CN106341428A - Cross-domain access control method and system - Google Patents

Info

Publication number: CN106341428A
Application number: CN201611027508.6A
Authority: CN (China)
Legal status: Pending (status as listed by Google Patents; not a legal conclusion)
Language: Chinese (zh)
Inventors: 王绍刚, 王申, 张庆胜
Original and current assignee: Aisino Corp
Prior art keywords: domain, user, cross, access, resource request

Links

Classifications

    • H04L63/08 Network architectures or network communication protocols for network security, for authentication of entities
    • H04L63/10 Network architectures or network communication protocols for network security, for controlling access to devices or network resources
    • H04L67/10 Network arrangements or protocols for supporting network services or applications; protocols in which an application is distributed across nodes in the network
    • G06Q50/26 Information and communication technology specially adapted for business processes of specific sectors; services; government or public services

Abstract

Embodiments of the invention provide a cross-domain access control method and system. In the method, a cross-domain access resource request sent by a user is received and redirected to an identity provider; after the identity provider has verified the user information in the request, it sends an out-of-domain message mark; that mark is received and, according to a pre-established mapping relationship, converted into an in-domain message mark, which is sent to the user; the user then carries the in-domain message mark to obtain in-domain access rights. This increases the granularity of system access control and reduces the complexity of user login: the user can log in simply and directly without spending a lot of time on login steps.

Description

Cross-domain access control method and system
Technical field
The present invention relates to the field of communication technology, and in particular to a cross-domain access control method and system.
Background
E-government cloud computing is a distributed, heterogeneous system in which resources are spread across different security domains. Existing software applications can almost never be completed within a single independent system and typically involve cooperation between different domains. Each security domain has its own access control policy, so the cross-domain access control policy is one of the key problems currently facing e-government cloud computing applications. At the same time, cross-domain access in e-government cloud computing suffers from a security defect: the access control applied to shared user resources is not fine-grained enough. To address these two problems, this document combines IAM (identity and access management), OpenStack and SAML (Security Assertion Markup Language) into a complete fine-grained cross-domain access control method for e-government cloud computing.
IAM is a comprehensive mechanism for establishing and maintaining digital identities. It provides the business processes and management tools for effective and secure access to IT resources, realizing unified authentication, authorization, centralized management of identity data and auditing for an organization's information assets. Identity and access management is both a set of business processes and a supporting infrastructure for creating, maintaining and using digital identities. Its main functions are single sign-on (SSO), strong authentication management, policy-based centralized authorization and auditing, dynamic authorization, and enterprise manageability.
IAM is one of the important products of cloud computing development; IAM standards and specifications help implementing bodies put effective and efficient user access management practices and processes in place for cross-domain access in e-government cloud computing.
SAML is an XML-based standard for exchanging authentication and authorization data between different security domains. The SAML standard defines the identity provider (IdP) and the service provider (SP), which together form the distinct security domains mentioned above. SAML is a product of the OASIS Security Services Technical Committee; it can be used to convey proofs of user identity and is applicable to the cross-domain transfer of user identity in e-government cloud computing.
One method in the prior art is publication number CN103546567A, titled "Certificateless cross-domain authentication method in a trusted cloud computing environment". The certificateless cross-domain authentication used in that patent cannot control the granularity of cross-domain access, which lowers the level of information security for users accessing the cloud.
Content of the invention
Embodiments of the present invention provide a cross-domain access control method and system. The invention provides the following scheme:
Receiving a cross-domain access resource request sent by a user, where the cross-domain access resource request is redirected to an identity provider; after the identity provider has verified the user information of the cross-domain access resource request, it sends an out-of-domain message mark;
Receiving the out-of-domain message mark;
Generating an in-domain message mark from the out-of-domain message mark according to a pre-established mapping relationship, sending the in-domain message mark to the user, and the user carrying the in-domain message mark to obtain in-domain access rights.
The in-domain policy enforcement point decides, according to the assessment result, whether the user's in-domain access resource request is authorized or refused.
According to the above method of the present invention, the identity provider verifies the user initiating the access against a Lightweight Directory Access Protocol (LDAP) server.
According to the above method of the present invention, generating the in-domain message mark from the out-of-domain message mark according to the pre-established mapping relationship comprises:
After the identity provider has verified the user information of the cross-domain access resource request, generating a SAML assertion from the user information of the request as the out-of-domain message mark;
According to the pre-established mapping relationship, filling in the user's key information from the out-of-domain message mark to generate the in-domain message mark, where the key information comprises:
The header, the subject name and the phrases contained in the cross-domain access resource request.
According to the above method of the present invention, the user carrying the in-domain message mark to obtain in-domain access rights comprises:
Embedding the in-domain message mark in the user's browser;
The home server extracting the in-domain message mark embedded in the user's browser, creating a reply cookie for the user's in-domain access, and directing the user's browser to the in-domain website.
The above method of the present invention further comprises:
The in-domain policy enforcement point receiving the user's in-domain access resource request;
The in-domain policy information point performing query analysis on the attributes of the user's in-domain access resource request and feeding the analysis result back to the in-domain policy enforcement point;
The policy decision point querying the policy administration point, according to the analysis result, for the policy corresponding to the user's in-domain access resource request, evaluating that policy, and feeding the assessment result back to the in-domain policy enforcement point;
According to a further aspect of the invention, a cross-domain access control system is also provided, comprising:
A receiving module: for receiving the cross-domain access resource request sent by the user, where the cross-domain access resource request is redirected to an identity provider; after the identity provider has verified the user information of the cross-domain access resource request, it sends an out-of-domain message mark;
The receiving module is further for receiving the out-of-domain message mark;
A sending module: for generating the in-domain message mark from the out-of-domain message mark according to the pre-established mapping relationship, sending the in-domain message mark to the user, and the user carrying the in-domain message mark to obtain in-domain access rights.
According to a further aspect of the invention, the identity provider verifies the user initiating the access against a Lightweight Directory Access Protocol (LDAP) server.
According to a further aspect of the invention, the sending module is specifically for:
After the identity provider has verified the user information of the cross-domain access resource request, generating a SAML assertion from the user information of the request as the out-of-domain message mark;
According to the pre-established mapping relationship, filling in the user's key information from the out-of-domain message mark to generate the in-domain message mark, where the key information comprises:
The header, the subject name and the phrases contained in the cross-domain access resource request.
According to a further aspect of the invention, the sending module is specifically for:
Embedding the in-domain message mark in the user's browser;
The home server extracting the in-domain message mark embedded in the user's browser, creating a reply cookie for the user's in-domain access, and directing the user's browser to the in-domain website.
According to a further aspect of the invention, the system comprises:
An execution module: for the in-domain policy enforcement point receiving the user's in-domain access resource request;
The in-domain policy information point performing query analysis on the attributes of the user's in-domain access resource request and feeding the analysis result back to the in-domain policy enforcement point;
The policy decision point querying the policy administration point, according to the analysis result, for the policy corresponding to the user's in-domain access resource request, evaluating that policy, and feeding the assessment result back to the in-domain policy enforcement point;
The in-domain policy enforcement point deciding, according to the assessment result, whether the user's in-domain access resource request is authorized or refused.
It can be seen from the technical scheme provided by the above embodiments that an embodiment of the invention receives the cross-domain access resource request sent by the user, where the request is redirected to an identity provider; after the identity provider has verified the user information of the request, it sends an out-of-domain message mark; the out-of-domain message mark is received; according to the pre-established mapping relationship, an in-domain message mark is generated from it and sent to the user; and the user carries the in-domain message mark to obtain in-domain access rights. This increases the granularity of system access control and reduces the complexity of user login: the user does not need to spend a lot of time on login steps and can simply and directly log in. The greatest feature of identity information management based on SAML assertions is that user identity information can be maintained in a distributed way: the service-providing side does not need to verify remote users directly, but only needs to establish a trust relationship with the SAML assertion issuer of the cooperating domain. User authentication is carried out in the user's own domain, so the user does not need special credentials for cross-domain resource access.
Brief description
To illustrate the technical scheme of the embodiments more clearly, the drawings needed for the description of the embodiments are briefly introduced below. Clearly, the drawings described below show only some embodiments of the invention; those of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is the application scenario diagram of embodiment one;
Fig. 2 is the process flow chart of the cross-domain access control method provided by embodiment one;
Fig. 3 is the system module diagram of the cross-domain access control system provided by embodiment two.
Specific embodiment
To ease understanding of the embodiments, several specific embodiments are further explained below with reference to the drawings; the embodiments do not limit the invention.
Embodiment one
This embodiment provides the processing flow of a cross-domain access control method shown in Fig. 2. In this embodiment, the in-domain service platform provides the in-domain modules and the out-of-domain modules, and the service provider of the in-domain service platform receives out-of-domain access operations, as shown in Fig. 3.
The user performs SSO (single sign-on) through IAM (identity and access management) and then initiates a cross-domain access resource request to the service provider of the in-domain service platform; the service provider redirects the cross-domain access resource request to the identity provider.
The service provider is the entity that uses identity data; the identity provider is the entity that serves identity information and is mainly responsible for user authentication and the management of identity information.
The processing steps at the service provider are as follows:
Step 11: receive the cross-domain access resource request sent by the user; the cross-domain access resource request is redirected to the identity provider; after the identity provider has verified the user information of the request, it sends an out-of-domain message mark.
When the cross-domain access resource request is redirected to the identity provider, the user supplies their own username and password to the identity provider.
If authentication of the cross-domain access resource request fails, the service provider redirects the request in the browser back to the home server.
The identity provider verifies the user initiating the access against a Lightweight Directory Access Protocol (LDAP) server; if verification passes, the identity provider sends the out-of-domain message mark.
Step 12: receive the out-of-domain message mark.
Step 13: generate an in-domain message mark from the out-of-domain message mark according to the pre-established mapping relationship, send the in-domain message mark to the user, and the user carries the in-domain message mark to obtain in-domain access rights.
Generating the in-domain message mark from the out-of-domain message mark according to the pre-established mapping relationship:
In this embodiment, a mapping policy file defines the mapping of groups, roles or attributes from a source domain to a target domain. A mapping policy file normally consists of a series of mapping elements. When a user from a source domain accesses a resource in a target domain, the group and role mapping is applied first to obtain all the groups and roles that the user corresponds to in the target domain; access control is then performed on the basis of the user's mapped target-domain groups and roles. If the source side of a mapping relationship is role-based, all parent roles of the user in the source domain are also taken into account when mapping. Each entry in the mapping policy list has a mapping policy file name, and a mapping policy file defines the group, role or attribute mapping from one domain (the source domain) to another (the target domain). The mapping policy is drawn up by the source authorization domain and the target authorization domain according to their respective security policies and the agreement reached between the two sides.
Specifically, after the identity provider has verified the user information of the cross-domain access resource request, it generates a SAML assertion as the out-of-domain message mark. In this embodiment the user information is the verification information representing the user's identity: if authentication passes, a SAML assertion marking the authentication as passed is generated as the out-of-domain message mark; if authentication fails, a SAML assertion marking the authentication as failed is generated as the out-of-domain message mark.
According to the pre-established mapping relationship, the user's key information from the out-of-domain message mark is filled in to generate the in-domain message mark,
where the key information comprises:
the header, the subject name and the phrases contained in the cross-domain access resource request; the header contains the name of the identity provider, the validity period and other information.
Specifically, the header, the subject name and the phrases are contained in the mapping policy file: the header is the information source contained in the file, the subject name is the file name, and a phrase is a statement contained in each row of information in the file. The user's key information is filled in according to the mapping policy file to generate the in-domain message mark.
The user carrying the in-domain message mark to obtain in-domain access rights comprises:
embedding the in-domain message mark in the user's browser;
the home server extracting the in-domain message mark embedded in the user's browser, creating a reply cookie for the user's in-domain access, and directing the user's browser to the in-domain website.
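Steps 11 to 13 above, worked through in code as an added example that is not part of the patent: a constructed SAML-style assertion from the source-domain identity provider is parsed, checked against the list of trusted cooperating-domain issuers and its validity window, its roles are expanded through the source-domain role hierarchy and mapped to target-domain groups and roles by a mapping policy file, and the result is filled into an in-domain message mark (header with issuer and validity, subject name, mapped entitlements). Because the patent embeds that mark in the browser and the home server later reads it back to create the reply cookie, the example also MACs the mark with a key shared by the mapping service and the home server. The HMAC step, the JSON token layout, the domain names and the mapping policy contents are assumptions, not details from the patent.

```python
# Added example (not the patent's code): map a source-domain SAML-style assertion to an
# in-domain message mark via a mapping policy file, then MAC it for use as a cookie value.
# Domain names, the token layout, the mapping policy and the HMAC step are assumptions.
import hashlib
import hmac
import json
import xml.etree.ElementTree as ET
from datetime import datetime

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed out-of-domain message mark: an assertion issued by the source-domain IdP.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_a1" Version="2.0" IssueInstant="2016-11-15T08:00:00Z">
  <saml:Issuer>idp.gov-a.example</saml:Issuer>
  <saml:Subject><saml:NameID>alice@gov-a.example</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2016-11-15T08:00:00Z" NotOnOrAfter="2016-11-15T09:00:00Z"/>
  <saml:AttributeStatement>
    <saml:Attribute Name="role"><saml:AttributeValue>tax-clerk</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="group"><saml:AttributeValue>finance</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Constructed mapping policy file: source-domain roles/groups -> target-domain roles/groups.
# role_parents is the source-domain role hierarchy (child -> parent); parent roles are mapped too.
MAPPING_POLICY = {
    "source_domain": "gov-a.example",
    "target_domain": "gov-b.example",
    "role_parents": {"tax-clerk": "employee"},
    "map": [
        {"role": "tax-clerk", "target_roles": ["b-reader"]},
        {"role": "employee", "target_roles": ["b-basic"]},
        {"group": "finance", "target_groups": ["b-finance"]},
    ],
}


def parse_assertion(xml_text):
    """Extract issuer, subject, validity window and attributes from the assertion."""
    root = ET.fromstring(xml_text)
    cond = root.find("saml:Conditions", SAML_NS)
    attrs = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", SAML_NS):
        values = [v.text for v in attr.findall("saml:AttributeValue", SAML_NS)]
        attrs.setdefault(attr.get("Name"), []).extend(values)
    return {"issuer": root.find("saml:Issuer", SAML_NS).text,
            "subject": root.find("saml:Subject/saml:NameID", SAML_NS).text,
            "not_before": cond.get("NotBefore"), "not_on_or_after": cond.get("NotOnOrAfter"),
            "attrs": attrs}


def expand_roles(roles, parents):
    """Return the roles plus every ancestor role in the source-domain hierarchy."""
    out = set()
    for role in roles:
        while role is not None and role not in out:
            out.add(role)
            role = parents.get(role)
    return out


def map_to_target(assertion, policy):
    """Apply the mapping elements; returns sorted target-domain roles and groups."""
    roles = expand_roles(assertion["attrs"].get("role", []), policy["role_parents"])
    groups = set(assertion["attrs"].get("group", []))
    target_roles, target_groups = set(), set()
    for element in policy["map"]:
        if element.get("role") in roles:
            target_roles.update(element["target_roles"])
        if element.get("group") in groups:
            target_groups.update(element["target_groups"])
    return sorted(target_roles), sorted(target_groups)


def _ts(iso):
    return datetime.fromisoformat(iso.replace("Z", "+00:00"))


def build_in_domain_token(xml_text, policy, trusted_issuers, now_iso, key):
    """Validate the assertion, map it, and emit the MACed in-domain message mark."""
    a = parse_assertion(xml_text)
    if a["issuer"] not in trusted_issuers:
        raise ValueError("assertion issuer is not a trusted cooperating-domain IdP")
    if not (_ts(a["not_before"]) <= _ts(now_iso) < _ts(a["not_on_or_after"])):
        raise ValueError("assertion is outside its validity window")
    roles, groups = map_to_target(a, policy)
    token = {"header": {"issuer": a["issuer"], "domain": policy["target_domain"],
                        "expires": a["not_on_or_after"]},   # header: IdP name and validity
             "subject": a["subject"],                         # subject name
             "roles": roles, "groups": groups}                # mapped target-domain entitlements
    body = json.dumps(token, sort_keys=True, separators=(",", ":"))
    mac = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return body + "." + mac


def verify_in_domain_token(cookie_value, key):
    """Home-server side: check the MAC before trusting the mark carried by the browser."""
    body, _, mac = cookie_value.rpartition(".")
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, mac):
        raise ValueError("in-domain message mark has been altered")
    return json.loads(body)
```

The MAC is not something the patent specifies; it is added because a mark that travels through the user's browser can otherwise be edited to claim target-domain roles the mapping never granted. In a deployment the reply cookie built from the verified mark should also carry the Secure and HttpOnly attributes and expire no later than the assertion's NotOnOrAfter.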
After the access rights have been obtained, the following operations are executed in the in-domain service platform:
the in-domain policy enforcement point receives the user's in-domain access resource request;
the in-domain policy information point performs query analysis on the attributes of the user's in-domain access resource request and feeds the analysis result back to the in-domain policy enforcement point;
the policy decision point queries the policy administration point, according to the analysis result, for the policy corresponding to the user's in-domain access resource request, evaluates that policy, and feeds the assessment result back to the in-domain policy enforcement point;
the in-domain policy enforcement point decides, according to the assessment result, whether the user's in-domain access resource request is authorized or refused.
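The in-domain PEP/PIP/PDP/PAP flow above, as an added example that is not taken from the patent: the policy enforcement point receives the in-domain request, the policy information point resolves the subject's mapped target-domain roles and clearance and the resource's level, the policy decision point fetches the applicable policies from the policy administration point and evaluates them with a deny-overrides rule, and the enforcement point acts on the result. The policy format, the attribute names, the deny-overrides combining rule and the clearance check are assumptions; the sample subjects, resources and policies are constructed, and alice's roles are the target-domain roles a cross-domain mapping would have produced.

```python
# Added example (not the patent's code): the in-domain PEP -> PIP -> PDP/PAP -> PEP flow.
# Policy format, attribute names, the deny-overrides rule and the clearance check are assumptions.
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    subject: str
    resource: str
    action: str


class PAP:
    """Policy Administration Point: holds the policies and returns those applicable to a resource."""

    def __init__(self, policies):
        self.policies = policies

    def policies_for(self, resource):
        return [p for p in self.policies if resource.startswith(p["resource_prefix"])]


class PIP:
    """Policy Information Point: resolves subject and resource attributes the request does not carry."""

    def __init__(self, subject_attrs, resource_attrs):
        self.subject_attrs = subject_attrs
        self.resource_attrs = resource_attrs

    def analyze(self, req):
        return {"subject": self.subject_attrs.get(req.subject, {}),
                "resource": self.resource_attrs.get(req.resource, {})}


class PDP:
    """Policy Decision Point: evaluates the PAP's applicable policies with deny-overrides."""

    def __init__(self, pap):
        self.pap = pap

    @staticmethod
    def _applies(policy, req, attrs):
        roles = set(attrs["subject"].get("roles", []))
        return req.action in policy["actions"] and bool(roles & set(policy["roles"]))

    def evaluate(self, req, attrs):
        decision = "NotApplicable"  # no matching policy: the PEP treats this as a refusal
        for policy in self.pap.policies_for(req.resource):
            if not self._applies(policy, req, attrs):
                continue
            if policy["effect"] == "Deny":
                return "Deny"
            # A Permit only stands if the subject's clearance covers the resource's level.
            if attrs["resource"].get("level", 0) > attrs["subject"].get("clearance", 0):
                return "Deny"
            decision = "Permit"
        return decision


class PEP:
    """Policy Enforcement Point: receives the request, consults PIP and PDP, enforces the outcome."""

    def __init__(self, pip, pdp):
        self.pip, self.pdp = pip, pdp

    def handle(self, req):
        analysis = self.pip.analyze(req)             # PIP feeds its attribute analysis back to the PEP
        decision = self.pdp.evaluate(req, analysis)  # PDP feeds the assessment result back to the PEP
        return decision == "Permit", decision


def build_demo_pep():
    """Constructed sample data; alice's roles are the target-domain roles produced by the mapping."""
    subjects = {
        "alice@gov-a.example": {"roles": ["b-basic", "b-reader"], "clearance": 2},
        "bob@gov-b.example": {"roles": ["b-admin"], "clearance": 3},
    }
    resources = {"/tax/returns/2016": {"level": 2}, "/tax/audit": {"level": 3}, "/tax/secret": {"level": 3}}
    policies = [
        {"resource_prefix": "/tax/", "actions": ["read"], "roles": ["b-reader"], "effect": "Permit"},
        {"resource_prefix": "/tax/", "actions": ["read", "write"], "roles": ["b-admin"], "effect": "Permit"},
        {"resource_prefix": "/tax/audit", "actions": ["read", "write"],
         "roles": ["b-reader", "b-basic"], "effect": "Deny"},
    ]
    return PEP(PIP(subjects, resources), PDP(PAP(policies)))


def decide(pep, subject, resource, action):
    """Returns (allowed, decision) for one in-domain access resource request."""
    return pep.handle(Request(subject, resource, action))
```

Deny-overrides means an explicit Deny from the PAP wins over any Permit for the same request, and a request no policy covers is refused rather than allowed by default; both choices keep the fine-grained control the patent is after when the mapping grants a user several target-domain roles at once.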
Embodiment two
This embodiment provides a cross-domain access control system whose structure is shown in Fig. 3; it may specifically include the following modules:
Receiving module 31: for receiving the cross-domain access resource request sent by the user, where the cross-domain access resource request is redirected to the identity provider; after the identity provider has verified the user information of the request, it sends the out-of-domain message mark;
the receiving module is further for receiving the out-of-domain message mark.
Sending module 32: for generating the in-domain message mark from the out-of-domain message mark according to the pre-established mapping relationship, sending the in-domain message mark to the user, and the user carrying the in-domain message mark to obtain in-domain access rights.
The identity provider verifies the user initiating the access against a Lightweight Directory Access Protocol (LDAP) server.
Sending module 32 is specifically for:
after the identity provider has verified the user information of the cross-domain access resource request, generating a SAML assertion from the user information of the request as the out-of-domain message mark;
according to the pre-established mapping relationship, filling in the user's key information from the out-of-domain message mark to generate the in-domain message mark, where the key information comprises:
the header, the subject name and the phrases contained in the cross-domain access resource request.
Sending module 32 is further specifically for:
embedding the in-domain message mark in the user's browser;
the home server extracting the in-domain message mark embedded in the user's browser, creating a reply cookie for the user's in-domain access, and directing the user's browser to the in-domain website.
The cross-domain access control system further comprises:
Execution module 33: for the in-domain policy enforcement point receiving the user's in-domain access resource request;
the in-domain policy information point performing query analysis on the attributes of the user's in-domain access resource request and feeding the analysis result back to the in-domain policy enforcement point;
the policy decision point querying the policy administration point, according to the analysis result, for the policy corresponding to the user's in-domain access resource request, evaluating that policy, and feeding the assessment result back to the in-domain policy enforcement point;
the in-domain policy enforcement point deciding, according to the assessment result, whether the user's in-domain access resource request is authorized or refused.
The detailed process of cross-domain access using the system of this embodiment is similar to the method embodiment above and is not repeated here.
In summary, it can be seen from the technical scheme provided by the above embodiments that an embodiment of the invention receives the cross-domain access resource request sent by the user, where the request is redirected to an identity provider; after the identity provider has verified the user information of the request, it sends an out-of-domain message mark; the out-of-domain message mark is received; according to the pre-established mapping relationship, an in-domain message mark is generated from it and sent to the user; and the user carries the in-domain message mark to obtain in-domain access rights. This increases the granularity of system access control and reduces the complexity of user login: the user does not need to spend a lot of time on login steps and can simply and directly log in. The greatest feature of identity information management based on SAML assertions is that user identity information can be maintained in a distributed way: the service-providing side does not need to verify remote users directly, but only needs to establish a trust relationship with the SAML assertion issuer of the cooperating domain. User authentication is carried out in the user's own domain, so the user does not need special credentials for cross-domain resource access.
Those of ordinary skill in the art will appreciate that the drawings are schematic diagrams of one embodiment, and that the modules or flows in the drawings are not necessarily required to implement the invention.
From the description of the embodiments above, those skilled in the art can clearly understand that the invention can be implemented by software plus the necessary general-purpose hardware platform. On that basis, the essence of the technical scheme, or the part of it that contributes to the prior art, can be embodied as a software product stored on a storage medium such as ROM/RAM, a magnetic disk or an optical disc, including instructions that cause a computing device (a personal computer, a server, a network device, or the like) to execute the methods described in the embodiments or in parts of the embodiments.
The embodiments in this specification are described progressively; each embodiment focuses on its differences from the others, and identical or similar parts can be cross-referenced. The device and system embodiments in particular are described briefly because they are substantially similar to the method embodiments; refer to the method embodiments for the relevant parts. In the device and system embodiments described above, the units described as separate components may or may not be physically separate, and components shown as units may or may not be physical units; they may be located in one place or distributed across multiple network elements. Some or all of the modules may be selected as actually needed to achieve the purpose of the embodiment. Those of ordinary skill in the art can understand and implement this without creative effort.
The above are only preferred specific embodiments of the invention; the protection scope of the invention is not limited to them. Any change or substitution that a person familiar with the art can readily conceive within the technical scope disclosed by the invention shall be covered by the protection scope of the invention. The protection scope of the invention is therefore defined by the claims.

Claims (10)

1. a kind of cross-domain access control method is it is characterised in that include:
The cross-domain access resource request that receive user is sent;Wherein, described cross-domain access resource request is redirected to identity End is provided;After providing end that the described cross-domain user information authentication accessing resource request is passed through by identity, send overseas message mark Will;
Receive described overseas message flag;
According to the mapping relations pre-building, described overseas message flag is generated message flag in domain, and by message in described domain Mark sends to user, carries message flag in described domain by user and obtains access rights in domain.
Determined according to described assessment result by Policy Enforcement Point in domain and in described user domain, access resource request mandate or refusal.
2. a kind of cross-domain access control method according to claim 1 it is characterised in that
Described identity provides end according to Lightweight Directory Access Protocol ldap server, the user initiating to access to be verified.
3. The cross-domain access control method according to claim 1, characterised in that generating the in-domain message flag from the out-of-domain message flag according to the pre-built mapping relation comprises:
after the identity provider end has verified the user information of the cross-domain resource access request, generating a SAML assertion from the user information of the cross-domain resource access request as the out-of-domain message flag;
filling in the user's key information from the out-of-domain message flag according to the pre-built mapping relation to generate the in-domain message flag, wherein the key information comprises:
the header, the subject name and the phrase contained in the cross-domain resource access request.
4. The cross-domain access control method according to claim 1, characterised in that the user carrying the in-domain message flag to obtain in-domain access rights comprises:
embedding the in-domain message flag in the user's browser;
extracting, by the home server, the in-domain message flag embedded in the user's browser, creating a response cookie for the user's in-domain access, and guiding the user's browser to the in-domain access website.
5. The cross-domain access control method according to any one of claims 1 to 4, characterised in that it comprises:
receiving, by the in-domain policy enforcement point, the user's in-domain resource access request;
performing, by the in-domain policy information point, query analysis on the attributes of the user's in-domain resource access request, and feeding the analysis result back to the in-domain policy enforcement point;
querying, by the policy decision point according to the analysis result, the policy corresponding to the user's in-domain resource access request at the policy administration point, evaluating the policy, and feeding the assessment result back to the in-domain policy enforcement point.
6. A cross-domain access control system, characterised in that it comprises:
a receiving module, for receiving a cross-domain resource access request sent by a user, wherein the cross-domain resource access request is redirected to an identity provider end, and after the identity provider end has verified the user information of the cross-domain resource access request, an out-of-domain message flag is sent;
the receiving module further being for receiving the out-of-domain message flag;
a sending module, for generating an in-domain message flag from the out-of-domain message flag according to a pre-built mapping relation, and sending the in-domain message flag to the user, the user carrying the in-domain message flag to obtain in-domain access rights.
7. The cross-domain access control system according to claim 6, characterised in that
the identity provider end verifies the user initiating the access against a Lightweight Directory Access Protocol (LDAP) server.
8. The cross-domain access control system according to claim 6, characterised in that the sending module is specifically for:
after the identity provider end has verified the user information of the cross-domain resource access request, generating a SAML assertion from the user information of the cross-domain resource access request as the out-of-domain message flag;
filling in the user's key information from the out-of-domain message flag according to the pre-built mapping relation to generate the in-domain message flag, wherein the key information comprises:
the header, the subject name and the phrase contained in the cross-domain resource access request.
9. The cross-domain access control system according to claim 6, characterised in that the sending module is specifically for:
embedding the in-domain message flag in the user's browser;
extracting, by the home server, the in-domain message flag embedded in the user's browser, creating a response cookie for the user's in-domain access, and guiding the user's browser to the in-domain access website.
10. The cross-domain access control system according to any one of claims 6 to 9, characterised in that it comprises:
an execution module, for receiving, by the in-domain policy enforcement point, the user's in-domain resource access request;
performing, by the in-domain policy information point, query analysis on the attributes of the user's in-domain resource access request, and feeding the analysis result back to the in-domain policy enforcement point;
querying, by the policy decision point according to the analysis result, the policy corresponding to the user's in-domain resource access request at the policy administration point, evaluating the policy, and feeding the assessment result back to the in-domain policy enforcement point;
authorising or refusing, by the in-domain policy enforcement point according to the assessment result, the user's in-domain resource access request.
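As an added illustration of the flow in claims 1 to 5 and its system counterpart in claims 6 to 10 (example code, not the patent's own), the following Python models the out-of-domain message flag as an HMAC-signed assertion, the pre-built mapping relation as a dictionary from foreign subject to local account and roles, and the PEP, PIP, PDP and PAP as plain functions over a constructed policy store. The directory, shared key, mapping and policies are constructed stand-ins; the assertion's audience and expiry checks are the example's own additions.

```python
import hashlib, hmac, json, secrets, time

IDP_KEY = b"constructed-shared-key"  # assumption: key shared by identity provider and home domain
DIRECTORY = {"alice": {"pw": "pw-a", "dept": "finance"}}  # constructed stand-in for the LDAP server
MAPPING = {"alice@domain-a": {"local_user": "a.li", "roles": ["auditor"]}}  # constructed pre-built mapping
POLICIES = {"/reports": {"allow_roles": ["auditor"]}, "/admin": {"allow_roles": ["admin"]}}  # constructed PAP
SESSIONS = {}  # in-domain cookie -> user attributes, filled by the home server

def _sign(body):
    raw = json.dumps(body, sort_keys=True).encode()
    return hmac.new(IDP_KEY, raw, hashlib.sha256).hexdigest()

def idp_verify_and_assert(user, pw, target_domain):
    """Identity provider end: verify the user against the directory, then emit the
    out-of-domain message flag (modelled here as an HMAC-signed assertion)."""
    entry = DIRECTORY.get(user)
    if entry is None or not hmac.compare_digest(entry["pw"], pw):
        return None
    body = {"subject": f"{user}@domain-a", "audience": target_domain,
            "header": "cross-domain-access", "exp": time.time() + 300}
    return {"body": body, "sig": _sign(body)}

def home_map_to_domain_flag(assertion, my_domain):
    """Home server: verify the out-of-domain flag, apply the pre-built mapping to fill the
    user's key information, and create the in-domain cookie the browser will carry."""
    body = assertion["body"]
    if not hmac.compare_digest(assertion["sig"], _sign(body)):
        return None  # tampered or forged flag
    if body["audience"] != my_domain or body["exp"] < time.time():
        return None  # flag issued for another domain, or expired
    local = MAPPING.get(body["subject"])
    if local is None:
        return None  # no mapping relation: no in-domain rights
    cookie = secrets.token_hex(16)
    SESSIONS[cookie] = {"subject": body["subject"], **local}
    return cookie

def pep_decide(cookie, resource):
    """In-domain PEP: the PIP resolves the request's attributes, the PDP looks the policy
    up in the PAP and evaluates it, and the PEP permits or denies on that result."""
    attrs = SESSIONS.get(cookie)  # PIP: attributes of the in-domain request
    if attrs is None:
        return "deny"
    policy = POLICIES.get(resource)  # PDP consults the PAP
    if policy and set(policy["allow_roles"]) & set(attrs["roles"]):
        return "permit"
    return "deny"
```

A subject with no entry in the mapping relation, a flag addressed to another domain, or a flag whose body was altered after signing all fail at the home server and never reach the PEP.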

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201611027508.6A CN106341428A (en) 2016-11-21 2016-11-21 Cross-domain access control method and system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201611027508.6A CN106341428A (en) 2016-11-21 2016-11-21 Cross-domain access control method and system

Publications (1)

Publication Number Publication Date
CN106341428A true CN106341428A (en) 2017-01-18

Family

ID=57841489

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201611027508.6A Pending CN106341428A (en) 2016-11-21 2016-11-21 Cross-domain access control method and system

Country Status (1)

Country Link
CN (1) CN106341428A (en)

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101399671A (en) * 2008-11-18 2009-04-01 中国科学院软件研究所 Cross-domain authentication method and system thereof
CN101707594A (en) * 2009-10-21 2010-05-12 南京邮电大学 Single sign on based grid authentication trust model
CN101764692A (en) * 2009-12-31 2010-06-30 公安部第三研究所 Cross-domain dynamic fine-grained access control method
CN102694867A (en) * 2012-06-06 2012-09-26 江苏大学 Attribution-based cross-security domain access control method and system in SOA (Service Oriented Architecture)
US20130227663A1 (en) * 2010-10-08 2013-08-29 Telefonica S.A. Method, a system and a network element for ims control layer authentication from external domains
CN103532981A (en) * 2013-10-31 2014-01-22 中国科学院信息工程研究所 Identity escrow and authentication cloud resource access control system and method for multiple tenants
US20140359696A1 (en) * 2013-06-04 2014-12-04 Edmond Scientific Company Interoperability between authorization protocol and enforcement protocol

Cited By (18)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107205013B (en) * 2016-03-18 2021-06-22 阿姆有限公司 Combination of control interfaces for multiple communication domains
CN107205013A (en) * 2016-03-18 2017-09-26 阿姆有限公司 Combination for the control interface of multiple communication domains
CN108243164A (en) * 2016-12-26 2018-07-03 航天信息股份有限公司 A kind of E-Government cloud computing cross-domain access control method and system
CN108243164B8 (en) * 2016-12-26 2021-10-15 航天网安技术(深圳)有限公司 Cross-domain access control method and system for E-government cloud computing
CN108243164B (en) * 2016-12-26 2021-09-10 航天信息股份有限公司 Cross-domain access control method and system for E-government cloud computing
CN106534223A (en) * 2017-01-22 2017-03-22 上海新炬网络信息技术有限公司 Key algorithm and log auditing based Openstack access control method
CN106534223B (en) * 2017-01-22 2019-10-25 上海新炬网络信息技术股份有限公司 Openstack access control method based on key algorithm and log audit
CN107391568A (en) * 2017-06-16 2017-11-24 福建省华渔教育科技有限公司 Break through the method and its system of cross-domain request limitation
CN107391568B (en) * 2017-06-16 2020-01-21 福建省华渔教育科技有限公司 Method and system for breaking through cross-domain request limitation
CN107368601A (en) * 2017-07-26 2017-11-21 成都三零盛安信息系统有限公司 local data access method and device
CN108234136A (en) * 2018-01-25 2018-06-29 北京深思数盾科技股份有限公司 A kind of safety access method, terminal device and system
CN112243013A (en) * 2019-07-16 2021-01-19 中国移动通信集团浙江有限公司 Method, system, server and storage medium for realizing cross-domain resource caching
CN110769001A (en) * 2019-11-01 2020-02-07 北京天融信网络安全技术有限公司 Cross-domain authentication method and cross-domain access method
CN110769001B (en) * 2019-11-01 2022-05-17 北京天融信网络安全技术有限公司 Cross-domain authentication method and cross-domain access method
CN111314318A (en) * 2020-01-20 2020-06-19 扆亮海 Cross-domain authorized access control system for safety interoperation between different domains
CN113572734A (en) * 2021-06-24 2021-10-29 福建师范大学 Cross-domain access control method based on block chain in mobile edge calculation
CN113572734B (en) * 2021-06-24 2023-04-28 福建师范大学 Cross-domain access control method based on block chain in mobile edge calculation
WO2023000413A1 (en) * 2021-07-22 2023-01-26 中国科学院深圳先进技术研究院 Adaptive cross-domain access authentication method and system, and terminal and storage medium

Similar Documents

Publication Publication Date Title
CN106341428A (en) Cross-domain access control method and system
AU2019206006B2 (en) System and method for biometric protocol standards
US11165579B2 (en) Decentralized data authentication
US8839395B2 (en) Single sign-on between applications
US6668322B1 (en) Access management system and method employing secure credentials
US11122047B2 (en) Invitation links with enhanced protection
Carretero et al. Federated identity architecture of the European eID system
US9825938B2 (en) System and method for managing certificate based secure network access with a certificate having a buffer period prior to expiration
CN103179134A (en) Single sign on method and system based on Cookie and application server thereof
EP3017390B1 (en) Method and system related to authentication of users for accessing data networks
CN206212040U (en) A kind of real-name authentication system for express delivery industry
Sharma et al. Identity and access management-a comprehensive study
CN109495486B (en) Single-page Web application integration CAS method based on JWT
CN109981287A (en) A kind of code signature method and its storage medium
US20130312068A1 (en) Systems and methods for administrating access in an on-demand computing environment
Faynberg et al. On dynamic access control in Web 2.0 and beyond: Trends and technologies
US20170104748A1 (en) System and method for managing network access with a certificate having soft expiration
Cusack et al. Evaluating single sign-on security failure in cloud services
CN108243164A (en) A kind of E-Government cloud computing cross-domain access control method and system
Simpson et al. Maintaining zero trust with federation
US20160171613A1 (en) Backing management
Chandersekaran et al. Information sharing and federation
Linkies et al. SAP security and risk management
Trias et al. Enterprise level security
CN112511565B (en) Request response method and device, computer readable storage medium and electronic equipment

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20170118
