CN114301778B - Access control method and device - Google Patents

Publication number
CN114301778B
Authority
CN
China
Prior art keywords: access, control, access request, flow, parameter values
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202111642990.5A
Other languages
Chinese (zh)
Other versions
CN114301778A (en)
Inventor
刘欢欢
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
China Construction Bank Corp
Original Assignee
China Construction Bank Corp
Application filed by China Construction Bank Corp
Priority to CN202111642990.5A
Publication of CN114301778A
Application granted
Publication of CN114301778B
Legal status: Active

Landscapes

  • Mobile Radio Communication Systems (AREA)
  • Storage Device Security (AREA)

Abstract

The invention discloses a method and a device for controlling access, and relates to the field of resource management. One embodiment of the method comprises: receiving an access request sent by a client, and searching custom configuration information for one or more first flow configuration parameter values and/or one or more control parameter values that match the access resource location identifier of the access request; constructing a control flow policy corresponding to the access request; and releasing or prohibiting the access request according to the control flow policy. The custom configuration information makes it more flexible to determine configuration parameters and to manage the granularity of access control. Constructing the control flow policy dynamically solves two problems of the existing method: the poor flexibility caused by having to modify a configuration file or code in order to modify the control flow policy, and the need to restart the system after modifying configuration information. The flexibility and efficiency of flow control are thereby improved.

Description

Access control method and device
Technical Field
The present invention relates to the field of resource management, and in particular, to a method and apparatus for controlling access.
Background
In a distributed system with multiple service types, the system must remain stable and highly available under high concurrency. At present, this is achieved by controlling the flow of access requests (rate limiting).
Current methods of controlling access request traffic typically use a preset configuration file or code to specify a control policy for preset user information (e.g., user identification, user IP address, etc.). When some scenarios require the control policy to be modified (e.g., adding or modifying control parameters), the existing configuration file or code must be modified and the system must be restarted for the modified control policy to take effect. The existing method therefore suffers from high coupling and poor flexibility in configuring control policies, and from coarse granularity and low efficiency in controlling the flow of access requests.
Disclosure of Invention
In view of this, embodiments of the present invention provide a method and an apparatus for controlling access, which receive an access request sent by a client and search custom configuration information for one or more first flow configuration parameter values and/or one or more control parameter values that match the access resource location identifier of the access request; construct a control flow policy corresponding to the access request; and release or prohibit the access request according to the control flow policy. The custom configuration information makes it more flexible to determine configuration parameters and to manage the granularity of access control. Constructing the control flow policy dynamically solves two problems of the existing method: the poor flexibility caused by having to modify a configuration file or code in order to modify the control flow policy, and the need to restart the system after modifying configuration information. The flexibility and efficiency of flow control are thereby improved.
To achieve the above object, according to one aspect of the embodiments of the present invention, there is provided a method of controlling access, including: receiving an access request sent by a client, and searching custom configuration information for one or more first flow configuration parameter values and/or one or more control parameter values that match the access resource location identifier of the access request; constructing a control flow policy corresponding to the access request based on the matched first flow configuration parameter values and/or control parameter values; and releasing or prohibiting the access request according to the control flow policy.
Optionally, the method further comprises: acquiring a user identifier of the access request; searching the user information items associated with the access resource location identifier in the custom flow configuration information for one or more second flow configuration parameter values that match the user identifier; if any second flow configuration parameter value is found, executing the step of releasing or prohibiting the access request according to the control flow policy; and if not, releasing the access request.
Optionally, the method further comprises: determining a user identifier to be configured; configuring corresponding user access information for the user identifier to be configured, and storing the correspondence between the user identifier and the user access information. Searching for one or more second flow configuration parameter values that match the user identifier then comprises: searching, according to the correspondence, for one or more second flow configuration parameter values that match the user access information.
Optionally, the method further comprises: acquiring an access resource location identifier to be configured; configuring one or more corresponding flow configuration parameter values and/or one or more control parameter values for the access resource location identifier to be configured; and storing the correspondence between the access resource location identifier and the one or more first flow configuration parameter values and/or one or more control parameter values, and generating custom configuration information based on the correspondence.
