CN107657182A - A kind of method for strengthening media data control of authority reliability - Google Patents
A kind of method for strengthening media data control of authority reliability Download PDFInfo
- Publication number
- CN107657182A CN107657182A CN201710972256.2A CN201710972256A CN107657182A CN 107657182 A CN107657182 A CN 107657182A CN 201710972256 A CN201710972256 A CN 201710972256A CN 107657182 A CN107657182 A CN 107657182A
- Authority
- CN
- China
- Prior art keywords
- user
- authority
- file
- authorization message
- white list
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/62—Protecting access to data via a platform, e.g. using keys or access control rules
- G06F21/6218—Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/604—Tools and structures for managing or administering access control systems
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F2221/00—Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/21—Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/2141—Access rights, e.g. capability lists, access control lists, access tables, access matrices
Landscapes
- Engineering & Computer Science (AREA)
- Theoretical Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Bioethics (AREA)
- General Health & Medical Sciences (AREA)
- Computer Hardware Design (AREA)
- Health & Medical Sciences (AREA)
- Software Systems (AREA)
- Physics & Mathematics (AREA)
- General Engineering & Computer Science (AREA)
- General Physics & Mathematics (AREA)
- Automation & Control Theory (AREA)
- Databases & Information Systems (AREA)
- Storage Device Security (AREA)
Abstract
The invention discloses a kind of method for strengthening media data control of authority reliability, comprise the following steps:Authorize, user initiates certification request, if certification success, object handles engine return to usertoken values to user;The usertoken values got are passed to control program by user;Control program is to object handles engine requests authorization message;Object handles engine returns to authorization message to control program;Control program sets authorization message into driver;Driver carries out user right judgement according to authorization message.This programme is by setting object handles engine and control program to be controlled the data access process of user, to realize to rights management and data access, make service-user and storage user's binding, service-user is consistent with the authority of storage user, and realizes the purpose of enhancing security reliability.
Description
Technical field
The present invention relates to media data processing method, more particularly to a kind of side for strengthening media data control of authority reliability
Method.
Background technology
Existing media data authority control method uses single authority control method from operation layer, and with traditional file
The control of authority method of system sets the access rights of file.Following three deficiencies be present in such authority control method:
1) security reliability is poor:Existing media data authority control method is to metadata and the control of authority dynamics ratio of file
It is weaker, it is many simply to have accomplished the control of authority of material for the media data of radio, TV and film industries, but it is only limitted to file for file
The write-in of aspect, control etc. is read, user can not be directed to safe and reliable control of authority is provided.
2) authority separates:Existing media data authority control method has been carried out point to service-user and the authority of storage user
From can not be managed collectively.
3) volume controlled is not accurate:The Statisti-cal control of real-time and precise is not carried out to the memory space quota of user, causes to use
Family writes file space-consuming excess, and quota is used in mix.
The content of the invention
It is an object of the invention to:For in existing media data authority control method, service-user can only access first number
According to storage user can only access file, and service-user and the authority of storage user are separated from each other, so as to cause to metadata and text
Caused by the control dynamics of part are weak the problem of security reliability difference, it is reliable that the present invention provides a kind of enhancing media data control of authority
The method of property.
The technical solution adopted by the present invention is as follows:
A kind of method for strengthening media data control of authority reliability, comprises the following steps,
(1) authorize:Media business mandate is carried out by object handles engine and process white list is set, obtains and authorizes letter
Breath;
(2) user, authentication authorization and accounting user initiate certification request, if certification success, object handles engine return to user
Usertoken values;
(3) the usertoken values got are passed to control program by user;
(4) control program is to object handles engine requests authorization message;
(5) object handles engine returns to authorization message to control program;
(6) control program sets authorization message into driver;
(7) driver carries out user right judgement according to authorization message, if user right is legal, is performed to storage
Corresponding operation, then performs step (8);Otherwise, refusal operation;
(8) driver is by the feedback of the information of file operation to control program.
Further, driver includes:IRP_CREATE functions are establishment, open file and file, IRP_READ
Function is reads file, and IRP_WRITE functions are written document, and IRP_CLOSE functions are to close file, IRP_SET_
INFORMATION functions are renaming, delete file.
Further, authorization message includes user's white list, managed UNC paths, the operation allowed.
Further, it is the step of media business mandate in step (1):
(111) authority for obtaining file access path is distributed for DB role;
(112) it is Unit folder allocation memory space quota sizes;
(113) it is the authority of Unit folder allocation file operations, including reads file, written document, deletes file;
(114) DB role is distributed for service-user;
(115) storage user is established into corresponding relation with Unit files;
(116) service-user and storage user are bound one by one.
