storage function and can persist the to-be-processed data sent by the user. For example, the data analysis module supports several storage modes, such as block storage, file storage, database storage, distributed storage, object storage, cache storage and in-memory storage.

In some embodiments, the data analysis module analyzes and processes the request data according to the requirements of the user by using data analysis technologies such as big data, artificial intelligence, scientific data processing and the like.

For example, the target system is a file download website, and the user's operation request is to obtain weekly download statistics for image files of a certain format without changing the original target system. The target system has no statistics function; in this case, the data analysis module of the proxy server can record the access data for files of that type on the target system for one week and count the total download amount.

In event 330, the proxy module sends the processing results returned by the data analysis module, together with the operation request, to the target system.

In event 335, the target system returns the processing results to the proxy module.

At event 340, the proxy module sends the processing results of the target system to the data analysis module for further processing.

In event 345, the data analysis module returns the final processing results to the proxy module.

In event 350, the proxy module returns the final processing result to the client.

In some embodiments, the data analysis module provides a query interface for requesting data analysis results, and the client can use it to query data analysis results and other related data.

For example, in event 355, the client sends a query request to the proxy module.

At event 360, the proxy module forwards the query request to the data analysis module.

At event 365, the data analysis module returns the data processing results corresponding to the query request to the proxy module.

In event 370, the proxy module returns the data processing results to the client.

In some embodiments, when the processing service of the processing system cannot meet the operation request, the operation request is sent to an extension system for processing, the extension system being developed according to the user requirement corresponding to the operation request. For example, routing information is obtained according to the unique identifier of the extension system, and the operation request is sent to the extension system for processing according to the routing information. These functions may be implemented by the embodiment in fig. 4, for example.

Fig. 4 shows a schematic diagram of further embodiments of a user authentication method of the present disclosure.

As shown in FIG. 4, at event 410, the client sends an operation request to the proxy module.

At event 420, the proxy module parses and authenticates the operation request.

At event 430, the proxy module sends a routing information acquisition request to the function extension module of the proxy server.

In some embodiments, new system functionality may be developed on the proxy server as an extended system, depending on new user requirements. Therefore, the functions of the original target system can be expanded under the condition of not changing the code of the original target system.

In event 440, the function extension module returns the routing information to the proxy module. For example, the extension system may be assigned a unique routing identifier that the proxy server uses to forward requests.

In some embodiments, the request for extended functionality may be identified in the user's request data. After detecting the identification of the request for the extended function in the request data, the proxy server automatically forwards the request to an extended system for processing the extended function.

At event 450, the proxy module sends the operation request to the extension system (the added system function) according to the routing information.

In some embodiments, an operation request for calling a new function is intercepted by the proxy server; the proxy server sends a routing query request to the function extension module and obtains the routing information for the request; the proxy server then forwards the request to the corresponding extension system.

In event 460, the extension system returns the processing results to the proxy module.

In event 470, the proxy module returns the processing results to the client.

In some embodiments, in response to receiving a first login request sent by a terminal through a virtual account of a user, acquiring a system account associated with the virtual account according to association information of the virtual account and the system account; generating a second login request according to the system account; and sending the second login request to the processing system for authentication so as to determine whether the terminal is allowed to login. This may be achieved, for example, by the embodiment of fig. 5.

Fig. 5 shows a schematic diagram of still further embodiments of a user authentication method of the present disclosure.

As shown in fig. 5, at event 510, the client sends a login request for a proxy account number to the proxy module.

In some embodiments, prior to event 510, the management and control module may create a proxy account (virtual account) for the user and initialize part of the system account information of the target system; the management and control module binds the proxy account and the system account of the user and can carry out grouping authority configuration. In this way, the user can perform a login operation using the proxy account.

In some embodiments, a user performs a login operation through a client using a proxy account in a proxy server system. For example, the user enters a username and login password for the proxy account. The user may also enter multi-factor authentication credentials, such as a certificate, biometric information, a verification code, an IP address field, and the like. The proxy server intercepts a login request sent by a user to a target system through a client.

At event 515, the proxy module sends a query request to the management and control module to obtain the system account corresponding to the proxy account.

At event 520, the management and control module authenticates the proxy account.

In event 525, the management and control module queries the corresponding system account of the proxy account after the authentication.

At event 530, the administration module returns the system account number to the agent module.

At event 535, the proxy module replaces the proxy account in the login request with the system account to generate a login request for the system account.

At event 540, the proxy module sends a login request for the system account to the target system for authentication.

In some embodiments, after receiving the login request, the proxy server performs authentication processing on the proxy account through the management and control module. The proxy server determines whether the login password and other authentication credentials of the user account are within the validity period and valid. And after the user login authentication is passed, the proxy server replaces the proxy account information with the real account of the target system to form new login authentication information.

In some embodiments, the proxy server sends the new login authentication information to the target system for secondary authentication. At this stage, the proxy server may process the user account data in a proxy-to-proxy manner.

At event 545, the target system is authenticated by a login request for the system account.

At event 550, the target system returns the authentication result of the system account to the proxy module.

At event 555, the proxy module returns an authentication result to the client.

In some embodiments, in response to receiving first authentication failure information for the system account returned by the processing system, second authentication failure information is generated for the virtual account and sent to the terminal, so that the failure is reported in terms of the virtual account rather than the system account. This may be achieved, for example, by the embodiment of fig. 6.

Fig. 6 shows a schematic diagram of still further embodiments of a user authentication method of the present disclosure.

As shown in fig. 6, at event 610, the client sends a login request for a proxy account to the proxy module. For example, the user logs in through the client using a proxy account maintained in the management and control module.

At event 615, the proxy module sends a query request for the system account corresponding to the proxy account to the management and control module.

At event 620, the management and control module authenticates the proxy account.

At event 625, after the authentication passes, the management and control module looks up the corresponding system account.

At event 630, the management and control module returns the system account information to the proxy module.

At event 635, the proxy module replaces the proxy account in the login request with the system account, generating a login request for the system account.

In some embodiments, after receiving the login request, the proxy server authenticates the proxy account through a permission information interface of the management and control module; after the authentication passes, the proxy module receives the corresponding system account information.

At event 640, the proxy module sends a login request for the system account to the target system.

At event 645, the target system fails to authenticate the system account.

At event 650, the target system returns the authentication result for the system account to the proxy module. For example, if the system account information is wrong, the target system returns an authentication failure prompt.

At event 655, the proxy module replaces the system account in the authentication result with the proxy account, generating an authentication result for the proxy account. For example, the proxy module replaces the returned prompt with an authentication error message that is clearer for the user and that refers only to the proxy account.

At event 660, the proxy module returns the authentication result for the proxy account to the client.

In some embodiments, the proxy account itself fails authentication, so the proxy module never issues a login request for a system account. This may be implemented by the embodiment in fig. 7.

Fig. 7 shows a schematic diagram of still further embodiments of a user authentication method of the present disclosure.

As shown in fig. 7, at event 710, the client sends a login request for a proxy account to the proxy module. For example, the user logs in through the client using a proxy account maintained in the management and control module.

At event 720, the proxy module sends a query request for the system account corresponding to the proxy account to the management and control module.

At event 730, the management and control module authenticates the proxy account, and the authentication fails.

At event 740, the management and control module returns the authentication result for the proxy account to the proxy module. For example, the returned system account information is null: if the proxy account credentials provided by the user are incorrect, the management and control module does not return any system account information.

At event 750, the proxy module generates a prompt for the authentication result.

At event 760, the proxy module returns the authentication result and its prompt to the client. For example, if the returned system account information is null, the proxy module directly returns authentication failure information without contacting the target system.
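The three login flows of figs. 5 to 7 share one mechanism, and the following Python sketch, added here as an illustration and not code from the disclosure, shows them together: a stand-in management and control module that stores the proxy-to-system account binding and verifies the proxy credential and its validity period (events 520/525), a stand-in target system, and a proxy module that rewrites the login request to the system account (event 535), forwards it (event 540) and rebuilds the result for the proxy account (events 555/655/760). All class and field names, the PBKDF2 storage of the proxy password and the shape of the result dictionaries are assumptions of this example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional


def _pbkdf2(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


@dataclass
class ProxyAccount:
    """A proxy (virtual) account and the system account it is bound to (assumed layout)."""
    name: str
    salt: bytes
    pw_hash: bytes
    expires_at: int        # validity period of the proxy credential, unix seconds
    system_account: str    # real account on the target system
    system_password: str   # real password; held by the proxy, never shown to the user


class ManagementModule:
    """Stand-in for the management and control module: creates proxy accounts,
    binds them to system accounts, and authenticates proxy credentials."""

    def __init__(self) -> None:
        self._accounts: Dict[str, ProxyAccount] = {}

    def create(self, name: str, password: str, system_account: str,
               system_password: str, expires_at: int) -> None:
        salt = secrets.token_bytes(16)
        self._accounts[name] = ProxyAccount(name, salt, _pbkdf2(password, salt),
                                            expires_at, system_account, system_password)

    def authenticate(self, name: str, password: str, now: int) -> Optional[ProxyAccount]:
        """Events 520/525: verify the proxy credential and return the bound system
        account, or None (the "null system account" of fig. 7)."""
        acct = self._accounts.get(name)
        # Hash even for unknown names so a missing account is not obvious from timing.
        salt = acct.salt if acct else b"\0" * 16
        candidate = _pbkdf2(password, salt)
        if acct is None or not hmac.compare_digest(candidate, acct.pw_hash):
            return None
        if now > acct.expires_at:   # credential outside its validity period
            return None
        return acct


class TargetSystem:
    """Constructed stand-in for the target system's own login endpoint."""

    def __init__(self, users: Dict[str, str]) -> None:
        self._users = users

    def login(self, username: str, password: str) -> dict:
        if self._users.get(username) == password:
            return {"status": "ok", "account": username}
        return {"status": "failed", "account": username,
                "message": f"authentication failed for account {username}"}


class ProxyModule:
    def __init__(self, mgmt: ManagementModule, target: TargetSystem) -> None:
        self._mgmt = mgmt
        self._target = target

    def login(self, proxy_name: str, proxy_password: str, now: int) -> dict:
        """Events 510-555, 610-660 and 710-760 in one method."""
        acct = self._mgmt.authenticate(proxy_name, proxy_password, now)
        if acct is None:
            # fig. 7: no system account returned; fail without touching the target system
            return {"status": "failed", "account": proxy_name,
                    "message": f"authentication failed for proxy account {proxy_name}"}
        # fig. 5, event 535: the login request now carries the system account
        result = self._target.login(acct.system_account, acct.system_password)
        # Events 555/655: rebuild the result for the proxy account. The message is
        # regenerated from the status rather than string-replaced, so the real
        # system account name cannot leak through an unexpected target message.
        if result["status"] == "ok":
            return {"status": "ok", "account": proxy_name}
        return {"status": "failed", "account": proxy_name,
                "message": f"authentication failed for proxy account {proxy_name}"}


def build_demo() -> ProxyModule:
    """Constructed fixture: one proxy account bound to a working system account."""
    mgmt = ManagementModule()
    mgmt.create("alice.proxy", "proxy-pw-1", "svc_alice", "S3cret!", expires_at=2_000_000)
    return ProxyModule(mgmt, TargetSystem({"svc_alice": "S3cret!"}))


if __name__ == "__main__":
    proxy = build_demo()
    print(proxy.login("alice.proxy", "proxy-pw-1", now=1_000_000))
    print(proxy.login("alice.proxy", "wrong", now=1_000_000))
```

Two points a practitioner would check in a real deployment follow from the flows: the proxy holds the target system's real credentials, so its account store is at least as sensitive as the target system itself; and the result returned to the client at event 655 should be regenerated from the status rather than produced by substring substitution, otherwise an unexpected target-system message can carry the real system account name back to the user.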

In the above embodiments, the user's authority control policy is role-based access control, with the virtual account playing the part of the role. Role-based access control associates permissions with roles rather than with individual users; a user gains the authority of a role by being made a member of it. Role-based access control is the most widely used access control policy.

The method of the above embodiments is implemented in a way that is decoupled from the application's own permission control. The system application provides only the basic access control required by the general security criteria of the system; the user-specific, fine-grained access control requirements are separated into independent modules (such as the authentication device in the proxy server). This not only simplifies the development process and shortens the development cycle, but also lets the separated access control module be applied to more systems.

In some embodiments, the proxy-based authority control system is an authority control method decoupled from the system application. The method can intercept HTTP (Hypertext Transfer Protocol), FTP (File Transfer Protocol), TCP (Transmission Control Protocol) and other requests.

In some embodiments, the method supports both software and hardware proxy implementations, with role-based access control implemented on top of the proxy. At the same time, proxying the user account solves the confidentiality problem of the target system's account password, since the user never holds it. A double proxy, of the target system and of the target system account, is thereby achieved.

In some embodiments, the method adds data analysis of the operation request, parsing, storing and analyzing the request.

In some embodiments, the method can provide more intuitive data on the current request state of the system. On top of the proxy, the routing function allows non-invasive functions to be added to the target system, which greatly facilitates rapid expansion of the system.

Fig. 8 shows a schematic diagram of some embodiments of an authentication device of a user of the present disclosure.

As shown in fig. 8, the authentication device may be installed on a proxy server deployed between the user's client and the target system server. The authentication device may comprise a proxy module (comprising a forward proxy module and a reverse proxy module), a management and control module, a data analysis module, a function extension module and a protocol analysis module.

Through network path configuration, the client must access the target system through the proxy server and cannot reach the target system directly. After the target system has processed the client's request, the reply is likewise constrained by the network path configuration and must pass through the proxy server before it is returned to the client. This restriction is what gives the proxy's checks their force: any path from a client to the target system that bypasses the proxy also bypasses the authority control described above.

The forward proxy module is mainly responsible for proxying the account; the reverse proxy module proxies the target system; the protocol analysis module parses the various protocols received by the proxy to obtain the data in the request or response; the management and control module is responsible for managing the proxy and target system accounts, the permissions of the proxy accounts, and so on; the function extension module handles operation requests for newly added functions (forwarding to the extension system, etc.). The proxy module may be provided with a judging unit and a sending unit.

The management and control module (which may include a processing unit and a sending unit) may also manage and control some of the user accounts of the target system that it stores, and map those user accounts to proxy accounts. One real account (system account) of a target system may correspond to a plurality of proxy accounts.

When a user logs in the processing system, the forward proxy module replaces the proxy account information with the real account information of the target system. Therefore, the method can ensure that the user can normally log in the target system and also protect sensitive information such as the password of the account of the target system.

The management and control module realizes management and control service supporting the authority management service so as to realize management of the proxy account and the target system account and realize authority management of the proxy account. For example, access right management based on a white list mechanism, behavior operation level fine-grained right control on operations such as query and modification of a user, and the like.

The data analysis module (which may comprise a processing unit and a sending unit) provides data analysis services for the data flowing through the proxy server, based on streaming data processing. The data may include key data such as user requests and system responses. The data analysis module parses, analyzes and stores the data and the results it produces, so as to mine the value contained in a large volume of data streams. The data analysis module may store intermediate results and analysis results, such as the most frequent requests in the last few minutes, the distribution of response statuses in the last few minutes, and the like.
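As an added illustration (not code from the disclosure), the following Python class keeps a sliding window over the request and response records that pass through the proxy and answers the two questions the paragraph names: the most frequent requests and the response status distribution over the last few minutes. The record layout, the window length and the per-account 401 count are assumptions of this example; the last of these is one way the stored results can serve security operations, since a burst of authentication failures against one proxy account is what credential guessing looks like from the proxy's vantage point.

```python
from collections import Counter, deque
from typing import Deque, Dict, List, Tuple

# Constructed record shape: (timestamp_seconds, proxy_account, request_key, status)
Record = Tuple[int, str, str, int]


class RequestWindow:
    """Keeps the last `window` seconds of proxied requests and responses and
    answers questions about them; older records are dropped as time moves on."""

    def __init__(self, window: int = 300) -> None:
        self.window = window
        self._records: Deque[Record] = deque()

    def record(self, ts: int, account: str, request_key: str, status: int) -> None:
        """Append one request/response pair seen by the proxy (assumed timestamps
        arrive in order, as they do from a single proxy process)."""
        self._records.append((ts, account, request_key, status))
        self._expire(ts)

    def _expire(self, now: int) -> None:
        while self._records and self._records[0][0] <= now - self.window:
            self._records.popleft()

    def top_requests(self, now: int, n: int = 3) -> List[Tuple[str, int]]:
        """Most frequent request keys in the window, as (key, count)."""
        self._expire(now)
        return Counter(r[2] for r in self._records).most_common(n)

    def status_counts(self, now: int) -> Dict[int, int]:
        """Distribution of response statuses in the window."""
        self._expire(now)
        return dict(Counter(r[3] for r in self._records))

    def auth_failures_by_account(self, now: int) -> Dict[str, int]:
        """Status 401 per proxy account in the window (assumed detection use)."""
        self._expire(now)
        return dict(Counter(r[1] for r in self._records if r[3] == 401))


def load_sample() -> RequestWindow:
    """Constructed sample stream covering a little over five minutes of traffic."""
    w = RequestWindow(window=300)
    sample = [
        (0,   "alice.proxy", "GET /crm/query",   200),
        (30,  "alice.proxy", "GET /crm/query",   200),
        (60,  "bob.proxy",   "POST /crm/modify", 200),
        (200, "carol.proxy", "POST /login",      401),
        (210, "carol.proxy", "POST /login",      401),
        (220, "carol.proxy", "POST /login",      401),
        (330, "bob.proxy",   "GET /crm/query",   200),
    ]
    for rec in sample:
        w.record(*rec)
    return w


if __name__ == "__main__":
    window = load_sample()
    print(window.top_requests(now=330))
    print(window.status_counts(now=330))
    print(window.auth_failures_by_account(now=330))
```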

The function extension module (which may include a processing unit and a sending unit) implements the function extension service, realizing non-invasive function extension of the target system. This matters for target systems that cannot be modified: the vendor no longer supports them, the source code is no longer available, the dedicated hardware cannot support changes, and so on. Non-invasive extension of the target system's functions makes it possible for such a target system to keep up with new business requirements.

After the client's request has been intercepted and processed by the proxy, it is forwarded to the target system for processing. If the request needs a function of the original target system, the proxy first judges whether the user has the authority. Without the authority, the request is not sent to the target system for processing; with it, the request is sent to the target system.

For the data result returned by the target system, the proxy server can judge whether the sensitivity of the data matches the user's role. If it matches, the data result is returned to the user. If the user's request requires data analysis or an extended function of the system, the proxy server processes the request itself and returns the result data.

In some embodiments, the protocol analysis module of the authentication device may support a three-layer proxy. For example, the three layers may be an application layer, transport layer and session layer proxy. The protocol analysis module can parse HTTP, FTP, TCP, UDP (User Datagram Protocol), SOCKS5 and other protocols, so as to extract the user's request information and the service's response information and apply the corresponding management and control processing.

The bidirectional proxy server supports software and hardware implementations. For example, a software implementation runs on the bidirectional proxy server as a system service or as a system process; a hardware implementation offloads formatted data processing tasks such as protocol parsing and data computation to FPGA (Field Programmable Gate Array) hardware, exploiting its high processing speed to improve the performance of the bidirectional proxy server.
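The authority decision described above, together with the whitelist and behaviour-level permissions of the management and control module, the split between system and non-system requests, the routing of extension requests by unique identifier, and the sensitivity check on returned data, can be written as one policy function. The following Python is an added example, not the disclosure's code; the policy tables, the `sensitivity` field on returned records and the numeric clearance levels are assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Role:
    name: str
    operations: Set[str]   # behaviour-level permissions, e.g. {"query"} or {"query", "modify"}
    clearance: int         # highest data sensitivity level the role may receive


@dataclass
class OperationRequest:
    proxy_account: str
    system: str            # target system the request is addressed to
    operation: str         # e.g. "query", "modify", or an extension function id
    payload: dict = field(default_factory=dict)


# Constructed policy data of the management and control module (assumed layout).
ROLES: Dict[str, Role] = {
    "viewer": Role("viewer", {"query"}, clearance=1),
    "operator": Role("operator", {"query", "modify"}, clearance=2),
}
ACCOUNT_ROLES: Dict[str, List[str]] = {"alice.proxy": ["viewer"], "bob.proxy": ["operator"]}
# Whitelist mechanism: a proxy account may reach a system only if listed for it.
ACCESS_WHITELIST: Dict[str, Set[str]] = {"crm": {"alice.proxy", "bob.proxy"}, "hr": {"bob.proxy"}}
# Services the target system itself provides; anything else is a non-system request.
SYSTEM_SERVICES: Dict[str, Set[str]] = {"crm": {"query", "modify"}, "hr": {"query"}}
# Extension systems keyed by unique identifier, with their routing information (assumed).
EXTENSION_ROUTES: Dict[str, str] = {"report": "ext-report.internal:8443"}


def roles_of(proxy_account: str) -> List[Role]:
    return [ROLES[r] for r in ACCOUNT_ROLES.get(proxy_account, [])]


def has_access(req: OperationRequest) -> bool:
    """Access authority: the proxy account must be whitelisted for the system."""
    return req.proxy_account in ACCESS_WHITELIST.get(req.system, set())


def operation_allowed(req: OperationRequest) -> bool:
    """Operation authority: some role of the account grants this operation."""
    return any(req.operation in r.operations for r in roles_of(req.proxy_account))


def clearance_of(proxy_account: str) -> int:
    return max((r.clearance for r in roles_of(proxy_account)), default=0)


def authorize(req: OperationRequest) -> Tuple[str, str]:
    """Return (decision, detail). Decisions: 'deny', 'system' (forward to the
    target system), 'extension' (route to an extension system by its identifier)."""
    if not has_access(req):
        return "deny", "no access authority for system " + req.system
    if req.operation in SYSTEM_SERVICES.get(req.system, set()):
        if not operation_allowed(req):
            return "deny", "no operation authority for " + req.operation
        return "system", req.system
    route = EXTENSION_ROUTES.get(req.operation)
    if route is None:
        return "deny", "unknown operation " + req.operation
    return "extension", route


def filter_response(proxy_account: str, records: List[dict]) -> List[dict]:
    """Match returned data against the role: drop records whose 'sensitivity'
    exceeds the account's clearance before they reach the terminal."""
    limit = clearance_of(proxy_account)
    return [r for r in records if r.get("sensitivity", 0) <= limit]


if __name__ == "__main__":
    print(authorize(OperationRequest("alice.proxy", "crm", "query")))
    print(authorize(OperationRequest("alice.proxy", "crm", "modify")))
    print(authorize(OperationRequest("bob.proxy", "crm", "report")))
```

The decision is made before anything reaches the target system, so a denied request never consumes the real system account; the response filter runs on the way back, which is where the sensitivity-versus-role check of the paragraph above belongs.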

Fig. 9 illustrates a block diagram of some embodiments of a user's authentication device of the present disclosure.

As shown in fig. 9, the authentication apparatus 9 for a user includes a determination unit 91 and a transmission unit 92.

The judging unit 91, in response to receiving an operation request sent by a terminal through a virtual account of a user, judges whether the user has a corresponding authority of a processing system according to the virtual account; the sending unit 92 sends the operation request to the processing system and sends the processing result returned by the processing system to the terminal, when the user has the corresponding authority.

In some embodiments, the respective rights include access rights and operational rights of the user to the processing system. The sending unit 92 obtains the operation authority of the user according to the virtual account when the user has the access authority; processing the operation request according to the operation authority; and sending the processed operation request to the processing system so as to obtain a processing result returned by the processing system.

In some embodiments, the authentication apparatus 9 further comprises a processing unit 93, configured to divide the operation request into a system processing request and a non-system processing request according to the processing service that can be provided by the processing system; and processing the non-system processing request to obtain a first processing result.

In some embodiments, the sending unit 92 sends the first processing result and the system processing request to the processing system.

In some embodiments, the sending unit 92 sends the acquired second processing result returned by the processing system to the terminal; the processing unit 93 processes the second processing result according to the user's requirement to obtain a third processing result; the transmitting unit 92 transmits the third processing result to the terminal.

In some embodiments, the sending unit 92 sends the operation request to the extension system for processing when the processing service of the processing system cannot meet the operation request, and the extension system is developed according to the user requirement corresponding to the operation request.

In some embodiments, the sending unit 92 obtains the routing information according to the unique identifier of the extension system; and sending the operation request to the expansion system for processing according to the routing information.

In some embodiments, the processing unit 93 is configured to, in response to receiving a first login request sent by a terminal through a virtual account of a user, obtain a system account associated with the virtual account according to association information between the virtual account and the system account; generating a second login request according to the system account; the sending unit 92 sends the second login request to the processing system for authentication in order to determine whether to allow the terminal to login.

In some embodiments, in response to receiving the first authentication failure information of the system account returned by the processing system, the processing unit 93 generates second authentication failure information according to the virtual account; the transmitting unit 92 transmits the second authentication failure information to the terminal.

In some embodiments, the authentication apparatus 9 is provided in a proxy server, and the virtual account is a proxy account.

Fig. 10 shows a block diagram of further embodiments of a user's authentication device of the present disclosure.

As shown in fig. 10, the authentication apparatus 10 of the user of this embodiment includes: a memory 101 and a processor 102 coupled to the memory 101, the processor 102 being configured to perform a method in any one of the embodiments of the present disclosure based on instructions stored in the memory 101.

The memory 101 may include, for example, a system memory, a fixed nonvolatile storage medium, and the like. The system memory stores, for example, an operating system, application programs, a boot loader, a database, and other programs.

Fig. 11 illustrates a block diagram of still further embodiments of a user's authentication device of the present disclosure.

As shown in fig. 11, the authentication apparatus 11 of the user of this embodiment includes: a memory 1110 and a processor 1120 coupled to the memory 1110, the processor 1120 being configured to perform a method of authenticating a user in any of the embodiments described above based on instructions stored in the memory 1110.

The memory 1110 may include, for example, system memory, fixed non-volatile storage media, and the like. The system memory stores, for example, an operating system, an application program, a boot loader, and other programs.

The user's authentication apparatus 11 may further include an input-output interface 1130, a network interface 1140, a storage interface 1150, and the like. These interfaces 1130, 1140, 1150 and the memory 1110 and the processor 1120 may be connected via a bus 1160, for example. The input/output interface 1130 provides a connection interface for input/output devices such as a display, a mouse, a keyboard, and a touch screen. The network interface 1140 provides a connection interface for various networking devices. The storage interface 1150 provides a connection interface for external storage devices such as an SD card and a usb disk.

Fig. 12 illustrates a block diagram of some embodiments of a proxy server of the present disclosure.

As shown in fig. 12, the proxy server 12 includes an authentication device 121 of the user in any of the above embodiments.

Fig. 13 illustrates a block diagram of some embodiments of a network service system of the present disclosure.

As shown in fig. 13, the network service system 13 includes: the proxy server 131 in any of the above embodiments; and a processing system 132 for processing the operation request of the user from the terminal.

As will be appreciated by one skilled in the art, embodiments of the present disclosure may be provided as a method, system, or computer program product. Accordingly, the present disclosure may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present disclosure may take the form of a computer program product embodied on one or more computer-usable non-transitory storage media having computer-usable program code embodied therein.

So far, an authentication method of a user, an authentication apparatus of a user, a proxy server, a network service system, and a computer-readable storage medium according to the present disclosure have been described in detail. Some details that are well known in the art have not been described in order to avoid obscuring the concepts of the present disclosure. It will be fully apparent to those skilled in the art from the foregoing description how to practice the presently disclosed embodiments.

The method and system of the present disclosure may be implemented in a number of ways. For example, the methods and systems of the present disclosure may be implemented by software, hardware, firmware, or any combination of software, hardware, and firmware. The above-described order for the steps of the method is for illustration only, and the steps of the method of the present disclosure are not limited to the order specifically described above unless specifically stated otherwise. Further, in some embodiments, the present disclosure may also be embodied as programs recorded in a recording medium, the programs including machine-readable instructions for implementing the methods according to the present disclosure. Thus, the present disclosure also covers a recording medium storing a program for executing the method according to the present disclosure.

Although some specific embodiments of the present disclosure have been described in detail by way of example, it should be understood by those skilled in the art that the foregoing examples are for purposes of illustration only and are not intended to limit the scope of the present disclosure. It will be appreciated by those skilled in the art that modifications may be made to the above embodiments without departing from the scope and spirit of the present disclosure. The scope of the present disclosure is defined by the appended claims.