Optionally, generating custom configuration information based on the correspondence comprises: storing the correspondence between the access resource location identifier and one or more first flow configuration parameter values in the set custom flow configuration information; and/or storing the correspondence between the access resource location identifier and one or more control parameter values in the set custom control information.
Optionally, the method further comprises: configuring a user information item for the access resource location identifier to be configured, and adding the user information item to the custom configuration information.
Optionally, constructing a control flow policy corresponding to the access request based on the matched first flow configuration parameter values and/or control parameter values comprises: inputting the matched first flow configuration parameter values and/or control parameter values into a policy code module, and using the policy code module to combine them and output information corresponding to the control flow policy; and storing the information corresponding to the control flow policy.
Optionally, releasing or prohibiting the access request according to the control flow policy comprises: if the access information of the access request meets the control flow policy, prohibiting the access request; otherwise, releasing the access request.
Optionally, where the control parameter value is a time range control parameter value, the method further comprises: receiving an access request sent by a client, and storing the access request and the access time point of the access request; calculating the access time range of the access request; and if the calculated access time range of the access request is within the time range control parameter value contained in the control flow policy, determining that the access request does not meet the control flow policy.
Optionally, where the control parameter value is a number-of-times control parameter value, the method further comprises: counting the number of accesses of the access request; and if the counted number of accesses is within the number-of-times control parameter value contained in the control flow policy, determining that the access request does not meet the control flow policy.
Optionally, where the control parameter values comprise both a time range control parameter value and a number-of-times control parameter value: judging whether the access time range of the access request is smaller than the time range control parameter value and, if so, acquiring the number of accesses of the access request; and where the number of accesses is smaller than the number-of-times control parameter value, determining that the access request does not meet the control flow policy.
Optionally, the method further comprises: parsing the control category corresponding to the access request from the access resource location identifier; and searching, based on the control category, for the custom configuration information corresponding to the access resource location identifier. Constructing a control flow policy corresponding to the access request then comprises: constructing, for the control category, a control flow policy corresponding to the access request.
Optionally, the custom configuration information includes a switch option for indicating whether the flow configuration parameter values are in effect, and the method further comprises: determining the state of the switch option corresponding to the access resource location identifier in the custom configuration information; and where the state of the switch option indicates on, executing the step of searching the custom configuration information for one or more first flow configuration parameter values that match the access resource location identifier of the access request.
Optionally, the method further comprises: receiving an update request for the custom configuration information; and updating the custom configuration information according to the access resource location identifier to be updated contained in the update request and the one or more flow configuration parameter values and/or one or more control parameter values corresponding to that identifier.
To achieve the above object, according to a second aspect of an embodiment of the present invention, there is provided an apparatus for controlling access, comprising: an information search module, a policy construction module and an access control module, wherein:
the information search module is used for receiving an access request sent by a client, and searching custom configuration information for one or more first flow configuration parameter values and/or one or more control parameter values that match the access resource location identifier of the access request;
the policy construction module is used for constructing a control flow policy corresponding to the access request based on the matched first flow configuration parameter values and/or control parameter values;
and the access control module is used for releasing or prohibiting the access request according to the control flow policy.
To achieve the above object, according to a third aspect of an embodiment of the present invention, there is provided an electronic device for controlling access, including: one or more processors; and a storage means for storing one or more programs that, when executed by the one or more processors, cause the one or more processors to implement any of the methods of controlling access described above.
To achieve the above object, according to a fourth aspect of embodiments of the present invention, there is provided a computer-readable medium having stored thereon a computer program which, when executed by a processor, implements any of the methods of controlling access described above.
To achieve the above object, according to still another aspect of an embodiment of the present invention, there is provided a computer program product. The computer program product of the embodiment of the invention comprises a computer program which, when executed by a processor, implements the method of controlling access provided by the embodiment of the invention.
