An access control method and system
Technical field
The invention belongs to the technical field of permission control for application systems/operation systems, and in particular relates to an access control method and system.
Background technology
Authorization access control is a basic function that almost every software system has. The most classical approach is role-based access control (RBAC, Role-Based Access Control). An RBAC model generally comprises users (subjects), roles and resources (such as menus, functions and uniform resource locators, URLs), where users, roles and resources stand in an m:n:q relation (m, n and q are natural numbers): one user can have multiple roles, and one role can have multiple resources. Which menus a user has and which functions (operations) the user can use are determined from this three-layer relation.
An access control scheme based on the RBAC model is relatively simple, and it cannot meet the more fine-grained control requirements that a large enterprise-level system has for its different business scenarios. For example, suppose a system includes business scenarios such as engineering, archives and information bank. For the engineering scenario, authorization is required per engineering on top of the RBAC model: a certain user can access the builder's diary of engineering A and can add, revise and delete entries in it; the same user can only view the builder's diary of engineering B and cannot add, revise or delete; and all functions and data of the builder's diary of engineering C are invisible to that user. Another user has full access rights (view, create, revise, delete) to engineering A, B and C. Because the control mode of the RBAC model is relatively simple, it cannot realize this more fine-grained authorization control by business scenario.
In the traditional approach, to meet the control requirements of different business scenarios, a large enterprise-level system is usually split by business scenario into different subsystems, such as the engineering, archives and information bank subsystems above, and the access control policy of each subsystem is custom-developed by hard coding in the service layer according to business demand. This approach has the major drawbacks of low development efficiency and arbitrariness, and it lacks system-level standard control logic: the control policies of the subsystems may be inconsistent, which affects the stability of the system architecture and the user's operating experience.
Summary of the invention
In view of this, the object of the invention is to provide an access control method and system that solve the problems of the prior-art control mode and support more fine-grained permission control over the different business scenarios of an operation system.
To this end, the invention discloses the following technical solutions:
An access control method, comprising:
intercepting a service request that a user sends to an operation system, the service request including a first user identifier, an authorized instance identifier and a resource identifier; wherein the operation system includes at least one business scenario, each business scenario corresponds to an authorized instance set, and each authorized instance in the authorized instance set corresponds to the resource set provided by a respective application instance of the corresponding business scenario; the target resource corresponding to the resource identifier belongs to the resource set corresponding to a target authorized instance, the target authorized instance being the authorized instance corresponding to the authorized instance identifier;
verifying, based on the first user identifier, the authorized instance identifier, the resource identifier and pre-stored authorization relation data, whether the user has permission to access the target resource under the target authorized instance;
if so, sending the service request to the operation system so that the operation system responds to the service request; if not, performing predetermined error handling.
In the above method, preferably, each business scenario in the operation system corresponds to an authorized domain, and each authorized domain corresponds to an authorized instance set and a candidate role set; each candidate role in the candidate role set corresponds to some or all of the resources corresponding to at least one authorized instance under the corresponding authorized domain; the authorization relation data includes the correspondence between user IDs and authorized roles, the authorized roles belonging to the candidate role set;
then verifying, based on the first user identifier, the authorized instance identifier, the resource identifier and the pre-stored authorization relation data, whether the user has permission to access the target resource under the target authorized instance comprises:
verifying, according to the correspondence between the user IDs of authorized users and authorized roles, and the correspondence between each candidate role and its authorized instances and resources, whether the first user identifier matches the target authorized instance and the target resource;
if they match, the user has permission to access the target resource under the target authorized instance; if they do not match, the user does not have permission to access the target resource under the target authorized instance.
In the above method, preferably, the operation system corresponds to a global authorized domain, the global authorized domain corresponds to one and only one system-level authorized instance, and the resource set corresponding to the system-level authorized instance is the set composed of the system-level resources of the operation system.
The above method preferably further comprises:
when an application instance corresponding to a business scenario of the operation system changes, performing a synchronized update of the authorized instance information for the changed application instance.
In the above method, preferably, performing the synchronized update of the authorized instance information for the changed application instance when an application instance corresponding to a business scenario of the operation system changes comprises:
when a business scenario produces a newly added application instance, generating, through a preset sync interface, a corresponding authorized instance for the newly added application instance of the business scenario;
when an application instance corresponding to a business scenario is modified, modifying, through the sync interface, the corresponding information of the authorized instance that corresponds to the modified application instance of the business scenario;
when an application instance corresponding to a business scenario is deleted, removing, through the sync interface, the authorized instance corresponding to the deleted application instance.
An access control system, comprising:
an interception module, configured to intercept a service request that a user sends to an operation system, the service request including a first user identifier, an authorized instance identifier and a resource identifier; wherein the operation system includes at least one business scenario, each business scenario corresponds to an authorized instance set, and each authorized instance in the authorized instance set corresponds to the resource set provided by a respective application instance of the corresponding business scenario; the target resource corresponding to the resource identifier belongs to the resource set corresponding to a target authorized instance, the target authorized instance being the authorized instance corresponding to the authorized instance identifier;
a verification module, configured to verify, based on the first user identifier, the authorized instance identifier, the resource identifier and pre-stored authorization relation data, whether the user has permission to access the target resource under the target authorized instance;
a control module, configured to send the service request to the operation system when verification passes, so that the operation system responds to the service request, and to perform predetermined error handling when verification fails.
In the above system, preferably, each business scenario in the operation system corresponds to an authorized domain, and each authorized domain corresponds to an authorized instance set and a candidate role set; each candidate role in the candidate role set corresponds to some or all of the resources corresponding to at least one authorized instance under the corresponding authorized domain; the authorization relation data includes the correspondence between user IDs and authorized roles, the authorized roles belonging to the candidate role set;
then the verification module comprises:
a verification unit, configured to verify, according to the correspondence between the user IDs of authorized users and authorized roles, and the correspondence between each candidate role and its authorized instances and resources, whether the first user identifier matches the target authorized instance and the target resource;
a determination unit, configured to determine, when they match, that the user has permission to access the target resource under the target authorized instance, and to determine, when they do not match, that the user does not have permission to access the target resource under the target authorized instance.
The above system preferably further comprises:
a synchronized update module, configured to perform, when an application instance corresponding to a business scenario of the operation system changes, a synchronized update of the authorized instance information for the changed application instance.
In the above system, preferably, the synchronized update module comprises:
a first synchronization unit, configured to generate, when a business scenario produces a newly added application instance, a corresponding authorized instance for the newly added application instance of the business scenario through a preset sync interface;
a second synchronization unit, configured to modify, when an application instance corresponding to a business scenario is modified, the corresponding information of the authorized instance that corresponds to the modified application instance of the business scenario through the sync interface;
a third synchronization unit, configured to remove, when an application instance corresponding to a business scenario is deleted, the authorized instance corresponding to the deleted application instance through the sync interface.
In summary, a large enterprise-level operation system usually contains at least one business scenario, and each business scenario contains at least one application instance. On this basis, the method of the application adds a new model object, the authorized instance, on top of the RBAC model. An authorized instance corresponds to a concrete application instance of a business scenario in the operation system; that is, each business scenario the operation system contains corresponds to an authorized instance set, and each authorized instance in the set corresponds to the resource set provided by a respective application instance of the corresponding business scenario. With the newly added authorized instance object, the method can therefore divide the authorization resources of the operation system more finely, business scenario by business scenario. When the application is applied, multiple candidate roles corresponding to different resource permissions can be set for each business scenario at the permission control level, based on this more fine-grained division of authorization resources; in other words, candidate roles are set per business scenario. Later, when a user accesses the system, more fine-grained access permission control can be applied to the user by business scenario, based on the roles the user has under each business scenario. The application thus overcomes the problems of the prior art and can effectively meet the more fine-grained control requirements that a large enterprise-level system has for its different business scenarios.
Brief description of the drawings
To illustrate the technical solutions of the embodiments of the invention or of the prior art more clearly, the drawings needed in the description of the embodiments or the prior art are briefly introduced below. Obviously, the drawings described below are only embodiments of the invention, and a person of ordinary skill in the art can obtain other drawings from the drawings provided without creative effort.
Fig. 1 is a flow chart of the access control method provided by embodiment one of the invention;
Fig. 2 is a flow chart of the access control method provided by embodiment two of the invention;
Fig. 3 and Fig. 4 are structural diagrams of the access control system provided by embodiment three of the invention.
Detailed description of the invention
For ease of reference and understanding, the technical terms, shorthand and abbreviations used below are explained as follows:
Resource: the functional resource information that a system has. It is a tree that includes the system's menus, functions (buttons), services or interface IP addresses, and so on.
The technical solutions in the embodiments of the invention are described clearly and completely below with reference to the drawings in the embodiments. Obviously, the described embodiments are only some of the embodiments of the invention, not all of them. All other embodiments that a person of ordinary skill in the art obtains from the embodiments of the invention without creative effort fall within the scope of protection of the invention.
Embodiment one
Embodiment one of the application provides an access control method that is suitable for more fine-grained authorization control by business scenario in a large enterprise-level system. With reference to the flow chart of the access control method shown in Fig. 1, the method can include the following steps:
S101: intercept a service request that a user sends to an operation system, the service request including a first user identifier, an authorized instance identifier and a resource identifier; wherein the operation system includes at least one business scenario, each business scenario corresponds to an authorized instance set, and each authorized instance in the authorized instance set corresponds to the resource set provided by a respective application instance of the corresponding business scenario; the target resource corresponding to the resource identifier belongs to the resource set corresponding to a target authorized instance, the target authorized instance being the authorized instance corresponding to the authorized instance identifier.
S102: based on the first user identifier, the authorized instance identifier, the resource identifier and pre-stored authorization relation data, verify whether the user has permission to access the target resource under the target authorized instance.
S103: if so, send the service request to the operation system so that the operation system responds to the service request.
S104: if not, perform predetermined error handling.
The implementation of the scheme of the application is described in detail next.
A large enterprise-level operation system usually contains at least one business scenario, such as engineering, archives and information bank, and each business scenario can contain at least one application instance. Taking engineering as an example, it can include application instances such as engineering A, engineering B and engineering C, and each application instance provides its own resource set, such as menus, functions and/or URLs (Uniform Resource Locators). To meet the more fine-grained control demands that a large enterprise-level system has for its different business scenarios, the method of the application adds a new model object, the authorized instance, on top of the RBAC model. An authorized instance corresponds to a concrete application instance of a business scenario in the operation system; that is, each business scenario the operation system contains corresponds to an authorized instance set, and each authorized instance in the set corresponds to the resource set provided by a respective application instance of the corresponding business scenario.
The application also adds the authorized domain object for the business scenarios of the operation system. The authorized domain is used to divide the operation system into fields by business scenario for authorization control. Suppose the operation system includes different scenarios such as engineering, archives and information bank; the authorized domains of the operation system can then be divided into the system field, the engineering field, the archives field, the information bank field and so on. One authorized domain corresponds to one business scenario, except the system field, which corresponds to the whole operation system and is the system-level authorized domain.
Each authorized instance corresponding to a business scenario is an instance under the authorized domain of that business scenario; that is, the authorized domain of a business scenario contains a corresponding authorized instance set. Still taking the engineering scenario as an example, the authorized domain of this scenario, the engineering field, can include the engineering A authorized instance, the engineering B authorized instance, the engineering C authorized instance and so on. An authorized instance consists of the associated basic data about an application instance of a business scenario that is needed when the operation system is subjected to more fine-grained authorization control by business scenario. For example, the engineering A authorized instance can include the job number, the responsible person and/or the account information of engineering A, that is, basic data used to associate it with engineering A in the operation system. An archives authorized instance can include a document classification number, such as an engineering archive number or a financial archive number. Through the necessary associated basic data it contains, an authorized instance is associated with the respective application instance under the corresponding business scenario in the operation system, and in turn with the set of resources that application instance provides.
The system field has only one instance, which represents the whole system itself. The resources corresponding to this instance are the system-level resources, that is, the resources of the operation system other than those provided by the business scenarios. In the application, therefore, every resource the operation system provides necessarily belongs to some authorized domain: depending on whether it is a system-level resource or a scenario-level resource, it belongs to the system field or to the authorized domain of the corresponding business scenario.
Having added the two objects, authorized domain and authorized instance, the application uses them to divide the authorization resources of the operation system more finely by business scenario. Specifically, at the permission control level, an authorized domain is built for each business scenario the operation system includes; for example, for the engineering, archives and information bank scenarios of the operation system, the corresponding engineering, archives and information bank authorized domains are built. Under each authorized domain, the authorized instance set of that domain is built from the application instances the corresponding business scenario contains, and each authorized instance is associated with the resource information of the resource set its application instance provides. The three-level structure of authorized domain, authorized instance and resource information created at the permission control level realizes the more fine-grained division of the operation system's authorization resources by business scenario.
Afterwards, roles can be set independently for each authorized domain. For a given authorized domain, multiple candidate roles corresponding to different access permissions/resource permissions can be set according to the actual business demand of that field, each candidate role corresponding to some or all of the resources of at least one authorized instance under the corresponding authorized domain. Taking the engineering field as an example, for the authorized instances it contains, such as engineering A, engineering B and engineering C, and the different resource information corresponding to each authorized instance, multiple candidate roles such as role 1, role 2 and role 3 can be set, each with different access permissions. For example, role 1 has full access (view, add, delete and so on) to all engineerings under the engineering field. Role 2 can access the builder's diary of engineering A and can add, revise and delete entries in it; it can only view the builder's diary of engineering B and cannot add, revise or delete; and all functions and data of the builder's diary of engineering C are invisible to it. Similarly, for authorized domains such as archives and information bank, a series of candidate roles with different access permissions can be preset according to their business demands.
On this basis, each user is assigned the roles the user needs under the authorized domains the user needs, which configures the user's access permissions/resource permissions by business scenario. The same user can have matching roles under several business scenarios/authorized domains, and through those roles can access the resources of the several business scenarios with the corresponding permissions. For example, suppose the Director-General of Works has role x in the engineering field, and role x has full access to all engineering resources of the engineering field. The same person has role y in the archives field, and role y has full access only to the archives corresponding to engineering archive numbers, while for the archives corresponding to financial archive numbers it has view permission only. The Director-General of Works can thus access the engineering scenario and the archives scenario with the corresponding permissions, based on role x and role y respectively.
As described above, the application extends the authorization model to comprise the model objects user, authorized instance, role and resource, and these model objects stand in an m:n:q:r relation, where m, n, q and r are natural numbers. This extended authorization model can effectively meet the more fine-grained control requirements that a large enterprise-level system has for its different business scenarios.
Once the authorization model has been built and users have been assigned their roles based on it, the corresponding access permission control can be applied to the user's access to the operation system.
Specifically, when a user sends a service request to the operation system, for example through a client, the service request is intercepted. The service request includes the user's first user identifier, an authorized instance identifier and a resource identifier (such as a user ID, an authorized instance ID and a resource ID), where the target resource corresponding to the resource identifier belongs to the resource set corresponding to the target authorized instance, and the target authorized instance is the authorized instance corresponding to the authorized instance identifier.
Afterwards, a matching entry is looked up in the maintained authorization relation data based on the first user identifier, the authorized instance identifier and the resource identifier. If a match is found, verification passes; otherwise verification fails. Specifically, the correspondence data between authorized user IDs and authorized roles is queried first to determine whether a matching authorized role exists for the first user identifier. If one exists, the correspondence data between each candidate role and its authorized instances and resources is queried next to determine whether it contains an entry that matches the authorized role (the authorized role corresponding to the first user identifier), the target authorized instance and the target resource. If such an entry exists, the user has permission to access the target resource under the target authorized instance, and verification passes; otherwise the user does not have the corresponding access permission, and verification fails.
When verification passes, the intercepted service request is released and sent to the operation system, so that the operation system performs the corresponding response operation based on the service request. If verification fails, an error message is returned to the user and the access fails.
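The interception and two-step verification described above, as an added example that is not part of the original document: the class and function names, the in-memory store, the `diary:*` resource ids and the users `alice` and `bob` are assumptions made for illustration, with role1 and role2 configured as in the engineering-field example. Unknown users, instances and resources are denied.

```python
"""Gateway-side check of (user, authorized instance, resource) requests."""
from dataclasses import dataclass

# Constructed resource ids for the builder's diary of one engineering.
DIARY_OPS = {"diary:view", "diary:add", "diary:revise", "diary:delete"}


@dataclass(frozen=True)
class ServiceRequest:
    user_id: str       # first user identifier
    instance_id: str   # authorized instance identifier
    resource_id: str   # resource identifier


class AuthorizationStore:
    """Pre-stored authorization relation data (in memory for the example)."""

    def __init__(self):
        self.instances = {}   # instance_id -> (domain, resources it provides)
        self.roles = {}       # role -> (domain, {instance_id: resources})
        self.user_roles = {}  # user_id -> set of authorized roles

    def add_instance(self, domain, instance_id, resources):
        self.instances[instance_id] = (domain, frozenset(resources))

    def add_candidate_role(self, domain, role, grants):
        # A candidate role may only cover instances of its own domain and
        # resources that the instance actually provides.
        for instance_id, resources in grants.items():
            inst_domain, provided = self.instances[instance_id]
            if inst_domain != domain:
                raise ValueError(f"{instance_id} is not in domain {domain}")
            if not set(resources) <= provided:
                raise ValueError(f"{role}: resource not provided by {instance_id}")
        self.roles[role] = (domain, {i: frozenset(r) for i, r in grants.items()})

    def assign(self, user_id, role):
        if role not in self.roles:
            raise ValueError(f"unknown candidate role {role}")
        self.user_roles.setdefault(user_id, set()).add(role)

    def is_permitted(self, req):
        # Step 1: look up the user's authorized roles.
        # Step 2: look for a role entry covering the target authorized
        # instance and the target resource. Anything unknown is denied.
        if req.instance_id not in self.instances:
            return False
        for role in self.user_roles.get(req.user_id, ()):
            _, grants = self.roles[role]
            if req.resource_id in grants.get(req.instance_id, ()):
                return True
        return False


def intercept(store, req, backend):
    """Forward the request to the operation system only after verification."""
    if store.is_permitted(req):
        return 200, backend(req)
    return 403, "access denied"


def build_demo_store():
    engineerings = ("engineering-A", "engineering-B", "engineering-C")
    store = AuthorizationStore()
    for inst in engineerings:
        store.add_instance("engineering", inst, DIARY_OPS)
    # role1: full access to every engineering under the engineering field.
    store.add_candidate_role("engineering", "role1",
                             {inst: DIARY_OPS for inst in engineerings})
    # role2: full diary access on A, view only on B, nothing on C.
    store.add_candidate_role("engineering", "role2",
                             {"engineering-A": DIARY_OPS,
                              "engineering-B": {"diary:view"}})
    store.assign("alice", "role1")
    store.assign("bob", "role2")
    return store


if __name__ == "__main__":
    demo = build_demo_store()
    for inst, res in [("engineering-A", "diary:delete"),
                      ("engineering-B", "diary:view"),
                      ("engineering-B", "diary:delete"),
                      ("engineering-C", "diary:view")]:
        req = ServiceRequest("bob", inst, res)
        print(inst, res, intercept(demo, req, lambda r: "handled"))
```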
When the invention is implemented, the authorization model construction and the permission control process provided by the application can be realized on an application server, as an infrastructure component of a large application system. This infrastructure component provides a consistent, system-level control policy for every business scenario of the operation system, and the development of the control policy provided here is independent of the development of the business scenarios in the operation system. This differs in essence from the prior-art approach in which the access control policy of each business scenario is custom-developed by hard coding in the service layer according to business demand. Applying the scheme of the application can therefore effectively keep the system architecture of the operation system stable and improve the user's operating experience.
As can be seen, with the newly added authorized instance object the method of the application can divide the authorization resources of the operation system more finely, business scenario by business scenario. When the application is applied, multiple candidate roles corresponding to different resource permissions can be set for each business scenario at the permission control level, based on this more fine-grained division of authorization resources; in other words, candidate roles are set per business scenario. Later, when a user accesses the system, more fine-grained access permission control can be applied to the user by business scenario, based on the roles the user has under each business scenario. The application thus overcomes the problems of the prior art and can effectively meet the more fine-grained control requirements that a large enterprise-level system has for its different business scenarios.
Embodiment two
In embodiment two, with reference to the flow chart of the access control method shown in Fig. 2, the method can further include the following step:
S105: when an application instance corresponding to a business scenario of the operation system changes, perform a synchronized update of the authorized instance information for the changed application instance.
Specifically, when a business scenario produces a newly added application instance, a corresponding authorized instance is generated for the newly added application instance under the corresponding authorized domain through a preset sync interface. For example, in the engineering scenario, if engineering D is newly added, the authorized instance corresponding to engineering D is generated under the engineering field through the sync interface, including for example the engineering number and the responsible person of engineering D.
When an application instance corresponding to a business scenario is modified, the corresponding information of the authorized instance that corresponds to the modified application instance is modified under the corresponding authorized domain through the sync interface. For example, when the responsible person of engineering A changes, the responsible-person information in the authorized instance of engineering A is updated through the sync interface.
When an application instance corresponding to a business scenario is deleted, the authorized instance corresponding to the deleted application instance is removed under the corresponding authorized domain through the sync interface. For example, when engineering B is deleted in the operation system, the authorized instance of engineering B under the engineering field is removed synchronously through the sync interface.
Subsequently, the corresponding administrators, such as system-level administrators or business-scenario-level/authorized-domain-level administrators, can divide permissions or authorize roles based on the new authorized instance information after the synchronized update.
It should be noted that the system domain has only one instance, which represents the whole system
itself and does not need to be synchronized. It should also be noted that the execution order of
step S105 of this embodiment relative to steps S101-S104 above is not limited to the order shown in
Fig. 2. The update of authorization instance information is synchronized with the data changes that
business scenarios produce in the business system: when the business system produces a data change,
the data interface updates the corresponding authorization instance information synchronously and in
real time. In practice, therefore, the execution of step S105 does not depend on the execution state
of steps S101-S104; whether steps S101-S104 have not yet been executed or are being executed, the
authorization instance information can be updated in real time as required, based on the data in the
business system.
In this embodiment, when the data of the business system changes, the synchronization interface
synchronously updates the corresponding authorization instance information. This effectively
maintains consistency between the information in the permission control layer and the information in
the business layer, and thereby effectively ensures highly accurate access permission control for
the business system.
Embodiment three
Embodiment Three discloses an access control system that corresponds to the access control method
disclosed in the above embodiments.
Corresponding to Embodiment One, referring to the structural diagram of the access control system shown
in Fig. 3, the system may include an interception module 100, a verification module 200 and a control
module 300.
The interception module 100 is configured to intercept a service request that a user sends to the
business system, the service request including a first user identifier, an authorization instance
identifier and a resource identifier. The business system includes at least one business scenario;
each business scenario corresponds to an authorization instance set, and each authorization instance
in that set corresponds to the resource set provided by one application instance of the
corresponding business scenario. The target resource corresponding to the resource identifier
belongs to the resource set corresponding to the target authorization instance, the target
authorization instance being the authorization instance corresponding to the authorization instance
identifier.
The verification module 200 is configured to verify, based on the first user identifier, the
authorization instance identifier, the resource identifier and pre-stored authorization relationship
data, whether the user has permission to access the target resource under the target authorization
instance.
The verification module 200 includes a verification unit and a determination unit.
The verification unit is configured to verify, based on the correspondence between user identifiers
and authorized roles and on the correspondence between each candidate role and the corresponding
authorization instances and resources, whether the first user identifier matches the target
authorization instance and the target resource;
The determination unit is configured to determine, when they match, that the user has permission to
access the target resource under the target authorization instance, and to determine, when they do
not match, that the user does not have permission to access the target resource under the target
authorization instance.
The control module 300 is configured to send the service request to the business system when
verification passes, so that the business system responds to the service request, and to perform
predetermined error handling when verification fails.
Corresponding to Embodiment Two, referring to the structural diagram of the access control system shown
in Fig. 4, the system may further include a synchronized update module 400, which includes a first
synchronization unit, a second synchronization unit and a third synchronization unit.
The first synchronization unit is configured to generate, through a preset synchronization interface,
a corresponding authorization instance for a newly added application instance when a business
scenario produces one;
The second synchronization unit is configured to make, through the synchronization interface, the
corresponding information change to the authorization instance of a modified application instance
when an application instance corresponding to a business scenario is modified;
The third synchronization unit is configured to remove, through the synchronization interface, the
authorization instance of a deleted application instance when an application instance corresponding
to a business scenario is deleted.
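The following sketch is an added example, not code from the patent. It shows the three synchronization operations of Embodiment Two together with the interception, verification and control flow of Embodiment Three. All class, method and field names are hypothetical, and purging a deleted instance's grants is an assumption made here so that a reused identifier cannot inherit stale permissions.

```python
# Added example, not code from the patent. Class, method and field names
# are hypothetical; the 403 result stands in for "predetermined error handling".

class AuthzStore:
    def __init__(self):
        self.instances = {}    # instance_id -> {"domain": ..., other attributes}
        self.user_roles = {}   # user_id -> set of role names
        self.role_grants = {}  # role -> set of (instance_id, resource_id)

    # Synchronization interface, called by the business system on data changes.
    def on_created(self, domain, instance_id, **attrs):
        self.instances[instance_id] = {"domain": domain, **attrs}

    def on_modified(self, domain, instance_id, **attrs):
        inst = self.instances[instance_id]  # KeyError if never synchronized
        if inst["domain"] != domain:
            raise ValueError("instance belongs to another authorization domain")
        inst.update(attrs)

    def on_deleted(self, domain, instance_id):
        inst = self.instances.get(instance_id)
        if inst is None or inst["domain"] != domain:
            return
        del self.instances[instance_id]
        # Assumption: grants are purged with the instance, so a later instance
        # that reuses the same ID does not inherit stale permissions.
        for grants in self.role_grants.values():
            grants.difference_update({g for g in grants if g[0] == instance_id})

    # Administration: a grant may only reference a synchronized instance.
    def grant(self, role, instance_id, resource_id):
        if instance_id not in self.instances:
            raise KeyError(f"unknown authorization instance: {instance_id}")
        self.role_grants.setdefault(role, set()).add((instance_id, resource_id))

    # Verification module: user -> roles -> (authorization instance, resource).
    def is_allowed(self, user_id, instance_id, resource_id):
        if instance_id not in self.instances:
            return False  # default deny for unknown or deleted instances
        return any((instance_id, resource_id) in self.role_grants.get(role, ())
                   for role in self.user_roles.get(user_id, ()))


def handle_request(store, request, forward):
    """Interception and control modules: forward only verified requests."""
    if store.is_allowed(request["user_id"], request["instance_id"],
                        request["resource_id"]):
        return forward(request)
    return {"status": 403, "error": "access denied"}
```

Here `forward` stands for whatever passes the request on to the business system; the store denies by default whenever the authorization instance is unknown, which covers requests that arrive after a deletion has been synchronized.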
Because the access control system disclosed in Embodiment Three corresponds to the access control
method disclosed in Embodiments One and Two, its description is relatively brief; for the related
similarities, refer to the description of the access control method in Embodiments One and Two,
which is not repeated in detail here.
It should be noted that the embodiments in this specification are described in a progressive manner:
each embodiment focuses on its differences from the other embodiments, and for the parts that are
identical or similar the embodiments may be referred to one another.
For convenience of description, the above system or device is described by dividing it by function
into various modules or units. Of course, when the application is implemented, the functions of the
units may be realized in one or more pieces of software and/or hardware.
From the above description of the embodiments, those skilled in the art can clearly understand that
the application can be implemented by software plus the required general-purpose hardware platform.
Based on this understanding, the technical solution of the application, in essence or in the part that
contributes over the prior art, can be embodied in the form of a software product. This computer
software product can be stored in a storage medium, such as ROM/RAM, a magnetic disk or an optical
disc, and includes a number of instructions that cause a computer device (which may be a personal
computer, a server, a network device, etc.) to perform the methods described in the embodiments of
the application or in certain parts of the embodiments.
Finally, it should also be noted that, in this document, relational terms such as first, second,
third and fourth are used merely to distinguish one entity or operation from another, and do not
necessarily require or imply any actual relationship or order between these entities or operations.
Moreover, the terms "include", "comprise" or any other variant are intended to cover non-exclusive
inclusion, so that a process, method, article or device that includes a series of elements includes
not only those elements but also other elements not expressly listed, or elements inherent to that
process, method, article or device. Without further limitation, an element defined by the statement
"including ..." does not exclude the existence of other identical elements in the process, method,
article or device that includes the element.
The above is only the preferred embodiment of the present invention. It should be pointed out that
those of ordinary skill in the art may make a number of improvements and modifications without
departing from the principles of the present invention, and these improvements and modifications
should also be regarded as falling within the protection scope of the present invention.