CN102088360B - Distributed authorization management system and implementation method thereof - Google Patents


Info

Publication number
CN102088360B
Authority
CN
China
Prior art keywords
attribute certificate
certificate
user
rights management
attribute
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN 200910217965
Other languages
Chinese (zh)
Other versions
CN102088360A (en)
Inventor
李伟平
张宇韬
曹恩龙
刘耀辉
田宏团
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
CHANGCHUN JIDA ZHENGYUAN INFORMATION TECHNOLOGY Co Ltd
Original Assignee
CHANGCHUN JIDA ZHENGYUAN INFORMATION TECHNOLOGY Co Ltd
Events
Application filed by CHANGCHUN JIDA ZHENGYUAN INFORMATION TECHNOLOGY Co Ltd
Priority to CN 200910217965
Publication of CN102088360A
Application granted
Publication of CN102088360B
Legal status: Active

Landscapes

  • Storage Device Security (AREA)

Abstract

The invention discloses an authorization management system in the technical field of information security. The system comprises an authorization management server, at least one application apparatus and at least one user device, connected with one another through a network, wherein the authorization management server at least comprises a rights management device, a PMS manager, an attribute certificate issuing device, a CA (certification authority) directory server, a PMI (privilege management infrastructure) directory server and a middleware device. The invention provides the authorization management system and an implementation method for it. User groups are authorized in the form of rule groups, working groups and individuals, so that support can be provided for a large number of users who are not registered in the system; authorization information is published as attribute certificates, so that the possibility of human tampering is effectively avoided; and uniform user authorization information and secure access control can be provided for a plurality of application systems.

Description

Distributed authorization management system and its implementation method
Technical field
The present invention relates to the field of information security technology, and in particular to a distributed authorization management system and its implementation method.
Background technology
As government and enterprise IT adoption grows, the number of application systems steadily increases. When the number of users is very large, the users are spread over a wide area and there are many application systems, authorization for application systems becomes a thorny problem. In a large government body or enterprise the following situations often arise: an employee leaves but can still access some very important application systems; an employee's position changes while the old permissions remain in the application systems; because of a temporary business need, an account was registered and application permissions were opened in some application system for a person from another location, but the permissions were not withdrawn in time and key information leaked; and although all applications run in the organization's own machine room, the decision makers responsible for informatization cannot easily take stock of how permissions in each application system are authorized. How to solve resource sharing in a unified and effective way, and how to manage users' access rights promptly, quickly and effectively, has become a difficult problem facing the decision makers of application system development and business managers.
Many solutions have already been proposed for unified user authentication, authorization and secure access control:
(1) Patent application CN 200710191525.8 (filing date: 2007.12.12, title: Unified identity management and authentication method based on digital certificates and multi-level domains) discloses a unified identity management and authentication method based on digital certificates and multi-level domains. First, user identities are maintained: user identity information is synchronized periodically with the human resources system, and user data is completed by manual maintenance. Then user identity information is synchronized to the domain: it is synchronized through the standard LDAP protocol into the corresponding AD sub-domain according to the user's unit. Finally, user authentication is performed. That invention lets a user access multiple business systems by single sign-on, but it cannot solve the problem of unified rights management for a user across multiple business systems.
(2) Patent applications CN 200610076491.3 (filing date: 2006.04.26, title: Security protection system for an information system or equipment and its working method), CN 200810040672.X (filing date: 2008.07.17, title: System user access management system and method based on digital certificate technology), CN 200810040674.9 (filing date: 2008.07.17, title: Access control method and device for an information system based on digital certificate technology), CN 200620100455.1 (filing date: 2006.01.18, title: A network security authentication and authorization system) and CN 200710147233.4 (filing date: 2007.08.30, title: Distributed business operation support system and implementation method of distributed services) all disclose schemes that authenticate a logging-in user and, once authentication passes, obtain the user's corresponding access rights. These schemes, however, lack secure management of the user rights information and cannot effectively prevent human tampering; the number of users they support is limited, so they cannot solve unified authorization and secure access control for a large number of users (in particular the very numerous users who are not registered in the system).
Patent application CN 200810062264.4 of Zhejiang University (filing date: 2008.06.17, title: Web service control mechanism based on PKI and PMI) discloses a Web service control mechanism based on PKI and PMI. It comprises PKI, PMI and Web service security systems. The user applies to the PKI system for an identity certificate and, with that identity certificate, applies to the PMI for an attribute certificate that binds roles to one or more Web services. When the user uses a Web service, the Web security system asks the PKI system to check the legitimacy of the identity certificate and then asks the PMI system to check whether the user has authority to call that Web service; only when all checks pass is the user allowed to access the Web service, so that Web service invocation is made secure. In that invention the user applies for an attribute certificate with the identity certificate and specifies the roles applied for, and obtains the corresponding attribute certificate after the administrator approves it. Permissions and roles are granted mainly on the application of individual users; the permissions and roles of a group of users cannot be defined, the number of supported users is limited, and very numerous users who are not registered in the system cannot be supported.
The shortcoming common to all of the above schemes is that they cannot authorize large user groups and publish the authorization information reliably in the form of attribute certificates, and so cannot realize unified user authorization management and secure access control for multiple application systems.
Summary of the invention
The technical problem to be solved by this invention is to provide an authorization management system and its implementation method which authorize user groups and publish the authorization information in the form of attribute certificates, thereby providing unified user authorization information and secure access control for several application systems.
The invention provides an authorization management system comprising an authorization management server, at least one application apparatus and at least one user device, wherein the authorization management server at least comprises:
a rights management device, which maintains the authorization elements included in the system (user groups and application roles), establishes the authorization relations between user groups and application roles, and publishes the authorization information to the PMI directory server;
a PMS manager, through which the administrator interacts with the system;
an attribute certificate issuing device, which establishes the attribute authority (AA) source, receives the authorization information sent by the rights management device, signs that information into attribute certificates and returns them to the rights management device;
a CA directory server, which provides the rights management device with an LDAP-compliant directory service for user digital certificates;
a PMI directory server, which provides the middleware device with an LDAP-compliant directory service for attribute certificates and deletes the corresponding attribute certificates according to the attribute certificate revocation list sent by the rights management device;
a middleware device, which receives the user login requests forwarded by the application apparatus, verifies the legitimacy of the user's digital certificate, looks up the user's corresponding attribute certificates in the PMI directory server, and returns the role information obtained from the attribute certificates to the application apparatus;
wherein the authorization management server, the application apparatus and the user device are interconnected over a network.
The invention also provides an implementation method for the authorization management system, in which the authorization management server, the application apparatus and the user device are interconnected over a network, comprising the following steps:
Step 1: the rights management service component of the rights management device obtains digital certificates from the CA directory server and reads personnel and corresponding organization information;
Step 2: the rights management service component of the rights management device generates user groups;
Step 3: the rights management service component of the rights management device reads the application roles corresponding to the several application apparatus;
Step 4: the rights management service component of the rights management device establishes the authorization relations between user groups and application roles;
Step 5: the rights management service component of the rights management device sends the authorization information to the attribute certificate issuing device;
Step 6: the attribute certificate issuing device signs the attribute certificates and returns them to the attribute certificate publishing service component of the rights management device;
Step 7: the attribute certificate publishing service component of the rights management device publishes the attribute certificates to the PMI directory server.
Compared with the prior art, the beneficial effects of the invention are as follows:
An authorization management system and its implementation method are provided. User identity and attribute information are extracted from digital certificates, which guarantees the authenticity of the user identity information. User groups are authorized in the form of rule groups, working groups and individuals, so that support can be provided for very numerous users who are not registered in the system. Authorization information is published as attribute certificates, which effectively avoids the possibility of human tampering. If PKI technology alone were used for authorization, with the digital certificate bound to the application role, the lifetime of the user identity and the lifetime of the permission would be inconsistent; by shortening the validity period of the attribute certificate, the problem of constantly producing and revoking digital certificates because of changes in user permissions is avoided.
Description of the drawings
Fig. 1 is the system deployment diagram.
Fig. 2 is the authentication management system structure chart.
Fig. 3 is the rights management structure drawing of device.
Fig. 4 is rights management service modular construction figure.
Fig. 5 is Attribute certificate issue flow chart.
Fig. 6 is the flow chart of a user logging in to the application apparatus.
Fig. 7 is the flow chart of modifying authorization information.
Embodiment
Fig. 1 is the physical deployment diagram of the authorization management system. The system consists of an authorization management server 1, at least one application apparatus 2 and at least one user device 3, wherein authorization management server 1, application apparatus 2 and user device 3 are interconnected over a network. Authorization management server 1 manages and maintains the authorization elements (persons, groups and application roles) and authorization relations included in the system, receives the login requests of user devices 3 forwarded by application apparatus 2, and provides the user's application role information to application apparatus 2.
Application apparatus 2 receives login requests from user devices 3 and, according to the user's application role information returned by authorization management server 1, provides the user with the application resources corresponding to that application role. The application resources that application apparatus 2 publishes to users fall into the following three classes:
1. Resource-sharing application systems: the users are numerous and widely distributed, so it is difficult to register all user information, and users' natural attribute information changes relatively frequently, which in turn affects the user's permissions in the application system; examples are the population system of the public security sector and integrated query systems.
2. Intranet office application systems: the number of accessing users is controlled and the users are generally employees of a certain enterprise or institution; some of the staff can be divided into working groups whose members enjoy specific operating rights and resources.
3. Open-access application systems: for example a news website that can be browsed anonymously.
Open-access application systems of the third class need not verify user identity and have no user permission control problem. The application resources published by application apparatus 2 in this invention mainly belong to classes 1 and 2, not to open-access class 3. For class 1 and 2 application systems, the security problems that application apparatus 2 faces in use are roughly as follows:
1. Very numerous users who are not registered in the system must be handled
The users who access (or use) application apparatus 2 can be divided into two classes: manageable visitors, whose identity (identifier) can be registered in the system, and unmanageable visitors, for whom, because of their enormous number, the impossibility of restricting them and similar reasons, it is not easy to establish an identity (identifier) in the system.
Unmanageable visitors often have different attributes and need to be treated differently when they access application apparatus 2. For example, in an application apparatus 2 with security classification, a user with a higher professional-level attribute may access more resources than a subordinate; or visitors from different regions are concerned with different data, which embodies different permissions. Application apparatus 2 therefore cannot simply assign equal permissions to all unmanageable visitors.
2. It is not easy to collect the user's identity information and attribute information at the same time
Most application apparatus 2 adopt a "user name + password" mechanism for user identity discrimination, so what the system obtains is only a user ID that distinguishes one user from another, and the information that this ID can carry is very limited. For manageable visitors the associated attribute information can be retrieved in the system by ID, but when faced with thousands of unmanageable visitors, their manageable attribute information is difficult for the system to obtain.
3. Users with different responsibilities need different granularity of permission control
From the point of view of the segregation of duties on application apparatus 2, some users undertake more system data maintenance (updating) work, while other users only query and browse system data; the granularity required for permission control differs between the two classes. In most OA office systems, for example, it is not enough to control only whether a visitor may enter a certain application menu item; control must reach inside modules, such as whether a certain approval button is available and whether a certain document is readable, writable or downloadable, which equally requires permission control.
User device 3 sends login requests to application apparatus 2 to access the application resource information.
As shown in Fig. 2, authorization management server 1 includes rights management device 11, PMS manager 12, attribute certificate issuing device 13, CA directory server 14, PMI directory server 15 and middleware device 16.
Rights management device 11 is connected with PMS manager 12, attribute certificate issuing device 13, CA directory server 14 and PMI directory server 15. It maintains the authorization elements (user groups and application roles) included in the system, establishes the authorization relations between user groups and application roles, and publishes the authorization information to PMI directory server 15. User groups are of three types:
1. Rule groups: a rule group expression is established according to the attribute information held by users, and the rule group is created from that expression. Rule groups suit scenarios in which the user population is large and widely distributed and all users cannot be registered in application apparatus 2.
2. Working groups: when, because of the business of application apparatus 2, several users need the same role but a rule group cannot or should not be created with a rule group expression, a working group can be created that gathers those users.
3. Individuals: scattered individual users.
As shown in Fig. 3, rights management device 11 further includes rights management service component 111, data synchronization check service component 112, attribute certificate publishing service component 113 and database 114.
Rights management service component 111 generates user groups and the application role information corresponding to application apparatus 2, establishes the authorization relations between user groups and application roles, and hands the authorization information to attribute certificate issuing device 13 for signing. As shown in Fig. 4, rights management service component 111 further includes application management unit 1111, group management unit 1112 and authorization management unit 1113.
Application management unit 1111 registers all application apparatus 2 and, when registration information changes, sends a modify-authorization-relation request message to authorization management unit 1113. Registration information includes:
1. The identification of the registered application apparatus 2: the name of each application apparatus 2 (corresponding to a unique identification code), deployment location, permission validity period and similar information.
2. The application role information corresponding to each application apparatus 2, which can be added by hand or imported in batches from a dictionary in a specified format.
Group management unit 1112 obtains personnel information from CA directory server 14, generates and maintains user group information and, when user group information changes, sends a modify-authorization-relation request message to authorization management unit 1113. This includes:
1. Creating rule groups according to rule group expressions.
2. Creating and maintaining working groups and their members.
Authorization management unit 1113 establishes the authorization relations between user groups and application roles, or receives the modify-authorization-relation request messages sent by the other units, and sends the new authorization information to attribute certificate issuing device 13 for signing.
Data synchronization check service component 112 checks, according to a custom policy, the consistency of the published data in database 114 and on PMI directory server 15. For example, it periodically checks whether the attribute certificates saved in database 114 are consistent with the data published on PMI directory server 15; if they are inconsistent, it notifies attribute certificate publishing service component 113 to update the data published on PMI directory server 15.
Attribute certificate publishing service component 113 sends the attribute certificates signed by attribute certificate issuing device 13 to PMI directory server 15. The published authorization information includes rule group attribute certificates, working group attribute certificates, personal attribute certificates and attribute certificate revocation lists.
Database 114 maintains the system data, such as the rule group expressions, working groups, application roles and authorization relations included in the system.
PMS manager 12 is connected with rights management device 11 and serves the interaction between the administrator and the system. It can adopt a web-browser-based management mode, and the administrator can perform the following operations:
1. Add and modify the registration information of application apparatus 2.
2. View personnel information and the related organizational structure information; add and modify user group information, such as rule group expressions, working groups and their members.
3. Establish, modify and cancel the authorization relations between user groups and application roles and the corresponding attribute certificates.
Attribute certificate issuing device 13 is connected with rights management device 11; it establishes the attribute authority (AA) source, receives the authorization information sent by rights management device 11, signs that information into attribute certificates and returns them to rights management device 11. Attribute certificate issuing device 13 reads the message in the specified format sent by rights management device 11, parses it, obtains the authorization information between user groups and application roles, signs that information into attribute certificates conforming to the RFC3281V4 standard format, and returns the attribute certificates to rights management device 11. If an authorization needs to be revoked, it signs an attribute certificate revocation list (ACRL). The attribute certificates are of the following kinds:
1. Rule group attribute certificate: defines the authorization relation between a rule group and application roles; it includes the XML-encoded definition of the rule group, the application apparatus 2, the application roles, the validity period and similar information.
2. Working group attribute certificate: defines the authorization relation between a working group and application roles; it includes the working group name, the working group members, the application apparatus 2, the application roles, the validity period and similar information.
3. Personal attribute certificate: defines the authorization relation between an individual user and application roles; it includes the individual user, the application apparatus 2, the application roles, the validity period and similar information.
CA directory server 14 is connected with rights management device 11 and provides it with an LDAP-compliant directory service for user digital certificates. The digital certificates include user and organizational structure information.
PMI directory server 15 is connected with rights management device 11 and middleware device 16; it provides middleware device 16 with an LDAP-compliant directory service for attribute certificates and deletes the corresponding attribute certificates according to the attribute certificate revocation lists sent by rights management device 11.
Middleware device 16 is connected with PMI directory server 15 and with all application apparatus 2. It receives the user login requests forwarded by application apparatus 2, verifies the legitimacy of the user's digital certificate, looks up the user's corresponding attribute certificates in PMI directory server 15, and returns the role information obtained from the attribute certificates to application apparatus 2. A user's attribute certificates include rule group, working group or personal attribute certificates, and the role information includes rule group, working group or personal role information.
First, the system needs to obtain user and attribute information and the application apparatus 2 and application role information, establish the authorization relations between user groups and application roles, and sign the authorization information into attribute certificates and publish them. Fig. 5 shows the attribute certificate publishing flow; the specific steps are as follows:
Step 1: rights management service component 111 of rights management device 11 obtains digital certificates from CA directory server 14 and reads personnel and corresponding organization information (step S1001). According to business needs, rights management device 11 obtains the digital certificate information of the relevant users from CA directory server 14 by search condition.
Step 2: rights management service component 111 of rights management device 11 generates user groups (step S1002). User groups include rule groups, working groups and individuals.
A rule group is generated as follows: the administrator defines a rule group expression through the PMS manager; group management unit 1112 of rights management service component 111 reads the user attribute information in the digital certificates according to the rule group expression and creates the corresponding rule group. For example, a rule group expression may be defined as follows:
((city=Beijing) && (organization=parent company)) && (department=research and development centre) && ((position=principal) || (position=deputy))
Group management unit 1112 reads attribute information such as the user's city, organization, department and position from the digital certificates and creates the corresponding rule group: the leaders of the research and development centre of the parent company in Beijing.
A working group is generated as follows: the administrator views personnel information and the related organizational structure information through the PMS manager and selects some personnel on the organization tree to define a working group; group management unit 1112 of rights management service component 111 reads the working group information defined by the administrator and creates the corresponding working group.
Step 3: rights management service component 111 of rights management device 11 reads the application roles corresponding to the several application apparatus 2 (step S1003). As shown in Table 1, application roles can be divided according to the user's city, organization, department and position, and each application role corresponds to a unique role code.
Table 1: mapping table of application roles and role codes (supplied as an image in the original; not reproduced here).
Step 4: rights management service component 111 of rights management device 11 establishes the authorization relations between user groups and application roles (step S1004). The administrator defines the authorization relations between user groups and application roles through PMS manager 12; authorization management unit 1113 of rights management service component 111 reads them and establishes the corresponding authorization relations. Table 2 shows a mapping table of rule groups to application roles.
Table 2: mapping table of application roles, role codes and rule group expressions (supplied as an image in the original; not reproduced here).
Step 5: rights management service component 111 of rights management device 11 sends the authorization information to attribute certificate issuing device 13 (step S1005).
Step 6: attribute certificate issuing device 13 signs the attribute certificates and returns them to attribute certificate publishing service component 113 of rights management device 11 (step S1006).
Step 7: attribute certificate publishing service component 113 of rights management device 11 publishes the attribute certificates to PMI directory server 15 (step S1007).
A user logs in to application apparatus 2 through user device 3; application apparatus 2 forwards the user's login request to authorization management server 1 and receives the user's role information returned by authorization management server 1. According to the user's role, application apparatus 2 grants the user the corresponding access rights. Fig. 6 shows the user login flow; the specific steps are as follows:
Step 1: the user logs in to application apparatus 2 with a digital certificate (step S2001).
Step 2: application apparatus 2 forwards the user's login request to middleware device 16 (step S2002).
Step 3: middleware device 16 verifies the user's digital certificate information (step S2003).
Step 4: middleware device 16 judges whether the user's digital certificate passes verification (step S2004); if it does not pass, go to step 8 (step S2016) and the flow ends.
Step 5: middleware device 16 searches PMI directory server 15 for rule group attribute certificates, working group attribute certificates and personal attribute certificates, and obtains the user's application role information from those attribute certificates. The specific steps are as follows:
(1) Middleware device 16 searches PMI directory server 15 for rule group attribute certificates (step S2005).
(2) Middleware device 16 judges whether the user belongs to the rule group in the rule group attribute certificate (step S2006); if not, go to step (4) (step S2008).
(3) Middleware device 16 obtains the user's application role information from the rule group attribute certificate (step S2007).
(4) Middleware device 16 searches PMI directory server 15 for working group attribute certificates (step S2008).
(5) Middleware device 16 judges whether the user belongs to the working group in the working group attribute certificate (step S2009); if not, go to step (7) (step S2011).
(6) Middleware device 16 obtains the user's application role information from the working group attribute certificate (step S2010).
(7) Middleware device 16 searches PMI directory server 15 for personal attribute certificates (step S2011).
(8) Middleware device 16 judges whether a personal attribute certificate of the user exists (step S2012); if not, go to step 6 (step S2014).
(9) Middleware device 16 obtains the user's application role information from the personal attribute certificate (step S2013).
Step 6: middleware device 16 returns the application role information obtained to application apparatus 2 (step S2014).
Step 7: application apparatus 2 grants the user the corresponding access rights according to the application role information (step S2015).
Step 8: the flow ends (step S2016).
When the authorization information changes, for example when the administrator modifies the authorization relation between a user group and an application role, the invention revokes the old Attribute certificate and produces a new one according to the changed content. Figure 7 shows the modification process for authorization information; the concrete steps are as follows:
Step 1: the administrator modifies the authorization information through PMS manager 12 (step S3001).
Step 2: PMS manager 12 forwards the request to modify the authorization information to the corresponding component of rights management device 11 (step S3002).
If application apparatus 2 or the application Role Information of application apparatus 2 is modified, the request is delivered to the application management unit 1111 of the rights management service parts 111 of rights management device 11; if user group information is modified, for example the rule group expression or the group members, it is delivered to the population management unit 1112 of the rights management service parts 111 of rights management device 11; if the authorization relation between a user group and an application role is modified, it is delivered to the empowerment management unit 1113 of the rights management service parts 111 of rights management device 11.
Step 3: the corresponding component of rights management device 11 processes the request and sends a modify-authorization-relation request message to the empowerment management unit 1113 of the rights management service parts 111 of rights management device 11 (step S3003).
Step 4: the empowerment management unit 1113 of the rights management service parts 111 of rights management device 11 reads the message and searches database 114 for the Attribute certificates related to the modified information (step S3004).
Step 5: empowerment management unit 1113 adds the Attribute certificates found to an Attribute Certificate Revocation List, and sends the Attribute Certificate Revocation List together with the newly produced authorization relation to Attribute certificate issue apparatus 13 (step S3005).
Step 6: Attribute certificate issue apparatus 13 signs and issues the new Attribute certificate and the Attribute Certificate Revocation List, and returns them to Attribute certificate issuing service parts 113 (step S3006).
Step 7: Attribute certificate issuing service parts 113 send the new Attribute certificate and the Attribute Certificate Revocation List to PMI LIST SERVER 15 (step S3007).
Step 8: PMI LIST SERVER 15 deletes the corresponding Attribute certificates according to the Attribute Certificate Revocation List and publishes the new Attribute certificate (step S3008).
For example, when personnel are added to or deleted from working group 1, the Attribute certificate corresponding to working group 1 is looked up and added to the Attribute Certificate Revocation List; Attribute certificate issue apparatus 13 signs and issues a new working group Attribute certificate and the Attribute Certificate Revocation List; Attribute certificate issuing service parts 113 send the new working group Attribute certificate and the Attribute Certificate Revocation List to PMI LIST SERVER 15; and PMI LIST SERVER 15 publishes the new working group Attribute certificate and deletes the corresponding old Attribute certificate according to the Attribute Certificate Revocation List.
Finally, it should be noted that the above embodiments only explain the technical scheme described in the invention and do not limit it. Although this specification has described the invention in detail with reference to the above embodiments, those of ordinary skill in the art should appreciate that the invention can still be modified or equivalently replaced, and all technical schemes and improvements that do not depart from the spirit and scope of the invention fall within the scope of the claims of the invention.
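The role resolution of login step 5 and the revoke-and-reissue sequence of the modification flow, as an added Python model that is not part of the patent: Attribute certificates of the three kinds live in an in-memory stand-in for the PMI LIST SERVER, a user's roles are the union of the roles in every certificate that holds for the user, and changing a working group's members puts the old certificate on an ACRL and publishes a replacement. The certificate fields, the rule-expression form ((attr, value) pairs), the ISO date strings and the expiry check are assumptions of this model; signing by the attribute authority is not modelled.

```python
from dataclasses import dataclass

# Simplified attribute certificate (AC). kind is "rule_group", "work_group" or
# "personal"; roles are the application roles granted; rule is the rule-group
# predicate (each (attr, value) must match the user's digital certificate);
# members lists holder DNs for the other kinds; dates are ISO-8601 strings.
@dataclass(frozen=True)
class AttributeCertificate:
    serial: str
    kind: str
    roles: frozenset
    rule: tuple = ()
    members: frozenset = frozenset()
    not_after: str = "2099-01-01"

class PmiDirectory:
    """Stand-in for the PMI directory server: publishes ACs and deletes those named in an ACRL (step 8)."""
    def __init__(self):
        self.certs = {}
    def publish(self, cert):
        self.certs[cert.serial] = cert
    def apply_acrl(self, acrl):
        for serial in acrl:
            self.certs.pop(serial, None)

def holds(cert, subject):
    """Membership test: rule groups match digital-certificate attributes, the other kinds list holder DNs."""
    if cert.kind == "rule_group":
        return all(subject.get(attr) == value for attr, value in cert.rule)
    return subject["dn"] in cert.members

def resolve_roles(subject, directory, today):
    """Login step 5: union of roles from rule-group, work-group and personal ACs; expired ACs are skipped (added check)."""
    roles = set()
    for cert in directory.certs.values():
        if cert.not_after >= today and holds(cert, subject):  # ISO dates compare as strings
            roles |= cert.roles
    return roles

class AcIssuer:
    """Stand-in for the AC issuing apparatus: assigns serials; the attribute authority's signature is not modelled."""
    def __init__(self):
        self.counter = 0
    def issue(self, kind, roles, rule=(), members=(), not_after="2099-01-01"):
        self.counter += 1
        return AttributeCertificate(f"AC-{self.counter}", kind, frozenset(roles),
                                    tuple(rule), frozenset(members), not_after)

def modify_work_group(directory, issuer, old_serial, new_members):
    """Modification steps 4-8: put the old work-group AC on an ACRL, issue a replacement, apply the ACRL, publish."""
    old = directory.certs[old_serial]
    acrl = [old_serial]
    new = issuer.issue("work_group", old.roles, members=new_members)
    directory.apply_acrl(acrl)
    directory.publish(new)
    return acrl, new

def demo():
    """Constructed scenario: alice is in OU Finance and working group 1, bob holds a personal AC; alice is then removed."""
    issuer, directory, today = AcIssuer(), PmiDirectory(), "2024-01-01"
    directory.publish(issuer.issue("rule_group", ["auditor"], rule=[("ou", "Finance")]))  # AC-1
    directory.publish(issuer.issue("work_group", ["reviewer"], members=["cn=alice", "cn=bob"]))  # AC-2
    directory.publish(issuer.issue("personal", ["admin"], members=["cn=bob"]))  # AC-3
    directory.publish(issuer.issue("personal", ["admin"], members=["cn=alice"], not_after="2020-01-01"))  # AC-4, expired
    alice, bob = {"dn": "cn=alice", "ou": "Finance"}, {"dn": "cn=bob", "ou": "IT"}
    before = (resolve_roles(alice, directory, today), resolve_roles(bob, directory, today))
    acrl, new = modify_work_group(directory, issuer, "AC-2", ["cn=bob"])
    after = (resolve_roles(alice, directory, today), resolve_roles(bob, directory, today))
    return before, after, acrl, new.serial, sorted(directory.certs)
```

A middleware that caches ACs would also need to re-read the directory after step 8, otherwise the revoked working group certificate keeps granting its roles until the cache expires.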

Claims (7)

1. An authorization management system comprising an empowerment management server, at least one application apparatus and at least one user's set, characterized in that:
the empowerment management server comprises at least:
a rights management device, for maintaining the authorization elements of the system (user groups and application roles), establishing the authorization relation of user groups to application roles, and publishing the authorization information to the PMI LIST SERVER;
a PMS (Privilege Management System) manager, for interaction between the administrator and the system;
an Attribute certificate issue apparatus, for establishing the attribute authority (AA) source, receiving the authorization information sent by the rights management device, signing and issuing that information as an Attribute certificate, and returning it to the rights management device;
a CA (Certificate Authority) LIST SERVER, providing the rights management device with a directory service for user digital certificates that follows the LDAP (Lightweight Directory Access Protocol) standard;
a PMI (Privilege Management Infrastructure) LIST SERVER, providing the middleware device with a directory service for Attribute certificates that follows the LDAP standard, and deleting the corresponding Attribute certificates according to the Attribute Certificate Revocation List sent by the rights management device;
a middleware device, for receiving the user's login request forwarded by the application apparatus, verifying the legitimacy of the user's digital certificate, searching the PMI LIST SERVER for the user's corresponding Attribute certificates, and returning the Role Information obtained from the relevant certificates to the application apparatus;
the empowerment management server, the application apparatus and the user's set are interconnected by a network;
the rights management device further includes:
rights management service parts, for generating user groups and the application Role Information corresponding to the application apparatus, establishing the authorization relation between user groups and application roles, and transferring the authorization information to the Attribute certificate issue apparatus for signing and issuing;
Attribute certificate issuing service parts, for sending the Attribute certificates signed and issued by the Attribute certificate issue apparatus to the PMI LIST SERVER, the Attribute certificates including rule group Attribute certificates, working group Attribute certificates and personal Attribute certificates;
a database, for maintaining system data;
the rights management service parts further include:
an application management unit, for registering all application apparatus and, when the registration information changes, sending a modify-authorization-relation request message to the empowerment management unit;
a population management unit, for obtaining personal information from the CA LIST SERVER, generating and maintaining user group information, and, when the user group information changes, sending a modify-authorization-relation request message to the empowerment management unit;
an empowerment management unit, for establishing the authorization relation between user groups and application roles, or receiving the modify-authorization-relation request messages sent by the other units, and sending the new authorization information to the Attribute certificate issue apparatus for signing and issuing;
the rights management device also comprises:
data synchronization check service parts, for checking, according to a custom strategy, the consistency of the distributed data on the database and the PMI LIST SERVER.
2. An implementation method of an authorization management system in which an empowerment management server, an application apparatus and a user's set are interconnected by a network, characterized in that it comprises the following steps:
Step 1: the rights management service parts of the rights management device obtain digital certificates from the CA LIST SERVER and read the personnel and corresponding organization information;
Step 2: the rights management service parts of the rights management device generate the user groups;
Step 3: the rights management service parts of the rights management device read the application roles corresponding to the several application apparatus;
Step 4: the rights management service parts of the rights management device establish the authorization relation between user groups and application roles;
Step 5: the rights management service parts of the rights management device send the authorization information to the Attribute certificate issue apparatus;
Step 6: the Attribute certificate issue apparatus signs and issues the Attribute certificate and returns it to the Attribute certificate issuing service parts of the rights management device;
Step 7: the Attribute certificate issuing service parts of the rights management device publish the Attribute certificate to the PMI LIST SERVER.
3. The implementation method of an authorization management system according to claim 2, characterized in that step 2 further includes the generation of rule groups:
the administrator defines a rule group expression through the PMS manager, and the population management unit of the rights management service parts reads the user attribute information in the digital certificates according to the rule group expression and creates the corresponding rule group.
4. The implementation method of an authorization management system according to claim 2, characterized in that step 2 further includes the generation of working groups:
the administrator views personal information and the related organizational structure information through the PMS manager and selects some personnel on the organization tree to define a working group, and the population management unit of the rights management service parts reads the working group information defined by the administrator and creates the corresponding working group.
5. The implementation method of an authorization management system according to claim 2, characterized in that it also includes the following steps:
Step 1: the user logs in to the application apparatus with a digital certificate;
Step 2: the application apparatus forwards the user's login request to the middleware device;
Step 3: the middleware device verifies the user's digital certificate information;
Step 4: the middleware device judges whether the user's digital certificate passes verification; if it does not pass verification, the flow turns to step 6 and ends;
Step 5: the middleware device searches the PMI LIST SERVER for the rule group Attribute certificate, the working group Attribute certificate and the personal Attribute certificate, and obtains the user's application Role Information from the relevant certificates;
Step 6: the middleware device returns the obtained application Role Information to the application apparatus;
Step 7: the application apparatus grants the user the corresponding access rights according to the application Role Information;
Step 8: the flow ends.
6. The implementation method of an authorization management system according to claim 5, characterized in that step 5 further includes the following steps:
(1) the middleware device searches the PMI LIST SERVER for rule group Attribute certificates;
(2) the middleware device judges whether the user belongs to the rule group in a rule group Attribute certificate; if not, turn to step (4);
(3) the middleware device obtains the user's application Role Information from the rule group Attribute certificate;
(4) the middleware device searches the PMI LIST SERVER for working group Attribute certificates;
(5) the middleware device judges whether the user belongs to the working group in a working group Attribute certificate; if not, turn to step (7);
(6) the middleware device obtains the user's application Role Information from the working group Attribute certificate;
(7) the middleware device searches the PMI LIST SERVER for personal Attribute certificates;
(8) the middleware device judges whether a personal Attribute certificate exists for the user; if so, the middleware device obtains the user's application Role Information from the personal Attribute certificate.
7. The implementation method of an authorization management system according to claim 2, characterized in that, when the authorization information changes, it further comprises the following steps:
Step 1: the administrator modifies the authorization information through the PMS manager;
Step 2: the PMS manager forwards the request to modify the authorization information to the corresponding component of the rights management device;
Step 3: the corresponding component of the rights management device processes the request and sends a modify-authorization-relation request message to the empowerment management unit of the rights management service parts of the rights management device;
Step 4: the empowerment management unit reads the message and searches the database for the Attribute certificates related to the modified information;
Step 5: the empowerment management unit adds the Attribute certificates found to an Attribute Certificate Revocation List, and sends the Attribute Certificate Revocation List together with the newly produced authorization relation to the Attribute certificate issue apparatus;
Step 6: the Attribute certificate issue apparatus signs and issues the new Attribute certificate and the Attribute Certificate Revocation List and returns them to the Attribute certificate issuing service parts;
Step 7: the Attribute certificate issuing service parts send the new Attribute certificate and the Attribute Certificate Revocation List to the PMI LIST SERVER;
Step 8: the PMI LIST SERVER deletes the corresponding Attribute certificates according to the Attribute Certificate Revocation List and publishes the new Attribute certificate.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN 200910217965 CN102088360B (en) 2009-12-08 2009-12-08 Distributed authorization management system and implementation method thereof

Publications (2)

Publication Number Publication Date
CN102088360A CN102088360A (en) 2011-06-08
CN102088360B true CN102088360B (en) 2013-12-25

Family

ID=44099982

Families Citing this family (13)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102868525A (en) * 2011-07-04 2013-01-09 航天信息股份有限公司 Authorization management method based on digital certificate
CN103166911B (en) * 2011-12-09 2017-06-13 阿里巴巴集团控股有限公司 A kind of version management server right management method and equipment
CN103685165A (en) * 2012-09-06 2014-03-26 深圳第七大道网络技术有限公司 Service processing method and service server
CN102843261B (en) * 2012-09-18 2015-11-18 平顶山中选自控系统有限公司 A kind of distributed right management method of coal preparation plant MES based role
CN103281180B (en) * 2013-04-18 2015-12-23 暨南大学 User is protected to access the bill generation method of privacy in a kind of network service
CN105577665B (en) * 2015-12-24 2019-06-18 西安电子科技大学 Identity and access control management system and method under a kind of cloud environment
CN107276965B (en) * 2016-04-07 2021-05-14 阿里巴巴集团控股有限公司 Authority control method and device of service discovery component
US10951421B2 (en) * 2016-11-28 2021-03-16 Ssh Communications Security Oyj Accessing hosts in a computer network
WO2019072039A1 (en) * 2017-10-09 2019-04-18 华为技术有限公司 Service certificate management method, terminal, and server
CN111984936B (en) * 2019-05-23 2023-06-30 腾讯科技(深圳)有限公司 Authorization distribution method, device, server and storage medium
CN112559976B (en) * 2020-12-08 2024-03-19 广联达科技股份有限公司 Product authorization method and system
CN113297589B (en) * 2021-03-31 2024-04-16 阿里巴巴创新公司 Method, device and system for setting cluster permission
CN113704733B (en) * 2021-08-31 2024-03-08 上海万向区块链股份公司 Privacy verifiable dynamic DID authentication method and system

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2008011098A (en) * 2006-06-28 2008-01-17 Ntt Docomo Inc Attribute information verification method, revocation information generating apparatus, service provision source apparatus, and attribute information verification system
CN101453475A (en) * 2009-01-06 2009-06-10 中国人民解放军信息工程大学 Authentication management system and method
CN101640687A (en) * 2009-08-31 2010-02-03 国家信息中心 Privilege management system and method

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant