CN112311768B - Policy center, control system, method, medium, and device for non-http protocol application - Google Patents


Info

Publication number
CN112311768B
Authority
CN
China
Prior art keywords
user
access control
authentication
control system
identity
Prior art date
Legal status
Active
Application number
CN202011052740.1A
Other languages
Chinese (zh)
Other versions
CN112311768A (en)
Inventor
岳炳词
Current Assignee
New H3C Security Technologies Co Ltd
Original Assignee
New H3C Security Technologies Co Ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0807 Network architectures or network communication protocols for network security for authentication of entities using tickets, e.g. Kerberos
    • H04L63/0861 Network architectures or network communication protocols for network security for authentication of entities using biometrical features, e.g. fingerprint, retina-scan

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Health & Medical Sciences (AREA)
  • Biomedical Technology (AREA)
  • General Health & Medical Sciences (AREA)
  • Storage Device Security (AREA)

Abstract

The present disclosure provides a policy center, a control system, a method, a medium, and a device for non-http protocol applications. The system comprises external network user equipment and a service system host, and further comprises a policy center and a trusted access control system. The policy center generates the access control policy of a user, authenticates the user's access request, and sends the authentication result to the trusted access control system; the policy center is connected with the trusted access control system. The trusted access control system performs trusted access control on the user's access request. The external network user equipment is connected with the trusted access control system through routing equipment and, subject to the trusted access control performed by that system, is connected with the service system host of the internal network. By this scheme, trusted access control can be realized for all IP services of enterprises, the Internet and government affairs networks, and the security of the whole application service system is improved.

Description

Policy center, control system, method, medium, and device for non-http protocol application
Technical Field
The present disclosure relates to the field of internet technologies, and in particular, to a policy center, a control system, a method, a medium, and a device for non-http protocol application.
Background
As zero trust protection systems move into practical deployment, there is growing demand for trusted access control over application access across multiple protocols. Because trusted access control is applied to the user's messages and the user's identity must be recognised from the message itself, the main application supported by current trusted access control is http, and trusted access control of other, non-http applications presents certain technical difficulties.
Currently, trusted access control for applications mainly focuses on trusted access control for http applications, and the identity of a user is mainly identified by a cookie, and is transferred by the cookie in a service request message.
The prior art mainly has the following defects:
the prior art mainly supports web services, and for application services of other protocols an effective technical means of supporting trusted access control is lacking; meanwhile, many non-web application services also have strong security protection requirements, and real-time trusted access control needs to be realized for them on the basis of a zero trust protection architecture.
Disclosure of Invention
The present disclosure aims to solve the technical problem that the prior art cannot provide trusted access control for non-http applications.
To achieve the above technical object, the present disclosure provides a non-http protocol application policy center, including:
the identity authentication unit is used for authenticating the user and generating a user token after the authentication is passed;
and the transmission unit is used for transmitting the user token to the trusted access control system.
Further, the identity authentication unit authenticates the identity of the user specifically through biometric authentication and/or user password authentication and/or electronic signature authentication.
Further, the biometric authentication specifically includes: fingerprint authentication and/or face recognition authentication.
To achieve the above technical object, the present disclosure provides an access control system for a non-http protocol application, comprising external network user equipment and a service system host, and further comprising:
a policy center and a trusted access control system;
the policy center is used for generating the access control policy of the user, authenticating the access request of the user and sending the authentication result to the trusted access control system;
the policy center is connected with the trusted access control system;
the trusted access control system is used for performing trusted access control on the access request of the user;
the external network user equipment is connected with the trusted access control system through routing equipment and, subject to the trusted access control of the trusted access control system, is connected with the service system host of the internal network.
Further, the trusted access control system is specifically configured to:
extracting a source IP address when a service request for accessing a non-http application service arrives;
and inquiring the identity ID information by using the source IP address as a user name, judging whether the identity ID information exists, and redirecting to an authentication page if the identity ID information does not exist.
Further, in the present invention, it is preferable that,
the policy center is also used for user authentication, and when the user authentication passes, a user token is generated for the user and sent to the trusted access control system;
the trusted access control system is also used for establishing a user Identity (ID) table entry after the user token is obtained.
Further, the user identity ID entry specifically includes:
a user name, a user IP address, and a user token.
In order to achieve the above technical object, the present disclosure can also provide a trusted access control method for a non-http protocol application, which is applied to the above access control system for the non-http protocol application, and includes:
the user accesses an IP application of a non-http protocol, and the request is sent to the trusted access control system;
the trusted access control system extracts the source IP of the request message and looks up the user identity ID table entries by that source IP, judging whether a matching entry exists;
if so, the user identity ID entry is obtained and the user token in it is extracted;
if not, the user is redirected to a user authentication interface to be authenticated.
Further, in the present invention, it is preferable that,
after extracting the user token, the method further comprises:
the trusted access control system sends the user access resource identifier to the policy center for authority authentication, wherein the user access resource identifier specifically comprises: information of destination IP address, port number and/or user token;
the policy center authenticates the user according to the user token and the user access resource identifier; if the authentication passes, the request message is released, and if not, the request message is discarded.
Further, the process of authenticating the user specifically includes:
the policy center authenticates the user, and a user token is generated after the authentication passes;
the policy center sends the user token to the trusted access control system;
the trusted access control system creates a user Identity (ID) entry.
To achieve the above technical object, the present disclosure can also provide a computer storage medium having computer program instructions stored thereon, the computer program instructions specifically including:
The identity authentication unit is used for authenticating the identity of the user, and a user token is generated after the authentication is passed;
and sending the generated user token to a trusted access control system after the authentication is passed.
Further, the authenticating the identity of the user by using the identity authentication unit specifically includes:
and authenticating the identity of the user through biometric authentication and/or user password authentication and/or electronic signature authentication.
Further, the biometric authentication specifically includes: fingerprint authentication and/or face recognition authentication.
In order to achieve the technical object, the present disclosure further provides an electronic device, which includes a memory and a processor, and further includes the non-http protocol application policy center.
The beneficial effects of this disclosure are:
a method for trusted security protection of non-http protocol applications is provided, enabling real-time authentication of access to non-web applications;
the scheme disclosed by the invention does not require installing a client, does not change the original flow or the original messages, is easy to realize and is highly practicable;
by this scheme, trusted access control can be realized for all IP services of enterprises, the Internet and government affairs networks, and the security of the whole application service system is improved.
Drawings
Fig. 1 shows a schematic structural diagram of embodiment 2 of the present disclosure;
fig. 2 shows a flow diagram of embodiment 3 of the present disclosure;
fig. 3 shows a schematic structural diagram of embodiment 5 of the present disclosure.
Detailed Description
Hereinafter, embodiments of the present disclosure will be described with reference to the accompanying drawings. It should be understood that these descriptions are illustrative only and are not intended to limit the scope of the present disclosure. Moreover, in the following description, descriptions of well-known structures and techniques are omitted so as to not unnecessarily obscure the concepts of the present disclosure.
Various structural schematics according to embodiments of the present disclosure are shown in the figures. The figures are not drawn to scale, wherein certain details are exaggerated and possibly omitted for clarity of presentation. The shapes of various regions, layers, and relative sizes and positional relationships therebetween shown in the drawings are merely exemplary, and deviations may occur in practice due to manufacturing tolerances or technical limitations, and a person skilled in the art may additionally design regions/layers having different shapes, sizes, relative positions, as actually required.
Interpretation of terms used in the present disclosure:
Zero trust security protection architecture: no policy grants default trust to a system based on its physical or network location (i.e. local area network or Internet). Access to a data resource is granted when the user needs that resource, and authentication (of user and device) is performed before the connection is established. A zero trust architecture is also required to perform security risk monitoring of the network service system, the user terminal and user behaviour, and to evaluate their trust level; it adjusts the user's access authority in real time according to that trust level and authenticates each access request of the user, so that the user's access authority is minimized in real time.
Trusted access control: through a trusted access control gateway (the access control execution system in a zero trust security protection system), each access request of a user is authenticated against the policy center of the zero trust security protection architecture, and the policy center confirms whether the user has the authority to access the requested service according to the trust level of the user and the security sensitivity level of the accessed service. The policy center sends the authentication result to the trusted access control gateway, which decides whether to pass the request message according to that result.
The first embodiment is as follows:
the present disclosure provides a non-http protocol application policy center, comprising:
the identity authentication unit is used for authenticating the user and generating a user token after the authentication is passed;
and the transmission unit is used for transmitting the user token to the trusted access control system.
Specifically, the identity authentication unit authenticates the identity of the user specifically by biometric authentication and/or user password authentication and/or electronic signature authentication.
Preferably, the biometric authentication specifically includes: fingerprint authentication and/or face recognition authentication.
The identity authentication unit used in the method can flexibly select the fingerprint identification module or the face identification module commonly used in the prior art according to the specific user identity type. The specific type of fingerprint identification module or face identification module selected can be selected by those skilled in the art according to actual authentication requirements, and will not be described herein.
The second embodiment:
as shown in fig. 1:
the present disclosure provides an access control system for a non-http protocol application, comprising external network user equipment, routing equipment and a service system host, and further comprising:
the policy center and the trusted access control system of the first embodiment;
the policy center is used for generating the access control policy of the user, authenticating the access request of the user and sending the authentication result to the trusted access control system;
the policy center is connected with the trusted access control system;
the trusted access control system is used for performing trusted access control on the access request of the user;
trusted access control here specifically refers to dynamic authentication of the user's access request:
for example, a risk assessment is carried out on the user access request, which is dynamically classed as high, medium or low risk; a high-risk access request is given restricted access, with only a small part of the intranet service system hosts reachable, while a low-risk access request can be given wide access, with most intranet service system hosts allowed.
Specifically, the trusted access control system is configured to:
extract the source IP address when a service request for accessing a non-http application service arrives;
and look up the identity ID information using the source IP address as the user name, judge whether the identity ID information exists, and redirect to an authentication page if it does not.
The external network user equipment is connected with the trusted access control system through the routing equipment and, subject to the trusted access control of the trusted access control system, is connected with the service system host of the internal network.
Authentication, as referred to in this disclosure, refers to verifying that a user has the right to access a system. Traditional authentication is verified by means of a password. This approach presupposes that each user obtaining the password is already authorized. When the user is established, a password is allocated to the user, and the password of the user can be specified by an administrator or can be applied by the user.
The authentication mode used by the present disclosure is token authentication, whose flow is:
the client logs in with its account and password;
the server verifies the account and password;
after the account and password pass verification, the server generates a token and sends it to the client;
the client stores the token in a cookie or by other means;
the client includes the token in each subsequent request;
the server verifies the validity of the token: if verification passes, the server returns the resource, and if not, it returns the 401 status code.
The 401 status code indicates that the current request requires authentication or verification of the user.
Token verification is more flexible and suits most scenarios.
The commonly used token authentication solution is JWT, which encodes the JSON carrying the relevant user information in a flexible way and can be designed according to requirements.
The JWT referred to in this disclosure is JSON Web Token (abbreviated JWT), which is currently the most popular cross-domain authentication solution.
The principle of JWT is that after authentication by the server, an object in JSON format is generated and sent back to the client, for example:
{
  "user name": "admin",
  "role": "super supervisor",
  "expiration time": "2020-08-13 00:00:00"
}
Later, when the client communicates with the server, the JSON object needs to be sent back. The server recognizes the user identity solely by this object.
To prevent the user from tampering with the data, the server will add a signature when generating this object.
The server no longer stores any session data, i.e. the server becomes stateless, which makes it easier to scale.
The policy center is also used for user authentication, and when the user authentication passes, a user token is generated for the user and sent to the trusted access control system;
the trusted access control system is also used for establishing a user Identity (ID) table entry after the user token is obtained.
Specifically, the user identity ID entry specifically includes:
a user name, a user IP address, and a user token.
The third embodiment:
as shown in fig. 2:
the present disclosure also provides a trusted access control method for a non-http protocol application, which is applied to the above access control system for the non-http protocol application, and includes:
S201: the user accesses an IP application of a non-http protocol, and the request is sent to the trusted access control system;
the IP application refers to a non-extranet program application, which may be a conventional application program using the TCP/IP protocol.
S202: the trusted access control system extracts the source IP of the request message and looks up the user identity ID table entries by that source IP, judging whether a matching entry exists;
S2021: if so, the user identity ID entry is obtained and the user token in it is extracted; or,
S2022: if not, the user is redirected to the user authentication interface to be authenticated.
Further, in the present invention,
after the user token is extracted in S2021, the method further includes:
the trusted access control system sends the user access resource identifier to the policy center for authority authentication;
specifically, the user access resource identifier includes: the destination IP address, the port number and/or the user token;
the policy center authenticates the user according to the user token and the user access resource identifier; if the authentication passes, the request message is released, and if not, the request message is discarded.
Further, the process of authenticating the user specifically includes:
the policy center authenticates the user, and a user token is generated after the authentication passes;
the policy center sends a user token to the trusted access control system;
the trusted access control system creates a user Identity (ID) entry.
After authentication, if the user accesses again, the access authentication process is started according to the user identity (ID) table entry once the user's access request reaches the trusted access control system.
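The token handling of the JWT paragraphs above and the S201 to S2022 method of this embodiment, as one added Python example that is not the patent's own code: a policy center that authenticates a user, issues an HMAC-signed JWT-style token and authorizes (token, destination IP, port) queries, and a gateway that keeps the user identity ID table keyed by source IP. It assumes the password factor only, an HS256 signature, an in-memory policy table mapping a role to permitted (destination IP, port) pairs, and a purge of stale table entries that the patent does not specify; the key, users, policy and addresses are constructed.

```python
# Added example (not the patent's own code). PolicyCenter authenticates a user, issues a
# signed JWT-style token and answers authorization queries on (token, dst IP, port);
# TrustedAccessControlSystem keeps the user identity ID table {user name, user IP, token}
# keyed by source IP and releases or drops each request. Key, users, policy and addresses
# are constructed for the demo.
import base64
import hashlib
import hmac
import json

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

class PolicyCenter:
    """Identity authentication unit (password factor) plus authority authentication."""
    def __init__(self, secret: bytes, users: dict, policy: dict, ttl: int, clock):
        self.secret = secret    # HMAC key shared by issue and verify (constructed here)
        self.users = users      # user name -> (sha256 hex of password, role)
        self.policy = policy    # role -> set of (dst_ip, dst_port) the role may reach
        self.ttl, self.clock = ttl, clock   # token lifetime in seconds; injectable clock

    def authenticate(self, user: str, password: str):
        """Return a signed token on success, None otherwise. No session state is kept."""
        rec = self.users.get(user)
        if rec is None:
            return None
        digest = hashlib.sha256(password.encode()).hexdigest()
        if not hmac.compare_digest(digest, rec[0]):
            return None
        header = {"alg": "HS256", "typ": "JWT"}
        payload = {"user name": user, "role": rec[1], "exp": int(self.clock()) + self.ttl}
        signing_input = b64url(json.dumps(header).encode()) + "." + b64url(json.dumps(payload).encode())
        sig = hmac.new(self.secret, signing_input.encode(), hashlib.sha256).digest()
        return signing_input + "." + b64url(sig)

    def verify(self, token: str):
        """Recompute the signature and check expiry; return the payload or None."""
        try:
            h, p, s = token.split(".")
            expected = hmac.new(self.secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
            if not hmac.compare_digest(expected, unb64url(s)):
                return None   # tampered header/payload or wrong key
            payload = json.loads(unb64url(p))
        except ValueError:    # malformed token, base64 or JSON
            return None
        if payload.get("exp", 0) <= self.clock():
            return None       # expired: every request is re-checked, per the zero trust definition
        return payload

    def authorize(self, token: str, dst_ip: str, dst_port: int) -> bool:
        """Authority authentication on the user access resource identifier (dst IP, port, token)."""
        payload = self.verify(token)
        return payload is not None and (dst_ip, dst_port) in self.policy.get(payload["role"], set())

class TrustedAccessControlSystem:
    """Gateway in front of the non-http service hosts; holds the user identity ID table."""
    def __init__(self, policy_center: PolicyCenter):
        self.pc = policy_center
        self.id_table = {}    # src_ip -> {"user name", "user ip", "token"}

    def login(self, src_ip: str, user: str, password: str) -> bool:
        """Authentication page flow: the center issues the token, the gateway creates the entry."""
        token = self.pc.authenticate(user, password)
        if token is None:
            return False
        self.id_table[src_ip] = {"user name": user, "user ip": src_ip, "token": token}
        return True

    def handle(self, src_ip: str, dst_ip: str, dst_port: int) -> str:
        """S202: look up the source IP; S2022 redirect, or S2021 extract the token and ask the center."""
        entry = self.id_table.get(src_ip)
        if entry is None:
            return "REDIRECT_AUTH"
        if self.pc.authorize(entry["token"], dst_ip, dst_port):
            return "RELEASE"
        if self.pc.verify(entry["token"]) is None:
            # Not specified by the patent: purge a stale entry so the next request from this
            # source IP is redirected to re-authenticate instead of being dropped forever.
            del self.id_table[src_ip]
        return "DROP"

def build_demo_system(now: float):
    """Constructed users, policy and key; returns (policy center, gateway, mutable clock)."""
    clock = [now]
    users = {"alice": (hashlib.sha256(b"correct horse").hexdigest(), "operator")}
    policy = {"operator": {("10.0.0.20", 22), ("10.0.0.21", 3306)}}
    pc = PolicyCenter(b"constructed-demo-key", users, policy, ttl=600, clock=lambda: clock[0])
    return pc, TrustedAccessControlSystem(pc), clock

def demo(now: float = 1_600_000_000.0) -> list:
    """Walk one extranet user through the flow; returns the gateway decisions in order."""
    _, gw, clock = build_demo_system(now)
    src = "203.0.113.5"                                    # extranet user equipment
    steps = [gw.handle(src, "10.0.0.20", 22),             # no ID entry yet -> redirect
             gw.login(src, "alice", "wrong"),              # password rejected
             gw.login(src, "alice", "correct horse"),      # token issued, entry created
             gw.handle(src, "10.0.0.20", 22),              # permitted resource -> release
             gw.handle(src, "10.0.0.99", 445)]             # not in policy -> drop
    clock[0] += 601                                        # token lifetime elapses
    steps.append(gw.handle(src, "10.0.0.20", 22))          # expired token -> drop, entry purged
    steps.append(gw.handle(src, "10.0.0.20", 22))          # back to redirect
    return steps
```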
The fourth embodiment:
the present disclosure can also provide a computer storage medium having computer program instructions stored thereon, the computer program instructions specifically comprising:
the identity authentication unit is used for authenticating the identity of the user, and a user token is generated after the authentication is passed;
and sending the generated user token to a trusted access control system after the authentication is passed.
Specifically, the authenticating the identity of the user by using the identity authentication unit specifically includes:
and authenticating the identity of the user through biometric authentication and/or user password authentication and/or electronic signature authentication.
Further, the biometric authentication specifically includes: fingerprint authentication and/or face recognition authentication.
The computer storage medium of the present disclosure may be implemented with a semiconductor memory, a magnetic core memory, a magnetic drum memory, or a magnetic disk memory.
Semiconductor memories are mainly used as the memory elements of computers, and there are two types, MOS and bipolar memory elements. MOS devices have high integration and a simple process but slow speed. Bipolar elements have a complex process, high power consumption, low integration and high speed. NMOS and CMOS were introduced, making MOS memory dominant in semiconductor memory. NMOS is fast, e.g. 45 ns for Intel's 1K-bit SRAM. CMOS power consumption is low; the access time of a 4K-bit CMOS static memory is 300 ns. The semiconductor memories described above are all random access memories (RAM), i.e. new contents are read and written randomly during operation. A semiconductor read-only memory (ROM) can be read randomly but cannot be written during operation, and is used to store fixed programs and data. ROM is classified into non-rewritable fuse-type ROM and PROM, and rewritable EPROM.
Magnetic core memory has the characteristics of low cost and high reliability, and more than 20 years of practical experience. Core memories were widely used as main memory before the mid 70's. The storage capacity can reach more than 10 bits, and the access time is 300 ns at the fastest. A typical international magnetic core memory has a capacity of 4 MB to 8 MB and an access cycle of 1.0 to 1.5 μs. After semiconductor memory developed rapidly to replace magnetic core memory as main memory, magnetic core memory could still be applied as large-capacity expansion memory.
Drum memory, an external memory for magnetic recording. Because of its fast information access speed and stable and reliable operation, it is being replaced by disk memory, but it is still used as external memory for real-time process control computers and medium and large computers. In order to meet the needs of small and micro computers, subminiature magnetic drums have emerged, which are small, lightweight, highly reliable, and convenient to use.
Magnetic disk memory, an external memory for magnetic recording. It combines the advantages of drum and tape storage, i.e. its storage capacity is larger than that of drum, its access speed is faster than that of tape storage, and it can be stored off-line, so that the magnetic disk is widely used as large-capacity external storage in various computer systems. Magnetic disks are generally classified into two main categories, hard disks and floppy disk memories.
Hard disk memories are of a wide variety. The structure is divided into a replaceable type and a fixed type. The replaceable disk is replaceable and the fixed disk is fixed. The replaceable and fixed magnetic disks have both multi-disk combinations and single-chip structures, and are divided into fixed head types and movable head types. The fixed head type magnetic disk has a small capacity, a low recording density, a high access speed, and a high cost. The movable head type magnetic disk has a high recording density (up to 1000 to 6250 bits/inch) and thus a large capacity, but has a low access speed compared with a fixed head magnetic disk. The storage capacity of a magnetic disk product can reach several hundred megabytes with a bit density of 6250 bits per inch and a track density of 475 tracks per inch. The disk set of the multiple replaceable disk memory can be replaced, so that the disk set has large off-body capacity, large capacity and high speed, can store large-capacity information data, and is widely applied to an online information retrieval system and a database management system.
The fifth embodiment:
the present disclosure also provides an electronic device, which includes a memory and a processor, and further includes the non-http protocol application policy center.
Fig. 3 is a schematic diagram of the internal structure of an electronic device in one embodiment. As shown in fig. 3, the electronic device includes a processor, a storage medium, a memory, and a network interface connected through a system bus. The storage medium of the computer device stores an operating system, a database and computer readable instructions; the database can store control information sequences, and the computer readable instructions, when executed by the processor, can enable the processor to implement a trusted access control method for non-http protocol applications. The processor of the electronic device is used to provide computing and control capabilities to support the operation of the entire computer device. The memory of the computer device may have stored therein computer readable instructions that, when executed by the processor, may cause the processor to perform a trusted access control method for non-http protocol applications. The network interface of the computer device is used for connecting and communicating with the terminal. Those skilled in the art will appreciate that the architecture shown in fig. 3 is merely a block diagram of some of the structures associated with the disclosed aspects and is not intended to limit the computing devices to which the disclosed aspects apply, as particular computing devices may include more or fewer components than those shown, or may combine certain components, or have a different arrangement of components.
The policy center is specifically a non-http protocol application policy center provided in the first embodiment of the present disclosure, and specifically includes:
the identity authentication unit is used for authenticating the user and generating a user token after the authentication is passed;
and the transmission unit is used for transmitting the user token to the trusted access control system.
Specifically, the identity authentication unit authenticates the identity of the user specifically by biometric authentication and/or user password authentication and/or electronic signature authentication.
Preferably, the biometric authentication specifically includes: fingerprint authentication and/or face recognition authentication.
The identity authentication unit used in the method can flexibly select the fingerprint identification module or the face identification module commonly used in the prior art according to the specific user identity type. The specific type of fingerprint identification module or face identification module selected can be selected by those skilled in the art according to actual authentication requirements, and will not be described herein.
The processor may be composed of an integrated circuit in some embodiments, for example, a single packaged integrated circuit, or may be composed of a plurality of integrated circuits packaged with the same or different functions, including one or more Central Processing Units (CPUs), microprocessors, digital processing chips, graphics processors, and combinations of various control chips. The processor is a control core (control unit) of the electronic device, connects various components of the whole electronic device by using various interfaces and lines, and executes various functions and processes data of the electronic device by running or executing programs or modules (for example, executing a remote data read/write program, etc.) stored in the memory and calling data stored in the memory.
The bus may be a Peripheral Component Interconnect (PCI) bus or an Extended Industry Standard Architecture (EISA) bus. The bus may be divided into an address bus, a data bus, a control bus, etc. The bus is arranged to enable connected communication between the memory and at least one processor or the like.
Fig. 3 shows only an electronic device with components, and those skilled in the art will appreciate that the structure shown in fig. 3 is not limiting to the electronic device, and may include fewer or more components than shown, or some components may be combined, or a different arrangement of components.
For example, although not shown, the electronic device may further include a power supply (such as a battery) for supplying power to each component, and preferably, the power supply may be logically connected to the at least one processor through a power management device, so that functions such as charge management, discharge management, and power consumption management are implemented through the power management device. The power supply may also include any component of one or more dc or ac power sources, recharging devices, power failure detection circuitry, power converters or inverters, power status indicators, and the like. The electronic device may further include various sensors, a bluetooth module, a Wi-Fi module, and the like, which are not described herein again.
Further, the electronic device may further include a network interface, and optionally, the network interface may include a wired interface and/or a wireless interface (such as a WI-FI interface, a bluetooth interface, etc.), which are generally used to establish a communication connection between the electronic device and another electronic device.
Optionally, the electronic device may further comprise a user interface, which may be a display, an input unit (such as a keyboard), and optionally a standard wired interface or a wireless interface. Alternatively, in some embodiments, the display may be an LED display, a liquid crystal display, a touch-sensitive liquid crystal display, an OLED (Organic Light-Emitting Diode) touch device, or the like. The display, which may also be referred to as a display screen or display unit, is suitable, among other things, for displaying information processed in the electronic device and for displaying a visualized user interface.
Further, the computer usable storage medium may mainly include a storage program area and a storage data area, wherein the storage program area may store an operating system, an application program required for at least one function, and the like; the storage data area may store data created according to the use of the blockchain node, and the like.
In the several embodiments provided in the present invention, it should be understood that the disclosed apparatus, device and method may be implemented in other manners. For example, the above-described apparatus embodiments are merely illustrative, and for example, the division of the modules is only one logical functional division, and other divisions may be realized in practice.
The modules described as separate parts may or may not be physically separate, and parts displayed as modules may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, functional modules in the embodiments of the present invention may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit. The integrated unit can be realized in a form of hardware, or in a form of hardware plus a software functional module.
The present disclosure provides a trusted security protection system and method for applications of non-HTTP protocols, enabling real-time authentication of access to non-web applications.
The scheme disclosed by the invention does not require installing a client, does not change the original traffic or messages, is easy to realize, and is highly practical to implement.
By the scheme, trusted access control can be realized for all IP services of enterprises, the Internet and government affairs networks, and the security of the whole application service system is improved.
The embodiments of the present disclosure are described above. However, these examples are for illustrative purposes only and are not intended to limit the scope of the present disclosure. The scope of the disclosure is defined by the appended claims and equivalents thereof. Various alternatives and modifications can be devised by those skilled in the art without departing from the scope of the present disclosure, and such alternatives and modifications are intended to be within the scope of the present disclosure.

Claims (8)

1. An access control system for a non-http protocol application, comprising external network user equipment and a service system host, characterized by further comprising:
a trusted access control system and a policy center;
the policy center is used for generating an access control policy of the user, authenticating an access request of the user and sending an authentication result to the trusted access control system;
the policy center is connected with the trusted access control system;
the trusted access control system is used for performing trusted access control on an access request of a user;
the external network user equipment is connected with the trusted access control system through routing equipment, and the external network user equipment, under the trusted access control of the trusted access control system, is connected with the service system host of the internal network;
the policy center comprises:
the identity authentication unit is used for authenticating the user and generating a user token after the authentication is passed;
the transmission unit is used for sending the user token to the trusted access control system;
the identity authentication unit authenticates the identity of the user through biometric authentication and/or user password authentication and/or electronic signature authentication;
the biometric authentication specifically includes: fingerprint authentication and/or face recognition authentication.
2. The system of claim 1, wherein the trusted access control system is specifically configured to:
extracting a source IP address when a service request for accessing a non-http application service arrives;
and inquiring identity ID information by using the source IP address as a user name, judging whether the identity ID information exists, and redirecting to an authentication page if the identity ID information does not exist.
3. The system of claim 1,
the policy center is also used for user authentication, and when the user authentication is passed, a user token is generated for the user and is sent to the trusted access control system;
the trusted access control system is also used for establishing a user Identity (ID) table entry after the user token is obtained.
4. The system according to claim 3, wherein the user ID entry specifically comprises:
a user name, a user IP address, and a user token.
5. A trusted access control method for a non-http protocol application, applied to an access control system for the non-http protocol application as claimed in any one of claims 1 to 4, the method comprising:
the user accesses the IP application of the non-http protocol and sends a request to the trusted access control system;
the trusted access control system extracts a source IP of a request message, inquires the user identity ID table item according to the source IP, and inquires and judges whether a matching item exists in the user identity ID table item;
if yes, obtaining the user identity ID table item, and extracting a user token in the user identity ID table item;
if not, redirecting to the user authentication interface to authenticate the user.
6. The method of claim 5,
after the extracting the user token, the method further comprises:
the trusted access control system sends a user access resource identifier to the policy center for authority authentication, wherein the user access resource identifier specifically comprises: information of destination IP address, port number and/or user token;
the policy center authenticates the user according to the user token and the user access resource identifier, and if the authentication is passed, the request message is released; if not, the request message is discarded.
7. The method according to claim 5, wherein the process of authenticating the user specifically comprises:
the policy center authenticates the user, and a user token is generated after the authentication is passed;
the policy center sends a user token to the trusted access control system;
the trusted access control system creates a user Identity (ID) entry.
8. The method according to claim 7, wherein the policy center specifically authenticates the user comprising:
and authenticating the identity of the user by using the identity authentication unit through biometric authentication and/or user password authentication and/or electronic signature authentication.
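As an added illustration, not code from the patent or its assignee, the following Python sketch models the flow of claims 2 to 8: the policy center authenticates a user and issues a user token, the trusted access control system records a user identity ID table entry (user name, user IP address, user token) keyed by source IP, and each later request to a non-http service is either redirected to authentication (no entry), released (the policy center authorises the destination IP and port for that token) or discarded. The class and function names, the HMAC-based token format, the SHA-256 password store and all addresses are assumptions; the patent specifies none of them, and only the password branch of the identity authentication unit is modelled.

```python
# Added example (not the patent's code): simulated policy center and trusted
# access control system for non-HTTP (raw IP/TCP) services, following the
# flow of claims 2-8. Class and function names, the HMAC token format, the
# SHA-256 password store and all addresses below are assumptions.
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

Resource = Tuple[str, int]  # (destination IP address, port number), as in claim 6


@dataclass
class IdentityEntry:
    """User identity ID table entry of claim 4: user name, user IP, user token."""
    username: str
    user_ip: str
    token: str


def hash_password(password: str) -> str:
    """Toy password hashing for the constructed credential store (assumption)."""
    return hashlib.sha256(password.encode()).hexdigest()


class PolicyCenter:
    """Authenticates users, issues user tokens, and authorises resource access."""

    def __init__(self, credentials: Dict[str, str], policy: Dict[str, Set[Resource]]):
        self._key = secrets.token_bytes(32)      # per-instance HMAC key (assumption)
        self._credentials = credentials          # username -> hash_password(pw)
        self._policy = policy                    # username -> allowed (dst_ip, port) pairs
        self._issued: Dict[str, str] = {}        # token -> username

    def authenticate(self, username: str, password: str) -> Optional[str]:
        """Identity authentication unit: password check, user token on success."""
        expected = self._credentials.get(username)
        if expected is None:
            return None
        if not hmac.compare_digest(expected, hash_password(password)):
            return None
        # Token = HMAC over user name and a fresh nonce: unguessable and bound
        # to this policy center's key, so the gateway cannot be fed forged tokens.
        nonce = secrets.token_hex(16)
        token = hmac.new(self._key, f"{username}:{nonce}".encode(), hashlib.sha256).hexdigest()
        self._issued[token] = username
        return token

    def authorize(self, token: str, dst_ip: str, port: int) -> bool:
        """Authority authentication of claim 6: may the token's user reach (dst_ip, port)?"""
        username = self._issued.get(token)
        if username is None:
            return False
        return (dst_ip, port) in self._policy.get(username, set())


class TrustedAccessControl:
    """Gateway whose user identity ID table is keyed by source IP (claim 2)."""

    def __init__(self, policy_center: PolicyCenter):
        self._pc = policy_center
        self._id_table: Dict[str, IdentityEntry] = {}

    def on_token(self, username: str, user_ip: str, token: str) -> None:
        """Token delivered by the transmission unit: create the ID table entry (claim 3)."""
        self._id_table[user_ip] = IdentityEntry(username, user_ip, token)

    def handle_request(self, src_ip: str, dst_ip: str, port: int) -> str:
        """Per-request decision of claims 5 and 6."""
        entry = self._id_table.get(src_ip)
        if entry is None:
            return "REDIRECT_AUTH"          # claim 2: no identity ID info for this source IP
        if self._pc.authorize(entry.token, dst_ip, port):
            return "RELEASE"                # claim 6: authority authentication passed
        return "DISCARD"                    # claim 6: authority authentication failed


def run_demo() -> Dict[str, str]:
    """Walk one constructed user through the flow and return the gateway's decisions."""
    pc = PolicyCenter(
        credentials={"alice": hash_password("correct horse battery")},
        policy={"alice": {("10.0.0.5", 22)}},      # alice may reach port 22 on 10.0.0.5 only
    )
    gw = TrustedAccessControl(pc)
    user_ip = "203.0.113.7"                        # constructed, documentation-range address
    results = {"before_auth": gw.handle_request(user_ip, "10.0.0.5", 22)}
    assert pc.authenticate("alice", "wrong password") is None
    token = pc.authenticate("alice", "correct horse battery")
    gw.on_token("alice", user_ip, token)           # policy center -> trusted access control
    results["allowed_port"] = gw.handle_request(user_ip, "10.0.0.5", 22)
    results["denied_port"] = gw.handle_request(user_ip, "10.0.0.5", 3389)
    results["other_host"] = gw.handle_request("198.51.100.9", "10.0.0.5", 22)
    return results


if __name__ == "__main__":
    for name, decision in run_demo().items():
        print(f"{name}: {decision}")
```

Because the table entry is keyed by source IP, as claim 2 describes, every host sharing that address (for example behind the same NAT) inherits the entry until it is removed; a deployment would therefore give entries a lifetime and re-check the policy center on each request, as the sketch does, rather than caching the authorisation result at the gateway.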
CN202011052740.1A 2020-09-29 2020-09-29 Policy center, control system, method, medium, and device for non-http protocol application Active CN112311768B (en)


Publications (2)

Publication Number Publication Date
CN112311768A CN112311768A (en) 2021-02-02
CN112311768B true CN112311768B (en) 2022-06-28

Family

ID=74489218


Country Status (1)

Country Link
CN (1) CN112311768B (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113783844A (en) * 2021-08-13 2021-12-10 中国光大银行股份有限公司 Zero-trust access control method and device and electronic equipment

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102884517A (en) * 2009-05-28 2013-01-16 卡金公司 System and methods for providing stateless security management for web applications using non-HTTP communications protocols
US8752140B1 (en) * 2012-09-11 2014-06-10 Sprint Communications Company L.P. System and methods for trusted internet domain networking
CN109861968A (en) * 2018-12-13 2019-06-07 平安科技(深圳)有限公司 Resource access control method, device, computer equipment and storage medium
CN110401672A (en) * 2019-08-06 2019-11-01 郑州信大捷安信息技术股份有限公司 A kind of network access control system and method based on Microsoft Loopback Adapter
CN110535884A (en) * 2019-09-26 2019-12-03 招商局金融科技有限公司 Method, apparatus and storage medium across access control between business system
CN110730174A (en) * 2019-10-16 2020-01-24 东软集团股份有限公司 Network access control method, device, equipment and medium



Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant