CN110311926A - A kind of application access control method, system and medium - Google Patents

A kind of application access control method, system and medium

Info

Publication number: CN110311926A
Authority: CN (China)
Prior art keywords: access, request, access request, rule, main body
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.): Granted
Application number: CN201910694093.5A
Other languages: Chinese (zh)
Other versions: CN110311926B (en)
Inventors: 魏勇, 简明, 张泽洲, 左英男
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.): Qianxin Technology Group Co Ltd
Original Assignee: Qianxin Technology Group Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date

Events: application filed by Qianxin Technology Group Co Ltd; publication of CN110311926A; application granted; publication of CN110311926B; legal status: Active; anticipated expiration

Classifications

All under H04L63/00, Network architectures or network communication protocols for network security (H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION):

    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1458 Denial of Service
    • H04L63/1466 Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general

Abstract

The present disclosure provides an application access control method, system and medium. The method includes: intercepting at least one access request directed at an access object; authenticating the identity of the access subject of the access request; and, after the identity authentication passes, judging the access request according to an access rule: if the judgement passes, the access request is forwarded to the access object corresponding to it, otherwise the access request is refused or is judged again according to the access rule. Judging according to the access rule includes judging on at least one of the access request's access subject, access object, access operation or contextual information. This achieves unified, multi-application, multi-system application access control and enhances the security of application access.

Description

A kind of application access control method, system and medium
Technical field
This disclosure relates to an application access control method, system and medium.
Background technique
With the development and wide adoption of Internet technology, the network has brought many conveniences and become closely bound up with people's daily lives, so the security of network use receives ever more attention. Many application access control systems have appeared as a result. A discretionary access control system, for example, decides which access operations a user may perform according to the user's identity and the access permissions granted; a role-based access control system assigns different permissions to role types and decides the access operations according to the role's permissions. These application access control systems protect the security of the accessed object.
However, most application access control systems in the prior art control the access policy on the basis of static permissions, for example by configuring the access policy inside the application program or website: when a user needs to access that application or website, the application or website itself decides whether the user has access permission and which operations may be carried out. No unified, multi-application, multi-system application access control is formed, and when the attributes of the access subject change, the change is hard to perceive in time and to respond to accordingly. The attributes of the access subject here include the subject's environment attributes, such as the time and place at which the subject accesses the object.
Summary of the invention
One aspect of this disclosure provides an application access control method, the method comprising: intercepting an access request directed at an access object; authenticating the identity of the access subject of the access request; and, after the identity authentication passes, judging the access request according to an access rule: if the judgement passes, forwarding the access request to the access object corresponding to it, otherwise refusing the access request or judging it again according to the access rule, where judging according to the access rule includes judging on at least one of the access subject, access object, access operation or contextual information of the access request.
Optionally, intercepting the access request directed at the access object includes taking over the access request, where the take-over includes at least one of DNS interception, browser interception, port-based interception and IP-based interception.
Optionally, authenticating the identity of the access subject of the access request includes: performing a legitimacy check on the access request; and, after the access request passes the legitimacy check, authenticating the identity of the access subject.
Optionally, judging the access request according to the access rule after the identity authentication passes includes: generating a decision request; forwarding the decision request to an access decision agent so that the access decision agent judges according to the access rule; and obtaining the response result of the access decision agent, which is used as the result of judging the access request according to the access rule.
Optionally, before the decision request is generated, the method further includes: obtaining the access token carried in the access request; and identifying the access token to obtain at least one of the access subject, access object, access operation or contextual information of the access request.
Optionally, after the decision request is forwarded to the access decision agent, the method further includes: when a notice of a data transmission security state change is received from the access decision agent, forcibly revoking the processing of the access request.
Optionally, forwarding the access request to the access object corresponding to it includes forwarding both the access request and the access token to that access object.
Optionally, the method further includes: recording a log of the judgement of the access request according to the access rule; collecting statistics on the access traffic directed at the access object; and sending the log and the traffic statistics.
Another aspect of this disclosure provides an application access control system, characterised in that the system comprises: a request acquisition module for intercepting the access request directed at the access object; an identity authentication module for authenticating the identity of the access subject of the access request; and an access decision module for judging the access request according to the access rule after the identity authentication passes, forwarding the access request to the access object corresponding to it if the judgement passes, and otherwise refusing the access request or judging it again according to the access rule, where judging according to the access rule includes judging on at least one of the access subject, access object, access operation or contextual information of the access request.
A further aspect of this disclosure provides a computer-readable storage medium on which a computer program is stored; when the program is executed by a processor, it implements the application access control method described above.
Brief description of the drawings
For a fuller understanding of this disclosure and its advantages, reference is now made to the following description taken together with the accompanying drawings, in which:
Fig. 1 schematically shows the flow chart of the application access control method provided by an embodiment of the disclosure;
Fig. 2 schematically shows the application scenario diagram of the application access control method provided by an embodiment of the disclosure;
Fig. 3 schematically shows the flow chart of the step in which, in the application access control method provided by an embodiment of the disclosure, an access subject that has passed identity authentication is judged at least once against the access rule by the access decision agent;
Fig. 4 schematically shows the block diagram of the application access control system provided by an embodiment of the disclosure; and
Fig. 5 schematically shows the block diagram of the application access control system provided by another embodiment of the disclosure.
Specific embodiment
Embodiments of the disclosure are described below with reference to the accompanying drawings. It should be understood that these descriptions are exemplary only and are not intended to limit the scope of the disclosure. In the following detailed description, many specific details are set forth for ease of explanation, to provide a comprehensive understanding of the embodiments; it is evident, however, that one or more embodiments can also be carried out without these specific details. Descriptions of well-known structures and techniques are omitted so as not to obscure the concepts of the disclosure unnecessarily.
The terms used herein serve only to describe specific embodiments and are not intended to limit the disclosure. The terms "include", "comprise" and the like used herein indicate the presence of the stated features, steps, operations and/or components, but do not exclude the presence or addition of one or more other features, steps, operations or components.
Before the specific implementation of the embodiments is explained, the terms involved are defined. The access subject referred to below is an active entity, including a user, user group, terminal, host or application program. The access object is a passive entity whose access is to be controlled; it can be an application program, file, record, byte, field, processor, memory, network node and so on. Note that the relationship between access subject and access object is relative: when one access subject is accessed by another access subject and becomes the access target, the accessed access subject becomes an access object. Access rule judgement refers to judging whether the access subject is allowed to access the access object.
In the prior art, when a user sends an access request through a terminal device to access a resource on a back-end server, access control is normally based on static permissions. Access control based on static permissions usually authorizes access on the basis of whether the user name or password in the access request is legitimate, and often disregards the effect that the contextual information of the access request (that is, the time information or the spatial environment information associated with it) has on the security of the back-end server's resources. The time information associated with the access request can be, for example, the time period in which the access request was generated. The spatial environment information associated with the access request can be, for example, the IP address of the terminal device that generated the request, the hardware or software configuration of that terminal device, the type or version of the client application installed on it, or the network environment used for data transmission between the terminal device and the back-end server.
In the prior art, access control based on static permissions cannot effectively identify vulnerability information in an access request, which can lead to leakage or loss of back-end server resources. For example, when the security level of the terminal device the user uses is too low, when the network used for data transmission between the terminal device and the back-end server has security vulnerabilities, or when a malicious user uses an attack tool on the terminal device to simulate a client application and perform malicious access, access control based on static permissions cannot successfully cope with such security risks.
The embodiments of this disclosure propose an application access control method. After the access subject of an access request has been authenticated, the access request can additionally be judged according to an access rule, that is, a further authorization judgement is made on the access request on the basis of its access operation or contextual information, which improves the protection of the accessed resource.
One embodiment of the disclosure provides an application access control method; refer to Fig. 1 and Fig. 2. Fig. 2 is the application scenario diagram of an application access control method provided by an embodiment of the disclosure, in which the application access policy enforcement device 22 corresponds to an example of the device that executes the application access control method of the disclosure, the access control system 25 corresponds to the access decision agent 25 in the method, the client application installed on terminal 21 corresponds to the access subject, and the controlled application 23 corresponds to the access object 23.
The method includes steps S101 to S103:
In step S101, an access request issued by the access subject 21 to access the access object 23 is obtained. In one embodiment, step S101 can specifically be intercepting the access request directed at the access object 23. For example, the application access policy enforcement device 22 can treat the access object 23 as a monitored object and, when an access request to the access object 23 occurs, intercept the access request before it reaches the access object 23.
In one feasible manner, obtaining the access request includes taking over the access request issued by the access subject, where the take-over includes at least one of DNS interception, browser interception, port-based interception and IP-based interception. The purpose of the take-over is to divert the access requests of the access subject (for example a user) so that all access requests are uniformly and mandatorily diverted and aggregated through one point; the access object 23 can then be managed in a unified way, and the subsequent access rule judgement cannot be bypassed. The take-over and acquisition correspond to the access take-over module in Fig. 2.
After the take-over there may also be a port-opening process: the port is not open by default and is opened, on agreed conditions, only to access subjects that have passed authorization and authentication; this process may include port knocking. The port-opening process corresponds to the port hiding module in Fig. 2. That is, the port is closed by default and is opened dynamically only to an access subject that has been authorized and authenticated, which reduces the risk brought by malicious port scanning. After the port is opened, step S102 can be entered.
In step S102, the identity of the access subject of the access request is authenticated.
A legitimacy check can first be performed on the access request, and identity authentication is then performed on the access subject corresponding to an access request that has legitimacy. The legitimacy check includes: malicious access detection, access request size detection, and flow control detection based on request rate, number of request connections and access hours.
In other words, before identity authentication the access request undergoes a legitimacy check in order to improve security. Malicious access detection can use any detection method in the prior art; when no malicious access is detected, the request has legitimacy. For access request size detection, a preset value can be configured; when the size of the access request is within that preset range, the request has legitimacy. For flow control detection based on request rate, number of request connections and access hours, a preset value is likewise set for the request rate, the number of connections, the access hours or the traffic; when the access traffic is within the preset range, the request has legitimacy. These kinds of legitimacy checks can be applied individually or together, and the embodiments place no particular restriction on this. The legitimacy check can correspond to the security hardening module in Fig. 2, and the identity authentication process can correspond to the access authentication module in Fig. 2.
Then, after the access request passes the legitimacy check, the identity of the access subject is authenticated. The identity authentication can be realized by any method in the prior art, for example by user name and password.
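The legitimacy check of step S102, as an added example that is not part of the patent or its assignee's code: it runs the three checks the description names (malicious access detection, request size detection, and flow control based on request rate, connection count and access hours) before any identity authentication, returning a reason for every request so the security hardening module can log it. The thresholds, the malicious-access signature list and the sample requests are all constructed for illustration.

```python
"""Pre-authentication legitimacy checks for an intercepted access request.

Added example, not code from the patent or its assignee. It implements the
legitimacy checks the description names before identity authentication: a
malicious-access check, a request-size check, and flow control keyed on request
rate, concurrent connection count and access hours. Thresholds, the signature
list and the sample requests are constructed; a deployment would take them from
the security hardening module's configuration.
"""
from collections import deque
from dataclasses import dataclass
from time import gmtime


@dataclass
class AccessRequest:
    subject: str      # access subject: user, terminal or client application
    src_ip: str
    path: str
    body_size: int    # bytes
    open_conns: int   # concurrent connections from src_ip, counted by the interceptor (assumed)
    ts: int           # epoch seconds (UTC) at interception


@dataclass
class LegitimacyPolicy:
    max_body_size: int = 1_000_000          # preset value for request size detection
    max_requests_per_window: int = 5        # request speed limit per source
    window_seconds: int = 60
    max_connections: int = 10               # request connection number limit
    access_hours_utc: range = range(8, 18)  # hours of day in which access is permitted
    # constructed malicious-access signatures: path fragments no legitimate client sends
    malicious_fragments: tuple = ("../", "\x00")


class LegitimacyChecker:
    """Runs the checks in order and returns (ok, reason) for each request."""

    def __init__(self, policy):
        self.policy = policy
        self._windows = {}   # src_ip -> sliding window of request timestamps

    def _within_rate(self, src_ip, ts):
        window = self._windows.setdefault(src_ip, deque())
        while window and ts - window[0] >= self.policy.window_seconds:
            window.popleft()
        window.append(ts)
        return len(window) <= self.policy.max_requests_per_window

    def check(self, req):
        p = self.policy
        if any(frag in req.path for frag in p.malicious_fragments):
            return False, "malicious access detected"
        if req.body_size > p.max_body_size:
            return False, "request size exceeds preset value"
        if req.open_conns > p.max_connections:
            return False, "too many connections"
        if gmtime(req.ts).tm_hour not in p.access_hours_utc:
            return False, "outside access hours"
        if not self._within_rate(req.src_ip, req.ts):
            return False, "request rate exceeds preset value"
        return True, "legitimate"


def demo():
    """Feeds constructed requests through the checker; returns the reason strings."""
    checker = LegitimacyChecker(LegitimacyPolicy())
    in_hours = 1_699_956_800    # 2023-11-14 10:13:20 UTC
    at_night = 1_700_000_000    # 2023-11-14 22:13:20 UTC
    requests = [
        AccessRequest("alice", "10.0.0.5", "/app/report", 1_200, 2, in_hours),
        AccessRequest("alice", "10.0.0.5", "/app/upload", 5_000_000, 2, in_hours),
        AccessRequest("bob", "10.0.0.6", "/app/../config", 300, 1, in_hours),
        AccessRequest("carol", "10.0.0.7", "/app/report", 300, 1, at_night),
    ]
    # six requests inside one window from one source: the sixth exceeds the rate limit
    requests += [AccessRequest("dave", "10.0.0.9", "/app/report", 300, 1, in_hours + i)
                 for i in range(6)]
    return [checker.check(r)[1] for r in requests]
```

The checks are ordered so that the cheap, stateless ones (signature, size, connection count, hours) run before the stateful rate window, and a request rejected early is not counted against the source's rate budget; `demo()` returns the ten reason strings in request order.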
In step S103, the access request whose identity authentication has passed is judged at least once against the access rule by the access decision agent 25; if the judgement passes, the access request is forwarded to the access object 23 corresponding to the request, otherwise the access request is refused or identity authentication is performed again.
In one embodiment, step S103 can specifically be: after the identity authentication passes, judging the access request according to the access rule; if the judgement passes, forwarding the access request to the access object 23 corresponding to it, otherwise refusing the access request or judging it again according to the access rule, where judging according to the access rule includes judging on at least one of the access subject, access object 23, access operation or contextual information of the access request. According to an embodiment of the invention, the contextual information of the access request may include at least one of: information about the terminal 21 that generated the access request (for example the type of terminal 21, such as mobile phone, iPad or computer, and/or the hardware configuration and/or software configuration of terminal 21, such as its operating system or security level); information about the client application installed on terminal 21 (for example the type and/or version of the client application); the network used for data transmission between terminal 21 and the back-end server that stores the access object 23 (for example the type of network and the security level of the network); the time period in which the access request was generated; and the access volume or access frequency of the access object 23 in the time period in which the access request was generated.
In one feasible manner, having the access decision agent 25 judge an access subject that has passed identity authentication at least once against the access rule comprises: generating a decision request for the access subject that has passed identity authentication, forwarding the decision request to the access decision agent 25, having the access decision agent 25 perform at least one access rule judgement, and obtaining the response result of the access decision agent 25, which is used as the result of judging the access request according to the access rule. The access judgement process of step S103 corresponds to the access control module in Fig. 2.
Specifically, referring to Fig. 3, step S103 can be realized through steps S201 to S203:
In step S201, the access token of the access subject that has passed identity authentication is obtained, that is, the access token carried in the access request is obtained.
As described for step S102, the identity authentication can be realized by any method in the prior art, for example by user name and password.
An access token is an object describing the security context of a process or thread; the information it contains is the identity and permission information of the process or thread associated with the user. The access token is obtained from the application access policy enforcement device 22 when the user logs in through terminal 21, before the access request is made. Specifically, after the user passes identity authentication, that is, when the application access policy enforcement device 22 compares the password entered by the user at login with the password stored in the security database and the password is correct, the application access policy enforcement device 22 generates an access token for the user. From then on, every request by the user carries the access token, which is therefore carried in the access request.
In step S202, the access subject, access object 23, access operation and contextual information of the access request are identified and obtained. According to an embodiment of the invention, step S202 can specifically be identifying the access token to obtain the access operation of the access request or the contextual information of the access request.
The access subject, access object 23, access operation and contextual information of the access request are identified and obtained from the access request (the contextual information being, for example, the source IP of the access, the user-agent of the access, the time of the access, the source page of the access and the geographical location of the access).
In step S203, a decision request is generated. Then, in step S204, the decision request is forwarded to the access decision agent so that the access decision agent 25 performs at least one access rule judgement. Then, in step S205, the response result of the access decision agent 25 is obtained and used as the result of judging the access request according to the access rule.
The access rule judgement in the access decision agent 25 can take the access subject, the access object 23 and the permission policy, combine them with the real-time attributes of the access subject and/or the attributes of the access object 23, and adjust the access rule dynamically, realizing dynamic access judgement. Dynamic access judgement means judging according to the access rule repeatedly. The judgement according to the access rule may include authorization judgement.
Note that performing at least one access rule judgement by the access decision agent 25 can mean performing an access rule judgement whenever an attribute of the access subject changes. A change of the access subject's attributes can be, for example, a change in the environment information of the access subject, such as time, place or network environment, or a change in the user's login time (for instance, the initial setting requires resource access over the local network, the access subject initially uses the local network for resource access, but for some reason the network environment changes from the local network to a WiFi network).
To make data transmission in the embodiments more secure and reliable, after the decision request is forwarded to the access decision agent 25 the method further includes: when a notice of a data transmission security state change sent by the access decision agent 25 is received, forcibly cancelling the data transmission between the application access policy enforcement device 22 and the access decision agent 25 (that is, the access control system 25), i.e. interrupting the data transmission. In one embodiment, the application access policy enforcement device 22 can forcibly revoke the processing of the access request, for example by discarding the access request. The data transmission security state change notice sent by the access decision agent 25 means that when the access decision agent 25 perceives an environment-related change that affects certain sessions, it can send a notice to force the cancellation of the data transmission between the application access policy enforcement device and the access decision agent 25, thereby guaranteeing security.
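Steps S201 to S205 together with the security-state-change notice, as an added example that is not code from the patent or its assignee: an enforcement point (the counterpart of device 22) identifies the subject behind the access token carried by the request, builds a decision request from subject, object, operation and context, hands it to a decision agent (the counterpart of agent 25), forwards request and token only on an allow, and keeps the judgement log. The agent's rule combines the permission policy with the live context, so the same subject is allowed on the local network and denied after the network changes to WiFi, and a state-change notice from the agent makes the enforcement point drop further processing of that session. The token format, the rule schema and every sample value are constructed assumptions.

```python
"""Policy enforcement point and access decision agent with dynamic re-evaluation.

Added example, not code from the patent or its assignee. It walks through steps
S201 to S205 plus the revocation notice: the enforcement point identifies the
subject behind the access token carried by the request, builds a decision
request from subject, object, operation and context, hands it to the decision
agent and forwards request and token to the access object only on an allow. The
agent combines the permission policy with the live context, so a network change
turns an earlier allow into a deny, and a security-state-change notice from the
agent makes the enforcement point drop that session. Token format, rule schema
and all sample values are constructed assumptions.
"""
from dataclasses import dataclass
import secrets


@dataclass(frozen=True)
class Context:
    """Contextual information of the request, as listed in the description."""
    src_ip: str
    user_agent: str
    hour: int        # hour of day the request was generated
    network: str     # network used between terminal and back-end server
    location: str    # geographical location of the access


@dataclass(frozen=True)
class Rule:
    """Permission policy for one access object and the contexts it tolerates."""
    obj: str
    subjects: frozenset
    operations: frozenset
    networks: frozenset


class DecisionAgent:
    """Access decision agent: evaluates the object's rule against the live context."""
    def __init__(self, rules):
        self.rules = rules
        self.listeners = []   # enforcement points notified on security-state change

    def decide(self, subject, obj, operation, ctx):
        rule = next((r for r in self.rules if r.obj == obj), None)
        if rule is None:
            return False, "no rule for object"
        if subject not in rule.subjects:
            return False, "subject not authorised"
        if operation not in rule.operations:
            return False, "operation not permitted"
        if ctx.network not in rule.networks:
            return False, "network not permitted"
        return True, "allow"

    def notify_state_change(self, session_id, reason):
        """Data transmission security-state-change notice to enforcement points."""
        for listener in self.listeners:
            listener(session_id, reason)


class EnforcementPoint:
    """Application access policy enforcement point (counterpart of device 22)."""
    def __init__(self, agent):
        self.agent = agent
        self.agent.listeners.append(self._on_state_change)
        self.tokens = {}        # access token -> subject, minted at login
        self.revoked = {}       # session id -> reason from the agent's notice
        self.forwarded = []     # (obj, operation, token) delivered to access objects
        self.decision_log = []  # judgement log per access request

    def login(self, subject):
        token = secrets.token_hex(16)   # token the subject carries on every later request
        self.tokens[token] = subject
        return token

    def _on_state_change(self, session_id, reason):
        self.revoked[session_id] = reason   # force revocation of that session's processing

    def handle(self, session_id, token, obj, operation, ctx):
        if session_id in self.revoked:
            return "dropped: " + self.revoked[session_id]
        subject = self.tokens.get(token)                  # steps S201/S202
        if subject is None:
            return "deny: invalid token"
        allowed, why = self.agent.decide(subject, obj, operation, ctx)   # S203 to S205
        self.decision_log.append((subject, obj, operation, why))
        if allowed:
            self.forwarded.append((obj, operation, token))  # request and token forwarded
            return "forward"
        return "deny: " + why


def demo():
    """Constructed walk-through: allow, deny after a network change, drop after a notice."""
    agent = DecisionAgent([Rule("hr-app", frozenset({"alice"}), frozenset({"read"}),
                                frozenset({"local"}))])
    pep = EnforcementPoint(agent)
    token = pep.login("alice")
    local = Context("10.0.0.5", "constructed-client/1.0", 10, "local", "HQ")
    wifi = Context("10.0.0.5", "constructed-client/1.0", 10, "wifi", "HQ")
    results = [
        pep.handle("s1", token, "hr-app", "read", local),
        pep.handle("s1", token, "hr-app", "read", wifi),
        pep.handle("s1", token, "hr-app", "write", local),
        pep.handle("s1", "not-a-minted-token", "hr-app", "read", local),
    ]
    agent.notify_state_change("s1", "environment change affecting session")
    results.append(pep.handle("s1", token, "hr-app", "read", local))
    return results
```

Every request, including a repeat from the same subject, goes back to the agent, which is what makes the second call deny once the network attribute differs; the revocation check sits before token identification so a session the agent has flagged is dropped without further processing, and `decision_log` holds one entry per judged request for the access log module.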
In addition, the access request is forwarded to access object corresponding with the access request described in step S103 23, comprising: the access request and access token are forwarded to access object 23 corresponding with the access request.It will be described Access request is forwarded to access object 23 corresponding with the access request and can be executed by the access forwarding module in Fig. 2.
The method also includes: the log determined according to access rule to the access request, statistics are recorded to institute State the flowing of access that access object 23 accesses.According to an embodiment of the invention, the record determines log and statistics access The process of flow can be respectively by the access log module and access Audit Module execution in Fig. 2.Also, application access strategy is held Luggage, which is set, can be set interface in 22, the interface is for sending the log and flow.The interface can be for example, Fig. 2 In the interface that is attached with risk and trust evaluation system 24.It can be to the risk and trust evaluation system 24 by the interface The log and flow are provided.
In conclusion all access requests that the disclosure is issued by uniformly obtaining access main body, to access object It is managed collectively, and authentication is carried out to the access main body of the access request, determine that agency 25 carries out extremely by access A few access rule determines.Judge whether for access request to be forwarded to access object based on judgement result.By this method, it realizes Formed it is unified towards apply more, the application access control of multisystem, and when the contextual information of access request (for example, Access the attribute of main body) when changing, dynamically determines according to access rule, constantly can dynamically be determined to authorize Decision, and then response can be executed according to the result of decision, enhance the safety of application access.
Referring to fig. 4, Fig. 4 illustrates the block diagram of the application access control system of embodiment of the present disclosure offer.Such as Fig. 4 Shown, which includes: request module 401, is issued for obtaining access main body to access object 23 access requests to access, such as intercept the access request to access to access object 23;Authentication module 402, Authentication is carried out for the access main body to the access request;Determination module 403 is accessed, for leading to when the authentication Later, the access request is determined according to access rule, if it is determined that pass through, by the access request be forwarded to it is described Otherwise the corresponding access object 23 of access request refuses the access request or to the access request again according to the visit Ask that rule is determined, wherein described determine including the access request according to the access request according to access rule Access main body, access object 23, at least one of access operation or the contextual information of the access request sentenced It is fixed.
According to an embodiment of the present disclosure, any number of the modules, submodules, units and subunits, or at least part of the functions of any of them, may be implemented in one module. Any one or more of the modules, submodules, units and subunits according to the embodiment of the present disclosure may be split into multiple modules for implementation. Any one or more of the modules, submodules, units and subunits according to the embodiment of the present disclosure may be implemented at least partly as a hardware circuit, such as a field programmable gate array (FPGA), a programmable logic array (PLA), a system on chip, a system on a substrate, a system in a package, an application-specific integrated circuit (ASIC), or by hardware or firmware in any other reasonable way of integrating or packaging a circuit, or by any one of the three implementations of software, hardware and firmware, or by any appropriate combination of them. Alternatively, one or more of the modules, submodules, units and subunits according to the embodiment of the present disclosure may be implemented at least partly as computer program modules which, when run, perform the corresponding functions.
For example, any number of the request module 401, the authentication module 402 and the access determination module 403 may be combined and implemented in one module, or any one of them may be split into multiple modules. Alternatively, at least part of the functions of one or more of these modules may be combined with at least part of the functions of other modules and implemented in one module. According to an embodiment of the present disclosure, at least one of the request module 401, the authentication module 402 and the access determination module 403 may be implemented at least partly as a hardware circuit, such as a field programmable gate array (FPGA), a programmable logic array (PLA), a system on chip, a system on a substrate, a system in a package, an application-specific integrated circuit (ASIC), or by hardware or firmware in any other reasonable way of integrating or packaging a circuit, or by any one of the three implementations of software, hardware and firmware, or by any appropriate combination of them. Alternatively, at least one of the request module 401, the authentication module 402 and the access determination module 403 may be implemented at least partly as a computer program module which, when run, performs the corresponding function.
Fig. 5 schematically illustrates a block diagram of an application access control system provided by another embodiment of the present disclosure.
As shown in Fig. 5, the application access control system 500 includes a processor 510 and a computer-readable storage medium 520. The application access control system 500 may perform the method according to the embodiment of the present disclosure.
Specifically, the processor 510 may include, for example, a general-purpose microprocessor, an instruction set processor and/or a related chipset and/or a special-purpose microprocessor (for example, an application-specific integrated circuit (ASIC)), and so on. The processor 510 may also include on-board memory for caching purposes. The processor 510 may be a single processing unit or multiple processing units for performing the different actions of the method flow according to the embodiment of the present disclosure.
The computer-readable storage medium 520 may be, for example, a non-volatile computer-readable storage medium; specific examples include but are not limited to: magnetic storage devices such as magnetic tape or hard disk (HDD); optical storage devices such as compact disc (CD-ROM); memory such as random access memory (RAM) or flash memory; and so on.
The computer-readable storage medium 520 may include a computer program 521, which may include code/computer-executable instructions that, when executed by the processor 510, cause the processor 510 to perform the method according to the embodiment of the present disclosure or any variant thereof.
The computer program 521 may be configured to have computer program code including, for example, computer program modules. For example, in an exemplary embodiment, the code in the computer program 521 may include one or more program modules, for example including module 521A, module 521B, .... It should be noted that the division and number of the modules are not fixed; those skilled in the art may use suitable program modules or combinations of program modules according to the actual situation, and when these combinations of program modules are executed by the processor 510, the processor 510 performs the method according to the embodiment of the present disclosure or any variant thereof.
According to an embodiment of the present disclosure, at least one of the request module 401, the authentication module 402 and the access determination module 403 may be implemented as a computer program module described with reference to Fig. 5 which, when executed by the processor 510, may carry out the corresponding operations described above.
The present disclosure also provides a computer-readable medium, which may be included in the device/apparatus/system described in the above embodiments, or may exist alone without being assembled into that device/apparatus/system. The above computer-readable medium carries one or more programs which, when executed, implement the method according to the embodiment of the present disclosure.
According to an embodiment of the present disclosure, the computer-readable medium may be a computer-readable signal medium or a computer-readable storage medium, or any combination of the two. The computer-readable storage medium may be, for example, but is not limited to, an electrical, magnetic, optical, electromagnetic, infrared or semiconductor system, apparatus or device, or any combination of the above. More specific examples of the computer-readable storage medium may include but are not limited to: an electrical connection with one or more wires, a portable computer disk, a hard disk, random access memory (RAM), read-only memory (ROM), erasable programmable read-only memory (EPROM or flash memory), optical fibre, portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the above. In the present disclosure, a computer-readable storage medium may be any tangible medium that contains or stores a program which may be used by or in connection with an instruction execution system, apparatus or device. In the present disclosure, a computer-readable signal medium may include a data signal propagated in baseband or as part of a carrier wave, carrying computer-readable program code. Such a propagated data signal may take various forms, including but not limited to an electromagnetic signal, an optical signal, or any suitable combination of the above. A computer-readable signal medium may also be any computer-readable medium other than a computer-readable storage medium that can send, propagate or transmit a program for use by or in connection with an instruction execution system, apparatus or device. The program code contained on the computer-readable medium may be transmitted by any suitable medium, including but not limited to: wireless, wired, optical cable, radio-frequency signal, etc., or any suitable combination of the above.
Those skilled in the art will understand that the features recorded in the various embodiments and/or claims of the present disclosure may be combined in many ways, even if such combinations are not expressly recited in the present disclosure. In particular, without departing from the spirit or teaching of the present disclosure, the features recorded in the various embodiments and/or claims of the present disclosure may be combined in many ways. All such combinations fall within the scope of the present disclosure.
Although the present disclosure has been shown and described with reference to certain exemplary embodiments thereof, those skilled in the art should understand that various changes in form and detail may be made to the present disclosure without departing from the spirit and scope of the present disclosure as defined by the following claims and their equivalents. Therefore, the scope of the present disclosure should not be limited to the above embodiments, but should be determined not only by the appended claims but also by the equivalents of the appended claims.

Claims (10)

1. An application access control method, characterized in that the method comprises:
intercepting an access request to be made to an access object;
authenticating the identity of the access subject of the access request; and
after the authentication passes, determining the access request according to an access rule; if the determination passes, forwarding the access request to the access object corresponding to the access request; otherwise, refusing the access request or determining the access request again according to the access rule, wherein determining according to an access rule comprises determining on the basis of at least one of the access subject of the access request, the access object, the access operation, or the contextual information of the access request.
2. The method according to claim 1, characterized in that intercepting the access request to be made to the access object comprises:
taking over the access request, wherein the takeover comprises at least one of DNS interception, browser interception, port-based interception, or IP-based interception.
3. The method according to claim 1, characterized in that authenticating the identity of the access subject of the access request comprises:
performing a legitimacy check on the access request; and
after the access request passes the legitimacy check, authenticating the identity of the access subject.
4. The method according to claim 1, characterized in that determining the access request according to an access rule after the authentication passes comprises:
generating a decision request;
forwarding the decision request to an access decision agent, so that the access decision agent makes the determination according to the access rule; and
obtaining the response result of the access decision agent, wherein the response result is used as the result of determining the access request according to the access rule.
5. The method according to claim 4, characterized in that, before generating the decision request, the method further comprises:
obtaining the access token carried in the access request; and
identifying the access token to obtain at least one of the access subject of the access request, the access object, the access operation, or the contextual information of the access request.
6. The method according to claim 5, characterized in that, after forwarding the decision request to the access decision agent, the method further comprises:
upon receiving a notification sent by the access decision agent that the data transmission security status has changed, forcibly revoking the processing of the access request.
7. The method according to claim 5, characterized in that forwarding the access request to the access object corresponding to the access request comprises:
forwarding the access request and the access token to the access object corresponding to the access request.
8. The method according to claim 1, characterized in that the method further comprises:
recording a log of the determination of the access request according to the access rule;
counting the access traffic to be made to the access object; and
sending the log and the traffic.
9. An application access control system, characterized in that the system comprises:
a request module, configured to intercept an access request to be made to an access object;
an authentication module, configured to authenticate the identity of the access subject of the access request; and
an access determination module, configured to determine the access request according to an access rule after the authentication passes; if the determination passes, to forward the access request to the access object corresponding to the access request; otherwise, to refuse the access request or determine the access request again according to the access rule, wherein determining according to an access rule comprises determining on the basis of at least one of the access subject of the access request, the access object, the access operation, or the contextual information of the access request.
10. A computer-readable storage medium on which a computer program is stored, characterized in that, when the program is executed by a processor, the application access control method according to any one of claims 1-8 is implemented.
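The flow claimed above (intercept, legitimacy check, authenticate, decide on subject/object/operation/context, forward or refuse, log and count traffic, revoke on a security-status change), and the module split of Fig. 4 described earlier, as one runnable Python model. This is an added example and is not code from the patent or from Qianxin; the HMAC token format, the `Rule` schema, the `Gateway` class, the source-network context condition and every request and policy value below are constructed assumptions, chosen only to show each decision path in the claims.

```python
import base64
import hashlib
import hmac
import ipaddress
import json
import time
from dataclasses import dataclass, field

# Assumption: a shared secret between the token issuer and the gateway (constructed demo value).
SECRET = b"constructed-demo-key"


def issue_token(subject, roles, ttl=300, now=None):
    """Constructed token format: urlsafe-b64(json) '.' hex(HMAC-SHA256). Not the patent's format."""
    now = time.time() if now is None else now
    body = base64.urlsafe_b64encode(
        json.dumps({"sub": subject, "roles": sorted(roles), "exp": now + ttl}).encode()).decode()
    return body + "." + hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()


def verify_token(token, now=None):
    """Authentication step: constant-time MAC check plus expiry; returns subject attributes or None."""
    try:
        body, mac = token.split(".", 1)
        expected = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(mac, expected):
            return None
        attrs = json.loads(base64.urlsafe_b64decode(body))
    except (AttributeError, ValueError):
        return None
    now = time.time() if now is None else now
    return attrs if attrs.get("exp", 0) >= now else None


@dataclass(frozen=True)
class Rule:
    """Access rule over subject role, access object, operation and request context (source network)."""
    obj: str
    operations: frozenset
    roles: frozenset
    source_net: str = "0.0.0.0/0"

    def permits(self, attrs, request, src_ip):
        return (request["object"] == self.obj
                and request["operation"] in self.operations
                and bool(self.roles & set(attrs.get("roles", [])))
                and src_ip in ipaddress.ip_network(self.source_net))


@dataclass
class Gateway:
    """Intercept -> legitimacy check -> authenticate -> rule decision -> forward or refuse."""
    rules: list
    log: list = field(default_factory=list)       # per-request decision log (claim 8)
    traffic: dict = field(default_factory=dict)   # forwarded requests per access object (claim 8)
    transport_secure: bool = True                 # data-transmission security status (claim 6)

    def notify_security_status(self, secure):
        """Status-change notice from the decision agent: while insecure, processing is revoked."""
        self.transport_secure = secure

    def handle(self, request, now=None):
        """Returns (decision, reason) for one intercepted request."""
        required = ("token", "object", "operation", "context")   # legitimacy check (claim 3)
        if not all(k in request for k in required) or "src_ip" not in request["context"]:
            return self._record(request, "deny", "malformed")
        try:
            src_ip = ipaddress.ip_address(request["context"]["src_ip"])
        except ValueError:
            return self._record(request, "deny", "malformed")
        attrs = verify_token(request["token"], now)              # authentication (claim 1)
        if attrs is None:
            return self._record(request, "deny", "authentication-failed")
        if not self.transport_secure:                            # forced revocation (claim 6)
            return self._record(request, "deny", "revoked-by-status-change")
        if any(r.permits(attrs, request, src_ip) for r in self.rules):   # rule decision (claim 1)
            self.traffic[request["object"]] = self.traffic.get(request["object"], 0) + 1
            return self._record(request, "forward", "rule-matched:" + attrs["sub"])
        return self._record(request, "deny", "no-rule-permits")

    def _record(self, request, decision, reason):
        self.log.append({"object": request.get("object"), "operation": request.get("operation"),
                         "decision": decision, "reason": reason})
        return decision, reason


# Constructed policy: analysts may read reports from the internal network; only admins may delete.
RULES = [Rule("/reports", frozenset({"GET"}), frozenset({"analyst", "admin"}), "10.0.0.0/8"),
         Rule("/reports", frozenset({"GET", "DELETE"}), frozenset({"admin"}), "10.0.0.0/8")]


def demo(t0=1_700_000_000):
    """Constructed requests exercising each decision path; returns (decisions, gateway)."""
    gw = Gateway(RULES)
    tok = issue_token("alice", ["analyst"], now=t0)
    ok = {"token": tok, "object": "/reports", "operation": "GET", "context": {"src_ip": "10.1.2.3"}}
    tampered = tok[:-1] + ("0" if tok[-1] != "0" else "1")          # corrupt one MAC character
    decisions = [gw.handle(ok, t0 + 10)[0],                                             # forward
                 gw.handle({**ok, "operation": "DELETE"}, t0 + 10)[0],                  # deny: role
                 gw.handle({**ok, "context": {"src_ip": "203.0.113.9"}}, t0 + 10)[0],   # deny: context
                 gw.handle({**ok, "token": tampered}, t0 + 10)[0],                      # deny: bad MAC
                 gw.handle(ok, t0 + 400)[0],                                            # deny: expired
                 gw.handle({"object": "/reports"}, t0 + 10)[0]]                         # deny: malformed
    gw.notify_security_status(False)
    decisions.append(gw.handle(ok, t0 + 10)[0])                                         # deny: revoked
    return decisions, gw


if __name__ == "__main__":
    for entry in demo()[1].log:
        print(entry)
```

The order of checks mirrors the claims: the cheap legitimacy check runs before any cryptographic work, authentication precedes policy evaluation so that rules only ever see verified subject attributes, and the revocation flag is consulted at decision time so a status-change notification from the decision agent takes effect for every request still being processed. The claimed "determine again" path is not modelled; a real gateway would re-run the rule evaluation after a policy refresh rather than refuse outright.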

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201910108557.XA CN109660563A (en) 2019-02-02 2019-02-02 A kind of application access control method, system and medium

Publications (2)

Publication Number Publication Date
CN110311926A true CN110311926A (en) 2019-10-08
CN110311926B CN110311926B (en) 2023-02-21

Family

ID=66122220

Family Applications (2)

Application Number Title Priority Date Filing Date
CN201910108557.XA Pending CN109660563A (en) 2019-02-02 2019-02-02 A kind of application access control method, system and medium
CN201910694093.5A Active CN110311926B (en) 2019-02-02 2019-07-29 Application access control method, system and medium


Country Status (1)

Country Link
CN (2) CN109660563A (en)

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111756644A (en) * 2020-06-30 2020-10-09 深圳壹账通智能科技有限公司 Hot spot current limiting method, system, equipment and storage medium
CN112311788A (en) * 2020-10-28 2021-02-02 北京锐安科技有限公司 Access control method, device, server and medium
CN114448721A (en) * 2022-03-11 2022-05-06 全球能源互联网研究院有限公司南京分公司 Vulnerability noninductive relieving device and method
CN114448721B (en) * 2022-03-11 2023-06-13 全球能源互联网研究院有限公司南京分公司 Loophole noninductive relieving device and method
CN116361760A (en) * 2023-06-01 2023-06-30 湖南三湘银行股份有限公司 Identity authentication device based on biological probe technology
CN116361760B (en) * 2023-06-01 2023-08-15 湖南三湘银行股份有限公司 Identity authentication device based on biological probe technology

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110113351B (en) * 2019-05-14 2022-08-16 辽宁途隆科技有限公司 CC attack protection method and device, storage medium and computer equipment
CN110830459A (en) * 2019-10-25 2020-02-21 云深互联(北京)科技有限公司 Stealth security agent access method, gateway terminal, client and equipment
CN115412270A (en) * 2021-05-27 2022-11-29 华为技术有限公司 Access control method based on application identity, related device and system

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101465856A (en) * 2008-12-31 2009-06-24 杭州华三通信技术有限公司 Method and system for controlling user access
CN104639650A (en) * 2015-02-27 2015-05-20 杭州华三通信技术有限公司 Fine granularity distributive interface access control method and device
CN104866772A (en) * 2015-05-07 2015-08-26 中国科学院信息工程研究所 Computer access control method and system based on physical environment perception
CN105991614A (en) * 2015-03-03 2016-10-05 阿里巴巴集团控股有限公司 Open authorization, resource access method and device, and a server
CN106302606A (en) * 2015-06-08 2017-01-04 中国移动通信集团湖南有限公司 A kind of across application access method and device
US20180159861A1 (en) * 2016-02-25 2018-06-07 Red Hat, Inc. Access guards for multi-tenant logging

Also Published As

Publication number Publication date
CN110311926B (en) 2023-02-21
CN109660563A (en) 2019-04-19

Similar Documents

Publication Publication Date Title
CN110311926A (en) A kind of application access control method, system and medium
US11507680B2 (en) System and method for access control using network verification
US10650156B2 (en) Environmental security controls to prevent unauthorized access to files, programs, and objects
CN112597472B (en) Single sign-on method, device and storage medium
CN110414268B (en) Access control method, device, equipment and storage medium
US8997187B2 (en) Delegating authorization to applications on a client device in a networked environment
US9769266B2 (en) Controlling access to resources on a network
CN111416822B (en) Method for access control, electronic device and storage medium
CA2797378C (en) Validating updates to domain name system records
US20120303827A1 (en) Location Based Access Control
CN110300125A (en) API Access control method and API Access agent apparatus
US20140109194A1 (en) Authentication Delegation
CN116319024A (en) Access control method and device of zero trust system and zero trust system
CN107396362B (en) Method and equipment for carrying out wireless connection pre-authorization on user equipment
CN101702724A (en) Safe control method and device of network access
US10924481B2 (en) Processing system for providing console access to a cyber range virtual environment
US10505918B2 (en) Cloud application fingerprint
CN113569179A (en) Subsystem access method and device based on unified website
CN117081800A (en) Proxy method and system for accessing B/S application by zero trust hierarchy
CN116155565B (en) Data access control method and device
CN112511565B (en) Request response method and device, computer readable storage medium and electronic equipment
AU2014235152B9 (en) Delegating authorization to applications on a client device in a networked environment
CN116318811A (en) Network request verification authentication method and device based on trusted node
CN117729036A (en) Cloud resource access method, system, equipment and medium
CN116956262A (en) Unified authentication and authorization method, device and medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant