Resource access authorization verification method and system
Technical field
The present invention relates to Internet resources security fields, more particularly, relate to a kind of can be used between at least two systemsResource access authorization verification method and system.
Background technology
Current network Development is more and more faster, and the spread speed of information increases day by day. Protect for the resource on network,Paid close attention to by vast IT enterprises. The resource here includes, but are not limited to: the electronics of invoice bill, pay sheet, reimbursement voucherScanned copy, encrypt file transmission, charge video, audio frequency, various documents etc. If resource is not protected, probably stealChain, the file event such as divulge a secret.
Generally browsing an important phenomenon and be exactly a complete page is not to be once all sent to client. If request is the page with many pictures and out of Memory, a Http request so is at first transmittedWhat return is the text of this page, then by the browser of client, the explanation of this section of text is carried out, and also finds whereinHave picture, the browser of client can send Http request more so, this picture so after this request is processedFile can be sent to client, and then browser can be placed to picture the tram of the page, like this one completePerhaps, the page will be asked through many Http of transmission can be by complete demonstration.
Based on such mechanism, will produce a problem, that steals chain problem exactly: do not have in a website if be exactlyPlay said information in the page, for example pictorial information, it completely can be by other website that is connected to of this picture so. Like thisWithout any the website use of resource the resource of other website show viewer, improved the visit capacity of oneself, and largePart viewer can not find again easily, and obvious like this, the website that has been utilized resource for that is inequitable. OneA little objectionable websites expand own site contents in order not increase cost, often usurp the link of other websites. Infringement on the one handThe legitimate interests of original web, increased the weight of again on the other hand the burden of server.
If steal the chain person image resource of browser server easily, the significant data comprising in image so is just depositedIn the possibility of divulging a secret, steal the URL link that chain person only need to know picture, can download picture, deposit this locality, be forwarded to itHis website.
Summary of the invention
The technical problem to be solved in the present invention is, provides a kind of and can effectively ensure that the resource access authorization of resource security testsCard method and system.
The technical solution adopted for the present invention to solve the technical problems is: a kind of resource access authorization verification method is provided,For the resource access between client-requested system and Resource Supply system, comprise the following steps:
S1: client-requested system is sent resource request instruction, in described resource request instruction, include authentication secret, withAnd customer parameter information;
S2: Resource Supply system receives described resource request instruction, and described authentication secret is verified, be verifiedEnter step S3;
S3: Resource Supply system is carried out request permissions checking according to customer parameter information, after request permissions is verified,Return to the resource corresponding with described resource request instruction.
In resource access authorization verification method of the present invention, described client-requested system and Resource Supply system areWeb application system.
In resource access authorization verification method of the present invention, described method also comprises step S4: described client-requestedThe privately owned shared key of the common negotiation of system and Resource Supply system, is provided with key authentication data in described Resource Supply systemStorehouse;
In described step S2, the authentication secret in described resource request instruction is entered in described key authentication databaseRow checking, is verified and enters step S3, haves no right visit information otherwise return.
In resource access authorization verification method of the present invention, described step S3 comprises:
S3-1: described Resource Supply system by the internal memory of described customer parameter information and described Resource Supply systemJoin data and carry out request permissions checking, after request permissions is verified, execution step S3-2, cannot lead in request permissions checkingOut-of-date, execution step S3-3;
S3-2: described Resource Supply system is exported the page according to described resource request instruction load resource, and loading moneyWhen resource corresponding to source output page face, again from send the client-requested system of described resource request instruction, obtain user's ginsengNumber information, and carry out request permissions checking with the matched data in the internal memory of described Resource Supply system, verify at request permissionsBy rear, return to corresponding resource;
S3-3: described Resource Supply system is by the user who stores in described customer parameter information and described Resource Supply systemMate in storehouse, after coupling is passed through, described customer parameter information is written in the internal memory of described Resource Supply systemJoin in data, then perform step S3-1 and S3-2; When coupling cannot by time, return and have no right visit information.
In the described step S3-1 of resource access authorization verification method of the present invention, described customer parameter information comprises useName in an account book and the user right corresponding with user name; Described matched data comprises authorized user name and right with authorized user nameThe authorized user authority of answering; Carrying out request permissions when checking, described user name and user right can with described authorized user nameDuring with authorized user permission match, verify by request permissions, otherwise cannot pass through.
In the described step S3-2 of resource access authorization verification method of the present invention, loading resource output page face correspondenceResource time, the OPADD of resolving resource corresponding label, is transmitted to Handle every address and processes; This Handle receivesTo after the request of address, get the parameter value in address, and again get and in client-requested system, obtain customer parameter information,After request permissions is verified, return to corresponding resource according to the parameter value in address.
In the described step S3-3 of resource access authorization verification method of the present invention, described client-requested system is passed throughWebService calls the mandate interface module of described Resource Supply system, by authorizing interface module to receive described user's ginsengNumber information, and mate with the user library of storing in described Resource Supply system, after coupling is passed through, by described customer parameterInformation is written in the matched data in the internal memory of described Resource Supply system.
The present invention also provides a kind of resource access authorization verification system, comprises client-requested system and the money of connecting communicationSource provides system, and described client-requested system comprises request module, and for sending resource request instruction, described resource request refers toIn order, include authentication secret and customer parameter information;
Described Resource Supply system comprises:
Access authentication module, for verifying the authentication secret from described client-requested system;
Authority Verification module, carries out request permissions for the customer parameter information to from described client-requested system and testsCard;
Processing module, for according to the result of described access authentication module and Authority Verification module, to from describedThe resource request instruction of client-requested system is processed; And
Memory module, stores key authentication database and user library.
In resource access authorization verification system of the present invention, described Resource Supply system also comprises:
Internal memory, for storing matched data; And
Authorize interface module, with described Memory linkage, for the customer parameter from described client-requested system is believedBreath mates with described user library, and is described matched data by the described customer parameter information processing of coupling, and is stored inIn described internal memory.
In resource access authorization verification system of the present invention, described Authority Verification module and described Memory linkage, in the futureMatched data in customer parameter information and the described internal memory of described client-requested system is carried out request permissions checking.
Implement the present invention and there is following beneficial effect: by multiple-authentications such as authentication secret, request permissions checkings, guaranteedThe security of resource; And all checkings all complete in Resource Supply system, can effectively avoid the illegal of client-requested systemDistort, improved the security of resource.
In addition, due to request permissions checking only need with internal memory in matching list carry out, matching list is as the relation of light weightData, have avoided taking too much Resource Supply system resource, and without frequently with database, the client of memory moduleRequest System is carried out mutual frequently, has effectively improved runnability.
In addition, even leak at resource link, also can ensure the safety of this resource, because when there being disabled user to askWhen resource, all can arrive all the time the Resource Supply system resource that conducts interviews, and when access resources, must verify mandate, non-like thisMethod user cannot read resource all the time, thereby has guaranteed the security of resource.
Brief description of the drawings
Below in conjunction with drawings and Examples, the invention will be further described, in accompanying drawing:
Fig. 1 is the schematic block diagram of an embodiment of resource access authorization verification system of the present invention;
Fig. 2 is the schematic flow diagram of the authorisation step of an embodiment of resource access authorization verification method of the present invention;
Fig. 3 is the schematic flow diagram of the resource request of an embodiment of resource access authorization verification method of the present invention.
Detailed description of the invention
As shown in Figure 1, be an embodiment of resource access authorization verification system of the present invention, comprise can communication connectingClient-requested system 10 and Resource Supply system 20. In the present embodiment, this client-requested system 10 and Resource Supply systemSystem 20 is Web application system. Wherein, Web application system is applied to WebService technology, and WebService is one and answersWith assembly, its logicality is to provide geodata and services for other application programs. Each application program is by procotol and regulationSome standard data formats (Http, XML, Soap) visit WebService, obtain by inner execution of WebServiceResults needed. WebService can carry out any function from simple request to complicated business processing. Once dispose withAfter, the service that it is disposed can be found and call to other WebService application programs.
Wherein, client-requested system 10, for to Resource Supply system 20 request resource, comprises request module 11, forSend resource request instruction. In this resource request instruction, include authentication secret and customer parameter information etc., certainly, also bagDraw together the specifying information of request resource etc.
This Resource Supply system 20, as server, for client-requested system 10 provides resource, comprises access checking mouldPiece 21, Authority Verification module 22, processing module 22, memory module 24, internal memory 25 etc.
This access authentication module 21 is for to verifying from the authentication secret of client-requested system 10, by testingCard key and key authentication database carry out contrast verification, to determine that whether client-requested system 10 is as validated user.
This Authority Verification module 22 is carried out request permissions for the customer parameter information to from client-requested system 10Checking, by the matched data in customer parameter information and internal memory 25 is contrasted, to determine this client-requested system 10Whether there is the authority of corresponding resource.
This processing module 22 is for according to the result of access authentication module 21 and Authority Verification module 22, to from visitorThe resource request instruction of family end Request System 10 is processed, to return to the money of request by the request of verifying and have an authoritySource.
This memory module 24 is for storage key validation database and user library etc., and confession is verified, licensed.
Further, this Resource Supply system 20 is also provided with authorizes interface module 26, is connected, for will be from internal memory 25The customer parameter information of client-requested system 10 is mated with the user library of memory module 24, and by the customer parameter of couplingInformation processing is matched data, and is stored in internal memory 25, uses for Authority Verification module 22, is about to from client-requestedMatched data in customer parameter information and the internal memory 25 of system 10 is carried out request permissions checking.
As shown in Figure 2,3, be an embodiment of resource access authorization verification method of the present invention. In the present embodiment,The method comprises checking configuration step, authorisation step and checking authorisation step etc.
(not shown) in configuration step, client-requested system 10 and privately owned the sharing of the common negotiation of Resource Supply system 20Key (as Passport key), in Resource Supply system 20, be provided with key authentication database, identify thus clientWhether Internet access Resource Supply system 20 of Request System 10.
