CN114301778A - Method and device for controlling access - Google Patents

Publication number: CN114301778A
Application number: CN202111642990.5A
Other versions: CN114301778B
Authority: CN (China)
Legal status: Granted, active
Other languages: Chinese (zh)
Inventor: 刘欢欢
Original and current assignee: China Construction Bank Corp
Prior art keywords: access; access request; control; flow; parameter value

Abstract

The invention discloses a method and a device for controlling access, and relates to the field of resource management. One embodiment of the method comprises: receiving an access request sent by a client, and searching custom configuration information for one or more first traffic configuration parameter values and/or one or more control parameter values that match the access resource location identifier of the access request; constructing a traffic control policy corresponding to the access request; and allowing or denying the access request according to the traffic control policy. Customizing the configuration information makes it more flexible to determine the configuration parameters and to manage the granularity of access control. Constructing the traffic control policy dynamically removes two problems of existing methods, namely that a configuration file or code must be modified to change the traffic control policy and that the system must be restarted for modified configuration information to take effect, and so improves the flexibility and efficiency of traffic control.

Description

Method and device for controlling access
Technical Field
The present invention relates to the field of resource management, and in particular, to a method and an apparatus for controlling access.
Background
In a distributed system with multiple service types, the system must remain stable and highly available under high concurrency. At present this is generally achieved by controlling the traffic of access requests (rate limiting) and similar measures.
Existing methods for controlling access request traffic usually use a preset configuration file or code to specify a control policy for preset user information (such as user identifier, user IP address, etc.). When a service scenario requires the control policy to be modified (for example, by adding or modifying control parameters), the existing configuration file or code has to be modified and the system has to be restarted for the modified control policy to take effect. Existing methods therefore suffer from tight coupling and poor flexibility in configuring control policies, and from coarse granularity and low efficiency in controlling the traffic of access requests.
Disclosure of Invention
In view of this, embodiments of the present invention provide a method and an apparatus for controlling access, which can receive an access request sent by a client and search custom configuration information for one or more first traffic configuration parameter values and/or one or more control parameter values that match the access resource location identifier of the access request; construct a traffic control policy corresponding to the access request; and allow or deny the access request according to the traffic control policy. Customizing the configuration information makes it more flexible to determine the configuration parameters and to manage the granularity of access control. Constructing the traffic control policy dynamically removes two problems of existing methods, namely that a configuration file or code must be modified to change the traffic control policy and that the system must be restarted for modified configuration information to take effect, and so improves the flexibility and efficiency of traffic control.
To achieve the above object, according to an aspect of an embodiment of the present invention, there is provided a method of controlling access, including: receiving an access request sent by a client, and searching custom configuration information for one or more first traffic configuration parameter values and/or one or more control parameter values that match the access resource location identifier of the access request; constructing a traffic control policy corresponding to the access request based on the matched first traffic configuration parameter value and/or the matched control parameter value; and allowing or denying the access request according to the traffic control policy.
Optionally, the method for controlling access further comprises: obtaining the user identifier of the access request; searching the user information item that is included in the custom traffic configuration information and associated with the access resource location identifier for one or more second traffic configuration parameter values that match the user identifier; if any second traffic configuration parameter value is found, performing the step of allowing or denying the access request according to the traffic control policy; and if none is found, allowing the access request.
Optionally, the method for controlling access further comprises: determining a user identifier to be configured; configuring corresponding user access information for the user identifier to be configured, and storing the correspondence between the user identifier and the user access information. Searching for one or more second traffic configuration parameter values that match the user identifier then comprises: searching, according to that correspondence, for one or more second traffic configuration parameter values that match the user access information.
Optionally, the method for controlling access further comprises: obtaining an access resource location identifier to be configured; configuring one or more corresponding traffic configuration parameter values and/or one or more corresponding control parameter values for the access resource location identifier to be configured; and storing the correspondence between the access resource location identifier and the one or more first traffic configuration parameter values and/or the one or more control parameter values, and generating the custom configuration information based on the correspondence.
Optionally, in the method for controlling access, generating the custom configuration information based on the correspondence comprises: storing the correspondence between the access resource location identifier and the one or more first traffic configuration parameter values in preset custom traffic configuration information; and/or storing the correspondence between the access resource location identifier and the one or more control parameter values in preset custom control information.
Optionally, the method for controlling access further comprises: configuring a user information item for the access resource location identifier to be configured, and adding the user information item to the custom configuration information.
Optionally, in the method for controlling access, constructing a traffic control policy corresponding to the access request based on the matched first traffic configuration parameter value and/or the matched control parameter value comprises: inputting the matched first traffic configuration parameter value and/or the matched control parameter value into a policy code module, combining them by means of the policy code module, and outputting information corresponding to the traffic control policy; and storing the information corresponding to the traffic control policy.
Optionally, in the method for controlling access, allowing or denying the access request according to the traffic control policy comprises: if the access information of the access request satisfies the traffic control policy, denying the access request; otherwise, allowing the access request.
Optionally, the method for controlling access further comprises, for the case where the control parameter value is a time range control parameter value: receiving an access request sent by a client, and storing the access request and the access time point of the access request; calculating the access time range of the access request; and, if the calculated access time range of the access request is within the time range control parameter value contained in the traffic control policy, determining that the access request does not satisfy the traffic control policy.
Optionally, the method for controlling access further comprises, for the case where the control parameter value is a count control parameter value: counting the number of accesses of the access request; and, if the counted number of accesses of the access request is within the count control parameter value contained in the traffic control policy, determining that the access request does not satisfy the traffic control policy.
Optionally, the method for controlling access further comprises, for the case where the control parameter value comprises both a time range control parameter value and a count control parameter value: judging whether the access time range of the access request is smaller than the time range control parameter value and, if so, obtaining the number of accesses of the access request; and determining that the access request does not satisfy the traffic control policy when the number of accesses is smaller than the count control parameter value.
Optionally, the method for controlling access further comprises: parsing the control category corresponding to the access request from the access resource location identifier; and searching, based on the control category, for the custom configuration information corresponding to the access resource location identifier. Constructing a traffic control policy corresponding to the access request then comprises: constructing, for the control category, a traffic control policy corresponding to the access request.
Optionally, in the method for controlling access, the custom configuration information comprises a switch option indicating whether the traffic configuration parameter values are in effect, and the method further comprises: determining the state of the switch option corresponding to the access resource location identifier in the custom configuration information; and, when the state of the switch option indicates on, searching the custom configuration information for one or more first traffic configuration parameter values that match the access resource location identifier of the access request.
Optionally, the method for controlling access further comprises: receiving an update request for the custom configuration information; and updating the custom configuration information according to the access resource location identifier to be updated contained in the update request and the one or more traffic configuration parameter values and/or one or more control parameter values corresponding to that identifier.
To achieve the above object, according to a second aspect of an embodiment of the present invention, there is provided an apparatus for controlling access, including an information search module, a policy construction module and an access control module, wherein:
the information search module is configured to receive an access request sent by a client and to search custom configuration information for one or more first traffic configuration parameter values and/or one or more control parameter values that match the access resource location identifier of the access request;
the policy construction module is configured to construct a traffic control policy corresponding to the access request based on the matched first traffic configuration parameter value and/or the matched control parameter value;
and the access control module is configured to allow or deny the access request according to the traffic control policy.
To achieve the above object, according to a third aspect of the embodiments of the present invention, there is provided an electronic device for controlling access, including: one or more processors; and storage means for storing one or more programs which, when executed by the one or more processors, cause the one or more processors to carry out any one of the above methods of controlling access.
To achieve the above object, according to a fourth aspect of embodiments of the present invention, there is provided a computer-readable medium on which a computer program is stored, wherein the program, when executed by a processor, implements any one of the above methods of controlling access.
To achieve the above object, according to still another aspect of an embodiment of the present invention, there is provided a computer program product. A computer program product according to an embodiment of the present invention includes a computer program which, when executed by a processor, implements the access control method according to an embodiment of the present invention.
One embodiment of the above invention has the following advantages or benefits: an access request sent by a client can be received, and custom configuration information can be searched for one or more first traffic configuration parameter values and/or one or more control parameter values that match the access resource location identifier of the access request; a traffic control policy corresponding to the access request is constructed; and the access request is allowed or denied according to the traffic control policy. Customizing the configuration information makes it more flexible to determine the configuration parameters and to manage the granularity of access control. Constructing the traffic control policy dynamically removes two problems of existing methods, namely that a configuration file or code must be modified to change the traffic control policy and that the system must be restarted for modified configuration information to take effect, and so improves the flexibility and efficiency of traffic control.
Further effects of the above-mentioned non-conventional alternatives will be described below in connection with the embodiments.
Drawings
The drawings are included to provide a better understanding of the invention and are not to be construed as unduly limiting the invention. Wherein:
FIG. 1 is a flow chart illustrating a method for controlling access according to an embodiment of the present invention;
FIG. 2 is a flow chart illustrating a method for controlling access according to an embodiment of the present invention;
FIG. 3 is a schematic structural diagram of an apparatus for controlling access according to an embodiment of the present invention;
FIG. 4 is an exemplary system architecture diagram in which embodiments of the present invention may be employed;
FIG. 5 is a schematic block diagram of a computer system suitable for use in implementing a terminal device or server of an embodiment of the invention.
Detailed Description
Exemplary embodiments of the present invention are described below with reference to the accompanying drawings, in which various details of embodiments of the invention are included to assist understanding, and which are to be considered as merely exemplary. Accordingly, those of ordinary skill in the art will recognize that various changes and modifications of the embodiments described herein can be made without departing from the scope and spirit of the invention. Also, descriptions of well-known functions and constructions are omitted in the following description for clarity and conciseness.
As shown in FIG. 1, an embodiment of the present invention provides a method for controlling access, which may include the following steps:
Step S101: receiving an access request sent by a client, and searching custom configuration information for one or more first traffic configuration parameter values and/or one or more control parameter values that match the access resource location identifier of the access request.
Specifically, the access request may be a request to a microservice-based business system (such as a financial system or a company management system), for example a microservice system implemented on the Spring Cloud microservice framework. The receiver of the access request sent by the client may be a service gateway in the microservice system; for example, the Zuul gateway included in a microservice system based on the Spring Cloud architecture can receive the access request sent by the client and process it further (e.g., authentication, control, etc.).
Further, matching parameters are searched for in the custom configuration information according to the access resource location identifier (e.g., Uniform Resource Locator, URL) corresponding to the access request, where the custom configuration information includes custom traffic configuration information, custom control information, or a combination of the two.
Specifically, the custom traffic configuration information includes one or more first traffic configuration parameter values corresponding to the access resource location identifier. The first traffic configuration parameter values are configured for an access resource location identifier as follows: obtaining the access resource location identifier to be configured; configuring one or more corresponding traffic configuration parameter values for it; and storing the correspondence between the access resource location identifier and the one or more first traffic configuration parameter values in preset custom traffic configuration information.
TABLE 1
| Access resource location identifier | Authority | Role | Region code | Switch option |
| url1 | 1 | 1 | 130102 | true |
| url2 |   | 1 | 130102 | true |
| url3 |   |   | 130102 | true |
Table 1 is an example of custom traffic configuration information, in which authority, role, region code and switch option are traffic configuration parameters, and the values corresponding to those parameters are traffic configuration parameter values. In the example of Table 1, the first traffic configuration parameter values corresponding to the access resource location identifier url1 are: authority is 1, role is 1, region code is 130102, etc. Here the authority may represent the permission setting for accessing the web page corresponding to an access resource location identifier, with "1" representing prohibition of access; the role may represent the role of the user sending the access resource location identifier (url) (for example, administrator is 1, common user is 2, a preset user is 3, etc.); and the region code may represent a code for the geographical range (e.g., province, city, district, etc.) to which the access resource location identifier is transmitted. Setting each first traffic configuration parameter value for url1 amounts to configuring the correspondence between an access resource location identifier and one or more first traffic configuration parameter values. Table 1 stores several such correspondences, that is, the correspondence between the access resource location identifier and one or more first traffic configuration parameter values is stored in the preset custom traffic configuration information.
Further, the custom control information includes one or more control parameter values corresponding to the access resource location identifier. The control parameter values are configured for an access resource location identifier as follows: obtaining the access resource location identifier to be configured; configuring one or more corresponding control parameter values for it; and storing the correspondence between the access resource location identifier and the one or more control parameter values in preset custom control information.
TABLE 2
| Access resource location identifier | Time range control parameter | Count control parameter |
| url1 | 100 seconds | 50 |
| url2 | 60 seconds | 100 |
| url3 | 200 seconds | 200 |
Table 2 is an example of custom control information. The time range control parameter and the count control parameter are control parameters, and the time range control parameter value (for example, 100 seconds) and the count control parameter value (for example, 100 times) are the control parameter values corresponding to them. In the example of Table 2, the control parameter values corresponding to the access resource location identifier url1 are: time range control parameter value 100, count control parameter value 50. The access control policy for the access resource location identifier url1 therefore includes: at most 50 accesses are allowed within a 100-second range. A data table such as Table 2 may be used to store the correspondence between the access resource location identifier and one or more control parameter values, that is, the correspondence is stored in the preset custom control information.
In other words: the access resource location identifier to be configured is obtained; one or more corresponding traffic configuration parameter values and/or one or more corresponding control parameter values are configured for it; and the correspondence between the access resource location identifier and the one or more first traffic configuration parameter values and/or the one or more control parameter values is stored, and the custom configuration information is generated based on the correspondence. Generating the custom configuration information based on the correspondence includes: storing the correspondence between the access resource location identifier and the one or more first traffic configuration parameter values in preset custom traffic configuration information; and/or storing the correspondence between the access resource location identifier and the one or more control parameter values in preset custom control information. The custom traffic configuration information or the custom control information may be stored in a data table, a file, or the like.
Further, the user identifier of the access request is obtained. The user identifier, and the one or more items of user access information configured for it (such as user authority, user role, region code, other information, and the like), can be obtained from the user session corresponding to the access request (i.e., the user session generated after the user logs in). The user access information is configured as follows: determining a user identifier to be configured; configuring corresponding user access information for it, and storing the correspondence between the user identifier and the user access information. The user identifier to be configured may be a user name, a user identity ID, a user IP address, and the like. Further, a user information item (for example, including a user identifier, a user authority, a user role, a region code, other user information, and the like) is configured for the access resource location identifier to be configured, and the user information item is added to the custom configuration information. The user information item may be included among the custom traffic configuration parameters.
Further, the user information item that is included in the custom traffic configuration information and associated with the access resource location identifier is searched for one or more second traffic configuration parameter values that match the user identifier; if any second traffic configuration parameter value is found, the step of allowing or denying the access request according to the traffic control policy is performed; if none is found, the access request is allowed. Searching for one or more second traffic configuration parameter values that match the user identifier includes: searching, according to the stored correspondence, for one or more second traffic configuration parameter values that match the user access information. It can be understood that access requests may be sent by many different users. The user access information corresponding to the user identifier is therefore used to search the user information item associated with the access resource location identifier in the custom traffic configuration information for one or more second traffic configuration parameter values (e.g., values of parameters such as user authority, user role, region code, and the like) that match the user identifier, which refines the granularity of access decisions (to the user and interface level). The step of allowing or denying the access request according to the traffic control policy is as described for step S103 and is not repeated here. It will be appreciated that, depending on the application scenario, the second traffic configuration parameter values may be included in the first traffic configuration parameter values.
Further, the custom configuration information includes a switch option indicating whether the traffic configuration parameter values are in effect, and the method further includes: determining the state of the switch option corresponding to the access resource location identifier in the custom configuration information; and, when the state of the switch option indicates on, searching the custom configuration information for one or more first traffic configuration parameter values that match the access resource location identifier of the access request. Taking Table 1 as an example, the "switch option" parameter indicates, by its state "true" or "false", whether the corresponding configuration parameter values are in effect. When the value is "true", the state of the switch option is determined to be on, and in that case the step of searching the custom configuration information for one or more first traffic configuration parameter values that match the access resource location identifier of the access request is performed. The switch option further improves the flexibility of constructing the traffic control policy from the custom configuration information.
Further, the custom configuration information may be updated. Specifically, an update request for the custom configuration information is received, and the custom traffic configuration information is updated according to the access resource location identifier to be updated contained in the update request and the one or more traffic configuration parameter values and/or one or more control parameter values corresponding to that identifier. The access resource location identifier to be updated may be an existing access resource location identifier or a newly added one, accompanied by the one or more corresponding traffic configuration parameter values and/or control parameter values to be modified (or added). Updating the custom configuration information in this way further improves the flexibility and efficiency of access control.
Step S102: and constructing a control flow strategy corresponding to the access request based on the matched first flow configuration parameter value and/or the matched control parameter value.
Specifically, a control traffic policy corresponding to the access request is constructed based on the matched first traffic configuration parameter value or control parameter value described in step S101, or a combination of the first traffic configuration parameter value and the control parameter value.
The flow control strategy is described below by way of example in table 1 in conjunction with table 2:
aiming at the access request access resource positioning identifier url1, the constructed control flow policy 1 is; url 1: the user control with the region code of 130102, the role of 1 and the authority of 1 can be accessed 50 times within 100 seconds;
for the access request to access the resource location identifier url2, the constructed control traffic policy 2 is: url2, user control coded 130102 for region, role 1, can be accessed 100 times in 60 seconds, etc.
Further, constructing a control traffic policy corresponding to the access request based on the matched first traffic configuration parameter value and/or the matched control parameter value, including: inputting the matched first flow configuration parameter value and/or the matched control parameter value into a policy code module, combining the first flow configuration parameter value and/or the matched control parameter value by using the policy code module, and outputting information corresponding to the control flow policy; and storing information corresponding to the control flow strategy.
The policy code module may be code written with a custom ratelimit keygenerator component included in a rate limit tool. After the policy code module combines (for example, by character string splicing, character string combination, and the like) the first traffic configuration parameter value and/or control parameter value input to it with the access resource location identifier corresponding to the access request, it outputs information corresponding to the control traffic policy (for example, a character string or data indicating the information contained in the example control traffic policy 1). Further, the information corresponding to the control flow strategy for the access resource positioning identifier is stored in a cache, which improves the efficiency of matching the control flow strategy.
Further, analyzing a control category corresponding to the access request from the access resource positioning identifier; searching corresponding user-defined configuration information for the access resource positioning identifier based on the control category; constructing a control flow strategy corresponding to the access request, including: and constructing a control flow strategy corresponding to the access request for the control category. The control category may be related to a service scenario, for example: control categories of sensitive information, mobile phone short message transaction, message push transaction and the like; it will be appreciated that for different control categories, custom configuration information corresponding to the control category may be configured; and corresponding control flow strategies are constructed according to different control categories, so that the accuracy of access control is further improved, and the flexibility of managing the granularity of access control is improved.
Step S103: releasing or prohibiting the access request according to the control flow strategy.
Specifically, releasing or prohibiting the access request according to the control traffic policy includes: if the access information of the access request satisfies the control flow strategy, prohibiting the access request; otherwise, releasing the access request. The description of the control flow policy is the same as that of step S102, and is not repeated here. It can be understood that, in addition to controlling the number of access requests, access requests may be controlled after a determination based on information corresponding to the access requests, so as to improve the information security of the microservice system and improve the stability and availability of the system.
For example: if the user access information configured for user 1, who sends the access request for the access resource location identifier url1, includes any one of role 1, authority 1 and region code 130102, and the control traffic policy 1 constructed for url1 is satisfied, the access request corresponding to url1 sent by user 1 is prohibited; the prohibition may include waiting, slowing down, blocking, etc. As another example: if the user access information configured for user 2, who sends url1, includes none of role 1, authority 1 and region code 130102, and the control flow policy 1 constructed for the access resource location identifier url1 is not satisfied, the access request corresponding to url1 is released, so that it continues on to access the service of the microservice system and obtains feedback information or data.
Further, the control parameter values corresponding to the control parameters included in the control flow policy include: time range control parameter values and/or number of times control parameter values:
For the case where the control parameter value is a time range control parameter value: an access request sent by a client is received, and the access request and its access time point are stored; the access time range of the access request is calculated; and if the calculated access time range is within the time range control parameter value contained in the control flow strategy, it is determined that the access request does not satisfy the control flow strategy. Specifically, taking table 2 as an example, the control traffic policy of the access resource location identifier url1 corresponding to the access request includes a time range control parameter value (e.g., 100 seconds); the access time point of each access to url1 may be saved using the set value of key1, and the access time range of the access request is calculated from the time point at which access to url1 was first received and the subsequent time points at which access to url1 is received. If the calculated access time range is within the time range control parameter value (e.g., 100 seconds) included in the control traffic policy, it is determined that the access request does not satisfy the control traffic policy; that is, the access request corresponding to url1 is released.
For the case where the control parameter value is a number of times control parameter value: the number of accesses of the access request is counted; and if the counted number of accesses is within the number of times control parameter value contained in the control flow policy, it is determined that the access request does not satisfy the control flow policy. Specifically, taking table 2 as an example: the control flow policy of the access resource location identifier url1 corresponding to the access request contains a number of times control parameter value (for example, 50 times); each access to url1 may be saved using the set value of key2 so as to count the number of accesses of the access request, and if the counted number of accesses is within the number of times control parameter value (for example, 50 times) contained in the control flow policy, it is determined that the access request does not satisfy the control flow policy; that is, the access request corresponding to url1 is released.
Preferably, for the case where the control parameter values include both a time range control parameter value and a number of times control parameter value: it is judged whether the access time range of the access request is smaller than the time range control parameter value, and if so, the number of accesses of the access request is acquired; where the number of accesses is smaller than the number of times control parameter value, it is determined that the access request does not satisfy the flow control strategy. Specifically, taking table 2 as an example: the control flow policy of url1 corresponding to the access request includes a time range control parameter value (100 seconds) and a number of times control parameter value (e.g., 50 times); then, on the basis of judging the access time range of the access request corresponding to the access resource location identifier url1, the number of accesses of that access request is counted, and where the number of accesses is smaller than the number of times control parameter value, it is determined that the access request does not satisfy the flow control strategy. For example: if the number of accesses within 100 seconds is less than 50, it is determined that the access request does not satisfy the flow control strategy, that is, the access request corresponding to url1 is released; otherwise, the access request is prohibited.
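The following Python code is an added example, not code from the patent: it implements the preferred combined check above (time range plus number of times) together with the spliced policy string, the any-one-attribute user match, the switch option and the runtime update of the custom configuration. The names `Rule`, `AccessController` and `build_policy_key`, the key format, keeping counters per policy string, starting a new window once the time range has elapsed (the text does not say what happens then) and releasing requests for unconfigured URLs are all assumptions of this example.

```python
import threading
import time
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass
class Rule:
    """One entry of the custom configuration information for a URL (assumed layout)."""
    flow_params: Dict[str, str]   # flow configuration parameter values, e.g. {"role": "1"}
    window_seconds: float         # time range control parameter value
    max_requests: int             # number of times control parameter value
    enabled: bool = True          # switch option: is this rule in effect?


def build_policy_key(url: str, rule: Rule) -> str:
    """Splice URL, flow parameters and control parameters into one policy string.

    Only values taken from the configuration are spliced in, never request data,
    so a client cannot influence which counter its request is charged to.
    """
    flow = ",".join(f"{k}={v}" for k, v in sorted(rule.flow_params.items()))
    return f"{url}|{flow}|{rule.max_requests}/{rule.window_seconds}s"


class AccessController:
    def __init__(self, clock: Callable[[], float] = time.monotonic):
        self._clock = clock
        self._lock = threading.Lock()
        self._config: Dict[str, Rule] = {}          # custom configuration information
        self._policy_cache: Dict[str, str] = {}     # url -> cached policy string
        self._windows: Dict[str, List[float]] = {}  # policy string -> [start, count]

    def update_config(self, url: str, rule: Rule) -> None:
        """Add or replace a rule at runtime; no restart or code change is needed."""
        with self._lock:
            self._config[url] = rule
            old_key = self._policy_cache.pop(url, None)  # policy is rebuilt on next use
            if old_key is not None:
                self._windows.pop(old_key, None)

    def check(self, url: str, user_attrs: Dict[str, str]) -> bool:
        """Return True to release the request, False to prohibit it."""
        with self._lock:
            rule = self._config.get(url)
            if rule is None or not rule.enabled:
                return True  # assumption: unconfigured or switched-off URLs are released
            # The policy applies when the user has any one of the configured attributes.
            if not any(user_attrs.get(k) == v for k, v in rule.flow_params.items()):
                return True
            key = self._policy_cache.get(url)
            if key is None:
                key = self._policy_cache[url] = build_policy_key(url, rule)
            now = self._clock()
            state = self._windows.get(key)
            # Access time range = now - first access; assumption: restart when elapsed.
            if state is None or now - state[0] >= rule.window_seconds:
                state = self._windows[key] = [now, 0]
            if state[1] >= rule.max_requests:
                return False  # limit reached inside the time range: prohibit
            state[1] += 1
            return True


class FakeClock:
    """Settable clock so the demonstration does not have to sleep."""
    def __init__(self) -> None:
        self.now = 0.0

    def __call__(self) -> float:
        return self.now


def demo() -> dict:
    clock = FakeClock()
    ac = AccessController(clock)
    # Policy 1 from the text: url1, region 130102 / role 1 / authority 1, 50 times in 100 s.
    ac.update_config("url1", Rule({"region": "130102", "role": "1", "authority": "1"}, 100, 50))
    user1 = {"role": "1", "region": "000000"}                    # constructed; matches on role
    user2 = {"role": "2", "region": "000000", "authority": "3"}  # constructed; matches nothing
    out = {}
    out["first_50"] = all(ac.check("url1", user1) for _ in range(50))
    out["51st"] = ac.check("url1", user1)
    out["unmatched_user"] = ac.check("url1", user2)
    clock.now = 100.0                                            # time range has elapsed
    out["after_window"] = ac.check("url1", user1)
    ac.update_config("url1", Rule({"role": "1"}, 100, 1))        # tighten the limit live
    out["after_update"] = [ac.check("url1", user1), ac.check("url1", user1)]
    ac.update_config("url1", Rule({"role": "1"}, 100, 1, enabled=False))
    out["switch_off"] = ac.check("url1", user1)
    return out


if __name__ == "__main__":
    print(demo())
```

Because counters are keyed by the policy string, changing a rule's parameters starts a fresh counter for that URL; a deployment that must not reset counts on update would key the counter on the URL instead.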
As shown in fig. 2, an embodiment of the present invention provides a method for controlling access, which may include the following steps:
Step S201: receiving an access request sent by the client.
Step S202: searching the custom configuration information for one or more first flow configuration parameter values matched with the access resource positioning identifier of the access request.
Step S203: searching the custom configuration information for one or more control parameter values matched with the access resource positioning identifier of the access request.
Step S204: constructing a control flow strategy corresponding to the access request based on the matched first flow configuration parameter value and the matched control parameter value.
Step S205: judging whether the control flow strategy is satisfied; if so, executing step S207, otherwise executing step S206.
Step S206: releasing the access request.
Step S207: prohibiting the access request.
Specifically, steps S201 to S207 describe the flow of controlling access to the access resource location identifier when the custom configuration information configures both flow configuration parameter values and control parameter values for that identifier. The description of finding one or more first traffic configuration parameter values matching the access resource location identifier of the access request from the custom configuration information, and of finding one or more control parameter values matching the access resource location identifier of the access request from the custom configuration information, is consistent with the description of step S101 and is not repeated here. The description of constructing the control traffic policy corresponding to the access request based on the matched first traffic configuration parameter value and the matched control parameter value is consistent with the description of step S102 and is not repeated here. The description of determining whether the control traffic policy is satisfied, in order to decide whether to release or prohibit the access request, is consistent with the description of step S103 and is not repeated here.
As shown in fig. 3, an embodiment of the present invention provides an apparatus 300 for controlling access, including: a search information module 301, a policy construction module 302 and a control access module 303; wherein
the search information module 301 is configured to receive an access request sent by a client, and search, from the user-defined configuration information, one or more first traffic configuration parameter values and/or one or more control parameter values that are matched with an access resource location identifier of the access request;
the policy construction module 302 is configured to construct a control traffic policy corresponding to the access request based on the matched first traffic configuration parameter value and/or the matched control parameter value;
the control access module 303 is configured to release or prohibit the access request according to the control traffic policy.
An embodiment of the present invention further provides an electronic device for controlling access, including: one or more processors; the storage device is used for storing one or more programs, and when the one or more programs are executed by the one or more processors, the one or more processors are enabled to realize the method provided by any one of the above embodiments.
Embodiments of the present invention further provide a computer-readable medium, on which a computer program is stored, where the computer program, when executed by a processor, implements the method provided in any of the above embodiments.
The computer program product of the invention comprises a computer program which, when executed by a processor, implements the method of controlling access in embodiments of the invention.
Fig. 4 shows an exemplary system architecture 400 of a method of controlling access or an apparatus for controlling access to which embodiments of the present invention may be applied.
As shown in fig. 4, the system architecture 400 may include terminal devices 401, 402, 403, a network 404, and a server 405. The network 404 serves as a medium for providing communication links between the terminal devices 401, 402, 403 and the server 405. Network 404 may include various types of connections, such as wired or wireless communication links, or fiber optic cables, to name a few.
A user may use terminal devices 401, 402, 403 to interact with a server 405 over a network 404 to receive or send messages or the like. The terminal devices 401, 402, 403 may have various client applications installed thereon, such as an e-mall client application, an e-banking client application, a financial application client, and the like.
The terminal devices 401, 402, 403 may be various electronic devices having display screens and supporting various client applications, including but not limited to smart phones, tablet computers, laptop portable computers, desktop computers, and the like.
The server 405 may be a server providing various services, such as a background management server providing support for client applications used by users with the terminal devices 401, 402, 403. The background management server can process the received access request and feed back the processing result of releasing or prohibiting the access request to the terminal equipment.
It should be noted that the method for controlling access provided by the embodiment of the present invention is generally executed by the server 405, and accordingly, the apparatus for controlling access is generally disposed in the server 405.
It should be understood that the number of terminal devices, networks, and servers in fig. 4 is merely illustrative. There may be any number of terminal devices, networks, and servers, as desired for implementation.
Referring now to FIG. 5, shown is a block diagram of a computer system 500 suitable for use with a terminal device implementing an embodiment of the present invention. The terminal device shown in fig. 5 is only an example, and should not bring any limitation to the functions and the scope of use of the embodiments of the present invention.
As shown in fig. 5, the computer system 500 includes a Central Processing Unit (CPU)501 that can perform various appropriate actions and processes according to a program stored in a Read Only Memory (ROM)502 or a program loaded from a storage section 508 into a Random Access Memory (RAM) 503. In the RAM 503, various programs and data necessary for the operation of the system 500 are also stored. The CPU 501, ROM 502, and RAM 503 are connected to each other via a bus 504. An input/output (I/O) interface 505 is also connected to bus 504.
The following components are connected to the I/O interface 505: an input portion 506 including a keyboard, a mouse, and the like; an output portion 507 including a display such as a Cathode Ray Tube (CRT), a Liquid Crystal Display (LCD), and the like, and a speaker; a storage portion 508 including a hard disk and the like; and a communication section 509 including a network interface card such as a LAN card, a modem, or the like. The communication section 509 performs communication processing via a network such as the internet. The drive 510 is also connected to the I/O interface 505 as necessary. A removable medium 511 such as a magnetic disk, an optical disk, a magneto-optical disk, a semiconductor memory, or the like is mounted on the drive 510 as necessary, so that a computer program read out therefrom is installed into the storage section 508 as necessary.
In particular, according to the embodiments of the present disclosure, the processes described above with reference to the flowcharts may be implemented as computer software programs. For example, embodiments of the present disclosure include a computer program product comprising a computer program embodied on a computer readable medium, the computer program comprising program code for performing the method illustrated in the flow chart. In such an embodiment, the computer program may be downloaded and installed from a network through the communication section 509, and/or installed from the removable medium 511. The computer program performs the above-described functions defined in the system of the present invention when executed by the Central Processing Unit (CPU) 501.
It should be noted that the computer readable medium shown in the present invention can be a computer readable signal medium or a computer readable storage medium or any combination of the two. A computer readable storage medium may be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any combination of the foregoing. More specific examples of the computer readable storage medium may include, but are not limited to: an electrical connection having one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the present invention, a computer readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device. In the present invention, however, a computer readable signal medium may include a propagated data signal with computer readable program code embodied therein, for example, in baseband or as part of a carrier wave. Such a propagated data signal may take many forms, including, but not limited to, electro-magnetic, optical, or any suitable combination thereof. A computer readable signal medium may also be any computer readable medium that is not a computer readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device. Program code embodied on a computer readable medium may be transmitted using any appropriate medium, including but not limited to: wireless, wire, fiber optic cable, RF, etc., or any suitable combination of the foregoing.
The flowchart and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present invention. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams or flowchart illustration, and combinations of blocks in the block diagrams or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
The modules and/or units described in the embodiments of the present invention may be implemented by software, and may also be implemented by hardware. The described modules and/or units may also be provided in a processor, and may be described as: a processor includes a search information module, a policy construction module, and a control access module. The names of these modules do not, in some cases, constitute a limitation on the modules themselves; for example, the control access module may also be described as a "module that passes or disallows the access request according to the control traffic policy".
As another aspect, the present invention also provides a computer program product comprising a computer program which, when executed by a processor, implements the method of controlling access in embodiments of the present invention.
As another aspect, the present invention also provides a computer-readable medium that may be contained in the apparatus described in the above embodiments, or may exist separately without being incorporated into the apparatus. The computer readable medium carries one or more programs which, when executed by a device, cause the device to perform: receiving an access request sent by a client, and searching one or more first traffic configuration parameter values and/or one or more control parameter values matched with an access resource positioning identifier of the access request from custom configuration information; constructing a control flow strategy corresponding to the access request based on the matched first flow configuration parameter value and/or the matched control parameter value; and releasing or prohibiting the access request according to the control flow strategy.
The embodiment of the invention can receive an access request sent by a client, and search one or more first traffic configuration parameter values and/or one or more control parameter values matched with an access resource positioning identifier of the access request from the custom configuration information; constructing a control flow strategy corresponding to the access request; and releasing or prohibiting the access request according to the control flow strategy. By customizing the configuration information, the flexibility of determining the configuration parameters and the flexibility of managing and controlling the access granularity are improved; by dynamically constructing the control flow strategy, the problem of poor flexibility caused by the fact that a configuration file or a code needs to be modified in order to modify the control flow strategy in the existing method is solved, the problem that the system needs to be restarted in order to modify configuration information in the existing method is solved, and the flexibility and the efficiency of control flow are improved.
The above-described embodiments should not be construed as limiting the scope of the invention. Those skilled in the art will appreciate that various modifications, combinations, sub-combinations, and substitutions can occur, depending on design requirements and other factors. Any modification, equivalent replacement, and improvement made within the spirit and principle of the present invention should be included in the protection scope of the present invention.

Claims (18)

1. A method of controlling access, comprising:
receiving an access request sent by a client,
searching one or more first flow configuration parameter values and/or one or more control parameter values matched with the access resource positioning identification of the access request from the self-defined configuration information;
constructing a control flow strategy corresponding to the access request based on the matched first flow configuration parameter value and/or the matched control parameter value;
and releasing or prohibiting the access request according to the control flow strategy.
2. The method of claim 1, further comprising: acquiring a user identifier of the access request;
searching one or more second flow configuration parameter values matched with the user identification from a user information item associated with the access resource positioning identification and included in the user-defined flow configuration information;
under the condition that any one second flow configuration parameter value is found, the step of releasing or forbidding the access request according to the control flow strategy is executed;
and if none is found, the access request is released.
3. The method of claim 2, further comprising:
determining a user identifier to be configured;
configuring corresponding user access information for the user identifier to be configured, and storing the corresponding relation between the user identifier and the user access information;
the searching for one or more second traffic configuration parameter values matching the user identification comprises:
and searching one or more second flow configuration parameter values matched with the user access information according to the corresponding relation.
4. The method of claim 1, further comprising:
acquiring a positioning identifier of an access resource to be configured;
configuring one or more corresponding flow configuration parameter values and/or one or more corresponding control parameter values for the to-be-configured access resource positioning identifier; and storing the corresponding relation between the access resource positioning identifier and one or more first flow configuration parameter values and/or one or more control parameter values, and generating user-defined configuration information based on the corresponding relation.
5. The method of claim 4, wherein
generating the custom configuration information based on the corresponding relation comprises the following steps:
storing the corresponding relation between the access resource positioning identifier and one or more first flow configuration parameter values into set custom flow configuration information;
and/or,
storing the corresponding relation between the access resource positioning identifier and one or more control parameter values into set custom control information.
6. The method of claim 1, further comprising:
and configuring a user information item for the to-be-configured access resource positioning identifier, and adding the user information item to the custom configuration information.
7. The method of claim 1,
constructing a control flow policy corresponding to the access request based on the matched first flow configuration parameter value and/or the matched control parameter value, including:
inputting the matched first flow configuration parameter value and/or the matched control parameter value into a policy code module, combining the first flow configuration parameter value and/or the matched control parameter value by using the policy code module, and outputting information corresponding to the control flow policy;
and storing information corresponding to the control flow strategy.
8. The method of claim 1,
according to the control flow strategy, releasing or forbidding the access request comprises the following steps:
if the access information of the access request meets the control flow strategy, forbidding the access request; otherwise, the access request is released.
9. The method of claim 8, further comprising:
for the case where the control parameter value is a time-range control parameter value,
receiving an access request sent by a client, and storing the access request and an access time point of the access request;
calculating an access time range of the access request;
and if the calculated access time range of the access request is within the time range control parameter value contained in the control flow strategy, determining that the access request does not satisfy the control flow strategy.
10. The method of claim 8, further comprising:
for the case where the control parameter value is a number of times control parameter value,
counting the access times of the access request;
and if the counted access times of the access request are within the number of times control parameter value contained in the control flow policy, determining that the access request does not satisfy the control flow policy.
11. The method of claim 8, wherein:
for the case where the control parameter values include time range control parameter values and number of times control parameter values,
judging whether the access time range of the access request is smaller than the time range control parameter value, if so, acquiring the access times of the access request;
and determining that the access request does not satisfy the flow control strategy under the condition that the access times are smaller than the number of times control parameter value.
12. The method of claim 1, further comprising:
analyzing the control category corresponding to the access request from the access resource positioning identifier;
searching corresponding user-defined configuration information for the access resource positioning identifier based on the control category;
constructing a control flow strategy corresponding to the access request, including:
and constructing a control flow strategy corresponding to the access request for the control category.
13. The method of claim 1,
the custom configuration information comprises a switch option for indicating whether the flow configuration parameter value is effective;
further comprising: determining the state of the switch option corresponding to the access resource positioning identifier in the self-defined configuration information;
and under the condition that the state indication of the switch option is determined to be on, searching one or more first flow configuration parameter values matched with the access resource positioning identification of the access request from the user-defined configuration information.
14. The method of claim 1, further comprising:
receiving an update request for the custom configuration information;
updating the custom configuration information according to the access resource positioning identifier to be updated contained in the update request and the one or more flow configuration parameter values and/or one or more control parameter values corresponding to the access resource positioning identifier to be updated.
15. An apparatus for controlling access, comprising: a search information module, a policy construction module and a control access module; wherein
the search information module is used for receiving an access request sent by a client and searching one or more first flow configuration parameter values and/or one or more control parameter values matched with the access resource positioning identifier of the access request from custom configuration information;
the policy construction module is configured to construct a control traffic policy corresponding to the access request based on the matched first traffic configuration parameter value and/or the matched control parameter value;
and the control access module is used for releasing or forbidding the access request according to the control flow strategy.
16. An electronic device, comprising:
one or more processors;
a storage device for storing one or more programs,
the one or more programs, when executed by the one or more processors, cause the one or more processors to implement the method of any one of claims 1-14.
17. A computer-readable medium, on which a computer program is stored, which, when being executed by a processor, carries out the method according to any one of claims 1-14.
18. A computer program product comprising a computer program, characterized in that the program, when executed by a processor, implements the method according to any one of claims 1-14.
CN202111642990.5A 2021-12-29 Access control method and device Active CN114301778B (en)

Publications (2)

Publication Number Publication Date
CN114301778A (en) 2022-04-08
CN114301778B (en) 2024-05-03



Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant