CN110311926A - Application access control method, system and medium - Google Patents
Application access control method, system and medium
- Publication number: CN110311926A (application number CN201910694093.5A)
- Authority: CN (China)
- Prior art keywords: access, request, access request, rule, main body (subject)
- Prior art date
- Legal status: Granted (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
All under H—ELECTRICITY > H04—ELECTRIC COMMUNICATION TECHNIQUE > H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L63/00—Network architectures or network communication protocols for network security:
- H04L63/10—Network architectures or network communication protocols for network security for controlling access to devices or network resources
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic > H04L63/1408—by monitoring network traffic > H04L63/1416—Event detection, e.g. attack signature detection
- H04L63/14 > H04L63/1441—Countermeasures against malicious traffic > H04L63/1458—Denial of Service
- H04L63/14 > H04L63/1441—Countermeasures against malicious traffic > H04L63/1466—Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks
- H04L63/20—Network architectures or network communication protocols for network security for managing network security; network security policies in general
Abstract
The present disclosure provides an application access control method, system and medium. The method includes: intercepting at least one access request directed at an access object; authenticating the access subject of the access request; and, after authentication succeeds, evaluating the access request against access rules. If the evaluation passes, the access request is forwarded to the access object it targets; otherwise the access request is refused or evaluated against the access rules again. Evaluating against access rules means evaluating at least one of the access subject, the access object, the access operation, or the contextual information of the access request. This forms unified application access control across multiple applications and systems and enhances the security of application access.
Description
Technical field
The present disclosure relates to an application access control method, system and medium.
Background technique
With the development and wide adoption of internet technology, networks bring many conveniences to people's lives and are closely bound up with them, so network security receives more and more attention. Many application access control systems have appeared as a result. For example, a discretionary access control system decides a user's access operations according to the user's identity and the permissions granted to that user; a role-based access control system assigns different permissions to role types and decides access operations according to the role's permissions. These application access control systems guarantee the security of the accessed object.
However, application access control systems in the prior art mostly implement access policy control based on static permissions, for example by configuring the access policy inside the application program or website: when a user needs to access the application or website, the application or website itself judges whether the user has access permission and which operations may be performed. No unified application access control across multiple applications and systems is formed, and when attributes of the access subject change it is difficult to perceive the change in time and respond accordingly. The attribute change of the access subject here includes environmental attributes of the subject, such as the time and space in which the subject accesses the object.
Summary of the invention
One aspect of the present disclosure provides an application access control method. The method includes: intercepting an access request directed at an access object; authenticating the access subject of the access request; and, after authentication succeeds, evaluating the access request against access rules. If the evaluation passes, the access request is forwarded to the access object it targets; otherwise the access request is refused or evaluated against the access rules again. Evaluating against access rules includes evaluating at least one of the access subject, the access object, the access operation, or the contextual information of the access request.
Optionally, intercepting the access request directed at an access object includes taking over the access request, where the takeover includes at least one of DNS interception, browser interception, port-based interception, and IP-based interception.
Optionally, authenticating the access subject of the access request includes: performing a legitimacy check on the access request; and, after the access request passes the legitimacy check, authenticating the access subject.
Optionally, evaluating the access request against access rules after authentication succeeds includes: generating a decision request; forwarding the decision request to an access decision agent, so that the access decision agent evaluates it against the access rules; and obtaining the response result of the access decision agent, where the response result is taken as the result of evaluating the access request against the access rules.
Optionally, before generating the decision request, the method further includes: obtaining the access token carried in the access request; and identifying the access token to obtain at least one of the access subject, access object, access operation, or contextual information of the access request.
Optionally, after forwarding the decision request to the access decision agent, the method further includes: when a notification of a change in data transmission security status sent by the access decision agent is received, forcibly revoking the processing of the access request.
Optionally, forwarding the access request to the access object it targets includes forwarding both the access request and the access token to that access object.
Optionally, the method further includes: recording a log of the evaluation of the access request against the access rules; collecting statistics on the access traffic directed at the access object; and sending the log and the traffic statistics.
Another aspect of the present disclosure provides an application access control system, which includes: a request acquisition module for intercepting access requests directed at an access object; an authentication module for authenticating the access subject of the access request; and an access decision module for evaluating the access request against access rules after authentication succeeds, forwarding the access request to the access object it targets if the evaluation passes, and otherwise refusing the access request or evaluating it against the access rules again, where evaluating against access rules includes evaluating at least one of the access subject, access object, access operation, or contextual information of the access request.
Another aspect of the present disclosure provides a computer-readable storage medium on which a computer program is stored; when the program is executed by a processor, it implements the application access control method described above.
Description of the drawings
For a fuller understanding of the present disclosure and its advantages, reference is now made to the following description taken in conjunction with the accompanying drawings, in which:
Fig. 1 schematically illustrates the flow chart of the application access control method provided by an embodiment of the present disclosure;
Fig. 2 schematically illustrates the application scenario diagram of the application access control method provided by an embodiment of the present disclosure;
Fig. 3 schematically illustrates the flow chart of the steps in which, in the application access control method provided by an embodiment of the present disclosure, the access decision agent evaluates an authenticated access subject against the access rules at least once;
Fig. 4 schematically illustrates the block diagram of the application access control system provided by an embodiment of the present disclosure; and
Fig. 5 schematically illustrates the block diagram of the application access control system provided by another embodiment of the present disclosure.
Specific embodiment
Hereinafter, embodiments of the present disclosure will be described with reference to the accompanying drawings. It should be understood, however, that these descriptions are merely exemplary and are not intended to limit the scope of the present disclosure. In the following detailed description, numerous specific details are set forth for ease of explanation, to provide a comprehensive understanding of the embodiments of the present disclosure. It will be evident, however, that one or more embodiments may be practised without these specific details. In addition, descriptions of well-known structures and technologies are omitted from the following description to avoid unnecessarily obscuring the concepts of the present disclosure.
The terms used herein are for the purpose of describing specific embodiments only and are not intended to limit the present disclosure. The terms "include", "comprise" and the like used herein indicate the presence of the stated features, steps, operations and/or components, but do not exclude the presence or addition of one or more other features, steps, operations or components.
Before describing the specific implementation of the embodiments of the present disclosure, the terms involved are explained. The access subject (rendered "access main body" in the machine translation) described below refers to an active entity, including a user, user group, terminal, host or application program. The access object refers to a passive entity whose access is to be controlled; it may be an application program, file, record, byte, field, processor, memory, network node, etc. It should be noted that the relationship between access subject and access object is relative: when one access subject is accessed by another access subject and becomes the access target, the accessed subject becomes an access object. In addition, access rule evaluation refers to judging whether the access subject is allowed to access the access object.
In the prior art, when a user sends an access request through a terminal device to access resources of a back-end server, access control is normally based on static permissions. Access control based on static permissions usually authorizes access according to whether the username or password in the access request is legitimate, and often does not take into account the influence that the contextual information of the access request (that is, the temporal information or spatial environment information related to the access request) has on the security of the back-end server's resources. The temporal information related to the access request may be, for example, the time period in which the access request is generated. The spatial environment information related to the access request may be, for example, the IP address of the terminal device that generates the access request, the hardware or software configuration of the terminal device, the type or version of the client application installed on the terminal device, or information about the network used for data transmission between the terminal device and the back-end server.
Access control based on static permissions cannot effectively identify vulnerability-related information in an access request, which can lead to leakage or loss of back-end server resources. For example, when the security level of the terminal device used by the user is too low, when the network used for data transmission between the terminal device and the back-end server has security vulnerabilities, or when a malicious user performs malicious access through an attack tool on the terminal device that simulates the client application, access control based on static permissions cannot successfully handle such security risks.
The embodiments of the present disclosure propose an application access control method. After authenticating the access subject of an access request, the method can further make an authorization decision on the access request according to the access rules, based on the access operation or the contextual information of the request, thereby improving the protection of the accessed resources.
One embodiment of the present disclosure provides an application access control method; refer to Fig. 1 and Fig. 2. Fig. 2 is the application scenario diagram of an application access control method provided by an embodiment of the present disclosure, in which the application access policy enforcement device 22 corresponds to an example of the device implementing the application access control method of the present disclosure, the access control system 25 corresponds to the access decision agent 25 in the application access control method of the present disclosure, the client application installed on terminal 21 corresponds to the access subject in the method, and the controlled application 23 corresponds to the access object 23 in the method. The method includes steps S101 to S103:
In step S101, the access request issued by access subject 21 to access the access object 23 is obtained. In one embodiment, step S101 may specifically be intercepting the access request directed at access object 23. For example, the application access policy enforcement device 22 may treat access object 23 as a monitored object and, when there is an access request for access object 23, intercept that access request before it reaches access object 23.
In one feasible mode, the process of obtaining the access request includes taking over the access request issued by the access subject, where the takeover includes at least one of DNS interception, browser interception, port-based interception, and IP-based interception. The purpose of the takeover is to divert the access requests of access subjects such as users: all access requests are diverted and aggregated in a unified and mandatory manner, so that access object 23 can be managed uniformly and the subsequent access rule evaluation cannot be bypassed. The takeover and acquisition correspond to the access takeover module in Fig. 2.
After the takeover, there may also be a port-opening process: the port is not open by default and is opened, according to agreed conditions, only to access subjects that have passed authorization and authentication; this process may include port knocking. The port-opening process corresponds to the port hiding module in Fig. 2. That is, the port is not open by default and is dynamically opened only to authorized and authenticated access subjects, reducing the risk brought by malicious port scanning. After the port is opened, step S102 can be entered.
In step S102, the access subject of the access request is authenticated.
A legitimacy check may first be performed on the access request, and authentication is then performed on the access subject of those access requests that have legitimacy. The legitimacy check includes: malicious access detection, access request size detection, and flow control detection based on request rate, number of request connections, and access hours. That is, the legitimacy check is performed on the access request before authentication in order to improve security.
Malicious access detection can use any detection method in the prior art; a request is considered legitimate when it is not detected as malicious access. For access request size detection, a preset value can be set, and the request is considered legitimate when its size is within the preset range. For flow control detection based on request rate, number of request connections and access hours, preset values are set for the traffic by request rate, number of request connections and access hours, and the request is considered legitimate when the access traffic is within the preset range. These kinds of legitimacy checks can be performed individually or simultaneously; the embodiments of the present disclosure do not specifically limit this. The legitimacy check may correspond to the security hardening module in Fig. 2, and the authentication process may correspond to the access authentication module in Fig. 2.
Then, after the access request passes the legitimacy check, the access subject is authenticated. The authentication process can be implemented by any means in the prior art, such as authentication by username and password.
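As an added example (not code from the patent or its applicant), the following Python sketch implements the legitimacy check gate described for step S102: malicious access detection, request size detection, and flow control by request rate, connection count and access hours, with each check rejecting the request and naming the reason. The thresholds, the placeholder signature list, the sliding-window rate counter and the sample requests are all constructed assumptions; the patent does not specify how each check is implemented.

```python
"""Legitimacy check gate for step S102: malicious access detection, request size
detection and flow control by request rate, connection count and access hours.
Added example, not the patent's code; thresholds, the placeholder signature
list and the sample requests are constructed."""
from collections import defaultdict, deque
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Deque, Dict, Tuple

# Constructed placeholders standing in for a real malicious-access detector.
MALICIOUS_PATTERNS = ("../", "<script", "' OR 1=1")


@dataclass
class AccessRequest:
    subject: str        # access subject (user / client application)
    source_ip: str
    obj: str            # access object
    path: str
    size: int           # request size in bytes
    timestamp: datetime


@dataclass
class LegitimacyChecker:
    max_size: int = 8192                      # preset request size limit
    max_rate: int = 5                         # requests per window from one source
    window_seconds: int = 60
    max_connections: int = 3                  # simultaneous connections from one source
    access_hours: Tuple[int, int] = (8, 20)   # permitted hours [start, end)
    _recent: Dict[str, Deque[datetime]] = field(default_factory=lambda: defaultdict(deque))
    _connections: Dict[str, int] = field(default_factory=lambda: defaultdict(int))

    def check(self, req: AccessRequest) -> Tuple[bool, str]:
        """Return (legitimate, reason); every individual check must pass."""
        if any(p in req.path for p in MALICIOUS_PATTERNS):
            return False, "malicious access detected"
        if req.size > self.max_size:
            return False, "request size exceeds preset value"
        start, end = self.access_hours
        if not start <= req.timestamp.hour < end:
            return False, "outside permitted access hours"
        if self._connections[req.source_ip] >= self.max_connections:
            return False, "connection count exceeds preset value"
        recent = self._recent[req.source_ip]
        while recent and (req.timestamp - recent[0]).total_seconds() >= self.window_seconds:
            recent.popleft()                  # slide the rate window forward
        if len(recent) >= self.max_rate:
            return False, "request rate exceeds preset value"
        recent.append(req.timestamp)
        return True, "legitimate"

    def open_connection(self, source_ip: str):
        self._connections[source_ip] += 1

    def close_connection(self, source_ip: str):
        self._connections[source_ip] = max(0, self._connections[source_ip] - 1)


def run_demo():
    """Feed constructed requests through the gate and return the reasons."""
    checker = LegitimacyChecker()
    t0 = datetime(2024, 1, 1, 10, 0, 0)
    reqs = [
        AccessRequest("alice", "10.0.0.1", "app", "/api/items", 300, t0),
        AccessRequest("alice", "10.0.0.1", "app", "/api/../../etc/passwd", 300, t0),
        AccessRequest("alice", "10.0.0.1", "app", "/api/upload", 20000, t0),
        AccessRequest("bob", "10.0.0.2", "app", "/api/items", 300, datetime(2024, 1, 1, 23, 0, 0)),
    ]
    # five more requests within one minute from the same source: the fifth trips the rate limit
    reqs += [AccessRequest("alice", "10.0.0.1", "app", "/api/items", 300, t0 + timedelta(seconds=i))
             for i in range(1, 6)]
    results = [checker.check(r)[1] for r in reqs]
    for _ in range(3):                        # a third source already holds three connections
        checker.open_connection("10.0.0.3")
    results.append(checker.check(AccessRequest("carol", "10.0.0.3", "app", "/api/items", 300, t0))[1])
    return results


if __name__ == "__main__":
    for reason in run_demo():
        print(reason)
```

Requests that fail a check return before being counted in the rate window, so a rejected request cannot itself consume a legitimate subject's quota.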
In step S103, the access decision agent 25 evaluates the access request that has passed authentication against the access rules at least once; if the evaluation passes, the access request is forwarded to the access object 23 corresponding to the request, otherwise the access request is refused or authentication is performed again.
In one embodiment, step S103 may specifically be: after authentication succeeds, evaluating the access request against the access rules; if the evaluation passes, forwarding the access request to the access object 23 it targets, otherwise refusing the access request or evaluating it against the access rules again, where evaluating against the access rules includes evaluating at least one of the access subject, access object 23, access operation, or contextual information of the access request. According to an embodiment of the invention, the contextual information of the access request may include at least one of: information about the terminal 21 that generates the access request (for example, the type of terminal 21, such as a mobile phone, iPad or computer, and/or the hardware configuration information and/or software configuration information of terminal 21, such as its operating system or security level); information about the client application installed on terminal 21 (for example, the type and/or version of the client application); information about the network used for data transmission between terminal 21 and the back-end server that stores access object 23 (for example, the type of network and the security level of the network); the time period in which the access request is generated; and the access volume and/or access frequency of access object 23 in the time period in which the access request is generated.
In one feasible mode, the access decision agent 25 evaluating the authenticated access subject against the access rules at least once includes: generating a decision request for the access subject that has passed authentication, forwarding the decision request to the access decision agent 25, having the access decision agent 25 perform the access rule evaluation at least once, and obtaining the response result of the access decision agent 25, where the response result is taken as the result of evaluating the access request against the access rules. The access decision process in step S103 corresponds to the access control module in Fig. 2.
Specifically, referring to Fig. 3, step S103 can be implemented through the following steps S201 to S203:
In step S201, the access token of the access subject that has passed authentication is obtained, that is, the access token carried in the access request.
As described in step S102, the authentication process can be implemented by any means in the prior art, such as authentication by username and password.
An access token is an object describing the security context of a process or thread; the information contained in the access token is the identity and permission information of the process or thread associated with the user. The access token is obtained by the user from the application access policy enforcement device 22 when logging in through terminal 21, before the access request is issued. Specifically, after the user passes authentication, that is, after the application access policy enforcement device 22 compares the password entered by the user at login with the password stored in the secure database and finds it correct, the application access policy enforcement device 22 generates an access token for the user. Thereafter, every request of that user carries the access token. Therefore the access request carries the access token.
In step S202, the access subject, access object 23, access operation and contextual information of the access request are identified and obtained. According to an embodiment of the invention, step S202 may specifically be identifying the access token to obtain the access operation of the access request or the contextual information of the access request.
The access subject, access object 23, access operation and contextual information of the access request (for example, the source IP of the access, the user-agent of the access, the time of the access, the source page of the access, and the geographical location of the access) are identified and obtained from the access request.
In step S203, a decision request is generated. Then, in step S204, the decision request is forwarded to the access decision agent, so that the access decision agent 25 performs the access rule evaluation at least once. Then, in step S205, the response result of the access decision agent 25 is obtained, where the response result is taken as the result of evaluating the access request against the access rules.
The access rule evaluation in the access decision agent 25 may dynamically adjust the access rules according to the access subject, access object 23 and permission policy, combined with the real-time attributes of the access subject and/or the attributes of access object 23, thereby implementing dynamic access decisions. Dynamic access decision refers to evaluating against the access rules repeatedly. The evaluation against the access rules may include an authorization decision.
It should be noted that the access decision agent 25 performing the access rule evaluation at least once may mean performing an access rule evaluation whenever an attribute of the access subject changes. A change in an attribute of the access subject may be, for example, a change in the environmental information of the access subject such as time, space or network environment, or a change in the conditions of the user's login (for example, it was initially set that resources must be accessed using the local network, and the access subject initially used the local network for resource access, but for some reason the network environment changed from the local network to a WiFi network).
In order to make the data transmission process of the embodiments of the present disclosure safer and more reliable, after forwarding the decision request to the access decision agent 25, the method further includes: when a notification of a change in data transmission security status sent by the access decision agent 25 is received, forcibly cancelling the data transmission between the application access policy enforcement device 22 and the access decision agent 25 (i.e. the access control system 25), that is, interrupting the data transmission. In one embodiment, the application access policy enforcement device 22 may forcibly revoke the processing of the access request, for example by discarding the access request. The notification of a change in data transmission security status sent by the access decision agent 25 means that, when the access decision agent 25 perceives an environment-related change that affects certain sessions, it can issue a notification to force the cancellation of the data transmission between the application access policy enforcement device and the access decision agent 25, guaranteeing security.
In addition, forwarding the access request to the access object 23 it targets, as described in step S103, includes: forwarding the access request and the access token to the access object 23 corresponding to the access request. Forwarding the access request to the corresponding access object 23 can be executed by the access forwarding module in Fig. 2.
The method further includes: recording a log of the evaluation of the access request against the access rules, and collecting statistics on the access traffic directed at access object 23. According to an embodiment of the invention, the processes of recording the decision log and collecting access traffic statistics can be executed by the access log module and the access audit module in Fig. 2, respectively. Further, an interface can be provided in the application access policy enforcement device 22 for sending the log and the traffic statistics. The interface may be, for example, the interface in Fig. 2 that connects to the risk and trust evaluation system 24; the log and traffic statistics can be provided to the risk and trust evaluation system 24 through this interface.
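As an added example (not the patent's own code), the following Python sketch shows what the access log module and access audit module could produce: a record per access rule decision, traffic statistics per access object (total, permitted and denied requests, distinct subjects and source IPs), a tally of denial reasons, and a serialised report for the interface to the risk and trust evaluation system 24. The record fields, the JSON report format and the sample decision records are constructed assumptions; the patent does not define the log schema.

```python
"""Access log module and access audit module: record every access rule
decision, aggregate traffic per access object, and build the report handed
to the risk and trust evaluation system 24. Added example, not the patent's
code; the decision records are constructed."""
from collections import Counter, defaultdict
from dataclasses import dataclass, asdict
import json


@dataclass(frozen=True)
class DecisionRecord:
    time: str
    subject: str
    obj: str
    operation: str
    source_ip: str
    decision: str   # "permit" or "deny"
    reason: str


class AccessLogModule:
    def __init__(self):
        self.records = []

    def record(self, rec: DecisionRecord):
        self.records.append(rec)


class AccessAuditModule:
    """Statistics on the access traffic directed at each access object."""

    def __init__(self, log: AccessLogModule):
        self.log = log

    def traffic(self):
        agg = defaultdict(lambda: {"total": 0, "permit": 0, "deny": 0, "subjects": set(), "source_ips": set()})
        for r in self.log.records:
            s = agg[r.obj]
            s["total"] += 1
            s[r.decision] += 1
            s["subjects"].add(r.subject)
            s["source_ips"].add(r.source_ip)
        return {obj: {"total": s["total"], "permit": s["permit"], "deny": s["deny"],
                      "distinct_subjects": len(s["subjects"]), "distinct_source_ips": len(s["source_ips"])}
                for obj, s in agg.items()}

    def deny_reasons(self):
        return Counter(r.reason for r in self.log.records if r.decision == "deny")


def export_report(log: AccessLogModule, audit: AccessAuditModule) -> str:
    """Serialise log and statistics for the interface to system 24 (JSON is an assumption)."""
    return json.dumps({"log": [asdict(r) for r in log.records], "traffic": audit.traffic(),
                       "deny_reasons": dict(audit.deny_reasons())}, sort_keys=True)


# Constructed decision records, as the access log module would have recorded them.
SAMPLE_RECORDS = [
    DecisionRecord("2024-01-01T10:00:00", "alice", "payroll-app", "read", "10.0.0.5", "permit", "rules satisfied"),
    DecisionRecord("2024-01-01T10:00:05", "mallory", "payroll-app", "read", "10.0.0.9", "deny", "no permission"),
    DecisionRecord("2024-01-01T10:00:07", "mallory", "payroll-app", "read", "10.0.0.9", "deny", "no permission"),
    DecisionRecord("2024-01-01T10:01:00", "alice", "payroll-app", "read", "198.51.100.7", "deny", "network not permitted"),
    DecisionRecord("2024-01-01T10:02:00", "bob", "wiki", "read", "10.0.0.6", "permit", "rules satisfied"),
]


def build_modules():
    log = AccessLogModule()
    for r in SAMPLE_RECORDS:
        log.record(r)
    return log, AccessAuditModule(log)


if __name__ == "__main__":
    log, audit = build_modules()
    print(export_report(log, audit))
```

Denied decisions are logged alongside permitted ones; a per-object deny count or a repeated denial reason from one subject is exactly the kind of signal the risk and trust evaluation system can feed back into the access rules.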
In summary, the present disclosure uniformly obtains all access requests issued by access subjects, manages the access objects uniformly, authenticates the access subject of each access request, and has the access decision agent 25 perform the access rule evaluation at least once; whether the access request is forwarded to the access object is decided based on the evaluation result. In this way, unified application access control across multiple applications and systems is formed, and when the contextual information of the access request (for example, the attributes of the access subject) changes, the request is dynamically evaluated against the access rules, so that authorization decisions can be made dynamically and continuously and a response executed according to the decision result, enhancing the security of application access.
Referring to Fig. 4, Fig. 4 illustrates the block diagram of the application access control system provided by an embodiment of the present disclosure. As shown in Fig. 4, the application access control system includes: a request acquisition module 401 for obtaining the access request issued by the access subject to access the access object 23, for example by intercepting the access request directed at access object 23; an authentication module 402 for authenticating the access subject of the access request; and an access decision module 403 for evaluating the access request against the access rules after authentication succeeds, forwarding the access request to the access object 23 it targets if the evaluation passes, and otherwise refusing the access request or evaluating it against the access rules again, where evaluating against the access rules includes evaluating at least one of the access subject, access object 23, access operation, or contextual information of the access request.
Any number of the modules, sub-modules, units and sub-units according to embodiments of the present disclosure, or at least part of the functions of any of them, may be implemented in one module. Any one or more of the modules, sub-modules, units and sub-units according to embodiments of the present disclosure may be split into multiple modules. Any one or more of the modules, sub-modules, units and sub-units according to embodiments of the present disclosure may be at least partially implemented as hardware circuits, such as a field programmable gate array (FPGA), programmable logic array (PLA), system on chip, system on substrate, system in package, application specific integrated circuit (ASIC), or by hardware or firmware in any other reasonable way of integrating or packaging circuits, or by any one of the three implementations of software, hardware and firmware, or by an appropriate combination of any of them. Alternatively, one or more of the modules, sub-modules, units and sub-units according to embodiments of the present disclosure may be at least partially implemented as computer program modules which, when run, can perform the corresponding functions.
For example, any number of the request module 401, the authentication module 402 and the access decision module 403 may be combined and implemented in a single module, or any one of them may be split into multiple modules. Alternatively, at least part of the functions of one or more of these modules may be combined with at least part of the functions of other modules and implemented in a single module. According to the embodiments of the present disclosure, at least one of the request module 401, the authentication module 402 and the access decision module 403 may be implemented at least partly as a hardware circuit, such as a field programmable gate array (FPGA), a programmable logic array (PLA), a system on chip, a system on a substrate, a system in a package, or an application specific integrated circuit (ASIC), or may be implemented in hardware or firmware by any other reasonable way of integrating or packaging circuits, or by any one of the three implementation forms of software, hardware and firmware, or by any appropriate combination of them. Alternatively, at least one of the request module 401, the authentication module 402 and the access decision module 403 may be implemented at least partly as a computer program module which, when run, performs the corresponding function.
Fig. 5 schematically shows a block diagram of an application access control system provided by another embodiment of the present disclosure.
As shown in Fig. 5, the application access control system 500 includes a processor 510 and a computer-readable storage medium 520. The application access control system 500 can perform the method according to the embodiments of the present disclosure.
Specifically, the processor 510 may include, for example, a general-purpose microprocessor, an instruction set processor and/or a related chipset, and/or a special-purpose microprocessor (for example, an application specific integrated circuit (ASIC)), and so on. The processor 510 may also include on-board memory for caching purposes. The processor 510 may be a single processing unit or multiple processing units for performing the different actions of the method flow according to the embodiments of the present disclosure.
The computer-readable storage medium 520 may be, for example, a non-volatile computer-readable storage medium; specific examples include, but are not limited to, magnetic storage devices such as magnetic tape or hard disk (HDD); optical storage devices such as compact disc (CD-ROM); memory such as random access memory (RAM) or flash memory; and so on.
The computer-readable storage medium 520 may contain a computer program 521, which may include code/computer-executable instructions that, when executed by the processor 510, cause the processor 510 to perform the method according to the embodiments of the present disclosure or any variation thereof.
The computer program 521 may be configured to have computer program code including, for example, computer program modules. For example, in an exemplary embodiment, the code in the computer program 521 may include one or more program modules, for example module 521A, module 521B, .... It should be noted that the division and number of modules are not fixed; those skilled in the art may use suitable program modules or combinations of program modules according to the actual situation, and when these program module combinations are executed by the processor 510, the processor 510 performs the method according to the embodiments of the present disclosure or any variation thereof.
According to an embodiment of the present disclosure, at least one of the request module 401, the authentication module 402 and the access decision module 403 may be implemented as a computer program module as described with reference to Fig. 5, which, when executed by the processor 510, implements the corresponding operations described above.
The present disclosure also provides a computer-readable medium, which may be included in the device/apparatus/system described in the above embodiments, or may exist separately without being assembled into that device/apparatus/system. The computer-readable medium carries one or more programs which, when executed, implement the method according to the embodiments of the present disclosure.
According to the embodiments of the present disclosure, the computer-readable medium may be a computer-readable signal medium or a computer-readable storage medium, or any combination of the two. The computer-readable storage medium may be, for example, but is not limited to, an electrical, magnetic, optical, electromagnetic, infrared or semiconductor system, apparatus or device, or any combination of the above. More specific examples of the computer-readable storage medium may include, but are not limited to: an electrical connection having one or more wires, a portable computer disk, a hard disk, random access memory (RAM), read-only memory (ROM), erasable programmable read-only memory (EPROM or flash memory), an optical fiber, portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any appropriate combination of the above. In the present disclosure, the computer-readable storage medium may be any tangible medium that contains or stores a program which can be used by or in connection with an instruction execution system, apparatus or device. In the present disclosure, the computer-readable signal medium may include a data signal propagated in baseband or as part of a carrier wave, which carries computer-readable program code. Such a propagated data signal may take various forms, including but not limited to an electromagnetic signal, an optical signal, or any appropriate combination of the above. The computer-readable signal medium may also be any computer-readable medium other than a computer-readable storage medium, which can send, propagate or transmit a program for use by or in connection with an instruction execution system, apparatus or device. The program code contained on the computer-readable medium may be transmitted by any suitable medium, including but not limited to wireless, wired, optical cable, radio frequency signals, etc., or any appropriate combination of the above.
Those skilled in the art will understand that the features recorded in the embodiments and/or claims of the present disclosure may be combined in various ways, even if such combinations are not expressly recorded in the present disclosure. In particular, without departing from the spirit or teaching of the present disclosure, the features recorded in the embodiments and/or claims of the present disclosure may be combined in various ways. All such combinations fall within the scope of the present disclosure.
Although the present disclosure has been shown and described with reference to certain exemplary embodiments, those skilled in the art should understand that various changes in form and detail may be made to the present disclosure without departing from the spirit and scope of the present disclosure as defined by the appended claims and their equivalents. Therefore, the scope of the present disclosure should not be limited to the above embodiments, but should be determined not only by the appended claims but also by the equivalents of the appended claims.
Claims (10)
1. An application access control method, characterized in that the method comprises:
intercepting an access request for accessing an access object;
performing identity authentication on the access subject of the access request; and
after the identity authentication passes, evaluating the access request against an access rule, and if the evaluation passes, forwarding the access request to the access object corresponding to the access request, otherwise denying the access request or evaluating the access request against the access rule again, wherein evaluating the access request against the access rule comprises making the decision on the basis of at least one of the access subject of the access request, the access object, the access operation, or the contextual information of the access request.
2. The method according to claim 1, characterized in that intercepting the access request for accessing the access object comprises:
taking over the access request, the taking over including at least one of DNS interception, browser interception, port-based interception, or IP-based interception.
3. The method according to claim 1, characterized in that performing identity authentication on the access subject of the access request comprises:
performing a legitimacy check on the access request; and
after the access request passes the legitimacy check, performing identity authentication on the access subject.
4. The method according to claim 1, characterized in that evaluating the access request against the access rule after the identity authentication passes comprises:
generating a decision request;
forwarding the decision request to an access decision agent, so that the access decision agent evaluates it against the access rule; and
obtaining the response result of the access decision agent, wherein the response result is taken as the result of evaluating the access request against the access rule.
5. The method according to claim 4, characterized in that, before generating the decision request, the method further comprises:
obtaining the access token carried in the access request; and
parsing the access token to obtain at least one of the access subject of the access request, the access object, the access operation, or the contextual information of the access request.
6. The method according to claim 5, characterized in that, after forwarding the decision request to the access decision agent, the method further comprises:
upon receiving a notification sent by the access decision agent that the data transmission security status has changed, forcibly revoking the processing of the access request.
7. The method according to claim 5, characterized in that forwarding the access request to the access object corresponding to the access request comprises:
forwarding the access request together with the access token to the access object corresponding to the access request.
8. The method according to claim 1, characterized in that the method further comprises:
recording a log of the evaluation of the access request against the access rule;
counting the access traffic for accessing the access object; and
sending the log and the traffic.
9. An application access control system, characterized in that the system comprises:
a request module for intercepting an access request for accessing an access object;
an authentication module for performing identity authentication on the access subject of the access request; and
an access decision module for, after the identity authentication passes, evaluating the access request against an access rule, and if the evaluation passes, forwarding the access request to the access object corresponding to the access request, otherwise denying the access request or evaluating the access request against the access rule again, wherein evaluating the access request against the access rule comprises making the decision on the basis of at least one of the access subject of the access request, the access object, the access operation, or the contextual information of the access request.
10. A computer-readable storage medium on which a computer program is stored, characterized in that, when the program is executed by a processor, the application access control method according to any one of claims 1 to 8 is implemented.
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201910108557X | 2019-02-02 | ||
CN201910108557.XA CN109660563A (en) | 2019-02-02 | 2019-02-02 | A kind of application access control method, system and medium |
Publications (2)
Publication Number | Publication Date |
---|---|
CN110311926A true CN110311926A (en) | 2019-10-08 |
CN110311926B CN110311926B (en) | 2023-02-21 |
Family
ID=66122220
Family Applications (2)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201910108557.XA Pending CN109660563A (en) | 2019-02-02 | 2019-02-02 | A kind of application access control method, system and medium |
CN201910694093.5A Active CN110311926B (en) | 2019-02-02 | 2019-07-29 | Application access control method, system and medium |
Family Applications Before (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201910108557.XA Pending CN109660563A (en) | 2019-02-02 | 2019-02-02 | A kind of application access control method, system and medium |
Country Status (1)
Country | Link |
---|---|
CN (2) | CN109660563A (en) |
Cited By (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN111756644A (en) * | 2020-06-30 | 2020-10-09 | 深圳壹账通智能科技有限公司 | Hot spot current limiting method, system, equipment and storage medium |
CN112311788A (en) * | 2020-10-28 | 2021-02-02 | 北京锐安科技有限公司 | Access control method, device, server and medium |
CN114448721A (en) * | 2022-03-11 | 2022-05-06 | 全球能源互联网研究院有限公司南京分公司 | Vulnerability noninductive relieving device and method |
CN114448721B (en) * | 2022-03-11 | 2023-06-13 | 全球能源互联网研究院有限公司南京分公司 | Loophole noninductive relieving device and method |
CN116361760A (en) * | 2023-06-01 | 2023-06-30 | 湖南三湘银行股份有限公司 | Identity authentication device based on biological probe technology |
CN116361760B (en) * | 2023-06-01 | 2023-08-15 | 湖南三湘银行股份有限公司 | Identity authentication device based on biological probe technology |
Families Citing this family (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN110113351B (en) * | 2019-05-14 | 2022-08-16 | 辽宁途隆科技有限公司 | CC attack protection method and device, storage medium and computer equipment |
CN110830459A (en) * | 2019-10-25 | 2020-02-21 | 云深互联(北京)科技有限公司 | Stealth security agent access method, gateway terminal, client and equipment |
CN115412270A (en) * | 2021-05-27 | 2022-11-29 | 华为技术有限公司 | Access control method based on application identity, related device and system |
Citations (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101465856A (en) * | 2008-12-31 | 2009-06-24 | 杭州华三通信技术有限公司 | Method and system for controlling user access |
CN104639650A (en) * | 2015-02-27 | 2015-05-20 | 杭州华三通信技术有限公司 | Fine granularity distributive interface access control method and device |
CN104866772A (en) * | 2015-05-07 | 2015-08-26 | 中国科学院信息工程研究所 | Computer access control method and system based on physical environment perception |
CN105991614A (en) * | 2015-03-03 | 2016-10-05 | 阿里巴巴集团控股有限公司 | Open authorization, resource access method and device, and a server |
CN106302606A (en) * | 2015-06-08 | 2017-01-04 | 中国移动通信集团湖南有限公司 | A kind of across application access method and device |
US20180159861A1 (en) * | 2016-02-25 | 2018-06-07 | Red Hat, Inc. | Access guards for multi-tenant logging |
Also Published As
Publication number | Publication date |
---|---|
CN110311926B (en) | 2023-02-21 |
CN109660563A (en) | 2019-04-19 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN110311926A (en) | A kind of application access control method, system and medium | |
US11507680B2 (en) | System and method for access control using network verification | |
US10650156B2 (en) | Environmental security controls to prevent unauthorized access to files, programs, and objects | |
CN112597472B (en) | Single sign-on method, device and storage medium | |
CN110414268B (en) | Access control method, device, equipment and storage medium | |
US8997187B2 (en) | Delegating authorization to applications on a client device in a networked environment | |
US9769266B2 (en) | Controlling access to resources on a network | |
CN111416822B (en) | Method for access control, electronic device and storage medium | |
CA2797378C (en) | Validating updates to domain name system records | |
US20120303827A1 (en) | Location Based Access Control | |
CN110300125A (en) | API Access control method and API Access agent apparatus | |
US20140109194A1 (en) | Authentication Delegation | |
CN116319024A (en) | Access control method and device of zero trust system and zero trust system | |
CN107396362B (en) | Method and equipment for carrying out wireless connection pre-authorization on user equipment | |
CN101702724A (en) | Safe control method and device of network access | |
US10924481B2 (en) | Processing system for providing console access to a cyber range virtual environment | |
US10505918B2 (en) | Cloud application fingerprint | |
CN113569179A (en) | Subsystem access method and device based on unified website | |
CN117081800A (en) | Proxy method and system for accessing B/S application by zero trust hierarchy | |
CN116155565B (en) | Data access control method and device | |
CN112511565B (en) | Request response method and device, computer readable storage medium and electronic equipment | |
AU2014235152B9 (en) | Delegating authorization to applications on a client device in a networked environment | |
CN116318811A (en) | Network request verification authentication method and device based on trusted node | |
CN117729036A (en) | Cloud resource access method, system, equipment and medium | |
CN116956262A (en) | Unified authentication and authorization method, device and medium |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| GR01 | Patent grant | |