CN106790119A - Attribute-based access control method and system - Google Patents
Attribute-based access control method and system
- Publication number: CN106790119A
- Application number: CN201611226188.7A
- Authority: CN (China)
- Prior art keywords: attribute, attribute information, request, attribute value, service provider
- Legal status: Granted
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/10—Network architectures or network communication protocols for network security for controlling access to devices or network resources
- H04L63/101—Access control lists [ACL]
- H04L63/105—Multiple levels of security
Abstract
The invention discloses an attribute-based access control method and system. The method comprises the granting and revocation of subject attribute information and of the attributes of specific subjects, the collection of environment attribute information, the creation of policies, the enforcement of policies, the acquisition of runtime attributes, and a unified request/response mode for data across these parts. Access control is realized by controlling subject and object attribute information together with environment attribute information, which addresses the poor security, heavy rights-management burden and difficult extension of traditional access control, and thereby achieves efficient access control.
Description
Technical field
The invention belongs to the field of access control technology, and more particularly relates to an attribute-based access control method and system.
Background technology
Access control technology is mainly used to protect data shared in large-scale systems against access by unauthorized users. With the rapid development of information technology, and of the Internet in particular, access control technology has also developed considerably.
Access control schemes can be divided by their authorization approach into Discretionary Access Control (DAC), Mandatory Access Control (MAC) and Role-Based Access Control (RBAC). In DAC the owner of an object manages that object and decides on his own whether to grant other subjects the access right, or part of the access right, to the object; this mode of control is autonomous, and a user can selectively share his files with other users as he wishes. However, this method can cause serious security problems, namely rights-transfer problems: for example, if A owns resource R and grants B access, and B in turn grants access to C, then C also has access to resource R, and data can leak. MAC prevents direct or indirect illegal intrusion through access restrictions that cannot be bypassed: the subject and the object of an access each carry a security level, and whether the subject may access the object is decided by comparing their security levels. Although MAC is welcomed by the military for its strict and explicit level classification and rights management, it lacks flexibility. RBAC has drawn wide attention as a promising replacement for traditional access control (such as DAC and MAC); in RBAC a user can hold multiple roles, which makes managing user rights convenient, and roles act as the bridge between users and access rights. But with the development of information technology and especially Internet technology, the network resources of many enterprises have become dispersed and the volume and variety of data keep growing, so existing access control technologies find it difficult to meet enterprise needs.
The content of the invention
In view of the above defects or improvement needs of the prior art, the invention provides an attribute-based access control method and system. Its objective is to provide an efficient access control method for dispersed and continually growing network resources, to make the control of access to resources unified and consistent, and thereby to solve the technical problems that traditional access control is inflexible, coarse-grained and hard to manage.
To achieve the above objective, according to one aspect of the invention there is provided an attribute-based access control method, comprising:
(1) the data provider judges whether the requesting user is an authenticated user; if not, it redirects the user's access request to the service provider;
(2) the service provider interprets the redirected access request as an authentication request plus a request for attribute information, and redirects both to the identity provider;
(3) the identity provider performs preliminary authentication and, if it succeeds, obtains subject attribute information;
(4) the identity provider redirects the user's authentication request to the attribute authority for further authentication;
(5) after receiving the further-authentication request, the attribute authority produces a warning value and judges whether it exceeds the warning threshold; if it does, the identity provider performs auxiliary authentication and then step (6) is performed; otherwise step (6) is entered directly;
(6) if the further authentication succeeds, a further-authentication-success instruction is returned to the identity provider, and the identity provider queries the environment attribute log to obtain environment attribute information;
(7) the identity provider produces a Security Assertion Markup Language (SAML) instruction and redirects it to the service provider; the SAML instruction contains the subject attribute information and the environment attribute information;
(8) after receiving the SAML instruction, the service provider sends a response instruction to the data provider, and the data provider sends an authentication cookie to the user's browser and establishes a session with that browser; the response instruction contains the subject attribute information and the environment attribute information;
(9) the policy enforcement point captures the access request of the authenticated user, collects the subject attribute information and environment attribute information stored in the standard assertion file together with the object attribute information of the data provider, and then sends the user's access request to the policy decision point;
(10) the policy decision point judges whether the subject attribute information, environment attribute information and object attribute information supplied by the policy enforcement point are sufficient to make an access decision; if so, step (12) is performed, otherwise step (11);
(11) the runtime attribute acquisition plug-in performs a supplementary attribute information request, and then step (12) is performed;
(12) according to the policy produced by the policy management center, the user's access request is allowed or denied;
(13) the policy decision point returns the access decision to the policy enforcement point, which enforces it.
Preferably, step (11) specifically comprises the following sub-steps:
(11-1) the runtime attribute acquisition plug-in obtains the attribute name needed for the access decision, then looks up in its local cache whether that attribute name was requested within the preset time; if so, step (11-2) is performed, otherwise step (11-3);
(11-2) the attribute value corresponding to the attribute name is returned to the policy decision point;
(11-3) the runtime attribute acquisition plug-in sends a request to the protocol intermediary to obtain the attribute value corresponding to the attribute name;
(11-4) after obtaining the attribute name, the protocol intermediary sends a query request to the service provider;
(11-5) after receiving the query request from the protocol intermediary, the service provider sends, through the attribute query plug-in, a query request to the real-time cache to confirm whether the real-time cache holds the attribute value for that attribute name; if it does not, step (11-6) is performed, otherwise the service provider obtains the attribute value that the attribute query plug-in fetched from the real-time cache and performs step (11-9);
(11-6) the attribute query plug-in sends the attribute name to the service provider in an attribute value acquisition request;
(11-7) after receiving the attribute value acquisition request sent by the attribute query plug-in, the service provider sends an attribute value query request to the identity provider;
(11-8) the identity provider responds to the service provider's attribute value query request and sends the queried attribute value to the service provider;
(11-9) the service provider verifies the validity of the attribute value and, once it is verified, performs step (11-10);
(11-10) the service provider sends an attribute value response instruction to the protocol intermediary; the response instruction contains the valid attribute value that was obtained;
(11-11) the protocol intermediary sends the received attribute value to the runtime attribute acquisition plug-in, which sends it to the policy decision point.
According to another aspect of the invention, there is provided an attribute-based access control system, comprising: a data provider, a service provider, an identity provider, an attribute authority, an environment attribute log, a policy enforcement point, a standard assertion file, a policy decision point, a runtime attribute acquisition plug-in and a policy management center;
the data provider is configured to judge whether the requesting user is an authenticated user and, if not, to redirect the user's access request to the service provider;
the service provider is configured to interpret the redirected access request as an authentication request plus a request for attribute information, and to redirect both to the identity provider;
the identity provider is configured to perform preliminary authentication and, if it succeeds, to obtain subject attribute information;
the identity provider is further configured to redirect the user's authentication request to the attribute authority for further authentication;
the attribute authority is configured, after receiving the further-authentication request, to produce a warning value and judge whether it exceeds the warning threshold and, if it does, to have the identity provider perform auxiliary authentication;
the attribute authority is further configured, when the further authentication succeeds, to return a further-authentication-success instruction to the identity provider, and the identity provider queries the environment attribute log to obtain environment attribute information;
the identity provider is configured to produce a Security Assertion Markup Language (SAML) instruction and redirect it to the service provider; the SAML instruction contains the subject attribute information and the environment attribute information;
the service provider is further configured, after receiving the SAML instruction, to send a response instruction to the data provider, and the data provider sends an authentication cookie to the user's browser and establishes a session with that browser; the response instruction contains the subject attribute information and the environment attribute information;
the policy enforcement point is configured to capture the access request of the authenticated user, collect the subject attribute information and environment attribute information stored in the standard assertion file together with the object attribute information of the data provider, and then send the user's access request to the policy decision point;
the policy decision point is configured to judge whether the subject attribute information, environment attribute information and object attribute information supplied by the policy enforcement point are sufficient to make an access decision;
the runtime attribute acquisition plug-in is configured to perform a supplementary attribute information request when the policy decision point cannot make an access decision from the subject attribute information, environment attribute information and object attribute information supplied by the policy enforcement point;
the policy decision point is further configured, once it can decide from the attribute information supplied by the policy enforcement point, or after the runtime attribute acquisition plug-in has performed the supplementary attribute information request, to allow or deny the user's access request according to the policy produced by the policy management center;
the policy decision point is further configured to return the access decision to the policy enforcement point, which enforces it.
Preferably, the system further comprises a protocol intermediary, a real-time cache and an attribute query plug-in; the runtime attribute acquisition plug-in cooperates with the protocol intermediary, the service provider, the identity provider, the attribute query plug-in and the real-time cache to perform the supplementary attribute information request:
the runtime attribute acquisition plug-in is configured to obtain the attribute name needed for the access decision, then look up in its local cache whether that attribute name was requested within the preset time; if so, it returns the corresponding attribute value to the policy decision point, otherwise it sends a request to the protocol intermediary to obtain the attribute value for that attribute name;
the protocol intermediary is configured, after obtaining the attribute name, to send a query request to the service provider;
the service provider is configured, after receiving the query request from the protocol intermediary, to send a query request to the real-time cache through the attribute query plug-in, so as to confirm whether the real-time cache holds the attribute value for that attribute name, and if it does, to obtain from the attribute query plug-in the attribute value fetched from the real-time cache;
the attribute query plug-in is configured, when the real-time cache holds no attribute value for that attribute name, to send the attribute name to the service provider in an attribute value acquisition request;
the service provider is further configured, after receiving the attribute value acquisition request sent by the attribute query plug-in, to send an attribute value query request to the identity provider;
the identity provider is configured to respond to the service provider's attribute value query request by sending the queried attribute value to the service provider;
the service provider is further configured to verify the validity of the attribute value and, once it is verified, to send an attribute value response instruction to the protocol intermediary; the response instruction contains the valid attribute value that was obtained;
the protocol intermediary is further configured to send the received attribute value to the runtime attribute acquisition plug-in, which sends it to the policy decision point.
In general, compared with the prior art, the technical scheme contemplated by the invention realizes access control by controlling subject and object attributes together with environment attributes, and can obtain the following beneficial effects:
(1) An access control mechanism based on subject and object attributes and environment attributes, designed for the more dispersed and more varied data of cloud storage, which retains the capabilities of traditional access control and also adapts well to more complex environments.
(2) The invention involves the following core parts: the granting and revocation of subject attributes and of the attributes of specific subjects, the collection of environment attributes, the creation of policies, the enforcement of policies, the acquisition of runtime attributes, and a unified request/response mode for data across these parts.
(3) On the policy definition side, the invention fully realizes the discretionary, mandatory and role-based access control modes, and policies can be flexibly created and deleted.
(4) Runtime attribute acquisition is based on a local cache, which lets the policy decision point reach decisions faster.
Brief description of the drawings
Fig. 1 is a flow diagram of an attribute-based access control method disclosed in an embodiment of the invention;
Fig. 2 is a diagram of the interaction structure of the modules in an attribute-based access control system disclosed in an embodiment of the invention.
Specific embodiment
To make the objectives, technical scheme and advantages of the invention clearer, the invention is further described below in conjunction with the drawings and embodiments. It should be understood that the specific embodiments described here merely illustrate the invention and do not limit it. In addition, the technical features involved in the embodiments described below may be combined with each other as long as they do not conflict.
Fig. 1 shows a flow diagram of an attribute-based access control method disclosed in an embodiment of the invention; the method shown in Fig. 1 comprises the following steps:
(1) the data provider judges whether the requesting user is an authenticated user; if not, it redirects the user's access request to the service provider;
Here the data provider can determine whether the current user has already been authenticated by checking the content of the user's HTTP (Hyper Text Transfer Protocol) request.
(2) the service provider interprets the redirected access request as an authentication request plus a request for attribute information, and redirects both to the identity provider;
(3) the identity provider performs preliminary authentication and, if it succeeds, obtains subject attribute information;
Here the subject attribute information can be provided by an identity management repository. The identity management repository manages subject attribute information for the identity provider: it can grant and revoke subject identities, and create, modify and delete subject attribute information, including granting and revoking the attributes of specific subjects; it is the source of subject attribute information.
(4) the identity provider redirects the user's authentication request to the attribute authority for further authentication;
(5) after receiving the further-authentication request, the attribute authority produces a warning value and judges whether it exceeds the warning threshold; if it does, the identity provider performs auxiliary authentication and then step (6) is performed; otherwise step (6) is entered directly;
(6) if the further authentication succeeds, a further-authentication-success instruction is returned to the identity provider, and the identity provider queries the environment attribute log to obtain environment attribute information;
(7) the identity provider produces a Security Assertion Markup Language (SAML) instruction and redirects it to the service provider; the SAML instruction contains the subject attribute information and the environment attribute information;
(8) after receiving the SAML instruction, the service provider sends a response instruction to the data provider, and the data provider sends an authentication cookie to the user's browser and establishes a session with that browser; the response instruction contains the subject attribute information and the environment attribute information;
Here the subject attribute information and environment attribute information from the identity provider are stored in the standard assertion file.
(9) the policy enforcement point captures the access request of the authenticated user, collects the subject attribute information and environment attribute information stored in the standard assertion file together with the object attribute information of the data provider, and then sends the user's access request to the policy decision point;
(10) the policy decision point judges whether the subject attribute information, environment attribute information and object attribute information supplied by the policy enforcement point are sufficient to make an access decision; if so, step (12) is performed, otherwise step (11);
(11) the runtime attribute acquisition plug-in performs a supplementary attribute information request, and then step (12) is performed;
(12) according to the policy produced by the policy management center, the user's access request is allowed or denied;
(13) the policy decision point returns the access decision to the policy enforcement point, which enforces it.
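Steps (9) to (13) as an added, self-contained Python illustration; this is not code from the patent, and the attribute names, the sample assertion file, the object attributes and the two-rule policy are all constructed for the demonstration. The policy decision point reports which attribute names the policy refers to but the enforcement point did not supply, fetches them through a stand-in for the runtime attribute acquisition plug-in, and fails closed to Deny when an attribute is still unknown or no rule applies.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

PERMIT, DENY = "Permit", "Deny"
Attrs = Dict[str, object]


@dataclass
class Rule:
    """One rule of a policy produced by the policy management center (constructed).
    Attribute names are prefixed with their category: subject., environment., object."""
    effect: str          # PERMIT or DENY
    conditions: Attrs    # attribute name -> value the attribute must equal


class PolicyDecisionPoint:
    def __init__(self, rules: List[Rule],
                 supplement: Callable[[str, Attrs], Optional[object]]) -> None:
        self.rules = rules
        self.supplement = supplement  # runtime attribute acquisition plug-in, step (11)

    def missing_attributes(self, attrs: Attrs) -> List[str]:
        """Step (10): names the policy refers to that the PEP did not supply."""
        needed = {name for rule in self.rules for name in rule.conditions}
        return sorted(name for name in needed if name not in attrs)

    def decide(self, attrs: Attrs) -> str:
        attrs = dict(attrs)
        # Step (11): ask the plug-in for every attribute that is still missing.
        for name in self.missing_attributes(attrs):
            value = self.supplement(name, attrs)
            if value is not None:
                attrs[name] = value
        # Step (12): first applicable rule wins; an attribute that is still
        # unknown, or no applicable rule at all, fails closed to Deny.
        for rule in self.rules:
            if any(name not in attrs for name in rule.conditions):
                return DENY
            if all(attrs[name] == value for name, value in rule.conditions.items()):
                return rule.effect
        return DENY


class PolicyEnforcementPoint:
    def __init__(self, pdp: PolicyDecisionPoint, assertion_file: Dict[str, Dict[str, Attrs]],
                 object_attrs: Dict[str, Attrs]) -> None:
        self.pdp, self.assertion_file, self.object_attrs = pdp, assertion_file, object_attrs

    def handle(self, user: str, resource: str) -> str:
        """Steps (9) and (13): collect subject/environment attributes from the
        standard assertion file and object attributes from the data provider,
        forward them to the PDP and enforce the returned decision."""
        if user not in self.assertion_file or resource not in self.object_attrs:
            return DENY  # unauthenticated user or unknown object
        record = self.assertion_file[user]
        attrs: Attrs = {}
        attrs.update({f"subject.{k}": v for k, v in record["subject"].items()})
        attrs.update({f"environment.{k}": v for k, v in record["environment"].items()})
        attrs.update({f"object.{k}": v for k, v in self.object_attrs[resource].items()})
        return self.pdp.decide(attrs)


def runtime_attribute_plugin(name: str, attrs: Attrs) -> Optional[object]:
    """Stand-in for the runtime attribute acquisition plug-in (constructed):
    derives an attribute that the assertion file does not carry."""
    if name == "environment.login_region_allowed":
        return str(attrs.get("environment.login_region", "")).startswith("CN-")
    return None


# Constructed sample data standing in for the assertion file, the data
# provider's object attributes and a policy from the policy management center.
ASSERTION_FILE = {
    "alice": {"subject": {"department": "finance", "clearance": 3},
              "environment": {"login_region": "CN-HUB"}},
    "bob": {"subject": {"department": "finance", "clearance": 1},
            "environment": {"login_region": "US-CA"}},
}
OBJECT_ATTRS = {
    "budget.xlsx": {"owner_department": "finance"},
    "leads.csv": {"owner_department": "sales"},
}
POLICY = [
    Rule(DENY, {"environment.login_region_allowed": False}),
    Rule(PERMIT, {"subject.department": "finance", "object.owner_department": "finance"}),
]

PEP = PolicyEnforcementPoint(PolicyDecisionPoint(POLICY, runtime_attribute_plugin),
                             ASSERTION_FILE, OBJECT_ATTRS)

if __name__ == "__main__":
    for user, resource in [("alice", "budget.xlsx"), ("bob", "budget.xlsx"), ("alice", "leads.csv")]:
        print(user, resource, PEP.handle(user, resource))
```

The fail-closed rule in `decide` is the part worth keeping in any real PDP: if the supplementary request cannot produce an attribute the policy depends on, the request is denied rather than evaluated against a partial attribute set.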
Preferably, step (11) specifically comprises the following sub-steps:
(11-1) the runtime attribute acquisition plug-in obtains the attribute name needed for the access decision, then looks up in its local cache whether that attribute name was requested within the preset time; if so, step (11-2) is performed, otherwise step (11-3);
(11-2) the attribute value corresponding to the attribute name is returned to the policy decision point;
(11-3) the runtime attribute acquisition plug-in sends a request to the protocol intermediary to obtain the attribute value corresponding to the attribute name;
(11-4) after obtaining the attribute name, the protocol intermediary sends a query request to the service provider;
(11-5) after receiving the query request from the protocol intermediary, the service provider sends, through the attribute query plug-in, a query request to the real-time cache to confirm whether the real-time cache holds the attribute value for that attribute name; if it does not, step (11-6) is performed, otherwise the service provider obtains the attribute value that the attribute query plug-in fetched from the real-time cache and performs step (11-9);
(11-6) the attribute query plug-in sends the attribute name to the service provider in an attribute value acquisition request;
(11-7) after receiving the attribute value acquisition request sent by the attribute query plug-in, the service provider sends an attribute value query request to the identity provider;
(11-8) the identity provider responds to the service provider's attribute value query request and sends the queried attribute value to the service provider;
(11-9) the service provider verifies the validity of the attribute value and, once it is verified, performs step (11-10);
(11-10) the service provider sends an attribute value response instruction to the protocol intermediary; the response instruction contains the valid attribute value that was obtained;
(11-11) the protocol intermediary sends the received attribute value to the runtime attribute acquisition plug-in, which sends it to the policy decision point.
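The sub-steps (11-1) to (11-11) as an added Python example (not the patent's own code): a local cache in the runtime attribute acquisition plug-in that is trusted only within the preset time, a protocol intermediary, and a service provider that consults the real-time cache before the identity provider and validates the value before caching or returning it. The schema used for the validity check, the sample attribute values (one deliberately of the wrong type) and the controllable `FakeClock` are constructed for the demonstration.

```python
import time
from typing import Any, Callable, Dict, List, Optional, Tuple

# Expected type of each attribute (constructed); used by the validity check.
SCHEMA: Dict[str, type] = {"subject.clearance": int, "subject.department": str}


def schema_validator(name: str, value: Any) -> bool:
    """Step (11-9): a value is valid only if the attribute is known to the
    schema and has the expected type (bool is rejected as a stand-in for int)."""
    return name in SCHEMA and isinstance(value, SCHEMA[name]) and not isinstance(value, bool)


class IdentityProvider:
    """Authoritative source of attribute values (constructed data); step (11-8)."""

    def __init__(self, attributes: Dict[str, Any]) -> None:
        self.attributes = attributes
        self.queries: List[str] = []  # every query it answered, for the demonstration

    def query(self, name: str) -> Optional[Any]:
        self.queries.append(name)
        return self.attributes.get(name)


class RealTimeCache:
    """The real-time cache the attribute query plug-in consults; step (11-5)."""

    def __init__(self) -> None:
        self.store: Dict[str, Any] = {}

    def get(self, name: str) -> Optional[Any]:
        return self.store.get(name)

    def put(self, name: str, value: Any) -> None:
        self.store[name] = value


class ServiceProvider:
    """Steps (11-5) to (11-10): real-time cache first, identity provider second,
    validity check before anything is cached or returned."""

    def __init__(self, idp: IdentityProvider, cache: RealTimeCache,
                 validator: Callable[[str, Any], bool]) -> None:
        self.idp, self.cache, self.validator = idp, cache, validator

    def handle_query(self, name: str) -> Optional[Any]:
        value = self.cache.get(name)              # (11-5) via the attribute query plug-in
        if value is None:
            value = self.idp.query(name)          # (11-6) to (11-8)
            if value is None or not self.validator(name, value):
                return None                       # (11-9) failed: nothing is cached
            self.cache.put(name, value)
            return value                          # (11-10)
        return value if self.validator(name, value) else None


class ProtocolIntermediary:
    """Relays the attribute name to the service provider and the value back;
    steps (11-3), (11-4) and (11-11)."""

    def __init__(self, sp: ServiceProvider) -> None:
        self.sp = sp

    def fetch(self, name: str) -> Optional[Any]:
        return self.sp.handle_query(name)


class RuntimeAttributePlugin:
    """Steps (11-1) and (11-2): the local cache is trusted only for the preset
    time; otherwise the request goes through the protocol intermediary."""

    def __init__(self, intermediary: ProtocolIntermediary, preset_time: float,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.intermediary, self.preset_time, self.clock = intermediary, preset_time, clock
        self.local: Dict[str, Tuple[Any, float]] = {}  # name -> (value, time requested)

    def get(self, name: str) -> Optional[Any]:
        hit = self.local.get(name)
        if hit is not None and self.clock() - hit[1] < self.preset_time:
            return hit[0]                             # (11-2)
        value = self.intermediary.fetch(name)         # (11-3)
        if value is not None:
            self.local[name] = (value, self.clock())
        return value


class FakeClock:
    """Controllable clock so the preset-time expiry can be shown deterministically."""

    def __init__(self) -> None:
        self.now = 0.0

    def __call__(self) -> float:
        return self.now


def build_chain(clock: Callable[[], float], preset_time: float = 60.0):
    # "subject.department" deliberately holds a value of the wrong type.
    idp = IdentityProvider({"subject.clearance": 3, "subject.department": 42})
    sp = ServiceProvider(idp, RealTimeCache(), schema_validator)
    return RuntimeAttributePlugin(ProtocolIntermediary(sp), preset_time, clock), idp


def demo() -> Tuple[List[Any], List[str]]:
    """Constructed walk-through: fresh fetch, local-cache hit, expiry served from
    the real-time cache, a value that fails validation, an unknown attribute."""
    clock = FakeClock()
    plugin, idp = build_chain(clock, preset_time=60.0)
    results = [plugin.get("subject.clearance")]        # local miss, real-time miss, IdP
    clock.now = 30.0
    results.append(plugin.get("subject.clearance"))    # within preset time: local cache
    clock.now = 100.0
    results.append(plugin.get("subject.clearance"))    # local stale: real-time cache hit
    results.append(plugin.get("subject.department"))   # IdP value fails the validity check
    results.append(plugin.get("subject.missing"))      # unknown attribute
    return results, list(idp.queries)
```

Running `demo()` shows the identity provider answering only once for `subject.clearance`: the second request is served from the plug-in's local cache, and the third, after the preset time has passed, from the real-time cache behind the service provider. Invalid values are never cached at either level, so a bad value at the source cannot be pinned in a cache until its preset time expires.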
Fig. 2 shows the interaction structure of the modules in an attribute-based access control system disclosed in an embodiment of the invention, which specifically comprises:
a data provider, configured to judge whether the requesting user is an authenticated user and, if not, to redirect the user's access request to the service provider;
a service provider, configured to interpret the redirected access request as an authentication request plus a request for attribute information, and to redirect both to the identity provider;
an identity provider, configured to perform preliminary authentication and, if it succeeds, to obtain subject attribute information;
Here the subject attribute information can be provided by an identity management repository. The identity management repository manages subject attribute information for the identity provider: it can grant and revoke subject identities, and create, modify and delete subject attribute information, including granting and revoking the attributes of specific subjects; it is the source of subject attribute information.
the identity provider is further configured to redirect the user's authentication request to the attribute authority for further authentication;
an attribute authority, configured, after receiving the further-authentication request, to produce a warning value and judge whether it exceeds the warning threshold and, if it does, to have the identity provider perform auxiliary authentication;
Here the attribute authority (AA) collects environment attribute information and system information about the user at login, for example the user's location at login, which makes it possible to prevent people outside a designated area from accessing the resources concerned.
the attribute authority is further configured, when the further authentication succeeds, to return a further-authentication-success instruction to the identity provider, and the identity provider queries the environment attribute log to obtain environment attribute information;
Here the environment attribute log contains the event ID of each authentication of the user and the environment attribute information collected by the attribute authority at each authentication.
An event log acquisition plug-in is responsible for the interaction between the identity provider and the attribute authority: it supplies the event ID of the user's authentication to the identity provider, so that the identity provider can query the environment attribute log by that event ID and obtain the environment attribute information.
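An added Python example (not from the patent) of the attribute authority, the environment attribute log and the event log acquisition plug-in described above: the authority collects login attributes, writes them to the log under a fresh event ID, and the identity provider later reads them back by that ID. The warning-value scoring, the designated regions, the threshold and the auxiliary-authentication stand-in are assumptions of this example; the patent only says that a warning value is produced and compared with a threshold.

```python
import uuid
from typing import Dict, List, Optional, Tuple

EnvAttrs = Dict[str, object]


class EnvironmentAttributeLog:
    """One entry per authentication, keyed by its event ID, holding the
    environment attributes the attribute authority collected for that event."""

    def __init__(self) -> None:
        self.entries: Dict[str, EnvAttrs] = {}

    def record(self, event_id: str, attrs: EnvAttrs) -> None:
        self.entries[event_id] = dict(attrs)

    def lookup(self, event_id: str) -> Optional[EnvAttrs]:
        return self.entries.get(event_id)


class AttributeAuthority:
    """Step (5): collects environment attributes at login, produces a warning
    value and compares it with the warning threshold."""

    def __init__(self, log: EnvironmentAttributeLog, designated_regions: List[str],
                 warning_threshold: int) -> None:
        self.log = log
        self.designated_regions = set(designated_regions)
        self.warning_threshold = warning_threshold

    def warning_value(self, env: EnvAttrs) -> int:
        # The scoring is an assumption of this example; the patent does not
        # define how the warning value is computed.
        score = 0
        if env["login_region"] not in self.designated_regions:
            score += 60  # login from outside the designated area
        if not env["device_known"]:
            score += 30  # device not seen before for this user
        if not 8 <= env["login_hour"] < 20:
            score += 20  # outside normal working hours
        return score

    def further_authenticate(self, user: str, login_info: EnvAttrs) -> Tuple[str, bool]:
        """Returns the event ID of this authentication and whether the warning
        value exceeded the threshold, i.e. auxiliary authentication is needed."""
        env: EnvAttrs = {
            "user": user,
            "login_region": login_info["region"],
            "device_known": login_info["device_known"],
            "login_hour": login_info["hour"],
        }
        env["region_allowed"] = env["login_region"] in self.designated_regions
        warning = self.warning_value(env)
        env["warning_value"] = warning
        event_id = uuid.uuid4().hex      # event ID of this authentication
        self.log.record(event_id, env)   # written to the environment attribute log
        return event_id, warning > self.warning_threshold


class EventLogAcquisitionPlugin:
    """Sits between identity provider and attribute authority and hands the
    authentication's event ID to the identity provider."""

    def __init__(self, aa: AttributeAuthority) -> None:
        self.aa = aa

    def further_authenticate(self, user: str, login_info: EnvAttrs) -> Tuple[str, bool]:
        return self.aa.further_authenticate(user, login_info)


class IdentityProvider:
    """Steps (5) and (6): runs auxiliary authentication when the attribute
    authority asks for it, then queries the environment attribute log by event
    ID to obtain the environment attribute information."""

    def __init__(self, plugin: EventLogAcquisitionPlugin, log: EnvironmentAttributeLog,
                 aux_enrolled: List[str]) -> None:
        self.plugin = plugin
        self.log = log
        self.aux_enrolled = set(aux_enrolled)  # users who can pass the auxiliary check

    def auxiliary_authentication(self, user: str) -> bool:
        # Stand-in for the auxiliary check (for example a second factor);
        # constructed to succeed only for enrolled users.
        return user in self.aux_enrolled

    def authenticate(self, user: str, login_info: EnvAttrs) -> Tuple[bool, Optional[EnvAttrs]]:
        event_id, needs_aux = self.plugin.further_authenticate(user, login_info)
        if needs_aux and not self.auxiliary_authentication(user):
            return False, None
        return True, self.log.lookup(event_id)


def build_system() -> Tuple[IdentityProvider, AttributeAuthority]:
    """Wire the constructed components together; designated regions, threshold
    and the enrolled user are sample values."""
    log = EnvironmentAttributeLog()
    aa = AttributeAuthority(log, designated_regions=["CN-HUB", "CN-BJ"], warning_threshold=50)
    idp = IdentityProvider(EventLogAcquisitionPlugin(aa), log, aux_enrolled=["carol"])
    return idp, aa


if __name__ == "__main__":
    idp, _ = build_system()
    print(idp.authenticate("alice", {"region": "CN-HUB", "device_known": True, "hour": 10}))
    print(idp.authenticate("bob", {"region": "US-CA", "device_known": False, "hour": 3}))
```

Note that the log entry is written before the threshold decision, so a login that fails auxiliary authentication still leaves an event record with its warning value; that record is what an auditor would want to see for the failed attempt. The `region_allowed` attribute read back from the log is the environment attribute a policy would use to restrict users outside the designated area.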
the identity provider is configured to produce a Security Assertion Markup Language (SAML) instruction and redirect it to the service provider; the SAML instruction contains the subject attribute information and the environment attribute information;
the service provider is further configured, after receiving the SAML instruction, to send a response instruction to the data provider, and the data provider sends an authentication cookie to the user's browser and establishes a session with that browser; the response instruction contains the subject attribute information and the environment attribute information;
Here the subject attribute information and environment attribute information from the identity provider are stored in the standard assertion file. The identity provider obtains subject attribute information and environment attribute information from the standard assertion file through a secure password processing function, which verifies whether the password supplied by the service provider is valid;
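An added Python example (not the patent's code) of the SAML assertion exchanged in steps (7) and (8): the identity provider puts subject and environment attributes into an `AttributeStatement` of a SAML 2.0 assertion, and the service provider checks the `NotOnOrAfter` condition and splits the attributes back into the two sets that make up the standard assertion file. The category prefix on attribute names, the sample values and the expiry window are constructed; the secure password processing function is not modelled.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from typing import Dict, Tuple

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("saml", SAML_NS)
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"
Attrs = Dict[str, str]


def q(tag: str) -> str:
    """Qualify a tag with the SAML 2.0 assertion namespace."""
    return f"{{{SAML_NS}}}{tag}"


def build_assertion(subject_id: str, subject_attrs: Attrs, env_attrs: Attrs,
                    assertion_id: str, issuer: str, not_on_or_after: datetime) -> str:
    """Identity-provider side of step (7): carry subject and environment
    attributes in the AttributeStatement.  The 'subject:' / 'environment:'
    prefix on the attribute Name is an assumption of this example."""
    assertion = ET.Element(q("Assertion"), {
        "ID": assertion_id, "Version": "2.0",
        "IssueInstant": datetime.now(timezone.utc).strftime(TIME_FMT)})
    ET.SubElement(assertion, q("Issuer")).text = issuer
    subject = ET.SubElement(assertion, q("Subject"))
    ET.SubElement(subject, q("NameID")).text = subject_id
    ET.SubElement(assertion, q("Conditions"),
                  {"NotOnOrAfter": not_on_or_after.strftime(TIME_FMT)})
    statement = ET.SubElement(assertion, q("AttributeStatement"))
    for category, attrs in (("subject", subject_attrs), ("environment", env_attrs)):
        for name, value in attrs.items():
            attribute = ET.SubElement(statement, q("Attribute"), {"Name": f"{category}:{name}"})
            ET.SubElement(attribute, q("AttributeValue")).text = str(value)
    return ET.tostring(assertion, encoding="unicode")


def parse_assertion(xml_text: str, now: datetime) -> Tuple[str, Dict[str, Attrs]]:
    """Service-provider side of step (8): reject an expired or malformed
    assertion, then split the attributes into the subject and environment sets
    that go into the standard assertion file."""
    root = ET.fromstring(xml_text)
    if root.tag != q("Assertion"):
        raise ValueError("not a SAML 2.0 assertion")
    conditions = root.find(q("Conditions"))
    if conditions is None or conditions.get("NotOnOrAfter") is None:
        raise ValueError("assertion carries no validity window")
    expiry = datetime.strptime(conditions.get("NotOnOrAfter"), TIME_FMT).replace(tzinfo=timezone.utc)
    if now >= expiry:
        raise ValueError("assertion expired")
    name_id = root.findtext(f"{q('Subject')}/{q('NameID')}")
    if not name_id:
        raise ValueError("assertion has no NameID")
    attrs: Dict[str, Attrs] = {"subject": {}, "environment": {}}
    for attribute in root.iter(q("Attribute")):
        category, sep, name = attribute.get("Name", "").partition(":")
        if not sep or category not in attrs or not name:
            raise ValueError(f"unexpected attribute name {attribute.get('Name')!r}")
        attrs[category][name] = attribute.findtext(q("AttributeValue")) or ""
    return name_id, attrs


def demo() -> Tuple[str, Dict[str, Attrs], bool]:
    """Constructed round trip: build at a fixed time, parse within the window,
    then confirm the same assertion is rejected after the window."""
    now = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    xml_text = build_assertion(
        "alice", {"department": "finance"},
        {"login_region": "CN-HUB", "event_id": "evt-0001"},   # constructed event ID
        "_a1b2c3", "https://idp.example.test", now + timedelta(minutes=5))
    name_id, attrs = parse_assertion(xml_text, now)
    try:
        parse_assertion(xml_text, now + timedelta(minutes=10))
        rejected_after_expiry = False
    except ValueError:
        rejected_after_expiry = True
    return name_id, attrs, rejected_after_expiry
```

Two things a deployed service provider adds before trusting these values, which this example leaves out: verification of the XML signature (and of the Audience in Conditions) so that the attributes really came from the identity provider, and parsing with a hardened parser such as defusedxml rather than the standard library's `ET.fromstring` for input that arrives over a redirect from the browser.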
a policy enforcement point, configured to capture the access request of the authenticated user, collect the subject attribute information and environment attribute information stored in the standard assertion file together with the object attribute information of the data provider, and then send the user's access request to the policy decision point;
a policy decision point, configured to judge whether the subject attribute information, environment attribute information and object attribute information supplied by the policy enforcement point are sufficient to make an access decision;
Here the data provider is coupled to the policy decision point and the policy enforcement point.
a runtime attribute acquisition plug-in, configured to perform a supplementary attribute information request when the policy decision point cannot make an access decision from the subject attribute information, environment attribute information and object attribute information supplied by the policy enforcement point;
the policy decision point is further configured, once it can decide from the attribute information supplied by the policy enforcement point, or after the runtime attribute acquisition plug-in has performed the supplementary attribute information request, to allow or deny the user's access request according to the policy produced by the policy management center;
Here the policy management center is used to produce policies and provides functions such as auditing, logging and reporting.
the policy decision point is further configured to return the access decision to the policy enforcement point, which enforces it.
Preferably, agreement third side, in time caching, attribute query plug-in unit are gone back in the system shown in Fig. 2;And run mode belongs to
Property obtain plug-in unit and agreement third side, service provider, identity provider, attribute query plug-in unit and cache cooperation in time and carry out
Complementary attribute information obtains request:
Run mode attribute obtains plug-in unit, for obtaining the attribute-name that the judgement that conducts interviews determines to need, is then locally delaying
Deposit whether the lookup attribute-name was requested in Preset Time, if so, then returning the corresponding property value of the attribute-name
Back to strategic decision-making device, otherwise, sent to agreement third side and asked, obtain the corresponding property value of the attribute-name;
Agreement third side, for after the attribute-name is obtained, inquiry request being sent to service provider;
Service provider, for receive agreement third side transmission inquiry request after, by attribute query plug-in unit to
Caching sends inquiry request in time, to confirm to whether there is the corresponding property value of the attribute-name in caching in time, if in the presence of,
The property value that attribute query plug-in unit is obtained from caching in time is obtained by service provider;
Attribute query plug-in unit, in property value corresponding in the absence of the attribute-name in caching in time, by the category
Property name be sent to service provider carry out property value obtain request;
Service provider, is additionally operable to after the property value for receiving the transmission of attribute query plug-in unit obtains request, is carried to identity
Supplier sends property value inquiry request;
Identity provider, the property value inquiry request for responding service provider transmission, sends to service provider and looks into
The property value ask;
Service provider, is additionally operable to verify the validity of property value, and after being verified, is sent to agreement third side and belonged to
Property value response instruction, property value response instruction includes the effective property value for getting;
Agreement third side, is additionally operable to the property value for receiving to be sent to run mode attribute acquisition plug-in unit, by run mode attribute
Obtain plug-in unit and property value is sent to strategic decision-making device.
It will be readily understood by those skilled in the art that the foregoing describes only preferred embodiments of the present invention and is not intended to limit it; any modification, equivalent replacement or improvement made within the spirit and principles of the present invention shall fall within its scope of protection.
Claims (4)
1. An attribute-based access control method, characterized in that it comprises:
(1) a data provider judges whether the requesting user is a trusted user; if not, the requesting user's access request is redirected to a service provider;
(2) the service provider interprets the redirected access request as an authentication request and an attribute information acquisition request, and redirects the authentication request and the attribute information acquisition request to an identity provider;
(3) the identity provider performs preliminary authentication and, if authentication succeeds, obtains subject attribute information;
(4) the identity provider redirects the requesting user's authentication request to an attribute authority for further authentication;
(5) after receiving the further authentication request, the attribute authority produces an early-warning value and judges whether the early-warning value exceeds a warning threshold; if it does, assisted authentication is performed by the identity provider and step (6) is executed; if it does not, step (6) is executed directly;
(6) if further authentication succeeds, a further-authentication-success instruction is returned to the identity provider, and the identity provider queries an environment attribute log to obtain environment attribute information;
(7) the identity provider produces a Security Assertion Markup Language (SAML) instruction and redirects the SAML instruction to the service provider, wherein the SAML instruction includes the subject attribute information and the environment attribute information;
(8) after receiving the SAML instruction, the service provider sends a response instruction to the data provider, and the data provider sends an authentication cookie to the requesting user's browser and establishes a session with the requesting user's browser, wherein the response instruction includes the subject attribute information and the environment attribute information;
(9) a policy enforcement point captures the access request of the trusted requesting user, collects and stores in a standard declaration file the subject attribute information, the environment attribute information and the object attribute information of the data provider, and then sends the requesting user's access request to a policy decision point;
(10) the policy decision point judges whether the subject attribute information, environment attribute information and object attribute information provided by the policy enforcement point are sufficient to make an access decision; if so, step (12) is executed; if not, step (11) is executed;
(11) a supplementary attribute information acquisition request is performed by a runtime attribute acquisition plug-in, and step (12) is executed;
(12) whether to allow or refuse the requesting user's access request is determined according to the policy produced by a policy administration center;
(13) the policy decision point returns the access decision result to the policy enforcement point, and the policy enforcement point enforces the access decision result.
2. The method according to claim 1, characterized in that step (11) specifically comprises the following sub-steps:
(11-1) the runtime attribute acquisition plug-in obtains the attribute name needed to make the access decision, and then looks up in a local cache whether that attribute name was requested within a preset time; if so, step (11-2) is executed; otherwise, step (11-3) is executed;
(11-2) the attribute value corresponding to the attribute name is returned to the policy decision point;
(11-3) the runtime attribute acquisition plug-in sends a request to an agreed third party to obtain the attribute value corresponding to the attribute name;
(11-4) after obtaining the attribute name, the agreed third party sends a query request to the service provider;
(11-5) after receiving the query request sent by the agreed third party, the service provider sends a query request to a timely cache through an attribute query plug-in, so as to confirm whether the attribute value corresponding to the attribute name exists in the timely cache; if it does not exist, step (11-6) is executed; otherwise, the service provider obtains the attribute value that the attribute query plug-in retrieved from the timely cache, and step (11-9) is executed;
(11-6) the attribute query plug-in sends the attribute name to the service provider as an attribute value acquisition request;
(11-7) after receiving the attribute value acquisition request sent by the attribute query plug-in, the service provider sends an attribute value query request to the identity provider;
(11-8) the identity provider responds to the attribute value query request sent by the service provider and sends the queried attribute value to the service provider;
(11-9) the service provider verifies the validity of the attribute value and, after verification passes, executes step (11-10);
(11-10) the service provider sends an attribute value response instruction to the agreed third party, the attribute value response instruction including the valid attribute value that was obtained;
(11-11) the agreed third party sends the received attribute value to the runtime attribute acquisition plug-in, and the runtime attribute acquisition plug-in sends the attribute value to the policy decision point.
3. An attribute-based access control system, characterized in that it comprises: a data provider, a service provider, an identity provider, an attribute authority, an environment attribute log, a policy enforcement point, a standard declaration file, a policy decision point, a runtime attribute acquisition plug-in and a policy administration center;
the data provider is used to judge whether the requesting user is a trusted user and, if not, to redirect the requesting user's access request to the service provider;
the service provider is used to interpret the redirected access request as an authentication request and an attribute information acquisition request, and to redirect the authentication request and the attribute information acquisition request to the identity provider;
the identity provider is used to perform preliminary authentication and, if authentication succeeds, to obtain subject attribute information;
the identity provider is further used to redirect the requesting user's authentication request to the attribute authority for further authentication;
the attribute authority is used, after receiving the further authentication request, to produce an early-warning value and to judge whether the early-warning value exceeds a warning threshold; if it does, assisted authentication is performed by the identity provider;
the attribute authority is further used, when further authentication succeeds, to return a further-authentication-success instruction to the identity provider, and the identity provider queries the environment attribute log to obtain environment attribute information;
the identity provider is used to produce a Security Assertion Markup Language (SAML) instruction and to redirect the SAML instruction to the service provider, wherein the SAML instruction includes the subject attribute information and the environment attribute information;
the service provider is further used, after receiving the SAML instruction, to send a response instruction to the data provider, and the data provider sends an authentication cookie to the requesting user's browser and establishes a session with the requesting user's browser, wherein the response instruction includes the subject attribute information and the environment attribute information;
the policy enforcement point is used to capture the access request of the trusted requesting user, to collect and store in the standard declaration file the subject attribute information, the environment attribute information and the object attribute information of the data provider, and then to send the requesting user's access request to the policy decision point;
the policy decision point is used to judge whether the subject attribute information, environment attribute information and object attribute information provided by the policy enforcement point are sufficient to make an access decision;
the runtime attribute acquisition plug-in is used to perform a supplementary attribute information acquisition request when the policy decision point cannot make an access decision from the subject attribute information, environment attribute information and object attribute information provided by the policy enforcement point;
the policy decision point is further used, after the subject attribute information, environment attribute information and object attribute information provided by the policy enforcement point are sufficient to make an access decision, or after the runtime attribute acquisition plug-in has performed the supplementary attribute information acquisition request, to determine according to the policy produced by the policy administration center whether to allow or refuse the requesting user's access request;
the policy decision point is further used to return the access decision result to the policy enforcement point, and the policy enforcement point enforces the access decision result.
4. The system according to claim 3, characterized in that the system further comprises: an agreed third party, a timely cache and an attribute query plug-in;
the runtime attribute acquisition plug-in cooperates with the agreed third party, the service provider, the identity provider, the attribute query plug-in and the timely cache to perform the supplementary attribute information acquisition request:
the runtime attribute acquisition plug-in is used to obtain the attribute name needed to make the access decision, and then to look up in a local cache whether that attribute name was requested within a preset time; if so, it returns the attribute value corresponding to the attribute name to the policy decision point; otherwise, it sends a request to the agreed third party to obtain the attribute value corresponding to the attribute name;
the agreed third party is used, after obtaining the attribute name, to send a query request to the service provider;
the service provider is used, after receiving the query request sent by the agreed third party, to send a query request to the timely cache through the attribute query plug-in, so as to confirm whether the attribute value corresponding to the attribute name exists in the timely cache; if it exists, the service provider obtains the attribute value that the attribute query plug-in retrieved from the timely cache;
the attribute query plug-in is used, when the attribute value corresponding to the attribute name does not exist in the timely cache, to send the attribute name to the service provider as an attribute value acquisition request;
the service provider is further used, after receiving the attribute value acquisition request sent by the attribute query plug-in, to send an attribute value query request to the identity provider;
the identity provider is used to respond to the attribute value query request sent by the service provider by sending the queried attribute value to the service provider;
the service provider is further used to verify the validity of the attribute value and, after verification passes, to send an attribute value response instruction to the agreed third party, the attribute value response instruction including the valid attribute value that was obtained;
the agreed third party is further used to send the received attribute value to the runtime attribute acquisition plug-in, and the runtime attribute acquisition plug-in sends the attribute value to the policy decision point.
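The decision loop of steps (10) to (12) and the attribute-acquisition chain of claim 2, as an added example that is not the patent's own code. The policy format, the attribute names, the dict-backed stand-ins for the timely cache and the identity provider, the preset time of 60 seconds and the fail-closed handling of an attribute that cannot be obtained are all assumptions made for this illustration.

```python
import time
from dataclasses import dataclass, field

PRESET_TIME = 60.0  # seconds a locally cached attribute stays reusable (assumed value)


@dataclass
class RuntimeAttributePlugin:
    """Runtime attribute acquisition plug-in (claim 2). The attribute sources are
    constructed dicts standing in for the timely cache and the identity provider."""
    identity_provider: dict
    timely_cache: dict = field(default_factory=dict)
    local_cache: dict = field(default_factory=dict)  # name -> (value, time requested)
    trace: list = field(default_factory=list)        # (name, source) pairs, for audit logs

    def resolve(self, name, now=None):
        """Steps 11-1/11-2: honour the local cache only inside the preset time window."""
        now = time.time() if now is None else now
        hit = self.local_cache.get(name)
        if hit is not None and now - hit[1] <= PRESET_TIME:
            self.trace.append((name, "local-cache"))
            return hit[0]
        value = self._query_via_agreed_third_party(name)  # steps 11-3 .. 11-11
        if value is not None:
            self.local_cache[name] = (value, now)
        return value

    def _query_via_agreed_third_party(self, name):
        """Agreed third party -> service provider -> timely cache, else identity provider."""
        if name in self.timely_cache:                    # step 11-5, timely cache hit
            value, source = self.timely_cache[name], "timely-cache"
        else:                                            # steps 11-6 .. 11-8
            value, source = self.identity_provider.get(name), "identity-provider"
        if not self._service_provider_validates(value):  # step 11-9
            self.trace.append((name, "unresolved"))
            return None
        self.trace.append((name, source))
        return value                                     # steps 11-10 / 11-11

    @staticmethod
    def _service_provider_validates(value):
        # Stands in for the service provider's validity check; the patent does not
        # define "valid", so this assumed check only rejects missing or empty values.
        return value is not None and value != ""


def decide(policy, pep_attributes, plugin, now=None):
    """Policy decision point, steps 10-12: `policy` maps each attribute name to the
    value it must hold; `pep_attributes` is what the policy enforcement point supplied."""
    attrs = dict(pep_attributes)
    for name in policy:
        if name not in attrs:                  # step 10: cannot decide yet -> step 11
            value = plugin.resolve(name, now)
            if value is None:
                return "DENY"                  # attribute never obtained: fail closed (assumed)
            attrs[name] = value
    permitted = all(attrs[name] == wanted for name, wanted in policy.items())
    return "PERMIT" if permitted else "DENY"   # step 12


if __name__ == "__main__":
    # constructed sample data: the PEP supplies two of the four attributes the policy needs
    plugin = RuntimeAttributePlugin(identity_provider={"subject.clearance": "secret"},
                                    timely_cache={"env.network": "internal"})
    policy = {"subject.role": "analyst", "env.network": "internal",
              "subject.clearance": "secret", "object.level": "secret"}
    pep = {"subject.role": "analyst", "object.level": "secret"}
    print(decide(policy, pep, plugin, now=0.0), plugin.trace)
```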
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201611226188.7A CN106790119B (en) | 2016-12-27 | 2016-12-27 | An attribute-based access control method and system |
Publications (2)
Publication Number | Publication Date |
---|---|
CN106790119A (en) | 2017-05-31 |
CN106790119B (en) | 2019-06-07 |
Family
ID=58922063
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201611226188.7A Expired - Fee Related CN106790119B (en) | 2016-12-27 | 2016-12-27 | An attribute-based access control method and system |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN106790119B (en) |
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN109818907A (en) * | 2017-11-21 | 2019-05-28 | 航天信息股份有限公司 | A UCON-model-based user anonymous access method and system |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20120060207A1 (en) * | 2010-09-03 | 2012-03-08 | Ebay Inc. | Role-based attribute based access control (rabac) |
CN102694867A (en) * | 2012-06-06 | 2012-09-26 | 江苏大学 | Attribution-based cross-security domain access control method and system in SOA (Service Oriented Architecture) |
CN104378386A (en) * | 2014-12-09 | 2015-02-25 | 浪潮电子信息产业股份有限公司 | Method for cloud data confidentiality protection and access control |
US20150295939A1 (en) * | 2010-12-30 | 2015-10-15 | Axiomatics Ab | System and method for evaluating a reverse query |
Non-Patent Citations (4)
Title |
---|
倪川: "Research on an attribute-based access control method supporting policy ontology reasoning", Computer Science * |
商铮等: "Business-process-oriented access control policy and decision optimization method", Computer Engineering and Applications * |
朱秋力: "Design and implementation of a service-oriented access control system", China Masters' Theses Full-text Database * |
沈海波等: "An attribute-based access control model combined with XACML for Web services", Journal of Computer Applications * |
Also Published As
Publication number | Publication date |
---|---|
CN106790119B (en) | 2019-06-07 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| GR01 | Patent grant | |
| CF01 | Termination of patent right due to non-payment of annual fee | Granted publication date: 20190607; Termination date: 20191227 |