CN113905381B - Service processing method, device, equipment and readable storage medium - Google Patents

Publication number
CN113905381B
Authority
CN
China
Prior art keywords
client
service system
network
target service
access
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202111212393.9A
Other languages
Chinese (zh)
Other versions
CN113905381A (en
Inventor
傅俊锋
王杉
周旸
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
China United Network Communications Group Co Ltd
Original Assignee
China United Network Communications Group Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by China United Network Communications Group Co Ltd

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04W: WIRELESS COMMUNICATION NETWORKS
    • H04W12/00: Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/08: Access security
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04W: WIRELESS COMMUNICATION NETWORKS
    • H04W12/00: Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/60: Context-dependent security
    • H04W12/63: Location-dependent; Proximity-dependent
    • H04W12/64: Location-dependent; Proximity-dependent using geofenced areas

Abstract

The application provides a service processing method, apparatus, device, and readable storage medium, wherein the method comprises the following steps: receiving a service processing request sent by a client, wherein the service processing request is used for accessing a service system, and the service processing request comprises a user type of a user and an identifier of a target service system to be accessed; determining service configuration information corresponding to the client according to the user type, wherein the service configuration information comprises a signal area of the client, a network type of the client and an identifier of the client; and when the client is located within the signal area of the client, accessing the target service system according to the network type of the client, the identifier of the client and the identifier of the target service system. The security of network access is improved.

Description

Service processing method, device, equipment and readable storage medium
Technical Field
The present disclosure relates to the field of communications technologies, and in particular, to a service processing method, apparatus, device, and readable storage medium.
Background
The fifth generation mobile communication technology (5th Generation Mobile Communication Technology, 5G) has different requirements for the security of network access in different application scenarios, and therefore the network usage rights of clients need to be managed and controlled.
Currently, the network usage rights of clients are managed through AAA (authentication, authorization, accounting) servers inside the enterprise. For example, when a client accesses the enterprise network through the 5G network, the AAA server may determine, according to the account of the client, whether the client has the authority to access the enterprise network, and if so, the client may access the enterprise network. However, when the authority is controlled by the AAA server, the client can access the enterprise network as long as the account of the client has the access authority, which results in low security of network access.
Disclosure of Invention
The application provides a service processing method, apparatus, device, and readable storage medium, which are used for solving the technical problem of low security of network access in the prior art.
The application provides a service processing method, which comprises the following steps:
receiving a service processing request sent by a client, wherein the service processing request is used for accessing a service system, and the service processing request comprises a user type of a user and an identification of a target service system to be accessed;
determining service configuration information corresponding to the client according to the user type, wherein the service configuration information comprises a signal area of the client, a network type of the client and an identifier of the client;
and when the client is located within the signal area of the client, accessing the target service system according to the network type of the client, the identification of the client and the identification of the target service system.
In one possible implementation manner, according to the network type of the client, the identifier of the client, and the identifier of the target service system, accessing the target service system includes:
according to the identification of the target service system, determining network information corresponding to the target service system, wherein the network information comprises the network type of the target service system and the access address of the target service system;
and accessing the target service system according to the network type of the client, the identification of the client and the network information.
In one possible implementation manner, accessing the target service system according to the network type of the client, the identifier of the client and the network information includes:
verifying whether the client can access the target service system according to the network type of the target service system and the network type of the client to obtain a verification result, wherein the verification result is verification success or verification failure;
and accessing the target service system according to the verification result, the identification of the client and the access address of the target service system.
In one possible implementation manner, according to the verification result, the identification of the client and the access address of the target service system, accessing the target service system includes:
if the verification result is verification failure, determining that the client fails to access the target service system;
and if the verification result is that the verification is successful, accessing the target service system according to the identification of the client and the access address of the target service system.
In one possible implementation manner, according to the identification of the client and the access address of the target service system, accessing the target service system includes:
if the identifier of the client comprises the access address of the target service system, determining that the client can access the target service system;
and if the identification of the client does not comprise the access address of the target service system, determining that the access of the client to the target service system fails.
In one possible implementation manner, according to the network type of the target service system and the network type of the client, verifying whether the client can access the target service system, to obtain a verification result includes:
if the network type of the client is the same as the network type of the target service system, determining that the verification result is successful;
and if the network type of the client is different from the network type of the target service system, determining that the verification result is verification failure.
In a possible implementation manner, determining service configuration information corresponding to the client according to the user type includes:
acquiring a first preset relation, wherein the first preset relation comprises at least one user type and service configuration information corresponding to each user type;
and determining service configuration information corresponding to the client according to the user type and the first preset relation.
In a second aspect, the present application provides a service processing apparatus, including a receiving module, a determining module, and an accessing module, where:
the receiving module is used for receiving a service processing request sent by a client, wherein the service processing request is used for accessing a service system, and the service processing request comprises the user type of a user and the identification of a target service system to be accessed;
the determining module is used for determining service configuration information corresponding to the client according to the user type, wherein the service configuration information comprises a signal area of the client, a network type of the client and an identifier of the client;
the access module is used for accessing the target service system according to the network type of the client, the identification of the client and the identification of the target service system when the client is located within the signal area of the client.
In a possible implementation manner, the access module is specifically configured to:
according to the identification of the target service system, determining network information corresponding to the target service system, wherein the network information comprises the network type of the target service system and the access address of the target service system;
and accessing the target service system according to the network type of the client, the identification of the client and the network information.
In a possible implementation manner, the access module is specifically configured to:
verifying whether the client can access the target service system according to the network type of the target service system and the network type of the client to obtain a verification result, wherein the verification result is verification success or verification failure;
and accessing the target service system according to the verification result, the identification of the client and the access address of the target service system.
In a possible implementation manner, the access module is specifically configured to:
if the verification result is verification failure, determining that the client fails to access the target service system;
and if the verification result is that the verification is successful, accessing the target service system according to the identification of the client and the access address of the target service system.
In a possible implementation manner, the access module is specifically configured to:
if the identifier of the client comprises the access address of the target service system, determining that the client can access the target service system;
and if the identification of the client does not comprise the access address of the target service system, determining that the access of the client to the target service system fails.
In a possible implementation manner, the access module is specifically configured to:
if the network type of the client is the same as the network type of the target service system, determining that the verification result is successful;
and if the network type of the client is different from the network type of the target service system, determining that the verification result is verification failure.
In one possible implementation manner, the determining module is specifically configured to:
acquiring a first preset relation, wherein the first preset relation comprises at least one user type and service configuration information corresponding to each user type;
and determining service configuration information corresponding to the client according to the user type and the first preset relation.
In a third aspect, the present application provides a service processing apparatus, including: a processor, a memory;
the memory stores computer-executable instructions;
the processor executes the computer-executable instructions stored in the memory, causing the processor to perform the service processing method of any one of the first aspect.
In a fourth aspect, the present application provides a computer-readable storage medium having stored therein computer-executable instructions for implementing the service processing method of any of the first aspects when the computer-executable instructions are executed by a processor.
The application provides a service processing method, apparatus, device, and readable storage medium. A service processing request sent by a client is received, wherein the service processing request is used for accessing a service system and comprises a user type of a user and an identifier of a target service system to be accessed. Service configuration information corresponding to the client is determined according to the user type, wherein the service configuration information comprises a signal area of the client, a network type of the client and the identifier of the client. When the client is located within the signal area of the client, the target service system is accessed according to the network type of the client, the identifier of the client and the identifier of the target service system. In this method, when the client accesses a service system in the enterprise, the 5G network server can accurately determine the corresponding service configuration information in the 5G network server according to the user type. If the client is not within the signal area of the client, the client cannot access the service system of the enterprise, which avoids network access being granted on the basis of the client account alone. By adding the service configuration information to the 5G network server, the authority of clients can be managed differentially from the network side, thereby improving the security of network access.
Drawings
Fig. 1 is a schematic architecture diagram of a network system according to an embodiment of the present application;
Fig. 2 is a schematic flow chart of a service processing method according to an embodiment of the present application;
Fig. 3 is a schematic process diagram of receiving a service processing request according to an embodiment of the present application;
Fig. 4 is a flowchart of a method for accessing a target service system according to an embodiment of the present application;
Fig. 5 is a schematic process diagram of a service processing method according to an embodiment of the present application;
Fig. 6 is a schematic structural diagram of a service processing device according to an embodiment of the present application;
Fig. 7 is a schematic hardware structure of a service processing device according to an embodiment of the present application.
Detailed Description
Reference will now be made in detail to exemplary embodiments, examples of which are illustrated in the accompanying drawings. When the following description refers to the accompanying drawings, the same numbers in different drawings refer to the same or similar elements, unless otherwise indicated. The implementations described in the following exemplary examples are not representative of all implementations consistent with the present application. Rather, they are merely examples of apparatus and methods consistent with some aspects of the present application as detailed in the accompanying claims.
It should be noted that, in this document, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising a ..." does not exclude the presence of other like elements in a process, method, article, or apparatus that comprises the element.
In the related art, when the authority of the 5G network is controlled, the network usage authority of the client may be controlled by an AAA server inside the enterprise. For example, when a client accesses a device management system in an enterprise through a 5G network, the AAA server may determine, according to the account of the client, whether the client can access the device management system. If so, the client may directly access the device management system; if not, the client cannot access the device management system. However, when the network authority of the client is controlled by the AAA server, the AAA server can only be deployed inside the enterprise, the network authority of the client cannot be controlled on the 5G network side, and the client can access the network in the enterprise as long as the account of the client has the access authority, so the security of network access is low.
In order to solve the technical problem of low security of network access in the related art, the embodiment of the application provides a service processing method. A service processing request sent by a client is received, wherein the service processing request is used for accessing a service system and comprises a user type of a user and an identifier of a target service system to be accessed. Service configuration information corresponding to the client is determined according to the user type, wherein the service configuration information comprises a signal area of the client, a network type of the client and the identifier of the client. When the client is located within the signal area of the client, network information corresponding to the target service system is determined according to the identifier of the target service system, wherein the network information comprises the network type of the target service system and an access address of the target service system, and the target service system is accessed according to the network type of the client, the identifier of the client and the network information. Therefore, when the client accesses a service system in the enterprise, the 5G network server can accurately determine the corresponding service configuration information in the 5G network server according to the user type. If the client is not within the signal area of the client, the client cannot access the service system of the enterprise, which avoids network access being granted on the basis of the client account alone. By adding the service configuration information to the 5G network server, the authority of clients can be managed differentially from the network side, so that the security of network access can be improved.
Next, the architecture of the network system of the present application will be described with reference to Fig. 1.
Fig. 1 is a schematic architecture diagram of a network system according to an embodiment of the present application. Referring to Fig. 1, the network system includes a 5G network architecture. The 5G network architecture comprises a client, a 5G base station, a user plane module, an access and mobility management module, a unified data management module, a policy control module, a session management module, an enterprise intranet and an enterprise extranet. The user plane module is used for forwarding user plane data, identifying data and services, and enforcing policies. The access and mobility management module is used for controlling the network access authority of the client and the mobility procedures. The unified data management module is used for storing the subscription data of the client and cooperates with the session management module and the access and mobility management module to realize mobility management and session management of the client. The policy control module is used for controlling the dynamic policy of the client. The session management module is used for session establishment, session modification, session release and routing. The enterprise intranet is a network within an enterprise. The enterprise extranet is the internet outside the enterprise.
The following describes the technical solutions of the present disclosure and how the technical solutions of the present disclosure solve the above technical problems in detail with specific embodiments. The following embodiments may be combined with each other, and the same or similar concepts or processes may not be described in detail in some embodiments. Embodiments of the present disclosure will be described below with reference to the accompanying drawings.
Fig. 2 is a flow chart of a service processing method according to an embodiment of the present application. Referring to fig. 2, the method may include:
S201, receiving a service processing request sent by a client, wherein the service processing request is used for accessing a service system.
The execution body of the embodiment of the present application may be a server, or may be a service processing device disposed in the server, where the service processing device may be implemented by software, or may be implemented by a combination of software and hardware. Alternatively, the server may be a server of a 5G network. For example, a user using a terminal device may use a 5G network through a server of the 5G network.
The client may be an application in a terminal device used by the user. The terminal device is any device with a data processing function.
For example, the terminal device may be a mobile phone, a computer, a tablet computer, or the like. The service processing request is for accessing a service system. The service system may be a system of an intranet. For example, service systems of a manufacturing enterprise may include automation control systems, equipment remote control systems, equipment status monitoring systems, video monitoring and artificial intelligence recognition systems, environmental monitoring systems, production management and analysis systems, office systems, internet applications, and the like.
The automated control system may be a system that controls the automated operation of equipment in a production plant. For example, the automation control system may be a distribution automation system of electrical power.
The equipment remote control system can be a system for remotely and wirelessly controlling equipment in a production workshop by workers through a network. For example, a worker may remotely operate a forklift in a production plant via a 5G network.
The equipment status monitoring system may be a system that monitors the status of equipment in a production plant. For example, the equipment status monitoring system may monitor the equipment status of the production plant via sensors. For example, the equipment status monitoring system may monitor the status of a power plant boiler.
The video monitoring and artificial intelligence recognition system can monitor the production park. For example, the video monitoring and artificial intelligence recognition system can monitor the production park through images acquired by cameras, industrial cameras and other photographing devices. For example, the video surveillance and artificial intelligence recognition system may be a security system for a production campus.
The environmental monitoring system may be a system that monitors the environment of the production area. For example, the environmental monitoring system may monitor variables such as the ambient temperature and ambient humidity of the production area. For example, the environmental monitoring system may be deployed in an underground coal mine production scenario, thereby monitoring the underground environment of the coal mine.
The production management and analysis system may be a system that manages production data. For example, the production management and analysis system may perform statistics, analysis, and presentation of production data via reports.
Office systems are used for administrative management. The internet application is an internet application outside the intranet.
The service processing request comprises the user type of the user and the identification of the target service system to be accessed. The user type may include at least one of: production control equipment type, production auxiliary equipment type, production management type, administration type, resident type.
A production control equipment type user is a user who controls control-type equipment in a production flow. For example, a production control equipment type user may control a coal conveyor belt of a coal mine, a shore bridge crane of a port, or the like.
A production auxiliary equipment type user is a user who monitors the state of production equipment and the production environment. For example, a production auxiliary equipment type user may monitor the status of the production equipment and the production environment through devices such as sensors and cameras. For example, the production auxiliary equipment can be the various sensors underground in a coal mine and the video monitoring cameras of factories.
A production management type user is a user participating in the production flow. For example, a production management type user may be a person in a factory responsible for operating a production line or maintaining mechanical (electronic) equipment.
Administrative type users are administrative users who do not directly contact the production facility. For example, administrative type users may be staff of functional departments (sales, marketing, etc.) of the enterprise, business analysts, technology developers, etc.
Resident type users are users who are not internal to the enterprise. For example, a resident type user may be a family member of an enterprise employee, an outside person having business dealings with the enterprise, and so on.
The target service system may be a service system to be accessed, and the identifier of the target service system may be ID information of the service system to be accessed.
For example, if the service processing request is for accessing the automation control system, the target service system is the automation control system, and the identifier of the target service system is ID information of the automation control system; if the service processing request is used for accessing the equipment remote control system, the target service system is the equipment remote control system, and the identification of the target service system is the identification of the equipment remote control system.
Alternatively, the 5G network server may receive the service processing request through the terminal device. For example, a user may send a service processing request to a 5G network server through an application in a cell phone.
Next, a procedure for receiving a service processing request transmitted from a client will be described with reference to Fig. 3.
Fig. 3 is a schematic process diagram of receiving a service processing request according to an embodiment of the present application. Referring to Fig. 3, the process involves a terminal device and a server. The terminal device comprises a page 101 and a page 102, wherein the page 101 is the main page of the terminal device. The page 101 includes a plurality of applications. For example, applications such as memos, calculators, emails, music, weather, control applications, etc., are included in page 101. When the user clicks on the control application, the terminal device jumps from page 101 to page 102.
Referring to Fig. 3, the page 102 is a page corresponding to the service systems. The page 102 includes an icon of an automation control system, an icon of an internet application, an icon of an environment monitoring system, and an icon of a device status monitoring system. When a user clicks the internet application, the terminal device sends a service processing request to the server, wherein the service processing request is used for requesting access to the internet application, and the service processing request comprises the user type logged in to the control application and the identification of the internet application.
S202, determining service configuration information corresponding to the client according to the user type.
The service configuration information includes a signal area of the client, a network type of the client and an identification of the client. The signal area of the client is used to indicate the area in which the client can connect to the network. Optionally, the signal area of the client may include at least one of: a production area, an office area and a living area. The production area is an area in which production activities are directly performed. For example, the production area may be a warehouse, foundry, production workshop, or similar area of a steel plant. The office area may be an area where production management, administration, etc. are performed. For example, an office area may include an office building area, an office campus, or the like. The living area may be a residential area of employees and family members. For example, living areas may include dormitory building areas, sports and recreational areas, dining halls, and the like for employees and family members.
The network type of the client may be an intranet or an extranet. Wherein the intranet is used to access business systems within the enterprise.
For example, if the network type of the client is an intranet type, the client may access a service system such as an automation control system and a remote control system of a device in the enterprise, but the client cannot access the external internet. The extranet is used to access networks outside the enterprise. For example, if the network type of the client is an extranet type, the client may access a network external to the enterprise, but the client may not access a business system internal to the enterprise.
The identification of the client may be address information of the client. For example, the identification of the client may include access addresses for a plurality of business systems. For example, the identification of the client may include an access address of the automation control system, an access address of the device remote control system, and the like.
The service configuration information corresponding to the client may be determined according to the following possible implementation manner: acquiring a first preset relation, wherein the first preset relation comprises at least one user type and service configuration information corresponding to each user type. For example, the first preset relation may be as shown in Table 1:
TABLE 1
User type   | Service configuration information
User type 1 | Service configuration information 1
User type 2 | Service configuration information 2
User type 3 | Service configuration information 3
……          | ……
It should be noted that table 1 is only an exemplary first preset relationship, and the first preset relationship is not limited thereto.
The service configuration information corresponding to the client is then determined according to the user type and the first preset relation. For example, if the user type in the service processing request is user type 1, the service configuration information corresponding to the user type is service configuration information 1; if the user type in the service processing request is user type 2, the service configuration information corresponding to the user type is service configuration information 2; if the user type in the service processing request is user type 3, the service configuration information corresponding to the user type is service configuration information 3.
Optionally, the service configuration information may be configured in a server of the 5G network, and when the service information is configured, the configuration may be performed according to the following template:
Table 2 Network type configuration template
It should be noted that table 2 illustrates the network type configuration template by way of example only, and is not limiting of the network type configuration template.
As can be seen from table 2, the network type corresponding to the user whose user type is the production control device type is the intranet, the network type corresponding to the user whose user type is the production auxiliary device type is the intranet, the network type corresponding to the user whose user type is the production management type is the intranet, the network type corresponding to the user whose user type is the administrative management type is the intranet and the extranet, and the network type corresponding to the user whose user type is the resident type is the extranet.
Access rights for different user types may be implemented by subscribing the clients to different DNNs (Data Network Names). The network side identifies the DNN and thereby controls the access destination address and the access authority. The DNN subscriptions are signed for the clients of each user type through network instructions.
TABLE 3 Signal area configuration template
User type / Signal area | Production area | Office area | Living area
Production control device type | Yes | - | -
Production auxiliary equipment type | Yes | - | -
Production management type | Yes | Yes | Yes
Administrative management type | - | Yes | Yes
Resident type | - | - | Yes
It should be noted that Table 3 illustrates the signal area configuration template by way of example only and does not limit the signal area configuration template.
As can be seen from table 3, the signal areas corresponding to the users of the production control device type are the production areas, the signal areas corresponding to the users of the production auxiliary device type are the production areas, the signal areas corresponding to the users of the production management type are the production areas, the office areas and the living areas, the signal areas corresponding to the users of the administration management type are the office areas and the living areas, and the signal areas corresponding to the users of the resident type are the living areas.
Optionally, the signal area of the clients of a user type may be configured by a network instruction, which is configured on the UDM network element of the core network. For example, an area template may be established according to a network instruction, where the area template includes the area number (production area, living area, office area), and the client is then associated with the area template, so that the client is allowed to access the network only within the set area.
Table 4 service system configuration template
It should be noted that Table 4 illustrates the service system configuration template by way of example only and does not limit the service system configuration template.
As can be seen from Table 4, the service systems corresponding to users of the production control device type are an automation control system and a device remote control system; the service systems corresponding to users of the production auxiliary device type are a device state monitoring system, a video monitoring and artificial intelligence recognition system and an environment monitoring system; and the service systems corresponding to users of the production management type are a device state monitoring system, a video monitoring and artificial intelligence recognition system, an environment monitoring system, a production management and analysis system and an office system. Because resident type users can only access the extranet and cannot access the intranet, resident type users cannot access the business systems.
Optionally, the service systems corresponding to a user type may be configured through a network instruction. The network instruction is configured on the SMF (session management function) and UPF (user plane function) network elements of the core network. For example, a network instruction may be configured with the IP addresses of the service systems that the client is allowed to access; the IP address of any service system not covered by the instruction is not accessible to the client.
Optionally, according to the configuration template, the 5G network authority corresponding to the user type can be flexibly configured, and a temporary client can be added to access the network. For example, if a maintainer outside the enterprise applies to repair the enterprise equipment, corresponding network permissions can be configured for the temporary client at the 5G network server, so that the temporary client is prevented from accessing a network irrelevant to equipment repair, and when the maintainer leaves the enterprise, the network permissions of the temporary client can be deleted, so that the security of network access can be improved.
S203, when the client is located within the signal area of the client, accessing the target service system according to the network type of the client, the identification of the client and the identification of the target service system.
Whether the client is within the signal area of the client may be determined according to the following possible implementation: the position information of the client and the signal area of the client are acquired, and whether the client is located within the signal area of the client is determined according to the position information and the signal area of the client. The position information indicates the location of the terminal device on which the client is installed. For example, the location of the terminal device, and thus the location of the client, may be determined by a positioning system in the terminal device. If the location of the client is within the signal area of the client, it is determined that the client is within the signal area of the client; if the location of the client is not within the signal area of the client, it is determined that the client is not within the signal area of the client. For example, when the signal area of the client is a production area, if the client is located in a living area, the client cannot access the target service system, and the client's access to the target service system fails.
The target service system may be accessed according to the following possible implementation: the network information corresponding to the target service system is determined according to the identification of the target service system. The network information comprises the network type of the target service system and the access address of the target service system.
The network type of the target service system indicates the network through which access to the target service system is allowed. For example, if the network type of the target service system is the intranet type, the client can only access the target service system through the intranet, and if the network type of the target service system is the extranet type, the client can only access the target service system through the extranet. The access address of the target service system may be an IP address of the target service system. For example, the client may access the target service system through the IP address of the target service system.
Optionally, the network information corresponding to the target service system may be determined according to the following possible implementation: a second preset relation is acquired. The second preset relation comprises at least one service system identifier and the network information corresponding to each service system identifier. For example, the second preset relation may be as shown in Table 5:
TABLE 5
Identification of business system | Network information
Identifier 1 | Network information 1
Identifier 2 | Network information 2
Identifier 3 | Network information 3
…… | ……
It should be noted that Table 5 is only an exemplary second preset relationship, and the second preset relationship is not limited thereto.
The network information corresponding to the target service system is then determined according to the identification of the target service system and the second preset relation. For example, if the identifier of the target service system included in the service processing request is identifier 1, the network information corresponding to the target service system is network information 1; if the identifier of the target service system included in the service processing request is identifier 2, the network information corresponding to the target service system is network information 2; if the identifier of the target service system included in the service processing request is identifier 3, the network information corresponding to the target service system is network information 3.
The target service system is then accessed according to the network type of the client, the identification of the client and the network information.
The embodiment of the application provides a service processing method. A service processing request sent by a client is received; the service processing request is used for accessing a service system and comprises a user type of a user and an identifier of a target service system to be accessed. Service configuration information corresponding to the client is determined according to the user type; the service configuration information comprises a signal area of the client, a network type of the client and the identifier of the client. Network information corresponding to the target service system is determined according to the identifier of the target service system; the network information comprises the network type of the target service system and an access address of the target service system. The target service system is accessed according to the network type of the client, the identifier of the client and the network information. In this way, if the client is not in the signal area of the client, the client cannot access the business system of the enterprise, which avoids network access being granted on the basis of the client account alone. If the client is in the signal area of the client, the network information corresponding to the target business system can be further determined through the identification of the target business system, and the target business system is accessed according to the network type of the client, the identification of the client and the network information. Because the business configuration information is added to the 5G network server, the authority of the client can be managed differentially from the network side, so that the security of network access can be improved.
Based on the embodiment shown in fig. 2, the detailed process of accessing the target service system according to the network type of the client, the identifier of the client, and the network information will be further described with reference to fig. 4.
Fig. 4 is a flowchart of a method for accessing a target service system according to an embodiment of the present application.
Referring to fig. 4, the method includes:
S401, verifying, according to the network type of the target service system and the network type of the client, whether the client can access the target service system, and obtaining a verification result.
The verification result is verification success or verification failure. Optionally, whether the client can access the target service system may be verified according to the following possible implementation: if the network type of the client is the same as the network type of the target service system, the verification result is determined to be verification success; if the network type of the client is different from the network type of the target service system, the verification result is determined to be verification failure. For example, when the network type of the target service system is the intranet type, if the network type of the client is the intranet type, the verification result is determined to be verification success, and if the network type of the client is the extranet type, the verification result is determined to be verification failure; when the network type of the target service system is the extranet type, if the network type of the client is the intranet type, the verification result is determined to be verification failure, and if the network type of the client is the extranet type, the verification result is determined to be verification success.
S402, accessing the target service system according to the verification result, the identification of the client and the access address of the target service system.
According to the verification result, the identification of the client and the access address of the target service system, the target service system is accessed under the following two conditions:
Case 1: the verification result is verification failure.
If the verification result is verification failure, determining that the client fails to access the target service system. For example, if the network type of the target service system is the extranet and the network type of the client is the intranet, the verification result is determined to be verification failure, and at this time, the client cannot access the target service system.
In this case, although the client is located within the signal area of the client, the network type that the client can use differs from the network type of the target service system, which indicates that the client cannot access the target service system. For example, the signal area of the client is a living area and the client is located within the living area, but if the network type of the client is the extranet type, the client cannot access the equipment system of the production area. This may improve the security of network access.
Case 2: the verification result is that the verification is successful.
If the verification result is verification success, the target service system is accessed according to the identification of the client and the access address of the target service system. For example, if the network type of the target service system is the intranet type and the network type of the client is the intranet type, the verification result is determined to be verification success; at this time, the server also needs to determine whether the client can access the target service system according to the identifier of the client and the access address of the target service system.
Optionally, the target service system may be accessed according to the following possible implementation: if the identification of the client comprises the access address of the target service system, it is determined that the client can access the target service system; if the identification of the client does not comprise the access address of the target service system, it is determined that the client's access to the target service system fails. For example, when the target service system is an automation control system, if the identifier of the client includes the IP address of the automation control system, the client may access the automation control system; when the target service system is a device remote control system, if the identifier of the client includes the IP address of the device remote control system, the client may access the device remote control system. Conversely, when the target service system is an automation control system, if the identifier of the client only includes the IP address of the device remote control system and does not include the IP address of the automation control system, the client cannot access the automation control system.
The embodiment of the application provides a method for accessing a target service system. Whether the client can access the target service system is verified according to the network type of the target service system and the network type of the client, and a verification result is obtained. If the verification result is verification failure, it is determined that the client's access to the target service system fails; if the verification result is verification success, the target service system is accessed according to the identification of the client and the access address of the target service system. Therefore, when the client is located within the signal area of the client, the user type can be further verified and the authority of the client is managed differentially from the network side, which improves the flexibility of authority management and further improves the security of network access.
On the basis of any one of the above embodiments, a procedure of the above service processing method will be described below with reference to fig. 5.
Fig. 5 is a schematic process diagram of a service processing method according to an embodiment of the present application. Referring to fig. 5, the process involves a terminal device and a server. A business system page is displayed on the screen of the terminal device. The business system page comprises a plurality of business systems such as an automation control system, an Internet application, a device state monitoring system and the like. When a user clicks the automation control system, the terminal device generates a service processing request. The service processing request comprises a user type and an identification of a target service system, wherein the user type is the production control device type, and the identification of the target service system indicates the automation control system.
Referring to fig. 5, when the server receives a service processing request, service configuration information corresponding to the client is determined according to the type of the production control device. The service configuration information comprises a signal area of the client, a network type of the client and an identifier of the client. The signal area of the client is a production area, the network type of the client is an enterprise intranet, and the identification of the client comprises an automatic control system IP and an equipment state monitoring system IP.
Referring to fig. 5, the signal area of the client includes a production area, an office area and a living area, and the terminal device can be determined to be located in the production area by the positioning system in the terminal device, that is, the client is located in the signal area of the client, at this time, the server determines the network information corresponding to the automation control system. The network information comprises the enterprise intranet and the IP of the automatic control system, and the client can successfully access the automatic control system because the network type of the client is the enterprise intranet and the identification of the client comprises the IP of the automatic control system.
Referring to fig. 5, when the client can successfully access the automation control system, the display page of the terminal device jumps to the automation control system page. The automation control system page comprises an icon of the equipment 1, an icon of the equipment 2, an icon of the equipment 3 and the like. When the user clicks the icon of any one device, the terminal device may display a control page of the device, and the user may control the device in the control page of the device. Therefore, when the client is not in the signal area of the client, the client cannot access the business system of the enterprise, which avoids network access being granted on the basis of the client account alone. When the client is in the signal area of the client, the 5G network server can further determine the network information corresponding to the target business system through the identification of the target business system, and the target business system is accessed according to the network type of the client, the identification of the client and the network information. Because the business configuration information is added to the 5G network server, the authority of the client can be managed differentially from the network side, so that the security of network access can be improved.
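The decision procedure described above (signal area check, then S401 network type check, then S402 check of the access address against the identification of the client, plus adding and deleting a temporary client), written out as an added Python example that is not code from the patent. The system identifiers, IP addresses and the administrative management allow-list are constructed sample values, and the client's area is assumed to have been resolved from its position information before the call.

```python
"""Access decision from the description above (S203, S401, S402).

Added illustration, not code from the patent. System ids, IP addresses and
the administrative-management allow-list are constructed sample values.
"""
from dataclasses import dataclass
from typing import Optional

INTRANET, EXTRANET = "intranet", "extranet"


@dataclass(frozen=True)
class ServiceConfig:
    """Service configuration information for one user type (first preset relation)."""
    signal_areas: frozenset       # areas in which the client may use the network
    network_types: frozenset      # intranet and/or extranet
    allowed_addresses: frozenset  # the "identification of the client"


@dataclass(frozen=True)
class NetworkInfo:
    """Network information for one service system (second preset relation)."""
    network_type: str
    access_address: str


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str
    access_address: Optional[str] = None


# Second preset relation: system identifier -> network information (constructed).
SYSTEMS = {
    "automation-control": NetworkInfo(INTRANET, "10.0.1.10"),
    "device-remote-control": NetworkInfo(INTRANET, "10.0.1.11"),
    "device-status-monitoring": NetworkInfo(INTRANET, "10.0.2.10"),
    "office-system": NetworkInfo(INTRANET, "10.0.3.10"),
    "internet-application": NetworkInfo(EXTRANET, "203.0.113.10"),
}


def addresses_of(*system_ids):
    """Allow-list of access addresses for the named systems."""
    return frozenset(SYSTEMS[s].access_address for s in system_ids)


# First preset relation: user type -> service configuration information.
POLICY = {
    "production-control-device": ServiceConfig(
        frozenset({"production"}), frozenset({INTRANET}),
        addresses_of("automation-control", "device-remote-control")),
    "administrative-management": ServiceConfig(
        frozenset({"office", "living"}), frozenset({INTRANET, EXTRANET}),
        addresses_of("office-system", "internet-application")),  # constructed
    "resident": ServiceConfig(
        frozenset({"living"}), frozenset({EXTRANET}), frozenset()),
}


def decide(user_type, client_area, target_id, policy=POLICY, systems=SYSTEMS):
    """Run the checks in the order the description gives; any miss denies."""
    cfg = policy.get(user_type)
    if cfg is None:
        return Decision(False, "unknown_user_type")
    # S203 precondition: the client must be inside its configured signal area.
    if client_area not in cfg.signal_areas:
        return Decision(False, "outside_signal_area")
    info = systems.get(target_id)
    if info is None:
        return Decision(False, "unknown_target_system")
    # S401: network types must match. A user type may hold both types,
    # so "the same" is evaluated here as set membership.
    if info.network_type not in cfg.network_types:
        return Decision(False, "network_type_mismatch")
    # S402: the client's identification must contain the target's address.
    if info.access_address not in cfg.allowed_addresses:
        return Decision(False, "address_not_allowed")
    return Decision(True, "allowed", info.access_address)


def grant_temporary(policy, user_type, cfg):
    """Return a copy of the policy with a temporary user type added."""
    if user_type in policy:
        raise ValueError(f"user type already exists: {user_type}")
    return {**policy, user_type: cfg}


def revoke_temporary(policy, user_type):
    """Return a copy of the policy without the temporary user type."""
    return {k: v for k, v in policy.items() if k != user_type}


if __name__ == "__main__":
    requests = [  # constructed requests: (user type, client area, target)
        ("production-control-device", "production", "automation-control"),
        ("production-control-device", "living", "automation-control"),
        ("production-control-device", "production", "device-status-monitoring"),
        ("resident", "living", "automation-control"),
    ]
    for req in requests:
        print(req, "->", decide(*req))
```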
Fig. 6 is a schematic structural diagram of a service processing device according to an embodiment of the present application. Referring to fig. 6, the service processing apparatus 10 includes a receiving module 11, a determining module 12, and an accessing module 13, wherein:
the receiving module 11 is configured to receive a service processing request sent by a client, where the service processing request is used to access a service system, and the service processing request includes a user type of a user and an identifier of a target service system to be accessed;
the determining module 12 is configured to determine, according to the user type, service configuration information corresponding to the client, where the service configuration information includes a signal area of the client, a network type of the client, and an identifier of the client;
the access module 13 is configured to access the target service system according to a network type of the client, an identifier of the client, and an identifier of the target service system when the client is located within a signal area of the client.
In a possible embodiment, the access module 13 is specifically configured to:
according to the identification of the target service system, determining network information corresponding to the target service system, wherein the network information comprises the network type of the target service system and the access address of the target service system;
and accessing the target service system according to the network type of the client, the identification of the client and the network information.
In a possible embodiment, the access module 13 is specifically configured to:
verifying whether the client can access the target service system according to the network type of the target service system and the network type of the client to obtain a verification result, wherein the verification result is verification success or verification failure;
and accessing the target service system according to the verification result, the identification of the client and the access address of the target service system.
In a possible embodiment, the access module 13 is specifically configured to:
if the verification result is verification failure, determining that the client fails to access the target service system;
and if the verification result is that the verification is successful, accessing the target service system according to the identification of the client and the access address of the target service system.
In a possible embodiment, the access module 13 is specifically configured to:
if the identifier of the client comprises the access address of the target service system, determining that the client can access the target service system;
and if the identification of the client does not comprise the access address of the target service system, determining that the access of the client to the target service system fails.
In a possible embodiment, the access module 13 is specifically configured to:
if the network type of the client is the same as the network type of the target service system, determining that the verification result is successful;
and if the network type of the client is different from the network type of the target service system, determining that the verification result is verification failure.
In one possible implementation, the determining module 12 is specifically configured to:
acquiring a first preset relation, wherein the first preset relation comprises at least one user type and service configuration information corresponding to each user type;
and determining service configuration information corresponding to the client according to the user type and the first preset relation.
The service processing device provided in the embodiment of the present application may execute the technical solution shown in the foregoing method embodiment, and its implementation principle and beneficial effects are similar, and will not be described herein again.
The service processing device shown in the embodiment of the application may be a chip, a hardware module, a processor, or the like. Of course, the service processing device may take other forms, which are not specifically limited in the embodiments of the present application.
Fig. 7 is a schematic hardware structure diagram of a service processing device according to an embodiment of the present application. Referring to fig. 7, the service processing apparatus 20 may include a processor 21 and a memory 22, which communicate via a communication bus 23. The memory 22 is adapted to store program instructions, and the processor 21 is adapted to invoke the program instructions in the memory to perform the service processing method shown in any of the method embodiments described above.
Optionally, the service processing device 20 may also include a communication interface, which may include a transmitter and/or a receiver.
Alternatively, the processor may be a central processing unit (Central Processing Unit, CPU), but may also be other general purpose processors, digital signal processors (Digital Signal Processor, DSP), application specific integrated circuits (Application Specific Integrated Circuit, ASIC), etc. A general purpose processor may be a microprocessor or the processor may be any conventional processor or the like. The steps of a method disclosed in connection with the present application may be embodied directly in a hardware processor or in a combination of hardware and software modules within a processor.
The present application provides a readable storage medium having a computer program stored thereon; the computer program is configured to implement the service processing method according to any of the above embodiments.
Embodiments of the present application provide a computer program product comprising instructions that, when executed, cause a computer to perform the above-described business processing method.
All or part of the steps for implementing the method embodiments described above may be performed by hardware associated with program instructions. The foregoing program may be stored in a readable memory. The program, when executed, performs steps including the method embodiments described above; and the aforementioned memory (storage medium) includes: read-only memory (ROM), RAM, flash memory, hard disk, solid state disk, magnetic tape, floppy disk, optical disk, and any combination thereof.
Embodiments of the present application are described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the application. It will be understood that each flow and/or block of the flowchart illustrations and/or block diagrams, and combinations of flows and/or blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processing unit of a general purpose computer, special purpose computer, embedded processor, or other programmable terminal device to produce a machine, such that the instructions, which execute via the processing unit of the computer or other programmable terminal device, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable terminal device to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable terminal device to cause a series of operational steps to be performed on the computer or other programmable device to produce a computer implemented process such that the instructions which execute on the computer or other programmable device provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
It will be apparent to those skilled in the art that various modifications and variations can be made to the embodiments of the present application without departing from the spirit and scope of the application. Thus, if such modifications and variations of the embodiments of the present application fall within the scope of the claims and the equivalents thereof, the present application is intended to encompass such modifications and variations.
In the present application, the term "include" and variations thereof may refer to non-limiting inclusion; the term "or" and variations thereof may refer to "and/or". The terms "first," "second," and the like in this application are used for distinguishing between similar objects and not necessarily for describing a particular sequential or chronological order. In the present application, "plurality" means two or more. "And/or" describes an association relationship of associated objects and indicates that three relationships may exist; for example, A and/or B may indicate: A exists alone, A and B exist together, or B exists alone. The character "/" generally indicates that the associated objects before and after it are in an "or" relationship.

Claims (6)

1. A service processing method applied to a server of a 5G network, comprising:
receiving a service processing request sent by a client, wherein the service processing request is used for accessing a service system, and the service processing request comprises a user type of a user and an identification of a target service system to be accessed;
determining service configuration information corresponding to the client according to the user type, wherein the service configuration information comprises a signal area of the client, a network type of the client and an identifier of the client; the identification of the client comprises an access address of at least one service system; the network type of the client is configured according to a network type configuration template, and different DNN configurations are subscribed through network instructions; the signal area of the client is configured on a core network UDM network element through a network instruction according to a signal area configuration template; the access address of the service system is configured on core network SMF and UPF network elements through network instructions according to a service system configuration template;
when the client is positioned in the signal area range of the client, determining network information corresponding to the target service system according to the identification of the target service system, wherein the network information comprises the network type of the target service system and the access address of the target service system;
verifying whether the client can access the target service system according to the network type of the target service system and the network type of the client to obtain a verification result, wherein the verification result is verification success or verification failure;
if the verification result is verification failure, determining that the client fails to access the target service system;
if the verification result is that the verification is successful, accessing the target service system according to the identification of the client and the access address of the target service system;
the accessing the target service system according to the identification of the client and the access address of the target service system comprises the following steps:
if the identifier of the client comprises the access address of the target service system, determining that the client can access the target service system;
and if the identification of the client does not comprise the access address of the target service system, determining that the access of the client to the target service system fails.
2. The method of claim 1, wherein verifying whether the client can access the target service system based on the network type of the target service system and the network type of the client, to obtain a verification result, comprises:
if the network type of the client is the same as the network type of the target service system, determining that the verification result is successful;
and if the network type of the client is different from the network type of the target service system, determining that the verification result is verification failure.
3. The method according to claim 1, wherein determining service configuration information corresponding to the client according to the user type includes:
acquiring a first preset relation, wherein the first preset relation comprises at least one user type and service configuration information corresponding to each user type;
and determining service configuration information corresponding to the client according to the user type and the first preset relation.
4. A service processing device, characterized by comprising a receiving module, a determining module and an access module, wherein:
the receiving module is used for receiving a service processing request sent by a client, wherein the service processing request is used for accessing a service system, and the service processing request comprises the user type of a user and the identification of a target service system to be accessed;
the determining module is used for determining service configuration information corresponding to the client according to the user type, wherein the service configuration information comprises a signal area of the client, a network type of the client and an identifier of the client; the identification of the client comprises an access address of at least one service system; the network type of the client is configured according to a network type configuration template, and different DNN configurations are subscribed through network instructions; the signal area of the client is configured on a core network UDM network element through a network instruction according to a signal area configuration template; the access address of the service system is configured on core network SMF and UPF network elements through network instructions according to a service system configuration template;
the access module is used for accessing the target service system according to the network type of the client, the identification of the client and the identification of the target service system when the client is positioned in the signal area range of the client;
the access module is specifically configured to determine, according to the identifier of the target service system, network information corresponding to the target service system, where the network information includes a network type of the target service system and an access address of the target service system; verifying whether the client can access the target service system according to the network type of the target service system and the network type of the client to obtain a verification result, wherein the verification result is verification success or verification failure; if the verification result is verification failure, determining that the client fails to access the target service system; if the verification result is that the verification is successful, accessing the target service system according to the identification of the client and the access address of the target service system;
the access module is specifically configured to determine that the client can access the target service system if the identifier of the client includes an access address of the target service system; and if the identification of the client does not comprise the access address of the target service system, determining that the access of the client to the target service system fails.
5. A service processing apparatus, comprising: a processor, a memory;
the memory stores computer-executable instructions;
the processor executes the computer-executable instructions stored in the memory, causing the processor to perform the service processing method according to any one of claims 1 to 3.
6. A computer readable storage medium having stored therein computer executable instructions for implementing the service processing method of any of claims 1 to 3 when the computer executable instructions are executed by a processor.
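The decision sequence of claims 1 to 3, written out as an added Python example (not code from the patent). The class and function names, the sample tables, and the deny-by-default handling of unknown user types, unknown targets and clients outside their signal area are assumptions; the claims only state the in-area path.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class ServiceConfig:
    signal_area: frozenset    # areas the client may attach from
    network_type: str         # network type (DNN) subscribed for the client
    client_id: frozenset      # "identification of the client": allowed access addresses

@dataclass(frozen=True)
class NetworkInfo:
    network_type: str
    access_address: str

# First preset relation (claim 3): user type -> service configuration. Constructed data.
CONFIG_BY_USER_TYPE = {
    "office": ServiceConfig(frozenset({"area-1"}), "dnn-office",
                            frozenset({"10.0.1.10", "10.0.1.20"})),
    "field": ServiceConfig(frozenset({"area-1", "area-2"}), "dnn-field",
                           frozenset({"10.0.2.10"})),
}
# Target service system identification -> network information. Constructed data.
SYSTEMS = {
    "oa": NetworkInfo("dnn-office", "10.0.1.10"),
    "hr": NetworkInfo("dnn-office", "10.0.1.30"),   # same DNN, address not provisioned
    "dispatch": NetworkInfo("dnn-field", "10.0.2.10"),
}

def process_request(user_type, target_id, client_area):
    """Return (granted, detail) for one service processing request."""
    cfg = CONFIG_BY_USER_TYPE.get(user_type)
    if cfg is None:                                   # assumption: deny by default
        return False, "unknown user type"
    if client_area not in cfg.signal_area:            # assumption: deny outside area
        return False, "outside signal area"
    info = SYSTEMS.get(target_id)
    if info is None:                                  # assumption: deny by default
        return False, "unknown target service system"
    if info.network_type != cfg.network_type:         # claim 2: types must match
        return False, "network type mismatch"
    if info.access_address not in cfg.client_id:      # final step of claim 1
        return False, "access address not in client identification"
    return True, info.access_address
```

The "hr" entry shows why the last check matters: a matching network type alone does not grant access when the target's address was never provisioned for that user type.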

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111212393.9A CN113905381B (en) 2021-10-18 2021-10-18 Service processing method, device, equipment and readable storage medium

Publications (2)

Publication Number Publication Date
CN113905381A CN113905381A (en) 2022-01-07
CN113905381B CN113905381B (en) 2024-04-16

Family

ID=79192535

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111212393.9A Active CN113905381B (en) 2021-10-18 2021-10-18 Service processing method, device, equipment and readable storage medium

Country Status (1)

Country Link
CN (1) CN113905381B (en)

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101895860A (en) * 2010-06-29 2010-11-24 中兴通讯股份有限公司 Method and system for limiting EVDO (Evolution Data Only) system region mobility
CN106209750A (en) * 2015-05-08 2016-12-07 深圳市腾讯计算机系统有限公司 A kind of network allocation method, server, network access equipment and system
CN110311899A (en) * 2019-06-17 2019-10-08 平安医疗健康管理股份有限公司 Multiservice system access method, device and server
CN111756737A (en) * 2020-06-24 2020-10-09 中国平安财产保险股份有限公司 Data transmission method, device, system, computer equipment and readable storage medium
CN112738100A (en) * 2020-12-29 2021-04-30 北京天融信网络安全技术有限公司 Authentication method, device, authentication equipment and authentication system for data access
CN113179271A (en) * 2021-04-28 2021-07-27 深圳前海微众银行股份有限公司 Intranet security policy detection method and device

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10986602B2 (en) * 2018-02-09 2021-04-20 Intel Corporation Technologies to authorize user equipment use of local area data network features and control the size of local area data network information in access and mobility management function
CN110972092B (en) * 2018-09-30 2021-02-23 华为技术有限公司 Local area network communication method, device and system

Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
HUAWEI et al. "S2-2106257 Indication of DNS configuration for edge service v1". 3GPP tsg_sa\wg2_arch. 2021, full text. *
ZTE. "S2-2104721r04 Clarification on TSCAI for the non TSC service". 3GPP tsg_sa\wg2_arch. 2021, full text. *
Design and application of a 5G-oriented multi-access edge computing architecture; 陈强; 储云凤; 朱皆一; 通信技术; 20200810 (No. 08); full text *

Also Published As

Publication number Publication date
CN113905381A (en) 2022-01-07

Similar Documents

Publication Publication Date Title
WO2021036265A1 (en) Method and device for edge cloud fusion management
US9491183B1 (en) Geographic location-based policy
US9460591B2 (en) Event notification
CN104244174B (en) The acquisition methods and server of the geographical location information of terminal
CN104299286A (en) Attendance method and system for public security inspection tour
CN104954352A (en) Security system access detection
CN109743532B (en) Doorbell control method, electronic equipment, doorbell system and storage medium
US20220253520A1 (en) Methods and systems for verifying applications
CN105099986A (en) Network game data sharing method and server
US9081945B2 (en) Information processing device and method
CN105743752A (en) Wireless linkage node network and node device thereof
CN106254366A (en) For the identification processing method patrolled and examined, Apparatus and system
CN106030555A (en) Privacy zone
CN107872440B (en) Identity authentication method, device and system
CN105260870A (en) Identity identification method, identity identification system and identity identification terminal
US11018934B2 (en) Systems and methods for automated access to relevant information in a mobile computing environment
CN106685891A (en) Verification method and apparatus for accessing network
CN105631715A (en) Advertisement updating supervision method and device
CN104932874A (en) Terminal and control method thereof
KR101059058B1 (en) Apparatus, method and system for service access control based on user location
CN112272355B (en) Visitor monitoring management method and system
CN113905381B (en) Service processing method, device, equipment and readable storage medium
JP6071109B2 (en) Portable terminal device and program
US20230096372A1 (en) Localized authorization for secure communication
WO2015149530A1 (en) M2m application service method, device and system

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant