Summary of the invention
Embodiments of the present invention provide a method and a device for accessing cross-domain resources, which enable access to cross-domain resources and simplify the operations a user performs to access network security domains.
To solve the above technical problem, the embodiments of the present invention disclose the following technical solutions:
The present invention provides a method for accessing cross-domain resources, including:
obtaining an access mapping relationship between a first security domain and a second security domain that is in another security domain;
receiving an access request to log in to the first security domain, and authenticating the access request;
when the access request passes authentication, performing cross-domain access to the second security domain according to the access mapping relationship.
Further, obtaining the access mapping relationship between the first security domain and the second security domain that is in another security domain includes:
establishing an association relationship that associates the first security domain with the second security domain, and synchronizing the association relationship to the second security domain;
presetting a business system standard for resource mapping, and synchronizing the business system standard to the second security domain, so that the second security domain performs intra-domain resource mapping according to the business system standard and obtains mapping result information;
receiving the mapping result information returned by the second security domain;
granting, according to the mapping result information, the first security domain the access rights to access resources in the second security domain.
The present invention also provides a method for accessing cross-domain resources, including:
obtaining an access mapping relationship between a second security domain and a first security domain that is in another security domain;
performing intra-domain resource mapping in the second security domain according to the access mapping relationship;
when an access request to log in to the first security domain passes authentication, accepting, by the second security domain and according to the access mapping relationship, the cross-domain access to the second security domain initiated by the first security domain.
Further, obtaining the access mapping relationship between the second security domain and the first security domain that is in another security domain includes:
receiving the association relationship, synchronized from the first security domain, that associates the second security domain;
receiving the business system standard for resource mapping synchronized from the first security domain.
Further, performing intra-domain resource mapping in the second security domain according to the access mapping relationship includes:
associating with the first security domain according to the association relationship;
performing intra-domain resource mapping according to the business system standard to obtain mapping result information;
sending the mapping result information to the first security domain, so that, according to the mapping result information, the first security domain is granted the access rights to access resources in the second security domain.
The present invention also provides a device for accessing cross-domain resources, including:
a first access mapping relationship obtaining module, configured to obtain the access mapping relationship between a first security domain and a second security domain that is in another security domain;
an access request authentication module, configured to receive an access request to log in to the first security domain and to authenticate the access request;
a cross-domain access module, configured to perform cross-domain access to the second security domain according to the access mapping relationship when the access request passes authentication.
Further, the first access mapping relationship obtaining module includes:
a domain association relationship establishing unit, configured to establish the association relationship that associates the first security domain with the second security domain;
a domain association relationship sending unit, configured to synchronize the association relationship to the second security domain;
a system standard presetting unit, configured to preset the business system standard for resource mapping;
a system standard sending unit, configured to synchronize the business system standard to the second security domain, so that the second security domain performs intra-domain resource mapping according to the business system standard and obtains mapping result information;
a mapping result receiving unit, configured to receive the mapping result information returned by the second security domain;
a permission granting unit, configured to grant, according to the mapping result information, the first security domain the access rights to access resources in the second security domain.
The present invention also provides a device for accessing cross-domain resources, including:
a second access mapping relationship obtaining module, configured to obtain the access mapping relationship between a second security domain and a first security domain that is in another security domain;
a resource mapping module, configured to perform intra-domain resource mapping in the second security domain according to the access mapping relationship;
an access accepting module, configured so that, when an access request to log in to the first security domain passes authentication, the second security domain accepts, according to the access mapping relationship, the cross-domain access to the second security domain initiated by the first security domain.
Further, the second access mapping relationship obtaining module includes:
a domain association relationship receiving unit, configured to receive the association relationship, synchronized from the first security domain, that associates the second security domain;
a system standard receiving unit, configured to receive the business system standard for intra-domain resource mapping synchronized from the first security domain.
Further, the resource mapping module includes:
a domain association unit, configured to associate with the first security domain according to the association relationship;
an intra-domain resource mapping unit, configured to perform intra-domain resource mapping according to the business system standard and obtain mapping result information;
a mapping result sending unit, configured to send the mapping result information to the first security domain, so that, according to the mapping result information, the first security domain is granted the access rights to access resources in the second security domain.
In the embodiments of the present invention, the access mapping relationship between the first security domain and a second security domain that is in another security domain is obtained; the first security domain receives the access request to log in to the first security domain; and when the access request passes authentication, cross-domain access to the second security domain is carried out according to the access mapping relationship. Because an access mapping relationship exists between the second security domain and the first security domain, the user only needs to log in to the first security domain to access the authorized second security domain directly across domains, without separately entering the second security domain for access authentication. This reduces the authentication steps for accessing network security domains and speeds up access to the security domains. At the same time, because no separate access authentication in the second security domain is needed, the probability that user authentication information is leaked is reduced and the security of the system is improved.
Detailed description of the invention
To enable those skilled in the art to better understand the technical solutions in the embodiments of the present invention, and to make the above objects, features and advantages of the embodiments clearer and easier to understand, the technical solutions in the embodiments are described in further detail below with reference to the accompanying drawings.
An embodiment of the present invention provides a method for accessing cross-domain resources. The specific flow is shown in Figure 1 and may include:
Step 101: obtain the access mapping relationship between the first security domain and a second security domain that is in another security domain.
In the embodiments of the present invention, the network security domain that the user logs in to is called the "first security domain", and the network security domain that the user accesses across domains through the first security domain is called the "second security domain". In a practical application scenario, the second security domain may be one or more network security domains that are in other security domains.
To achieve the eventual cross-domain access, the access mapping relationship between the first security domain and the second security domain must first be obtained. In a specific application scenario, this access mapping relationship may be preset. Through the access mapping relationship, resources in the first security domain are mapped to resources in the second security domain.
Step 102: receive the access request to log in to the first security domain, and authenticate the access request.
In the embodiments of the present invention, when the user needs to perform cross-domain access, the user must access the first security domain and perform the login operation on the first security domain.
Usually, the user presets login information, such as an account and a password, for logging in to a security domain. The user therefore enters the preset account, password and other login information in the first security domain in order to log in to it.
In the embodiments of the present invention, after the first security domain receives the user's access request to log in to the first security domain, it authenticates the current access request. For example, it authenticates the account and password information entered by the user when logging in to the first security domain; if the account and password information entered for the current login is consistent with the preset account and password information, the current access passes authentication.
Step 103: when the access request passes authentication, perform cross-domain access to the second security domain according to the access mapping relationship.
In this step, when the access request initiated by the user passes authentication, the user has successfully logged in to the first security domain. Through the obtained access mapping relationship, the user can enter the second security domain across domains and then access the resources in the second security domain.
In the embodiments of the present invention, the access mapping relationship between the first security domain and a second security domain that is in another security domain is obtained; the first security domain receives the access request to log in to the first security domain; and when the access request passes authentication, cross-domain access to the second security domain is carried out according to the access mapping relationship. Because an access mapping relationship exists between the second security domain and the first security domain, the user only needs to log in to the first security domain to access the authorized second security domain directly across domains, without separately entering the second security domain for access authentication. This reduces the authentication steps for accessing network security domains and speeds up access to the security domains. At the same time, because no separate access authentication in the second security domain is needed, the probability that user authentication information is leaked is reduced and the security of the system is improved.
In one embodiment of the present invention, the detailed implementation flow of step 101 above is shown in Figure 2 and may include the following steps:
Step 201: establish the association relationship that associates the first security domain with the second security domain, and synchronize the association relationship to the second security domain.
In this step, an association relationship that associates the first security domain with the second security domain is first established in the first security domain, and this association relationship is then synchronized to the second security domain so that the second security domain obtains it. The association relationship binds the access operation on the second security domain to the access operation on the first security domain; that is, once the user has passed authentication by the first security domain and successfully logged in to it, the user can initiate access to the second security domain without logging in to the second security domain.
Step 202: preset the business system standard for resource mapping, and synchronize the business system standard to the second security domain, so that the second security domain performs intra-domain resource mapping according to the business system standard and obtains mapping result information.
In this step, the first security domain may be bound to several other security domains at the same time. To unify the resource mapping method across these security domains, the first security domain may preset a business system standard, that is, a business system standard for resource mapping, and synchronize it to the second security domain. The business system standard regulates the resource mapping method within a security domain: every security domain other than the first security domain must map the resources in its own domain according to this standard.
Specifically, the first security domain generates a business system standard that all security domains can use uniformly, based on sorting out the resource data in the other security domains. Usually, the business system standard needs to cover 18 major business systems and is divided into a multi-level structure. For example, in a two-level structure, the first-level nodes may include the network management system, the data system and so on, and the second-level nodes under the network management system may include the telephone traffic network, data network management, transmission network management and so on. The business system standard may be presented in tree form, in which case the business systems in the other security domains are presented in the same tree form.
After the second security domain completes intra-domain resource mapping according to the business system standard, the corresponding mapping result information is obtained.
Step 203: receive the mapping result information returned by the second security domain.
In this step, after the second security domain completes intra-domain resource mapping according to the business system standard and obtains the mapping result information, it returns the mapping result information to the first security domain. Specifically, the mapping result information may carry the result of the resource mapping performed in the second security domain, that is, whether the second security domain completed the resource mapping successfully. Through the mapping result information, the first security domain learns the state of resource mapping in the second security domain.
Step 204: according to the mapping result information, grant the first security domain the access rights to access resources in the second security domain.
In this step, after the first security domain receives the mapping result information returned by the second security domain, it determines from the mapping result information whether resource mapping was completed successfully in the second security domain. If it was, the first security domain is granted, within the first security domain, the access rights to access resources in the second security domain, which finally completes the mapping between resources in the first security domain and the related resources in the second security domain.
In a specific application scenario, a centralized authentication platform for quickly accessing cross-domain resources may be provided to the user in advance. The platform presents, in one place, the list of resources the user is entitled to access; by clicking a resource link the user accesses the cross-domain resource directly, without having to authenticate to each resource system separately, so that a single authentication on the centralized authentication platform allows cross-domain access to multiple resources. The platform may also store resource information in the form of tickets and may provide functions for generating and forwarding tickets. For example, operations to add, delete, edit or import cross-domain security domains are performed through the centralized authentication platform to manage the association relationships of the security domains that implement cross-domain access; once the management of a cross-domain security domain is completed, the corresponding cross-domain security domain is automatically notified to synchronize the association relationship. Similarly, operations to add, delete, edit or import business system standards are performed through the centralized authentication platform to manage the business system standard used uniformly by all security domains; once the management of the business system standard is completed, the corresponding cross-domain security domains are automatically notified to synchronize the business system standard.
The process above describes the flow of the method for accessing cross-domain resources from the side of the first security domain. The following describes the flow in detail from the side of the second security domain.
An embodiment of the present invention provides a method for accessing cross-domain resources. The specific flow is shown in Figure 3 and may include:
Step 301: obtain the access mapping relationship between the second security domain and a first security domain that is in another security domain.
In the embodiments of the present invention, to achieve the eventual cross-domain access, the second security domain also needs to obtain the access mapping relationship with the first security domain that is in another security domain.
In a specific application scenario, the access mapping relationship between the first security domain and the second security domain may first be preset in the first security domain; through this access mapping relationship, resources in the first security domain are mapped to resources in the second security domain. After the access mapping relationship has been preset in the first security domain, it must be synchronized to the second security domain so that the second security domain obtains it and can then map the resources in its own security domain according to it.
Step 302: according to the access mapping relationship, the second security domain performs intra-domain resource mapping.
In this step, after the second security domain obtains the access mapping relationship, it performs intra-domain resource mapping according to that relationship.
Step 303: when the access request to log in to the first security domain passes authentication, the second security domain accepts, according to the access mapping relationship, the cross-domain access to the second security domain initiated by the first security domain.
In this step, when the user needs to perform cross-domain access, the user must access the first security domain and perform the login operation on the first security domain. Usually, the user presets login information, such as an account and a password, for logging in to a security domain. The user therefore enters the preset account, password and other login information in the first security domain in order to log in to it.
After the first security domain receives the user's access request to log in to the first security domain, it authenticates the current access request. For example, it authenticates the account and password information entered by the user when logging in to the first security domain; if the account and password information entered for the current login is consistent with the preset account and password information, the current access passes authentication.
When the access request initiated by the user passes authentication, the user has successfully logged in to the first security domain. Through the access mapping relationship, the user can enter the second security domain across domains and then access the resources in the second security domain.
In the embodiments of the present invention, the access mapping relationship between the first security domain and a second security domain that is in another security domain is obtained; the first security domain receives the access request to log in to the first security domain; and when the access request passes authentication, cross-domain access to the second security domain is carried out according to the access mapping relationship. Because an access mapping relationship exists between the second security domain and the first security domain, the user only needs to log in to the first security domain to access the authorized second security domain directly across domains, without separately entering the second security domain for access authentication. This reduces the authentication steps for accessing network security domains and speeds up access to the security domains. At the same time, because no separate access authentication in the second security domain is needed, the probability that user authentication information is leaked is reduced and the security of the system is improved.
In one embodiment of the present invention, the detailed implementation flow of step 301 above is shown in Figure 4 and may include the following steps:
Step 401: the second security domain receives the association relationship, synchronized from the first security domain, that associates the second security domain.
In this step, an association relationship that associates the first security domain with the second security domain is established in the first security domain, and this association relationship is then synchronized to the second security domain so that the second security domain obtains it. The association relationship binds the access operation on the second security domain to the access operation on the first security domain; that is, once the user has passed authentication by the first security domain and successfully logged in to it, the user can initiate access to the second security domain without logging in to the second security domain.
Step 402: the second security domain receives the business system standard for resource mapping synchronized from the first security domain.
In this step, the first security domain may be bound to several other security domains at the same time. To unify the resource mapping method across these security domains, the first security domain may preset a business system standard, that is, a business system standard for intra-domain resource mapping, and synchronize it to the second security domain. The business system standard regulates the resource mapping method within a security domain: every security domain other than the first security domain must map the resources in its own domain according to this standard.
After obtaining both the association relationship and the business system standard for resource mapping, the second security domain has successfully obtained the access mapping relationship with the first security domain.
On the basis of the above embodiment, in another embodiment of the present invention, the detailed implementation flow of step 302 above is shown in Figure 5 and may include the following steps:
Step 501: the second security domain associates with the first security domain according to the association relationship;
Step 502: the second security domain performs intra-domain resource mapping according to the business system standard and obtains mapping result information;
Step 503: the second security domain sends the mapping result information to the first security domain, so that, according to the mapping result information, the first security domain is granted the access rights to access resources in the second security domain.
In this embodiment, after the second security domain receives the association relationship and the business system standard synchronized from the first security domain, it can associate with the first security domain according to the association relationship and perform intra-domain resource mapping according to the business system standard.
After the second security domain completes intra-domain resource mapping according to the business system standard, it returns the mapping result information to the first security domain. The mapping result information may carry the result of the resource mapping performed in the second security domain, that is, whether the second security domain completed the resource mapping successfully. Through the mapping result information, the first security domain learns the state of resource mapping in the second security domain. If resource mapping was completed successfully in the second security domain, the first security domain is granted, within the first security domain, the access rights to access resources in the second security domain, which finally completes the mapping between resources in the first security domain and the related resources in the second security domain.
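The handshake of steps 201-204 and 501-503, followed by the login and cross-domain access of steps 102-103 and 303, modelled as an added example that is not part of the patent text. The class and method names, the PBKDF2 password check, the deny-by-default checks and the sample domains are assumptions made for illustration.

```python
import hashlib
import hmac
import os

# Constructed two-level business system standard in tree form. The network
# management nodes follow the page's example; "reporting" is made up.
STANDARD = {
    "network management system": {"telephone traffic network",
                                  "data network management",
                                  "transmission network management"},
    "data system": {"reporting"},
}


class SecondDomain:
    """The domain accessed across domains (steps 401-402, 501-503, 303)."""

    def __init__(self, name, resources):
        self.name = name
        self.resources = resources   # resource -> (first-level, second-level node)
        self.associated = set()      # first domains that synchronized an association
        self.standard = None
        self.mapped = {}

    def receive_sync(self, first_name, standard):    # steps 401-402 / 501
        self.associated.add(first_name)
        self.standard = standard

    def map_resources(self):                         # steps 502-503
        """Map local resources onto the standard; return mapping result information."""
        self.mapped, unmapped = {}, []
        for res, (top, leaf) in self.resources.items():
            if self.standard and leaf in self.standard.get(top, ()):
                self.mapped[res] = f"{top}/{leaf}"
            else:
                unmapped.append(res)
        return {"domain": self.name, "success": not unmapped,
                "mapped": dict(self.mapped), "unmapped": unmapped}

    def accept(self, first_name, resource):          # step 303
        # Assumption: deny by default when the peer is not associated or the
        # resource was never mapped.
        return first_name in self.associated and resource in self.mapped


class FirstDomain:
    """The domain the user logs in to (steps 201-204, 102-103)."""

    def __init__(self, name):
        self.name = name
        self.accounts = {}   # user -> (salt, derived key); no plaintext passwords
        self.sessions = set()
        self.grants = {}     # second-domain name -> resources reported as mapped

    @staticmethod
    def _derive(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def preset_account(self, user, password):
        salt = os.urandom(16)
        self.accounts[user] = (salt, self._derive(password, salt))

    def bind(self, second, standard):
        second.receive_sync(self.name, standard)     # steps 201-202
        result = second.map_resources()              # step 203
        if result["success"]:                        # step 204
            self.grants[second.name] = set(result["mapped"])
        else:                                        # assumption: no partial grant
            self.grants.pop(second.name, None)
        return result

    def login(self, user, password):                 # step 102
        salt, stored = self.accounts.get(user, (b"\0" * 16, b""))
        ok = hmac.compare_digest(self._derive(password, salt), stored)
        if ok:
            self.sessions.add(user)
        return ok

    def access(self, user, second, resource):        # step 103
        if user not in self.sessions or resource not in self.grants.get(second.name, ()):
            return False
        return second.accept(self.name, resource)


def demo():
    """Run the whole flow on constructed data and return the outcomes."""
    first = FirstDomain("domain-A")
    first.preset_account("alice", "constructed-password")
    good = SecondDomain("domain-B", {"nms-console": (
        "network management system", "data network management")})
    bad = SecondDomain("domain-C", {"legacy-app": ("office system", "mail")})
    results = [first.bind(d, STANDARD)["success"] for d in (good, bad)]
    before_login = first.access("alice", good, "nms-console")
    first.login("alice", "constructed-password")
    return (results, before_login,
            first.access("alice", good, "nms-console"),
            first.access("alice", bad, "legacy-app"))
```

`demo()` shows that access is refused before login, allowed to a mapped resource after login, and refused for a domain whose mapping result reported failure.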
Corresponding to the above method for accessing cross-domain resources, the present invention also provides a device for accessing cross-domain resources.
Figure 6 shows an embodiment of a device for accessing cross-domain resources on the side of the first security domain. The device may specifically include:
a first access mapping relationship obtaining module 601, configured to obtain the access mapping relationship between the first security domain and a second security domain that is in another security domain;
an access request authentication module 602, configured to receive the access request to log in to the first security domain and to authenticate the access request;
a cross-domain access module 603, configured to perform cross-domain access to the second security domain according to the access mapping relationship when the access request passes authentication.
In the embodiments of the present invention, to achieve the eventual cross-domain access, the first access mapping relationship obtaining module must first obtain the access mapping relationship between the first security domain and the second security domain. In a specific application scenario, this access mapping relationship may be preset. Through the access mapping relationship, resources in the first security domain are mapped to resources in the second security domain.
When the user needs to perform cross-domain access, the user must access the first security domain, and the access request authentication module handles the operation of logging in to the first security domain. Usually, the user presets login information, such as an account and a password, for logging in to a security domain. The user therefore enters the preset account, password and other login information in the first security domain in order to log in to it. After the first security domain receives the user's access request to log in to the first security domain, it authenticates the current access request. For example, it authenticates the account and password information entered by the user when logging in to the first security domain; if the account and password information entered for the current login is consistent with the preset account and password information, the current access passes authentication.
When the access request initiated by the user passes authentication, the user has successfully logged in to the first security domain. Through the cross-domain access module, and according to the access mapping relationship preset in the first security domain, the user can enter the second security domain across domains and then access the resources in the second security domain.
In the embodiments of the present invention, the access mapping relationship between the first security domain and a second security domain that is in another security domain is obtained; the first security domain receives the access request to log in to the first security domain; and when the access request passes authentication, cross-domain access to the second security domain is carried out according to the access mapping relationship. Because an access mapping relationship exists between the second security domain and the first security domain, the user only needs to log in to the first security domain to access the authorized second security domain directly across domains, without separately entering the second security domain for access authentication. This reduces the authentication steps for accessing network security domains and speeds up access to the security domains. At the same time, because no separate access authentication in the second security domain is needed, the probability that user authentication information is leaked is reduced and the security of the system is improved.
In one embodiment of the present invention, as shown in Figure 7, the first access mapping relationship obtaining module above may specifically include:
a domain association relationship establishing unit 701, configured to establish the association relationship that associates the first security domain with the second security domain;
a domain association relationship sending unit 702, configured to synchronize the association relationship to the second security domain;
a system standard presetting unit 703, configured to preset the business system standard for resource mapping;
a system standard sending unit 704, configured to synchronize the business system standard to the second security domain, so that the second security domain performs intra-domain resource mapping according to the business system standard and obtains mapping result information;
a mapping result receiving unit 705, configured to receive the mapping result information returned by the second security domain;
a permission granting unit 706, configured to grant, according to the mapping result information, the first security domain the access rights to access resources in the second security domain.
Correspondingly, the present invention also provides another access device for cross-domain resources, arranged in the second security domain.
Figure 8 shows an embodiment of an access device for cross-domain resources arranged in the second security domain. The device may specifically include:
Second access mapping relationship acquisition module 801, configured to obtain the access mapping relationship between the second security domain and a first security domain that is among the other security domains;
Resource mapping module 802, configured to perform, according to the access mapping relationship, resource mapping within the security domain in the second security domain;
Access acceptance module 803, configured so that, when an access request for logging in to the first security domain passes authentication, the second security domain accepts, according to the access mapping relationship, the cross-domain access to the second security domain initiated by the first security domain.
In this embodiment of the present invention, the access mapping relationship between the first security domain and a second security domain that is among the other security domains is obtained; the first security domain receives an access request for logging in to the first security domain; and when the access request passes authentication, cross-domain access to the second security domain is performed according to the access mapping relationship. Because an access mapping relationship exists between the second security domain and the first security domain, a user only needs to log in to the first security domain to directly perform cross-domain access to the authorized second security domain, without separately entering the second security domain for access authentication. This reduces the authentication steps for accessing network security domains and speeds up access to security domains. At the same time, because no separate access authentication in the second security domain is required, the probability that user authentication information is leaked is reduced, which improves the security of the system.
In one embodiment of the invention, as shown in Figure 9, the above second access mapping relationship acquisition module may specifically include:
Domain association relationship receiving unit 901, configured for the second security domain to receive the association relationship, synchronized from the first security domain, that associates the second security domain;
System standard receiving unit 902, configured for the second security domain to receive the operation system standard for resource mapping within the security domain, synchronized from the first security domain.
In one embodiment of the invention, as shown in Figure 10, the above resource mapping module may specifically include:
Domain association unit 1001, configured for the second security domain to associate with the first security domain according to the association relationship;
In-domain resource mapping unit 1002, configured for the second security domain to perform resource mapping within the security domain according to the operation system standard and to obtain mapping result information;
Mapping result sending unit 1003, configured for the second security domain to send the mapping result information to the first security domain, so that the first security domain, according to the mapping result information, grants the first security domain the access rights to access resources in the second security domain.
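The flow carried out by the two devices described above (units 701 to 706 in the first security domain; modules 801 to 803 and units 901 to 1003 in the second), as an added Python example that is not part of the patent text. The class and method names, the modelling of the operation system standard as a set of resource categories, and the sample data are assumptions; the in-process calls stand in for whatever channel connects the two domains.

```python
import hashlib, hmac

def pw_hash(password, salt=b"constructed-salt"):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class SecondDomain:
    """Second-domain device (modules 801-803); resources: id -> (category, data)."""
    def __init__(self, name, resources):
        self.name, self.resources = name, resources
        self.associated, self.mapped = set(), {}

    def receive_association(self, first):            # units 901, 1001
        self.associated.add(first)

    def map_resources(self, first, standard):        # units 902, 1002, 1003
        if first not in self.associated:
            raise PermissionError("no association with " + first)
        ids = {r for r, (cat, _) in self.resources.items() if cat in standard}
        self.mapped[first] = ids
        return sorted(ids)                           # mapping result information

    def accept(self, first, rid):                    # module 803
        # The second domain re-checks its own mapping instead of trusting the caller.
        if rid not in self.mapped.get(first, ()):
            raise PermissionError("resource not mapped for " + first)
        return self.resources[rid][1]

class FirstDomain:
    """First-domain device; users: name -> PBKDF2 hash (constructed sample data)."""
    def __init__(self, name, users):
        self.name, self.users, self.grants = name, users, {}

    def build_mapping(self, second, standard):       # units 701-706
        second.receive_association(self.name)        # 701, 702
        result = second.map_resources(self.name, standard)   # 703-705
        self.grants[second.name] = set(result)       # 706

    def access(self, user, password, second, rid):
        stored = self.users.get(user, b"")
        if not hmac.compare_digest(stored, pw_hash(password)):
            raise PermissionError("authentication failed")
        if rid not in self.grants.get(second.name, ()):
            raise PermissionError("not authorised for " + rid)
        return second.accept(self.name, rid)         # cross-domain access

# Constructed sample data: only the "database" category is in the standard.
B = SecondDomain("B", {"hr-db": ("database", "hr rows"), "key-vault": ("secrets", "k")})
A = FirstDomain("A", {"alice": pw_hash("correct horse")})
A.build_mapping(B, standard={"database"})
```

The user authenticates only in domain A, while domain B still enforces the mapping it computed itself, so a resource outside the synchronized standard stays unreachable even if A's grant table were wrong.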
Those skilled in the art can clearly understand that, for convenience and brevity of description, for the specific working processes of the systems, devices and units described above, reference may be made to the corresponding processes in the foregoing method embodiments; details are not repeated here.
The foregoing is merely a specific implementation of the present invention, but the protection scope of the present invention is not limited thereto. Any change or replacement that a person skilled in the art can readily conceive of within the technical scope disclosed by the present invention shall fall within the protection scope of the present invention. Therefore, the protection scope of the present invention shall be subject to the protection scope of the claims.