Further, the setting steps of process white list are in step (1):
(121) process white list is set in object handles engine;
(122) process white list information is sent to driver by object handles engine;
(123) process initiates access request;
(124) driver carries out filtering interception according to process white list information, judges the process belonged in white list then
Allow access request, denied access is asked if the process in white list that is not belonging to.
Further, user right judgment step is:
(71) authentication procedure obtains authority corresponding to role by the role of certification user in calculation procedure (2);
(72) role-security of the user obtained in step (1) recorded internal memory by authentication procedure, and access path is returned
Back to user terminal;
(73) access path that user terminal returns according to step (72) is initiated to access the request of material;
(74) authentication procedure judges the legitimacy of user's request by the role-security of record, that is, judges that user's request is
It is no in authorization message, if user request in authorization message, judge that user right is legal, otherwise, user right does not conform to
Method.
In summary, by adopting the above-described technical solution, the beneficial effects of the invention are as follows:
1. security reliability is strong:The security access mechanisms such as flexibly powerful authentication, mandate, white list are mutually tied in this programme
Close, by the way that white list mechanism is combined with licensing scheme, to be authenticated to user, the access of storing process is authorized for user
Authority, so as to strengthen the security reliability of media data.
2. authority is unified:In this programme, it can not unify to avoid operation layer user from being separated with the authority of accumulation layer user
Management, service-user and storage user are bound one by one, realize the unification of DB authorities and storage authority, service-user can be with
By the binding relationship established with storage user, the operation in corresponding authority is realized.
3. capacity is precisely controlled:The operational feedback of user is passed through by control to control program by driver IRP_WRITE
Processing procedure ordered pair user storage space capacity carries out in real time precisely statistics, realizes the volume controlled that application program writes to file.
Brief description of the drawings
Examples of the present invention will be described by way of reference to the accompanying drawings, wherein:
Fig. 1 is the overview flow chart of the present invention;
Fig. 2 is authorization flow figure of the present invention;
Fig. 3 is authorizing procedure figure of the present invention;
Fig. 4 is process white list flow chart of the present invention.
Embodiment
All features disclosed in this specification, or disclosed all methods or during the step of, except mutually exclusive
Feature and/or step beyond, can combine in any way.
The present invention is elaborated with reference to Fig. 1, Fig. 2, Fig. 3, Fig. 4.
In this programme, service-user is referred in the media data of prior art accesses, and accesses the user of metadata;Deposit
Storage user is referred in the media data of prior art accesses, and accesses the user of file.
A kind of method for strengthening media data control of authority reliability, comprises the following steps,
(1) authorize:Media business mandate is carried out by object handles engine and process white list is set, obtains and authorizes letter
Breath;
(2) user initiates certification request, the user authentication authorization and accounting user for initiating certification request, if certification success, at object
Manage engine and return to usertoken values to user;
(3) the usertoken values got are passed to control program by user;Control program is used for the mistake of management and control mandate
Journey, usertoken is transmitted to object handles engine as a pipeline, authorization message is calculated and authorization message is returned to drive
It is dynamic.
(4) control program is to object handles engine requests authorization message;
(5) object handles engine returns to authorization message to control program;
(6) control program sets authorization message into driver;
(7) driver carries out user right judgement according to authorization message, if user right is legal, is performed to storage
Corresponding operation, then performs step (8);Otherwise, refusal operation;
(8) driver is by the feedback of the information of file operation to control program.Wherein IRP_WRITE can be to the storage of user
Spatial content carries out accurate statistics and fed back.
Driver:For IRP_CREATE functions to create, opening file and file, IRP_READ functions are reading file,
IRP_WRITE functions are written document, and IRP_CLOSE functions to close file, attach most importance to life by IRP_SET_INFORMATION functions
Name, delete file.
Further, authorization message includes user's white list, managed UNC paths, the operation allowed and others
Other authorization messages that those skilled in the art are contemplated that.
For media business feature, media materials include the metadata existed in database D B and the text deposited in storage
Part, therefore when authorizing, service-user and storage user have been done and bound one by one, has been awarded in a manner of " role+authority " for user
Give the authority of DB role and stored authority of the user to Unit files, ensure control of authority of the service-user with storing user
Unified, authorization flow figure is as shown in Figure 2.
Further, the step of media business mandate is:
(111) authority for obtaining file access path is distributed for DB role;
(112) it is Unit folder allocation memory space quota sizes;
(113) it is the authority of Unit folder allocation file operations, including reads file, written document, deletes file;
(114) DB role is distributed for service-user;
(115) storage user is established into corresponding relation with Unit files;
(116) service-user and storage user are bound one by one.
The process of the white list of setting in authorization message is:
(121) process white list is set in object handles engine;
(122) process white list information is sent to driver by object handles engine;
(123) process initiates access request;
(124) driver carries out filtering interception according to process white list information, judges the process belonged in white list then
Allow access request, denied access is asked if the process in white list that is not belonging to.
Further, user right judgment step is:
(71) authentication procedure obtains authority corresponding to role by the role of the certification user in calculation procedure (2);Calculate
During certification user right, the character list of user is obtained first, and union is taken to character list, then in conjunction with the visit of role bindings
Authority is asked, obtains the authority that user is possessed.
(72) role-security of the user obtained in step (1) recorded internal memory by authentication procedure, and access path is returned
Back to user terminal;
(73) access path that user terminal returns according to step (72) is initiated to access the request of material;
(74) authentication procedure judges the legitimacy of user's request by the role-security of record, that is, judges that user's request is
It is no in authorization message, if user request in authorization message, judge that user right is legal, otherwise, user right does not conform to
Method.
Claims (6)
- A kind of 1. method for strengthening media data control of authority reliability, it is characterised in that comprise the following steps,(1) authorize:Media business mandate is carried out by object handles engine and process white list is set, obtains authorization message;(2) user, authentication authorization and accounting user initiate certification request, if certification success, object handles engine return to user Usertoken values;(3) the usertoken values got are passed to control program by user;(4) control program is to object handles engine requests authorization message;(5) object handles engine returns to authorization message to control program;(6) control program sets authorization message into driver;(7) driver carries out user right judgement according to authorization message, if user right is legal, is performed to storage corresponding Operation, then perform step (8);Otherwise, refusal operation;(8) driver is by the feedback of the information of file operation to control program.
- A kind of 2. method for strengthening media data control of authority reliability according to claim 1, it is characterised in that driving Program includes:For IRP_CREATE functions to create, opening file and file, IRP_READ functions are to read file, IRP_WRITE Function is written document, and to close file, IRP_SET_INFORMATION functions are renaming, delete text IRP_CLOSE functions Part.
- 3. a kind of method for strengthening media data control of authority reliability according to claim 1, it is characterised in that authorize Information includes user's white list, managed UNC paths, the operation allowed.
- 4. according to a kind of method of any described enhancing media data control of authority reliabilities of claim 1-3, its feature exists It is in the step of, media business mandate:(111) authority for obtaining file access path is distributed for DB role;(112) it is Unit folder allocation memory space quota sizes;(113) it is the authority of Unit folder allocation file operations, including reads file, written document, deletes file;(114) DB role is distributed for service-user;(115) storage user is established into corresponding relation with Unit files;(116) service-user and storage user are bound one by one.
- 5. according to a kind of method of any described enhancing media data control of authority reliabilities of claim 1-3, its feature exists With the setting steps of process white list are in step (1):(121) process white list is set in object handles engine;(122) process white list information is sent to driver by object handles engine;(123) process initiates access request;(124) driver carries out filtering interception according to process white list information, and the process for judging to belong in white list then allows Access request, denied access is asked if the process in white list that is not belonging to.
- A kind of 6. method for strengthening media data control of authority reliability according to claim 4, it is characterised in that user Authority judgment step is:(71) authentication procedure obtains authority corresponding to role by the role of the certification user in calculation procedure (2);(72) role-security of the user obtained in step (1) recorded internal memory by authentication procedure, and access path is returned to User terminal;(73) access path that user terminal returns according to step (72) is initiated to access the request of material;(74) authentication procedure by the role-security of record come judge user ask legitimacy, i.e., judge user ask whether In authorization message, if user's request judges that user right is legal, otherwise, user right is illegal in authorization message.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201710972256.2A CN107657182B (en) | 2017-10-18 | 2017-10-18 | Method for enhancing reliability of media data authority control |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201710972256.2A CN107657182B (en) | 2017-10-18 | 2017-10-18 | Method for enhancing reliability of media data authority control |
Publications (2)
Publication Number | Publication Date |
---|---|
CN107657182A true CN107657182A (en) | 2018-02-02 |
CN107657182B CN107657182B (en) | 2020-12-01 |
Family
ID=61118400
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201710972256.2A Active CN107657182B (en) | 2017-10-18 | 2017-10-18 | Method for enhancing reliability of media data authority control |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN107657182B (en) |
Citations (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101227285A (en) * | 2008-01-29 | 2008-07-23 | 中兴通讯股份有限公司 | System and method for dynamic controlling terminal user authority |
CN102546664A (en) * | 2012-02-27 | 2012-07-04 | 中国科学院计算技术研究所 | User and authority management method and system for distributed file system |
CN103077354A (en) * | 2013-02-19 | 2013-05-01 | 成都索贝数码科技股份有限公司 | Method for controlling Windows file system access permissions |
US20140343989A1 (en) * | 2013-05-16 | 2014-11-20 | Phantom Technologies, Inc. | Implicitly linking access policies using group names |
CN105227315A (en) * | 2015-08-31 | 2016-01-06 | 青岛海尔智能家电科技有限公司 | A kind of Web application authentication method, server and system thereof |
CN106685955A (en) * | 2016-12-28 | 2017-05-17 | 武汉微创光电股份有限公司 | Radius-based video monitoring platform security certification method |
CN107026825A (en) * | 2016-02-02 | 2017-08-08 | 中国移动通信集团陕西有限公司 | A kind of method and system for accessing big data system |
-
2017
- 2017-10-18 CN CN201710972256.2A patent/CN107657182B/en active Active
Patent Citations (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101227285A (en) * | 2008-01-29 | 2008-07-23 | 中兴通讯股份有限公司 | System and method for dynamic controlling terminal user authority |
CN102546664A (en) * | 2012-02-27 | 2012-07-04 | 中国科学院计算技术研究所 | User and authority management method and system for distributed file system |
CN103077354A (en) * | 2013-02-19 | 2013-05-01 | 成都索贝数码科技股份有限公司 | Method for controlling Windows file system access permissions |
US20140343989A1 (en) * | 2013-05-16 | 2014-11-20 | Phantom Technologies, Inc. | Implicitly linking access policies using group names |
CN105227315A (en) * | 2015-08-31 | 2016-01-06 | 青岛海尔智能家电科技有限公司 | A kind of Web application authentication method, server and system thereof |
CN107026825A (en) * | 2016-02-02 | 2017-08-08 | 中国移动通信集团陕西有限公司 | A kind of method and system for accessing big data system |
CN106685955A (en) * | 2016-12-28 | 2017-05-17 | 武汉微创光电股份有限公司 | Radius-based video monitoring platform security certification method |
Also Published As
Publication number | Publication date |
---|---|
CN107657182B (en) | 2020-12-01 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US20220263809A1 (en) | Method and system for digital rights management of documents | |
EP3447667B1 (en) | Cryptographic security for a distributed data storage | |
EP2492839B1 (en) | Method and system for authenticating a user | |
DE602004009354T2 (en) | Registering or sub-registering a digital rights management server in a digital rights management architecture | |
CN109190410A (en) | A kind of log behavior auditing method based on block chain under cloud storage environment | |
EP2332313B1 (en) | Method for storing data, computer program product, id token and computer system | |
CA2623141A1 (en) | Content cryptographic firewall system | |
CN101729550A (en) | Digital content safeguard system based on transparent encryption and decryption method thereof | |
DE60026137T2 (en) | REGISTRATION OF COPY-PROOF MATERIAL IN A DEPOSIT / RESERVE SYSTEM | |
CA2448555A1 (en) | Digital rights management | |
DE102013108020A1 (en) | Authentication scheme for activating a special privilege mode in a secure electronic control unit | |
CN107301544A (en) | A kind of safe Wallet System of block chain | |
CN107968763B (en) | Group file management system and method | |
CN101739361A (en) | Access control method, access control device and terminal device | |
KR20030096248A (en) | Method and apparatus for tracking status of resource in a system for managing use of the resources | |
CN107609408B (en) | Method for controlling file operation behavior based on filter driver | |
CN102724137B (en) | Method and system for safely using credible mobile storage medium in off-line state | |
CN115242383A (en) | Block chain-based data right multiparty sharing management method | |
CN110633172A (en) | USB flash disk and data synchronization method thereof | |
US8296826B1 (en) | Secure transfer of files | |
US8321915B1 (en) | Control of access to mass storage system | |
CN107657182A (en) | A kind of method for strengthening media data control of authority reliability | |
WO2018059964A1 (en) | Method for the secured access of data of a vehicle | |
CN107247907A (en) | A kind of electric automobile interconnects Information Security Defending System | |
CN105205403A (en) | Method and system for managing and controlling file data of local area network based on file filtering |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||
GR01 | Patent grant |