CN106534148A - Access control method and device for application - Google Patents
Access control method and device for application Download PDFInfo
- Publication number
- CN106534148A CN106534148A CN201611069910.0A CN201611069910A CN106534148A CN 106534148 A CN106534148 A CN 106534148A CN 201611069910 A CN201611069910 A CN 201611069910A CN 106534148 A CN106534148 A CN 106534148A
- Authority
- CN
- China
- Prior art keywords
- access rights
- control system
- master control
- access
- strategy
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
- 238000000034 method Methods 0.000 title claims abstract description 71
- 238000012795 verification Methods 0.000 claims abstract description 141
- 238000013475 authorization Methods 0.000 claims description 19
- 238000012545 processing Methods 0.000 claims description 14
- GOLXNESZZPUPJE-UHFFFAOYSA-N spiromesifen Chemical compound CC1=CC(C)=CC(C)=C1C(C(O1)=O)=C(OC(=O)CC(C)(C)C)C11CCCC1 GOLXNESZZPUPJE-UHFFFAOYSA-N 0.000 claims description 11
- 230000000052 comparative effect Effects 0.000 claims description 7
- 238000003860 storage Methods 0.000 claims description 5
- 238000000151 deposition Methods 0.000 claims 1
- 238000004891 communication Methods 0.000 abstract description 14
- 230000006854 communication Effects 0.000 abstract description 14
- 230000006870 function Effects 0.000 description 16
- 230000008569 process Effects 0.000 description 15
- 238000005516 engineering process Methods 0.000 description 6
- 238000004590 computer program Methods 0.000 description 5
- 238000010586 diagram Methods 0.000 description 5
- 244000035744 Hura crepitans Species 0.000 description 3
- 238000013459 approach Methods 0.000 description 2
- 230000008901 benefit Effects 0.000 description 2
- 230000005540 biological transmission Effects 0.000 description 2
- 230000008859 change Effects 0.000 description 2
- 230000008878 coupling Effects 0.000 description 2
- 238000010168 coupling process Methods 0.000 description 2
- 238000005859 coupling reaction Methods 0.000 description 2
- 230000007547 defect Effects 0.000 description 2
- 238000009434 installation Methods 0.000 description 2
- 238000012986 modification Methods 0.000 description 2
- 230000004048 modification Effects 0.000 description 2
- 230000024241 parasitism Effects 0.000 description 2
- 238000003672 processing method Methods 0.000 description 2
- 230000004913 activation Effects 0.000 description 1
- 230000007175 bidirectional communication Effects 0.000 description 1
- 230000006378 damage Effects 0.000 description 1
- 238000012217 deletion Methods 0.000 description 1
- 230000037430 deletion Effects 0.000 description 1
- 238000013461 design Methods 0.000 description 1
- 238000009826 distribution Methods 0.000 description 1
- 235000013399 edible fruits Nutrition 0.000 description 1
- 230000000694 effects Effects 0.000 description 1
- 230000002708 enhancing effect Effects 0.000 description 1
- 238000003780 insertion Methods 0.000 description 1
- 230000037431 insertion Effects 0.000 description 1
- 230000003993 interaction Effects 0.000 description 1
- 238000004519 manufacturing process Methods 0.000 description 1
- 238000010295 mobile communication Methods 0.000 description 1
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/20—Network architectures or network communication protocols for network security for managing network security; network security policies in general
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/10—Network architectures or network communication protocols for network security for controlling access to devices or network resources
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Storage Device Security (AREA)
Abstract
The embodiment of the invention provides an access control method and device of an application, wherein the method comprises the following steps: after receiving an access request of the application, the container system sends the access request to the master control system through a pre-established container channel; after receiving the access request of the application, the master control system carries out authority verification on the received access request of the application according to the access authority strategy currently stored in the master control system and returns an authority verification result through a container channel; and when the container system determines that the received permission verification result is allowed, operating according to the access request of the application. By utilizing the embodiment of the invention, even if a malicious program invades the container system, the communication mode and the communication path between the container system and the main control system are difficult to obtain, the main control system is difficult to invade, the access authority strategy cannot be obtained from the main control system, the access authority strategy still needs to be controlled, and the confidential information in the terminal equipment is difficult to steal; thereby the security of the information in the terminal equipment is promoted on the whole.
Description
Technical field
The present invention relates to field of terminal technology, specifically, the present invention relates to the access management-control method and dress of a kind of application
Put.
Background technology
With developing and scientific and technological process for society, the terminal unit such as smart mobile phone, panel computer and electronic reader is wide
General popularization.Operating system is usually mounted with terminal unit, is usually mounted with multiple applications in operating system.Multiple applications have
Several functions have met the demand of user.
In order to ensure the safety of system, operating system generally needs to be managed the access rights of application therein control
System.The access management-control method of existing application, after typically operating system receives the access request of a certain application, according to wherein
The access rights strategy of multiple applications of storage, judges whether the application should have the authority involved by the access request;If
It is then to respond the access request;Otherwise ignore the access request.
However, the access rights strategy accessed involved by management-control method of existing application is to be set in advance in operating system
In.Once operating system is invaded by rogue program, rogue program is easy to obtain the access rights strategy in this operating system,
And then access rights strategy can be changed, the control of the multiple system resources in causing rogue program to obtain to terminal unit easily
Authority processed;So as to rogue program can perform the destruction row such as classified information of access user according to the control authority for obtaining
For easily bringing loss to user.The safety of the access management-control method of existing application is have impact on the whole.
To sum up, the access rights strategy that the access management-control method of existing application is related to has the low defect of safety,
Cause the management-control method that accesses of existing application that there is the relatively low defect of safety.
The content of the invention
Shortcoming of the present invention for existing mode, proposes a kind of access management-control method of application and device, existing to solve
With the presence of the relatively low problem of technology safety.
Embodiments of the invention are according on one side, there is provided a kind of access management-control method of application, including:
After containment system receives the access request of its application, sent to master control system by the container path of built in advance;
After the master control system receives the access request of the application, according to visit currently stored in the master control system
Authorization policy is asked, the access request of the application to receiving carries out Authority Verification, and passes through the container path returning right
Limit the result;
When the containment system determines the Authority Verification result for receiving for allowing, entered according to the access request of the application
Row operation.
Embodiments of the invention additionally provide a kind of access control device of application according on the other hand, including:Master control
System and at least one containment system;
Each containment system includes:
Access request processing module, for receiving after the access request which is applied, by the container path of built in advance to master
Control system sends;It is determined that when the Authority Verification result for receiving is for allowing, being operated according to the access request of the application;
The master control system includes:
Access authority verification module, for receiving after the access request of the application, according in the master control system when
The access rights strategy of front storage, the access request of the application to receiving carry out Authority Verification, and pass through the container
Passage returns authority the result.
It is preferred that the master control system also includes:
Access rights strategy acquisition module, for receiving after access rights update notification, obtains phase from cloud server
The access rights strategy answered;
Access rights policy update module, carries out legitimate verification for the access rights strategy to obtaining;Work as institute
State legitimate verification result for it is legal when, the access rights strategy to having been stored in the master control system is updated.
