CN111182537A - Network access method, device and system for mobile application - Google Patents


Publication number
CN111182537A
Authority
CN
China
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201911414910.3A
Other languages
Chinese (zh)
Inventor
王凤周
王伟
桂艳峰
陈电波
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Uusafe Co ltd
Original Assignee
Uusafe Co ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/03 Protecting confidentiality, e.g. by encryption
    • H04W12/06 Authentication
    • H04W12/08 Access security
    • H04W76/00 Connection management
    • H04W76/10 Connection setup

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

The invention discloses a network access method, device and system for mobile applications. The method comprises: receiving a network access request sent by a mobile application client through a mobile application gateway device; parsing the network access request to obtain the client information it contains, and performing a user authentication operation according to the client information; and, when the authentication succeeds, returning a security gateway server address to the mobile application client, so that the mobile application client initiates a network connection request, through the mobile application gateway device, to the security gateway server corresponding to that address. The security gateway server is hidden behind a third-party device such as a control center and is not directly exposed on the public network, so an attacker cannot detect the address information of the security gateway server, and the security of the server is improved.

Description

Network access method, device and system for mobile application
Technical Field
The invention relates to the technical field of internet, in particular to a network access method, a device and a system for mobile application.
Background
Currently, with the increasing popularity of the internet and mobile devices, the number of mobile applications is increasing. Typically, a large number of mobile applications are installed in a mobile device. These mobile applications typically require access to the network through a mobile application client to implement networking functionality. In the existing mode, the mobile application client can directly access the security gateway server through the mobile application gateway device.
However, in the process of implementing the invention, the inventor found that this approach has at least the following defect: when the mobile application client accesses the security gateway server directly through the mobile application gateway device, the security gateway server is directly exposed on the public network. Once the server has a vulnerability, it is likely to be attacked over the network, which creates a security risk.
Disclosure of Invention
In view of the above, the present invention is proposed to provide a network access method, apparatus and system for mobile applications that overcomes or at least partially solves the above problems.
According to an aspect of the present invention, there is provided a network access method for a mobile application, including:
receiving a network access request sent by a mobile application client through a mobile application gateway device;
parsing the network access request to obtain the client information it contains, and performing a user authentication operation according to the client information;
when the authentication succeeds, returning a security gateway server address to the mobile application client, so that the mobile application client initiates a network connection request, through the mobile application gateway device, to the security gateway server corresponding to the security gateway server address.
Optionally, returning the security gateway server address to the mobile application client includes:
querying a preset server mapping table, and determining the security gateway server address corresponding to the mobile application gateway device according to the server mapping table;
returning the security gateway server address to the mobile application client through the mobile application gateway device;
the server mapping table is used for storing the mapping relationships between the mobile application gateway devices and the security gateway server addresses.
Optionally, the mobile application client initiating a network connection request, through the mobile application gateway device, to the security gateway server corresponding to the security gateway server address includes:
in response to the network connection request sent by the mobile application client, the security gateway server establishes an encrypted transmission channel for communicating with the mobile application client.
Optionally, the security gateway server establishing an encrypted transmission channel for communicating with the mobile application client includes:
the security gateway server and the mobile application client establish the encrypted transmission channel through a preset communication protocol.
Optionally, the method is applied to an SDP control center device, and the SDP control center device is connected to each mobile application gateway device.
According to another aspect of the present invention, there is provided a network access device for mobile applications, including:
a receiving module, adapted to receive a network access request sent by a mobile application client through a mobile application gateway device;
an authentication module, adapted to parse the network access request to obtain the client information it contains, and to perform a user authentication operation according to the client information;
a sending module, adapted to return a security gateway server address to the mobile application client when the authentication succeeds, so that the mobile application client initiates a network connection request, through the mobile application gateway device, to the security gateway server corresponding to the security gateway server address.
According to still another aspect of the present invention, there is provided a network access system for a mobile application, including: the network access device for the mobile application described above, a mobile application gateway device, and a security gateway server.
Optionally, there are multiple mobile application gateway devices, and each mobile application gateway device is connected to the network access device; the network access device stores the mapping relationship between each security gateway server and each mobile application gateway device in a preset server mapping table.
According to still another aspect of the present invention, there is provided an electronic apparatus including: the system comprises a processor, a memory, a communication interface and a communication bus, wherein the processor, the memory and the communication interface complete mutual communication through the communication bus;
the memory is used for storing at least one executable instruction, and the executable instruction enables the processor to execute the operation corresponding to the network access method of the mobile application.
According to still another aspect of the present invention, there is provided a computer storage medium having at least one executable instruction stored therein, where the executable instruction causes a processor to perform operations corresponding to the network access method for the mobile application.
In the network access method, device and system for mobile applications provided by the invention, when a network access request sent by a mobile application client through a mobile application gateway device is received, the client information contained in the request is obtained and a user authentication operation is performed; the address of the security gateway server is returned to the mobile application client only when authentication succeeds. In this method, therefore, the mobile application client cannot directly access the security gateway server through the mobile application gateway device; it can access the server only after being authenticated by a third-party device such as a control center. The security gateway server is thus hidden behind a third-party device such as a control center and is not directly exposed on the public network, so an attacker cannot detect the address information of the security gateway server, and the security of the server is improved.
The foregoing description is only an overview of the technical solutions of the present invention, and the embodiments of the present invention are described below in order to make the technical means of the present invention more clearly understood and to make the above and other objects, features, and advantages of the present invention more clearly understandable.
Drawings
Various other advantages and benefits will become apparent to those of ordinary skill in the art upon reading the following detailed description of the preferred embodiments. The drawings are only for purposes of illustrating the preferred embodiments and are not to be construed as limiting the invention. Also, like reference numerals are used to refer to like parts throughout the drawings. In the drawings:
Fig. 1 shows a flowchart of a network access method for a mobile application according to an embodiment of the invention;
Fig. 2 shows a flowchart of a network access method for a mobile application according to another embodiment of the present invention;
Fig. 3 shows a schematic structural diagram of a network access device for a mobile application according to yet another embodiment of the present invention;
Fig. 4 shows a schematic structural diagram of an electronic device according to the present invention;
Fig. 5 shows a system architecture diagram of a network access system.
Detailed Description
Exemplary embodiments of the present disclosure will be described in more detail below with reference to the accompanying drawings. While exemplary embodiments of the present disclosure are shown in the drawings, it should be understood that the present disclosure may be embodied in various forms and should not be limited to the embodiments set forth herein. Rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the scope of the disclosure to those skilled in the art.
Fig. 1 is a flowchart illustrating a network access method for a mobile application according to an embodiment of the present invention, where the method includes:
Step S110: receiving a network access request sent by the mobile application client through the mobile application gateway device.
Specifically, when the mobile application client needs to access the network, it must send a network access request through the mobile application gateway device. The mobile application gateway device may be a mobile application gateway SDK or a mobile application gateway client; it receives and processes the network access request from the mobile application client and forwards the request to the executing entity of this method.
The executing entity of this method is an authentication control device, for example an SDP control center device. The authentication control device can authenticate the mobile application client, which improves access security.
Step S120: parsing the network access request to obtain the client information it contains, and performing a user authentication operation according to the client information.
Specifically, the authentication control device parses the network access request to obtain the client information contained in it. The client information includes content related to the mobile application client, such as a client device identifier and a client user account. The client information may further include content related to the mobile application gateway device, such as a gateway device identifier. The user authentication operation is then performed according to the client information to confirm whether the mobile application client requesting access is a legitimate client.
Step S130: when the authentication succeeds, returning the address of the security gateway server to the mobile application client, so that the mobile application client initiates a network connection request, through the mobile application gateway device, to the security gateway server corresponding to that address.
Specifically, successful authentication indicates that the mobile application client requesting access is a valid client. Accordingly, the address of the security gateway server is returned to the mobile application client. In a specific implementation, the address of the security gateway server may be returned to the mobile application client directly, or it may be returned through the mobile application gateway device.
After receiving the address of the security gateway server, the mobile application client can initiate a network connection request to the security gateway server corresponding to that address, thereby realizing the network access operation.
In this method, therefore, the mobile application client cannot directly access the security gateway server through the mobile application gateway device; it can access the server only after being authenticated by a third-party device such as a control center. The security gateway server is thus hidden behind a third-party device such as a control center and is not directly exposed on the public network, so an attacker cannot detect the address information of the security gateway server, and the security of the server is improved.
Fig. 2 is a flowchart illustrating a network access method for a mobile application according to another embodiment of the present invention. As shown in fig. 2, the method includes:
Step S210: the SDP control center device receives a network access request sent by the mobile application client through the mobile application gateway device.
The SDP control center device may be any of various network devices that implement the SDP control function, such as an SDP control center server. The SDP control center device is connected to each mobile application gateway device so as to receive and process the network access requests from each of them.
Specifically, when the mobile application client needs to access the network, it must send a network access request through the mobile application gateway device. The mobile application gateway device may be a mobile application gateway SDK, a mobile application gateway client, or the like; it receives and processes the network access request from the mobile application client and forwards the request to the SDP control center device.
Step S220: the SDP control center device parses the network access request to obtain the client information it contains, and performs a user authentication operation according to the client information.
Specifically, the SDP control center device parses the network access request to obtain the client information contained in it. The client information includes content related to the mobile application client, such as a client device identifier and a client user account, and content related to the mobile application gateway device, such as a gateway device identifier. The user authentication operation is then performed according to the client information to confirm whether the mobile application client requesting access is a legitimate client.
The user authentication operation screens out illegitimate, malicious clients and thereby avoids the network risk caused by their unauthorized access. For example, a failed authentication indicates that the mobile application client requesting access may behave maliciously, so its network access request needs to be intercepted.
In specific implementation, the authentication operation can be performed in a plurality of ways:
In one optional implementation, the acquired client information is compared directly with the client information stored in a preset whitelist or blacklist, and whether the mobile application client requesting access is safe is determined from the comparison result. This approach authenticates permissions directly from static client information and is convenient and fast.
In yet another optional implementation, VSA encapsulation is applied in advance to the mobile application in the mobile application client. A VSA (virtual security area) is a virtual security domain that implements a security protection function through virtual machine technology. VSA encapsulation wraps the mobile application using the VSA virtual machine technology so that the mobile application runs inside the virtual machine, which makes it easier for the VSA virtual machine to supervise the application's behavior. After encapsulation, the virtual machine dynamically monitors the application behavior information of the mobile application to determine its real-time behaviors. The preset blacklist stores known violating behaviors; the monitored application behaviors are compared with the violating behaviors stored in the preset blacklist to determine whether the mobile application has performed any of them. If the mobile application is found to have performed a violating behavior in the preset blacklist, the mobile application is an insecure application and the authentication result is failure. The violating behaviors in the preset blacklist include at least one of the following: acquiring device information, calling the camera, acquiring positioning information, and acquiring recording information; the device information includes address book information, image information, and IMEI information stored in the device.
All behaviors in the preset blacklist are behaviors that illegally acquire data and can endanger the safe operation of the terminal device, so they need to be intercepted.
Step S230: when the authentication succeeds, returning the address of the security gateway server to the mobile application client.
Specifically, successful authentication indicates that the mobile application client requesting access is a valid client. Accordingly, the address of the security gateway server is returned to the mobile application client through the mobile application gateway device.
Because the SDP control center device is connected to multiple mobile application gateway devices at the same time, and there are multiple security gateway servers that can be accessed, a server mapping table is stored in the SDP control center device in advance so that it can determine quickly and accurately which security gateway server the current mobile application client should access. The server mapping table stores the mapping relationships between the security gateway servers and the mobile application gateway devices.
Accordingly, in this step, the preset server mapping table is queried and the security gateway server address corresponding to the mobile application gateway device is determined according to the table; the address of the security gateway server is then returned to the mobile application client through the mobile application gateway device. The server mapping table is used for storing the mapping relationships between the mobile application gateway devices and the security gateway server addresses.
Step S240: the mobile application client initiates a network connection request, through the mobile application gateway device, to the security gateway server corresponding to the address of the security gateway server.
After receiving the address of the security gateway server, the mobile application client can initiate a network connection request to the security gateway server corresponding to that address, thereby realizing the network access operation.
Accordingly, in response to the network connection request sent by the mobile application client, the security gateway server establishes an encrypted transmission channel for communicating with the mobile application client. Encrypting the transmission channel significantly improves the security of the network content. The security gateway server and the mobile application client establish the encrypted transmission channel through a preset communication protocol. The mobile application client must therefore establish the communication connection through a proprietary communication protocol, which further improves network security.
The security gateway server can be a server corresponding to the intranet, so that the security of the intranet is improved.
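As an added illustration (not code from the patent), the control-center side of steps S210 to S230, including both authentication variants and the server mapping table lookup, can be sketched in Python. The JSON field names, behavior labels, sample identifiers and the 192.0.2.x addresses are assumptions constructed for the example, and answering every failure with one identical denial body is a design choice of the sketch.

```python
import json
from dataclasses import dataclass, field

# Behaviors named in the description's preset blacklist (labels are hypothetical).
BEHAVIOR_BLACKLIST = frozenset({
    "acquire_device_info", "call_camera",
    "acquire_positioning_info", "acquire_recording_info",
})
REQUIRED_FIELDS = ("device_id", "user_account", "gateway_id")  # assumed field names
DENIED = {"status": "denied"}  # identical for every failure: no address, no reason


@dataclass
class ControlCenter:
    whitelist: frozenset      # allowed (device_id, user_account) pairs
    blacklist: frozenset      # blocked device_ids
    server_map: dict          # gateway_id -> security gateway server address
    audit: list = field(default_factory=list)

    def _parse(self, raw):
        """S220, part 1: parse the request and extract the client information."""
        try:
            msg = json.loads(raw)
        except (ValueError, TypeError):
            return None
        if not isinstance(msg, dict):
            return None
        info = {k: msg.get(k) for k in REQUIRED_FIELDS}
        if not all(isinstance(v, str) and v for v in info.values()):
            return None
        return info

    def _authenticate(self, info, behaviors):
        """S220, part 2: static list comparison plus the behavior blacklist."""
        if info["device_id"] in self.blacklist:
            return "device blacklisted"
        if (info["device_id"], info["user_account"]) not in self.whitelist:
            return "client not whitelisted"
        hits = BEHAVIOR_BLACKLIST.intersection(behaviors)
        if hits:
            return "blacklisted behavior: " + ",".join(sorted(hits))
        return None  # None means authentication succeeded

    def handle(self, raw, behaviors=()):
        """S210-S230: release the gateway address only after authentication."""
        info = self._parse(raw)
        if info is None:
            return self._deny(None, "malformed request")
        reason = self._authenticate(info, behaviors)
        if reason:
            return self._deny(info, reason)
        address = self.server_map.get(info["gateway_id"])
        if address is None:  # gateway device missing from the mapping table: fail closed
            return self._deny(info, "no mapping for gateway")
        self.audit.append(("granted", info["device_id"], info["gateway_id"]))
        return {"status": "granted", "gateway_address": address}

    def _deny(self, info, reason):
        # The reason stays in the server-side audit log; the caller gets DENIED.
        self.audit.append(("denied", info and info["device_id"], reason))
        return dict(DENIED)


def demo_center():
    """Control center loaded with constructed sample data (192.0.2.0/24 is a documentation range)."""
    return ControlCenter(
        whitelist=frozenset({("dev-001", "alice"), ("dev-002", "bob")}),
        blacklist=frozenset({"dev-666"}),
        server_map={"gw-east": "192.0.2.10:8443", "gw-west": "192.0.2.20:8443"},
    )


def request(device_id, user_account, gateway_id):
    """Build a constructed access request as a gateway SDK might forward it."""
    return json.dumps({"device_id": device_id, "user_account": user_account,
                       "gateway_id": gateway_id})


if __name__ == "__main__":
    cc = demo_center()
    print(cc.handle(request("dev-001", "alice", "gw-east")))
    print(cc.handle(request("dev-001", "alice", "gw-east"), behaviors=["call_camera"]))
    print(cc.handle(request("dev-999", "mallory", "gw-east")))
    print(cc.handle(b"\xff not json"))
    for entry in cc.audit:
        print(entry)
```

Because a denied caller receives the same body whatever the cause, the response reveals neither the gateway address nor which check failed; the cause is recorded only in the audit list.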
For convenience of understanding, the implementation manner in the embodiment of the present invention is described in detail below by taking a specific example as an example:
This example is implemented based on the SDP framework. Software Defined Perimeter (SDP) is a security framework developed by the Cloud Security Alliance (CSA) that controls access to resources based on identity. The framework is based on the "need to know" model of the U.S. Department of Defense: each terminal must be authenticated before connecting to the server, ensuring that each device is allowed access. The core idea is to hide core network assets and facilities behind the SDP architecture, so that they are not directly exposed to the Internet and are protected from external security threats.
The inventor found that when a mobile application accesses the intranet through a traditional mobile application gateway or a virtual private network (VPN), the client of the mobile application security gateway needs to establish a connection with the server, so the server of the mobile application security gateway is exposed on the public network. If the server has a vulnerability, it may be exploited, which creates network risk.
To solve this problem, the present example provides a secure access method for mobile applications based on the SDP architecture. With this method, the server of the mobile application security gateway has no DNS name or IP address exposed to the outside, and only authenticated clients can connect, using a proprietary protocol. Moreover, because the server of the mobile application security gateway is hidden behind the SDP control center, an attacker cannot detect its DNS name or IP address, so an attack cannot be carried out, and the service security of the mobile application security gateway is ensured.
Specifically, the mobile application secure access service flow based on the SDP architecture is as follows:
First, the SDP control center comes online and provides services to the outside. The SDP control center may be an EMM (enterprise mobility management) platform or another control platform.
Then, the mobile application client initiates a request to the SDP control center via the mobile application security gateway SDK (i.e., the mobile application gateway device), asking for the server address of the mobile application security gateway.
Finally, after the user passes authentication, the SDP control center returns the server address of the mobile application security gateway.
Accordingly, the mobile application client initiates a connection request to the mobile application security gateway server through the mobile application security gateway SDK. The mobile application security gateway server accepts the request, establishes encrypted transmission from the mobile application client to the mobile application security gateway server, and establishes a connection from the mobile application security gateway server to the mobile application server.
It can be seen that this example provides a secure access method for mobile applications based on the SDP architecture. With this method, the server of the mobile application has no DNS name or IP address exposed to the outside and can connect only with authorized clients using a proprietary protocol. Moreover, because the server of the mobile application is hidden behind the SDP control center, an attacker cannot detect its DNS name or IP address, so an attack cannot be carried out, and the service security of the mobile application is ensured.
Fig. 3 is a schematic structural diagram of a network access device for mobile applications according to another embodiment of the present invention. As shown in Fig. 3, the device includes:
a receiving module 31, adapted to receive a network access request sent by a mobile application client through a mobile application gateway device;
an authentication module 32, adapted to parse the network access request to obtain the client information it contains, and to perform a user authentication operation according to the client information;
a sending module 33, adapted to return a security gateway server address to the mobile application client when the authentication succeeds, so that the mobile application client initiates a network connection request, through the mobile application gateway device, to the security gateway server corresponding to the security gateway server address.
For the specific structure and working principle of each module, refer to the description of the corresponding step in the method embodiments; they are not repeated here.
Another embodiment of the present invention further provides a network access system for mobile applications, including: the network access device for the mobile application described above (i.e., the SDP control center), a mobile application gateway device, and a security gateway server. There are multiple mobile application gateway devices, and each is connected to the network access device; the network access device stores the mapping relationship between each security gateway server and each mobile application gateway device in a preset server mapping table.
Fig. 5 shows a system architecture diagram of a network access system. As shown in fig. 5, the hidden terminal (i.e., the mobile application client) accesses the security gateway server located in the hidden network through the mobile security gateway. The SDP control center is connected with the mobile security gateway and is used for realizing the user authentication function. The hidden network is provided with a cloud server (namely a security gateway server), an HQ/data center device, a plurality of APPs and the like. The cloud server can also be SaaS equipment and the like.
The embodiment of the present application provides a non-volatile computer storage medium, where the computer storage medium stores at least one executable instruction, and the computer executable instruction may execute the network access method of the mobile application in any method embodiment described above.
Fig. 4 is a schematic structural diagram of an electronic device according to an embodiment of the present invention, and the specific embodiment of the present invention does not limit the specific implementation of the electronic device.
As shown in Fig. 4, the electronic device may include: a processor 402, a communications interface 404, a memory 406, and a communications bus 408.
Wherein:
the processor 402, communication interface 404, and memory 406 communicate with each other via a communication bus 408.
A communication interface 404 for communicating with network elements of other devices, such as clients or other servers.
The processor 402 is configured to execute the program 410, and may specifically perform relevant steps in the above embodiments of the domain name resolution method.
In particular, program 410 may include program code comprising computer operating instructions.
The processor 402 may be a central processing unit (CPU), an application-specific integrated circuit (ASIC), or one or more integrated circuits configured to implement an embodiment of the present invention. The electronic device comprises one or more processors, which can be of the same type, such as one or more CPUs, or of different types, such as one or more CPUs and one or more ASICs.
The memory 406 is used for storing the program 410. The memory 406 may comprise high-speed RAM and may also include non-volatile memory, such as at least one disk memory.
The program 410 may be specifically configured to cause the processor 402 to perform the operations in the above-described method embodiments.
The algorithms and displays presented herein are not inherently related to any particular computer, virtual machine, or other apparatus. Various general purpose systems may also be used with the teachings herein. The required structure for constructing such a system will be apparent from the description above. Moreover, the present invention is not directed to any particular programming language. It is appreciated that a variety of programming languages may be used to implement the teachings of the present invention as described herein, and any descriptions of specific languages are provided above to disclose the best mode of the invention.
In the description provided herein, numerous specific details are set forth. It is understood, however, that embodiments of the invention may be practiced without these specific details. In some instances, well-known methods, structures and techniques have not been shown in detail in order not to obscure an understanding of this description.
Similarly, it should be appreciated that in the foregoing description of exemplary embodiments of the invention, various features of the invention are sometimes grouped together in a single embodiment, figure, or description thereof for the purpose of streamlining the disclosure and aiding in the understanding of one or more of the various inventive aspects. However, the disclosed method should not be interpreted as reflecting an intention that: that the invention as claimed requires more features than are expressly recited in each claim. Rather, as the following claims reflect, inventive aspects lie in less than all features of a single foregoing disclosed embodiment. Thus, the claims following the detailed description are hereby expressly incorporated into this detailed description, with each claim standing on its own as a separate embodiment of this invention.
Those skilled in the art will appreciate that the modules in the device in an embodiment may be adaptively changed and disposed in one or more devices different from the embodiment. The modules or units or components of the embodiments may be combined into one module or unit or component, and furthermore they may be divided into a plurality of sub-modules or sub-units or sub-components. All of the features disclosed in this specification (including any accompanying claims, abstract and drawings), and all of the processes or elements of any method or apparatus so disclosed, may be combined in any combination, except combinations where at least some of such features and/or processes or elements are mutually exclusive. Each feature disclosed in this specification (including any accompanying claims, abstract and drawings) may be replaced by alternative features serving the same, equivalent or similar purpose, unless expressly stated otherwise.
Furthermore, those skilled in the art will appreciate that while some embodiments described herein include some features included in other embodiments, rather than other features, combinations of features of different embodiments are meant to be within the scope of the invention and form different embodiments. For example, in the following claims, any of the claimed embodiments may be used in any combination.
The various component embodiments of the invention may be implemented in hardware, or in software modules running on one or more processors, or in a combination thereof. Those skilled in the art will appreciate that a microprocessor or Digital Signal Processor (DSP) may be used in practice to implement some or all of the functionality of some or all of the components in an electronic device according to embodiments of the present invention. The present invention may also be embodied as apparatus or system programs (e.g., computer programs and computer program products) for performing a portion or all of the methods described herein. Such programs implementing the present invention may be stored on computer-readable media or may be in the form of one or more signals. Such a signal may be downloaded from an internet website or provided on a carrier signal or in any other form.
It should be noted that the above-mentioned embodiments illustrate rather than limit the invention, and that those skilled in the art will be able to design alternative embodiments without departing from the scope of the appended claims. In the claims, any reference signs placed between parentheses shall not be construed as limiting the claim. The word "comprising" does not exclude the presence of elements or steps not listed in a claim. The word "a" or "an" preceding an element does not exclude the presence of a plurality of such elements. The invention may be implemented by means of hardware comprising several distinct elements, and by means of a suitably programmed computer. In the unit claims enumerating several systems, several of these systems may be embodied by one and the same item of hardware. The use of the words first, second, third, etc. does not indicate any ordering. These words may be interpreted as names.

Claims (10)

1. A network access method for a mobile application, comprising:
receiving a network access request sent by a mobile application client through a mobile application gateway device;
parsing the network access request to acquire the client information it contains, and performing a user authentication operation according to the client information;
and when the authentication is successful, returning a security gateway server address to the mobile application client, so that the mobile application client initiates a network connection request, through the mobile application gateway device, to the security gateway server corresponding to the security gateway server address.
2. The method of claim 1, wherein the returning a security gateway server address to the mobile application client comprises:
querying a preset server mapping table, and determining the security gateway server address corresponding to the mobile application gateway device according to the server mapping table;
returning the security gateway server address to the mobile application client through the mobile application gateway device;
wherein the server mapping table is used for storing mapping relations between the mobile application gateway devices and the security gateway server addresses.
3. The method of claim 1, wherein the mobile application client initiating, by the mobile application gateway device, a network connection request to a security gateway server corresponding to the security gateway server address comprises:
and responding to a network connection request sent by the mobile application client, and establishing an encrypted transmission channel for communicating with the mobile application client by the security gateway server.
4. The method of claim 3, wherein the secure gateway server establishing an encrypted transport channel for communication with the mobile application client comprises:
and the secure gateway server and the mobile application client establish the encryption transmission channel through a preset communication protocol.
5. The method according to any of claims 1-4, wherein the method is used in an SDP control center device, and the SDP control center device is connected to each mobile application gateway device.
6. A network access device for mobile applications, comprising:
a receiving module, adapted to receive a network access request sent by a mobile application client through a mobile application gateway device;
an authentication module, adapted to parse the network access request to acquire the client information it contains, and to perform a user authentication operation according to the client information;
and a sending module, adapted to return a security gateway server address to the mobile application client when the authentication is successful, so that the mobile application client initiates a network connection request, through the mobile application gateway device, to the security gateway server corresponding to the security gateway server address.
7. A network access system for mobile applications, comprising: the network access device, the mobile application gateway equipment and the security gateway server of claim 6.
8. The system of claim 7, wherein the number of the mobile application gateway devices is plural, and each mobile application gateway device is connected to the network access device; the network access device is used for storing the mapping relation between each security gateway server and each mobile application gateway device through a preset server mapping table.
9. An electronic device, comprising: the system comprises a processor, a memory, a communication interface and a communication bus, wherein the processor, the memory and the communication interface complete mutual communication through the communication bus;
the memory is used for storing at least one executable instruction, and the executable instruction causes the processor to execute the operation corresponding to the network access method of the mobile application as claimed in any one of claims 1-5.
10. A computer storage medium having at least one executable instruction stored therein, the executable instruction causing a processor to perform operations corresponding to the network access method for a mobile application according to any one of claims 1-5.
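
The control-center flow of claims 1 and 2, sketched as an added example (not code from the patent or its applicant): the request is parsed, the user is authenticated, and only then is the forwarding gateway device mapped to its security gateway server address. The JSON field names, the HMAC-SHA256 proof, the nonce replay guard and all sample IDs, addresses and keys are assumptions made for illustration.

```python
import hashlib
import hmac
import json

# Constructed sample data: IDs, addresses and keys are placeholders.
SERVER_MAPPING_TABLE = {
    "mgw-01": "sgw-a.hidden.example:8443",
    "mgw-02": "sgw-b.hidden.example:8443",
}
USER_KEYS = {"alice": b"constructed-demo-key"}
DENIED = {"status": "denied"}  # one uniform answer for every failure


def sign_client_info(user, device_id, nonce, key):
    """Assumed proof format: HMAC-SHA256 over the client information fields."""
    msg = json.dumps([user, device_id, nonce]).encode()  # unambiguous encoding
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def build_request(user, device_id, nonce, key):
    """What the mobile application client sends through its gateway device."""
    return json.dumps({"user": user, "device_id": device_id, "nonce": nonce,
                       "proof": sign_client_info(user, device_id, nonce, key)})


class SdpControlCenter:
    def __init__(self, mapping, user_keys):
        self.mapping = mapping
        self.user_keys = user_keys
        self.seen_nonces = set()  # replay guard (an addition, not in the claims)

    def handle_access_request(self, gateway_id, raw_request):
        # Parse the client information carried in the network access request.
        try:
            info = json.loads(raw_request)
            fields = [info[k] for k in ("user", "device_id", "nonce", "proof")]
        except (ValueError, KeyError, TypeError):
            return dict(DENIED)
        if not all(isinstance(v, str) for v in fields):
            return dict(DENIED)
        user, device_id, nonce, proof = fields
        # User authentication operation based on the client information.
        key = self.user_keys.get(user)
        if key is None or nonce in self.seen_nonces:
            return dict(DENIED)
        expected = sign_client_info(user, device_id, nonce, key)
        if not hmac.compare_digest(expected.encode(), proof.encode()):
            return dict(DENIED)
        self.seen_nonces.add(nonce)
        # Only after authentication: map the forwarding gateway device to its
        # security gateway server; an unknown gateway is denied as well.
        address = self.mapping.get(gateway_id)
        if address is None:
            return dict(DENIED)
        return {"status": "ok", "security_gateway": address}


if __name__ == "__main__":
    cc = SdpControlCenter(SERVER_MAPPING_TABLE, USER_KEYS)
    req = build_request("alice", "phone-1", "n-001", USER_KEYS["alice"])
    print(cc.handle_access_request("mgw-01", req))
    print(cc.handle_access_request("mgw-01", req))  # replayed request
```

Every failure path returns the same response, so an unauthenticated caller learns neither which check failed nor any security gateway server address.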
CN201911414910.3A 2019-12-31 2019-12-31 Network access method, device and system for mobile application Pending CN111182537A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201911414910.3A CN111182537A (en) 2019-12-31 2019-12-31 Network access method, device and system for mobile application

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201911414910.3A CN111182537A (en) 2019-12-31 2019-12-31 Network access method, device and system for mobile application

Publications (1)

Publication Number Publication Date
CN111182537A true CN111182537A (en) 2020-05-19

Family

ID=70652364

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201911414910.3A Pending CN111182537A (en) 2019-12-31 2019-12-31 Network access method, device and system for mobile application

Country Status (1)

Country Link
CN (1) CN111182537A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20200519