CN110971572A - Authentication method, server and client - Google Patents
Authentication method, server and client Download PDFInfo
- Publication number
- CN110971572A CN110971572A CN201811149956.2A CN201811149956A CN110971572A CN 110971572 A CN110971572 A CN 110971572A CN 201811149956 A CN201811149956 A CN 201811149956A CN 110971572 A CN110971572 A CN 110971572A
- Authority
- CN
- China
- Prior art keywords
- service request
- access control
- processed
- control rule
- client
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
Images
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/10—Network architectures or network communication protocols for network security for controlling access to devices or network resources
- H04L63/102—Entity profiles
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/0876—Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
Landscapes
- Engineering & Computer Science (AREA)
- Computer Hardware Design (AREA)
- Computer Security & Cryptography (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Power Engineering (AREA)
- Mobile Radio Communication Systems (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
The embodiment of the application provides an authentication method, a server and a client, wherein the method comprises the following steps: the server sends a first indication message to the client; the first indication message comprises an identifier of each user associated with the client and an access control rule associated with each user, and the first indication message is used for indicating the client to authenticate the service request message to be processed through the access control rule; a server receives a service request message to be processed sent by a client and authenticated by an access control rule; the authenticated to-be-processed service request message is a successfully authenticated to-be-processed service request message and/or a to-be-processed service request message of which the authentication result cannot be determined; the server authenticates the authenticated service request message according to the access control rule, so that the load of the server is reduced when the service request message is authenticated, and the processing efficiency of the service request message is improved.
Description
Technical Field
The present application relates to the field of communications technologies, and in particular, to an authentication method, a server, and a client.
Background
In the prior art, when authenticating a service request packet, a server usually completes an authentication process for the service request packet. For example, the client may send a service request packet to the server, so that after receiving the service request packet, the server authenticates the service request packet through the access control rule, and if the access control rule has an authentication rule corresponding to the service request packet and the authentication rule indicates that the service request packet is allowed to be processed, it is determined that the service request packet is successfully authenticated; if the authentication rule indicates that the service request message is rejected to be processed, determining that the service request message fails to be authenticated; on the contrary, if the access control rule does not have the authentication rule corresponding to the service request message, if the authentication result of the service person request message cannot be determined, the service request message needs to be authenticated for the second time through the global control rule.
However, when the user equipment sends more service request messages, and each service request message corresponds to at least one model node, or only one service request message is sent, but the service request message includes more model nodes, if the authentication results of the service request messages or one service request message cannot be determined by the access control rule, the global control rule needs to be traversed for each model node in the content modules to authenticate the service request message, but this may cause a large load on the server, so that the processing efficiency of the service request message is low.
Disclosure of Invention
The application provides an authentication method, a server and a client, which can reduce the load of the server when the service request message is authenticated, thereby improving the processing efficiency of the service request message.
In a first aspect, an embodiment of the present application provides an authentication method, where the authentication method may include:
the server sends a first indication message to the client; the first indication message comprises an identifier of each user associated with the client and an access control rule associated with each user, and the first indication message is used for indicating the client to authenticate the service request message to be processed through the access control rule;
a server receives a service request message to be processed sent by a client and authenticated by an access control rule; the authenticated to-be-processed service request message is a successfully authenticated to-be-processed service request message and/or a to-be-processed service request message of which the authentication result cannot be determined;
and the server authenticates the authenticated service request message according to the access control rule.
Therefore, compared with the prior art, the authentication method provided by the embodiment of the application does not directly authenticate all the service requests to be processed by the server, but by sending the access control rules associated with it to the client, so that the client performs a first authentication according to the received access control rules, and only the successfully authenticated pending service request message and/or the pending service request message for which the authentication result cannot be determined are sent to the server, and no longer sends the pending service request message with failed authentication, so that the server only needs to perform secondary authentication on the pending service request message with successful authentication and/or the pending service request message with uncertain authentication result, and the to-be-processed service request message which fails to be authenticated does not need to be authenticated, so that the load of the server is reduced, and the processing efficiency of the service request message is improved.
In a possible implementation manner, when the authenticated to-be-processed service request packet is a successfully-authenticated to-be-processed service request packet and a to-be-processed service request packet that cannot determine an authentication result, or the authenticated to-be-processed service request packet is a to-be-processed service request packet that cannot determine an authentication result, the server authenticates the authenticated to-be-processed service request packet according to an access control rule, which may include:
and the server authenticates the authenticated service request message according to the access control rule and the global control rule in sequence.
In a possible implementation manner, the authenticating, by the server, the service request packet after the authentication according to the access control rule may include:
the server obtains the identification of the user corresponding to the authenticated service request message to be processed,
the server determines an access control rule associated with the user in the access control rule according to the identification of the user;
and the server authenticates the authenticated service request message to be processed according to the access control rule associated with the user.
In a possible implementation manner, the determining, by the server, the access control rule associated with the user in the access control rule according to the identifier of the user includes:
the server determines a user group to which the user belongs according to the user identification and the corresponding relation between the user identification and the user group;
the server determines an access control rule corresponding to the user group to which the user belongs in the access control rule set according to the user group to which the user belongs and the corresponding relation between the user group and the access control rule;
and the server determines the access control rule associated with the user in the access control rule corresponding to the user group to which the user belongs according to the user identification.
In a possible implementation manner, the authenticating, by the server, the service request packet after the authenticating according to the global control rule includes:
if the global control rule indicates that the to-be-processed service request message of which the authentication result cannot be determined is allowed to be processed, the server determines that the to-be-processed service request message of which the authentication result cannot be determined is successfully authenticated; alternatively, the first and second electrodes may be,
and if the global control rule indicates that the to-be-processed service request message of which the authentication result cannot be determined is not allowed to be processed, the server determines that the to-be-processed service request message of which the authentication result cannot be determined fails to be authenticated.
In one possible implementation, the authentication method may further include:
when the access control rule changes, the server sends a second indication message to the client; the second indication message includes the identifier of each user and the updated access control rule associated with each user, and the second indication message is used for indicating the client to authenticate the service request message to be processed according to the updated access control rule.
In one possible implementation, the sending, by the server, the first indication message to the client may include:
a preset channel is established between the server and the client;
the server sends a first indication message to the client through a preset channel;
wherein, establish between server and the client and predetermine the passageway, include:
the server sends a first hello message to the client; the first hello message comprises a distributed Netconf Access Control Model (NACM) capability set (named distributed-NACM capability set);
the server receives a second hello message sent by the client; the second hello message comprises a distributed Netconf Access Control Model (NACM) capability set (named distributed-NACM capability set);
and the server establishes a preset channel with the client according to the NACM capability set.
In a second aspect, an embodiment of the present application further provides an authentication method, where the authentication method may include:
the method comprises the steps that a client receives a first indication message sent by a server; the first indication message comprises the identification of each user and an access control rule associated with each user;
the client authenticates the service request message to be processed according to the access control rule to obtain the authenticated service request message to be processed, wherein the authenticated service request message to be processed is the successfully authenticated service request message to be processed and/or the service request message to be processed of which the authentication result cannot be determined;
and the client sends the authenticated to-be-processed service request message to the server so that the server authenticates the authenticated to-be-processed service request message according to the access control rule.
In one possible implementation manner, when the authenticated to-be-processed service request packet is a successfully authenticated to-be-processed service request packet and a to-be-processed service request packet that cannot determine an authentication result, or the authenticated to-be-processed service request packet is a to-be-processed service request packet that cannot determine an authentication result, the client sends the authenticated to-be-processed service request packet to the server, so that the server authenticates the authenticated to-be-processed service request packet according to an access control rule, including:
and the client sends the authenticated to-be-processed service request message to the server so that the server authenticates the authenticated to-be-processed service request message sequentially according to the access control rule and the global control rule.
In a possible implementation manner, the authenticating, by the client, the to-be-processed service request packet according to the access control rule includes:
the client determines an access control rule associated with the user in the access control rule according to the user identifier corresponding to the service request message to be processed;
and the client authenticates the service request message to be processed according to the access control rule associated with the user.
In a possible implementation manner, the authenticating, by the client, the to-be-processed service request packet according to the access control rule associated with the user includes:
if the access control rule associated with the user has an authentication rule corresponding to the service request message to be processed, and the authentication rule indicates that the service request message to be processed is allowed to be processed, the client determines that the authentication of the service request message to be processed is successful; alternatively, the first and second electrodes may be,
if the access control rule associated with the user has an authentication rule corresponding to the service request message to be processed, and the authentication rule indicates that the service request message to be processed is not allowed to be processed, the client determines that the authentication of the service request message to be processed fails; alternatively, the first and second electrodes may be,
if the authentication rule corresponding to the service request message to be processed does not exist in the access control rule associated with the user, the client cannot determine the authentication result of the service request message to be processed.
In a possible implementation manner, the receiving, by a client, a first indication message sent by a server includes:
a preset channel is established between the client and the server;
the client receives a first indication message sent by the server through a preset channel;
wherein, establish the default channel between client and the server, include:
a client receives a first hello message sent by a server; the first hello message comprises a distributed Netconf Access Control Model (NACM) capability set (named distributed-NACM capability set);
the client sends a second hello message to the server; the second hello message comprises a distributed Netconf Access Control Model (NACM) capability set (named distributed-NACM capability set);
and the client establishes a preset channel with the server according to the NACM capability set.
In a possible implementation manner, after the client receives the first indication message sent by the server, the method further includes:
the client stores the access control rules associated with each user.
In one possible implementation, the authentication method may further include:
and when the client determines that the preset channel is interrupted, deleting the stored access control rules associated with each user.
In one possible implementation, the authentication method may further include:
when the access control rule associated with each user of the server is changed, the client receives a second indication message sent by the server; the second indication message comprises the identification of each user and the updated access control rule associated with each user;
and the client authenticates the service request message to be processed according to the updated access control rule.
In a third aspect, an embodiment of the present application further provides a server, where the server may include:
the sending unit is used for sending a first indication message to the client; the first indication message comprises an identifier of each user associated with the client and an access control rule associated with each user, and the first indication message is used for indicating the client to authenticate the service request message to be processed through the access control rule;
the receiving unit is used for receiving a service request message to be processed, which is sent by a client and authenticated by an access control rule; the authenticated to-be-processed service request message is a successfully authenticated to-be-processed service request message and/or a to-be-processed service request message of which the authentication result cannot be determined;
and the processing unit is used for authenticating the service request message after authentication according to the access control rule.
In a possible implementation manner, when the authenticated to-be-processed service request message is a successfully-authenticated to-be-processed service request message and a to-be-processed service request message for which an authentication result cannot be determined, or the authenticated to-be-processed service request message is a to-be-processed service request message for which an authentication result cannot be determined, the processing unit is specifically configured to authenticate the authenticated service request message sequentially according to the access control rule and the global control rule.
In a possible implementation manner, the processing unit is specifically configured to obtain an identifier of a user corresponding to the authenticated service request packet to be processed, and determine an access control rule associated with the user according to the identifier of the user in the access control rule; and then, the authenticated service request message to be processed is authenticated according to the access control rule associated with the user.
In a possible implementation manner, the processing unit is specifically configured to determine a user group to which the user belongs according to the user identifier and a corresponding relationship between the user identifier and the user group; determining an access control rule corresponding to the user group to which the user belongs in an access control rule set according to the user group to which the user belongs and the corresponding relation between the user group and the access control rule; and determining the access control rule associated with the user in the access control rule corresponding to the user group to which the user belongs according to the user identification.
In a possible implementation manner, the processing unit is specifically configured to determine that the authentication of the pending service request packet incapable of determining the authentication result is successful if the global control rule indicates that the pending service request packet incapable of determining the authentication result is allowed to be processed; or, if the global control rule indicates that the to-be-processed service request message of which the authentication result cannot be determined is not allowed to be processed, determining that the to-be-processed service request message of which the authentication result cannot be determined fails to be authenticated.
In a possible implementation manner, the sending unit is further configured to send a second indication message to the client when the access control rule changes; the second indication message includes the identifier of each user and the updated access control rule associated with each user, and the second indication message is used for indicating the client to authenticate the service request message to be processed according to the updated access control rule.
In a possible implementation manner, the processing unit is further configured to establish a preset channel with the client;
the sending unit is specifically used for sending a first indication message to the client through a preset channel;
the sending unit is further used for sending the first hello message to the client; the first hello message comprises a distributed Netconf Access Control Model (NACM) capability set (named distributed-NACM capability set);
the receiving unit is also used for receiving a second hello message sent by the client; the second hello message comprises a distributed Netconf Access Control Model (NACM) capability set (named distributed-NACM capability set);
and the processing unit is specifically used for establishing a preset channel with the client according to the NACM capability set.
In a fourth aspect, an embodiment of the present application further provides a client, where the client may include:
the receiving unit is used for receiving a first indication message sent by the server; the first indication message comprises the identification of each user and an access control rule associated with each user;
the processing unit is used for authenticating the service request message to be processed according to the access control rule to obtain the authenticated service request message to be processed, wherein the authenticated service request message to be processed is the service request message to be processed which is successfully authenticated and/or the service request message to be processed which can not determine the authentication result;
and the sending unit is used for sending the authenticated to-be-processed service request message to the server so that the server authenticates the authenticated to-be-processed service request message according to the access control rule.
In a possible implementation manner, when the authenticated to-be-processed service request message is a successfully authenticated to-be-processed service request message and a to-be-processed service request message for which an authentication result cannot be determined, or the authenticated to-be-processed service request message is a to-be-processed service request message for which an authentication result cannot be determined, the sending unit is specifically configured to send the authenticated to-be-processed service request message to the server, so that the server authenticates the authenticated to-be-processed service request message sequentially according to the access control rule and the global control rule.
In a possible implementation manner, the processing unit is provided with an access control rule for determining user association in the access control rule according to a user identifier corresponding to the service request message to be processed; and according to the access control rule associated with the user, authenticating the service request message to be processed.
In a possible implementation manner, the processing unit is specifically configured to determine that the authentication of the to-be-processed service request packet is successful if an authentication rule corresponding to the to-be-processed service request packet exists in the user-associated access control rule and the authentication rule indicates that the to-be-processed service request packet is allowed to be processed; or, if an authentication rule corresponding to the service request message to be processed exists in the access control rule associated with the user and the authentication rule indicates that the service request message to be processed is not allowed to be processed, determining that the authentication of the service request message to be processed fails; or, if the authentication rule corresponding to the service request message to be processed does not exist in the access control rule associated with the user, the authentication result of the service request message to be processed cannot be determined.
In a possible implementation manner, the processing unit is further configured to establish a preset channel with the server;
the sending unit is specifically used for receiving a first indication message sent by the server through a preset channel;
the receiving unit is further configured to receive a first hello message sent by the server; the first hello message comprises a distributed Netconf Access Control Model (NACM) capability set (named distributed-NACM capability set);
the sending unit is further used for sending a second hello message to the server; the second hello message comprises a distributed Netconf Access Control Model (NACM) capability set (named distributed-NACM capability set);
and the processing unit is specifically used for establishing a preset channel with the server according to the NACM capability set.
In a possible implementation manner, the client may further include:
and the storage unit is used for storing the access control rule associated with each user.
In a possible implementation manner, the processing unit is further configured to delete the stored access control rule associated with each user when determining that the preset channel is interrupted.
In a possible implementation manner, the receiving unit is further configured to receive a second indication message sent by the server when an access control rule associated with each user of the server changes; the second indication message comprises the identification of each user and the updated access control rule associated with each user;
and the processing unit is also used for authenticating the service request message to be processed according to the updated access control rule.
In a fifth aspect, an embodiment of the present application further provides a server, where the server may include a processor and a memory;
wherein the memory is used for storing program instructions;
and the processor is used for calling and executing the program instructions stored in the memory to execute the authentication method of any one of the first aspect.
In a sixth aspect, an embodiment of the present application further provides a client, where the client may include a processor and a memory;
wherein the memory is used for storing program instructions;
and the processor is used for calling and executing the program instructions stored in the memory and executing the authentication method shown in any one of the second aspect.
In a seventh aspect, an embodiment of the present invention is a computer-readable storage medium, where a computer program is stored on the computer-readable storage medium, and when the computer program is executed by a processor of a server, the authentication method shown in any one of the above first aspects is executed, or when the computer program is executed by a processor of a client, the authentication method shown in any one of the above second aspects is executed.
In an eighth aspect, an embodiment of the present application further provides an authentication system, where the authentication system may include the server shown in any one of the above third aspects and the client shown in any one of the above fourth aspects; alternatively, the authentication system may comprise the server of any one of the above fifth aspects and the client of any one of the above sixth aspects.
According to the authentication method, the server and the client provided by the embodiment of the application, when the service request message is authenticated, the server can firstly send a first indication message to the client; the first indication message comprises an identifier of each user associated with the client and an access control rule associated with each user, and the first indication message is used for indicating the client to authenticate the service request message to be processed through the access control rule; after authenticating the service request message to be processed according to the access control rule at the client, sending the service request message to be processed authenticated by the client through the access control rule to the server; the authenticated to-be-processed service request message is a successfully authenticated to-be-processed service request message and/or a to-be-processed service request message of which the authentication result cannot be determined, so that the server can authenticate the authenticated service request message according to the access control rule. Compared with the prior art, the server does not directly authenticate all the service requests to be processed, but sends the access control rules associated with the server to the client so that the client performs primary authentication according to the received access control rules, and only sends the service request messages to be processed which are successfully authenticated and/or the service request messages to be processed which can not determine the authentication result to the server, but does not send the service request messages to be processed which are failed in authentication.
Drawings
Fig. 1 is a schematic view of an application scenario provided in an embodiment of the present application;
fig. 2 is a schematic diagram of an authentication method according to an embodiment of the present application;
fig. 3 is a schematic diagram of another authentication method provided in an embodiment of the present application;
fig. 4 is a schematic structural diagram of a server according to an embodiment of the present application;
fig. 5 is a schematic structural diagram of a client according to an embodiment of the present application;
fig. 6 is a schematic structural diagram of another client according to an embodiment of the present application;
fig. 7 is a schematic structural diagram of another server provided in the embodiment of the present application;
fig. 8 is a schematic structural diagram of another client according to an embodiment of the present application.
Detailed Description
The embodiment of the application can be applied to various communication systems, such as: in the following description, some terms in the present application are explained to facilitate understanding by a person skilled in the art, in a Global System for mobile communication (GSM) System, a Code Division Multiple Access (CDMA) System, a Wideband Code Division Multiple Access (WCDMA) System, a General Packet Radio Service (GPRS), a Long Term Evolution (LTE), a 5G communication System, or other systems that may appear in the future. It should be noted that, when the scheme of the embodiment of the present application is applied to a 5G system or other systems that may appear in the future, names of network devices and clients may change, but this does not affect implementation of the scheme of the embodiment of the present application.
Fig. 1 is a schematic view of an application scenario provided by an embodiment of the present application, where the authentication method provided by the present application may be applied to a network architecture of a server and a client, where one server may interact with one or more clients, and one client may correspond to one or more users. When the service request message is authenticated, each client can firstly send the service request message to be processed to the server, and the server can authenticate the service request message according to the access control rule and then authenticate the service request message of which the authentication result cannot be determined according to the global control rule, but the load of the server is larger, so that the processing efficiency of the service request message is lower.
Wherein, 1) the server is mainly used for maintaining the information data of the managed device and responding the request of the client, and reporting the management data to the client sending the request. And the server analyzes the data after receiving the request of the client, processes the request with the help of an internal Netconf framework, and then returns a response to the client.
2) The network management center of the whole network of the client mainly utilizes network management protocols such as NETCONF and the like to carry out system management on the network equipment.
3) "plurality" means two or more, and other terms are analogous. "and/or" describes the association relationship of the associated objects, meaning that there may be three relationships, e.g., a and/or B, which may mean: a exists alone, A and B exist simultaneously, and B exists alone. The character "/" generally indicates that the former and latter associated objects are in an "or" relationship.
In order to solve the problem that the processing efficiency of a service request message is low due to a large load of a server when the service request message is authenticated in the prior art, the embodiment of the application provides an authentication method, wherein in the authentication method, the server can firstly send a first indication message to a client; the first indication message comprises an identifier of each user associated with the client and an access control rule associated with each user, and the first indication message is used for indicating the client to authenticate the service request message to be processed through the access control rule; after authenticating the service request message to be processed according to the access control rule at the client, sending the service request message to be processed authenticated by the client through the access control rule to the server; the authenticated to-be-processed service request message is a successfully authenticated to-be-processed service request message and/or a to-be-processed service request message of which the authentication result cannot be determined, so that after the server receives the authenticated to-be-processed service request message, if the authenticated to-be-processed service request message is the successfully authenticated to-be-processed service request message, the server authenticates the authenticated service request message according to an access control rule; if the authenticated to-be-processed service request message is a successfully authenticated to-be-processed service request message and a to-be-processed service request message of which the authentication result cannot be determined, or if the authenticated to-be-processed service request message is a to-be-processed service request message of which the authentication result cannot be determined, the server authenticates the authenticated service request message sequentially according to the access control rule and the global control rule. Compared with the prior art, the server does not directly authenticate all the service requests to be processed, but sends the access control rules associated with the server to the client so that the client performs primary authentication according to the received access control rules, and only sends the service request messages to be processed which are successfully authenticated and/or the service request messages to be processed which can not determine the authentication result to the server, but does not send the service request messages to be processed which are failed in authentication.
The technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application. For example, please refer to fig. 2, where fig. 2 is a schematic diagram of an authentication method provided in an embodiment of the present application, and the authentication method may include:
s201, a preset channel is established between the server and the client.
For example, in the embodiment of the present application, the preset pass may be a netconf session, that is, the server needs to establish a netconf session with the client first. For example, establishing the channel between the server and the client may include: the server sends a first hello message to the client; the first hello message comprises a newly-added distributed Netconf access control model capability set (named distributed-nacm capability set); receiving a second hello message sent by the client; the second hello message comprises a distributed Netconf Access Control Model (NACM) capability set (named distributed-NACM capability set); after determining that both the first hello message and the second hello message include the distributed NACM capability set, the server may establish a preset channel between the client and the NACM capability set included in the first hello message and the second hello message, and at this time, both the server and the client support distributed-NACM capability sets, so that the server may add an access control rule associated with a user in a first indication message (for example, a notification message) and send the notification message to the client through a Netconf session.
After the server establishes the preset channel with the client, the following S202 may be executed:
s202, the server sends a first indication message to the client through a preset channel.
The first indication message comprises the identification of each user associated with the client and the access control rule associated with each user, and the first indication message is used for indicating the client to authenticate the service request message to be processed through the access control rule.
Wherein, the access control rule is a Non-Global control rule (Non-Global control rules). It should be noted here that, when the server sends the first indication message to the client through the preset channel, the server may send only the identifier of each user associated with the client and the access control rule associated with each user to the client, so that after receiving the first indication message, the client saves the access control rule associated with each user, and executes the following S203:
s203, the client authenticates the service request message to be processed according to the access control rule to obtain the authenticated service request message to be processed.
The authenticated to-be-processed service request message is a successfully authenticated to-be-processed service request message and/or a to-be-processed service request message of which the authentication result cannot be determined.
In the embodiment of the present application, because the problem that the processing efficiency of the service request packet is low due to a large load of the server when the service request packet is authenticated in the prior art is considered, according to the authentication method provided in the embodiment of the present application, when the service request packet is authenticated, the server may first send the access control rule associated with each user to the client through the preset channel, so that the client may first authenticate the service request packet to be processed according to the access control rule when receiving the access control rule, thereby obtaining the service request packet to be processed after the first authentication.
Optionally, when the client authenticates the to-be-processed service request packet according to the access control rule, the client may first determine, according to the identifier of the user corresponding to the to-be-processed service request packet, an access control rule associated with the user in the access control rule; and then, according to the determined user-associated access control rule, authenticating the service request message to be processed. Further, when the service request message to be processed is authenticated according to the determined user-associated access control rule, if the authentication rule corresponding to the service request message to be processed exists in the user-associated access control rule and the authentication rule indicates that the service request message to be processed is allowed to be processed, the client determines that the authentication of the service request message to be processed is successful; or, if the access control rule associated with the user has an authentication rule corresponding to the service request message to be processed, and the authentication rule indicates that the service request message to be processed is not allowed to be processed, the client determines that the authentication of the service request message to be processed fails; or, if the authentication rule corresponding to the service request message to be processed does not exist in the access control rule associated with the user, the client cannot determine the authentication result of the service request message to be processed.
After the client authenticates the service request message to be processed for the first time according to the access control rule, the authentication result corresponding to each service request message to be processed can be obtained. For example, the authentication result may be authentication success, authentication failure, or failure to determine the authentication result. It should be noted that, in the embodiment of the present application, after obtaining the authentication result corresponding to each service request packet to be processed, not all the pending service request messages corresponding to the authentication result are sent to the server for secondary authentication, but only sends the successfully authenticated pending service request message and/or the pending service request message that cannot determine the authentication result to the server for secondary authentication, in other words, the pending service request that fails to be authenticated is not sent to the server again, thus, the server only needs to perform secondary authentication on the successfully authenticated pending service request message and/or the pending service request message for which the authentication result cannot be determined, and the to-be-processed service request message which fails to be authenticated does not need to be authenticated, so that the load of the server is reduced, and the processing efficiency of the service request message is improved.
After authenticating the service request message to be processed according to the access control rule and obtaining the authenticated service request message to be processed, the client may send the authenticated service request message to be processed to the server, so that the server performs secondary authentication on the authenticated service request message to be processed, that is, the following S204 is executed:
and S204, the client sends the service request message to be processed after the client is authenticated by the access control rule to the server.
The authenticated to-be-processed service request message is a successfully authenticated to-be-processed service request message and/or a to-be-processed service request message of which the authentication result cannot be determined.
S205, the server authenticates the authenticated service request message according to the access control rule.
After the server receives the service request message to be processed after the client is authenticated by the access control rule through the above S204, the server can authenticate the authenticated service request message according to the access control rule. It should be noted that, when the server authenticates the authenticated service request packet according to the access control rule, and when the authenticated to-be-processed service request packet is only a successfully authenticated to-be-processed service request packet, the server may authenticate the authenticated to-be-processed service request packet according to the access control rule only, so as to obtain an authentication result of the authenticated to-be-processed service request packet. When the authenticated to-be-processed service request message is a to-be-processed service request message for which the authentication result cannot be determined, the authenticated to-be-processed service request message may be authenticated according to an access control rule, and in general, the authentication result of the to-be-processed service request message according to the access control rule is the same as the authentication result of the to-be-processed service request message according to the access control rule of the client, so that after the server authenticates the authenticated to-be-processed service request message according to the access control rule of the server, the authentication result of the authenticated to-be-processed service request message still cannot be determined, and the authenticated to-be-processed service request message needs to be authenticated again according to the global control rule, thereby obtaining the authentication result of the authenticated to-be-processed service request message. When the authenticated to-be-processed service request message is a successfully authenticated to-be-processed service request message and a to-be-processed service request message for which the authentication result cannot be determined, the successfully authenticated to-be-processed service request message and the to-be-processed service request message for which the authentication result cannot be determined can be authenticated according to the access control rule of the server, under the normal condition, the authentication result of the to-be-processed service request message according to the access control rule of the server is the same as the authentication result of the to-be-processed service request message according to the access control rule of the client, so that after the successfully authenticated to-be-processed service request message and the to-be-processed service request message for which the authentication result cannot be determined are authenticated by the server according to the access control rule of the server, the successfully authenticated to-be-processed service request message can be obtained, and for the authentication result of the to-be-processed, the authenticated service request message to be processed needs to be authenticated again according to the global control rule, so as to obtain the authentication result of the authenticated service request message to be processed.
Optionally, after receiving the service request message to be processed authenticated by the client according to the access control rule, the server may determine, according to the user identifier corresponding to the authenticated service request message to be processed, the user group to which the user belongs according to the user identifier and the corresponding relationship between the user identifier and the user group; after determining the user group to which the user belongs, determining an access control rule corresponding to the user group to which the user belongs in an access control rule set according to the user group to which the user belongs and the corresponding relation between the user group and the access control rule; thus, after the access control rule corresponding to the user group to which the user belongs is determined, the server can determine the access control rule associated with the user in the access control rule corresponding to the user group to which the user belongs according to the identification of the user.
When the server authenticates the authenticated service request message according to the user-associated access control rule, the authentication method is similar to the method for authenticating the service request message to be processed by the client according to the user-associated access control rule, and herein, the embodiment of the present application is not repeated. After authenticating the authenticated service request message according to the access control rule associated with the user, if there is a service request message for which the authentication result cannot be determined, the server may authenticate the authenticated service request message according to the global control rule, specifically: if the global control rule indicates that the to-be-processed service request message of which the authentication result cannot be determined is allowed to be processed, the server determines that the to-be-processed service request message of which the authentication result cannot be determined is successfully authenticated; or, if the global control rule indicates that the to-be-processed service request message of which the authentication result cannot be determined is not allowed to be processed, the server determines that the authentication of the to-be-processed service request message of which the authentication result cannot be determined fails, so that the authentication result of the to-be-processed service request message of which the authentication result cannot be determined is obtained.
Therefore, according to the authentication method provided by the embodiment of the application, when the service request message to be processed is authenticated, the server can firstly send the access control rule associated with each user to the client, so that after the client receives the access control rule associated with each user, the service request message to be processed can be authenticated for the first time according to the access control rule, and the service request message to be processed, which is successfully authenticated and/or cannot determine the authentication result, obtained by the first authentication is sent to the server, so that the server can perform secondary authentication on the service request message after authentication according to the access control rule. Compared with the prior art, the server does not directly authenticate all the service requests to be processed, but sends the access control rules associated with the server to the client so that the client performs primary authentication according to the received access control rules, and only sends the service request messages to be processed which are successfully authenticated and/or the service request messages to be processed which can not determine the authentication result to the server, but does not send the service request messages to be processed which are failed in authentication.
Based on the embodiment shown in fig. 2, it should be further noted that when the client performs authentication according to the access authentication rule sent by the server, and when the access control rule at the server side changes, the server needs to notify the client of the updated access control rule, so as to avoid the client authenticating the service request packet to be processed by using the access control rule before updating, thereby improving the accuracy of the client authenticating the service request packet to be processed. For example, please refer to fig. 3, where fig. 3 is a schematic diagram of another authentication method provided in the embodiment of the present application, and the authentication method may further include:
s301, when the access control rule changes, the server sends a second indication message to the client.
The second indication message includes the identifier of each user and the updated access control rule associated with each user, and the second indication message is used for indicating the client to authenticate the service request message to be processed according to the updated access control rule.
For example, when it is determined that the access control rule changes, the identifier of each user and the updated access control rule associated with each user may also be added to the extended notification message and sent to the client through netconfession, and because the client also supports distributed-nacm capability set, the client may parse the notification message after receiving the notification message and store the updated access control rule associated with the user and included in the notification message, so as to perform authentication according to the updated access control rule, that is, the following S302:
s302, the client authenticates the service request message to be processed according to the updated access control rule.
Optionally, when the client authenticates the to-be-processed service request packet according to the updated access control rule, the client may first determine, according to the identifier of the user corresponding to the to-be-processed service request packet, the user-associated access control rule in the updated access control rule; and then, according to the determined user-associated access control rule, authenticating the service request message to be processed. Further, when the service request message to be processed is authenticated according to the determined updated access control rule associated with the user, if an authentication rule corresponding to the service request message to be processed exists in the updated access control rule associated with the user and the authentication rule indicates that the service request message to be processed is allowed to be processed, the client determines that the authentication of the service request message to be processed is successful; or, if the updated access control rule associated with the user has an authentication rule corresponding to the service request message to be processed, and the authentication rule indicates that the service request message to be processed is not allowed to be processed, the client determines that the authentication of the service request message to be processed fails; or, if the updated access control rule associated with the user does not have the authentication rule corresponding to the service request message to be processed, the client cannot determine the authentication result of the service request message to be processed, so as to obtain the authentication result corresponding to each service request message to be processed, and complete the first authentication of the service request message to be processed.
In addition, it should be noted that in the embodiment shown in fig. 2 or fig. 3, after the preset channel is established, the client may detect the current state of the preset channel in real time, and of course, the client may also detect the current state of the preset channel at intervals of a preset duration, and if the client determines that the preset channel is interrupted, the stored access control rule associated with each user may be deleted, so as to save the memory of the client.
Fig. 4 is a schematic structural diagram of a server 40 according to an embodiment of the present application, and for example, please refer to fig. 4, the server 40 may include:
a sending unit 401, configured to send a first indication message to a client; the first indication message comprises the identification of each user associated with the client and the access control rule associated with each user, and the first indication message is used for indicating the client to authenticate the service request message to be processed through the access control rule.
A receiving unit 402, configured to receive a to-be-processed service request message sent by a client and authenticated by an access control rule; the authenticated to-be-processed service request message is a successfully authenticated to-be-processed service request message and/or a to-be-processed service request message of which the authentication result cannot be determined.
The processing unit 403 is configured to authenticate the authenticated service request packet according to the access control rule.
Optionally, when the authenticated to-be-processed service request packet is a successfully-authenticated to-be-processed service request packet and a to-be-processed service request packet that cannot determine an authentication result, or the authenticated to-be-processed service request packet is a to-be-processed service request packet that cannot determine an authentication result, the processing unit 403 is specifically configured to authenticate the authenticated service request packet according to the access control rule and the global control rule in sequence.
Optionally, the processing unit 403 is specifically configured to obtain an identifier of a user corresponding to the authenticated to-be-processed service request packet, and determine an access control rule associated with the user according to the identifier of the user in the access control rule; and then, the authenticated service request message to be processed is authenticated according to the access control rule associated with the user.
Optionally, the processing unit 403 is specifically configured to determine a user group to which the user belongs according to the user identifier and the corresponding relationship between the user identifier and the user group; determining an access control rule corresponding to the user group to which the user belongs in an access control rule set according to the user group to which the user belongs and the corresponding relation between the user group and the access control rule; and determining the access control rule associated with the user in the access control rule corresponding to the user group to which the user belongs according to the user identification.
Optionally, the processing unit 403 is specifically configured to determine that the authentication of the to-be-processed service request packet that cannot determine the authentication result is successful if the global control rule indicates that the to-be-processed service request packet that cannot determine the authentication result is allowed to be processed; or, if the global control rule indicates that the to-be-processed service request message of which the authentication result cannot be determined is not allowed to be processed, determining that the to-be-processed service request message of which the authentication result cannot be determined fails to be authenticated.
Optionally, the sending unit 401 is further configured to send a second indication message to the client when the access control rule changes; the second indication message includes the identifier of each user and the updated access control rule associated with each user, and the second indication message is used for indicating the client to authenticate the service request message to be processed according to the updated access control rule.
Optionally, the processing unit 403 is further configured to establish a preset channel with the client.
The sending unit 401 is specifically configured to send a first indication message to the client through a preset channel.
The sending unit 401 is further configured to send a first hello packet to the client; the first hello message comprises a newly-added distributed Netconf access control model NACM capability set (named distributed-NACM capability set).
The receiving unit 402 is further configured to receive a second hello packet sent by the client; the second hello message comprises a newly-added distributed Netconf access control model NACM capability set (named distributed-NACM capability set).
The processing unit 403 is specifically configured to establish a preset channel with the client according to the NACM capability set.
The server 40 shown in the embodiment of the present application may execute the technical solution of the authentication method on the server 40 side shown in any one of the above embodiments, and the implementation principle and the beneficial effect of the technical solution are similar to those of the authentication method on the server 40 side, and are not described herein again.
Fig. 5 is a schematic structural diagram of a client 50 according to an embodiment of the present application, for example, please refer to fig. 5, where the client 50 may include:
a receiving unit 501, configured to receive a first indication message sent by a server; the first indication message comprises the identification of each user and the access control rule associated with each user.
The processing unit 502 is configured to authenticate the to-be-processed service request packet according to the access control rule, to obtain an authenticated to-be-processed service request packet, where the authenticated to-be-processed service request packet is a successfully-authenticated to-be-processed service request packet and/or a to-be-processed service request packet for which an authentication result cannot be determined.
A sending unit 503, configured to send the authenticated to-be-processed service request packet to the server, so that the server authenticates the authenticated to-be-processed service request packet according to the access control rule.
Optionally, when the authenticated to-be-processed service request packet is a successfully-authenticated to-be-processed service request packet and a to-be-processed service request packet that cannot determine an authentication result, or the authenticated to-be-processed service request packet is a to-be-processed service request packet that cannot determine an authentication result, the sending unit 503 is specifically configured to send the authenticated to-be-processed service request packet to the server, so that the server authenticates the authenticated to-be-processed service request packet sequentially according to the access control rule and the global control rule.
Optionally, the processing unit 502 is configured to determine, in the access control rule, an access control rule associated with the user according to the identifier of the user corresponding to the service request packet to be processed; and according to the access control rule associated with the user, authenticating the service request message to be processed.
Optionally, the processing unit 502 is specifically configured to determine that the authentication of the to-be-processed service request packet is successful if an authentication rule corresponding to the to-be-processed service request packet exists in the user-associated access control rule, and the authentication rule indicates that the to-be-processed service request packet is allowed to be processed; or, if an authentication rule corresponding to the service request message to be processed exists in the access control rule associated with the user and the authentication rule indicates that the service request message to be processed is not allowed to be processed, determining that the authentication of the service request message to be processed fails; or, if the authentication rule corresponding to the service request message to be processed does not exist in the access control rule associated with the user, the authentication result of the service request message to be processed cannot be determined.
Optionally, the processing unit 502 is further configured to establish a preset channel with the server.
The sending unit 503 is specifically configured to receive the first indication message sent by the server through a preset channel.
The receiving unit 501 is further configured to receive a first hello packet sent by the server; the first hello message comprises a newly-added distributed Netconf access control model NACM capability set (named distributed-NACM capability set).
The sending unit 503 is further configured to send a second hello packet to the server; the second hello message comprises a newly-added distributed Netconf access control model NACM capability set (named distributed-NACM capability set).
The processing unit 502 is specifically configured to establish a preset channel with the server according to the NACM capability set.
Optionally, the client 50 further includes a storage unit 504, for example, please refer to fig. 6, and fig. 6 is a schematic structural diagram of another client 50 according to an embodiment of the present application.
The storage unit 504 is configured to store an access control rule associated with each user.
Optionally, the processing unit 502 is further configured to delete the stored access control rule associated with each user when determining that the preset channel is interrupted.
Optionally, the receiving unit 501 is further configured to receive a second indication message sent by the server when the access control rule associated with each user of the server changes; the second indication message comprises the identification of each user and the updated access control rule associated with each user;
the processing unit 502 is further configured to authenticate the service request packet to be processed according to the updated access control rule.
The client 50 shown in the embodiment of the present application may execute the technical solution of the authentication method on the client 50 side shown in any one of the above embodiments, and the implementation principle and the beneficial effect of the technical solution are similar to those of the authentication method on the client 50 side, and are not described herein again.
Fig. 7 is a schematic structural diagram of another server 70 provided in the embodiment of the present application, for example, please refer to fig. 7, and the server 70 may further include a processor 701 and a memory 702.
A memory 702 for storing program instructions;
the processor 701 is configured to call and execute the program instructions stored in the memory 702 to execute the authentication method on the server 70 side shown in any of the above embodiments.
The server 70 shown in the embodiment of the present application may execute the technical solution of the authentication method on the server 70 side shown in any one of the above embodiments, and the implementation principle and the beneficial effect of the technical solution are similar to those of the authentication method on the server 70 side, and are not described herein again.
Fig. 8 is a schematic structural diagram of another client 80 according to an embodiment of the present application, where the client 80 may include a processor 801 and a memory 802;
wherein, the memory 802 is used for storing program instructions;
the processor 801 is configured to call and execute the program instructions stored in the memory 802 to perform the authentication method on the client 80 side shown in any of the above embodiments.
The client 80 shown in the embodiment of the present application may execute the technical solution of the authentication method on the client 80 side shown in any one of the above embodiments, and the implementation principle and the beneficial effect of the technical solution are similar to those of the authentication method on the client 80 side, and are not described here again.
The embodiment of the present application further provides an authentication system, which may include the server shown in fig. 4 and the client shown in fig. 5; alternatively, the authentication system may include the server shown in fig. 7 and the client shown in fig. 8, and the implementation principle and the beneficial effect of the authentication system are similar to those of the authentication method, and are not described herein again.
An embodiment of the present invention further provides a computer-readable storage medium, where a computer program is stored on the computer-readable storage medium, and when the computer program is executed by a processor of a server, the method for authenticating the server side is executed, or when the computer program is executed by a processor of a client, the method for authenticating the client side is executed.
The processor in each of the above embodiments may be a general purpose processor, a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), an off-the-shelf programmable gate array (FPGA) or other programmable logic device, discrete gate or transistor logic device, or discrete hardware component. The various methods, steps, and logic blocks disclosed in the embodiments of the present application may be implemented or performed. A general purpose processor may be a microprocessor or the processor may be any conventional processor or the like. The steps of the method disclosed in connection with the embodiments of the present application may be directly implemented by a hardware decoding processor, or implemented by a combination of hardware and software modules in the decoding processor. The software modules may be located in a Random Access Memory (RAM), a flash memory, a read-only memory (ROM), a programmable ROM, an electrically erasable programmable memory, a register, or other storage media that are well known in the art. The storage medium is located in the memory 1002, and the processor 1001 reads the instructions in the memory 1002 and performs the steps of the method in combination with the hardware.
In the several embodiments provided in the present application, it should be understood that the disclosed apparatus and method may be implemented in other ways. For example, the above-described apparatus embodiments are merely illustrative, and for example, the division of the units is only one logical division, and other divisions may be realized in practice, for example, a plurality of units or components may be combined or integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection through some interfaces, devices or units, and may be in an electrical, mechanical or other form.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, functional units in the embodiments of the present application may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit. The integrated unit can be realized in a form of hardware, or in a form of hardware plus a software functional unit.
Claims (33)
1. A method of authentication, the method comprising:
the server sends a first indication message to the client; the first indication message comprises an identifier of each user associated with the client and an access control rule associated with each user, and the first indication message is used for indicating the client to authenticate a service request message to be processed through the access control rule;
the server receives a service request message to be processed, which is sent by the client and authenticated by an access control rule; the authenticated to-be-processed service request message is a successfully authenticated to-be-processed service request message and/or a to-be-processed service request message of which the authentication result cannot be determined;
and the server authenticates the authenticated service request message according to the access control rule.
2. The method according to claim 1, wherein when the authenticated pending service request packet is a pending service request packet that is successfully authenticated and a pending service request packet that cannot determine an authentication result, or the authenticated pending service request packet is a pending service request packet that cannot determine an authentication result, the server authenticates the authenticated service request packet according to the access control rule, including:
and the server authenticates the authenticated service request message according to the access control rule and the global control rule in sequence.
3. The method according to claim 1 or 2, wherein the server authenticates the authenticated service request packet according to the access control rule, including:
the server obtains the user identification corresponding to the authenticated service request message to be processed,
the server determines an access control rule associated with the user according to the identification of the user in the access control rule;
and the server authenticates the authenticated service request message to be processed according to the access control rule associated with the user.
4. The method of claim 3, wherein the server determines the access control rule associated with the user from the access control rule identified by the user, comprising:
the server determines a user group to which the user belongs according to the user identification and the corresponding relation between the user identification and the user group;
the server determines the access control rule corresponding to the user group to which the user belongs in an access control rule set according to the user group to which the user belongs and the corresponding relation between the user group and the access control rule;
and the server determines the access control rule associated with the user in the access control rule corresponding to the user group to which the user belongs according to the identification of the user.
5. The method of claim 2, wherein the server authenticates the authenticated service request packet according to a global control rule, comprising:
if the global control rule indicates that the to-be-processed service request message of which the authentication result cannot be determined is allowed to be processed, the server determines that the to-be-processed service request message of which the authentication result cannot be determined is successfully authenticated; alternatively, the first and second electrodes may be,
and if the global control rule indicates that the to-be-processed service request message of which the authentication result cannot be determined is not allowed to be processed, the server determines that the to-be-processed service request message of which the authentication result cannot be determined fails to be authenticated.
6. The method according to any one of claims 1-5, further comprising:
when the access control rule changes, the server sends a second indication message to the client; the second indication message includes the identifier of each user and the updated access control rule associated with each user, and the second indication message is used for indicating the client to authenticate the service request message to be processed according to the updated access control rule.
7. The method according to any of claims 1-6, wherein the server sends a first indication message to the client, comprising:
a preset channel is established between the server and the client;
the server sends the first indication message to the client through the preset channel;
establishing a preset channel between the server and the client, wherein the preset channel comprises the following steps:
the server sends a first hello message to the client; the first hello message comprises a distributed Netconf Access Control Model (NACM) capability set;
the server receives a second hello message sent by the client; the second hello message comprises a distributed Netconf Access Control Model (NACM) capability set;
and the server establishes the preset channel with the client according to the NACM capability set.
8. A method of authentication, the method comprising:
the method comprises the steps that a client receives a first indication message sent by a server; the first indication message comprises the identification of each user and an access control rule associated with each user;
the client authenticates the service request message to be processed according to the access control rule to obtain the authenticated service request message to be processed, wherein the authenticated service request message to be processed is the service request message to be processed which is successfully authenticated and/or the service request message to be processed which can not determine the authentication result;
and the client sends the authenticated to-be-processed service request message to the server so that the server authenticates the authenticated to-be-processed service request message according to the access control rule.
9. The method according to claim 8, wherein when the authenticated pending service request packet is a pending service request packet that is successfully authenticated and a pending service request packet that cannot determine an authentication result, or the authenticated pending service request packet is a pending service request packet that cannot determine an authentication result, the client sends the authenticated pending service request packet to the server, so that the server authenticates the authenticated pending service request packet according to the access control rule, including:
and the client sends the authenticated to-be-processed service request message to the server so that the server authenticates the authenticated to-be-processed service request message sequentially according to the access control rule and the global control rule.
10. The method according to claim 8 or 9, wherein the authenticating, by the client, the service request packet to be processed according to the access control rule comprises:
the client determines an access control rule associated with the user in the access control rule according to the user identifier corresponding to the service request message to be processed;
and the client authenticates the service request message to be processed according to the access control rule associated with the user.
11. The method according to claim 10, wherein the authenticating, by the client, the pending service request packet according to the access control rule associated with the user comprises:
if the access control rule associated with the user has an authentication rule corresponding to the service request message to be processed, and the authentication rule indicates that the service request message to be processed is allowed to be processed, the client determines that the service request message to be processed is successfully authenticated; alternatively, the first and second electrodes may be,
if the access control rule associated with the user has an authentication rule corresponding to the service request message to be processed, and the authentication rule indicates that the service request message to be processed is not allowed to be processed, the client determines that the authentication of the service request message to be processed fails; alternatively, the first and second electrodes may be,
and if the authentication rule corresponding to the service request message to be processed does not exist in the access control rule associated with the user, the client cannot determine the authentication result of the service request message to be processed.
12. The method according to any one of claims 8-11, wherein the client receives a first indication message sent by a server, and comprises:
a preset channel is established between the client and the server;
the client receives the first indication message sent by the receiving server through the preset channel;
the method for establishing the preset channel between the client and the server comprises the following steps:
the client receives a first hello message sent by the server; the first hello message comprises a distributed Netconf Access Control Model (NACM) capability set;
the client sends a second hello message to the server; the second hello message comprises a distributed Netconf Access Control Model (NACM) capability set;
and the client establishes the preset channel with the server according to the NACM capability set.
13. The method of claim 12, wherein after receiving the first indication message sent by the server, the client further comprises:
and the client stores the access control rule associated with each user.
14. The method of claim 13, further comprising:
and when the client determines that the preset channel is interrupted, deleting the stored access control rules associated with the users.
15. The method according to any one of claims 8-14, further comprising:
when the access control rule associated with each user of the server is changed, the client receives a second indication message sent by the server; wherein, the second indication message comprises the identification of each user and the updated access control rule associated with each user;
and the client authenticates the service request message to be processed according to the updated access control rule.
16. A server, characterized in that the server comprises:
the sending unit is used for sending a first indication message to the client; the first indication message comprises an identifier of each user associated with the client and an access control rule associated with each user, and the first indication message is used for indicating the client to authenticate a service request message to be processed through the access control rule;
a receiving unit, configured to receive a to-be-processed service request message sent by the client and authenticated by an access control rule; the authenticated to-be-processed service request message is a successfully authenticated to-be-processed service request message and/or a to-be-processed service request message of which the authentication result cannot be determined;
and the processing unit is used for authenticating the service request message after authentication according to the access control rule.
17. The server according to claim 16, wherein when the authenticated pending service request packet is a pending service request packet that is successfully authenticated and a pending service request packet that cannot determine an authentication result, or the authenticated pending service request packet is a pending service request packet that cannot determine an authentication result, the processing unit is specifically configured to authenticate the authenticated service request packet sequentially according to the access control rule and the global control rule.
18. The server according to claim 16 or 17,
the processing unit is specifically configured to obtain an identifier of a user corresponding to the authenticated to-be-processed service request packet, and determine an access control rule associated with the user according to the identifier of the user in the access control rule; and then, the authenticated service request message to be processed is authenticated according to the access control rule associated with the user.
19. The server according to claim 18,
the processing unit is specifically configured to determine a user group to which the user belongs according to the user identifier and a correspondence between the user identifier and the user group; determining the access control rule corresponding to the user group to which the user belongs in an access control rule set according to the user group to which the user belongs and the corresponding relation between the user group and the access control rule; and determining the access control rule associated with the user in the access control rule corresponding to the user group to which the user belongs according to the user identifier.
20. The server according to claim 17,
the processing unit is specifically configured to determine that the authentication of the to-be-processed service request packet with the authentication result being undetermined is successful if the global control rule indicates that the to-be-processed service request packet with the authentication result being undetermined is allowed to be processed; or, if the global control rule indicates that the pending service request packet of which the authentication result cannot be determined is not allowed to be processed, determining that the pending service request packet of which the authentication result cannot be determined fails to be authenticated.
21. The server according to any one of claims 16-20,
the sending unit is further configured to send a second indication message to the client when the access control rule changes; the second indication message includes the identifier of each user and the updated access control rule associated with each user, and the second indication message is used for indicating the client to authenticate the service request message to be processed according to the updated access control rule.
22. The server according to any one of claims 16-21,
the processing unit is also used for establishing a preset channel with the client;
the sending unit is specifically configured to send the first indication message to the client through the preset channel;
the sending unit is further configured to send a first hello packet to the client; the first hello message comprises a distributed Netconf Access Control Model (NACM) capability set;
the receiving unit is further configured to receive a second hello packet sent by the client; the second hello message comprises a distributed Netconf Access Control Model (NACM) capability set;
the processing unit is specifically configured to establish the preset channel between the NACM capability set and the client.
23. A client, the client comprising:
the receiving unit is used for receiving a first indication message sent by the server; the first indication message comprises the identification of each user and an access control rule associated with each user;
the processing unit is used for authenticating the service request message to be processed according to the access control rule to obtain the authenticated service request message to be processed, wherein the authenticated service request message to be processed is the service request message to be processed which is successfully authenticated and/or the service request message to be processed which can not determine the authentication result;
and the sending unit is used for sending the authenticated to-be-processed service request message to the server so that the server authenticates the authenticated to-be-processed service request message according to the access control rule.
24. The client according to claim 23, wherein when the authenticated pending service request packet is a pending service request packet that is successfully authenticated and a pending service request packet that cannot determine an authentication result, or the authenticated pending service request packet is a pending service request packet that cannot determine an authentication result, the sending unit is specifically configured to send the authenticated pending service request packet to the server, so that the server authenticates the authenticated pending service request packet sequentially according to the access control rule and the global control rule.