It is preferred that the containment system also includes:
Access rights strategy acquisition module, for receiving after access rights update notification, obtains phase from cloud server
The access rights strategy answered;The access rights strategy for obtaining is sent to the master control system by the container path;
The master control system also includes:
Access rights policy update module, carries out legitimate verification for the access rights strategy to obtaining;Work as institute
State legitimate verification result for it is legal when, the access rights strategy to having been stored in the master control system is updated.
It is preferred that the access authority verification module is additionally operable to after the container path returns authority the result,
When the Authority Verification result for allow when, the master control system record the access request of the application, said container system and
Involved access rights strategy;When detect access rights strategy occur update, and update after access rights strategy to institute
When stating the Authority Verification result of the access request of application and being updated to forbid, by container path to described using affiliated container system
System returns the Authority Verification result after updating;And
When the access request processing module is additionally operable to determine the Authority Verification result after receiving the renewal for forbidding,
Stop responding the access request of the application.
It is preferred that the access rights strategy acquisition module is specifically for obtaining corresponding access from the cloud server
Authorization policy and its encrypted digest value and corresponding public key;And
The access rights policy update module is specifically for entering to the encrypted data for obtaining according to the public key for obtaining
Row decryption;When successful decryption, the digest value decrypted is obtained;After determining the digest value of access rights strategy of acquisition,
It is compared with the digest value after decryption;When comparative result is consistent, determine that the legitimate verification result is legal.
It is preferred that the access authority verification module is specifically for according to the currently stored appearance in the master control system
The access rights strategy of device system, the access request of the application to receiving carry out the Authority Verification of container levels;When described
When the Authority Verification result of container levels is for allowing, according to the access right of the currently stored master control system in the master control system
Limit strategy, the access request of the application to receiving carry out the Authority Verification of master stage;When the authority of the master stage is tested
When card result is to forbid, it is determined that final Authority Verification result is for forbidding, and by the container path to the containment system
Return;Wherein, the access rights strategy includes:The access of the access rights strategy and the containment system of the master control system
Authorization policy.
It is preferred that the access authority verification module is related to the master specifically for the access request when the application simultaneously
The access rights of the access rights strategy of currently stored described safe domain system and the non-secure domains system in control system
When tactful, according to the access rights strategy of the safe domain system, the authority of container levels is carried out to the access request of the application
Checking;Wherein, the access rights strategy of the containment system includes the access rights strategy of security domain containment system and non-security
The access rights strategy of domain containment system.
In the embodiment of the present invention, access rights strategy is all arranged in master control system, the containment system on master control system upper strata
After receiving the access request wherein applied, access request is forwarded to into master control system, by master control system according to it is default wherein
Access rights strategy Authority Verification is carried out to access request, when authority the result for allow when, notify the containment system root
Operated according to access request.Even if containment system is invaded by rogue program, due to there is no access rights plan in containment system
Slightly, rogue program cannot obtain access rights strategy from containment system;As master control system is located at the lower floor, no of containment system
The function of directly being interacted with user is provided, user cannot installation procedure into master control system, even if rogue program disguises oneself as
Using or parasitism also cannot be installed in master control system in the application, greatly strengthen the safety of master control system;Malice journey
Sequence is difficult to obtain the communication mode and approach between containment system and master control system, even if having invaded containment system, it is also difficult to invade
Enter master control system, it is impossible to obtain access rights strategy from master control system, still will be controlled by access rights strategy, it is difficult to
Steal the classified information in terminal unit;Therefore can be managed in control process in the access request to applying and ensure to access
The safety of authorization policy, so that improve the safety of the information in terminal unit on the whole.
The additional aspect of the present invention and advantage will be set forth in part in the description, and these will become from the following description
Obtain substantially, or recognized by the practice of the present invention.
Description of the drawings
Of the invention above-mentioned and/or additional aspect and advantage will become from the following description of the accompanying drawings of embodiments
It is substantially and easy to understand, wherein:
Block schematic illustrations of the Fig. 1 for the internal structure of the terminal unit of the embodiment of the present invention;
Fig. 2 and Fig. 3 is respectively two kinds of dynamic updating methods of the access rights strategy of the terminal unit of the embodiment of the present invention
Schematic flow sheet;
Schematic flow sheets of the Fig. 4 for the access management-control method of the application of the embodiment of the present invention;
Fig. 5 and Fig. 6 is respectively the framework of the internal structure of two kinds of access control devices of the application of the embodiment of the present invention and shows
It is intended to.
Specific embodiment
Embodiments of the invention are described below in detail, the example of the embodiment is shown in the drawings, wherein from start to finish
Same or similar label represents same or similar element or the element with same or like function.Below with reference to attached
The embodiment of figure description is exemplary, is only used for explaining the present invention, and is not construed as limiting the claims.
Those skilled in the art of the present technique are appreciated that unless expressly stated, singulative " one " used herein, " one
It is individual ", " described " and " being somebody's turn to do " may also comprise plural form.It is to be further understood that arranging used in the description of the present invention
Diction " including " refers to there is the feature, integer, step, operation, element and/or component, but it is not excluded that existing or adding
One or more other features, integer, step, operation, element, component and/or their group.It should be understood that when we claim unit
Part is " connected " or during " coupled " to another element, and it can be directly connected or coupled to other elements, or can also exist
Intermediary element.Additionally, " connection " used herein or " coupling " can include wireless connection or wireless coupling.It is used herein to arrange
Diction "and/or" includes one or more associated wholes for listing item or any cell and all combinations.
Those skilled in the art of the present technique are appreciated that unless otherwise defined all terms used herein are (including technology art
Language and scientific terminology), with art of the present invention in those of ordinary skill general understanding identical meaning.Should also
It is understood by, those terms defined in such as general dictionary, it should be understood that with the context with prior art
The consistent meaning of meaning, and unless by specific definitions as here, will not otherwise use idealization or excessively formal implication
To explain.
Those skilled in the art of the present technique are appreciated that " terminal " used herein above, " terminal unit " had both included wireless communication
The equipment of number receptor, which only possesses the equipment of the wireless signal receiver of non-emissive ability, includes again receiving and launches hardware
Equipment, which has the equipment of the reception that on bidirectional communication link, can carry out two-way communication and transmitting hardware.This equipment
Can include:Honeycomb or other communication equipments, there is single line display or multi-line display or no multi-line to show for which
The honeycomb of device or other communication equipments;PCS (Personal Communications Service, PCS Personal Communications System), which can
With combine voice, data processing, fax and/or its communication ability;PDA (Personal Digital Assistant, it is personal
Digital assistants), which can include radio frequency receiver, pager, the Internet/intranet access, web browser, notepad, day
Go through and/or GPS (Global Positioning System, global positioning system) receptor;Conventional laptop and/or palm
Type computer or other equipment, its have and/or conventional laptop and/or palmtop computer including radio frequency receiver or its
His equipment." terminal " used herein above, " terminal unit " they can be portable, can transport, installed in the vehicles (aviation,
Sea-freight and/or land) in, or be suitable for and/or be configured in local runtime, and/or with distribution form, operate in the earth
And/or any other position in space is run." terminal " used herein above, " terminal unit " can also be communication terminal, on
Network termination, music/video playback terminal, for example, can be PDA, MID (Mobile Internet Device, mobile Internet
Equipment) and/or the equipment such as the mobile phone with music/video playing function, or intelligent television, Set Top Box.
In the embodiment of the present invention, the access management-control method to applying is improved.Containment system receives its application
After access request, sent to master control system by the container path of built in advance;After master control system receives the access request of application, root
According to access rights strategy currently stored in master control system, the access request of the application to receiving carries out Authority Verification, and leads to
Cross container path and return authority the result;When containment system determines the Authority Verification result for receiving for allowing, according to application
Access request operated.It can be seen that, in the embodiment of the present invention, access rights strategy is all arranged in master control system, master control system
After the containment system on system upper strata receives the access request wherein applied, access request is forwarded to into master control system, by master control system
System basis is preset in access rights strategy therein carries out Authority Verification to access request, when authority the result is for allowing,
Notify that the containment system is operated according to access request.Even if containment system is invaded by rogue program, due in containment system
There is no access rights strategy, rogue program cannot obtain access rights strategy from containment system;Again as appearance cannot be obtained
Communication mode and channel between device system and master control system, it is impossible to obtain access rights strategy from master control system;Therefore can
To be managed in control process the safety for ensureing access rights strategy in the access request to applying, so as to be lifted on the whole
Conduct interviews the safety of management control to application.
The technical scheme of the embodiment of the present invention is introduced below in conjunction with the accompanying drawings specifically.
In technical scheme, the block schematic illustration of the internal structure of terminal unit as shown in figure 1, including:Master control
System and at least one containment system.
Wherein, at least one containment system can include the first containment system, second container system ..., N containers system
System.N is more than 2 positive integer.
Containment system in the embodiment of the present invention, is provided in creating with Linux container (container) Intel Virtualization Technology
Operating system in the container built.Operating system can be traditional (SuSE) Linux OS or Unix operating systems,
Can be android system or Ubuntu systems for being derived based on (SuSE) Linux OS etc., can also be with Windows
Windows systems based on platform etc..In fact, the containment system in the present invention is not limited to the aforementioned operation system for enumerating
System, can cover all operating systems that can be run in a reservoir.For ease of description, below using android system as appearance
Technical scheme is illustrated as a example by device system.
Master control system can be that above-mentioned traditional operating system, or be improved to traditional operating system is obtained
Operating system.Master control system includes kernel.Kernel is kernel, or is obtained after increasing functional module on the basis of kernel
Enhancement mode kernel for arriving.It is preferred that said vesse system sends call request or access request to master control system, by master control
System is called kernel to realize various functions.
Master control system is mainly used in carrying out AM/BAM management to multiple containers system, interacts with each containment system.
It is preferred that master control system can be communicated with containment system by container path.Further, container path can be with
It is socket (socket) passage.One containment system sends container path request to create to master control system;Master control system is connected to
After the request of the containment system, a pair of descriptors (socketpair) of a socket file and the socket files are created,
And name for this pair of descriptor;By this pair of descriptor and its name registration master control system NSS (Name Space Server,
Name space is serviced) in virtual unit;The title of a descriptor in a pair of the descriptors for succeeding in registration is returned to into the appearance
Device system;The containment system is obtained after corresponding descriptor from NSS virtual units according to the title of descriptor, can be retouched by this
State to accord with and communicated with the master control system for possessing the socket files another descriptors.
In the embodiment of the present invention, the access rights that are stored with master control system strategy.It is preferred that the visit in the embodiment of the present invention
Ask that authorization policy can be specifically MDM (Mobile Device Management, mobile device management) tactful.
Terminal unit in the embodiment of the present invention is all registered in advance in cloud server.Bag has been recorded in cloud server
Include mark, communicating number and the currently used access rights strategy of terminal unit, and list belonging to the user of terminal unit
Position, and the information such as post.Access rights strategy includes:Using access rights and corresponding application scenarios;Application scenarios include
It is following at least one:Using affiliated containment system, the AM/BAM state of containment system, time.
Embodiments provide a kind of dynamic updating method of terminal unit access rights strategy, the flow process of the method
Schematic diagram is as shown in Fig. 2 comprise the steps:
S201:After the access rights strategy that cloud server is stored in determining terminal unit needs to update, to the terminal
Equipment issues access rights update notification.
For example, in cloud server, one of terminal unit specific access rights strategy includes that user can be in inoperative
Photographic head in time using terminal equipment, operationally between can not use photographic head;When cloud server receives the terminal
When 9 points to the 18 points changes from Monday to Friday of the working time of equipment user turn at 8 points to 19 points, the concrete access right is updated
The working time of the user in limit strategy.The access rights strategy that further cloud server is stored in determining the terminal unit is needed
It is updated.
For another example, cloud server record terminal unit user occupational information be police, the access right of the terminal unit
Limit strategy includes:Can be forbidden during user's execution task with the shoot function of using terminal equipment during user's non task
The shoot function of using terminal equipment.Need the information of execution task and determine when cloud server receives the Police users
Going out last time, to be handed down to the access rights strategy stored by the terminal unit be comprising can be with the shoot function of using terminal equipment
It is tactful when, determine needs by the access rights policy update stored in the terminal unit for forbidding using setting using the terminal
Standby shoot function.
After the access rights strategy that cloud server is stored in determining terminal unit needs to update, under the terminal unit
Send out access rights update notification.
S202:After master control system receives access rights update notification, corresponding access rights are obtained from cloud server
Strategy.
It is preferred that after master control system receives the access rights update notification that cloud server is issued, from cloud server
Obtaining needs the Jing of the access rights strategy of renewal, the access rights strategy private by the terminal unit that cloud server is determined
The digest value and public key corresponding with the private key of key encryption.
S203:Master control system carries out legitimate verification to the access rights strategy for obtaining, and determines the legitimate verification result
It is whether legal;When legitimate verification result is legal, execution step S204;When legitimate verification result is illegal, suddenly
The access rights strategy for slightly obtaining.
It is preferred that master control system is according to the public key for obtaining, the encrypted data to obtaining are decrypted.
When successful decryption, illustrate that the digest value of Jing private key encryptions is not tampered with, be safe, so as to obtain plucking for decryption
It is worth.When decryption failure, illustrate that the digest value of Jing private key encryptions is likely to be tampered, it is no longer safe, delete the visit for obtaining
Ask authorization policy, the digest value of the Jing private key encryptions of the access rights strategy and public key corresponding with the private key;Or, will
The access rights strategy of acquisition, the digest value of the Jing private key encryptions of the access rights strategy and public key corresponding with the private key
Move in security sandbox.
After master control system determines the digest value of access rights strategy of acquisition, it is compared with the digest value after decryption;
When comparative result is consistent, illustrates that the access rights strategy for obtaining is not tampered with, be safe, determine legitimate verification result
For legal, execution step S204.
When it is inconsistent that master control system determines comparative result, illustrate that the access rights strategy for obtaining is likely to be usurped
Change, it is no longer safe, legitimate verification result is determined for illegal, the access rights strategy of deletion acquisition, the access rights plan
The digest value and public key corresponding with the private key of Jing private key encryptions slightly;Or, by the access rights strategy for obtaining, the visit
Ask that the digest value and public key corresponding with the private key of the Jing private key encryptions of authorization policy are moved in security sandbox.Further, it is main
Control system can reacquire access rights strategy.
S204:Access rights strategy to having been stored in master control system is updated.
