CN107071040A - Permission control method and system based on file descriptors and sessions - Google Patents

Info

Publication number: CN107071040A
Application number: CN201710271349.2A
Authority: CN (China)
Legal status: Granted, active (the legal status shown by Google Patents is an assumption, not a legal conclusion)
Other versions: CN107071040B
Original language: Chinese (zh)
Prior art keywords: session, called, authority, role, file descriptor
Inventors: 文曦畅, 王秋明
Current and original assignee: Sangfor Technologies Co Ltd

Classifications

All classifications fall under H Electricity, H04 Electric communication technique, H04L Transmission of digital information, e.g. telegraphic communication:

    • H04L67/146 Markers for unambiguous identification of a particular session, e.g. session cookie or URL-encoding (H04L67/14 Session management)
    • H04L67/141 Setup of application sessions (H04L67/14 Session management)
    • H04L67/133 Protocols for remote procedure calls [RPC] (H04L67/01 Protocols)
    • H04L12/4633 Interconnection of networks using encapsulation techniques, e.g. tunneling (H04L12/46 Interconnection of networks)
    • H04L12/4641 Virtual LANs, VLANs, e.g. virtual private networks [VPN] (H04L12/46 Interconnection of networks)
    • H04L63/08 Network architectures or protocols for network security: authentication of entities
    • H04L63/10 Network architectures or protocols for network security: controlling access to devices or network resources


Abstract

The invention discloses a permission control method and system based on file descriptors and sessions. The method includes: when a new connection is received by a system call, creating a connection file descriptor and a session associated with the new connection, and marking the session with that connection file descriptor; when a process of an application program makes a system call, identifying the session to which the call belongs from the corresponding connection file descriptor; identifying the session permission of the current session to which the call belongs; and controlling the current system call according to the session permission of the current session. Once a service process has accepted a new connection, the session is marked by the connection file descriptor, each system call is identified by session, the session permission of the current session is identified, and the current system call is controlled by that permission. Permission control at the time a process makes a system call is thus no longer limited to the attributes of the process user and the file.

Description

Permission control method and system based on file descriptors and sessions
Technical field
The present invention relates to the field of access permission management, and in particular to a permission control method and system based on file descriptors and sessions.
Background technology
With the development of science and technology, more and more Internet users obtain shared resources on external networks by remote access. To access a resource remotely, the user's client must connect to a server by remote login; the server then queries the corresponding information in its database and returns it to the client.
However, in Internet applications a server provides different services to different users, that is, different clients have different access permissions, and each client can only obtain the information in the database that falls within its own permission range. Usually, when a user accesses the server remotely, the server decides the permission of each system call, and under normal circumstances it does so directly against the data (files and directories) of the file system and the database. A system call here means a process trapping into the operating system kernel to execute a system function, such as creating a file, modifying a file or running a program. System permission usually means the permission in effect when the system call is made; typically it is determined by the file attributes and by the user and group under which the process runs. Consequently, when a process makes a system call, it is constrained by the attributes of the process user and of the file.
How to perform permission control at the time a process makes a system call without being limited to the attributes of the process user and the file is therefore a technical problem that those skilled in the art currently need to solve.
The content of the invention
The object of the invention is to provide a permission control method and system based on file descriptors and sessions, which can perform permission control when a process makes a system call without being limited to the attributes of the process user and the file.
To solve the above technical problem, the invention provides the following technical scheme:
A permission control method based on file descriptors and sessions, including:
when a new connection is received by a system call, creating in advance a connection file descriptor and a session associated with the new connection, and marking the session with the connection file descriptor;
when a process of an application program makes a system call, identifying the session to which the system call belongs from the corresponding connection file descriptor;
identifying the session permission of the current session to which the system call belongs;
controlling the current system call according to the session permission of the current session.
Preferably, creating in advance, when a new connection is received by a system call, the connection file descriptor and session associated with the new connection, and marking the session with the connection file descriptor, includes:
when a new connection is received by a system call, creating the connection file descriptor associated with the new connection;
creating the session associated with the new connection;
mapping each connection file descriptor, one by one, to a session or to the null session.
Preferably, identifying the session of the system call from the corresponding connection file descriptor when a process of an application program makes a system call includes:
when a process of an application program makes a system call, judging whether the current system call includes a preset connection file descriptor;
if so, updating the current session to which the system call belongs to be the session mapped by the preset connection file descriptor;
executing the current system call;
judging whether the current system call generated a new connection file descriptor different from the preset connection file descriptor;
if so, mapping the new connection file descriptor to the current session.
Preferably, identifying the session permission of the current session to which the system call belongs includes:
obtaining the IP address of the initiator of the current session of the system call;
recognising the role of the current session according to the IP address and preset role configuration information;
retrieving the session permission configuration corresponding to that role according to the role of the current session.
Preferably, identifying the session permission of the current session to which the system call belongs includes:
judging whether the session information of the current session includes preset session role authentication information;
if so, obtaining the session role authentication information, recognising the role of the initiator of the session from that information, and obtaining the session permission configuration of that role.
Preferably, identifying the session permission of the current session to which the system call belongs includes:
establishing in advance a virtual communication network tunnel for communication by a preset role;
identifying the source tunnel of the current session to judge the role to which the current session belongs;
retrieving the corresponding session permission configuration according to the role of the current session.
A permission control system based on file descriptors and sessions, including:
a preprocessing module, for creating, when a new connection is received by a system call, the connection file descriptor and session associated with the new connection, and marking the session with the connection file descriptor;
an identification module, for identifying the session of the system call from the corresponding connection file descriptor when a process of an application program makes a system call;
a permission identification module, for identifying the session permission of the current session to which the system call belongs;
a system call module, for controlling the current system call according to the session permission of the current session.
Preferably, the preprocessing module includes:
a descriptor construction unit, for creating, when a new connection is received by a system call, the connection file descriptor associated with the new connection;
a session construction unit, for creating the session associated with the new connection;
a first mapping unit, for mapping each connection file descriptor, one by one, to a session or to the null session.
Preferably, the identification module includes:
a first judging unit, for judging, when a process of an application program makes a system call, whether the current system call includes a preset connection file descriptor;
a session update unit, for updating, when the current system call is judged to include a preset connection file descriptor, the current session to which the system call belongs to be the session mapped by that preset connection file descriptor;
an execution unit, for executing the current system call;
a second judging unit, for judging whether the current system call generated a new connection file descriptor different from the preset connection file descriptor;
a second mapping unit, for mapping the new connection file descriptor to the current session if so.
Preferably, the permission identification module includes:
a first acquisition unit, for obtaining the IP address of the initiator of the current session of the system call;
a role recognition unit, for recognising the role of the current session according to the IP address and preset role configuration information;
a first permission retrieval unit, for retrieving the session permission configuration corresponding to the role of the current session.
Preferably, the permission identification module includes:
a third judging unit, for judging whether the session information of the current session includes preset session role authentication information;
a second acquisition unit, for obtaining the session role authentication information when the third judging unit judges that the session information of the current session includes it, recognising the role of the initiator of the session from that information, and obtaining the session permission configuration of that role.
Preferably, the permission identification module includes:
a communication tunnel establishing unit, for establishing in advance a virtual communication network tunnel for communication by a preset role;
a source tunnel recognition unit, for identifying the source tunnel of the current session to judge the role to which the current session belongs;
a second permission retrieval unit, for retrieving the corresponding session permission configuration according to the role of the current session.
Compared with the prior art, the above technical scheme has the following advantages:
The permission control method based on file descriptors and sessions provided by the embodiments of the invention includes: when a new connection is received by a system call, creating a connection file descriptor and a session associated with the new connection and marking the session with that descriptor; when a process of an application program makes a system call, identifying its session from the corresponding connection file descriptor; identifying the session permission of the current session to which the call belongs; and controlling the current system call according to that session permission. When a service process receives a new connection, that is, a new task, a connection file descriptor and a session associated with the connection are created and the session is marked by the descriptor. System calls can then be identified by session, the current session is adjusted according to the connection file descriptor involved in each call, the session permission of the current session is identified, and the current system call is controlled by that permission. Permission control at the time a process makes a system call is therefore no longer limited to the attributes of the process user and the file.
Brief description of the drawings
To explain the embodiments of the invention or the technical schemes of the prior art more clearly, the drawings needed in the description of the embodiments or the prior art are briefly introduced below. Obviously, the drawings described below show only some embodiments of the invention; those of ordinary skill in the art can derive other drawings from them without creative work.
Fig. 1 is a flow chart of a permission control method based on file descriptors and sessions provided by an embodiment of the invention;
Fig. 2 is a flow chart of a session recognition method provided by an embodiment of the invention;
Fig. 3 is a structural diagram of a permission control system based on file descriptors and sessions provided by an embodiment of the invention.
Embodiment
The core of the invention is to provide a permission control method and system based on file descriptors and sessions, which can perform permission control when a process makes a system call without being limited to the attributes of the process user and the file.
To make the above objects, features and advantages of the invention clearer and easier to understand, the embodiments of the invention are described in detail below with reference to the drawings.
Many specific details are set out in the following description so that the invention can be fully understood. The invention can, however, be implemented in many ways other than those described here, and those skilled in the art can make similar generalisations without departing from its spirit. The invention is therefore not limited by the embodiments disclosed below.
Refer to Fig. 1, a flow chart of a permission control method based on file descriptors and sessions provided by an embodiment of the invention.
An embodiment of the invention provides a permission control method based on file descriptors and sessions, including:
S11: when a new connection is received by a system call, creating in advance a connection file descriptor and a session associated with the new connection, and marking the session with the connection file descriptor.
In one embodiment of the invention, creating in advance, when a new connection is received by a system call, the connection file descriptor and session associated with the new connection, and marking the session with the connection file descriptor, includes: when a new connection is received by a system call, creating the connection file descriptor associated with the new connection; creating the session associated with the new connection; and mapping each connection file descriptor, one by one, to a session or to the null session.
In this embodiment, a connection file descriptor is the numeric identifier, also called a file handle, that a process or the operating system uses to indicate an open file or connection. A session is what the system allocates to a service process once that process has received a new connection; the session is associated with the connection, where a connection means the connection between an application program and a database in the system. Each connection file descriptor is mapped to a session or to the null session, recording which session, if any, the descriptor belongs to.
S12: when a process of an application program makes a system call, identifying the session of the system call from the corresponding connection file descriptor.
Identifying the session of the system call from the corresponding connection file descriptor when a process of an application program makes a system call includes: when a process of an application program makes a system call, judging whether the current system call includes a preset connection file descriptor; if so, updating the current session to which the system call belongs to be the session mapped by the preset connection file descriptor; executing the current system call; judging whether the current system call generated a new connection file descriptor different from the preset one; and if so, mapping the new connection file descriptor to the current session.
It should be noted that the server calls data in the database through service processes. A service process is a process in the server's application system that listens on an external port, accepts new connections and provides a service, such as apache (a www server) or vsftpd (an ftp server). After a service process accepts a new connection, the system allocates it a session, and the session is associated with the connection so that the permission of system calls can be controlled through the session.
In this embodiment, the preset connection file descriptor is illustrated by the descriptor parameter fd. Refer to Fig. 2, a flow chart of a session recognition method provided by an embodiment of the invention. When a process of an application program makes a system call, identifying the session of the system call from the corresponding connection file descriptor includes:
S21: when a system call is made, judging whether the current system call includes the file descriptor parameter fd.
S22: if so, updating the current session to be the session mapped by fd.
S23: executing the current system call.
S24: judging whether the system call generated a new file descriptor parameter fd-new.
S25: if so, mapping fd-new to the current session.
The system call then ends.
In this embodiment, sessions are recognised from connection file descriptors: session recognition continually adjusts the current session according to the connection file descriptor involved in each system call, and maps any new file descriptor to the current session. When a subprocess is created, it inherits the current session.
S13: identifying the session permission of the current session to which the system call belongs.
In one embodiment of the invention, identifying the session permission of the current session to which the system call belongs includes: obtaining the IP address of the initiator of the current session of the system call; recognising the role of the current session according to the IP address and preset role configuration information; and retrieving the session permission configuration corresponding to that role according to the role of the current session.
In this embodiment, a role is a user identity, and each identity possesses one set of operating permissions in the system. To know the permission of a client (the initiator of a session), this embodiment identifies the role of the session the client has just established, that is, the identity of the client that initiated the session; only once the client's identity is known can the server grant it the corresponding permission for system calls. The identity of the client that initiated the session is recognised by reading the IP address of the session's initiator. For example, suppose two clients access the server: client A has IP address 192.168.1.1, its identity is administrator, and its preset permission is "all"; client B has IP address 123.45.67.89, its identity is ordinary user, and its preset permission is "part". When one of these clients accesses the server and initiates a session, the server reads the IP address of the initiating client and obtains the client's identity from it; if the address read is that of client A, the client is judged to be an administrator and the current system call is controlled with the permission corresponding to that client. Because each client has an IP address that is unique and different from those of other clients, recognising the IP address of the client that initiates the session identifies the client, and the corresponding permission can be retrieved to control the system call.
In another embodiment of the invention, identifying the session permission of the current session to which the system call belongs includes: judging whether the session information of the current session includes preset session role authentication information; if so, obtaining the session role authentication information, recognising the role of the initiator of the session from that information, and obtaining the session permission configuration of that role.
In this embodiment, roles are identified by re-authentication. Re-authentication can introduce an intermediate proxy so that all data destined for the server first passes through the proxy, which authenticates the connection before passing the request on to the server.
Specifically, the client sends the request content to the intermediate proxy, and the proxy judges whether the session information includes preset session role authentication information. If not, it returns a prompt that authentication is required, and the client resends the request content together with authentication information to the proxy. Once the proxy has authenticated the client, it sends the request content and the related role information to the server, and the server returns the reply content to the client. In this process the identity of the client that initiated the session is recognised by the intermediate proxy.
In another embodiment of the invention, identifying the session permission of the current session to which the system call belongs includes: establishing in advance a virtual communication network tunnel for communication by a preset role; identifying the source tunnel of the current session to judge the role to which the current session belongs; and retrieving the corresponding session permission configuration according to that role.
In this embodiment, roles are identified by tunnel. The client establishes a virtual private communication network tunnel with the server, and the role is identified by distinguishing the source tunnel. For example, when client roles are divided into administrator and ordinary user, the administrator client communicates with the server over a virtual private communication network tunnel, while the ordinary user client communicates with the server over ordinary network access. When a client establishes a session with the server, recognising the source tunnel of the session is then enough to determine the identity of the role to which the session belongs.
S14: controlling the current system call according to the session permission of the current session.
Further, on top of controlling the current system call by the session permission, the system can also judge as needed whether the system call satisfies the system's own permission. Here the session indicates which role it belongs to, that is, the client or user behind the session, and different roles possess different sets of operating permissions in the system according to their identity, so different sessions correspond to different session permissions. When a user wants to make a system call, the session permission must be checked: the session permission check judges the data access permission of the role corresponding to the session, and the check of the system's own access permission judges which data access permission the system can provide to that role. The current system call may only be executed when the data it accesses passes the session permission check.
In this embodiment, a specific example is used for illustration.
Suppose an http server S with IP address 200.200.0.1 applies the permission control method based on file descriptors and sessions. Source IP address 192.168.0.1 is assigned the administrator role (write permission on all files); every other source address is assigned the ordinary user role (read-only on all files).
Suppose a user sends the http request POST /changepasswd.php User=test&pass=test from a terminal with IP address 192.168.0.2 in order to change the password of user test; the program's logic is to open a file on disk and modify it.
The whole process is as follows:
1. the user initiates a connection request to 200.200.0.1 from 192.168.0.2;
2. the server receives the connection request; a file descriptor is created, the corresponding session information is also created, and the session information is associated with this file descriptor;
3. the session's role is obtained by looking up the IP address of the user's initiating terminal; this user's role is ordinary user;
4. the user sends POST /changepasswd.php User=test&pass=test, and the server program begins to execute the password modification logic;
5. the server program opens the password file and obtains the file descriptor of the password file; by the method of the invention, this descriptor is known to belong to the session of user 192.168.0.2 (created in step 2);
6. the server program writes to the password file; at this point the session permission is checked, and it is found that this user is not allowed to write files;
7. the write fails and the server program is returned an insufficient-permission error;
8. the user's attempt to change the password fails;
9. the above process, in which the server program and the user attempted to write to the password file, is recorded in the database for subsequent audit.
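The session recognition flow S21 to S25 and the password-change scenario above, as an added user-space model (example code, not code from the patent or from Sangfor): file descriptors returned by accept() and open() are mapped to sessions, the session role is identified from the source IP, and a write system call is checked against that role. The role table, IP addresses, the re-authentication token and the password file path are constructed for the demonstration.

```python
# Added example, not code from the patent: a user-space model of the
# fd -> session -> role -> permission chain. All configuration values are constructed.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed role configuration matching the page's scenario: the administrator
# may read and write every file, ordinary users are read-only.
ROLE_PERMISSIONS: Dict[str, set] = {"administrator": {"read", "write"},
                                    "user": {"read"}}
# Constructed "preset role configuration information": source IP -> role.
IP_ROLE_CONFIG: Dict[str, str] = {"192.168.0.1": "administrator"}
# Constructed re-authentication table: session role authentication info -> role.
AUTH_ROLE_CONFIG: Dict[str, str] = {"token-admin-7f3a": "administrator"}


class SessionPermissionDenied(Exception):
    """Raised when a system call fails the session permission check."""


@dataclass
class Session:
    sid: int
    client_ip: str
    role: str


class SessionMonitor:
    """Tracks the session each file descriptor belongs to and checks every
    file system call against the permissions of that session's role."""

    def __init__(self) -> None:
        # fd -> Session, or None for the null session (fds not tied to any connection)
        self.fd_session: Dict[int, Optional[Session]] = {}
        self.next_fd = 3          # constructed: 0-2 are taken by stdio
        self.next_sid = 1
        # audit records: (client_ip, role, operation, fd, allowed)
        self.audit: List[Tuple[Optional[str], Optional[str], str, int, bool]] = []

    def _alloc_fd(self, session: Optional[Session]) -> int:
        fd = self.next_fd
        self.next_fd += 1
        self.fd_session[fd] = session
        return fd

    # Steps 1-3 of the scenario: accepting a connection yields a connection fd, a
    # session is created for it, and the role is identified from the source IP.
    def accept(self, client_ip: str) -> int:
        session = Session(self.next_sid, client_ip, IP_ROLE_CONFIG.get(client_ip, "user"))
        self.next_sid += 1
        return self._alloc_fd(session)

    # Privilege change (A1 on the page): the client re-authenticates on an existing
    # connection and the session's role is re-identified from the authentication info.
    def reauthenticate(self, conn_fd: int, auth_info: str) -> bool:
        session = self.fd_session.get(conn_fd)
        if session is None or auth_info not in AUTH_ROLE_CONFIG:
            return False
        session.role = AUTH_ROLE_CONFIG[auth_info]
        return True

    # S21-S25: a system call carrying a known fd selects that fd's session as the
    # current session, and a new fd produced by the call is mapped to it as well.
    def open(self, calling_fd: Optional[int], path: str) -> int:
        current = self.fd_session.get(calling_fd) if calling_fd is not None else None
        new_fd = self._alloc_fd(current)      # fd-new inherits the current session
        self._record(current, "open", new_fd, True)
        return new_fd

    def write(self, fd: int, data: bytes) -> int:
        self._check(self.fd_session.get(fd), "write", fd)
        return len(data)

    # A subprocess inherits the current session: a duplicated fd keeps the mapping.
    def inherit(self, fd: int) -> int:
        return self._alloc_fd(self.fd_session.get(fd))

    def _check(self, session: Optional[Session], op: str, fd: int) -> None:
        # An fd in the null session has no role and therefore no permissions.
        allowed = ROLE_PERMISSIONS.get(session.role, set()) if session else set()
        ok = op in allowed
        self._record(session, op, fd, ok)
        if not ok:
            raise SessionPermissionDenied(f"{op} on fd {fd} denied for {session}")

    def _record(self, session: Optional[Session], op: str, fd: int, ok: bool) -> None:
        self.audit.append((session.client_ip if session else None,
                           session.role if session else None, op, fd, ok))


def change_password_request(monitor: SessionMonitor, conn_fd: int) -> str:
    """The changepasswd.php handler of the scenario (steps 5-7): open the password
    file on behalf of the connection and try to write to it."""
    pw_fd = monitor.open(conn_fd, "/srv/www/passwd.db")   # constructed path
    try:
        monitor.write(pw_fd, b"test:<new hash>\n")
        return "password changed"
    except SessionPermissionDenied:
        return "write failed: insufficient permission"
```

The audit list plays the part of step 9: every check, allowed or denied, is recorded with the session's client address and role.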
Further, keeper logs in from 192.168.0.1, then in step 3, and user role is identified as keeper, then Follow-up operation can be all cleared.
It should be noted that after the failure of user's Modify password, if still wanting to carry if power performs Modify password operation again, It can carry out in the following manner:
A1:Tunnel or re-authentication are selected, tunnel or authentication information are carried in the request at this moment initiated, in step 3 Other roles, other roles can be judged as if configured to allowing to change this cryptogam, just can be successfully modified.
It should also be noted that, mainly checking authority configuration according to tunnel or authentication information after power is put forward, carry after power Role can be reselected, the role can also be keeper.
Here, the session permission represents the access rights of the role corresponding to the session, so that when judging whether a system call satisfies the permission there is no need to additionally judge the attributes of the file operated on by the system call and the attributes of the user under which it runs, which greatly simplifies the permission judgement process. A session-permission check is introduced for the system calls that the application program needs, so that the permission is checked and verified in the server at the time the system call is made, in order to control the permissions of the application program; this achieves permission control that is not limited to the attributes of the process user and the file when the process makes a system call.
It should be noted that, during the whole communication service described here, system calls mainly include the file read/write system calls made by the application program to the disk file system, and the system calls by which the application program connects to the database of a database program for reading and writing. Permission checks are performed at system-call time in both of these cases.
It should also be noted that system calls also include those by which the database program itself reads and writes database data; since these have little significance for permission checking technically, in this embodiment permission checks may be omitted for these system calls.
Refer to Fig. 3, which is a schematic architecture diagram of a permission control system based on file descriptors and sessions provided by an embodiment of the present invention.
Correspondingly, an embodiment of the present invention further provides a permission control system based on file descriptors and sessions, including: a preprocessing module 31, for, when new connection information is received through a system call in advance, establishing a connection file descriptor and a session associated with the new connection information, and marking the session by the connection file descriptor; an identification module 32, for, when a process of an application program makes a system call, identifying the system call by session according to the corresponding connection file descriptor; a permission identification module 33, for identifying the session permission of the current session to which the system call belongs; and a system call module 34, for controlling the current system call according to the session permission corresponding to the current session.
Further, the preprocessing module includes: a descriptor construction unit, for, when new connection information is received through a system call in advance, establishing the connection file descriptor associated with the new connection information; a session construction unit, for establishing the session associated with the new connection information; and a first mapping unit, for mapping each connection file descriptor one by one into a session or into a null session.
The identification module includes: a first judging unit, for, when a process of an application program makes a system call, judging whether the current system call includes a preset connection file descriptor; a session updating unit, for, when it is judged that the current system call includes a preset connection file descriptor, updating the current session to which the system call belongs to be the session mapped by that preset connection file descriptor; an execution unit, for executing the current system call; a second judging unit, for judging whether the current system call generates a new connection file descriptor different from the preset connection file descriptor; and a second mapping unit, for mapping that new connection file descriptor to the current session if so.
In one embodiment of the present invention, the permission identification module includes: a first acquisition unit, for obtaining the IP address of the initiating end of the current session of the system call; a role identification unit, for identifying the role to which the current session belongs according to the IP address and preset role configuration information; and a first permission retrieval unit, for retrieving the session permission configuration corresponding to that role according to the role to which the current session belongs.
In this embodiment, the identity of the client initiating the session is identified by reading the IP address of the initiating end of the session. For example, suppose two clients access the server: the IP address of client A is 192.168.1.1, its identity is administrator, and its preset permission is "all"; the IP address of client B is 123.45.67.89, its identity is ordinary user, and its preset permission is "partial". When a client accesses the server and initiates a session, the server reads the IP address of the client initiating the session and obtains the identity information of the client from that IP address; if, for example, the address read is that of client A, the current client is determined to be an administrator, and accordingly the current system call can be controlled with the permission corresponding to that client. Since each client is assumed to have a unique IP address different from those of other clients, identifying the IP address of the client initiating the session identifies the client, and the corresponding permission can be retrieved to control the system call.
In another embodiment of the present invention, the permission identification module includes: a third judging unit, for judging whether the session information of the current session includes preset session role authentication information; and a second acquisition unit, for, when the third judging unit judges that the session information of the current session includes preset session role authentication information, obtaining the session role authentication information, identifying and analyzing the role of the initiating end of the session information according to it, and obtaining the session permission configuration of that role.
In this embodiment, role identification is performed by re-authentication. An intermediate agent may be introduced for re-authentication; the intermediate agent is the session permission identification module described above, so that all data arriving at the server first passes through the intermediate agent, which authenticates the connection and the request before passing them on to the server.
Specifically, the client sends the request content to the intermediate agent, and the agent judges whether the session information includes preset session role authentication information. If not, it returns a prompt that authentication is required, and the client sends the request content again together with authentication information; after the agent has passed the authentication, it sends the request content and the related role information to the server, and the server returns the reply content to the client. In this process, the identity of the client initiating the session is identified by the intermediate agent.
In another embodiment of the present invention, the permission identification module includes: a communication tunnel establishing unit, for pre-establishing a virtual communication network tunnel for communication of a preset role; a source tunnel identification unit, for identifying the source tunnel of the current session so as to judge the role to which the current session belongs; and a second permission retrieval unit, for retrieving the corresponding session permission configuration according to the role to which the current session belongs.
In this embodiment, role identification is performed by means of tunnels. In this process, the client establishes a virtual private communication network tunnel with the server, and the role is identified by distinguishing the source tunnel. For example, when client roles are divided into administrator and ordinary user, the tunnel through which the administrator client communicates with the server is a virtual private communication network tunnel, while the ordinary user client communicates with the server over general network access; thus, when a client establishes a session with the server, only the source tunnel of the session needs to be identified to determine the identity information of the role to which the session belongs.
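The two role-identification embodiments above (re-authentication through an intermediate agent, and identification by source tunnel) as one added example; this is not code from the patent or from Sangfor. The patent does not define the form of the "session role authentication information", so an HMAC-SHA256-signed token is assumed here, and the header name X-Role-Auth, the shared key and the tunnel table are likewise assumptions. A tunnel is modelled as the local listener address the connection arrived on: a connection that arrived on the VPN-side listener came through the preset administrator tunnel, while general-network connections are not in the table and must re-authenticate. The ordering follows the "tunnel or re-authentication" choice of step A1: the source tunnel is consulted first, then the token.

```python
"""Intermediate agent that fixes a session's role by source tunnel or by
re-authentication, as in the two embodiments above.

Added example, not the patent's code. Token format, header name, key and the
tunnel table are constructed assumptions.
"""
import base64
import hashlib
import hmac
import json

# Assumed shared secret the agent uses to verify re-authentication tokens.
AUTH_KEY = b"constructed-demo-key"

# Assumed tunnel configuration: listener address -> role of the preset tunnel.
# Ordinary users arrive over the general network and are deliberately absent.
TUNNEL_ROLE = {"10.8.0.1:8443": "admin"}


def issue_token(role):
    """Mint the assumed 'session role authentication information':
    urlsafe-base64(JSON body) '.' hex(HMAC-SHA256(body)). The authenticator
    that the client re-authenticates against would produce this."""
    body = base64.urlsafe_b64encode(json.dumps({"role": role}).encode())
    mac = hmac.new(AUTH_KEY, body, hashlib.sha256).hexdigest().encode()
    return (body + b"." + mac).decode()


def verify_token(token):
    """Return the role carried by a valid token, else None. The MAC is compared
    in constant time so a forged role claim cannot be confirmed byte by byte."""
    try:
        body, mac = token.encode().split(b".", 1)
    except (ValueError, AttributeError):
        return None
    expected = hmac.new(AUTH_KEY, body, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(mac, expected):
        return None
    try:
        return json.loads(base64.urlsafe_b64decode(body))["role"]
    except (ValueError, KeyError, TypeError):
        return None


def identify_role(session, request):
    """Source tunnel first, then re-authentication. session['local_addr'] is the
    listener the connection arrived on; request['headers'] may carry the token
    under X-Role-Auth (assumed name). Returns (role or None, how)."""
    tunnel_role = TUNNEL_ROLE.get(session.get("local_addr"))
    if tunnel_role:
        return tunnel_role, "tunnel"
    token = request.get("headers", {}).get("X-Role-Auth")
    if token is None:
        return None, "missing"
    role = verify_token(token)
    return (role, "reauth") if role else (None, "invalid")


def proxy_handle(session, request):
    """The intermediate agent: every request passes here before the server.
    Without authentication information it answers with an authentication
    prompt; with valid information it forwards the request plus the role."""
    role, how = identify_role(session, request)
    if role is None and how == "missing":
        return ("auth_required", "re-authentication required: present X-Role-Auth")
    if role is None:
        return ("reject", "invalid authentication information")
    forwarded = dict(request)
    forwarded["role"] = role          # related role information passed on to the server
    forwarded["role_source"] = how
    return ("forward", forwarded)


if __name__ == "__main__":
    general = {"local_addr": "200.200.0.1:443"}
    print(proxy_handle(general, {"headers": {}}))
    print(proxy_handle(general, {"headers": {"X-Role-Auth": issue_token("admin")}}))
    print(proxy_handle({"local_addr": "10.8.0.1:8443"}, {"headers": {}}))
```

The check worth keeping from this model is that the role the server eventually acts on is produced by the agent, never copied from the client's request: a token whose body says "admin" but whose MAC was computed over a "user" body is rejected, and the general-network listener never yields a role on its own.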
In this embodiment, after the service process receives a new connection, that is, when it receives a new task, a connection file descriptor and a session associated with the new connection are created, and the session is marked by the connection file descriptor. In this way system calls can be identified by session: the current session is set according to the connection file descriptor involved in the system call, so that the session is identified, and the current system call is controlled according to the session permission of the identified current session.
Here, the session indicates which role the session belongs to, that is, the client or user to which the session belongs, and different roles possess a set of operation permission configurations in the system according to their identity. Different sessions correspond to their respective session permissions. When a user wants to make a system call, a session permission check is required: the session permission check judges the data access permission of the role corresponding to the session, while the check of the system's own access permission judges the data access permission the system can provide to that role; only when the data of the system call passes the session permission check can the current system call be executed.
In summary, in the permission control method and system based on file descriptors and sessions provided by the present invention, after the service process receives a new connection, that is, when it receives a new task, a connection file descriptor and a session associated with the new connection are created, and the session is marked by the connection file descriptor; in this way system calls can be identified by session, the current session is set according to the connection file descriptor involved in the system call so as to identify the session, and the current system call is controlled according to the session permission of the identified current session. The session permission represents the access rights of the role corresponding to the session, so that when judging whether a system call satisfies the permission there is no need to additionally judge the attributes of the file operated on by the system call and the attributes of the user under which it runs, which greatly simplifies the permission judgement process. A session-permission check is introduced for the system calls that the application program needs, so that the permission is checked and verified in the server at the time the system call is made, in order to control the permissions of the application program; this achieves permission control that is not limited to the attributes of the process user and the file when the process makes a system call.
The permission control method and system based on file descriptors and sessions provided by the present invention have been described in detail above. Specific examples have been used herein to explain the principle and embodiments of the present invention; the above description of the embodiments is only intended to help understand the present invention and its core idea. It should be pointed out that those skilled in the art can make several improvements and modifications to the present invention without departing from its principles, and these improvements and modifications also fall within the scope of protection of the claims of the present invention.

Claims (12)

1. A permission control method based on file descriptors and sessions, characterized by including:
when new connection information is received through a system call in advance, establishing a connection file descriptor and a session associated with the new connection information, and marking the session by the connection file descriptor;
when a process of an application program makes a system call, identifying the system call by session according to the corresponding connection file descriptor;
identifying the session permission of the current session to which the system call belongs;
controlling the current system call according to the session permission corresponding to the current session.
2. The method according to claim 1, characterized in that said establishing, when new connection information is received through a system call in advance, a connection file descriptor and a session associated with the new connection information, and marking the session by the connection file descriptor, includes:
when new connection information is received through a system call in advance, establishing the connection file descriptor associated with the new connection information;
establishing the session associated with the new connection information;
mapping each connection file descriptor one by one into a session or into a null session.
3. The method according to claim 2, characterized in that said identifying, when a process of an application program makes a system call, the system call by session according to the corresponding connection file descriptor, includes:
when a process of an application program makes a system call, judging whether the current system call includes a preset connection file descriptor;
if so, updating the current session to which the system call belongs to be the session mapped by the preset connection file descriptor;
executing the current system call;
judging whether the current system call generates a new connection file descriptor different from the preset connection file descriptor;
if so, mapping the new connection file descriptor to the current session.
4. The method according to any one of claims 1 to 3, characterized in that said identifying the session permission of the current session to which the system call belongs includes:
obtaining the IP address of the initiating end of the current session of the system call;
identifying the role to which the current session belongs according to the IP address and preset role configuration information;
retrieving the session permission configuration corresponding to the role according to the role to which the current session belongs.
5. The method according to any one of claims 1 to 3, characterized in that said identifying the session permission of the current session to which the system call belongs includes:
judging whether the session information of the current session includes preset session role authentication information;
if so, obtaining the session role authentication information, identifying and analyzing the role of the initiating end of the session information according to the session role authentication information, and obtaining the session permission configuration of the role.
6. The method according to any one of claims 1 to 3, characterized in that said identifying the session permission of the current session to which the system call belongs includes:
pre-establishing a virtual communication network tunnel for communication of a preset role;
identifying the source tunnel of the current session so as to judge the role to which the current session belongs;
retrieving the corresponding session permission configuration according to the role to which the current session belongs.
7. A permission control system based on file descriptors and sessions, characterized by including:
a preprocessing module, for, when new connection information is received through a system call in advance, establishing a connection file descriptor and a session associated with the new connection information, and marking the session by the connection file descriptor;
an identification module, for, when a process of an application program makes a system call, identifying the system call by session according to the corresponding connection file descriptor;
a permission identification module, for identifying the session permission of the current session to which the system call belongs;
a system call module, for controlling the current system call according to the session permission corresponding to the current session.
8. The system according to claim 7, characterized in that the preprocessing module includes:
a descriptor construction unit, for, when new connection information is received through a system call in advance, establishing the connection file descriptor associated with the new connection information;
a session construction unit, for establishing the session associated with the new connection information;
a first mapping unit, for mapping each connection file descriptor one by one into a session or into a null session.
9. The system according to claim 8, characterized in that the identification module includes:
a first judging unit, for, when a process of an application program makes a system call, judging whether the current system call includes a preset connection file descriptor;
a session updating unit, for, when it is judged that the current system call includes a preset connection file descriptor, updating the current session to which the system call belongs to be the session mapped by the preset connection file descriptor;
an execution unit, for executing the current system call;
a second judging unit, for judging whether the current system call generates a new connection file descriptor different from the preset connection file descriptor;
a second mapping unit, for mapping the new connection file descriptor to the current session if so.
10. The system according to any one of claims 7 to 9, characterized in that the permission identification module includes:
a first acquisition unit, for obtaining the IP address of the initiating end of the current session of the system call;
a role identification unit, for identifying the role to which the current session belongs according to the IP address and preset role configuration information;
a first permission retrieval unit, for retrieving the session permission configuration corresponding to the role according to the role to which the current session belongs.
11. The system according to any one of claims 7 to 9, characterized in that the permission identification module includes:
a third judging unit, for judging whether the session information of the current session includes preset session role authentication information;
a second acquisition unit, for, when the third judging unit judges that the session information of the current session includes preset session role authentication information, obtaining the session role authentication information, identifying and analyzing the role of the initiating end of the session information according to the session role authentication information, and obtaining the session permission configuration of the role.
12. The system according to any one of claims 7 to 9, characterized in that the permission identification module includes:
a communication tunnel establishing unit, for pre-establishing a virtual communication network tunnel for communication of a preset role;
a source tunnel identification unit, for identifying the source tunnel of the current session so as to judge the role to which the current session belongs;
a second permission retrieval unit, for retrieving the corresponding session permission configuration according to the role to which the current session belongs.
CN201710271349.2A 2017-04-24 2017-04-24 Authority control method and system based on file descriptor and session Active CN107071040B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201710271349.2A CN107071040B (en) 2017-04-24 2017-04-24 Authority control method and system based on file descriptor and session

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201710271349.2A CN107071040B (en) 2017-04-24 2017-04-24 Authority control method and system based on file descriptor and session

Publications (2)

Publication Number Publication Date
CN107071040A true CN107071040A (en) 2017-08-18
CN107071040B CN107071040B (en) 2020-05-01

Family

ID=59605240

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201710271349.2A Active CN107071040B (en) 2017-04-24 2017-04-24 Authority control method and system based on file descriptor and session

Country Status (1)

Country Link
CN (1) CN107071040B (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110009267A (en) * 2018-01-04 2019-07-12 中集冷云(北京)冷链科技有限公司 Cold Chain Logistics transport power concocting method and Cold Chain Logistics transport power deployment device
CN114428951A (en) * 2022-04-01 2022-05-03 北京时代亿信科技股份有限公司 Method and device for controlling access authority of network file system

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1773413A (en) * 2004-11-10 2006-05-17 中国人民解放军国防科学技术大学 Character constant weight method
US20130291051A1 (en) * 2012-04-26 2013-10-31 Helen Balinsky System call interception
CN103986741A (en) * 2013-02-08 2014-08-13 株式会社日立制作所 Cloud data system, cloud data center, and resource management method of the cloud data center
CN104270427A (en) * 2014-09-18 2015-01-07 用友优普信息技术有限公司 Session control method and device
CN104467923A (en) * 2013-09-16 2015-03-25 北京三星通信技术研究有限公司 Apparatus interacting method, apparatus and system

Also Published As

Publication number Publication date
CN107071040B (en) 2020-05-01

Similar Documents

Publication Publication Date Title
US11122030B2 (en) Methods, systems, devices, and products for web services
CN103001999B (en) For privately owned Cloud Server, intelligent apparatus client and the method for public cloud network
CN107493280A (en) Method, intelligent gateway and the certificate server of user authentication
US8522333B2 (en) Client/server system for communicating according to the standard protocol OPC UA and having single sign-on mechanisms for authenticating, and method for performing single sign-on in such a system
US10971159B2 (en) Cross account access for a virtual personal assistant via voice printing
US10972556B1 (en) Location-based functionality for voice-capturing devices
CN107133516A (en) A kind of authority control method and system
US8402511B2 (en) LDAPI communication across OS instances
CN112788031A (en) Envoy architecture-based micro-service interface authentication system, method and device
CN107257337A (en) A kind of shared authority control method of multiterminal and its system
CN113341798A (en) Method, system, device, equipment and storage medium for remotely accessing application
EP2160863A1 (en) Multiple user authentications on a communications device
CN103780711A (en) Address assignment method and address assignment system for intelligent access type decision, and AAA system
CN113765655A (en) Access control method, device, equipment and storage medium
CN107294910A (en) A kind of login method and server
CN107071040A (en) A kind of authority control method and system based on filec descriptor and session
US20040083296A1 (en) Apparatus and method for controlling user access
CN104469770B (en) Towards WLAN authentication methods, platform and the system of third-party application
US11166147B2 (en) Roaming among different types of networks
CN113194099A (en) Data proxy method and proxy server
CN107018140A (en) A kind of authority control method and system
US6961772B1 (en) Transparent connection type binding by address range
CN113742701B (en) System and method for opening AR/VR service, gateway device, AR/VR device and storage medium
JP2006229699A (en) System for providing session control service
CN107038382A (en) A kind of authority control method and system based on filec descriptor and session

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant