Summary of the invention
Embodiments of the present invention provide a resource access method and system for a multi-service platform, to solve the technical problem in the prior art that unauthorized access occurs and degrades the user experience.
To solve the above technical problem, an embodiment of the invention provides a resource access method for a multi-service platform, the multi-service platform including a service server and an authentication server, the method comprising:
the service server intercepts a resource access request sent by a user, the request carrying resource code information laid out uniformly according to the hierarchy and subordination relations of the resources;
the authentication server identifies the user's identity in a centralized manner and obtains an identification result;
if the identification result is that the user is a valid user, the service server obtains the user's resource access control information according to the identity identification information of that valid user;
the service server judges, according to the resource hierarchy and subordination relations, whether the resource code information in the user's resource access control information matches the resource code information carried in the request, and after a successful match performs the operation by which the user accesses the corresponding resource.
Wherein the step in which the authentication server identifies the user's identity in a centralized manner and obtains the identification result comprises:
the authentication server obtains, from the resource access request, ticket information associated with the user identity;
the authentication server matches the ticket information against the user identification information it obtains from the database; if the match succeeds, the user is a valid user, otherwise the user is an invalid user.
Wherein the step in which the authentication server obtains, from the resource access request, the ticket information associated with the user identity comprises:
the service server judges whether the resource access request carries ticket information associated with the user identity;
if the judgement result is that the request carries the ticket information, the authentication server obtains the ticket information in the request from the service server;
if the judgement result is that the request does not carry the ticket information, then after the authentication server receives the information that the user has logged in successfully, the authentication server randomly generates ticket information, adds it to the resource access request and sends the request to the service server, and then obtains the ticket information in that request from the service server.
Wherein the resource code information contains a resource number and an action number for the operation to be performed on the resource;
the step in which the service server judges, according to the resource hierarchy and subordination relations, whether the resource code information in the user's resource access control information matches the resource code information carried in the request comprises:
the service server searches the resource access control information for the resource number and the action number carried in the request; if the search result is that both the resource number and the action number are present, the judgement result is that the match succeeds; otherwise it is judged not to match.
Wherein the resource code information in the request contains only a resource number;
the step in which the service server judges, according to the resource hierarchy and subordination relations, whether the resource code information in the user's resource access control information matches the resource code information carried in the request comprises:
the service server searches the resource access control information for the resource number carried in the request; if the search result is that this resource number is present, the judgement result is that the request form is incorrect and does not match; otherwise it further searches the resource access control information for a child numbering of the resource number carried in the request, and if the search result is that such a child numbering is present, the judgement result is that the match succeeds, otherwise the judgement result is no match.
Wherein, after the step in which the service server obtains the user's resource access control information according to the identity identification information of the valid user, the method further comprises:
the service server saves the user's resource access control information, so that when the user subsequently accesses resources, access control can be performed directly using the saved resource access control information.
Correspondingly, the present invention also provides a resource access processing system for a multi-service platform, comprising a service server, an authentication server and a database, wherein:
the database is used for centralized storage of the identity identification information of each user;
the authentication server is used for accessing the database, identifying the user's identity in a centralized manner, obtaining an identification result and notifying the service server of that result;
the service server is used for intercepting the resource access request sent by each service user, the request carrying resource code information laid out uniformly according to the resource hierarchy and subordination relations; for notifying the authentication server to identify the user identity; if the identification result of the authentication server is that the user is a valid user, for obtaining the user's resource access control information according to the identity identification information of that valid user; for then judging, according to the resource hierarchy and subordination relations, whether the resource code information in the user's resource access control information matches the resource code information carried in the request; and, after a successful match, for performing the operation by which the user accesses the corresponding resource.
Wherein the service server may comprise:
an access request interceptor, for intercepting the resource access request sent by each service user, the request carrying resource code information laid out uniformly according to the resource hierarchy and subordination relations;
an access control processor, for notifying the authentication server to identify the user identity; if the identification result of the authentication server is that the user is a valid user, for obtaining the user's resource access control information according to the identity identification information of that valid user; for then judging, according to the resource hierarchy and subordination relations, whether the resource code information in the user's resource access control information matches the resource code information carried in the request; and, after a successful match, for performing the operation by which the user accesses the corresponding resource.
Compared with the prior art, the technical solution provided by the embodiments of the present invention has the following beneficial effects:
The multi-service platform resource access control method and system provided by the invention can, based on a centralized authentication service, let users from various sources (such as a browser or a mobile-phone client) enter the platform through the same entrance with a unified identity label, which supports multi-service integration. At the same time, the centralized authentication service means the services themselves need not consider access-control logic, so user-related security information can be stored separately and cannot be reached by service access from outside;
In addition, laying out the resource code information uniformly according to the hierarchy and subordination relations of the resources makes the hierarchical and subordination relations between resources easy to identify, obtain and judge, so that the system can realize access control over higher-level resources according to the access information of lower-level resources;
Furthermore, the request-oriented interception mode allows every access to a resource to be verified and controlled, which prevents path-guessing situations from arising; unauthorized access is effectively avoided without affecting the user experience, and the scheme suits information systems with a broad notion of resource that give equal weight to management and application, such as mobile value-added service platforms.
Embodiment
Referring to Fig. 1, which is a flow chart of the resource access method for a multi-service platform according to the present invention, the multi-service platform includes a service server and an authentication server, and the method may comprise the following steps:
Step 101: the service server intercepts the resource access request sent by a user. The request carries resource code information, which contains the resource number of the resource the user requests, or contains both the resource number and an action number for the operation to be performed on the requested resource. In practical applications the request may also carry ticket information related to the user identity information.
Step 102: the authentication server identifies the user's identity and obtains an identification result; if the result is that the user is an invalid user, step 104 is performed; if the user is a valid user, step 103 is performed.
Step 103: the service server obtains the valid user's resource access control information according to the identity identification information of that valid user, and judges, according to the resource hierarchy and subordination relations, whether the resource code information in the resource access control information matches the resource code information carried in the request; if they match, the user is allowed to access the resource, otherwise step 104 is performed.
Step 104: the user's access request is refused.
Referring to Fig. 2, which shows the resource access processing system for a multi-service platform of the present invention corresponding to the above resource access method, in this embodiment the resource access processing system may specifically comprise a service server 1, an authentication server 2 and a database 3, wherein:
the database 3 is mainly used for centralized storage of the identity identification information of each user;
the authentication server 2 is mainly used for identifying the user's identity in a centralized manner, obtaining an identification result and notifying the service server 1 of that result; in a specific implementation, based on the request intercepted by the service server 1, it obtains user-related information from the database 3 and provides that information to the service server 1;
the service server 1 is mainly used for intercepting the resource access request sent by each service user, the request carrying resource code information laid out uniformly according to the resource hierarchy and subordination relations; for notifying the authentication server 2 to identify the user identity; if the identification result of the authentication server 2 is that the user is a valid user, for obtaining the user's resource access control information according to the identity identification information of that valid user; for then judging, according to the resource hierarchy and subordination relations, whether the resource code information in the user's resource access control information matches the resource code information carried in the request; and, after a successful match, for performing the operation by which the user accesses the corresponding resource. In a specific implementation, as one specific embodiment, the service server 1 may comprise: an access request interceptor, for intercepting the resource access request sent by each service user, the request carrying resource code information laid out uniformly according to the resource hierarchy and subordination relations; and
an access control processor, for notifying the authentication server to identify the user identity; if the identification result of the authentication server is that the user is a valid user, for obtaining the user's resource access control information according to the identity identification information of that valid user; for then judging, according to the resource hierarchy and subordination relations, whether the resource code information in the user's resource access control information matches the resource code information carried in the request; and, after a successful match, for performing the operation by which the user accesses the corresponding resource. Because at the service layer the service server 1 does not access the database 3 directly, the services themselves need not consider access-control logic, so the security of the data in the database is effectively ensured while user identity and access rights are verified.
Referring to Fig. 3, which is a flow chart of resource access processing in Embodiment one of the present invention, the flow may comprise the following steps:
Step 201: the service server receives a request, sent by the user through a client, to access a resource; the request carries resource code information. The service server judges that the request carries no ticket information associated with the user identity, and requires the user to provide login information to the authentication server.
In this embodiment the request carries no user identity ticket information; for the specific handling of the case in which the request does carry user identity ticket information, see the description of Embodiment two below.
Step 202: the user sends login information to the authentication server through the client.
Step 203: after receiving the login information, the authentication server obtains user identification information from the database.
Step 204: the authentication server matches the login information against the user identification information obtained; if the match succeeds, step 205 is performed; otherwise step 211 is performed.
Step 205: the authentication server randomly generates ticket information for this user and returns it to the service server in the request. For example, the ticket information may be a code related to the user identity.
Step 206: the service server saves the ticket information and sends it to the authentication server over encrypted communication.
Step 207: the authentication server matches the identity identification information against the ticket information; if the match succeeds, step 208 is performed; otherwise step 211 is performed.
Step 208: following the successful match, the service server continues intercepting the request; if it judges that it does not itself store this user's resource access control information, it requires the authentication server to verify the access.
Step 209: the authentication server obtains this user's resource access control information from the database and provides it to the service server.
Step 210: the service server stores the received resource access control information and matches it against the resource code information; if the match succeeds, the user is allowed to access the resource and the access operation is performed; otherwise step 211 is performed.
Step 211: the service server refuses the user's request according to the authentication server's failed-match result.
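The flow of steps 201 to 211 as an added in-memory simulation (example code, not part of the patent); the database contents, the sha256 login check, the use of secrets.token_hex for the randomly generated ticket information and the request dictionary shape are constructed assumptions.

```python
"""Added simulation of the Embodiment one flow (steps 201 to 211).

Constructed, not from the patent: the in-memory database contents, the
sha256 login check, secrets.token_hex as the random ticket information,
hmac.compare_digest for matching, and the request dict shape. Encrypted
transport between the servers (step 206) is outside this simulation.
"""
import hashlib
import hmac
import secrets


class Database:
    """Centralized store of identity information and per-user ACLs (steps 203, 209)."""
    def __init__(self):
        # Constructed sample data: username -> sha256(password) and username -> ACL.
        self.identity = {"alice": hashlib.sha256(b"alice-pw").hexdigest()}
        self.acl = {"alice": {("010200300", 1)}}


class AuthServer:
    def __init__(self, db):
        self.db = db
        self.tickets = {}  # ticket -> username: each ticket is bound to one identity

    def login(self, username, password):
        """Steps 203 to 205: match the login information, then issue a random ticket."""
        stored = self.db.identity.get(username)
        given = hashlib.sha256(password.encode()).hexdigest()
        if stored is None or not hmac.compare_digest(stored, given):
            return None  # step 204 fails, which leads to step 211
        ticket = secrets.token_hex(16)  # step 205: randomly generated ticket information
        self.tickets[ticket] = username
        return ticket

    def identify(self, ticket):
        """Step 207: match the forwarded ticket against the stored identity binding."""
        return self.tickets.get(ticket)

    def access_control_info(self, username):
        """Step 209: fetch this user's resource access control information."""
        return set(self.db.acl.get(username, ()))


class ServiceServer:
    def __init__(self, auth):
        self.auth = auth
        self.acl_cache = {}  # steps 208 and 210: ACL kept after the first fetch

    def handle(self, request):
        """Intercept one request and return 'login required', 'allowed' or 'denied'."""
        ticket = request.get("ticket")
        if ticket is None:
            return "login required"  # step 201: no ticket, the user must log in
        user = self.auth.identify(ticket)  # steps 206 and 207
        if user is None:
            return "denied"  # step 211
        if user not in self.acl_cache:  # step 208: nothing stored for this user yet
            self.acl_cache[user] = self.auth.access_control_info(user)  # step 209
        if (request["resource"], request["action"]) in self.acl_cache[user]:  # step 210
            return "allowed"
        return "denied"  # step 211
```

A second request from the same user is answered from the cached ACL without another round trip to the authentication server, which is the acceleration step 208 describes.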
In a specific implementation of the present invention, the resource access control information may specifically be an Access Control List (ACL), whose list items consist of the resource numbers the user may access and the action numbers of the actions that may be performed on those resources. Resource access control information is produced while the user uses the service platform; for example, in an existing value-added service platform, when a user subscribes to a data service, the service content to be obtained must be determined through customization. Whichever platform a user uses, resource access control information for access control must be produced in a similar manner. The service server saves this list when it first obtains it from the authentication server, so that subsequent access control for this user does not need to go to the authentication server again, which accelerates the access-control verification process.
It should be noted that, to facilitate the above comparison by the service server, a specific implementation of the present invention uses the same coding format for the resource code information and the resource access control information. For example, all consumable content and management functions in the multi-service platform system are coded according to a tree structure. The basic approach of this numeric tree coding is to represent each resource in the system by a number of fixed digit length, in which fields of different digit widths are allocated to the resources according to their level, most-significant level first (big-endian); thus, for a resource at a given level, its parent resource's number can be read from the high-order fields, which achieves the aim of storing, in the resource itself, the access path information that leads to it.
In addition, the resource number in the resource access request and the resource number in the resource access control information are not only handled according to their one-to-one correspondence but also according to their parent-child (or subordination) relationship. Specifically: when the request carries a resource number and an action number, the ACL is checked for a list item containing both; if present, access is allowed, otherwise access is refused. When the request carries only a resource number, the ACL is checked for a list item whose resource number corresponds to it; if present, the request form is incorrect, the match fails and access is not allowed; otherwise the ACL is further searched for a list item whose resource number is a child numbering of the resource number in the request; if present, the requested resource is a path that must be traversed to reach that child resource in the ACL, so the access request is granted, otherwise access is refused. In this way, as long as the coding rule is followed, effective access control can be exercised according to the tree structure over both the higher-level resources on the access path and the lower-level resources that represent the actual content and function points, whether consumable content or management functions.
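The tree numbering and the two matching rules just described, as an added example (not the patent's own code); the fixed-width field layout, the treatment of "child numbering" as any descendant under the prefix coding, and the sample ACL are constructed assumptions.

```python
"""Added example: fixed-width tree numbering and the ACL matching rules above.

Constructed assumptions, not taken from the patent: each tree level is a
fixed-width decimal field written most-significant level first (big-endian),
so a parent's number is the high-order prefix of every descendant's number;
the field widths and the sample ACL below are made up for illustration.
"""

# Constructed layout: 2-digit platform, 3-digit service, 4-digit content item.
FIELD_WIDTHS = (2, 3, 4)


def encode(path):
    """Encode a tree path such as (1, 20, 300) into one fixed-width number string."""
    path = tuple(path)
    if not path or len(path) > len(FIELD_WIDTHS):
        raise ValueError("path depth does not fit the coding scheme")
    parts = []
    for value, width in zip(path, FIELD_WIDTHS):
        if not 0 <= value < 10 ** width:
            raise ValueError(f"level value {value} does not fit in {width} digits")
        parts.append(f"{value:0{width}d}")
    return "".join(parts)


def parent_of(code):
    """Read the parent number from the high-order fields; None for a root."""
    total = 0
    for width in FIELD_WIDTHS:
        total += width
        if total == len(code):
            return code[: total - width] or None
    raise ValueError("code length matches no level of the scheme")


def is_descendant(code, ancestor):
    """True when ancestor is a proper high-order prefix of code."""
    return len(code) > len(ancestor) and code.startswith(ancestor)


def check_access(acl, resource, action=None):
    """Apply the two request forms described in the text; returns (allowed, reason)."""
    if action is not None:
        # Form 1: resource number plus action number must appear in one list item.
        if (resource, action) in acl:
            return True, "resource and action found in ACL"
        return False, "no ACL item for this resource and action"
    # Form 2: resource number only. An item for exactly this number means the
    # request omitted an action it needed: the request form is incorrect.
    if any(res == resource for res, _ in acl):
        return False, "request form incorrect: action number required"
    # Allow only when the ACL holds a child (here: any descendant, given the
    # prefix coding), so the requested node lies on the path to a permitted leaf.
    if any(is_descendant(res, resource) for res, _ in acl):
        return True, "resource is on the access path to a permitted child"
    return False, "no permitted child resource in ACL"


# Constructed sample ACL: read (1) and modify (2) item 1/20/300, read item 1/21/5.
SAMPLE_ACL = {(encode((1, 20, 300)), 1), (encode((1, 20, 300)), 2), (encode((1, 21, 5)), 1)}
```

With SAMPLE_ACL, a request for "01020" (the service node above item 1/20/300) is granted because it lies on the path to a permitted item, while "01030" is refused and a request for "010200300" without an action number is rejected as malformed.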
Referring to Fig. 4, which is a flow chart of resource access processing in Embodiment two of the present invention, the flow may comprise the following steps:
Step 301: the service server receives a request, sent by the user through a client, to access a resource; the request carries resource code information.
Step 302: the service server judges that it itself stores the user's ticket information, and sends the ticket information to the authentication server over encrypted communication.
Step 303: the authentication server obtains user identification information from the database and matches it against the received ticket information; if the match succeeds, step 304 is performed; otherwise step 306 is performed.
Step 304: following the successful match, the service server continues intercepting the request.
Step 305: the service server judges that it itself stores this user's resource access control information, and compares the resource access control information with the resource code information; if they are consistent, the user is allowed to access the resource and the access operation is performed; otherwise step 306 is performed.
Step 306: the service server refuses the user's request.
In summary, the resource access method and system for a multi-service platform provided by the invention, being based on a centralized authentication service, allow users from various sources (such as a browser or a mobile-phone client) to enter the platform through the same entrance with a unified identity label, which supports multi-service integration. At the same time, the centralized authentication service means the services themselves need not consider access-control logic, so user-related security information can be stored separately and cannot be reached by service access from outside. Adopting unified resource coding makes the hierarchical and subordination relations between resources easy to identify, obtain and judge, so that the system can realize access control over higher-level resources according to the access information of lower-level resources. The request-oriented interception mode allows every access to a resource to be verified and controlled, which prevents the path-guessing situation described above.
The above is only the preferred embodiment of the present invention. It should be pointed out that those skilled in the art may make improvements and modifications without departing from the principles of the invention, and such improvements and modifications should also be regarded as falling within the scope of protection of the present invention.