Service security method and device based on application market architecture
1. A service security method based on an application market architecture, applied to a client, wherein the method comprises the following steps:
acquiring service plaintext data and a market version type of an application program through the application program, wherein the service plaintext data comprises a service identifier;
calling an encryption key corresponding to the market version type, and encrypting the service plaintext data based on the encryption key to obtain service ciphertext data;
sending a market request to gateway service equipment over Hypertext Transfer Protocol Secure (HTTPS), wherein the market request comprises routing information and the service ciphertext data, so that the gateway service equipment intercepts the market request through a protection interceptor and judges whether the market request is a malicious request; if not, the gateway service equipment matches a corresponding decryption key according to the routing information, decrypts the service ciphertext data based on the corresponding decryption key to obtain the service plaintext data, and then sends a service request to the business service equipment corresponding to the service identifier;
receiving service ciphertext result data sent by the gateway service equipment;
calling a decryption key corresponding to the encryption key, and decrypting the service ciphertext result data to obtain service result data;
and presenting the service result data.
2. The method of claim 1, wherein the method further comprises:
setting different encryption keys, and corresponding decryption keys, for data encryption and decryption according to the different market version types of the application program.
3. A service security method based on an application market architecture, applied to a gateway service device, wherein the method comprises the following steps:
intercepting a market request sent by an application program of a client through a protection interceptor and judging whether the market request is a malicious request, wherein the market request comprises routing information and service ciphertext data;
if not, matching a corresponding decryption key according to the routing information, and decrypting the service ciphertext data based on the decryption key to obtain service plaintext data, wherein the service plaintext data comprises a service identifier;
sending a service request to service equipment corresponding to the service identifier, wherein the service request comprises a network address of routing equipment corresponding to the service equipment and the service plaintext data;
receiving service result data returned by the service equipment;
calling an encryption key corresponding to the decryption key, and encrypting the service result data to obtain service ciphertext result data;
and sending the service ciphertext result data to the client over Hypertext Transfer Protocol Secure (HTTPS), so that the client decrypts the service ciphertext result data and presents the decrypted service result data.
4. The method of claim 3, wherein the method further comprises:
storing the different market version types of the application program and the corresponding routing information, and setting, for each market version type of the application program, a different encryption key and corresponding decryption key for data encryption and decryption.
5. The method of claim 4, wherein said matching a corresponding decryption key according to the routing information comprises:
determining the market version type of the application program of the client according to the routing information;
and acquiring a decryption key corresponding to the market version type of the application program of the client.
6. The method of claim 1, wherein, if a plurality of service devices support the service corresponding to the service identifier, the sending of a service request to the service device corresponding to the service identifier, the service request including a network address of a routing device corresponding to the service device and the service plaintext data, comprises:
selecting a service device from the plurality of service devices according to the service configuration weight of the service corresponding to the service identifier;
and sending the service request to the selected service equipment corresponding to the service identifier, wherein the service request comprises the network address of the routing equipment corresponding to the selected service equipment corresponding to the service identifier and the service plaintext data.
7. A service security method based on an application market architecture, applied to business service equipment, wherein the method comprises the following steps:
receiving a service request sent by gateway service equipment, wherein the service request comprises a network address of routing equipment and service plaintext data, and the service plaintext data comprises a service identifier; the service request is initiated by the gateway service equipment after it intercepts, through a protection interceptor, a market request sent by an application program of a client, judges that the market request is not a malicious request, matches a corresponding decryption key according to routing information in the market request, and decrypts service ciphertext data in the market request based on the decryption key;
acquiring service result data of the service that corresponds to the service identifier and is served by the routing equipment corresponding to the network address;
and returning the service result data to the gateway service equipment so that the gateway service equipment encrypts the service result data and sends the encrypted service result data to a client.
8. The method of claim 7, wherein the method further comprises:
and sending the routing information of the business service equipment for the external service to cluster registration equipment for registration so that the cluster registration equipment performs centralized registration and management on the business service equipment for the external service.
9. A non-transitory storage medium having stored thereon computer readable instructions which, when executed by a processor, cause the processor to implement the method of any one of claims 1 to 10.
10. A client for service security based on an application market architecture, wherein the client comprises:
one or more processors;
a computer-readable medium for storing one or more computer-readable instructions,
the one or more computer-readable instructions, when executed by the one or more processors, cause the one or more processors to implement the method of claim 1 or 2.
11. A gateway service device for service security based on an application market architecture, wherein the gateway service device comprises:
one or more processors;
a computer-readable medium for storing one or more computer-readable instructions,
the one or more computer-readable instructions, when executed by the one or more processors, cause the one or more processors to implement the method of any one of claims 3-6.
12. A business service device for service security based on an application market architecture, wherein the business service device comprises:
one or more processors;
a computer-readable medium for storing one or more computer-readable instructions,
the one or more computer-readable instructions, when executed by the one or more processors, cause the one or more processors to implement the method of claim 7 or 8.
Background
With the continuous development of information technology, major information security incidents occur every year. For example, a webpage of a website is tampered with and sensitive user information is leaked, so that the information security problems are inevitably reported and criticized and have to be rectified. In addition, it has been found that hackers occasionally attack the business servers of the application market, which results in high access traffic, high concurrency, high cost and leakage of market resources, and even affects the access of other, normal users to the market services. Moreover, network security is receiving more and more attention, and network security policies clearly specify that a network operator should fulfil the corresponding security protection obligations according to the requirements of the network security level protection system, for example protecting the network from interference, damage or unauthorized access, and preventing network data from being leaked, stolen or tampered with.
In the prior art, the current application market is built on the Java SSM framework combination, where SSM is Spring + Spring MVC + MyBatis. As technology develops, if vulnerabilities or defects in the existing architecture cannot be fixed in time, the security of the service gradually becomes worse. The current service has the following disadvantages:
For example, the reliability is poor: if an application has a bug, such as an infinite loop or a memory overflow, the bug may bring down the entire market, and this occurs frequently.
As another example, service security is poor: each business service exchanges data directly with the client, so the business service is completely exposed and is easily attacked, which affects the business.
As another example, the protective ability is poor: the system has obvious security risks and cannot resist the various external injection attacks.
For another example, incident notification is not timely: application-level attacks and incidents cannot be predicted, and the relevant technicians cannot be notified in a timely manner.
For another example, the data information protection is poor: sensitive information (such as account mobile phone information and the like) cannot be effectively protected.
As another example, resource data is vulnerable to leakage: information such as the Uniform Resource Locators (URLs) for downloading applications in the market is easily crawled by hackers, resulting in data leakage.
For another example, Hypertext Transfer Protocol (HTTP) requests are easily hijacked: the traditional system framework uses HTTP requests, which are easily hijacked and attacked, so that security cannot be guaranteed.
Disclosure of Invention
An object of the present application is to provide a service security method and device based on an application market architecture, which realize encrypted transmission of the requests of different application programs and of the returned service result data based on the application market architecture, effectively protect against illegal injection attacks, crawler events, malicious scanning and the like, reduce the risk of various attacks on the system, and thereby further improve the security of the services in the application market architecture.
According to one aspect of the application, a service security method based on an application market architecture is provided, which is applied to a client, wherein the method comprises the following steps:
acquiring service plaintext data and a market version type of an application program through the application program, wherein the service plaintext data comprises a service identifier;
calling an encryption key corresponding to the market version type, and encrypting the service plaintext data based on the encryption key to obtain service ciphertext data;
sending a market request to gateway service equipment over Hypertext Transfer Protocol Secure (HTTPS), wherein the market request comprises routing information and the service ciphertext data, so that the gateway service equipment intercepts the market request through a protection interceptor and judges whether the market request is a malicious request; if not, the gateway service equipment matches a corresponding decryption key according to the routing information, decrypts the service ciphertext data based on the corresponding decryption key to obtain the service plaintext data, and then sends a service request to the business service equipment corresponding to the service identifier;
receiving service ciphertext result data sent by the gateway service equipment;
calling a decryption key corresponding to the encryption key, and decrypting the service ciphertext result data to obtain service result data;
and presenting the service result data.
Further, in the above method, the method further includes:
setting different encryption keys, and corresponding decryption keys, for data encryption and decryption according to the different market version types of the application program.
According to another aspect of the present application, there is also provided a service security method based on an application market architecture, applied to a gateway service device, wherein the method includes:
intercepting a market request sent by an application program of a client through a protection interceptor and judging whether the market request is a malicious request, wherein the market request comprises routing information and service ciphertext data;
if not, matching a corresponding decryption key according to the routing information, and decrypting the service ciphertext data based on the decryption key to obtain service plaintext data, wherein the service plaintext data comprises a service identifier;
sending a service request to service equipment corresponding to the service identifier, wherein the service request comprises a network address of routing equipment corresponding to the service equipment and the service plaintext data;
receiving service result data returned by the service equipment;
calling an encryption key corresponding to the decryption key, and encrypting the service result data to obtain service ciphertext result data;
and sending the service ciphertext result data to the client over Hypertext Transfer Protocol Secure (HTTPS), so that the client decrypts the service ciphertext result data and presents the decrypted service result data.
Further, in the above method, the method further includes:
storing the different market version types of the application program and the corresponding routing information, and setting, for each market version type of the application program, a different encryption key and corresponding decryption key for data encryption and decryption.
Further, in the foregoing method, the matching, according to the routing information, a corresponding decryption key includes:
determining the market version type of the application program of the client according to the routing information;
and acquiring a decryption key corresponding to the market version type of the application program of the client.
Further, in the above method, if multiple service devices support the service corresponding to the service identifier, the sending of a service request to the service device corresponding to the service identifier, the service request including a network address of a routing device corresponding to the service device and the service plaintext data, includes:
selecting a service device from the plurality of service devices according to the service configuration weight of the service corresponding to the service identifier;
and sending the service request to the selected service equipment corresponding to the service identifier, wherein the service request comprises the network address of the routing equipment corresponding to the selected service equipment corresponding to the service identifier and the service plaintext data.
According to another aspect of the present application, there is also provided a service security method based on an application market architecture, applied to a business service device, wherein the method includes:
receiving a service request sent by gateway service equipment, wherein the service request comprises a network address of routing equipment and service plaintext data, and the service plaintext data comprises a service identifier; the service request is initiated by the gateway service equipment after it intercepts, through a protection interceptor, a market request sent by an application program of a client, judges that the market request is not a malicious request, matches a corresponding decryption key according to routing information in the market request, and decrypts service ciphertext data in the market request based on the decryption key;
acquiring service result data of the service that corresponds to the service identifier and is served by the routing equipment corresponding to the network address;
and returning the service result data to the gateway service equipment so that the gateway service equipment encrypts the service result data and sends the encrypted service result data to a client.
Further, in the above method, the method further includes:
and sending the routing information of the business service equipment for the external service to cluster registration equipment for registration so that the cluster registration equipment performs centralized registration and management on the business service equipment for the external service.
According to another aspect of the present application, there is also provided a non-volatile storage medium having computer-readable instructions stored thereon, which, when executed by a processor, cause the processor to implement the application marketplace architecture-based service security method as described above.
According to another aspect of the present application, there is also provided a client for service security based on an application market architecture, wherein the client comprises:
one or more processors;
a computer-readable medium for storing one or more computer-readable instructions,
the one or more computer-readable instructions, when executed by the one or more processors, cause the one or more processors to implement the service security method based on an application market architecture described above for the client side.
According to another aspect of the present application, there is also provided a gateway service device for service security based on an application market architecture, wherein the gateway service device includes:
one or more processors;
a computer-readable medium for storing one or more computer-readable instructions,
when executed by the one or more processors, the one or more computer-readable instructions cause the one or more processors to implement a service security method based on an application market architecture, such as that described above for the gateway service device side.
According to another aspect of the present application, there is also provided a business service device for service security based on an application market architecture, wherein the business service device includes:
one or more processors;
a computer-readable medium for storing one or more computer-readable instructions,
when executed by the one or more processors, the one or more computer-readable instructions cause the one or more processors to implement a service security method based on an application market architecture, such as that described above for a business service device.
Compared with the prior art, the present application constructs an application market architecture comprising a client, a gateway service device and a business service device. At the client, service plaintext data and the market version type of the application program are acquired through the application program, the service plaintext data comprising a service identifier; an encryption key corresponding to the market version type is called, and the service plaintext data is encrypted based on the encryption key to obtain service ciphertext data; a market request comprising routing information and the service ciphertext data is then sent to the gateway service device over Hypertext Transfer Protocol Secure (HTTPS). The gateway service device intercepts the market request through a protection interceptor and judges whether the market request is a malicious request; if not, it matches the corresponding decryption key according to the routing information, decrypts the service ciphertext data based on that decryption key to obtain the service plaintext data, and sends a service request to the business service device corresponding to the service identifier. The business service device responds to the service request by acquiring the service result data of the service that corresponds to the service identifier and is served by the routing device corresponding to the network address, and returns the service result data to the gateway service device. The gateway service device then calls the encryption key corresponding to the decryption key, encrypts the service result data to obtain service ciphertext result data, and sends the service ciphertext result data to the client over HTTPS, so that the client decrypts the service ciphertext result data and presents the result.
Encrypted transmission of the requests of different application programs and of the returned service result data is thus realized based on the application market architecture. At the same time, the protection interceptor added at the gateway service device effectively protects against illegal injection attacks, crawler events, malicious scanning and the like, and reduces the risk of various attacks on the system, so that the security of the services in the application market architecture is further improved.
Drawings
Other features, objects and advantages of the present application will become more apparent upon reading of the following detailed description of non-limiting embodiments thereof, made with reference to the accompanying drawings in which:
FIG. 1 illustrates a schematic diagram of an application market framework constructed in an application market framework-based service security method according to an aspect of the subject application;
FIG. 2 is a schematic diagram illustrating an interaction structure among a gateway service device, a cluster registration device, and a business service device of an application market architecture constructed in a service security method based on the application market architecture according to an aspect of the present application;
FIG. 3 illustrates an interaction flow diagram of a service security method based on an application marketplace architecture, in accordance with an aspect of the present application;
FIG. 4 is a diagram illustrating interception results of a guard interceptor in a service security method based on an application market architecture, according to an aspect of the subject application;
FIG. 5 illustrates an overall flow diagram of an actual application scenario of an application market architecture based service security method in accordance with an aspect of the subject application;
FIG. 6 is a schematic diagram illustrating a data encryption and decryption process flow of an actual application scenario in a service security method based on an application market architecture according to an aspect of the present application.
The same or similar reference numbers in the drawings identify the same or similar elements.
Detailed Description
The present application is described in further detail below with reference to the attached figures.
In a typical configuration of the present application, the terminal, the device serving the network, and the trusted party each include one or more processors (CPUs), input/output interfaces, network interfaces, and memory.
The memory may include volatile memory in a computer-readable medium, such as Random Access Memory (RAM), and/or non-volatile memory, such as Read Only Memory (ROM) or flash memory (flash RAM). Memory is an example of a computer-readable medium.
Computer-readable media, including both permanent and non-permanent, removable and non-removable media, may implement information storage by any method or technology. The information may be computer-readable instructions, data structures, modules of a program, or other data. Examples of computer storage media include, but are not limited to, phase change memory (PRAM), Static Random Access Memory (SRAM), Dynamic Random Access Memory (DRAM), other types of Random Access Memory (RAM), Read Only Memory (ROM), Electrically Erasable Programmable Read Only Memory (EEPROM), flash memory or other memory technology, compact disc read only memory (CD-ROM), Digital Versatile Discs (DVD) or other optical storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other non-transmission medium that can be used to store information that can be accessed by a computing device. As defined herein, computer-readable media do not include transitory computer-readable media (transitory media), such as modulated data signals and carrier waves.
FIG. 1 is a schematic structural diagram of the application market architecture constructed in the present application. The application market architecture includes a client (e.g., a Mobile Client), an application firewall, a gateway service device (corresponding to the gateway service center in FIG. 1), a cluster registration device (corresponding to the registration center in FIG. 1), and a business service device (corresponding to the REST API in FIG. 1). Each device in the application market architecture is further explained below:
The client (Mobile Client) may be the mobile phone version client of the application market, the HD version client of the application market, the music version client of the application market, and the like.
The Internet is a collection of global information resources.
The application firewall (WAF) performs multi-dimensional detection and protection of website service traffic. Combined with deep machine learning, it can intelligently identify the characteristics of malicious requests and defend against unknown threats, so as to comprehensively prevent hackers from maliciously attacking and intruding on the website. The WAF intercepts requests to be sent to the gateway service device and judges whether they are malicious, so that the requests processed in the gateway service device are legitimate requests.
The gateway service device is the core API treatment service center rebuilt in the application market architecture, and its functional logic is simple and clear. It provides external services for the mobile phone client, filters invalid access, resists illegal requests, decrypts the data of external requests and passes it to the internal business servers, and encrypts the result data returned by the internal services before passing it to the client, so as to protect the security of the internal services. At the same time, the gateway service device is the single point that provides services externally, and the internal services can be accessed and their data acquired only through the gateway service, so that the internal services are better protected against intrusion.
The cluster registration device is an Etcd registry. Etcd aims to provide a highly available distributed key-value database; internally it uses the Raft protocol as its consistency algorithm, and it is implemented in the Go language. According to the official benchmark data, a single Etcd instance supports fast reads at 2k+ operations per second. Etcd uses the Raft algorithm to achieve availability and consistency of data in a distributed system and to ensure data reliability, and it supports SSL certificate verification to ensure security. Both ZooKeeper and etcd can be used for service registration and discovery, but etcd provides HTTP API interaction and is much simpler to use than ZooKeeper.
The business service device (namely the REST API service) comprises an APP marker service, a Report data service and a low-old Java service. The APP marker service is the application market APP service and is deployed on two servers; the Report data service is the data service for exposures, clicks, downloads and the like in the application market, and is deployed on two servers; the low-old Java service is the old, low-version overall system of the application market, namely the application market service system before the market architecture was rebuilt, and is deployed on two servers.
The application market architecture constructed in the present application achieves the following. Services that are separated and isolated from each other can be developed and deployed independently. The gateway service device is uniformly responsible for external services, and the business services allow internal access only. Data is collected to a common specification for statistics and is doubly backed up, that is, each service device has a main device and a standby device, which guarantees effective, stable and reliable data for operational analysis and decision-making. A WAF application firewall is added at the gateway service device and event early warning is configured, so that illegal injection attacks, crawler events, malicious scanning and the like are effectively prevented and the risk of various attacks on the system is reduced. The access requests to be sent to the business service device, and the returned service result data, must be encrypted at the gateway service device to ensure the security of data transmission during the service process. From the service deployment perspective, the gateway service device, the REST API business service device and the low-old system are each deployed as multiple services, which provides a degree of disaster recovery. Services are split by service item and distinguished by the service identifier of each service, which protects the security of each service, keeps the service modules independent of each other, and minimizes the scope of impact when an abnormal fault occurs. The different application market versions (the mobile phone version, the HD version, the music video version and the like) are marked by route, and the encryption and decryption of each market version are independent and do not interfere with each other, which guarantees the data security of the different market versions.
As shown in FIG. 2, the application market architecture of the present application is a distributed system that uses the service discovery, registration and invocation of the Etcd cluster registration center in combination, so as to protect the security of each internal service and reduce the risk of being attacked. The workflow of the application market architecture system is as follows: each gateway administration service center (namely each gateway service device) initializes an instance and establishes a connection with the etcd cluster registration center (namely the cluster registration device); each gateway service device then acquires, for each node connected to the etcd cluster registration service, the service configuration information of the REST API (namely the business service device), where the service configuration information includes, but is not limited to, the key, which is the number information mcd, and the value, which is the ip + port + real routing device corresponding to the service; the node configuration information is stored in the memory of the service system, and the specific code is realized as follows:
After the REST API (namely the business service device) initializes its service instance, it maintains a long-lived connection with the etcd cluster registration center (namely the cluster registration device) so that the routing device corresponding to the service can subsequently be registered, and the specific implementation code is as follows:
fig. 3 is a schematic view illustrating an interaction flow of a service security method based on an application market architecture according to an aspect of the present application, where the method includes a client, a gateway service device (gateway API service), and a business service device, where the client may be a mobile phone client or a mobile terminal, and the following description describes an embodiment in which the client is preferably a mobile phone client, where the method includes step S11, step S12, step S13, step S14, step S15, step S16, step S21, step S22, step S23, step S24, step S25, step S26, step S31, step S32, and step S33, and specifically includes the following steps:
Step S11, the client obtains service plaintext data and the market version type of the application program through the application program, where the service plaintext data comprises a service identifier; the market version types corresponding to the application programs of the client include but are not limited to a mobile phone version client of an application market, an HD version client of the application market, a music version client of the application market and the like.
Step S12, the client calls an encryption key corresponding to the market version type, and encrypts the service plaintext data based on the encryption key to obtain service ciphertext data; here, different market version types correspond to different encryption keys and decryption keys corresponding to the encryption keys, so as to meet the encryption protection requirements of data to be transmitted by clients corresponding to different market version types. When encrypting the service plaintext data, the encryption can be performed by adopting but not limited to a DES encryption algorithm, so that the security protection of the service plaintext data can be enhanced.
Step S13, the client sends a market request to a gateway service device through a hypertext transfer secure protocol (HTTPS), which can guarantee the security of data in network transmission, wherein the market request includes routing information and the business ciphertext data, so that the gateway service device intercepts the market request through a protection interceptor and judges whether the market request is a malicious request, if not, the corresponding decryption key is matched according to the routing information, and after the business ciphertext data is decrypted based on the corresponding decryption key to obtain business plaintext data, the business request is sent to the business service device corresponding to the business identifier.
Step S21, the gateway service device intercepts a market request sent by an application program of a client through a protection interceptor and judges whether the market request is a malicious request, wherein the market request comprises routing information and business ciphertext data; for example, a protection interceptor is added to the gateway service device, where the protection interceptor includes, but is not limited to, an application firewall WAF that is added before the gateway service device processes the request, as shown in fig. 1, so that a time statement is set in the application firewall and various injection attacks, crawler events, malicious scanning and the like can be effectively protected against, thereby improving the service security of the system. The actual application scenario of the protection interceptor intercepting the market request is shown in fig. 4.
If not, step S22, the gateway service device matches a corresponding decryption key according to the routing information, and decrypts the service ciphertext data based on the decryption key to obtain service plaintext data, where the service plaintext data includes a service identifier.
Step S23, the gateway service device sends a service request to a service device corresponding to the service identifier, where the service request includes a network address of a routing device corresponding to the service device and the service plaintext data.
Step S31, the service equipment receives a service request sent by the gateway service equipment, where the service request includes a network address of the routing equipment and service plaintext data, and the service plaintext data includes a service identifier; the service request is initiated by the gateway service equipment after it intercepts the market request through the protection interceptor, judges that the market request is not a malicious request, matches a corresponding decryption key according to the routing information in the market request, and decrypts the service ciphertext data in the market request based on the decryption key.
Step S32, the service device obtains the service result data of the service corresponding to the service identifier, as served by the routing device corresponding to the network address.
Step S33, the service device returns the service result data to the gateway service device, so that the gateway service device encrypts the service result data and sends the encrypted service result data to the client.
Step S24, the gateway service device receives the service result data returned by the service device.
Step S25, the gateway service device invokes an encryption key corresponding to the decryption key, and encrypts the service result data to obtain service ciphertext result data.
Step S26, the gateway service device sends the service ciphertext result data to the client through a hypertext transfer security protocol HTTPS, so that the client decrypts and presents the service ciphertext result data.
Step S14, the client receives the service ciphertext result data sent by the gateway service device.
Step S15, the client calls a decryption key corresponding to the encryption key, and decrypts the service ciphertext result data to obtain service result data.
Step S16, the client presents the service result data.
Through the above steps S11 to S16, S21 to S26, and S31 to S33, the transmission protocol is changed from the hypertext transfer protocol HTTP of the prior art to the hypertext transfer secure protocol HTTPS in the embodiment of the present application, which increases the security of data transmission; the market version types (such as mobile phone version, HD version, music version and the like) of the different application markets of the client are distinguished by routing, and the encryption and decryption in the data transmission of the client corresponding to each market version type are independent and do not interfere with one another, which guarantees the data security of the different market versions; a protection interceptor is added in front of the gateway service equipment and time statements are set, which effectively protects against various injection attacks, crawler events, malicious scanning and the like; whether a request is being made or data is being referenced, access is carried out over the hypertext transfer secure protocol HTTPS, which further ensures the security of data in network transmission; and the requests for accessing the service device, the returned service result data and the like are all encrypted with an encryption algorithm, which enhances the security protection of the data. A detailed flow diagram for a specific practical application scenario is shown in fig. 5.
In this embodiment, when the gateway service device intercepts a market request sent by an application program of a client through a protection interceptor and determines that the market request is not a malicious request, the gateway service device decrypts data according to a decryption key corresponding to a market version type, and different market version types correspond to different decryption keys, so that service-related requests or data sent by clients corresponding to the market version types of each application market are isolated from each other and do not interfere with each other, and specific implementation codes are as follows:
In this embodiment, the gateway service device calls an encryption key corresponding to the decryption key, encrypts the service result data to obtain service ciphertext result data, and sends the service ciphertext result data to the client through the hypertext transfer secure protocol HTTPS, which may be implemented by the following codes, so that the security of data transmission is better ensured:
Following the above-described embodiments of the present application, the method further comprises:
and setting different encryption keys for data encryption and decryption and corresponding decryption keys according to different market version types of the application program. For example, the market version types of the application are Tape1, Tape2, … … and Tape N, where N is a positive integer greater than or equal to 1. To meet the security requirements of data transmission for the different market version types, different encryption keys and decryption keys are set for different market version types: an encryption key 1 and a corresponding decryption key 1 for data encryption and decryption are set for the market version type Tape1, an encryption key 2 and a corresponding decryption key 2 are set for the market version type Tape2, … …, and an encryption key N and a corresponding decryption key N are set for the market version type Tape N. With the encryption and decryption keys set per market version type in this way, the encryption and decryption in the data transmission of the client corresponding to each market version type are independent and do not interfere with one another, so that the data security of the different market versions can be guaranteed.
Next to the foregoing embodiment of the present application, the service security method based on the application market architecture applied to the gateway service device side in the embodiment of the present application further includes:
different market version types of the application program and corresponding routing information are stored, and different encryption keys and corresponding decryption keys for data encryption and decryption are set for the different market version types of the application program respectively.
For example, the gateway service device stores the routing information corresponding to different market version types, for example, the routing information stored corresponding to the market version type Tape1 is Router1, the routing information stored corresponding to the market version type Tape2 is Router2, … …, and the routing information stored corresponding to the market version type Tape N is Router N, and different encryption keys and corresponding decryption keys for data encryption and decryption are set in the gateway service device for different market version types of each application, for example, an encryption key 1 and a corresponding decryption key 1 for data encryption and decryption are set for the market version type Tape1, an encryption key 2 and a corresponding decryption key 2, … … for data encryption and decryption are set for the market version type Tape2, and an encryption key N and a corresponding decryption key N for data encryption and decryption are set for the market version type Tape N, therefore, the decryption key for decrypting the business ciphertext data in the market request can be inquired in the gateway service equipment by sending the routing information of the market request, and the inquiry of the decryption key is realized through the routing information.
Next to the foregoing embodiment of the present application, when executing step S22, the matching, by the gateway service device, the corresponding decryption key according to the routing information specifically includes:
determining the market version type of the application program of the client according to the routing information;
and acquiring a decryption key corresponding to the market version type of the application program of the client.
For example, after the gateway service device has set a mapping relationship between different market version types and corresponding routing information, and configures a corresponding encryption key for encryption and decryption and a corresponding decryption key for each market version type, according to the routing information carried in the market request, the market version type of the application program of the client corresponding to the routing information in the market request is matched from the mapping relationship between the different market version types and the corresponding routing information, and the corresponding decryption key is obtained through the market version type of the application program of the client matched, so that the business ciphertext data carried by the market request is matched with the corresponding decryption key through the routing information carried by the market request, thereby realizing decryption of the business ciphertext data.
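An added example of this route-to-key lookup and of steps S22 to S25, written in Go; it is not the patent's own code. It uses AES-256-GCM from the standard library in place of the DES the text names (the text says the algorithm is "not limited to" DES), so that a request encrypted for one market version type fails authentication when sent on another type's route. Tape1/Tape2 and Router1/Router2 come from the examples above; the type and function names, keys and payload are constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

var ErrUnknownRoute = errors.New("no market version type registered for route")

// Gateway holds the two mappings the text describes: routing information to
// market version type, and market version type to that type's own key.
type Gateway struct {
	typeByRoute map[string]string
	keyByType   map[string][]byte
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal returns nonce || ciphertext || tag (AES-256-GCM, swapped in for DES).
func seal(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// open reverses seal and fails if the key is wrong or the data was modified.
func open(key, msg []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(msg) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, msg[:gcm.NonceSize()], msg[gcm.NonceSize():], nil)
}

// Handle covers steps S22 to S25: match the key by route, decrypt, call the
// business service with plaintext, encrypt the result with the paired key.
func (g *Gateway) Handle(route string, body []byte, business func([]byte) []byte) ([]byte, error) {
	versionType, ok := g.typeByRoute[route]
	if !ok {
		return nil, ErrUnknownRoute // fail closed: no default key
	}
	key := g.keyByType[versionType]
	plain, err := open(key, body)
	if err != nil {
		return nil, fmt.Errorf("decrypt as %s: %w", versionType, err)
	}
	return seal(key, business(plain))
}

// roundTrip plays the client (S12, S13, S15) of market version type
// clientType against route, with freshly generated keys and a constructed payload.
func roundTrip(clientType, route string) (string, error) {
	g := &Gateway{
		typeByRoute: map[string]string{"Router1": "Tape1", "Router2": "Tape2"},
		keyByType:   map[string][]byte{},
	}
	for _, t := range []string{"Tape1", "Tape2"} {
		k := make([]byte, 32) // AES-256 key, one per market version type
		if _, err := rand.Read(k); err != nil {
			return "", err
		}
		g.keyByType[t] = k
	}
	clientKey := g.keyByType[clientType] // the client holds only its own type's key
	req, err := seal(clientKey, []byte(`{"serviceId":"demo"}`))
	if err != nil {
		return "", err
	}
	echo := func(p []byte) []byte { return append([]byte("result for "), p...) }
	resp, err := g.Handle(route, req, echo)
	if err != nil {
		return "", err
	}
	out, err := open(clientKey, resp)
	return string(out), err
}

func main() {
	out, err := roundTrip("Tape1", "Router2") // Tape1 client on the Tape2 route
	fmt.Println(out, err)
}
```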
Next to the foregoing embodiment of the present application, if there are multiple service devices supporting the service corresponding to the service identifier, where the step S23 executed by the gateway service device sends a service request to the service device corresponding to the service identifier, where the service request includes a network address of a routing device corresponding to the service device and the service plaintext data, and the method specifically includes:
selecting a service device from the plurality of service devices according to the service configuration weight of the service corresponding to the service identifier;
and sending the service request to the selected service equipment corresponding to the service identifier, wherein the service request comprises the network address of the routing equipment corresponding to the selected service equipment corresponding to the service identifier and the service plaintext data.
For example, if a plurality of service devices are all configured to support the service corresponding to the service identifier, then when a service request related to that service is to be sent, a service device is first selected from the plurality of service devices supporting the service according to the service configuration weight of the service corresponding to the service identifier, such as the real-time service load of each service device and/or the priority of each service device, and the service request is then sent to the selected service device. The service request includes not only the service plaintext data to be queried but also the network address of the routing device corresponding to the selected service device. In this way, when the service corresponding to the service identifier has a plurality of service devices, one of them is selected according to the service configuration weight and the service request is issued to it.
Next to the foregoing embodiment of the present application, the service security method based on the application market architecture applied to the service device side in the embodiment of the present application further includes:
and sending the routing information of the business service equipment for the external service to cluster registration equipment for registration so that the cluster registration equipment performs centralized registration and management on the business service equipment for the external service.
For example, in order to distinguish external services from internal services among all services, the service device of an external service sends its routing information to a cluster registration device (corresponding to the cluster registration center in fig. 2), so that the cluster registration device performs centralized registration and management of the service devices of all external services, and the routing information of the service devices of the external services is sent to the gateway service device through the cluster registration device to support the corresponding external services. Internal services are not registered or managed in the cluster registration device, so an internal service can be accessed only by internal services and is not offered externally through the cluster registration device. For example, in an actual application scenario, the routing information of the service devices of external services is numbered in order to distinguish external services from internal services, so that the routing information of each external service device contains the number, such as an mcd address: the routes/appDemail/101030 and the like; all such routes are centrally registered in the etcd cluster registration equipment. Routing information without a numeric number (routing information indicating the business service equipment of internal services) is not registered in the etcd cluster registration equipment; it is available only for internal service access and does not support external access, that is, access to the route by a mobile phone client. The routing naming rule is thus used so that only part of the services are exposed externally and the internal services are protected from external intrusion, further ensuring the service security of the business services. This is specifically realized by the following codes:
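An added Go example, not the patent's own code, covering both the weight-based selection of a service device described earlier and the naming rule above: only numbered routes are accepted into the registry, lookups for anything else fail closed, and devices are picked by weighted round-robin. The in-memory registry stands in for etcd; the assumption that the number is the final path segment, the internal route name, the addresses and the weights are constructed for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

var ErrNotExposed = errors.New("route is not registered for external service")

// Instance is one business service device. Weight stands in for the page's
// "service configuration weight"; its scale here is an assumption.
type Instance struct {
	Addr   string // ip:port, constructed
	Weight int
}

// Registry is an in-memory stand-in for the etcd cluster registration center.
type Registry struct {
	routes map[string][]Instance
	cursor map[string]int
}

func NewRegistry() *Registry {
	return &Registry{routes: map[string][]Instance{}, cursor: map[string]int{}}
}

// isExternalRoute applies the naming rule: only numbered routes are external.
// Assumption: the number is the whole final path segment, as in the page's
// example routes/appDemail/101030.
func isExternalRoute(route string) bool {
	seg := route[strings.LastIndex(route, "/")+1:]
	if seg == "" {
		return false
	}
	for _, c := range seg {
		if c < '0' || c > '9' {
			return false
		}
	}
	return true
}

// Register accepts external routes only, so internal routes never become
// resolvable by the gateway.
func (r *Registry) Register(route string, inst Instance) bool {
	if !isExternalRoute(route) || inst.Weight <= 0 {
		return false
	}
	r.routes[route] = append(r.routes[route], inst)
	return true
}

// Pick returns the next device for a route by weighted round-robin and fails
// closed for any route that was never registered.
func (r *Registry) Pick(route string) (Instance, error) {
	total := 0
	for _, inst := range r.routes[route] {
		total += inst.Weight
	}
	if total == 0 {
		return Instance{}, ErrNotExposed
	}
	n := r.cursor[route] % total
	r.cursor[route]++
	for _, inst := range r.routes[route] {
		if n < inst.Weight {
			return inst, nil
		}
		n -= inst.Weight
	}
	return Instance{}, ErrNotExposed // not reached: n < total
}

// distribution registers constructed devices, then counts picks per address.
func distribution(route string, picks int) (map[string]int, error) {
	r := NewRegistry()
	r.Register("routes/appDemail/101030", Instance{"10.0.0.11:8080", 3})
	r.Register("routes/appDemail/101030", Instance{"10.0.0.12:8080", 1})
	r.Register("routes/appInternal/stats", Instance{"10.0.0.20:8080", 1}) // rejected
	counts := map[string]int{}
	for i := 0; i < picks; i++ {
		inst, err := r.Pick(route)
		if err != nil {
			return nil, err
		}
		counts[inst.Addr]++
	}
	return counts, nil
}

func main() {
	fmt.Println(distribution("routes/appDemail/101030", 8))
	fmt.Println(distribution("routes/appInternal/stats", 1))
}
```

The naming rule only controls what gets registered; the protection comes from the lookup refusing every route that is absent from the registry.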
in an actual application scenario of the present application, as shown in fig. 6, when a client needs to send service plaintext data related to a service, the service plaintext data triggered by the client in step a needs to be obtained simultaneously with a market version type of an application program, where the service plaintext data includes a service identifier;
in the step A, the client calls an encryption key corresponding to the current market version type to perform DES encryption on the service plaintext data to obtain service ciphertext data;
in step a, the client transmits the encrypted service ciphertext data to a gateway service device (corresponding to the gateway service center in fig. 5) by using an HTTPS network protocol to transmit a market request on the Internet;
in the step A, the gateway service equipment matches a decryption key corresponding to the routing information according to the routing information of the market request entrance;
in step a, the gateway service device performs DES decryption according to a decryption key corresponding to the routing information of the entry of the market request to obtain service plaintext data initiated by the client, and step a may be specifically implemented by the following codes:
in step a, the gateway service device sends a POST service request to the service device (REST API) corresponding to the service identifier in the local area network LAN in response to the service plaintext data, where the service request includes a network address of a routing device corresponding to the service device and the service plaintext data;
in the step B, the business service equipment acquires business result data of a business corresponding to the business identifier of the routing equipment service corresponding to the network address, and transmits the returned plaintext business result data in a local area network;
in the step B, the business service equipment sends the business result data to the gateway service equipment;
in the third step, the gateway service device calls an encryption key corresponding to the decryption key to perform DES encryption on the service result data of the plaintext to obtain service ciphertext result data, wherein the third step can be implemented by the following codes:
in the step B, transmitting the encrypted business ciphertext result data to the client by using an HTTPS network protocol on the Internet;
in the step B, the client receives the business ciphertext result data returned by the gateway service equipment;
in the step B, the client calls a decryption key corresponding to the encryption key to decrypt the business ciphertext result data to obtain plaintext business result data, and the plaintext business result data is displayed on the client.
According to another aspect of the present application, there is also provided a non-volatile storage medium having computer-readable instructions stored thereon, which, when executed by a processor, cause the processor to implement the application marketplace architecture-based service security method as described above.
According to another aspect of the present application, there is also provided a client for service security based on an application market architecture, wherein the client comprises:
one or more processors;
a computer-readable medium for storing one or more computer-readable instructions,
when executed by the one or more processors, the one or more computer-readable instructions cause the one or more processors to implement a service security method based on an application market architecture, such as that described above for the client side.
Here, for details of each embodiment of the client based on the service security of the application market architecture, reference may be made to corresponding parts of the embodiments of the service security method based on the application market architecture of the client, and details are not described herein again.
According to another aspect of the present application, there is also provided a gateway service device for service security based on an application market architecture, wherein the gateway service device includes:
one or more processors;
a computer-readable medium for storing one or more computer-readable instructions,
when executed by the one or more processors, the one or more computer-readable instructions cause the one or more processors to implement a service security method based on an application market architecture, such as that described above for the gateway service device side.
Here, for details of each embodiment in the gateway service device based on the application market architecture for service security, reference may be made to the corresponding part of the embodiment of the service security method based on the application market architecture at the gateway service device side, and details are not described herein again.
According to another aspect of the present application, there is also provided a business service device for service security based on an application market architecture, wherein the business service device includes:
one or more processors;
a computer-readable medium for storing one or more computer-readable instructions,
when executed by the one or more processors, the one or more computer-readable instructions cause the one or more processors to implement a service security method based on an application market architecture, such as that described above for a business service device.
Here, for details of each embodiment in the service security service device based on the application market architecture, reference may be specifically made to corresponding parts of the embodiment of the service security method based on the application market architecture at the service device side, and details are not described herein again.
In summary, the application constructs a client, a gateway service device and an application market architecture of the service device, obtains service plaintext data and a market version type of the application program at the client through the application program, the service plaintext data includes a service identifier, calls an encryption key corresponding to the market version type, encrypts the service plaintext data based on the encryption key to obtain service ciphertext data, and then sends a market request to the gateway service device through a hypertext transfer security protocol HTTPS, the market request includes routing information and the service ciphertext data, so that the gateway service device intercepts the market request through a protection interceptor and judges whether the market request is a malicious request, if not, matches a corresponding decryption key according to the routing information, and decrypts the service ciphertext data based on the corresponding decryption key to obtain service plaintext data, sending a service request to service equipment corresponding to the service identifier; the service equipment responds to the service request to obtain service result data of a service corresponding to the service identifier served by the routing equipment corresponding to the network address, returns the service result data to the gateway service equipment, so that the gateway service equipment calls an encryption key corresponding to the decryption key, encrypts the service result data to obtain service ciphertext result data, and sends the service ciphertext result data to the client through a hypertext transfer security protocol (HTTPS) so that the client decrypts and presents the service ciphertext result data. 
The encryption transmission of the request and the returned service result data of different application programs is realized based on the application market architecture, meanwhile, the protection interceptor additionally arranged at the gateway service equipment end also effectively protects illegal injection attack, crawler event, malicious scanning and the like, and the risk of various attacks on the system is reduced, so that the safety of the service in the application market architecture is further improved.
It should be noted that the present application may be implemented in software and/or a combination of software and hardware, for example, implemented using Application Specific Integrated Circuits (ASICs), general purpose computers or any other similar hardware devices. In one embodiment, the software programs of the present application may be executed by a processor to implement the steps or functions described above. Likewise, the software programs (including associated data structures) of the present application may be stored in a computer readable recording medium, such as RAM memory, magnetic or optical drive or diskette and the like. Additionally, some of the steps or functions of the present application may be implemented in hardware, for example, as circuitry that cooperates with the processor to perform various steps or functions.
In addition, some of the present application may be implemented as a computer program product, such as computer program instructions, which when executed by a computer, may invoke or provide methods and/or techniques in accordance with the present application through the operation of the computer. Program instructions which invoke the methods of the present application may be stored on a fixed or removable recording medium and/or transmitted via a data stream on a broadcast or other signal-bearing medium and/or stored within a working memory of a computer device operating in accordance with the program instructions. An embodiment according to the present application comprises an apparatus comprising a memory for storing computer program instructions and a processor for executing the program instructions, wherein the computer program instructions, when executed by the processor, trigger the apparatus to perform a method and/or a solution according to the aforementioned embodiments of the present application.
It will be evident to those skilled in the art that the present application is not limited to the details of the foregoing illustrative embodiments, and that the present application may be embodied in other specific forms without departing from the spirit or essential attributes thereof. The present embodiments are therefore to be considered in all respects as illustrative and not restrictive, the scope of the application being indicated by the appended claims rather than by the foregoing description, and all changes which come within the meaning and range of equivalency of the claims are therefore intended to be embraced therein. Any reference sign in a claim should not be construed as limiting the claim concerned. Furthermore, it is obvious that the word "comprising" does not exclude other elements or steps, and the singular does not exclude the plural. A plurality of units or means recited in the apparatus claims may also be implemented by one unit or means in software or hardware. The terms first, second, etc. are used to denote names, but not any particular order.