25. The client according to claim 23 or 24,
the processing unit is provided with a user identifier corresponding to the service request message to be processed, and the access control rule associated with the user is determined in the access control rule; and authenticating the service request message to be processed according to the access control rule associated with the user.
26. The client of claim 25,
the processing unit is specifically configured to determine that the authentication of the to-be-processed service request packet is successful if an authentication rule corresponding to the to-be-processed service request packet exists in the user-associated access control rule and the authentication rule indicates that the to-be-processed service request packet is allowed to be processed; or, if an authentication rule corresponding to the service request message to be processed exists in the access control rule associated with the user and the authentication rule indicates that the service request message to be processed is not allowed to be processed, determining that the authentication of the service request message to be processed fails; or, if the authentication rule corresponding to the service request message to be processed does not exist in the access control rule associated with the user, the authentication result of the service request message to be processed cannot be determined.
27. The client according to any of the claims 23-26,
the processing unit is also used for establishing a preset channel with the server;
the sending unit is specifically configured to receive the first indication message sent by the receiving server through the preset channel;
the receiving unit is further configured to receive a first hello packet sent by the server; the first hello message comprises a distributed Netconf Access Control Model (NACM) capability set;
the sending unit is further configured to send a second hello packet to the server; the second hello message comprises a distributed Netconf Access Control Model (NACM) capability set;
the processing unit is specifically configured to establish the preset channel with the server according to the NACM capability set.
28. The client of claim 27, further comprising:
and the storage unit is used for storing the access control rule associated with each user.
29. The client of claim 28,
and the processing unit is further configured to delete the stored access control rule associated with each user when the preset channel is determined to be interrupted.
30. The client according to any of the claims 23-29,
the receiving unit is further configured to receive a second indication message sent by the server when an access control rule associated with each user of the server changes; wherein, the second indication message comprises the identification of each user and the updated access control rule associated with each user;
and the processing unit is also used for authenticating the service request message to be processed according to the updated access control rule.
31. A server, comprising a processor and a memory;
wherein the memory is to store program instructions;
the processor, for calling and executing the program instructions stored in the memory, performs the authentication method of any of the above claims 1-7.
32. A client comprising a processor and a memory;
wherein the memory is to store program instructions;
the processor, which is used to call and execute the program instructions stored in the memory, executes the authentication method of any one of the above claims 8-15.
33. A computer-readable storage medium, characterized in that the computer-readable storage medium has stored thereon a computer program which, when being executed by a processor of a server, carries out the authentication method of any one of the preceding claims 1 to 7, or which, when being executed by a processor of a client, carries out the authentication method of any one of the preceding claims 8 to 15.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201811149956.2A CN110971572A (en) | 2018-09-29 | 2018-09-29 | Authentication method, server and client |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201811149956.2A CN110971572A (en) | 2018-09-29 | 2018-09-29 | Authentication method, server and client |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN110971572A true CN110971572A (en) | 2020-04-07 |
Family
ID=70027608
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201811149956.2A Pending CN110971572A (en) | 2018-09-29 | 2018-09-29 | Authentication method, server and client |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN110971572A (en) |
Citations (8)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN1553656A (en) * | 2003-06-06 | 2004-12-08 | 华为技术有限公司 | Method for user cut-in authorization in wireless local net |
| CN105516099A (en) * | 2015-11-30 | 2016-04-20 | 北京奇艺世纪科技有限公司 | Business side access method and device, and business side access rule configuration method and device |
| CN105743643A (en) * | 2016-04-26 | 2016-07-06 | 百度在线网络技术(北京)有限公司 | Communication security detection method and device |
| CN106027644A (en) * | 2016-05-18 | 2016-10-12 | 广州市忆科计算机系统有限公司 | Service checking method and system |
| CN106101090A (en) * | 2016-06-07 | 2016-11-09 | 中国建设银行股份有限公司 | Operational approach and rule engine system for regulation engine |
| US20170111396A1 (en) * | 2014-07-18 | 2017-04-20 | Empow Cyber Security Ltd. | Cyber-security system and methods thereof |
| US20170364576A1 (en) * | 2016-06-15 | 2017-12-21 | Empow Cyber Security Ltd. | Classification of security rules |
| CN107958551A (en) * | 2017-12-29 | 2018-04-24 | 福建省农村信用社联合社 | A kind of full channel remote centralized authoring system of the expansible bank of business |
-
2018
- 2018-09-29 CN CN201811149956.2A patent/CN110971572A/en active Pending
Patent Citations (8)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN1553656A (en) * | 2003-06-06 | 2004-12-08 | 华为技术有限公司 | Method for user cut-in authorization in wireless local net |
| US20170111396A1 (en) * | 2014-07-18 | 2017-04-20 | Empow Cyber Security Ltd. | Cyber-security system and methods thereof |
| CN105516099A (en) * | 2015-11-30 | 2016-04-20 | 北京奇艺世纪科技有限公司 | Business side access method and device, and business side access rule configuration method and device |
| CN105743643A (en) * | 2016-04-26 | 2016-07-06 | 百度在线网络技术(北京)有限公司 | Communication security detection method and device |
| CN106027644A (en) * | 2016-05-18 | 2016-10-12 | 广州市忆科计算机系统有限公司 | Service checking method and system |
| CN106101090A (en) * | 2016-06-07 | 2016-11-09 | 中国建设银行股份有限公司 | Operational approach and rule engine system for regulation engine |
| US20170364576A1 (en) * | 2016-06-15 | 2017-12-21 | Empow Cyber Security Ltd. | Classification of security rules |
| CN107958551A (en) * | 2017-12-29 | 2018-04-24 | 福建省农村信用社联合社 | A kind of full channel remote centralized authoring system of the expansible bank of business |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN107770815B (en) | MEC method and equipment based on position | |
| CN110691384B (en) | Network slice using method and device | |
| US11096051B2 (en) | Connection establishment method, device, and system | |
| US9992760B2 (en) | Method for updating RPLMN information and user equipment | |
| US11140737B2 (en) | Session processing method in wireless communications and terminal device | |
| CN110581809A (en) | Data processing method, multi-SIM card service function management entity and terminal equipment | |
| CN111083718A (en) | Session management method, network function and network system | |
| US20200007385A1 (en) | Compromised network node detection system | |
| CN110650029B (en) | Configuration method and device | |
| US20170126828A1 (en) | Sending Method and Apparatus and Computer Storage Medium of Notification Message | |
| EP3185598B1 (en) | Application registration method and apparatus | |
| WO2018166328A1 (en) | Information processing method, apparatus, computer readable storage medium and electronic device | |
| CN112218342A (en) | Method, device and system for realizing core network sub-slice disaster tolerance | |
| CN110798453B (en) | Data processing method and device for one-key login | |
| WO2017220021A1 (en) | Short message processing method and apparatus | |
| CN114450991A (en) | Wireless communication method for registration procedure | |
| CN111432354B (en) | Method, device and system for changing MCPTT user and MCPTT group association relation | |
| CN115297447B (en) | Long short message merging method, system, equipment and storage medium | |
| US20210328887A1 (en) | Method for performing task processing on common service entity, common service entity, apparatus and medium for task processing | |
| CN110971572A (en) | Authentication method, server and client | |
| CN113709729B (en) | Data processing method, device, network equipment and terminal | |
| US10206241B2 (en) | Session management | |
| CN114691734A (en) | Cache control method and device, computer readable medium and electronic device | |
| CN109548020B (en) | Compensation method and device after authentication failure, server and storage medium | |
| CN111859082A (en) | Identification analysis method and device |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| RJ01 | Rejection of invention patent application after publication | ||
| RJ01 | Rejection of invention patent application after publication |
Application publication date: 20200407 |