Before providing system 20, access resources can read key authentication database one time, checking client Request System 10The key of holding. Permit if meet Resource Supply system 20 key calling, just accessible resource provides system 20. If closeKey does not meet, and will be judged to be malice and authorize or authorize and illegally distorted, and returns and haves no right to access.
This key can adopt Passport key, specifies a private cipher key to deposit key in test by Resource Supply system 20In the allocation list field of card database. Client-requested system 10 can be carried key to Resource Supply system 20, carries out key and testsCard. If key conforms to allocation list field, think these client-requested system 10 Internet access; Otherwise output haves no right to accessInformation, for example, return have no right access notifications, make mistakes notice etc.
As shown in Figure 2, send resource request instruction request resource in client-requested system 10 to Resource Supply system 20Time (S201), must carry out request permissions checking (S202), Resource Supply system 20 by customer parameter information and internal memory 25Join data and carry out request permissions checking, after request permissions is verified, return to the resource corresponding with resource request instruction(S203); In the time that request permissions checking cannot be passed through, need authorize client-requested system 10.
Client-requested system 10 is called the mandate interface module 26 of Resource Supply system 20 by WebService, logicalCross mandate interface module 26 and receive customer parameter information (S204), and with the memory module 24 of Resource Supply system 20 in storageUser library mates (S205), after coupling is passed through, customer parameter information is written to the internal memory 25 of Resource Supply system 20Matched data in (S206); When coupling cannot by time, return and have no right visit information (S207).
Understandable, in this internal memory 25, can preserve overall matched data, in this table, preserve all authorized usersName and the authorized user authority corresponding with this authorized user name. And Resource Supply system 20 can record this authorized user nameAuthority record, generate daily record, deposit database in.
Exactly because in internal memory 25, preserve the relation data of light weight, thus reach can be not too much the Resource Supply that takiesThe resource of system 20, can be not frequently not mutual with database, client-requested system 10 yet, effectively improve runnability.
As shown in Figure 3, be the flow chart that client-requested system 10 is sent a resource request, first, user is to clientEnd Request System 10 request resource. These users of client-requested system 10 checking request of sending of whether having the right, if had the right, visitorFamily end Request System 10 is sent resource request instruction, includes authentication secret and customer parameter information in resource request instruction;If had no right, output haves no right to check prompting.
Client-requested system 10 loads user's resource request instruction, and resource request instruction is issued to Resource Supply systemSystem 20, for example, export Resource Supply system 20 to by WebServer.
Resource Supply system 20 receives resource request instruction, and the authentication secret of resource request instruction is verified,When checking cannot be passed through, output haves no right to check prompting; While being verified, also do not write Resource Supply in this customer parameter informationWhen the internal memory 25 of system 20, carry out the foregoing step that client-requested system 10 is authorized.
In the time that customer parameter information has deposited internal memory 25 in, client-requested system 10 is quoted the money of Resource Supply system 20The source output page; And, these users of Resource Supply system 20 checking requests for page of whether having the right.
The matched data in customer parameter information and internal memory 25 is carried out request permissions checking by Resource Supply system 20. UserParameter information comprises user name and the user right corresponding with user name; Matched data comprise authorized user name and with awardAuthorized user authority corresponding to power user name. In the time carrying out request permissions checking, user name and user right energy and authorized userWhen name and authorized user permission match, verify by request permissions, otherwise cannot pass through.
In the time that checking client Request System 10 is had no right the access resources output page, output haves no right to check instruction.
In the time of the checking client Request System 10 Internet access resource output page, continue checking and whether have the right to ask this pageThe corresponding resource of face, after being verified, normally output. Otherwise output haves no right to check instruction.
In the time loading resource corresponding to resource output page face, the OPADD of resolving resource corresponding label, turns every addressIssuing a Handle processes; This Handle receives after the request of address, gets the parameter value in address, and again gets visitorIn family end Request System 10, obtain customer parameter information, after request permissions is verified, return according to the parameter value in addressCorresponding resource; Thereby, even if the link of resource page leak or circulate away, visitor carry out page resource access time,Also need authentication of users parameter information again, disabled user cannot, by checking, just have no right to browse the resource of actual request, also withoutMethod is carried out subscriber authorisation, has further improved the security of system.
In addition, even if the resource of the client-requested system 10 output page is revealed or circulates away, illegal user alsoBe to pass through above-mentioned mandate, checking, can play equally the risk that prevents resource stealing, further improved the peace of systemQuan Xing.
Between above-mentioned each technical characterictic, can be combined into as required various embodiment, again not repeat. CanUnderstand, above embodiment has only expressed the preferred embodiment of the present invention, and it describes comparatively concrete and in detail, but can not be because ofThis and be interpreted as the restriction to the scope of the claims of the present invention; It should be pointed out that for the person of ordinary skill of the art,Do not depart under the prerequisite of the present invention design, can carry out independent assortment to above-mentioned technical characterstic, can also make some distortion andImprove, these all belong to protection scope of the present invention; Therefore, all equivalents of doing with the claims in the present invention scope with repairAdorn, all should belong to the covering scope of the claims in the present invention.