CN112559994B - Access control method, device, equipment and storage medium - Google Patents


Publication number
CN112559994B
Authority
CN
China
Prior art keywords
electronic certificate
requester
sent
authentication
agent
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202011567677.5A
Other languages
Chinese (zh)
Other versions
CN112559994A (en)
Inventor
林娅静
杨熙
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Baidu Netcom Science and Technology Co Ltd
Original Assignee
Beijing Baidu Netcom Science and Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Beijing Baidu Netcom Science and Technology Co Ltd
Priority to CN202011567677.5A
Publication of CN112559994A
Application granted
Publication of CN112559994B
Legal status: Active

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31 User authentication
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/602 Providing cryptographic facilities or services
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F3/00 Input arrangements for transferring data to be processed into a form capable of being handled by the computer; Output arrangements for transferring data from processing unit to output unit, e.g. interface arrangements
    • G06F3/06 Digital input from, or digital output to, record carriers, e.g. RAID, emulated record carriers or networked record carriers
    • G06F3/0601 Interfaces specially adapted for storage systems
    • G06F3/0602 Interfaces specially adapted for storage systems specifically adapted to achieve a particular effect
    • G06F3/062 Securing storage systems
    • G06F3/0622 Securing storage systems in relation to access


Abstract

The disclosure provides an access control method, an access control device and a storage medium, relates to the technical field of computers, and can be used in the field of cloud computing. The specific implementation scheme is as follows: receiving a first service access request sent by a first requester; the first service access request carries first identity information of a first requester; and sending the first electronic certificate to the first requester under the condition that the first electronic certificate corresponding to the first identity information exists, so that the first requester accesses the target service data according to the first electronic certificate. According to the embodiment of the disclosure, the service access efficiency can be improved.

Description

Access control method, device, equipment and storage medium
Technical Field
The present disclosure relates to the field of computer technologies, and in particular, to an access control method, apparatus, device, and storage medium.
Background
Currently, the number of cloud disk users has reached hundreds of millions, and the amount of stored service data is huge. To prevent intranet users from accessing service data illegally, authentication and authorization are usually performed on intranet users' access, and access is allowed only when both pass. However, because the authentication and authorization process takes a long time, access control efficiency is low.
Disclosure of Invention
The present disclosure provides an access control method, apparatus, device, and storage medium.
According to a first aspect of the present disclosure, there is provided an access control method, including:
receiving a first service access request sent by a first requester; the first service access request carries first identity information of the first requester;
and sending the first electronic certificate to the first requester under the condition that the first electronic certificate corresponding to the first identity information exists, so that the first requester accesses target service data according to the first electronic certificate.
According to a second aspect of the present disclosure, there is provided another access control method comprising:
receiving an initial electronic certificate sent by a proxy; the initial electronic certificate is sent to the proxy by a first requester;
authenticating the initial electronic certificate;
generating a first electronic certificate for the initial electronic certificate if the authentication passes;
and returning the first electronic certificate to the proxy so that the proxy stores the first electronic certificate and establishes a corresponding relation between the first electronic certificate and first identity information of the first requester.
According to a third aspect of the present disclosure, there is provided yet another access control method, comprising:
receiving a first electronic certificate sent by a requested party; the first electronic certificate is sent to the requested party by a first requester;
and sending an authentication passing instruction to the requested party under the condition that first authority information corresponding to the first electronic certificate exists, so that the requested party returns corresponding target service data to the first requester.
According to a fourth aspect of the present disclosure, there is provided a further access control method comprising:
receiving a first electronic certificate sent by a proxy; the first electronic certificate is sent to the proxy by a first requester;
authenticating the first electronic certificate;
under the condition that authentication is passed, acquiring first authority information corresponding to the first electronic certificate;
and returning the first authority information to the proxy so that the proxy stores the first authority information and the corresponding relation between the first electronic certificate and the first authority information.
According to a fifth aspect of the present disclosure, there is provided an access control apparatus comprising:
the first receiving module is used for receiving a first service access request sent by a first requester; the first service access request carries first identity information of the first requester;
and the first sending module is used for sending the first electronic certificate to the first requester under the condition that the first electronic certificate corresponding to the first identity information exists, so that the first requester accesses the target service data according to the first electronic certificate.
According to a sixth aspect of the present disclosure, there is provided another access control apparatus comprising:
the first receiving module is used for receiving the initial electronic certificate sent by the proxy; the initial electronic certificate is sent to the proxy by a first requester;
the first authentication module is used for authenticating the initial electronic certificate;
the first generation module is used for generating a first electronic certificate for the initial electronic certificate under the condition that authentication is passed;
and the first return module is used for returning the first electronic certificate to the proxy so that the proxy stores the first electronic certificate and establishes a corresponding relation between the first electronic certificate and first identity information of the first requester.
According to a seventh aspect of the present disclosure, there is provided yet another access control apparatus comprising:
the first receiving module is used for receiving a first electronic certificate sent by a requested party; the first electronic certificate is sent to the requested party by a first requester;
and the first sending module is used for sending an authentication passing instruction to the requested party under the condition that the first authority information corresponding to the first electronic certificate exists, so that the requested party returns corresponding target service data to the first requester.
According to an eighth aspect of the present disclosure, there is provided still another access control apparatus comprising:
the receiving module is used for receiving the first electronic certificate sent by the proxy; the first electronic certificate is sent to the proxy by a first requester;
the authentication module is used for authenticating the first electronic certificate;
the acquisition module is used for acquiring first authority information corresponding to the first electronic certificate under the condition that authentication is passed;
and the return module is used for returning the first authority information to the proxy so that the proxy stores the first authority information and the corresponding relation between the first electronic certificate and the first authority information.
According to a ninth aspect of the present disclosure, there is provided an electronic device comprising:
at least one processor; and
a memory communicatively coupled to the at least one processor; wherein,
the memory stores instructions executable by the at least one processor to enable the at least one processor to perform the method of any one of the embodiments of the present disclosure.
According to a tenth aspect of the present disclosure, there is provided a non-transitory computer readable storage medium storing computer instructions for causing a computer to perform the method of any of the embodiments of the present disclosure.
According to an eleventh aspect of the present disclosure, there is provided a computer program product comprising a computer program which, when executed by a processor, implements the method in any of the embodiments of the present disclosure.
According to the technical scheme, the access control safety can be guaranteed, the time consumption for accessing the target service data can be shortened, and the service data access efficiency is further effectively improved. In addition, the technical scheme is also suitable for high concurrency access of the online requesters.
It should be understood that the description in this section is not intended to identify key or critical features of the embodiments of the disclosure, nor is it intended to be used to limit the scope of the disclosure. Other features of the present disclosure will become apparent from the following specification.
Drawings
The drawings are for a better understanding of the present solution and are not to be construed as limiting the present disclosure. Wherein:
FIG. 1 is a schematic view of an application scenario according to an embodiment of the present disclosure;
FIG. 2 is a first flow diagram according to an embodiment of the present disclosure;
FIG. 3 is a second flow diagram according to an embodiment of the present disclosure;
FIG. 4 is a third flow diagram according to an embodiment of the present disclosure;
FIG. 5 is a first flow diagram according to another embodiment of the present disclosure;
FIG. 6 is a second flow diagram according to another embodiment of the present disclosure;
FIG. 7 is a first flow diagram according to yet another embodiment of the present disclosure;
FIG. 8 is a second flow diagram according to yet another embodiment of the present disclosure;
FIG. 9 is a schematic flow diagram according to yet another embodiment of the present disclosure;
FIG. 10 is a block diagram of a structure according to an embodiment of the present disclosure;
FIG. 11 is a block diagram of a structure according to another embodiment of the present disclosure;
FIG. 12 is a block diagram of a structure according to yet another embodiment of the present disclosure;
FIG. 13 is a block diagram of a structure according to yet another embodiment of the present disclosure;
FIG. 14 is a block diagram of an electronic device used to implement an access control method of an embodiment of the present disclosure.
Detailed Description
Exemplary embodiments of the present disclosure are described below in conjunction with the accompanying drawings, which include various details of the embodiments of the present disclosure to facilitate understanding, and should be considered as merely exemplary. Accordingly, one of ordinary skill in the art will recognize that various changes and modifications of the embodiments described herein can be made without departing from the scope and spirit of the present disclosure. Also, descriptions of well-known functions and constructions are omitted in the following description for clarity and conciseness.
FIG. 1 is a schematic view of an application scenario according to an embodiment of the present disclosure. As shown in FIG. 1, a service access request of the first requester 101 is authenticated through the first proxy 102 and the authentication center 103, and an electronic certificate is generated for the access request. The requested party 111 authenticates the electronic certificate sent by the first requester 101 through the second proxy 112 and the authentication center 113, and provides the target service data to the first requester 101 if the authentication passes, so that the first requester 101 can access it. The control center 121 may be used to send a cache time range for the electronic certificate to the first proxy 102 and the second proxy 112, the data center 131 may be used to send registration information of the first requester 101 to the authentication center 103 and the authentication center 113, and so on.
In the embodiment of the disclosure, the generation (encryption) and authentication (decryption) of the electronic certificate use a preset encryption and decryption algorithm to ensure that the electronic certificate cannot be forged; only the authentication center 103, which generates the electronic certificate, can obtain the private key to authenticate the electronic certificate, and only the authentication center 113 can obtain the private key to authenticate the electronic certificate.
In one implementation, the first requester 101, the first proxy 102, and the authentication center 103 may be deployed on a first server, and the requested party 111, the second proxy 112, and the authentication center 113 may be deployed on a second server. Authentication and authorization are therefore carried out locally, which improves authentication efficiency and authorization efficiency, and in turn access control efficiency.
As an alternative application example, the first server may be an application server and the second server may be a file server.
As another optional application example, the first server and the second server may be cloud storage devices such as a network disk, a cloud disk, and the like.
FIG. 2 shows a flow diagram of an access control method according to an embodiment of the disclosure. The method may be applied to a first proxy or a control center. As shown in FIG. 2, the method may include:
S201, receiving a first service access request sent by a first requester; the first service access request carries first identity information of the first requester;
S202, sending the first electronic certificate to the first requester under the condition that the first electronic certificate corresponding to the first identity information exists, so that the first requester accesses the target service data according to the first electronic certificate.
The first requester may be an online requester on an intranet. The first identity information of the first requester includes, but is not limited to, an identification number, an account number, an IP address, etc. of the first requester; embodiments of the present disclosure are not limited in this regard.
In one application, the lifetime of the first electronic certificate is a randomly generated cache time, so that the first electronic certificate is sent to the first requester, and the first requester can access the target service data, only within the cache time range. This helps control high-concurrency access by the first requester within the cache time range. In addition, because the cache time is randomly generated, the security of access control can be further improved, and the random strategy helps balance access efficiency and security.
Preferably, the first electronic certificate may be an electronic certificate generated after passing the authentication for the initial electronic certificate. The initial electronic certificate is an electronic certificate generated after the second service access request sent by the first requester passes the authentication. In this way, by generating the first electronic certificate through authentication of the initial electronic certificate, security of access can be ensured.
In one application, as shown in FIG. 1, the method may be applied to the first proxy 102 between the first requester 101 and the authentication center 103. The first proxy 102 receives a first service access request sent by the first requester 101; the first service access request carries first identity information. Using the first identity information, the first proxy 102 determines from the pre-stored correspondence between a plurality of electronic certificates and a plurality of identity information whether a first electronic certificate corresponding to the first identity information exists, and if it exists, sends the first electronic certificate to the first requester 101, so that the first requester 101 can access the target service data according to the first electronic certificate. In this way, when the first requester 101 needs to access service data, it can send the first service access request directly, and the first proxy 102 directly returns the corresponding first electronic certificate to the first requester 101. The first proxy 102 therefore does not need to authenticate the first service access request of the first requester 101 again through the authentication center 103, which effectively improves the access efficiency of service data while ensuring security, and is suitable for high-concurrency access by online requesters. For example, the number of accesses by the online requester may exceed 60.
According to the embodiment of the disclosure, by pre-storing a plurality of electronic certificates and the corresponding relation between the plurality of electronic certificates and a plurality of identity information, when a first service access request sent by a first requester is received, whether the first electronic certificate corresponding to the first identity information exists or not can be determined according to the first identity information carried by the first service access request, and the first electronic certificate is directly sent to the first requester under the condition that the first electronic certificate corresponding to the first identity information exists is determined, so that the first requester accesses target service data according to the first electronic certificate. Therefore, the security of access control can be ensured, the service access request of the first requester does not need to be authenticated, the time consumption for accessing the target service data can be shortened, and the access efficiency of the service data is further effectively improved. Furthermore, the method is also suitable for high concurrency access by online requesters.
In one embodiment, as shown in fig. 3, the method may further comprise:
S301, under the condition that the first electronic certificate does not exist, sending an authentication instruction to the first requester so that the first requester can acquire the initial electronic certificate;
S302, receiving the initial electronic certificate acquired by the first requester;
S303, sending the initial electronic certificate to the authentication center so that the authentication center generates a first electronic certificate according to the initial electronic certificate;
S304, receiving the first electronic certificate from the authentication center and sending it to the first requester.
In one example, the first electronic certificate is provided with a cache time range, and the first proxy deletes the first electronic certificate when the storage time of the first electronic certificate exceeds the cache time range. When the first proxy then receives a first service access request sent by the first requester, it determines that the first electronic certificate does not exist. At this time, the first proxy sends an authentication instruction to the first requester, so that the first requester reacquires the initial electronic certificate.
When the first proxy receives the initial electronic certificate sent by the first requester, it sends the initial electronic certificate to the authentication center, so that the authentication center authenticates the initial electronic certificate and generates the first electronic certificate if the authentication passes.
When the first proxy receives the first electronic certificate from the authentication center, it sends the first electronic certificate to the first requester, so that the first requester accesses the target service data according to the first electronic certificate.
In this embodiment, when the first electronic certificate corresponding to the first identity information does not exist, the authentication center performs identity authentication on the first requester again, generates the first electronic certificate when the authentication passes, and sends the first electronic certificate to the first requester, so that access security can be ensured.
In one embodiment, as shown in fig. 3, the method may further comprise:
S305, establishing a corresponding relation between the first identity information and the first electronic certificate.
Based on the above, when the first service access request sent by the first requester is received again, whether the corresponding first electronic certificate exists or not can be determined by using the first identity information carried by the first service access request, and when the corresponding first electronic certificate exists, the first electronic certificate is directly sent to the first requester without re-authenticating the first access request through an authentication center, so that the access control efficiency can be effectively improved.
In one embodiment, the first electronic certificate is provided with a cache time range, and the method further includes:
and deleting the first electronic certificate and the corresponding relation between the first electronic certificate and the first identity information under the condition that the storage time of the first electronic certificate exceeds the caching time range.
The cache time range can be randomly generated, so that the first electronic certificate and the corresponding relation between the first electronic certificate and the first identity information are randomly deleted, and the security of access control can be further improved.
In one embodiment, as shown in fig. 4, the sending of the first electronic certificate to the first requester in step S202 may include:
S401, setting an effective time range for the first electronic certificate;
S402, sending the first electronic certificate with the effective time range set to the first requester so that the first requester accesses the target service data within the effective time range.
The effective time range is a randomly generated time range. The time range may be a time length or a specific time period, for example, within 15 minutes, within 7 minutes, 12:00-12:15, etc., which is not limited by the present disclosure.
In step S402, the first electronic certificate with the effective time range is sent to the first requester, and the first requester sends the first electronic certificate to the requested party storing the target service data within the effective time range. The requested party may determine the validity of the first electronic certificate by determining whether the sending time of the first electronic certificate is within the effective time range. Specifically, when the requested party determines that the sending time of the first electronic certificate is within the effective time range, the first electronic certificate is a legal certificate; otherwise, it is an illegal certificate. This improves the efficiency of verifying the validity of the first electronic certificate.
In one application, the cache time range and/or the effective time range may be generated by the control center and sent to the first proxy; the cache time range and/or the effective time range may also be generated by the first proxy. The present disclosure does not limit the manner in which the cache time range is generated.
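The first-proxy flow of steps S201-S202, S301-S305 and S401-S402, together with deletion after the cache time range, as an added example that is not code from the patent. The HMAC tag stands in for the unspecified "preset encryption and decryption algorithm"; the class and function names, the key, the time bounds and the check that the initial certificate names the claimed identity are all assumptions.

```python
import hashlib
import hmac
import json
import random
import time

CENTER_KEY = b"constructed-demo-key"  # constructed; stands in for the center's key


def _sign(payload):
    """Stand-in for certificate generation: JSON body plus an HMAC-SHA256 tag."""
    body = json.dumps(payload, sort_keys=True)
    return body + "." + hmac.new(CENTER_KEY, body.encode(), hashlib.sha256).hexdigest()


def _verify(certificate):
    """Return the payload if the tag checks out, otherwise None."""
    body, _, tag = certificate.rpartition(".")
    expected = hmac.new(CENTER_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag.encode(), expected.encode()):
        return None
    return json.loads(body)


class AuthenticationCenter:
    """Hypothetical center: issues initial certificates and performs S501-S504."""

    def __init__(self):
        self.calls = 0  # how often the proxy had to fall back to the center

    def issue_initial(self, identity):
        return _sign({"kind": "initial", "id": identity})

    def issue_first(self, initial_certificate, claimed_identity):
        self.calls += 1
        payload = _verify(initial_certificate)
        # Added check (assumption): the certificate must name the claimed identity.
        if not payload or payload.get("kind") != "initial" or payload.get("id") != claimed_identity:
            return None
        return _sign({"kind": "first", "id": claimed_identity})


class FirstProxy:
    """Caches first certificates per identity for a randomly chosen time."""

    def __init__(self, center, rng=None, clock=time.time,
                 cache_bounds=(300.0, 900.0), effective_bounds=(60.0, 300.0)):
        self.center = center
        self.rng = rng or random.SystemRandom()
        self.clock = clock
        self.cache_bounds = cache_bounds          # seconds, assumed limits
        self.effective_bounds = effective_bounds  # seconds, assumed limits
        self._cache = {}  # identity -> (first certificate, deletion time)

    def _delete_expired(self):
        now = self.clock()
        for identity in [i for i, (_, end) in self._cache.items() if end <= now]:
            del self._cache[identity]  # drops certificate and correspondence together

    def _send(self, certificate):
        # S401/S402: attach a randomly generated effective time range.
        now = self.clock()
        return {"status": "ok", "certificate": certificate, "valid_from": now,
                "valid_until": now + self.rng.uniform(*self.effective_bounds)}

    def handle_request(self, identity):
        """S201/S202 on a hit, S301 (authentication instruction) on a miss."""
        self._delete_expired()
        entry = self._cache.get(identity)
        return self._send(entry[0]) if entry else {"status": "authenticate"}

    def handle_initial(self, identity, initial_certificate):
        """S302-S305: forward to the center, cache the result, send it on."""
        first = self.center.issue_first(initial_certificate, identity)
        if first is None:
            return {"status": "denied"}
        lifetime = self.rng.uniform(*self.cache_bounds)
        self._cache[identity] = (first, self.clock() + lifetime)
        return self._send(first)


def within_effective_range(response, sent_at):
    """Requested-party check: was the certificate sent inside its effective range?"""
    return response["valid_from"] <= sent_at <= response["valid_until"]


def demo():
    now = [1000.0]  # constructed clock so the run is repeatable
    center = AuthenticationCenter()
    proxy = FirstProxy(center, rng=random.Random(7), clock=lambda: now[0])
    identity = "account-0001"  # constructed identity information
    miss = proxy.handle_request(identity)
    issued = proxy.handle_initial(identity, center.issue_initial(identity))
    hit = proxy.handle_request(identity)
    calls_after_hit = center.calls
    now[0] += 901.0  # past the longest possible cache time
    expired = proxy.handle_request(identity)
    return miss, issued, hit, calls_after_hit, expired


if __name__ == "__main__":
    for step in demo():
        print(step)
```

The patent does not say how the effective time range is bound to the certificate; here it travels as a plain field, so a deployment would need to integrity-protect it before the requested party relies on it.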
The embodiment of the disclosure also provides an access control method of another embodiment. As shown in fig. 1, the method may be applied to the authentication center 103. As shown in fig. 5, the method may include:
S501, receiving an initial electronic certificate sent by a proxy; the initial electronic certificate is sent to the proxy by the first requester;
S502, authenticating the initial electronic certificate;
S503, generating a first electronic certificate for the initial electronic certificate under the condition that authentication is passed;
S504, returning the first electronic certificate to the proxy so that the proxy stores the first electronic certificate and establishes a corresponding relation between the first electronic certificate and the first identity information of the first requester.
The initial electronic certificate may be an electronic certificate generated after the authentication center authenticates the second service access request sent by the first requester. The proxy may be the first proxy in FIG. 1.
In this embodiment, the first electronic certificate is returned to the proxy so that the proxy stores the first electronic certificate and the corresponding relation between the first electronic certificate and the first identity information. When the proxy later receives the first service access request sent by the first requester, it can determine the first electronic certificate corresponding to the first identity information from the corresponding relation between the first identity information carried by the first service access request and the first electronic certificate, and then send the first electronic certificate directly to the first requester, without the authentication center authenticating the first service access request, so that the access control efficiency can be effectively improved.
In one embodiment, as shown in fig. 6, before receiving the initial electronic certificate sent by the proxy, the method may further include:
S601, receiving a second service access request sent by a first requester; the second service access request carries second identity information of the first requester;
S602, acquiring registration information corresponding to the second identity information;
S603, authenticating the second identity information and the registration information;
S604, generating an initial electronic certificate under the condition that authentication is passed;
S605, returning the initial electronic certificate to the first requester.
The second identity information may be auditing party information (user), service information (service), grouping information (group), and role information (role) of the first requester, which form quadruple (user, service, group, role) information used to identify the identity and authority of the requester. The auditing party information is information on the business party that audits the registration information, such as administrator information; the service information is the type of service provided for the requester, e.g., access to user privacy data; the grouping information is the rights with which services are provided to the requester, e.g., the access right is read; the role information sets a role type for the requester.
In step S602, there may be multiple pieces of registration information, and at least one may be randomly acquired from the multiple pieces of registration information corresponding to the second identity information. For example, the registration information may be at least one of an account number, a process name, a process path, an MD5 (Message-Digest Algorithm 5) hash value, a command line, and the like of the second requester, and may further include a binding relationship between the registration information and the host. The host may be one host, several hosts, or a larger set of hosts. Binding the registration information to the host may mean binding the registration information to machine information of the host. This helps locate target service data accesses and improves access security.
The second identity information may be registered for the requester. For example, the registration provided by the requester undergoes multi-level auditing, and auditing party information (user), service information (service), grouping information (group), and role information (role) are set to form the quadruple (user, service, group, role) information, so as to identify the identity and authority of the requester.
In one implementation, registration information for each requester may be maintained in a data center, which may provide the required registration information to each requester and requested party.
On this basis, authenticating the second identity information together with randomly acquired registration information corresponding to the second identity information improves the security of authentication and prevents forged identities; and because the initial electronic certificate is generated and returned to the first requester after the authentication passes, the security of generating the initial electronic certificate is improved.
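The randomly sampled registration check of steps S602-S603, as an added example that is not code from the patent, extended to compute how often a sample of a given size catches a mismatching attribute. The registry contents, attribute names, host names and function names are constructed assumptions.

```python
import hmac
import random
from itertools import combinations
from math import comb

# Constructed registration record, keyed by the (user, service, group, role) quadruple.
QUADRUPLE = ("admin-01", "private-data-access", "read", "reporting")
REGISTRY = {
    QUADRUPLE: {
        "attributes": {
            "account": "svc-report",
            "process_name": "reportd",
            "process_path": "/opt/report/bin/reportd",
            "md5": "9e107d9d372bb6826bd81d3542a419d6",  # constructed value
            "command_line": "reportd --config /etc/report.conf",
        },
        "hosts": {"host-a", "host-b"},  # binding between registration info and hosts
    }
}


def check(quadruple, observed, host, names):
    """S603: compare the named registration attributes and the host binding."""
    record = REGISTRY.get(quadruple)
    if record is None or host not in record["hosts"]:
        return False
    return all(
        hmac.compare_digest(str(observed.get(n, "")).encode(),
                            record["attributes"][n].encode())
        for n in names
    )


def authenticate(quadruple, observed, host, sample_size=2, rng=None):
    """S602-S603: pick registration attributes at random, then authenticate them."""
    record = REGISTRY.get(quadruple)
    if record is None:
        return False
    rng = rng or random.SystemRandom()
    names = rng.sample(sorted(record["attributes"]), sample_size)
    return check(quadruple, observed, host, names)


def detection_probability(n_attributes, n_wrong, sample_size):
    """Chance that a random sample contains at least one mismatching attribute."""
    return 1 - comb(n_attributes - n_wrong, sample_size) / comb(n_attributes, sample_size)


def rejection_rate(quadruple, observed, host, sample_size):
    """Exact rejection rate, by enumerating every sample the center could draw."""
    names = sorted(REGISTRY[quadruple]["attributes"])
    samples = list(combinations(names, sample_size))
    rejected = sum(not check(quadruple, observed, host, s) for s in samples)
    return rejected / len(samples)


if __name__ == "__main__":
    good = dict(REGISTRY[QUADRUPLE]["attributes"])
    changed = dict(good, md5="0" * 32)  # constructed: binary hash no longer matches
    for k in (1, 2, 5):
        print(k, rejection_rate(QUADRUPLE, changed, "host-a", k))
```

With five registered attributes and one mismatch, a sample of two rejects the request in 4 of 10 draws, while sampling all five always rejects it, so the sample size sets how much of the registration a single authentication actually covers.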
Fig. 7 shows a flow diagram of an access control method according to yet another embodiment of the present disclosure. The method may be applied to a second agent or control center, as shown in fig. 7, and may include:
S701, receiving a first electronic certificate sent by a requested party; the first electronic certificate is sent to the requested party by the first requester;
S702, sending an authentication passing instruction to the requested party under the condition that the first authority information corresponding to the first electronic certificate exists, so that the requested party returns corresponding target service data to the first requester.
In one implementation, the method may be applied to a second agent between the requested party and the authentication center, as shown in fig. 1. The second agent receives a first electronic certificate sent by a requested party, determines from the pre-stored correspondence between a plurality of electronic certificates and a plurality of pieces of authority information whether first authority information corresponding to the first electronic certificate exists, and, if it exists, sends an authentication passing instruction to the requested party so that the requested party returns target service data to the first requester. Therefore, when the requested party receives the first electronic certificate, whether the first electronic certificate has the access right can be determined directly through the second agent, without the authentication center authenticating the first electronic certificate. This effectively improves the access efficiency of the service data while ensuring security, and is suitable for high-concurrency access by online requesters.
In one embodiment, as shown in fig. 8, the method may further comprise:
S801, sending a first electronic certificate to an authentication center under the condition that first authority information corresponding to the first electronic certificate does not exist, so that the authentication center obtains the first authority information corresponding to the first electronic certificate;
S802, under the condition that first authority information acquired by an authentication center is received, an authentication passing instruction is sent to a requested party, so that the requested party returns corresponding target service data to the first requester.
In one example, the first authority information has a cache time range, and the second agent deletes the first authority information when it exceeds the cache time range, so that when the second agent next receives the first electronic certificate, it determines that the first authority information corresponding to the first electronic certificate does not exist. At this time, the second agent sends the first electronic certificate to the authentication center, so that the authentication center authenticates the first electronic certificate and, if the authentication passes, acquires the first authority information corresponding to the first electronic certificate.
When the second agent receives the first authority information acquired by the authentication center, an authentication passing instruction is sent to the requested party, so that the requested party returns corresponding target service data to the first requester.
Based on this, the security of access can be ensured.
In one embodiment, as shown in fig. 8, the method may further comprise:
under the condition that the first authority information acquired by the authentication center is received, the corresponding relation between the first authority information and the first electronic certificate is established.
Based on the above, when the first electronic certificate sent by the requested party is received again, whether the first authority information corresponding to the first electronic certificate exists or not can be determined by utilizing the corresponding relation between the first authority information and the first electronic certificate, and when the first authority information corresponding to the first electronic certificate exists, an authentication passing instruction is directly sent to the requested party without authenticating the first electronic certificate, so that the access efficiency can be effectively improved.
In one embodiment, the first electronic certificate is provided with a cache time range, and the method may further include:
and deleting the first electronic certificate and the corresponding relation between the first electronic certificate and the first authority information under the condition that the storage time of the first electronic certificate exceeds the caching time range.
The cache time range can be randomly generated, so that the first electronic certificate and the corresponding relation between the first electronic certificate and the first authority information are randomly deleted, and the security of access control can be further improved.
In one embodiment, the method may further comprise:
under the condition of receiving fixed authentication information sent by a requested party, sending an authentication passing instruction to the requested party so as to enable the requested party to return corresponding target service data to the first requester; the fixed authentication information is generated when the first requester encounters an abnormality with respect to the authentication center.
The fixed authentication information may include first identity information of the first requester, an IP address, login failure, and the like. The fixed authentication information may be implemented by the first requester in a software development kit (Software Development Kit, SDK), for example, the first requester may preset an anomaly identification for various anomalies so that when a corresponding anomaly occurs in the authentication center, corresponding fixed authentication information is generated.
In one application mode, when the second agent receives the fixed authentication information, an authentication passing instruction is sent to the requested party according to the fixed authentication information, so that the requested party directly returns target service data to the first requester, and normal service access is ensured.
In one example, the method may further comprise: transmitting alarm information corresponding to the abnormality to the requested party when the fixed authentication information transmitted by the requested party is received.
Therefore, the requested party can conveniently check the abnormal situation and avoid loopholes in the disaster recovery strategy.
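The second agent's behaviour in S701/S702 and S801/S802, together with the randomly generated cache time range and the fixed-authentication path with its alarm, is shown below as an added Python example; it is not code from the patent. The class and method names, the credential and permission strings, the fields of the fixed authentication information and the 30 to 90 second lifetime bounds are all assumptions made for illustration.

```python
import random
import time
from typing import NamedTuple


class Decision(NamedTuple):
    passed: bool            # True -> send the "authentication passing instruction"
    source: str             # "cache", "auth-center" or "fixed-auth"
    permissions: frozenset  # authority information bound to the credential


class AuthCenter:
    """Stand-in for the authentication center (S901-S904), holding constructed data."""

    def __init__(self, permissions_by_credential):
        self._permissions = {c: frozenset(p) for c, p in permissions_by_credential.items()}
        self.calls = 0  # number of times the agent had to fall back to the center

    def authenticate(self, credential):
        """Return the authority information for a valid credential, else None."""
        self.calls += 1
        return self._permissions.get(credential)


class SecondAgent:
    """Caches credential -> authority information with a per-entry random lifetime."""

    def __init__(self, center, ttl_range=(30.0, 90.0), clock=time.monotonic, rng=None):
        self._center = center
        self._ttl_range = ttl_range          # assumed bounds, in seconds
        self._clock = clock
        self._rng = rng or random.SystemRandom()
        self._cache = {}                     # credential -> (permissions, expires_at)
        self.alarms = []                     # alarm records for the requested party

    def _evict_expired(self):
        now = self._clock()
        for cred in [c for c, (_, exp) in self._cache.items() if exp <= now]:
            del self._cache[cred]            # drops the credential and its mapping

    def check(self, credential):
        """S701/S702 on a cache hit, S801/S802 on a miss."""
        self._evict_expired()
        hit = self._cache.get(credential)
        if hit is not None:
            return Decision(True, "cache", hit[0])
        permissions = self._center.authenticate(credential)
        if permissions is None:
            # Failed authentication is never cached, so a forged credential
            # cannot earn a cached pass.
            return Decision(False, "auth-center", frozenset())
        ttl = self._rng.uniform(*self._ttl_range)   # randomly generated cache time range
        self._cache[credential] = (permissions, self._clock() + ttl)
        return Decision(True, "auth-center", permissions)

    def accept_fixed_auth(self, fixed_info):
        """Disaster-recovery path: pass the request, but always record an alarm."""
        self.alarms.append({"anomaly": fixed_info.get("anomaly"),
                            "identity": fixed_info.get("identity"),
                            "ip": fixed_info.get("ip")})
        return Decision(True, "fixed-auth", frozenset())


def demo():
    """Run the agent against a manual clock; all values below are constructed."""
    now = [0.0]
    center = AuthCenter({"cred-A": {"read:orders"}})
    agent = SecondAgent(center, clock=lambda: now[0], rng=random.Random(7))
    first = agent.check("cred-A")    # miss: authenticated by the center, then cached
    second = agent.check("cred-A")   # hit: answered locally
    now[0] = 91.0                    # past the longest possible lifetime (90 s)
    third = agent.check("cred-A")    # entry was deleted, so the center is asked again
    forged = agent.check("cred-X")   # unknown credential: denied
    return [first.source, second.source, third.source, forged.passed, center.calls]


if __name__ == "__main__":
    print(demo())
```

In this example a cached pass survives until its entry expires, so a credential revoked at the authentication center can still be honoured by the agent for up to the upper lifetime bound. The fixed-authentication path skips the credential check entirely, which is why every use of it leaves an alarm record.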
In one embodiment, the method may further comprise:
and under the condition of receiving a service access request sent by a second requester, sending an authentication passing instruction to the requested party so that the requested party returns corresponding target service data to the second requester according to the service access request, wherein the second requester is a service testing party or a service developing party.
Wherein the second requestor may also be considered as an offline requestor of the intranet. The second requester mainly performs service test and development on the authentication center, the first agent, the second agent, the control center, the data center and the like. For example, more than 30 service testers or service developers may have access to them.
In this embodiment, under the condition that the service access request of the second requester is received, the second requester can directly access the target service data by directly sending the authentication passing instruction to the second requester, which is beneficial to improving service testing and development efficiency.
Fig. 9 shows a flow diagram in accordance with yet another embodiment of the disclosure. The method may be applied to an authentication center, as shown in fig. 9, and may include:
S901, receiving a first electronic certificate sent by an agent; the first electronic certificate is sent to the agent by the first requester;
S902, authenticating the first electronic certificate;
S903, under the condition that authentication is passed, acquiring first authority information corresponding to a first electronic certificate;
S904, returning the first authority information to the agent so that the agent stores the corresponding relation between the first electronic certificate and the first authority information.
In one implementation, the agent in the method may be the second agent in fig. 1. The electronic certificate may be sent by the first requester to the requested party and further sent by the requested party through the agent to the authentication center.
In this embodiment, the generated electronic certificate and the identity information are returned to the proxy, so that the proxy stores the electronic certificate and the corresponding relation between the electronic certificate and the identity information, and the proxy can directly determine the validity of the electronic certificate sent by the requester by using the stored electronic certificate and the corresponding relation between the electronic certificate and the identity information without the requester authenticating by sending the electronic certificate to the authentication center. Therefore, the security of access control can be ensured, the authentication efficiency can be improved, the access control efficiency can be further improved, and the method is suitable for high-concurrency access of an online requester.
In one embodiment, step S903 may include:
decrypting the electronic certificate to obtain corresponding registration information;
and determining the authority information corresponding to the electronic certificate according to the corresponding relation between the registration information and the authority information.
Based on the above, under the condition that authentication is passed, the corresponding authority information is obtained by decrypting the electronic certificate, so that the security of identity information determination can be improved.
In one application manner, the method applied to the first agent and the second agent in the above embodiment may also be applied to the control center, so that the partial access control of the first requester and the second requester for the target service data of the requested party may be performed in the control center.
In one application, the first requestor, the second requestor, and the requestor may be intranet users, the target business data may be private data of the client, and the type may be application program interface (Application Programming Interface, API) file data. The method of the embodiment of the disclosure is suitable for authentication and authorization of the internal API interface authority. Therefore, the method can avoid the intranet users from illegally accessing the private data of the clients, and is beneficial to safety protection of the private data of the clients.
According to an embodiment of the present disclosure, the present disclosure further provides an access control apparatus 1000, which may include:
a first receiving module 1010, configured to receive a first service access request sent by a first requester; the first service access request carries first identity information of a first requester;
and the first sending module 1020 is configured to send the first electronic certificate to the first requester, in the case that the first electronic certificate corresponding to the first identity information exists, so that the first requester accesses the target service data according to the first electronic certificate.
In one embodiment, the apparatus may further include:
the second sending module is used for sending an authentication instruction to the first requester under the condition that the first electronic certificate does not exist, so that the first requester can acquire the initial electronic certificate;
the second receiving module is used for receiving the initial electronic certificate acquired by the first requester;
the third sending module is used for sending the initial electronic certificate to the authentication center so that the authentication center generates a first electronic certificate according to the initial electronic certificate;
and the receiving and transmitting module is used for receiving and transmitting the first electronic certificate from the authentication center to the first requester.
In one embodiment, the apparatus may further include:
The establishing module is used for establishing the corresponding relation between the first identity information and the first electronic certificate.
In one embodiment, the first electronic certificate is provided with a cache time range, and the apparatus may further include:
and the deleting module is used for deleting the first electronic certificate and the corresponding relation between the first electronic certificate and the first identity information under the condition that the storage time of the first electronic certificate exceeds the caching time range.
In one embodiment, the first transmitting module 1020 may include:
the setting sub-module is used for setting an effective time range for the first electronic certificate;
and the sending sub-module is used for sending the set first electronic certificate to the first requester so that the first requester can access the target service data within the effective time range.
According to an embodiment of the present disclosure, the present disclosure further provides another access control apparatus 1100, which may include:
a first receiving module 1110, configured to receive an initial electronic certificate sent by an agent; the initial electronic certificate is sent to the proxy by the first requester;
a first authentication module 1120, configured to authenticate an initial electronic credential;
a first generation module 1130 for generating a first electronic credential for the initial electronic credential if the authentication passes;
The first return module 1140 is configured to return the first electronic certificate to the proxy, so that the proxy stores the first electronic certificate, and establishes a correspondence between the first electronic certificate and the first identity information of the first requester.
In one embodiment, the apparatus may further include:
the second receiving module is used for receiving a second service access request sent by the first requesting party; the second service access request carries second identity information of the first requester;
the acquisition module is used for acquiring registration information corresponding to the second identity information;
the second authentication module is used for authenticating the second identity information and the registration information;
the second generation module is used for generating an initial electronic certificate under the condition that the authentication is passed;
and the second return module is used for returning the initial electronic certificate to the first requester.
According to an embodiment of the present disclosure, the present disclosure further provides still another access control apparatus 1200, which may include:
a first receiving module 1210, configured to receive a first electronic certificate sent by a requested party; the first electronic certificate is sent to the requested party by the first requesting party;
the first sending module 1220 is configured to send an authentication pass instruction to the requested party when the first authority information corresponding to the first electronic certificate exists, so that the requested party returns corresponding target service data to the first requester.
In one embodiment, the apparatus may further include:
the second sending module is used for sending the first electronic certificate to the authentication center under the condition that the first authority information corresponding to the first electronic certificate does not exist, so that the authentication center can acquire the first authority information corresponding to the first electronic certificate;
and the first receiving and transmitting module is used for transmitting an authentication passing instruction to the requested party under the condition of receiving the first authority information acquired by the authentication center so as to enable the requested party to return corresponding target service data to the first requester.
In one embodiment, the apparatus may further include:
the establishing module is used for establishing the corresponding relation between the first authority information and the first electronic certificate under the condition that the first authority information acquired by the authentication center is received.
In one embodiment, the first electronic certificate is provided with a cache time range, and the apparatus may further include:
and the deleting module is used for deleting the first electronic certificate and the corresponding relation between the first electronic certificate and the first authority information under the condition that the storage time of the first electronic certificate exceeds the caching time range.
In one embodiment, the apparatus may further include:
The second transceiver module is used for sending an authentication passing instruction to the requested party under the condition of receiving the fixed authentication information sent by the requested party so as to enable the requested party to return corresponding target service data to the first requester; the fixed authentication information is generated when the first requester encounters an abnormality with respect to the authentication center.
In one embodiment, the apparatus may further include:
and the third transceiver module is used for sending an authentication passing instruction to the requested party under the condition of receiving the service access request sent by the second requester, so that the requested party returns corresponding target service data to the second requester according to the service access request, and the second requester is a service testing party or a service developing party.
According to an embodiment of the present disclosure, the present disclosure further provides still another access control apparatus 1300, which may include:
a receiving module 1310, configured to receive a first electronic credential sent by an agent; the first electronic certificate is sent to the agent by the first requester;
an authentication module 1320 for authenticating the first electronic certificate;
an obtaining module 1330, configured to obtain first rights information corresponding to the first electronic certificate if the authentication passes;
The return module 1340 is configured to return the first permission information to the proxy, so that the proxy stores the first permission information and a corresponding relationship between the first electronic certificate and the first permission information.
According to embodiments of the present disclosure, the present disclosure also provides an electronic device, a readable storage medium and a computer program product.
Fig. 14 shows a schematic block diagram of an example electronic device 1400 that may be used to implement embodiments of the present disclosure. Electronic devices are intended to represent various forms of digital computers, such as laptops, desktops, workstations, personal digital assistants, servers, blade servers, mainframes, and other appropriate computers. The electronic device may also represent various forms of mobile devices, such as personal digital processing, cellular telephones, smartphones, wearable devices, and other similar computing devices. The components shown herein, their connections and relationships, and their functions, are meant to be exemplary only, and are not meant to limit implementations of the disclosure described and/or claimed herein.
As shown in fig. 14, the apparatus 1400 includes a computing unit 1401 that can perform various appropriate actions and processes according to a computer program stored in a Read Only Memory (ROM) 1402 or a computer program loaded from a storage unit 1408 into a Random Access Memory (RAM) 1403. In the RAM 1403, various programs and data required for the operation of the device 1400 can also be stored. The computing unit 1401, the ROM 1402, and the RAM 1403 are connected to each other through a bus 1404. An input output (I/O) interface 1405 is also connected to the bus 1404.
Various components in device 1400 are connected to I/O interface 1405, including: an input unit 1406 such as a keyboard, a mouse, or the like; an output unit 1407 such as various types of displays, speakers, and the like; a storage unit 1408 such as a magnetic disk, an optical disk, or the like; and a communication unit 1409 such as a network card, a modem, a wireless communication transceiver, and the like. The communication unit 1409 allows the device 1400 to exchange information/data with other devices through a computer network such as the internet and/or various telecommunications networks.
The computing unit 1401 may be a variety of general and/or special purpose processing components having processing and computing capabilities. Some examples of computing unit 1401 include, but are not limited to, a Central Processing Unit (CPU), a Graphics Processing Unit (GPU), various specialized Artificial Intelligence (AI) computing chips, various computing units running machine learning model algorithms, a Digital Signal Processor (DSP), and any suitable processor, controller, microcontroller, etc. The computing unit 1401 performs the respective methods and processes described above, such as an access control method. For example, in some embodiments, the access control method may be implemented as a computer software program tangibly embodied on a machine-readable medium, such as the storage unit 1408. In some embodiments, part or all of the computer program may be loaded and/or installed onto the device 1400 via the ROM 1402 and/or the communication unit 1409. When a computer program is loaded into RAM 1403 and executed by computing unit 1401, one or more steps of the access control method described above may be performed. Alternatively, in other embodiments, the computing unit 1401 may be configured to perform the access control method by any other suitable means (e.g. by means of firmware).
Various implementations of the systems and techniques described here above may be implemented in digital electronic circuitry, integrated circuit systems, Field Programmable Gate Arrays (FPGAs), Application Specific Integrated Circuits (ASICs), Application Specific Standard Products (ASSPs), Systems On Chip (SOCs), Complex Programmable Logic Devices (CPLDs), computer hardware, firmware, software, and/or combinations thereof. These various embodiments may include: implementation in one or more computer programs that may be executed and/or interpreted on a programmable system including at least one programmable processor, which may be a special purpose or general-purpose programmable processor, that may receive data and instructions from, and transmit data and instructions to, a storage system, at least one input device, and at least one output device.
Program code for carrying out methods of the present disclosure may be written in any combination of one or more programming languages. These program code may be provided to a processor or controller of a general purpose computer, special purpose computer, or other programmable data processing apparatus such that the program code, when executed by the processor or controller, causes the functions/operations specified in the flowchart and/or block diagram to be implemented. The program code may execute entirely on the machine, partly on the machine, as a stand-alone software package, partly on the machine and partly on a remote machine or entirely on the remote machine or server.
In the context of this disclosure, a machine-readable medium may be a tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device. The machine-readable medium may be a machine-readable signal medium or a machine-readable storage medium. The machine-readable medium may include, but is not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any suitable combination of the foregoing. More specific examples of a machine-readable storage medium would include an electrical connection based on one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.
To provide for interaction with a user, the systems and techniques described here can be implemented on a computer having: a display device (e.g., a CRT (cathode ray tube) or LCD (liquid crystal display) monitor) for displaying information to a user; and a keyboard and pointing device (e.g., a mouse or trackball) by which a user can provide input to the computer. Other kinds of devices may also be used to provide for interaction with a user; for example, feedback provided to the user may be any form of sensory feedback (e.g., visual feedback, auditory feedback, or tactile feedback); and input from the user may be received in any form, including acoustic input, speech input, or tactile input.
The systems and techniques described here can be implemented in a computing system that includes a back-end component (e.g., as a data server), or that includes a middleware component (e.g., an application server), or that includes a front-end component (e.g., a user computer having a graphical user interface or a web browser through which a user can interact with an implementation of the systems and techniques described here), or any combination of such back-end, middleware, or front-end components. The components of the system can be interconnected by any form or medium of digital data communication (e.g., a communication network). Examples of communication networks include: Local Area Networks (LANs), Wide Area Networks (WANs), and the internet.
The computer system may include a client and a server. The client and server are typically remote from each other and typically interact through a communication network. The relationship of client and server arises by virtue of computer programs running on the respective computers and having a client-server relationship to each other; the server may be a server of a distributed system or a server that incorporates a blockchain.
It should be appreciated that steps may be reordered, added, or deleted using the various forms of flow shown above. For example, the steps recited in the present disclosure may be performed in parallel, sequentially, or in a different order, provided that the desired results of the disclosed aspects are achieved, and are not limited herein.
The above detailed description should not be taken as limiting the scope of the present disclosure. It will be apparent to those skilled in the art that various modifications, combinations, sub-combinations and alternatives are possible, depending on design requirements and other factors. Any modifications, equivalent substitutions and improvements made within the spirit and principles of the present disclosure are intended to be included within the scope of the present disclosure.

Claims (18)

1. An access control method, comprising:
receiving a first service access request sent by a first requester; the first service access request carries first identity information of the first requester;
transmitting a first electronic certificate corresponding to the first identity information to the first requester under the condition that the first electronic certificate exists, so that the first requester accesses target service data according to the first electronic certificate;
sending an authentication instruction to the first requester to enable the first requester to acquire an initial electronic credential when the first electronic credential does not exist;
receiving an initial electronic certificate acquired by the first requester;
sending the initial electronic certificate to an authentication center so that the authentication center generates the first electronic certificate according to the initial electronic certificate;
receiving the first electronic credential from the authentication center and sending it to the first requester.
2. The method of claim 1, wherein after receiving the first electronic credential sent by the authentication center, further comprising:
and establishing a corresponding relation between the first identity information and the first electronic certificate.
3. The method of claim 2, wherein the first electronic credential is provided with a cache time range, the method further comprising:
and deleting the first electronic certificate and the corresponding relation between the first electronic certificate and the first identity information under the condition that the storage time of the first electronic certificate exceeds the caching time range.
4. The method of claim 1, wherein sending the first electronic credential to the first requestor comprises:
setting an effective time range for the first electronic certificate;
and sending the set first electronic certificate to the first requester so that the first requester accesses target service data within the effective time range.
5. An access control method, comprising:
receiving an initial electronic certificate sent by a first agent; the initial electronic credential is sent by a first requestor to the first agent;
authenticating the initial electronic certificate;
generating a first electronic credential for the initial electronic credential if authentication passes;
returning the first electronic certificate to the first proxy so that the first proxy stores the first electronic certificate and establishes a corresponding relation between the first electronic certificate and first identity information of the first requester;
wherein before receiving the initial electronic certificate sent by the first agent, the method further comprises: receiving a second service access request sent by the first requester; the second service access request carries second identity information of the first requester; acquiring registration information corresponding to the second identity information; authenticating the second identity information and the registration information; generating the initial electronic certificate under the condition that authentication is passed; the initial electronic certificate is returned to the first requester.
6. An access control method, comprising:
receiving a first electronic certificate sent by a requested party; the first electronic certificate is sent to the requested party by a first requesting party;
sending an authentication passing instruction to the requested party under the condition that first authority information corresponding to the first electronic certificate exists, so that the requested party returns corresponding target service data to the first requester;
the first electronic certificate is sent to the first requester by a first proxy under the condition that the first electronic certificate corresponding to first identity information of the first requester exists, so that the first requester accesses target service data according to the first electronic certificate; the first identity information is carried in a first service access request; the first service access request is sent to the first proxy by the first requester; the first electronic certificate is further sent by the first agent to an authentication center in the absence of the first electronic certificate, so that the authentication center generates according to the initial electronic certificate, and the first electronic certificate is sent to the first agent by the authentication center and is sent to the first requester by the first agent; the initial electronic certificate is used for sending an authentication instruction to the first requester by the first proxy so as to enable the first requester to acquire the authentication instruction.
7. The method of claim 6, further comprising:
transmitting the first electronic certificate to an authentication center under the condition that first authority information corresponding to the first electronic certificate does not exist, so that the authentication center acquires the first authority information corresponding to the first electronic certificate;
and under the condition that the first authority information acquired by the authentication center is received, sending an authentication passing instruction to the requested party so that the requested party returns corresponding target service data to the first requester.
8. The method of claim 7, further comprising:
and under the condition that the first authority information acquired by the authentication center is received, establishing a corresponding relation between the first authority information and the first electronic certificate.
9. The method of claim 8, wherein the first electronic certificate is provided with a cache time range, the method further comprising:
and deleting the first electronic certificate and the corresponding relation between the first electronic certificate and the first authority information under the condition that the storage time of the first electronic certificate exceeds the caching time range.
10. The method of claim 6, further comprising:
under the condition of receiving fixed authentication information sent by the requested party, sending an authentication passing instruction to the requested party so as to enable the requested party to return corresponding target service data to the first requester; the fixed authentication information is generated when the first requester is abnormal to an authentication center.
11. The method of claim 6, further comprising:
and under the condition that a service access request sent by a second requester is received, sending an authentication passing instruction to the requested party so that the requested party returns corresponding target service data to the second requester according to the service access request, wherein the second requester is a service tester or a service developer.
12. An access control method, comprising:
receiving a first electronic certificate sent by a second agent; the first electronic certificate is sent to the second agent by a first requester;
authenticating the first electronic certificate;
under the condition that authentication is passed, acquiring first authority information corresponding to the first electronic certificate;
returning the first authority information to the second agent so that the second agent stores the first authority information and the corresponding relation between the first electronic certificate and the first authority information;
the first electronic certificate is sent to the first requester by a first agent under the condition that the first electronic certificate corresponding to first identity information of the first requester exists, so that the first requester accesses target service data according to the first electronic certificate; the first identity information is carried in a first service access request; the first service access request is sent to the first agent by the first requester; in the absence of the first electronic certificate, the first agent sends an initial electronic certificate to an authentication center so that the authentication center generates the first electronic certificate according to the initial electronic certificate, and the first electronic certificate is sent to the first agent by the authentication center and sent to the first requester by the first agent; the initial electronic certificate is acquired by the first requester after the first agent sends an authentication instruction to the first requester.
13. An access control apparatus comprising:
the first receiving module is used for receiving a first service access request sent by a first requester; the first service access request carries first identity information of the first requester;
the first sending module is used for sending the first electronic certificate to the first requester under the condition that the first electronic certificate corresponding to the first identity information exists, so that the first requester accesses target service data according to the first electronic certificate;
the access control device is further configured to: send an authentication instruction to the first requester when the first electronic certificate does not exist, so that the first requester acquires an initial electronic certificate; receive the initial electronic certificate acquired by the first requester; send the initial electronic certificate to an authentication center so that the authentication center generates the first electronic certificate according to the initial electronic certificate; and receive the first electronic certificate from the authentication center and send it to the first requester.
14. An access control apparatus comprising:
the first receiving module is used for receiving the initial electronic certificate sent by the first agent; the initial electronic certificate is sent by a first requester to the first agent;
the first authentication module is used for authenticating the initial electronic certificate;
the first generation module is used for generating a first electronic certificate aiming at the initial electronic certificate under the condition that authentication is passed;
the first return module is used for returning the first electronic certificate to the first agent so as to enable the first agent to store the first electronic certificate and establish a corresponding relation between the first electronic certificate and first identity information of the first requester;
wherein the access control device is further configured to: before receiving the initial electronic certificate sent by the first agent, receive a second service access request sent by the first requester, the second service access request carrying second identity information of the first requester; acquire registration information corresponding to the second identity information; authenticate the second identity information and the registration information; generate the initial electronic certificate under the condition that authentication is passed; and return the initial electronic certificate to the first requester.
15. An access control apparatus comprising:
the first receiving module is used for receiving a first electronic certificate sent by a requested party; the first electronic certificate is sent to the requested party by a first requester;
the first sending module is used for sending an authentication passing instruction to the requested party under the condition that first authority information corresponding to the first electronic certificate exists, so that the requested party returns corresponding target service data to the first requester;
the first electronic certificate is sent to the first requester by a first agent under the condition that the first electronic certificate corresponding to first identity information of the first requester exists, so that the first requester accesses target service data according to the first electronic certificate; the first identity information is carried in a first service access request; the first service access request is sent to the first agent by the first requester; in the absence of the first electronic certificate, the first agent sends an initial electronic certificate to an authentication center so that the authentication center generates the first electronic certificate according to the initial electronic certificate, and the first electronic certificate is sent to the first agent by the authentication center and sent to the first requester by the first agent; the initial electronic certificate is acquired by the first requester after the first agent sends an authentication instruction to the first requester.
16. An access control apparatus comprising:
the receiving module is used for receiving the first electronic certificate sent by the second agent; the first electronic certificate is sent to the second agent by a first requester;
the authentication module is used for authenticating the first electronic certificate;
the acquisition module is used for acquiring first authority information corresponding to the first electronic certificate under the condition that authentication is passed;
the return module is used for returning the first authority information to the second agent so that the second agent stores the first authority information and the corresponding relation between the first electronic certificate and the first authority information;
the first electronic certificate is sent to the first requester by a first agent under the condition that the first electronic certificate corresponding to first identity information of the first requester exists, so that the first requester accesses target service data according to the first electronic certificate; the first identity information is carried in a first service access request; the first service access request is sent to the first agent by the first requester; in the absence of the first electronic certificate, the first agent sends an initial electronic certificate to an authentication center so that the authentication center generates the first electronic certificate according to the initial electronic certificate, and the first electronic certificate is sent to the first agent by the authentication center and sent to the first requester by the first agent; the initial electronic certificate is acquired by the first requester after the first agent sends an authentication instruction to the first requester.
17. An electronic device, comprising:
at least one processor; and
a memory communicatively coupled to the at least one processor; wherein,
the memory stores instructions executable by the at least one processor to enable the at least one processor to perform the method of any one of claims 1-12.
18. A non-transitory computer readable storage medium storing computer instructions for causing a computer to perform the method of any one of claims 1-12.
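The second-agent behaviour of claims 6 to 9 (pass when cached authority information exists, ask the authentication center on a miss, store the returned correspondence, delete it once the cache time range is exceeded), sketched in Python as an added example that is not code from the patent. The class names, the in-memory stand-in for the authentication center, the SHA-256 cache key and the sample values used to exercise it are assumptions of this sketch.

```python
import hashlib
import time
from typing import Callable, Dict, Optional, Tuple


class AuthCenter:
    """Hypothetical stand-in for the authentication center."""

    def __init__(self, issued: Dict[str, str]):
        self._issued = issued   # constructed data: certificate -> authority information
        self.lookups = 0        # counts round-trips so the cache effect is visible

    def get_permission(self, certificate: str) -> Optional[str]:
        self.lookups += 1
        return self._issued.get(certificate)   # None means authentication failed


class SecondAgent:
    """Agent in front of the requested party (claims 6 to 9)."""

    def __init__(self, center: AuthCenter, cache_seconds: float,
                 clock: Callable[[], float] = time.monotonic):
        self._center = center
        self._ttl = cache_seconds            # the "cache time range" of claim 9
        self._clock = clock
        self._cache: Dict[str, Tuple[str, float]] = {}   # key -> (authority, stored_at)

    @staticmethod
    def _key(certificate: str) -> str:
        # Assumption of this sketch: index by digest so the agent's memory
        # does not hold reusable certificates in the clear.
        return hashlib.sha256(certificate.encode()).hexdigest()

    def evict_expired(self) -> None:
        # Claim 9: drop the certificate entry and its correspondence together.
        now = self._clock()
        expired = [k for k, (_, stored_at) in self._cache.items()
                   if now - stored_at > self._ttl]
        for k in expired:
            del self._cache[k]

    def cached(self, certificate: str) -> bool:
        return self._key(certificate) in self._cache

    def authenticate(self, certificate: str) -> bool:
        """True stands for the 'authentication passing instruction'."""
        self.evict_expired()
        key = self._key(certificate)
        if key in self._cache:               # claim 6: authority information exists
            return True
        authority = self._center.get_permission(certificate)   # claim 7: fall back
        if authority is None:
            return False                     # fail closed; rejections are not cached
        self._cache[key] = (authority, self._clock())           # claim 8: store mapping
        return True
```

Because the agent answers from its cache until the cache time range runs out, a certificate withdrawn at the authentication center keeps passing for up to that long, so the range bounds the revocation delay.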
CN202011567677.5A 2020-12-25 2020-12-25 Access control method, device, equipment and storage medium Active CN112559994B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202011567677.5A CN112559994B (en) 2020-12-25 2020-12-25 Access control method, device, equipment and storage medium

Publications (2)

Publication Number Publication Date
CN112559994A CN112559994A (en) 2021-03-26
CN112559994B CN112559994B (en) 2023-12-01

Family

ID=75033141

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202011567677.5A Active CN112559994B (en) 2020-12-25 2020-12-25 Access control method, device, equipment and storage medium

Country Status (1)

Country Link
CN (1) CN112559994B (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant