CN101917438A - Access control method and system in network communication system - Google Patents

Access control method and system in network communication system

Info

Publication number
CN101917438A
Authority
CN
China
Prior art keywords
identity information
client
user
access rights
advance
Prior art date
Legal status
Pending
Application number
CN2010102606056A
Other languages
Chinese (zh)
Inventor
吴庆民
张会健
Current Assignee
Inspur Beijing Electronic Information Industry Co Ltd
Original Assignee
Inspur Beijing Electronic Information Industry Co Ltd
Priority date
2010-08-23
Filing date
2010-08-23
Publication date
2010-12-15
Application filed by Inspur Beijing Electronic Information Industry Co Ltd

Abstract

The invention provides an access control method and system for a network communication system, which solve the problem of unreasonable password authentication in the prior art. The method comprises the following steps: when detecting that a user needs to access a server, a client initiates an access request to the server using its own preset identity information; the server searches the identity information recorded in advance for the identity information of that client and, according to the search result, performs access control on the user using the client. The technical scheme provided by the invention can be applied to the access control of storage resources.

Description

Access control method and system in a network communication system
Technical field
The present invention relates to the field of computers, and in particular to an access control method and system in a network communication system.
Background technology
iSCSI (Internet Small Computer System Interface) has become a popular SAN solution in both large enterprises and small and medium-sized enterprises. Large enterprises usually apply the technology in their second- and third-tier data centers and in large remote branch offices. In small and medium-sized enterprise environments, the primary data center, the secondary data center and large remote branch offices all commonly use iSCSI SANs (storage area networks).
Another main application environment of iSCSI is that of application service providers (ASPs). NAS (Network Attached Storage) based on NFS (Network File System) and running over a high-performance Ethernet fabric has generally dominated this field, because most of the traffic is file-based. iSCSI adds seamless support for application software that benefits from a SAN, and now, with the addition of virtual server software, such applications are expanding into cloud computing environments.
Judging from current applications, iSCSI is still mainly used in situations with a limited number of hosts, such as the front-end hosts of a data center. Some users have also begun to use the iSCSI protocol for enterprise data space management and for diskless systems. The number of client terminals in this kind of application, however, can run into the tens of thousands, which places higher requirements on the number of hosts the iSCSI protocol supports and on its rights management.
At present, when a storage system uses the CHAP (Challenge Handshake Authentication Protocol) authentication mode, CHAP imposes many requirements on password selection: the user is required to set two passwords for two-way (mutual) authentication, the length of each password is constrained, and the user must remember long passwords; if a password is misremembered, the storage resources cannot be used at all, which is inconvenient. If the user is not a professional data administrator but an ordinary office worker, the user will very likely set a relatively simple password for ease of memory, or not set one at all, and information may then leak because the security level of the password is too low, which reduces the security of the storage system.
It can be seen from the above that the problem of unreasonable user identity authentication in a storage system is this: if the password entered by the user is long, user login becomes complicated; if the password entered by the user is simple, there is a hidden danger of information leakage.
Summary of the invention
The invention provides an access control method and system in a network communication system, which solve the problem of unreasonable password authentication in the prior art.
To solve the above technical problem, the invention provides the following technical scheme:
An access control method in a network communication system, comprising:
when detecting that a user needs to access a server, a client initiates an access request to the server using its own preset identity information;
the server searches the identity information recorded in advance for the identity information of that client and, according to the search result, performs access control on the user using the client.
Further, the method also has the following feature: before the client initiates the access request to the server using its own preset identity information, the method also comprises:
the client generates its own identity information according to a preset generation strategy and notifies the server of the generated identity information.
Further, the method also has the following feature:
the identity information of the client is determined according to the configuration description information of its own hardware, and the configuration description information of its own hardware comprises at least one of the serial numbers of the CPU, hard disk, memory, mainboard and network card of the personal computer.
Further, the method also has the following feature: the server performing access control on the user using the client according to the search result comprises:
if the identity information is found, providing the user using the client with the access rights corresponding to the client's identity information, according to a preset correspondence between the identity information of the client and access rights.
Further, the method also has the following feature:
if the client has at least two users with different access rights, then when sending the access request to the server, the client also notifies the server of the identity information of the user;
the server determines all the access rights corresponding to the identity information of the client according to the client's identity information, and then, according to the access rights recorded in advance for the user's identity information when accessing from this client, determines from all those access rights the final access rights corresponding to the user's identity information, and provides service to the user according to the final access rights.
An access control system in a network communication system, comprising a client and a server, wherein:
the client is used to initiate an access request to the server using its own preset identity information when detecting that a user needs to access the server;
the server is used to search the identity information recorded in advance for the identity information of that client and, according to the search result, to perform access control on the user using the client.
Further, the system also has the following feature: the client also comprises:
a generation module, used to generate the client's own identity information according to a preset generation strategy before the access request is initiated to the server using that identity information;
a notification module, used to notify the server of the generated identity information.
Further, the system also has the following feature:
the identity information of the client is determined according to the configuration description information of its own hardware, and the configuration description information of its own hardware comprises at least one of the serial numbers of the CPU, hard disk, memory, mainboard and network card of the personal computer.
Further, the system also has the following feature: the server comprises:
a search module, used to search the identity information recorded in advance for the identity information of that client;
a control module, used, if the identity information is found, to provide the user using the client with the access rights corresponding to the client's identity information, according to a preset correspondence between the identity information of the client and access rights.
Further, the system also has the following feature:
the client is also used, when there are locally at least two users with different access rights, to notify the server of the identity information of the user when sending the access request to the server;
the server is also used to determine all the access rights corresponding to the identity information of the client according to the client's identity information, and then, according to the access rights recorded in advance for the user's identity information when accessing from this client, to determine from all those access rights the final access rights corresponding to the user's identity information, and to provide service to the user according to the final access rights.
The technical scheme provided by the invention uses the identity information of the client for identity authentication, achieving the purpose of authentication without requiring the user to enter a long password; authentication is completed automatically using the client's identity information, which reduces the burden on the user.
Description of drawings
Fig. 1 is a schematic structural diagram of an access control system in a network communication system provided by the invention;
Fig. 2 is a schematic structural diagram of the client 11 in the system embodiment shown in Fig. 1;
Fig. 3 is a schematic structural diagram of the server 12 in the system embodiment shown in Fig. 1;
Fig. 4 is a schematic flow chart of an embodiment of the access control method in a network communication system provided by the invention.
Embodiment
To make the purpose, technical solutions and advantages of the present invention clearer, the invention is described in further detail below with reference to the accompanying drawings and specific embodiments.
Fig. 1 is a schematic structural diagram of an access control system in a network communication system provided by the invention. The system shown in Fig. 1 comprises a client 11 and a server 12, wherein:
the client 11 is used to initiate an access request to the server 12 using its own preset identity information when detecting that a user needs to access the server 12;
the server 12 is used to search the identity information recorded in advance for the identity information of the client 11 and, according to the search result, to perform access control on the user using the client 11.
Fig. 2 is a schematic structural diagram of the client 11 in the system embodiment shown in Fig. 1. The client 11 shown in Fig. 2 also comprises a generation module 111 and a notification module 112, wherein:
the generation module is used to generate the client's own identity information according to a preset generation strategy before the access request is initiated to the server using that identity information;
the notification module is used to notify the server of the generated identity information.
Similarly, if the server generates the identity information of each client, the server can send the generated identity information to the corresponding client.
The identity information of the client is determined according to the configuration description information of its own hardware, and the configuration description information of its own hardware comprises at least one of the serial numbers of the CPU, hard disk, memory, mainboard and network card of the client.
For example, a calculation expression is preset, and the digits and letters of one or more items of hardware description information are substituted into this expression to obtain a piece of code, which is used as the client's identity information. Other algorithms, such as a hashing algorithm or an encoding, may also be used to produce the identity information from the provided information sequence.
Because the hardware description information of any two personal computers is different, as long as the results calculated with the same calculation expression from the configuration description information of the same hardware items are pairwise different, different clients can be clearly distinguished. There is no need to add hardware in order to generate the information sequence used to calculate the identity information, which saves hardware cost.
Having the client generate its own identity information gives a simple flow, since the client need not report its hardware configuration description information to the server; having the server generate the client's identity information facilitates active management by the server.
If the server 12 finds the identity information of this personal computer, it determines that the user's identity authentication has passed, the user is a legitimate user, and storage resources are allowed to be provided to this user; otherwise it determines that the user's identity authentication has not passed, the user is an illegitimate user, and it refuses to provide storage resources to this user.
Fig. 3 is a schematic structural diagram of the server 12 in the system embodiment shown in Fig. 1. The server 12 shown in Fig. 3 comprises a search module 121 and a control module 122, wherein:
the search module 121 is used to search the identity information recorded in advance for the identity information of the client 11;
the control module 122 is used, if the identity information is found, to provide the user using the client 11 with the access rights corresponding to the identity information of the client 11, according to a preset correspondence between the identity information of the client 11 and access rights.
The access rights may be identified by an address range of the storage space, or marked with address identifiers configured after the system has divided the addresses in some other way, or of course identified by the file names that are allowed to be accessed.
In general, the user of each client is usually a single fixed person, so the server only needs to establish a correspondence between the identity information of the client and the access rights of the user who uses that client. When a personal computer has at least two users with different access rights, the following processing is needed in order to distinguish the users' access rights clearly:
the client is also used, when there are locally at least two users with different access rights, to notify the server of the identity information of the user when sending the access request to the server;
the server is also used to determine all the access rights corresponding to the identity information of the client according to the client's identity information, and then, according to the access rights recorded in advance for the user's identity information when accessing from this client, to determine from all those access rights the final access rights corresponding to the user's identity information, and to provide service to the user according to the final access rights.
In this embodiment, the client replaces the identity information that the user enters in the prior art with its own identity information and completes identity authentication with the server, so that once the client has passed authentication the user can access successfully, without having to remember any authentication information for accessing the server; authentication is completed automatically, and the user's own storage resources are accessed quickly.
The above access control system can in particular be applied in a storage system, where the client is a personal computer and the server is a storage device. It can of course also be applied to other communication systems whose communication mode is a networked client-server mode and whose clients are used in a dedicated-person, dedicated-machine manner, that is, the user of each client is fixed, such as the PCs in a company; for example, it can be applied to mailbox login systems and forum login systems.
The system embodiment provided by the invention uses the identity information of the client for identity authentication, achieving the purpose of authentication without requiring the user to enter a long password; authentication is completed automatically using the client's identity information, which reduces the burden on the user.
Fig. 4 is a schematic flow chart of an embodiment of the access control method in a network communication system provided by the invention. With reference to the system embodiment shown in Figs. 1 to 3, the method embodiment shown in Fig. 4 comprises:
Step 401: when detecting that a user needs to access a server, a client initiates an access request to the server using its own preset identity information;
Step 402: the server searches the identity information recorded in advance for the identity information of that client;
Step 403: the server performs access control on the user using the client according to the search result.
The method embodiment provided by the invention is further described below:
Before step 401, the method also comprises the following step:
the client generates its own identity information according to a preset generation strategy and notifies the server of the generated identity information.
Further, the identity information of the client is determined according to the configuration description information of its own hardware, and the configuration description information of its own hardware comprises at least one of the serial numbers of the CPU, hard disk, memory, mainboard and network card of the personal computer.
Step 403 specifically comprises:
if the identity information is found, providing the user using the client with the access rights corresponding to the client's identity information, according to a preset correspondence between the identity information of the client and access rights.
Further, the method also comprises:
if the client has at least two users with different access rights, then when sending the access request to the server, the client also notifies the server of the identity information of the user;
the server determines all the access rights corresponding to the identity information of the client according to the client's identity information, and then, according to the access rights recorded in advance for the user's identity information when accessing from this client, determines from all those access rights the final access rights corresponding to the user's identity information, and provides service to the user according to the final access rights.
The above access control method can in particular be applied in a storage system, where the client is a personal computer and the server is a storage device. It can of course also be applied to other communication systems whose communication mode is a networked client-server mode and whose clients are used in a dedicated-person, dedicated-machine manner, that is, the user of each client is fixed, such as the PCs in a company; for example, it can be applied to mailbox login systems and forum login systems.
The method embodiment provided by the invention uses the identity information of the client for identity authentication, achieving the purpose of authentication without requiring the user to enter a long password; authentication is completed automatically using the client's identity information, which reduces the burden on the user.
Those of ordinary skill in the art will appreciate that all or part of the steps of the above embodiments can be implemented by a computer program flow; the computer program can be stored in a computer-readable storage medium and executed on a corresponding hardware platform (such as a system, apparatus or device), and when executed it includes one or a combination of the steps of the method embodiments.
Alternatively, all or part of the steps of the above embodiments can also be implemented with integrated circuits; these steps can each be made into individual integrated circuit modules, or several of the modules or steps can be made into a single integrated circuit module. In this way, the invention is not restricted to any specific combination of hardware and software.
Each device/functional module/functional unit in the above embodiments can be implemented with a general-purpose computing device; they can be concentrated on a single computing device or distributed over a network formed by multiple computing devices.
When each device/functional module/functional unit in the above embodiments is implemented in the form of a software functional module and sold or used as an independent product, it can be stored in a computer-readable storage medium. The computer-readable storage medium mentioned above may be a read-only memory, a magnetic disk, an optical disc, etc.
The above is only a specific embodiment of the invention, but the scope of protection of the invention is not limited thereto; any changes or substitutions that a person skilled in the art could readily conceive within the technical scope disclosed by the invention should be covered by the scope of protection of the invention. Therefore, the scope of protection of the invention should be determined by the scope of protection described in the claims.
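The scheme described in Figs. 1 to 3 and in steps 401 to 403 above, as an added example that is not code from the patent or its applicant: the client derives its identity information from hardware serial numbers with the hashing variant the description mentions, the server searches its pre-recorded registry and maps the identity to access rights, and for a shared client the user's final rights are taken from the client's whole rights (modelled here as a set intersection, which is an assumption). The descriptor values, right labels and user names are constructed for illustration.

```python
import hashlib

# Constructed hardware descriptors for one client PC (sample values, not real serial numbers).
CLIENT_HARDWARE = {
    "cpu": "CPU-SN-0F3A92",
    "disk": "HDD-SN-WCC4E0001",
    "memory": "RAM-SN-8A5B3C2D",
    "mainboard": "MB-SN-20100823",
    "nic": "00:1A:2B:3C:4D:5E",
}

# Generation strategy agreed in advance by client and server: which descriptors are used,
# in which order, and which hash turns the information sequence into the identity information.
DEFAULT_STRATEGY = {
    "fields": ("cpu", "disk", "mainboard", "nic"),
    "algorithm": "sha256",
}


def generate_identity(descriptors, strategy=DEFAULT_STRATEGY):
    """Derive the client's identity information from its hardware descriptors.

    The selected descriptors are joined in the strategy's fixed field order and hashed,
    so the same machine always yields the same value and any differing serial number
    yields a different one (the pairwise-distinct property the description relies on).
    """
    missing = [f for f in strategy["fields"] if f not in descriptors]
    if missing:
        raise ValueError(f"missing hardware descriptors: {missing}")
    sequence = "|".join(descriptors[f].strip().upper() for f in strategy["fields"])
    return hashlib.new(strategy["algorithm"], sequence.encode("utf-8")).hexdigest()


def build_access_request(descriptors, user_identity=None, strategy=DEFAULT_STRATEGY):
    """Client side (step 401): the request carries the client's identity information and,
    only when the PC is shared by users with different rights, the user's identity too."""
    request = {"client_identity": generate_identity(descriptors, strategy)}
    if user_identity is not None:
        request["user_identity"] = user_identity
    return request


class AccessControlServer:
    """Server side: registry of pre-recorded client identities and their access rights."""

    def __init__(self):
        self._client_rights = {}   # client identity -> rights (address ranges / file names)
        self._user_rights = {}     # user identity -> rights recorded in advance for that user

    def register_client(self, identity, rights):
        self._client_rights[identity] = frozenset(rights)

    def register_user(self, user_identity, rights):
        self._user_rights[user_identity] = frozenset(rights)

    def handle_access_request(self, request):
        """Steps 402 and 403: search for the client identity; refuse if absent, otherwise
        grant the client's rights, narrowed to the user's rights when a user identity is
        supplied. Returns None when refused, else the set of granted rights."""
        client_rights = self._client_rights.get(request.get("client_identity"))
        if client_rights is None:
            return None                     # not pre-recorded: authentication fails
        user_identity = request.get("user_identity")
        if user_identity is None:
            return set(client_rights)       # single-user PC: the client's whole rights
        user_rights = self._user_rights.get(user_identity, frozenset())
        return set(client_rights & user_rights)   # shared PC: final rights for this user


def demo():
    """Register one client with two users and run four requests; returns the outcomes."""
    server = AccessControlServer()
    identity = generate_identity(CLIENT_HARDWARE)
    server.register_client(identity, {"lun0:0x0000-0x0FFF", "lun0:0x1000-0x1FFF", "reports.xls"})
    server.register_user("alice", {"lun0:0x0000-0x0FFF", "reports.xls"})
    server.register_user("bob", {"lun0:0x1000-0x1FFF"})
    unknown_pc = {**CLIENT_HARDWARE, "nic": "00:1A:2B:3C:4D:5F"}   # one serial number differs
    return {
        "whole": server.handle_access_request(build_access_request(CLIENT_HARDWARE)),
        "alice": server.handle_access_request(build_access_request(CLIENT_HARDWARE, "alice")),
        "bob": server.handle_access_request(build_access_request(CLIENT_HARDWARE, "bob")),
        "unknown": server.handle_access_request(build_access_request(unknown_pc)),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(case, "refused" if result is None else sorted(result))
```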

Claims (10)

1. An access control method in a network communication system, characterized in that it comprises:
when detecting that a user needs to access a server, a client initiating an access request to the server using its own preset identity information;
the server searching the identity information recorded in advance for the identity information of that client and, according to the search result, performing access control on the user using the client.
2. The method according to claim 1, characterized in that, before the client initiates the access request to the server using its own preset identity information, the method also comprises:
the client generating its own identity information according to a preset generation strategy and notifying the server of the generated identity information.
3. The method according to claim 1 or 2, characterized in that
the identity information of the client is determined according to the configuration description information of its own hardware, and the configuration description information of its own hardware comprises at least one of the serial numbers of the CPU, hard disk, memory, mainboard and network card of the personal computer.
4. The method according to claim 1, characterized in that the server performing access control on the user using the client according to the search result comprises:
if the identity information is found, providing the user using the client with the access rights corresponding to the client's identity information, according to a preset correspondence between the identity information of the client and access rights.
5. The method according to claim 4, characterized in that
if the client has at least two users with different access rights, then when sending the access request to the server, the client also notifies the server of the identity information of the user;
the server determines all the access rights corresponding to the identity information of the client according to the client's identity information, and then, according to the access rights recorded in advance for the user's identity information when accessing from this client, determines from all those access rights the final access rights corresponding to the user's identity information, and provides service to the user according to the final access rights.
6. An access control system in a network communication system, characterized in that it comprises a client and a server, wherein:
the client is used to initiate an access request to the server using its own preset identity information when detecting that a user needs to access the server;
the server is used to search the identity information recorded in advance for the identity information of that client and, according to the search result, to perform access control on the user using the client.
7. The system according to claim 6, characterized in that the client also comprises:
a generation module, used to generate the client's own identity information according to a preset generation strategy before the access request is initiated to the server using that identity information;
a notification module, used to notify the server of the generated identity information.
8. The system according to claim 6 or 7, characterized in that:
the identity information of the client is determined according to the configuration description information of its own hardware, and the configuration description information of its own hardware comprises at least one of the serial numbers of the CPU, hard disk, memory, mainboard and network card of the personal computer.
9. The system according to claim 6, characterized in that the server comprises:
a search module, used to search the identity information recorded in advance for the identity information of that client;
a control module, used, if the identity information is found, to provide the user using the client with the access rights corresponding to the client's identity information, according to a preset correspondence between the identity information of the client and access rights.
10. The system according to claim 9, characterized in that
the client is also used, when there are locally at least two users with different access rights, to notify the server of the identity information of the user when sending the access request to the server;
the server is also used to determine all the access rights corresponding to the identity information of the client according to the client's identity information, and then, according to the access rights recorded in advance for the user's identity information when accessing from this client, to determine from all those access rights the final access rights corresponding to the user's identity information, and to provide service to the user according to the final access rights.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN2010102606056A CN101917438A (en) 2010-08-23 2010-08-23 Access control method and system in network communication system

Publications (1)

Publication Number Publication Date
CN101917438A true CN101917438A (en) 2010-12-15

Family

ID=43324822

Country Status (1)

Country Link
CN (1) CN101917438A (en)

Cited By (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102098317A (en) * 2011-03-22 2011-06-15 浙江中控技术股份有限公司 Data transmitting method and system applied to cloud system
CN104021351A (en) * 2014-05-28 2014-09-03 宇龙计算机通信科技(深圳)有限公司 Method and device for data resource access
CN104363229A (en) * 2014-11-14 2015-02-18 浪潮(北京)电子信息产业有限公司 Data center and access method thereof
CN106161467A (en) * 2016-08-31 2016-11-23 成都九鼎瑞信科技股份有限公司 Water utilities data access method and device
CN107180172A (en) * 2017-04-19 2017-09-19 上海海加网络科技有限公司 A kind of IPSAN access control methods and device based on USBKey digital certificate authentications
CN108287894A (en) * 2018-01-19 2018-07-17 腾讯科技(深圳)有限公司 Data processing method, device, computing device and storage medium
CN112532561A (en) * 2019-08-28 2021-03-19 斑马智行网络(香港)有限公司 Method, device, system and storage medium for realizing access between devices

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2003186831A (en) * 2001-12-13 2003-07-04 Sony Corp Network system, information processing device and method, recording medium, and program
US20040103097A1 (en) * 1995-12-14 2004-05-27 Wesinger Ralph E. Automated on-line information service and directory, particularly for the World Wide Web
CN1703004A (en) * 2005-02-28 2005-11-30 联想(北京)有限公司 Method for implementing network access authentication
CN100464548C (en) * 2005-10-10 2009-02-25 广东省电信有限公司研究院 System and method for blocking worm attack

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C12 Rejection of a patent application after its publication
RJ01 Rejection of invention patent application after publication

Application publication date: 20101215