CN106790119A - Attribute-based access control method and system - Google Patents

Attribute-based access control method and system

Info

Publication number: CN106790119A
Authority: CN (China)
Prior art keywords: attribute, attribute information, request, property value, service provider
Legal status: Granted
Application number: CN201611226188.7A
Other languages: Chinese (zh)
Other versions: CN106790119B (en)
Inventors: 路松峰, 付四凯, 慕少琼
Current Assignee: Huazhong University of Science and Technology
Original Assignee: Huazhong University of Science and Technology
Current legal status: Expired - Fee Related

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/101 Access control lists [ACL]
    • H04L63/105 Multiple levels of security
Abstract

The invention discloses an attribute-based access control method and system. The method comprises the following parts: the authorization and revocation of subject attribute information and of specific subjects, the collection of environment attribute information, the creation of policies, the enforcement of policies, the acquisition of runtime attributes, and a unified request-and-response mode for data among these parts. Access control is realized by controlling subject and object attribute information and environment attribute information, which solves a series of problems of traditional access control, such as poor security, difficult rights management and difficult extension, and thereby achieves efficient access control.

Description

Attribute-based access control method and system
Technical field
The invention belongs to the field of access control technology, and more particularly to an attribute-based access control method and system.
Background technology
Access control technology mainly serves to protect shared data in large-scale systems from being accessed by unauthorized, illegal users. With the rapid development of information technology, and of the Internet in particular, access control technology has also developed considerably.
Access control schemes can be divided, according to their authorization approach, into Discretionary Access Control (DAC), Mandatory Access Control (MAC) and Role-Based Access Control (RBAC). In discretionary access control the owner of an object manages that object and decides alone whether to grant other subjects the access right, or part of the access right, to the object; this control mode is autonomous, and a user can selectively share their files with other users according to their own wishes. However, this method can cause serious security problems, such as the problem of rights transfer: for example, A owns resource R and grants B the access right; B passes the access right on to C, so that C also obtains the access right to resource R, which can cause data leakage. Mandatory access control prevents direct or indirect illegal intrusion through access restrictions that cannot be bypassed: the subjects and objects of an access are assigned security levels, and whether a subject is allowed to access an object is decided by the security levels of subject and object. Although MAC is welcomed by the military because of its strict and explicit level classification and rights management, it lacks flexibility. Role-based access control has received wide attention as a promising replacement for traditional access control (such as discretionary and mandatory access control); in RBAC a user can hold multiple different roles, which makes user rights convenient to manage, and roles serve as the bridge between users and access rights. However, with the development of information technology and of Internet technology in particular, the network resources of many enterprises have begun to become dispersed, and the volume and variety of data keep growing, so existing access control technology can hardly satisfy the needs of enterprises.
Summary of the invention
In view of the above defects or improvement needs of the prior art, the invention provides an attribute-based access control method and system. Its object is to provide an efficient access control method for dispersed and continually growing network resources, unifying resource access control consistently, and thereby solving the technical problems that traditional access control is inflexible, coarse-grained and difficult to manage.
To achieve the above object, according to one aspect of the present invention, an attribute-based access control method is provided, comprising:
(1) the data provider judges whether the requesting user is an authenticated user; if not, the access request of the requesting user is redirected to the service provider;
(2) the service provider interprets the redirected access request as an authentication request and a request to obtain attribute information, and redirects the authentication request and the attribute-information request to the identity provider;
(3) the identity provider performs preliminary authentication and, if authentication succeeds, obtains subject attribute information;
(4) the identity provider redirects the authentication request of the requesting user to the attribute authority for further authentication;
(5) after receiving the further authentication request, the attribute authority generates an early-warning value and judges whether the early-warning value exceeds the early-warning threshold; if it does, auxiliary authentication is performed by the identity provider and step (6) is executed; if not, step (6) is entered directly;
(6) if the further authentication succeeds, a further-authentication-success instruction is returned to the identity provider, and the identity provider queries the environment attribute log to obtain environment attribute information;
(7) the identity provider generates a Security Assertion Markup Language (SAML) instruction and redirects the SAML instruction to the service provider, wherein the SAML instruction includes the subject attribute information and the environment attribute information;
(8) after receiving the SAML instruction, the service provider sends a response instruction to the data provider, and the data provider sends an authentication cookie to the browser of the requesting user and establishes a session with the browser of the requesting user, wherein the response instruction includes the subject attribute information and the environment attribute information;
(9) the policy enforcement point captures the access request of the authenticated requesting user, collects the subject attribute information and environment attribute information stored in the standard assertion file together with the object attribute information of the data provider, and then sends the access request of the requesting user to the policy decision point;
(10) the policy decision point judges whether the subject attribute information, environment attribute information and object attribute information provided by the policy enforcement point are sufficient to make an access decision; if so, step (12) is executed, otherwise step (11) is executed;
(11) a supplementary attribute-information acquisition request is made through the runtime attribute acquisition plug-in, and step (12) is executed;
(12) according to the policy generated by the policy management center, it is decided whether to allow or deny the access request of the requesting user;
(13) the policy decision point returns the access decision result to the policy enforcement point, and the policy enforcement point executes the access decision result.
Preferably, step (11) specifically includes the following sub-steps:
(11-1) the runtime attribute acquisition plug-in obtains the attribute name needed to make the access decision, then looks up in the local cache whether that attribute name was requested within the preset time; if so, step (11-2) is executed, otherwise step (11-3) is executed;
(11-2) the attribute value corresponding to the attribute name is returned to the policy decision point;
(11-3) the runtime attribute acquisition plug-in sends a request to the protocol intermediary to obtain the attribute value corresponding to the attribute name;
(11-4) after obtaining the attribute name, the protocol intermediary sends a query request to the service provider;
(11-5) after receiving the query request sent by the protocol intermediary, the service provider sends a query request to the timely cache through the attribute query plug-in, to confirm whether the attribute value corresponding to the attribute name exists in the timely cache; if it does not exist, step (11-6) is executed; otherwise the service provider obtains the attribute value that the attribute query plug-in fetched from the timely cache, and step (11-9) is executed;
(11-6) the attribute query plug-in sends the attribute name to the service provider as an attribute-value acquisition request;
(11-7) after receiving the attribute-value acquisition request sent by the attribute query plug-in, the service provider sends an attribute-value query request to the identity provider;
(11-8) the identity provider responds to the attribute-value query request sent by the service provider and sends the queried attribute value to the service provider;
(11-9) the service provider verifies the validity of the attribute value and, after verification passes, executes step (11-10);
(11-10) the service provider sends an attribute-value response instruction to the protocol intermediary, the attribute-value response instruction including the valid attribute value obtained;
(11-11) the protocol intermediary sends the received attribute value to the runtime attribute acquisition plug-in, and the runtime attribute acquisition plug-in sends the attribute value to the policy decision point.
According to another aspect of the invention, an attribute-based access control system is provided, comprising: a data provider, a service provider, an identity provider, an attribute authority, an environment attribute log, a policy enforcement point, a standard assertion file, a policy decision point, a runtime attribute acquisition plug-in and a policy management center;
the data provider is configured to judge whether the requesting user is an authenticated user and, if not, redirect the access request of the requesting user to the service provider;
the service provider is configured to interpret the redirected access request as an authentication request and a request to obtain attribute information, and to redirect the authentication request and the attribute-information request to the identity provider;
the identity provider is configured to perform preliminary authentication and, if authentication succeeds, obtain subject attribute information;
the identity provider is further configured to redirect the authentication request of the requesting user to the attribute authority for further authentication;
the attribute authority is configured to generate an early-warning value after receiving the further authentication request and to judge whether the early-warning value exceeds the early-warning threshold; if it does, auxiliary authentication is performed by the identity provider;
the attribute authority is further configured, when the further authentication succeeds, to return a further-authentication-success instruction to the identity provider, and the identity provider queries the environment attribute log to obtain environment attribute information;
the identity provider is configured to generate a Security Assertion Markup Language (SAML) instruction and redirect the SAML instruction to the service provider, wherein the SAML instruction includes the subject attribute information and the environment attribute information;
the service provider is further configured, after receiving the SAML instruction, to send a response instruction to the data provider, and the data provider sends an authentication cookie to the browser of the requesting user and establishes a session with the browser of the requesting user, wherein the response instruction includes the subject attribute information and the environment attribute information;
the policy enforcement point is configured to capture the access request of the authenticated requesting user, collect the subject attribute information and environment attribute information stored in the standard assertion file together with the object attribute information of the data provider, and then send the access request of the requesting user to the policy decision point;
the policy decision point is configured to judge whether the subject attribute information, environment attribute information and object attribute information provided by the policy enforcement point are sufficient to make an access decision;
the runtime attribute acquisition plug-in is configured to make a supplementary attribute-information acquisition request when the policy decision point cannot make an access decision from the subject attribute information, environment attribute information and object attribute information provided by the policy enforcement point;
the policy decision point is further configured, when an access decision can be made from the subject attribute information, environment attribute information and object attribute information provided by the policy enforcement point, or after the runtime attribute acquisition plug-in has made the supplementary attribute-information acquisition request, to decide according to the policy generated by the policy management center whether to allow or deny the access request of the requesting user;
the policy decision point is further configured to return the access decision result to the policy enforcement point, and the policy enforcement point executes the access decision result.
Preferably, the system further comprises a protocol intermediary, a timely cache and an attribute query plug-in;
the runtime attribute acquisition plug-in cooperates with the protocol intermediary, the service provider, the identity provider, the attribute query plug-in and the timely cache to make the supplementary attribute-information acquisition request:
the runtime attribute acquisition plug-in is configured to obtain the attribute name needed to make the access decision and then look up in the local cache whether the attribute name was requested within the preset time; if so, the attribute value corresponding to the attribute name is returned to the policy decision point; otherwise a request is sent to the protocol intermediary to obtain the attribute value corresponding to the attribute name;
the protocol intermediary is configured, after obtaining the attribute name, to send a query request to the service provider;
the service provider is configured, after receiving the query request sent by the protocol intermediary, to send a query request to the timely cache through the attribute query plug-in, to confirm whether the attribute value corresponding to the attribute name exists in the timely cache; if it exists, the service provider obtains the attribute value that the attribute query plug-in fetched from the timely cache;
the attribute query plug-in is configured, when the attribute value corresponding to the attribute name does not exist in the timely cache, to send the attribute name to the service provider as an attribute-value acquisition request;
the service provider is further configured, after receiving the attribute-value acquisition request sent by the attribute query plug-in, to send an attribute-value query request to the identity provider;
the identity provider is configured to respond to the attribute-value query request sent by the service provider and send the queried attribute value to the service provider;
the service provider is further configured to verify the validity of the attribute value and, after verification passes, to send an attribute-value response instruction to the protocol intermediary, the attribute-value response instruction including the valid attribute value obtained;
the protocol intermediary is further configured to send the received attribute value to the runtime attribute acquisition plug-in, and the runtime attribute acquisition plug-in sends the attribute value to the policy decision point.
In general, compared with the prior art, the technical scheme conceived above by the present invention realizes access control by controlling subject and object attributes and environment attributes, and can therefore obtain the following beneficial effects:
(1) It is an access control mechanism designed for the dispersed and multi-class nature of cloud storage data, based on subject and object attributes and environment attributes; it retains the capabilities of traditional access control and also adapts well to more complex environments.
(2) The invention involves the following core parts: the authorization and revocation of subject attributes and of specific subjects, the collection of environment attributes, the creation of policies, the enforcement of policies, the acquisition of runtime attributes, and a unified request-and-response mode for data among these parts.
(3) The way policies are defined in the invention fully achieves the discretionary access control, mandatory access control and role-based access control modes, and policies also have flexibly changeable creation and deletion functions.
(4) The acquisition of runtime attributes is based on a local cache, which helps the policy decision point make decisions faster.
Brief description of the drawings
Fig. 1 is a schematic flow chart of an attribute-based access control method disclosed in an embodiment of the present invention;
Fig. 2 is a schematic diagram of the interaction structure of the modules in an attribute-based access control system disclosed in an embodiment of the present invention.
Detailed description
In order to make the purpose, technical scheme and advantages of the present invention clearer, the present invention is further elaborated below in conjunction with the drawings and embodiments. It should be understood that the specific embodiments described herein are merely illustrative of the present invention and are not intended to limit it. In addition, the technical features involved in the embodiments of the invention described below can be combined with each other as long as they do not conflict.
Fig. 1 shows a schematic flow chart of an attribute-based access control method disclosed in an embodiment of the present invention; the method shown in Fig. 1 comprises the following steps:
(1) the data provider judges whether the requesting user is an authenticated user; if not, the access request of the requesting user is redirected to the service provider;
Here, the data provider can determine whether the current requesting user has already been authenticated by checking the HTTP (Hyper Text Transfer Protocol) content of the requesting user.
(2) the service provider interprets the redirected access request as an authentication request and a request to obtain attribute information, and redirects the authentication request and the attribute-information request to the identity provider;
(3) the identity provider performs preliminary authentication and, if authentication succeeds, obtains subject attribute information;
Here, subject attribute information can be provided by the identity management repository. The identity management repository provides subject attribute information management for the identity provider: it has the functions of granting and revoking subject identities, and also of creating, modifying and deleting subject attribute information, including the granting and revoking of the attributes of specific subjects; it is the source of subject attribute information.
(4) the identity provider redirects the authentication request of the requesting user to the attribute authority for further authentication;
(5) after receiving the further authentication request, the attribute authority generates an early-warning value and judges whether the early-warning value exceeds the early-warning threshold; if it does, auxiliary authentication is performed by the identity provider and step (6) is executed; if not, step (6) is entered directly;
(6) if the further authentication succeeds, a further-authentication-success instruction is returned to the identity provider, and the identity provider queries the environment attribute log to obtain environment attribute information;
(7) the identity provider generates a Security Assertion Markup Language (SAML) instruction and redirects the SAML instruction to the service provider, wherein the SAML instruction includes the subject attribute information and the environment attribute information;
(8) after receiving the SAML instruction, the service provider sends a response instruction to the data provider, and the data provider sends an authentication cookie to the browser of the requesting user and establishes a session with the browser of the requesting user, wherein the response instruction includes the subject attribute information and the environment attribute information;
Here, the subject attribute information and environment attribute information from the identity provider are stored in the standard assertion file.
(9) the policy enforcement point captures the access request of the authenticated requesting user, collects the subject attribute information and environment attribute information stored in the standard assertion file together with the object attribute information of the data provider, and then sends the access request of the requesting user to the policy decision point;
(10) the policy decision point judges whether the subject attribute information, environment attribute information and object attribute information provided by the policy enforcement point are sufficient to make an access decision; if so, step (12) is executed, otherwise step (11) is executed;
(11) a supplementary attribute-information acquisition request is made through the runtime attribute acquisition plug-in, and step (12) is executed;
(12) according to the policy generated by the policy management center, it is decided whether to allow or deny the access request of the requesting user;
(13) the policy decision point returns the access decision result to the policy enforcement point, and the policy enforcement point executes the access decision result.
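The authentication half of the method, steps (1) to (8), is easiest to follow as a message exchange between the four parties. The Python simulation below is an added example and not code from the patent or its embodiment: it wires a data provider, service provider, identity provider and attribute authority together in one process. The identity repository contents, the rule that derives the early-warning value (a count of recent failed logins) and the threshold value are all constructed for illustration; the patent does not specify how the early-warning value is computed.

```python
import hmac
import secrets
from dataclasses import dataclass

# Constructed identity management repository: the source of subject attribute
# information for step (3). Users, passwords and attributes are illustrative.
IDENTITY_REPOSITORY = {
    "alice": {"password": "alice-pw",
              "attrs": {"department": "finance", "role": "analyst"}},
}
EARLY_WARNING_THRESHOLD = 3  # assumed value; the patent leaves the threshold open


@dataclass
class SamlInstruction:
    """Step (7): the instruction carrying subject and environment attributes."""
    subject: str
    subject_attrs: dict
    env_attrs: dict


class AttributeAuthority:
    """Steps (5)-(6): further authentication with an early-warning value, plus the
    environment attribute log keyed by the id of each authentication event."""

    def __init__(self):
        self.env_log = {}            # event_id -> environment attribute information
        self.recent_failures = {}    # constructed input to the early-warning value

    def further_authenticate(self, user, context):
        # Constructed early-warning rule: the count of recent failed logins.
        early_warning = self.recent_failures.get(user, 0)
        event_id = secrets.token_hex(8)
        # Environment attributes collected at login (e.g. location); step (6) reads them
        self.env_log[event_id] = {"login_time": context["time"],
                                  "location": context["location"]}
        return event_id, early_warning > EARLY_WARNING_THRESHOLD


class IdentityProvider:
    """Steps (3), (4), (6) and (7)."""

    def __init__(self, aa):
        self.aa = aa
        self.assertion_file = {}     # standard assertion file: subject -> attributes

    def authenticate(self, user, password, context, auxiliary_ok):
        record = IDENTITY_REPOSITORY.get(user)
        if record is None or not hmac.compare_digest(
                record["password"].encode(), password.encode()):
            return None              # step (3): preliminary authentication failed
        subject_attrs = dict(record["attrs"])
        event_id, need_aux = self.aa.further_authenticate(user, context)  # (4)-(5)
        if need_aux and not auxiliary_ok:
            return None              # auxiliary authentication by the IdP did not pass
        env_attrs = self.aa.env_log[event_id]                # step (6): query the log
        self.assertion_file[user] = {"subject_attrs": subject_attrs,
                                     "env_attrs": env_attrs}
        return SamlInstruction(user, subject_attrs, env_attrs)   # step (7)


class ServiceProvider:
    """Steps (2) and (8)."""

    def __init__(self, idp):
        self.idp = idp

    def handle_redirect(self, user, password, context, auxiliary_ok):
        # (2): the redirected access request is treated as an authentication request
        # plus a request for attribute information; both go to the identity provider.
        saml = self.idp.authenticate(user, password, context, auxiliary_ok)
        if saml is None:
            return None
        # (8): response instruction to the data provider with both attribute sets
        return {"subject": saml.subject, "subject_attrs": saml.subject_attrs,
                "env_attrs": saml.env_attrs}


class DataProvider:
    """Steps (1) and (8)."""

    def __init__(self, sp):
        self.sp = sp
        self.sessions = {}           # authentication cookie -> session data

    def request(self, cookie, user=None, password=None, context=None,
                auxiliary_ok=False):
        if cookie in self.sessions:  # (1): already an authenticated user
            return cookie, self.sessions[cookie]
        response = self.sp.handle_redirect(user, password, context, auxiliary_ok)
        if response is None:
            return None, None
        new_cookie = secrets.token_urlsafe(16)               # (8): cookie + session
        self.sessions[new_cookie] = response
        return new_cookie, response


def build_system():
    """Wire the four parties together; returns (attribute authority, data provider)."""
    aa = AttributeAuthority()
    return aa, DataProvider(ServiceProvider(IdentityProvider(aa)))
```

A first request with no cookie travels the whole chain and comes back with a fresh authentication cookie whose session already holds both attribute sets; a second request presenting that cookie is answered by the data provider alone. Raising the constructed failure count above the threshold makes the attribute authority demand auxiliary authentication, and the identity provider refuses the login unless that check passes.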
Preferably, step (11) specifically includes the following sub-steps:
(11-1) the runtime attribute acquisition plug-in obtains the attribute name needed to make the access decision, then looks up in the local cache whether that attribute name was requested within the preset time; if so, step (11-2) is executed, otherwise step (11-3) is executed;
(11-2) the attribute value corresponding to the attribute name is returned to the policy decision point;
(11-3) the runtime attribute acquisition plug-in sends a request to the protocol intermediary to obtain the attribute value corresponding to the attribute name;
(11-4) after obtaining the attribute name, the protocol intermediary sends a query request to the service provider;
(11-5) after receiving the query request sent by the protocol intermediary, the service provider sends a query request to the timely cache through the attribute query plug-in, to confirm whether the attribute value corresponding to the attribute name exists in the timely cache; if it does not exist, step (11-6) is executed; otherwise the service provider obtains the attribute value that the attribute query plug-in fetched from the timely cache, and step (11-9) is executed;
(11-6) the attribute query plug-in sends the attribute name to the service provider as an attribute-value acquisition request;
(11-7) after receiving the attribute-value acquisition request sent by the attribute query plug-in, the service provider sends an attribute-value query request to the identity provider;
(11-8) the identity provider responds to the attribute-value query request sent by the service provider and sends the queried attribute value to the service provider;
(11-9) the service provider verifies the validity of the attribute value and, after verification passes, executes step (11-10);
(11-10) the service provider sends an attribute-value response instruction to the protocol intermediary, the attribute-value response instruction including the valid attribute value obtained;
(11-11) the protocol intermediary sends the received attribute value to the runtime attribute acquisition plug-in, and the runtime attribute acquisition plug-in sends the attribute value to the policy decision point.
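Steps (9) to (13) together with sub-steps (11-1) to (11-11) describe a two-level cache in front of the identity provider: the plug-in's local cache, valid for the preset time, and the service provider's timely cache. The Python simulation below is an added example, not the patent's code. The preset time, the identity repository, the validity rules the service provider applies in (11-9), and the single policy the decision point evaluates (the subject's clearance must be at least the object's level) are all constructed; the patent fixes none of these. The clock is injected so the preset-time window can be driven deterministically.

```python
import time

PRESET_TIME = 60.0   # assumed local-cache validity window in seconds; the patent leaves it open
LEVELS = ["public", "internal", "secret"]   # constructed ordering for the single policy below

# Constructed validity rules for step (11-9): allowed values (or type) per attribute name
VALID_VALUES = {"clearance": set(LEVELS), "department": str}


class IdentityProvider:
    """Authoritative attribute source answering the service provider's query (11-8)."""

    def __init__(self, repository):
        self.repository = repository  # constructed: subject -> {attribute name: value}
        self.queries = 0              # counts round trips, to show the caches working

    def query_attribute(self, subject, name):
        self.queries += 1
        return self.repository.get(subject, {}).get(name)


class ServiceProvider:
    """Steps (11-5) to (11-10): timely cache first, identity provider second,
    validity check before answering the protocol intermediary."""

    def __init__(self, idp, timely_cache):
        self.idp = idp
        self.timely_cache = timely_cache   # dict keyed by (subject, attribute name)

    def query(self, subject, name):
        value = self.timely_cache.get((subject, name))        # (11-5) via the query plug-in
        if value is None:                                      # (11-6) to (11-8)
            value = self.idp.query_attribute(subject, name)
            if value is not None:
                self.timely_cache[(subject, name)] = value
        if not self._is_valid(name, value):                    # (11-9)
            return None
        return value                                           # (11-10) response instruction

    @staticmethod
    def _is_valid(name, value):
        rule = VALID_VALUES.get(name)
        if rule is None or value is None:
            return False
        return isinstance(value, rule) if isinstance(rule, type) else value in rule


class ProtocolIntermediary:
    """Steps (11-4) and (11-11): relays between the plug-in and the service provider."""

    def __init__(self, sp):
        self.sp = sp

    def fetch(self, subject, name):
        return self.sp.query(subject, name)


class RuntimeAttributePlugin:
    """Steps (11-1) to (11-3): a local cache that answers directly when the attribute
    was requested within the preset time, otherwise asks the protocol intermediary."""

    def __init__(self, intermediary, clock=time.monotonic):
        self.intermediary = intermediary
        self.clock = clock            # injectable so the window can be tested
        self.local = {}               # (subject, name) -> (value, time requested)

    def get(self, subject, name):
        hit = self.local.get((subject, name))
        if hit is not None and self.clock() - hit[1] <= PRESET_TIME:   # (11-1)
            return hit[0]                                               # (11-2)
        value = self.intermediary.fetch(subject, name)                  # (11-3)
        if value is not None:
            self.local[(subject, name)] = (value, self.clock())
        return value


class PolicyDecisionPoint:
    """Steps (10) to (12) around one constructed policy: the subject's clearance must
    be at least the object's level. A missing attribute triggers the plug-in (11)."""

    NEEDED = ("clearance",)

    def __init__(self, plugin):
        self.plugin = plugin

    def decide(self, subject, subject_attrs, object_attrs, env_attrs):
        attrs = dict(subject_attrs)                             # (9): what the PEP collected
        for name in self.NEEDED:
            if name not in attrs:                               # (10): cannot decide yet
                value = self.plugin.get(subject, name)          # (11)
                if value is None:
                    return "deny"                               # attribute unobtainable
                attrs[name] = value
        permitted = LEVELS.index(attrs["clearance"]) >= LEVELS.index(object_attrs["level"])
        return "permit" if permitted else "deny"                # (12); the PEP executes it (13)
```

The identity provider's query counter makes the cache behaviour visible: a repeat lookup inside the preset time never leaves the plug-in, a lookup after the window expires is satisfied by the timely cache without reaching the identity provider, and a value that fails the service provider's validity check is dropped rather than handed to the decision point.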
Fig. 2 shows a schematic diagram of the interaction structure of the modules in an attribute-based access control system disclosed in an embodiment of the present invention, which specifically includes:
the data provider, configured to judge whether the requesting user is an authenticated user and, if not, redirect the access request of the requesting user to the service provider;
the service provider, configured to interpret the redirected access request as an authentication request and a request to obtain attribute information, and to redirect the authentication request and the attribute-information request to the identity provider;
the identity provider, configured to perform preliminary authentication and, if authentication succeeds, obtain subject attribute information;
Here, subject attribute information can be provided by the identity management repository. The identity management repository provides subject attribute information management for the identity provider: it has the functions of granting and revoking subject identities, and also of creating, modifying and deleting subject attribute information, including the granting and revoking of the attributes of specific subjects; it is the source of subject attribute information.
the identity provider, further configured to redirect the authentication request of the requesting user to the attribute authority for further authentication;
the attribute authority, configured to generate an early-warning value after receiving the further authentication request and to judge whether the early-warning value exceeds the early-warning threshold; if it does, auxiliary authentication is performed by the identity provider;
Here, the attribute authority (AA) collects environment attribute information and system information about the user when the user logs in, for example the user's location when logging in; this makes it possible to prevent people outside a designated area from accessing the resources concerned.
the attribute authority, further configured, when the further authentication succeeds, to return a further-authentication-success instruction to the identity provider, and the identity provider queries the environment attribute log to obtain environment attribute information;
Here, the environment attribute log contains the event ID of each authentication of the user and the environment attribute information collected by the attribute authority during each authentication of the user.
Here, the event log acquisition plug-in is responsible for the interaction between the identity provider and the attribute authority; it supplies the event ID of the user's authentication to the identity provider, so that the identity provider can query the environment attribute log by that event ID and obtain the environment attribute information.
the identity provider, configured to generate a Security Assertion Markup Language (SAML) instruction and redirect the SAML instruction to the service provider, wherein the SAML instruction includes the subject attribute information and the environment attribute information;
the service provider, further configured, after receiving the SAML instruction, to send a response instruction to the data provider, and the data provider sends an authentication cookie to the browser of the requesting user and establishes a session with the browser of the requesting user, wherein the response instruction includes the subject attribute information and the environment attribute information;
Here, the subject attribute information and environment attribute information from the identity provider are stored in the standard assertion file. The identity provider obtains the subject attribute information and environment attribute information from the standard assertion file through the secure password processing function.
Here, the secure password processing function is used to verify whether the password provided by the service provider is valid;
the policy enforcement point, configured to capture the access request of the authenticated requesting user, collect the subject attribute information and environment attribute information stored in the standard assertion file together with the object attribute information of the data provider, and then send the access request of the requesting user to the policy decision point;
the policy decision point, configured to judge whether the subject attribute information, environment attribute information and object attribute information provided by the policy enforcement point are sufficient to make an access decision;
Here, the data provider is coupled with the policy decision point and the policy enforcement point.
the runtime attribute acquisition plug-in, configured to make a supplementary attribute-information acquisition request when the policy decision point cannot make an access decision from the subject attribute information, environment attribute information and object attribute information provided by the policy enforcement point;
the policy decision point, further configured, when an access decision can be made from the subject attribute information, environment attribute information and object attribute information provided by the policy enforcement point, or after the runtime attribute acquisition plug-in has made the supplementary attribute-information acquisition request, to decide according to the policy generated by the policy management center whether to allow or deny the access request of the requesting user;
Here, the policy management center is used to generate policies and provides functions such as auditing, logging and reporting.
the policy decision point, further configured to return the access decision result to the policy enforcement point, and the policy enforcement point executes the access decision result.
Preferably, agreement third side, in time caching, attribute query plug-in unit are gone back in the system shown in Fig. 2;And run mode belongs to Property obtain plug-in unit and agreement third side, service provider, identity provider, attribute query plug-in unit and cache cooperation in time and carry out Complementary attribute information obtains request:
Run mode attribute obtains plug-in unit, for obtaining the attribute-name that the judgement that conducts interviews determines to need, is then locally delaying Deposit whether the lookup attribute-name was requested in Preset Time, if so, then returning the corresponding property value of the attribute-name Back to strategic decision-making device, otherwise, sent to agreement third side and asked, obtain the corresponding property value of the attribute-name;
Agreement third side, for after the attribute-name is obtained, inquiry request being sent to service provider;
Service provider, for receive agreement third side transmission inquiry request after, by attribute query plug-in unit to Caching sends inquiry request in time, to confirm to whether there is the corresponding property value of the attribute-name in caching in time, if in the presence of, The property value that attribute query plug-in unit is obtained from caching in time is obtained by service provider;
Attribute query plug-in unit, in property value corresponding in the absence of the attribute-name in caching in time, by the category Property name be sent to service provider carry out property value obtain request;
Service provider, is additionally operable to after the property value for receiving the transmission of attribute query plug-in unit obtains request, is carried to identity Supplier sends property value inquiry request;
Identity provider, the property value inquiry request for responding service provider transmission, sends to service provider and looks into The property value ask;
Service provider, is additionally operable to verify the validity of property value, and after being verified, is sent to agreement third side and belonged to Property value response instruction, property value response instruction includes the effective property value for getting;
Agreement third side, is additionally operable to the property value for receiving to be sent to run mode attribute acquisition plug-in unit, by run mode attribute Obtain plug-in unit and property value is sent to strategic decision-making device.
As it will be easily appreciated by one skilled in the art that the foregoing is only presently preferred embodiments of the present invention, it is not used to The limitation present invention, all any modification, equivalent and improvement made within the spirit and principles in the present invention etc., all should include Within protection scope of the present invention.

Claims (4)

1. An attribute-based access control method, characterized in that it comprises:
(1) the data provider judges whether the requesting user is an authenticated user and, if not, redirects the access request of the requesting user to the service provider;
(2) the service provider interprets the redirected access request as an authentication request and a request to obtain attribute information, and redirects the authentication request and the request to obtain attribute information to the identity provider;
(3) the identity provider performs preliminary authentication and, if the authentication succeeds, obtains the subject attribute information;
(4) the identity provider redirects the authentication request of the requesting user to the attribute authority for further authentication;
(5) after receiving the further authentication request, the attribute authority produces an early-warning value and judges whether the early-warning value exceeds a warning threshold; if it does, assisted authentication is performed by the identity provider and then step (6) is performed; if not, step (6) is performed directly;
(6) if the further authentication succeeds, a further-authentication-success instruction is returned to the identity provider, which queries the environment attribute log to obtain the environment attribute information;
(7) the identity provider generates a Security Assertion Markup Language (SAML) instruction and redirects it to the service provider, the SAML instruction containing the subject attribute information and the environment attribute information;
(8) after receiving the SAML instruction, the service provider sends a response instruction to the data provider, whereupon the data provider sends an authentication cookie to the browser of the requesting user and establishes a session with that browser; the response instruction contains the subject attribute information and the environment attribute information;
(9) the policy enforcement point captures the access request of the authenticated requesting user, collects and stores in the standard assertion file the subject attribute information, the environment attribute information and the object attribute information of the data provider, and then sends the access request of the requesting user to the policy decision point;
(10) the policy decision point determines whether an access decision can be made from the subject attribute information, environment attribute information and object attribute information provided by the policy enforcement point; if so, step (12) is performed, otherwise step (11) is performed;
(11) a complementary attribute information acquisition request is carried out by the runtime attribute acquisition plug-in, and step (12) is performed;
(12) whether to allow or deny the access request of the requesting user is determined according to the policy produced by the policy management center;
(13) the policy decision point returns the access decision result to the policy enforcement point, which executes the access decision result.
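As an added illustration (not code from the patent or its applicant), the following Python sketch models steps (6) and (9) to (13) of claim 1, which the description above recites in system form: the identity provider looks up the environment attribute log by event ID, the policy enforcement point merges subject, environment and object attributes into one record, and the policy decision point evaluates a policy set handed down by the policy management center. The decision is reported as allow, deny or indeterminate, and in the indeterminate case the names of the attributes the PDP lacks are listed, which is exactly what the runtime attribute acquisition plug-in of step (11) needs to know. The log entries, attribute names, rules, the deny-overrides combining rule and the deny-by-default fallback are all assumptions made for this example; the patent does not specify them.

```python
"""Added example, not from the patent: a minimal policy decision point (PDP) and
policy enforcement point (PEP) for the attribute flow of claim 1, steps (6) and
(9) to (13). Log entries, attribute names and rules are constructed."""
from dataclasses import dataclass, field
from typing import Callable

# Constructed environment attribute log: authentication event ID -> environment
# attributes the attribute authority collected during that authentication.
ENVIRONMENT_ATTRIBUTE_LOG = {
    "evt-1001": {"client_ip": "10.0.0.8", "auth_hour": 10, "network_zone": "intranet"},
    "evt-1002": {"client_ip": "203.0.113.5", "auth_hour": 23, "network_zone": "internet"},
}


def environment_attributes(event_id):
    """Step (6): the identity provider queries the environment attribute log by event ID."""
    return dict(ENVIRONMENT_ATTRIBUTE_LOG.get(event_id, {}))


@dataclass
class Rule:
    name: str
    needs: tuple                      # attribute names the condition reads
    condition: Callable[[dict], bool]
    effect: str                       # "allow" or "deny"


# Policy set as handed down by the policy management center (constructed rules).
POLICY = [
    Rule("no-external-access-at-night", ("network_zone", "auth_hour"),
         lambda a: a["network_zone"] == "internet" and not 8 <= a["auth_hour"] < 20,
         "deny"),
    Rule("same-department-with-clearance",
         ("department", "owner_department", "clearance", "classification"),
         lambda a: a["department"] == a["owner_department"]
         and a["clearance"] >= a["classification"],
         "allow"),
]


@dataclass
class Decision:
    result: str                                   # "allow", "deny" or "indeterminate"
    missing: list = field(default_factory=list)   # attribute names still needed


def collect_attributes(subject, environment, obj):
    """Step (9): the PEP merges subject, environment and object attributes into one record."""
    merged = {}
    for part in (subject, environment, obj):
        merged.update(part)
    return merged


def decide(policy, attributes):
    """Steps (10) and (12): evaluate every rule, deny overrides allow.

    A rule whose attributes are not all present cannot be evaluated; unless a
    deny rule already fired, the result is indeterminate and the missing names
    are reported so the runtime attribute acquisition plug-in can fetch them.
    """
    missing = []
    allowed = False
    for rule in policy:
        absent = [n for n in rule.needs if n not in attributes]
        if absent:
            missing.extend(n for n in absent if n not in missing)
            continue
        if rule.condition(attributes):
            if rule.effect == "deny":
                return Decision("deny")
            allowed = True
    if missing:
        return Decision("indeterminate", missing)
    return Decision("allow" if allowed else "deny")   # assumed default: deny when no rule applies


def enforce(decision):
    """Step (13): the PEP executes the result; only an explicit allow grants access."""
    return decision.result == "allow"


if __name__ == "__main__":
    subject = {"department": "finance", "clearance": 3}          # from the SAML assertion
    obj = {"owner_department": "finance", "classification": 2}    # from the data provider
    for event_id in ("evt-1001", "evt-1002"):
        attrs = collect_attributes(subject, environment_attributes(event_id), obj)
        print(event_id, decide(POLICY, attrs))
    print(decide(POLICY, collect_attributes({"department": "finance"},
                                            environment_attributes("evt-1001"), obj)))
```

Treating an indeterminate result as "not allowed" at the PEP matters: while the complementary attributes of step (11) are still being fetched, the request must not be granted on a partial evaluation.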
2. The method according to claim 1, characterized in that step (11) specifically comprises the following sub-steps:
(11-1) the runtime attribute acquisition plug-in obtains the name of the attribute needed to make the access decision, then looks up in its local cache whether that attribute name was requested within the preset time; if so, step (11-2) is performed, otherwise step (11-3) is performed;
(11-2) the attribute value corresponding to the attribute name is returned to the policy decision point;
(11-3) the runtime attribute acquisition plug-in sends a request to the protocol third party to obtain the attribute value corresponding to the attribute name;
(11-4) after obtaining the attribute name, the protocol third party sends a query request to the service provider;
(11-5) after receiving the query request sent by the protocol third party, the service provider sends a query request to the real-time cache through the attribute query plug-in to confirm whether the attribute value corresponding to the attribute name exists in the real-time cache; if it does not exist, step (11-6) is performed; otherwise the service provider obtains the attribute value that the attribute query plug-in retrieved from the real-time cache and step (11-9) is performed;
(11-6) the attribute query plug-in sends the attribute name to the service provider as an attribute value acquisition request;
(11-7) after receiving the attribute value acquisition request sent by the attribute query plug-in, the service provider sends an attribute value query request to the identity provider;
(11-8) the identity provider responds to the attribute value query request sent by the service provider and sends the queried attribute value to the service provider;
(11-9) the service provider verifies the validity of the attribute value and, once verification passes, step (11-10) is performed;
(11-10) the service provider sends an attribute value response instruction to the protocol third party, the attribute value response instruction containing the valid attribute value obtained;
(11-11) the protocol third party sends the received attribute value to the runtime attribute acquisition plug-in, which sends the attribute value to the policy decision point.
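As an added example (not the patent's own code), the following Python sketch implements the sub-steps (11-1) to (11-11) above, which the description also recites in system form: the runtime attribute acquisition plug-in's local cache with its preset time window, the protocol third party forwarding to the service provider, the attribute query plug-in consulting the real-time cache, the fallback to the identity provider, and the service provider's validity verification before the value travels back. The preset time value, the expiry-based validity rule, the record format and the choice to populate both caches only with values that passed verification are assumptions the patent text leaves open.

```python
"""Added example, not from the patent: the complementary attribute acquisition chain
of claim 2 (sub-steps 11-1 to 11-11) with its two caches and the identity provider
as source of last resort. All names and values below are constructed."""
from dataclasses import dataclass, field

PRESET_TIME = 300.0  # assumed: seconds an attribute stays reusable in the plug-in's local cache


@dataclass
class IdentityProvider:
    """Authoritative attribute source (11-8). Each record carries an expiry (assumed format)."""
    store: dict
    queries: int = 0  # counts round trips so the effect of the caches is observable

    def query(self, name):
        self.queries += 1
        return self.store.get(name)


@dataclass
class ServiceProvider:
    idp: IdentityProvider
    realtime_cache: dict = field(default_factory=dict)  # the "real-time cache"

    def attribute_query_plugin(self, name):
        """(11-5): the attribute query plug-in looks the name up in the real-time cache."""
        return self.realtime_cache.get(name)

    @staticmethod
    def is_valid(record, now):
        """(11-9): assumed validity rule, a non-empty value that has not expired."""
        return (record is not None and record.get("value") not in (None, "")
                and record["valid_until"] > now)

    def handle_query(self, name, now):
        record = self.attribute_query_plugin(name)
        if record is None:                       # (11-6)-(11-8): miss, ask the identity provider
            record = self.idp.query(name)
            if self.is_valid(record, now):       # assumed: keep verified values for later queries
                self.realtime_cache[name] = record
        if not self.is_valid(record, now):
            self.realtime_cache.pop(name, None)  # assumed: drop a cached record that went stale
            return None
        return record                            # (11-10): attribute value response


@dataclass
class ProtocolThirdParty:
    sp: ServiceProvider

    def fetch(self, name, now):
        """(11-4) forwards the query to the service provider; (11-11) relays the answer."""
        return self.sp.handle_query(name, now)


@dataclass
class RuntimeAttributePlugin:
    third_party: ProtocolThirdParty
    local_cache: dict = field(default_factory=dict)  # name -> (requested_at, record)

    def acquire(self, name, now):
        """Returns (value, source); source tells which branch of the chain answered."""
        cached = self.local_cache.get(name)            # (11-1): requested within the preset time?
        if cached is not None and now - cached[0] <= PRESET_TIME:
            return cached[1]["value"], "local-cache"   # (11-2)
        record = self.third_party.fetch(name, now)     # (11-3)
        if record is None:
            return None, "unavailable"
        self.local_cache[name] = (now, record)         # assumed: remember it for the preset time
        return record["value"], "fetched"


def build_chain():
    """Wire the components together with constructed identity-provider data."""
    idp = IdentityProvider(store={
        "clearance": {"value": 3, "valid_until": 5000.0},
        "department": {"value": "finance", "valid_until": 5000.0},
        "stale_attr": {"value": "x", "valid_until": 900.0},   # already expired when asked for
    })
    sp = ServiceProvider(idp)
    plugin = RuntimeAttributePlugin(ProtocolThirdParty(sp))
    return plugin, sp, idp


if __name__ == "__main__":
    plugin, sp, idp = build_chain()
    print(plugin.acquire("clearance", now=1000.0))   # first request goes all the way to the IdP
    print(plugin.acquire("clearance", now=1100.0))   # answered from the plug-in's local cache
    print(plugin.acquire("clearance", now=1400.0))   # local entry aged out; real-time cache answers
    print("identity provider queries:", idp.queries)
```

The two caches serve different parties: the local cache spares the policy decision point a round trip through the protocol third party, while the real-time cache at the service provider spares the identity provider. Because validity is checked on every path in (11-9), a stale entry in either cache cannot be handed to the policy decision point.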
3. An attribute-based access control system, characterized in that it comprises: a data provider, a service provider, an identity provider, an attribute authority, an environment attribute log, a policy enforcement point, a standard assertion file, a policy decision point, a runtime attribute acquisition plug-in and a policy management center;
the data provider is used to judge whether the requesting user is an authenticated user and, if not, to redirect the access request of the requesting user to the service provider;
the service provider is used to interpret the redirected access request as an authentication request and a request to obtain attribute information, and to redirect the authentication request and the request to obtain attribute information to the identity provider;
the identity provider is used to perform preliminary authentication and, if the authentication succeeds, to obtain the subject attribute information;
the identity provider is further used to redirect the authentication request of the requesting user to the attribute authority for further authentication;
the attribute authority is used, after receiving the further authentication request, to produce an early-warning value and judge whether the early-warning value exceeds a warning threshold; if it does, assisted authentication is performed by the identity provider;
the attribute authority is further used, upon success of the further authentication, to return a further-authentication-success instruction to the identity provider, which queries the environment attribute log to obtain the environment attribute information;
the identity provider is used to generate a Security Assertion Markup Language (SAML) instruction and redirect it to the service provider, the SAML instruction containing the subject attribute information and the environment attribute information;
the service provider is further used, after receiving the SAML instruction, to send a response instruction to the data provider, whereupon the data provider sends an authentication cookie to the browser of the requesting user and establishes a session with that browser; the response instruction contains the subject attribute information and the environment attribute information;
the policy enforcement point is used to capture the access request of the authenticated requesting user, to collect and store in the standard assertion file the subject attribute information, the environment attribute information and the object attribute information of the data provider, and then to send the access request of the requesting user to the policy decision point;
the policy decision point is used to judge whether an access decision can be made from the subject attribute information, environment attribute information and object attribute information provided by the policy enforcement point;
the runtime attribute acquisition plug-in is used, when the policy decision point cannot make an access decision from the subject, environment and object attribute information provided by the policy enforcement point, to carry out a complementary attribute information acquisition request;
the policy decision point is further used, once an access decision can be made from the subject, environment and object attribute information provided by the policy enforcement point, or once the runtime attribute acquisition plug-in has carried out the complementary attribute information acquisition request, to determine whether to allow or deny the access request of the requesting user according to the policy produced by the policy management center;
the policy decision point is further used to return the access decision result to the policy enforcement point, which executes the access decision result.
4. The system according to claim 3, characterized in that the system further comprises: a protocol third party, a real-time cache and an attribute query plug-in;
the runtime attribute acquisition plug-in cooperates with the protocol third party, the service provider, the identity provider, the attribute query plug-in and the real-time cache to carry out the complementary attribute information acquisition request:
the runtime attribute acquisition plug-in is used to obtain the name of the attribute needed to make the access decision, then to look up in its local cache whether that attribute name was requested within the preset time; if so, it returns the attribute value corresponding to the attribute name to the policy decision point; otherwise it sends a request to the protocol third party to obtain the attribute value corresponding to the attribute name;
the protocol third party is used, after obtaining the attribute name, to send a query request to the service provider;
the service provider is used, after receiving the query request sent by the protocol third party, to send a query request to the real-time cache through the attribute query plug-in so as to confirm whether the attribute value corresponding to the attribute name exists in the real-time cache; if it exists, the service provider obtains the attribute value that the attribute query plug-in retrieved from the real-time cache;
the attribute query plug-in is used, when the attribute value corresponding to the attribute name does not exist in the real-time cache, to send the attribute name to the service provider as an attribute value acquisition request;
the service provider is further used, after receiving the attribute value acquisition request sent by the attribute query plug-in, to send an attribute value query request to the identity provider;
the identity provider is used to respond to the attribute value query request sent by the service provider and to send the queried attribute value to the service provider;
the service provider is further used to verify the validity of the attribute value and, once verification passes, to send an attribute value response instruction to the protocol third party, the attribute value response instruction containing the valid attribute value obtained;
the protocol third party is further used to send the received attribute value to the runtime attribute acquisition plug-in, which sends the attribute value to the policy decision point.
CN201611226188.7A 2016-12-27 2016-12-27 An attribute-based access control method and system Expired - Fee Related CN106790119B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201611226188.7A CN106790119B (en) 2016-12-27 2016-12-27 An attribute-based access control method and system

Publications (2)

Publication Number Publication Date
CN106790119A true CN106790119A (en) 2017-05-31
CN106790119B CN106790119B (en) 2019-06-07

Family

ID=58922063

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201611226188.7A Expired - Fee Related CN106790119B (en) 2016-12-27 2016-12-27 An attribute-based access control method and system

Country Status (1)

Country Link
CN (1) CN106790119B (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109818907A (en) * 2017-11-21 2019-05-28 航天信息股份有限公司 User anonymous access method and system based on the UCON model

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20120060207A1 (en) * 2010-09-03 2012-03-08 Ebay Inc. Role-based attribute based access control (rabac)
CN102694867A (en) * 2012-06-06 2012-09-26 江苏大学 Attribution-based cross-security domain access control method and system in SOA (Service Oriented Architecture)
CN104378386A (en) * 2014-12-09 2015-02-25 浪潮电子信息产业股份有限公司 Method for cloud data confidentiality protection and access control
US20150295939A1 (en) * 2010-12-30 2015-10-15 Axiomatics Ab System and method for evaluating a reverse query

Non-Patent Citations (4)

* Cited by examiner, † Cited by third party
Title
倪川: "Research on an attribute-based access control method supporting policy ontology reasoning", Computer Science (《计算机科学》) *
商铮 et al.: "Access control policy and decision optimization method oriented to business processes", Computer Engineering and Applications (《计算机工程与应用》) *
朱秋力: "Design and implementation of a service-oriented access control system", China Masters' Theses Full-text Database (《中国优秀硕士学位论文全文数据库》) *
沈海波 et al.: "Attribute-based access control model combined with XACML in Web services", Journal of Computer Applications (《计算机应用》) *

Also Published As

Publication number Publication date
CN106790119B (en) 2019-06-07

Similar Documents

Publication Publication Date Title
CN104144158B (en) Method and apparatus for the automatic agreement based on strategy
CN103532981B (en) A kind of identity trustship towards many tenants authenticates cloud resource access control system and control method
JP6426189B2 (en) System and method for biometric protocol standard
US8613051B2 (en) System and method for COPPA compliance for online education
CN106134154A (en) The technology that the authentication token operation utilizing machine to generate services
CN109314704A (en) Function is nullified for multi-tenant identity and the single-sign-on and single-point of data safety management cloud service
US20060010442A1 (en) System and method for managing security meta-data in a reverse proxy
CN106534199B (en) Distributed system certification and rights management platform under big data environment based on XACML and SAML
CN110300102A (en) A kind of Internet of Things safety access system and method based on block chain
WO2018213519A1 (en) Secure electronic transaction authentication
US20100299738A1 (en) Claims-based authorization at an identity provider
Ceccarelli et al. Continuous and transparent user identity verification for secure internet services
CN102571873B (en) Bidirectional security audit method and device in distributed system
CN103220141B (en) A kind of protecting sensitive data method and system based on group key strategy
CN105117657A (en) Smart service based open authorization access design method and system
CN109587126A (en) User anthority identifying method and system
CN104504340B (en) A kind of forced access control method based on power system security label
CN112187800B (en) Attribute-based access control method with anonymous access capability
CN102571874B (en) On-line audit method and device in distributed system
KR20150026587A (en) Apparatus, method and computer readable recording medium for providing notification of log-in from new equipments
Mustafić et al. Behavioral biometrics for persistent single sign-on
US11075922B2 (en) Decentralized method of tracking user login status
CN104994086B (en) A kind of control method and device of data-base cluster permission
CN106790119B (en) An attribute-based access control method and system
CN105379176B (en) System and method for verifying the request of SCEP certificate registration

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20190607

Termination date: 20191227