Master control system is carried out more according to the access rights strategy for obtaining, the access rights strategy to having been stored in master control system
Newly.
Due to lower floor of the master control system in containment system, generally direct interaction is not carried out with user, rogue program is usual
The communication mode and channel of the containment system in the embodiment of the present invention and master control system cannot be obtained, it is difficult to invade master control system,
Distort or destroy the access rights strategy stored in master control system;The safety of the access rights strategy for therefore storing in master control system
Property, the safety of the access rights strategy stored in significantly larger than traditional containment system.
Embodiments provide the dynamic updating method of another kind of terminal unit access rights strategy, the stream of the method
Journey schematic diagram is as shown in figure 3, comprise the steps:
S301:After the access rights strategy that cloud server is stored in determining terminal unit needs to update, to the terminal
Equipment issues access rights update notification.
Method in this step is consistent with the method in above-mentioned steps S201, and here is omitted.
S302:After containment system receives access rights update notification, corresponding access rights are obtained from cloud server
Strategy.
It is preferred that after containment system receives the access rights update notification that cloud server is issued, from cloud server
Obtaining needs the Jing of the access rights strategy of renewal, the access rights strategy private by the terminal unit that cloud server is determined
The digest value and public key corresponding with the private key of key encryption.
S303:The access rights strategy for obtaining is sent to master control system by containment system by container path.
The access rights strategy that application in containment system will be obtained, by advance between the containment system and master control system
The container path of foundation, sends to master control system.
S304:Master control system carries out legitimate verification to the access rights strategy for obtaining, and determines the legitimate verification result
It is whether legal;When legitimate verification result is legal, execution step S305;When legitimate verification result is illegal, suddenly
The access rights strategy for slightly obtaining.
Method in this step is consistent with the method in above-mentioned steps S203, and here is omitted.
S305:Access rights strategy to having been stored in master control system is updated.
It is preferred that master control system receive access rights strategy after, and the access rights strategy to storing in master control system
Before being updated, it is determined that the application in the containment system of access rights strategy is sent by container path, set up with request and hold
Whether the application of device passage is consistent;If consistent, illustrate that the application for sending access rights strategy is not invaded by rogue program, then to master
The access rights strategy stored in control system is updated;If inconsistent, illustrate that the application for sending access rights strategy is likely to
Invaded by rogue program, then delete access rights strategy, the summary of the Jing private key encryptions of the access rights strategy of acquisition
Value, and public key corresponding with the private key;Or, the Jing private keys of the access rights strategy of acquisition, the access rights strategy are added
Close digest value and public key corresponding with the private key are moved in security sandbox.
Other methods in this step are consistent with the method in above-mentioned steps S204, and here is omitted.
Based on the access rights strategy of above-mentioned acquisition, the flow process of the access management-control method of the application of the embodiment of the present invention is illustrated
Figure is as shown in figure 4, comprise the steps:
S401:After containment system receives the access request of its application, sent out to master control system by the container path of built in advance
Send.
The application that containment system is received in the containment system is asked after request, by being pre-created for putting for system resource
The containment system and master control system between container path, to master control system send.
S402:After master control system receives the access request of application, according to access rights currently stored in master control system
Strategy, the access request of the application to receiving carry out Authority Verification, and return authority the result by container path.
Specifically, after master control system receives the access request of application, the currently stored access rights from master control system
The authority for putting the function of asking that request is related to is found out in strategy, as Authority Verification result.Authority Verification result can be pin
Permission information to the authority of at least one function and forbid information.At least one function can include it is following at least one:Clap
Take the photograph, record, network insertion, mobile communication, instant messaging etc..
It is preferred that in the flow process implementation procedure as shown in Figure 4 of the embodiment of the present invention, such as Fig. 2 in the embodiment of the present invention
Or the flow process shown in 3 is likely to also perform at the same time.That is, in flow process implementation procedure as shown in Figure 4, terminal unit
The access rights strategy of middle storage is likely to be occurred to update.
Therefore, when authority the result for allow when, master control system record application access request, said container system and
Involved access rights strategy.
When master control system detect access rights strategy occur update, and update after access rights strategy to apply visit
When asking that the Authority Verification result of request is updated to forbid, after the containment system belonging to container path to application is returned and is updated
Authority Verification result.
It is preferred that access rights strategy can include:The access rights strategy and the access right of containment system of master control system
Limit strategy.
And, according to the access rights strategy of containment system currently stored in master control system, to the application that receives
Access request carries out the Authority Verification of container levels.Specifically, master control system determines the affiliated appearance of the application for sending access request
Device system, and then the access rights strategy of the containment system stored in determining master control system;According to the container determined
The access rights strategy of system, the access request of the application to receiving carry out Authority Verification, using the Authority Verification as container
The Authority Verification of level.
When the Authority Verification result of container levels is for allowing, according to the access of master control system currently stored in master control system
Authorization policy, the access request of the application to receiving carry out the Authority Verification of master stage.Specifically, according in master control system when
The access rights strategy of the master control system of front storage, the access request of the application to receiving carry out Authority Verification, by the authority
Verify the Authority Verification as master stage.
When the Authority Verification result of container levels be allow, and master stage Authority Verification result for forbid when, it is determined that finally
Authority Verification result for forbidding, and returned to containment system by container path.
It can easily be seen that as the priority of the access rights strategy of master control system is higher than the access rights plan of containment system
Omit, therefore, the Authority Verification result of the container levels determined even from the access rights strategy of containment system is permission, as long as
The Authority Verification result of the master stage determined according to the access rights strategy of master control system for forbidding, tie by final Authority Verification
Fruit is to forbid.Even if the authority access strategy of containment system occurs leakage, distorted by rogue program, cannot also obtain by master control system
The authority forbidden by the access rights strategy of system, improves the safety of terminal unit.
Additionally, when the Authority Verification result of container levels be forbid, and master stage Authority Verification result for allow when, it is determined that
Final Authority Verification result is for forbidding, and is returned to containment system by container path.
When the Authority Verification result of container levels be allow, and master stage Authority Verification result for allow when, it is determined that finally
Authority Verification result for allow, and by container path to containment system return.
Further, the access rights strategy of containment system can include:The access rights strategy of security domain containment system and
The access rights strategy of non-secure domains containment system.
And, the access rights of currently stored safe domain system in the access request of application is related to master control system simultaneously
Strategy, and non-secure domains system access rights strategy when, the visit according to the access rights strategy of safe domain system, to applying
Ask that request carries out the Authority Verification of container levels.
It can easily be seen that as the priority of the access rights strategy of safe domain system is higher than the access right of non-secure domains system
Limit strategy, therefore, when the function of accessing required by the access request applied while safety currently stored in being related to master control system
During the access rights strategy of the access rights strategy of domain system and non-secure domains system, according to the access right of safe domain system
Limit strategy, the access request to applying carry out the Authority Verification of container levels.Even if the authority access strategy of non-secure domains system is sent out
It is raw to leak, distorted by rogue program, the authority forbidden by the access rights strategy of safe domain system cannot be also obtained, is improved
The safety of terminal unit.
It is preferred that access rights strategy includes:Using access rights and corresponding application scenarios;Under application scenarios include
State at least one:Using affiliated containment system, the AM/BAM state of containment system, time.
And, master control system can according to send access request application said container system AM/BAM state, it is determined that
Go out containment system in foreground or during backstage, the corresponding access rights strategy of difference.When the affiliated appearance of application for sending access request
When device system is in foreground, the corresponding access rights strategy in foreground is according to currently stored containment system in master control system,
The access request of the application to receiving carries out Authority Verification, and returns authority the result by container path.
S403:When containment system determines the Authority Verification result for receiving for allowing, carried out according to the access request of application
Operation.
Specifically, the application of access request is sent in containment system, after container path receives Authority Verification result,
The result that defines the competence is allowed or is forbidden;When the result is defined the competence for allowing, according to the access request of application
Operated;When the result being defined the competence for forbidding, ignore the access request of application.
It is preferred that when the Authority Verification result that the containment system last time receives be allow, and according to application visit
In asking the operating process of request, the Authority Verification result after the renewal for same access request is received.Containment system determines
When the Authority Verification result after updating is received for forbidding, stop responding the access request applied, for example, terminate basis
Using access request operation.
Based on the access management-control method of above-mentioned application, the embodiment of the present invention additionally provides a kind of access management and control dress of application
Put, the device is arranged in the terminal unit of the embodiment of the present invention, block schematic illustration such as Fig. 5 institutes of the internal structure of the device
Show, including:Master control system and at least one containment system.
Each containment system includes:Access request processing module 501.
Wherein, it is after access request processing module 501 is used for receiving the access request which is applied, logical by the container of built in advance
Road is sent to master control system;It is determined that when the Authority Verification result for receiving is for allowing, being operated according to the access request of application.
Master control system includes:Access authority verification module 511.
Access authority verification module 511 is used for receiving access request processing module 501 by answering that container path sends
After access request, according to access rights strategy currently stored in master control system, the access request of the application to receiving
Authority Verification is carried out, and authority the result is returned by container path.
It is preferred that as shown in figure 5, the master control system of the embodiment of the present invention also includes:Access rights strategy acquisition module 512
With access rights policy update module 513.
Wherein, after access rights strategy acquisition module 512 is used for receiving access rights update notification, from cloud server
Obtain corresponding access rights strategy.
Access rights policy update module 513 carries out legitimate verification for the access rights strategy to obtaining;When legal
Property the result for it is legal when, the access rights strategy to having been stored in master control system is updated.
It is preferred that the access authority verification module 511 in master control system is additionally operable to return Authority Verification by container path
As a result after, when authority the result is for allowing, the access request of master control system record application, said container system and involved
Access rights strategy;When detect access rights strategy occur update, and update after access rights strategy to apply visit
When asking that the Authority Verification result of request is updated to forbid, after the containment system belonging to container path to application is returned and is updated
Authority Verification result.
And, the access request processing module 501 in containment system is additionally operable to determine the Authority Verification received after updating
As a result for, when forbidding, stopping is responded to the access request applied.
It is preferred that access rights strategy acquisition module 512 is specifically for obtaining corresponding access rights from cloud server
Tactful and its encrypted digest value and corresponding public key.
And, access rights policy update module 513 is specifically for the encrypted number according to the public key for obtaining to acquisition
According to being decrypted;When successful decryption, the digest value decrypted is obtained;After determining the digest value of access rights strategy of acquisition,
It is compared with the digest value after decryption;When comparative result is consistent, determine that legitimate verification result is legal.
It is preferred that access authority verification module 511 is specifically for according to containment system currently stored in master control system
Access rights strategy, the access request of the application to receiving carry out the Authority Verification of container levels;When the Authority Verification of container levels
When as a result for allowing, according to the access rights strategy of master control system currently stored in master control system, to the application that receives
Access request carries out the Authority Verification of master stage;When the Authority Verification result of master stage is for forbidding, it is determined that final authority is tested
Card result is for forbidding, and is returned to containment system by container path;Wherein, access rights strategy includes:The visit of master control system
Ask the access rights strategy of authorization policy and containment system.
It is preferred that access authority verification module 511 is specifically for when the access request applied is while be related in master control system
During the access rights strategy of the access rights strategy of currently stored safe domain system and non-secure domains system, according to safety
The access rights strategy of domain system, the access request to applying carry out the Authority Verification of container levels;Wherein, the access of containment system
Authorization policy includes the access rights strategy of the access rights strategy and non-secure domains containment system of security domain containment system.
The access authority verification module 511 in access request processing module 501, master control system in said vesse system,
The implementation method of 513 function of access rights strategy acquisition module 512 and access rights policy update module, may be referred to as described above
The particular content of the process step of Fig. 2 and Fig. 4, here is omitted.
Based on the access management-control method of above-mentioned application, the embodiment of the present invention additionally provides a kind of access management and control dress of application
Put, the device is arranged in the terminal unit of the embodiment of the present invention, block schematic illustration such as Fig. 6 institutes of the internal structure of the device
Show, including:Master control system and at least one containment system.
Each containment system includes:Access request processing module 601.
Wherein, it is after access request processing module 601 is used for receiving the access request which is applied, logical by the container of built in advance
Road is sent to master control system;It is determined that when the Authority Verification result for receiving is for allowing, being operated according to the access request of application.
Master control system includes:Access authority verification module 611.
Access authority verification module 611 is used for receiving access request processing module 601 by answering that container path sends
After access request, according to access rights strategy currently stored in master control system, the access request of the application to receiving
Authority Verification is carried out, and authority the result is returned by container path.
It is preferred that as shown in fig. 6, the containment system of the embodiment of the present invention also includes:Access rights strategy acquisition module
602。
After access rights strategy acquisition module 602 is used for receiving access rights update notification, obtain from cloud server
Corresponding access rights strategy;The access rights strategy for obtaining is sent to master control system by container path.
And, as shown in fig. 6, the master control system of the embodiment of the present invention also includes:Access rights policy update module 612.
Access rights policy update module 612 carries out legitimate verification for the access rights strategy to obtaining;When legal
Property the result for it is legal when, the access rights strategy to having been stored in master control system is updated.
It is preferred that the access authority verification module 611 in master control system is additionally operable to return Authority Verification by container path
As a result after, when authority the result is for allowing, the access request of master control system record application, said container system and involved
Access rights strategy;When detect access rights strategy occur update, and update after access rights strategy to apply visit
When asking that the Authority Verification result of request is updated to forbid, after the containment system belonging to container path to application is returned and is updated
Authority Verification result.
And, the access request processing module 601 in containment system is additionally operable to determine the Authority Verification received after updating
As a result for, when forbidding, stopping is responded to the access request applied.
It is preferred that access rights strategy acquisition module 602 is specifically for obtaining corresponding access rights from cloud server
Tactful and its encrypted digest value and corresponding public key.
And, access rights policy update module 612 is specifically for the encrypted number according to the public key for obtaining to acquisition
According to being decrypted;When successful decryption, the digest value decrypted is obtained;After determining the digest value of access rights strategy of acquisition,
It is compared with the digest value after decryption;When comparative result is consistent, determine that legitimate verification result is legal.
It is preferred that access authority verification module 611 is specifically for according to containment system currently stored in master control system
Access rights strategy, the access request of the application to receiving carry out the Authority Verification of container levels;When the Authority Verification of container levels
When as a result for allowing, according to the access rights strategy of master control system currently stored in master control system, to the application that receives
Access request carries out the Authority Verification of master stage;When the Authority Verification result of master stage is for forbidding, it is determined that final authority is tested
Card result is for forbidding, and is returned to containment system by container path;Wherein, access rights strategy includes:The visit of master control system
Ask the access rights strategy of authorization policy and containment system.
It is preferred that access authority verification module 611 is specifically for when the access request applied is while be related in master control system
During the access rights strategy of the access rights strategy of currently stored safe domain system and non-secure domains system, according to safety
The access rights strategy of domain system, the access request to applying carry out the Authority Verification of container levels;Wherein, the access of containment system
Authorization policy includes the access rights strategy of the access rights strategy and non-secure domains containment system of security domain containment system.
Access request processing module 601 in said vesse system, and access rights strategy acquisition module 602, Yi Jizhu
Access authority verification module 611 in control system, and 612 function of access rights policy update module implementation method, Ke Yican
The particular content of the process step such as above-mentioned Fig. 3 and Fig. 4 is examined, here is omitted.
In the embodiment of the present invention, access rights strategy is all arranged in master control system, the containment system on master control system upper strata
After receiving the access request wherein applied, access request is forwarded to into master control system, by master control system according to it is default wherein
Access rights strategy Authority Verification is carried out to access request, when authority the result for allow when, notify the containment system root
Operated according to access request.Even if containment system is invaded by rogue program, due to there is no access rights plan in containment system
Slightly, rogue program cannot obtain access rights strategy from containment system;As master control system is located at the lower floor, no of containment system
The function of directly being interacted with user is provided, user cannot installation procedure into master control system, even if rogue program disguises oneself as
Using or parasitism also cannot be installed in master control system in the application, greatly strengthen the safety of master control system;Malice journey
Sequence is difficult to obtain the communication mode and approach between containment system and master control system, even if having invaded containment system, it is also difficult to invade
Enter master control system, it is impossible to obtain access rights strategy from master control system, still will be controlled by access rights strategy, it is difficult to
Steal the classified information in terminal unit;Therefore can be managed in control process in the access request to applying and ensure to access
The safety of authorization policy, so that improve the safety to the information in terminal unit on the whole.
And, in the embodiment of the present invention, the master control system or containment system in terminal unit is received under cloud server
After the authorization policy update notification sent out, manually intervened without the need for technical staff, the version of whole operation system need not be updated, just
Access rights strategy, and the access rights for having been stored in automatically updating this terminal unit can be obtained from cloud server automatically
Strategy, realizes the dynamic renewal of access rights strategy in this terminal unit, greatly improves renewal access rights strategy just
Profit.And, master control system carries out legitimate verification to the access rights strategy for obtaining, when being verified as legal, it is ensured that obtain
The access rights strategy for taking is not tampered with, and then the renewal of the authorization policy that conducted interviews according to legal access rights strategy, can
To ensure safety of the access rights strategy in dynamic updating process.Therefore, the embodiment of the present invention can ensure access right
On the basis of limit security policy, the dynamic renewal of access rights strategy, and the access rights strategy updated based on dynamic are realized
Access request to applying carries out management and control;Both the classified information in terminal unit had been protected, easily dynamic can have been updated and visited again
Authorization policy is asked, the efficiency of the access request of management and control application is lifted.
Further, in the embodiment of the present invention, master control system or containment system can obtain access right from cloud server
During limit strategy, the digest value and public key of the encrypted access rights strategy is obtained in the lump, and by master control system to acquisition
Access rights strategy carries out legitimate verification.Whether the digest value for obtaining can be decrypted according to the public key for obtaining, be sentenced
Whether the disconnected access rights strategy for obtaining is tampered;Whether the access rights strategy for comparing checking acquisition according to digest value is usurped
Change;When the comparative result of successful decryption and digest value is consistent, determine that the legitimate verification result is legal, according to legal visit
Ask that authorization policy carries out policy update;So as to the probability that the access rights strategy that reduce further acquisition is tampered, further
Strengthen the safety of the dynamic renewal access rights strategy of the embodiment of the present invention, and then enhancing updates access based on dynamic on the whole
The safety of the access management and control process of the application of authorization policy, lifts the safety of information in terminal unit.
Additionally, in the embodiment of the present invention, when authority the result is for allowing, the access of master control system record application please
Ask, said container system and involved access rights strategy.When master control system detect access rights strategy occur update, and
When the Authority Verification result of access request of the access rights strategy after renewal to applying is updated to forbid, to the appearance belonging to application
Device system is returned;Stop responding the access request applied by the containment system.So as to the terminal in the embodiment of the present invention
When the transmission dynamic of the access rights strategy stored in equipment updates, immediately according to the access rights strategy after renewal to application
Access request re-starts Authority Verification, so that the access rights strategy after updating produces effect in time, asks to accessing in time
Ask and limited, can prevent the classified information in terminal unit from leaking, further lift the safety of information in terminal unit.
Those skilled in the art of the present technique are appreciated that the present invention includes being related to for performing in operation described herein
One or more of equipment.These equipment can be for needed for purpose and specially design and manufacture, or can also include general
Known device in computer.These equipment have the computer program being stored in which, and these computer programs are optionally
Activation is reconstructed.During such computer program can be stored in equipment (for example, computer) computer-readable recording medium or it is stored in
It is suitable to store and e-command is coupled in any kind of medium of bus respectively, the computer-readable medium is included but not
Be limited to any kind of disk (including floppy disk, hard disk, CD, CD-ROM and magneto-optic disk), ROM (Read-Only Memory, only
Read memorizer), RAM (Random Access Memory, immediately memorizer), EPROM (Erasable Programmable
Read-Only Memory, Erarable Programmable Read only Memory), EEPROM (Electrically Erasable
Programmable Read-Only Memory, EEPROM), flash memory, magnetic card or light line card
Piece.It is, computer-readable recording medium include being stored in the form of it can read by equipment (for example, computer) or transmission information any Jie
Matter.
Those skilled in the art of the present technique be appreciated that can be realized with computer program instructions these structure charts and/or
The combination of each frame and these structure charts and/or block diagram and/or the frame in flow graph in block diagram and/or flow graph.This technology is led
Field technique personnel be appreciated that can by these computer program instructions be supplied to general purpose computer, special purpose computer or other
The processor of programmable data processing method realizing, so as to pass through the process of computer or other programmable data processing methods
Device is performing the scheme specified in the frame or multiple frames of structure chart disclosed by the invention and/or block diagram and/or flow graph.
Various operations that those skilled in the art of the present technique had been discussed in being appreciated that the present invention, method, in flow process
Step, measure, scheme can be replaced, changed, combined or deleted.Further, it is each with what is discussed in the present invention
Kind of operation, method, other steps in flow process, measure, scheme can also be replaced, changed, reset, decomposed, combined or deleted.
Further, it is of the prior art with the various operations disclosed in the present invention, method, flow process in step, measure, scheme
Can also be replaced, changed, reset, decomposed, combined or deleted.
The above is only some embodiments of the present invention, it is noted that for the ordinary skill people of the art
For member, under the premise without departing from the principles of the invention, some improvements and modifications can also be made, these improvements and modifications also should
It is considered as protection scope of the present invention.
Claims (10)
1. the access management-control method of a kind of application, it is characterised in that include:
After containment system receives the access request of its application, sent to master control system by the container path of built in advance;
After the master control system receives the access request of the application, according to access right currently stored in the master control system
Limit strategy, the access request of the application to receiving carry out Authority Verification, and are tested by container path return authority
Card result;
When the containment system determines the Authority Verification result for receiving for allowing, grasped according to the access request of the application
Make.
2. method according to claim 1, it is characterised in that the access rights strategy in the master control system is by under
State what method dynamic updated:
After the master control system receives access rights update notification, corresponding access rights strategy is obtained from cloud server;
The master control system carries out legitimate verification to the access rights strategy for obtaining;
When the legitimate verification result is legal, the access rights strategy to having been stored in the master control system is carried out more
Newly.
3. method according to claim 1, it is characterised in that the access rights strategy in the master control system is by under
State what method dynamic updated:
After the containment system receives access rights update notification, corresponding access rights strategy is obtained from cloud server;
The access rights strategy for obtaining is sent to the master control system by the containment system by the container path;
The master control system carries out legitimate verification to the access rights strategy for obtaining;
When the legitimate verification result is legal, the access rights strategy to having been stored in the master control system is carried out more
Newly.
4. according to the method in claim 2 or 3, it is characterised in that described that Authority Verification is returned by the container path
As a result, after, also include:
When the Authority Verification result is for allowing, the master control system records the access request of the application, said container system
System and involved access rights strategy;
When the master control system detect access rights strategy occur update, and update after access rights strategy to the application
The Authority Verification result of access request when being updated to forbid, returned using affiliated containment system to described by container path
Authority Verification result after renewal;
When the containment system determines the Authority Verification result after receiving the renewal for forbidding, stop the visit to the application
Ask that request is responded.
5. according to the method in claim 2 or 3, it is characterised in that described to obtain corresponding access right from cloud server
Limit strategy, including:
Corresponding access rights strategy and its encrypted digest value and corresponding public key are obtained from the cloud server;With
And
The master control system carries out legitimate verification to the access rights strategy for obtaining, including:
The master control system is decrypted to the encrypted data for obtaining according to the public key for obtaining;
When successful decryption, the digest value decrypted is obtained;
After determining the digest value of access rights strategy of acquisition, it is compared with the digest value after decryption;
When comparative result is consistent, determine that the legitimate verification result is legal.
6. method according to claim 1, it is characterised in that the access rights strategy includes:The master control system
The access rights strategy of access rights strategy and the containment system;And it is described according to currently stored in the master control system
Access rights strategy, the access request of the application to receiving carry out Authority Verification, including:
According to the access rights strategy of the currently stored containment system in the master control system, the application to receiving
Access request carry out the Authority Verification of container levels;
When the Authority Verification result of the container levels is for allowing, according to the currently stored master control system in the master control system
The access rights strategy of system, the access request of the application to receiving carry out the Authority Verification of master stage;
When the Authority Verification result of the master stage is for forbidding, it is determined that final Authority Verification result is for forbidding, and pass through institute
State container path to return to the containment system.
7. method according to claim 6, it is characterised in that the access rights strategy of the containment system includes security domain
The access rights strategy of the access rights strategy and non-secure domains containment system of containment system;And
The access rights strategy according to the currently stored containment system in the master control system, described in receiving
Using access request carry out the Authority Verification of container levels, including:
The access of currently stored described safe domain system in the access request of the application is related to the master control system simultaneously
During the access rights strategy of authorization policy and the non-secure domains system, according to the access rights plan of the safe domain system
Slightly, the Authority Verification of container levels is carried out to the access request of the application.
8. the access control device of a kind of application, it is characterised in that include:Master control system and at least one containment system;
Each containment system includes:
Access request processing module, for receiving after the access request which is applied, by the container path of built in advance to master control system
System sends;It is determined that when the Authority Verification result for receiving is for allowing, being operated according to the access request of the application;
The master control system includes:
Access authority verification module, for receiving after the access request of the application, according to currently depositing in the master control system
The access rights strategy of storage, the access request of the application to receiving carry out Authority Verification, and pass through the container path
Return authority the result.
9. device according to claim 8, it is characterised in that the master control system also includes:
Access rights strategy acquisition module, for receiving after access rights update notification, obtains corresponding from cloud server
Access rights strategy;
Access rights policy update module, carries out legitimate verification for the access rights strategy to obtaining;When the conjunction
When method the result is legal, the access rights strategy to having been stored in the master control system is updated.
10. device according to claim 8, it is characterised in that the containment system also includes:
Access rights strategy acquisition module, for receiving after access rights update notification, obtains corresponding from cloud server
Access rights strategy;The access rights strategy for obtaining is sent to the master control system by the container path;
The master control system also includes:
Access rights policy update module, carries out legitimate verification for the access rights strategy to obtaining;When the conjunction
When method the result is legal, the access rights strategy to having been stored in the master control system is updated.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201611069910.0A CN106534148B (en) | 2016-11-29 | 2016-11-29 | Access control method and device for application |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201611069910.0A CN106534148B (en) | 2016-11-29 | 2016-11-29 | Access control method and device for application |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN106534148A true CN106534148A (en) | 2017-03-22 |
| CN106534148B CN106534148B (en) | 2020-02-14 |
Family
ID=58355051
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201611069910.0A Active CN106534148B (en) | 2016-11-29 | 2016-11-29 | Access control method and device for application |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN106534148B (en) |
Cited By (13)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN106850688A (en) * | 2017-03-29 | 2017-06-13 | 宁夏灵智科技有限公司 | cloud platform key generation method and system |
| CN107395706A (en) * | 2017-07-13 | 2017-11-24 | 北京元心科技有限公司 | Mobile equipment and method and device for managing and controlling multi-system mobile equipment |
| CN107622213A (en) * | 2017-09-06 | 2018-01-23 | 努比亚技术有限公司 | A kind of data access method, terminal and computer-readable recording medium |
| CN107894886A (en) * | 2017-11-23 | 2018-04-10 | 北京九章云极科技有限公司 | The method, apparatus and terminal device of a kind of operation code |
| CN108182095A (en) * | 2018-01-16 | 2018-06-19 | 湖北省楚天云有限公司 | A kind of application dispositions method, device and equipment |
| CN109040069A (en) * | 2018-08-06 | 2018-12-18 | 江苏易安联网络技术有限公司 | A kind of dissemination method, delivery system and the access method of cloud application program |
| CN109241783A (en) * | 2018-08-14 | 2019-01-18 | 中国科学院信息工程研究所 | Mobile terminal manages implementation of strategies method and device |
| CN110008234A (en) * | 2019-04-11 | 2019-07-12 | 北京百度网讯科技有限公司 | A kind of business datum searching method, device and electronic equipment |
| CN110222480A (en) * | 2019-06-13 | 2019-09-10 | 红鼎互联(广州)信息科技有限公司 | The system and method that a kind of pair of software permission and behavior carry out security management and control |
| CN111222153A (en) * | 2020-01-07 | 2020-06-02 | 腾讯科技(深圳)有限公司 | Application program authority management method and device and storage medium |
| CN111259417A (en) * | 2020-01-13 | 2020-06-09 | 奇安信科技集团股份有限公司 | File processing method and device |
| CN111787006A (en) * | 2020-06-30 | 2020-10-16 | 北京经纬恒润科技有限公司 | Access control method and system for security application |
| CN112596740A (en) * | 2020-12-28 | 2021-04-02 | 北京千方科技股份有限公司 | Program deployment method and device |
Citations (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN103383724A (en) * | 2013-06-28 | 2013-11-06 | 记忆科技(深圳)有限公司 | Storing device and data access authority management method thereof |
| CN103514397A (en) * | 2013-09-29 | 2014-01-15 | 西安酷派软件科技有限公司 | Server, terminal and authority management and permission method |
| WO2015109593A1 (en) * | 2014-01-27 | 2015-07-30 | 华为技术有限公司 | Virtualization method and apparatus, and computer device |
| CN105872256A (en) * | 2016-06-03 | 2016-08-17 | 用友网络科技股份有限公司 | Mobile terminal access control method and system based on scene sensing |
-
2016
- 2016-11-29 CN CN201611069910.0A patent/CN106534148B/en active Active
Patent Citations (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN103383724A (en) * | 2013-06-28 | 2013-11-06 | 记忆科技(深圳)有限公司 | Storing device and data access authority management method thereof |
| CN103514397A (en) * | 2013-09-29 | 2014-01-15 | 西安酷派软件科技有限公司 | Server, terminal and authority management and permission method |
| WO2015109593A1 (en) * | 2014-01-27 | 2015-07-30 | 华为技术有限公司 | Virtualization method and apparatus, and computer device |
| CN105872256A (en) * | 2016-06-03 | 2016-08-17 | 用友网络科技股份有限公司 | Mobile terminal access control method and system based on scene sensing |
Cited By (15)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN106850688A (en) * | 2017-03-29 | 2017-06-13 | 宁夏灵智科技有限公司 | cloud platform key generation method and system |
| CN106850688B (en) * | 2017-03-29 | 2018-05-01 | 宁夏灵智科技有限公司 | Cloud platform key generation method and system |
| CN107395706A (en) * | 2017-07-13 | 2017-11-24 | 北京元心科技有限公司 | Mobile equipment and method and device for managing and controlling multi-system mobile equipment |
| CN107622213A (en) * | 2017-09-06 | 2018-01-23 | 努比亚技术有限公司 | A kind of data access method, terminal and computer-readable recording medium |
| CN107894886A (en) * | 2017-11-23 | 2018-04-10 | 北京九章云极科技有限公司 | The method, apparatus and terminal device of a kind of operation code |
| CN108182095A (en) * | 2018-01-16 | 2018-06-19 | 湖北省楚天云有限公司 | A kind of application dispositions method, device and equipment |
| CN109040069A (en) * | 2018-08-06 | 2018-12-18 | 江苏易安联网络技术有限公司 | A kind of dissemination method, delivery system and the access method of cloud application program |
| CN109241783A (en) * | 2018-08-14 | 2019-01-18 | 中国科学院信息工程研究所 | Mobile terminal manages implementation of strategies method and device |
| CN109241783B (en) * | 2018-08-14 | 2021-04-06 | 中国科学院信息工程研究所 | Implementation method and device for mobile terminal management and control strategy |
| CN110008234A (en) * | 2019-04-11 | 2019-07-12 | 北京百度网讯科技有限公司 | A kind of business datum searching method, device and electronic equipment |
| CN110222480A (en) * | 2019-06-13 | 2019-09-10 | 红鼎互联(广州)信息科技有限公司 | The system and method that a kind of pair of software permission and behavior carry out security management and control |
| CN111222153A (en) * | 2020-01-07 | 2020-06-02 | 腾讯科技(深圳)有限公司 | Application program authority management method and device and storage medium |
| CN111259417A (en) * | 2020-01-13 | 2020-06-09 | 奇安信科技集团股份有限公司 | File processing method and device |
| CN111787006A (en) * | 2020-06-30 | 2020-10-16 | 北京经纬恒润科技有限公司 | Access control method and system for security application |
| CN112596740A (en) * | 2020-12-28 | 2021-04-02 | 北京千方科技股份有限公司 | Program deployment method and device |
Also Published As
| Publication number | Publication date |
|---|---|
| CN106534148B (en) | 2020-02-14 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN106534148A (en) | Access control method and device for application | |
| CN106778291B (en) | The partition method and isolating device of application program | |
| US10691793B2 (en) | Performance of distributed system functions using a trusted execution environment | |
| CN110414268B (en) | Access control method, device, equipment and storage medium | |
| TWI549019B (en) | Computer-implemented method, computer system, and computer-readable storage device for tamper proof localtion services | |
| CN104683336B (en) | A kind of Android private data guard method and system based on security domain | |
| US20180337771A1 (en) | Policy enforcement via peer devices using a blockchain | |
| CN106330984B (en) | Dynamic updating method and device of access control strategy | |
| CN101572660B (en) | Comprehensive control method for preventing leakage of data | |
| US20060206720A1 (en) | Method, program and system for limiting I/O access of client | |
| CN102034052A (en) | Operation system architecture based on separation of permissions and implementation method thereof | |
| GB2520056A (en) | Digital data retention management | |
| US20190028456A1 (en) | System and method for injecting a tag into a computing resource | |
| CN106911814A (en) | Large-scale data distributed storage method | |
| CN114553540A (en) | Zero-trust-based Internet of things system, data access method, device and medium | |
| CN107147649A (en) | Data-optimized dispatching method based on cloud storage | |
| CN107135223A (en) | The data persistence method of Mass Data Management system | |
| CN106685981A (en) | Multi-system data encryption transmission method and device | |
| CN110766850B (en) | Visitor information management method, access control system, server and storage medium | |
| Sikder et al. | A survey on android security: development and deployment hindrance and best practices | |
| CN106778228A (en) | Control the method and device of application call | |
| CN101324913B (en) | Method and apparatus for protecting computer file | |
| CN104462899A (en) | Trust access control method for comprehensive avionics system | |
| CN106789928A (en) | Unlocking method and device based on system bidirectional authentication | |
| Zhang et al. | A Small Leak Will Sink Many Ships: Vulnerabilities Related to mini-programs Permissions |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| C06 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant | ||
| TR01 | Transfer of patent right |
Effective date of registration: 20210128 Address after: 101300 room 153, 1 / F, building 17, 16 Caixiang East Road, Nancai Town, Shunyi District, Beijing Patentee after: Yuanxin Information Technology Group Co.,Ltd. Address before: 100176 room 2222, building D, building 33, 99 Kechuang 14th Street, Beijing Economic and Technological Development Zone, Beijing Patentee before: BEIJING YUANXIN SCIENCE & TECHNOLOGY Co.,Ltd. |
|
| TR01 | Transfer of patent right | ||
| EE01 | Entry into force of recordation of patent licensing contract |
Application publication date: 20170322 Assignee: Beijing Yuanxin Junsheng Technology Co.,Ltd. Assignor: Yuanxin Information Technology Group Co.,Ltd. Contract record no.: X2021110000018 Denomination of invention: Application access control method and device Granted publication date: 20200214 License type: Common License Record date: 20210531 |
|
| EE01 | Entry into force of recordation of patent licensing contract |