One embodiment of the above invention has the following advantages or benefits: an access request sent by a client is received, and custom configuration information is searched for one or more first flow configuration parameter values and/or one or more control parameter values that match the access resource location identifier of the access request; a control flow policy corresponding to the access request is constructed; and the access request is released or prohibited according to the control flow policy. The custom configuration information makes it more flexible to determine configuration parameters and to manage the granularity of access control. Constructing the control flow policy dynamically solves two problems of the existing method: the poor flexibility caused by having to modify a configuration file or code in order to modify the control flow policy, and the need to restart the system after modifying configuration information. The flexibility and efficiency of flow control are thereby improved.
Further effects of the above non-conventional alternatives are described below in connection with the embodiments.
Drawings
The drawings are included to provide a better understanding of the invention and are not to be construed as unduly limiting the invention. In the drawings:
FIG. 1 is a flow chart of a method for controlling access according to one embodiment of the present invention;
FIG. 2 is a flow diagram of controlling access provided by one embodiment of the present invention;
FIG. 3 is a schematic diagram of an apparatus for controlling access according to an embodiment of the present invention;
FIG. 4 is an exemplary system architecture diagram in which embodiments of the present invention may be applied;
FIG. 5 is a schematic diagram of a computer system suitable for use in implementing an embodiment of the invention.
Detailed Description
Exemplary embodiments of the present invention will now be described with reference to the accompanying drawings, in which various details of the embodiments of the present invention are included to facilitate understanding, and are to be considered merely exemplary. Accordingly, those of ordinary skill in the art will recognize that various changes and modifications of the embodiments described herein can be made without departing from the scope and spirit of the invention. Also, descriptions of well-known functions and constructions are omitted in the following description for clarity and conciseness.
As shown in fig. 1, an embodiment of the present invention provides a method for controlling access, which may include the following steps:
Step S101: receiving an access request sent by a client, and searching custom configuration information for one or more first flow configuration parameter values and/or one or more control parameter values that match the access resource location identifier of the access request.
Specifically, the access request may be an access request to a microservice-based business system (e.g., a financial system, a corporate management system, etc.), where the business system is, for example, a microservice system implemented on the SpringCloud microservice framework. The receiver of the access request sent by the client may be a service gateway in the microservice system; for example, the Zuul gateway included in a microservice system based on the SpringCloud architecture may be used to receive the access request sent by the client, so that the access request can be processed further (e.g., authenticated, controlled, etc.).
Further, matching parameters are searched for in the custom configuration information according to the access resource location identifier (such as a Uniform Resource Locator, URL) corresponding to the access request, where the custom configuration information comprises custom flow configuration information, custom control information, or a combination of the two.
Specifically, the custom flow configuration information includes one or more first flow configuration parameter values corresponding to the access resource location identifier. The method for configuring first flow configuration parameter values for an access resource location identifier comprises: acquiring the access resource location identifier to be configured; configuring one or more corresponding flow configuration parameter values for the access resource location identifier to be configured; and storing the correspondence between the access resource location identifier and the one or more first flow configuration parameter values in the set custom flow configuration information.
TABLE 1
Access resource location identifier    Rights     Role       Region code    Switch option
url1                                   1          1          130102         true
url2                                   (empty)    1          130102         true
url3                                   (empty)    (empty)    130102         true
Table 1 is an example of custom flow configuration information, in which rights, role, region code and switch option are flow configuration parameters, and the values corresponding to the respective flow configuration parameters are flow configuration parameter values. In the example of Table 1, the first flow configuration parameter values corresponding to the access resource location identifier url1 are: rights 1, role 1, region code 130102, etc. The flow configuration parameters and the corresponding flow configuration parameter values are set according to the application scenario. In the example of Table 1, the rights parameter can represent the permission setting for accessing the web page corresponding to a given access resource location identifier, with '1' representing that access is prohibited; the role can represent the role of the user who sends the access resource location identifier (url) (e.g., administrator 1, general user 2, set user 3, etc.); and the region code can represent the code of the geographic range (e.g., provincial-level range, municipal-level range, regional-level range, etc.) in which the access resource location identifier is sent. Setting each first flow configuration parameter value for url1 configures the correspondence between the access resource location identifier and one or more first flow configuration parameter values. As shown in Table 1, a plurality of such correspondences are stored; that is, the correspondences between access resource location identifiers and one or more first flow configuration parameter values are stored in the set custom flow configuration information.
Further, the custom control information includes one or more control parameter values corresponding to the access resource location identifier. The method for configuring control parameter values for an access resource location identifier comprises: acquiring the access resource location identifier to be configured; configuring one or more corresponding control parameter values for the access resource location identifier to be configured; and storing the correspondence between the access resource location identifier and the one or more control parameter values in the set custom control information.
TABLE 2
Access resource location identifier    Time range control parameter    Number-of-times control parameter
url1                                   100 seconds                     50
url2                                   60 seconds                      100
url3                                   200 seconds                     200
Table 2 is an example of custom control information, in which the time range control parameter and the number-of-times control parameter are control parameters, and the time range control parameter value (for example, 100 seconds) and the number-of-times control parameter value (for example, 100 times) are the control parameter values corresponding to them. In the example of Table 2, the control parameter values corresponding to the access resource location identifier url1 are: time range control parameter value 100 and number-of-times control parameter value 50. The policy for controlling access to the access resource location identifier url1 therefore includes: the maximum number of allowed accesses within 100 seconds is 50. The data table corresponding to Table 2 may store the correspondences between access resource location identifiers and one or more control parameter values; that is, these correspondences are stored in the set custom control information.
In other words: the access resource location identifier to be configured is acquired; one or more corresponding flow configuration parameter values and/or one or more control parameter values are configured for it; the correspondence between the access resource location identifier and the one or more first flow configuration parameter values and/or one or more control parameter values is stored; and custom configuration information is generated based on the correspondence. Further, generating custom configuration information based on the correspondence comprises: storing the correspondence between the access resource location identifier and one or more first flow configuration parameter values in the set custom flow configuration information; and/or storing the correspondence between the access resource location identifier and one or more control parameter values in the set custom control information. The custom flow configuration information or custom control information may be stored in a data table, a file, or the like.
Further, a user identifier of the access request is acquired. The user identifier and one or more pieces of user access information configured for it (such as user authority, user role, region code, other information and the like) can be obtained from the user session corresponding to the access request (namely, the user session generated after the user logs in). The method for configuring the user access information comprises: determining a user identifier to be configured; configuring corresponding user access information for the user identifier to be configured; and storing the correspondence between the user identifier and the user access information. The user identifier to be configured may be a user name, a user identity ID, a user IP address, etc. Further, user information items (including, for example, user identification, user authority, user role, region code, other user information, etc.) are configured for the access resource location identifier to be configured and added to the custom configuration information. The user information items may be included in a plurality of custom flow configuration parameters.
Further, the user information items associated with the access resource location identifier in the custom flow configuration information are searched for one or more second flow configuration parameter values that match the user identifier. If any second flow configuration parameter value is found, the step of releasing or prohibiting the access request according to the control flow policy is executed; if not, the access request is released. Searching for one or more second flow configuration parameter values that match the user identifier comprises: searching, according to the correspondence, for one or more second flow configuration parameter values that match the user access information. It can be appreciated that access requests may be sent by a plurality of different users, so the user access information corresponding to the user identifier is used to further search the user information items associated with the access resource location identifier in the custom flow configuration information for one or more second flow configuration parameter values (for example, values of parameters such as user authority, user role, region code, etc.) that match the user identifier, thereby reducing the granularity at which access is judged (to the user and interface level). The step of releasing or prohibiting the access request according to the control flow policy is the same as described in step S103 and is not described in detail here. It is understood that the second flow configuration parameter values may be included in the first flow configuration parameter values, depending on the application scenario.
Further, the custom configuration information includes a switch option for indicating whether the flow configuration parameter values are in effect, and the method further comprises: determining the state of the switch option corresponding to the access resource location identifier in the custom configuration information; and where the state of the switch option indicates on, executing the step of searching the custom configuration information for one or more first flow configuration parameter values that match the access resource location identifier of the access request. Taking Table 1 as an example, Table 1 contains the "switch option" parameter, whose state, "true" or "false", indicates whether the corresponding configuration parameter values take effect. If the parameter value is "true", the state of the switch option is determined to be on, and in that case the step of searching the custom configuration information for one or more first flow configuration parameter values that match the access resource location identifier of the access request is executed. Setting the switch option further improves the flexibility of constructing the control flow policy from the custom configuration information.
Further, the custom configuration information may be updated. Specifically, an update request for the custom configuration information is received, and the custom flow configuration information is updated according to the access resource location identifier to be updated contained in the update request and the one or more flow configuration parameter values and/or one or more control parameter values corresponding to that identifier. The access resource location identifier to be updated may be an existing access resource location identifier or a newly added one, and the update request carries the corresponding one or more flow configuration parameter values and/or control parameter values to be modified (or added), so that the custom configuration information is updated. Updating the custom configuration information in this way further improves the flexibility and efficiency of controlling access.
Step S102: and constructing a control flow strategy corresponding to the access request based on the matched first flow configuration parameter value and/or the control parameter value.
Specifically, the control flow policy corresponding to the access request is constructed based on the matched first flow configuration parameter value or control parameter value described in step S101, or a combination of the first flow configuration parameter value and the control parameter value.
The following describes the control flow strategy by taking table 1 in combination with table 2:
Aiming at an access request, accessing a resource positioning identifier url1, wherein the constructed control flow strategy 1 is as follows; url1: user controls with region code 130102, role 1, rights 1 can be accessed 50 times within 100 seconds;
The resource positioning identifier url2 is accessed aiming at the access request, and the constructed control flow strategy 2 is as follows: url2, user control with region code 130102 and role 1 can access 100 times in 60 seconds, etc.
Further, constructing a control flow policy corresponding to the access request based on the matched first flow configuration parameter value and/or the control parameter value, including: inputting the matched first flow configuration parameter value and/or the control parameter value into a strategy code module, and outputting information corresponding to the control flow strategy by utilizing the strategy code module to combine the first flow configuration parameter value and/or the control parameter value; and storing information corresponding to the control flow strategy.
The policy code module may be code written on the basis of the custom RateLimitKeyGenerator component included in the rate-limiting tool RATELIMITER. The policy code module may be configured to combine (e.g., by string splicing, string combination, etc.) the first flow configuration parameter value and/or the control parameter value input to it with the access resource location identifier corresponding to the access request, and then to output information corresponding to the control flow policy (e.g., a string or data indicating the information contained in the control flow policy 1 example). Further, the information corresponding to the control flow strategy for the access resource positioning identifier is stored in a cache, which improves the efficiency of matching the control flow strategy.
Further, analyzing the control category corresponding to the access request from the access resource positioning identifier; searching corresponding custom configuration information for the access resource positioning identifier based on the control category; constructing a control flow strategy corresponding to the access request, including: and constructing a control flow strategy corresponding to the access request for the control category. Wherein, the control category may be related to a business scenario, for example, as follows: control of sensitive information, mobile phone short message transaction, message push transaction and other control categories; it can be appreciated that custom configuration information corresponding to a control class can be configured for different control classes; and corresponding control flow strategies are constructed aiming at different control categories, so that the accuracy of access control is further improved, and the flexibility of granularity of management access control is improved.
Step S103: releasing or prohibiting the access request according to the control flow strategy.
Specifically, according to the control flow policy, releasing or prohibiting the access request includes: if the access information of the access request meets the control flow strategy, prohibiting the access request; otherwise, the access request is released. The description of the control flow strategy is identical to that of step S102, and will not be repeated here. It can be understood that the purpose of controlling the access requests can be to control the number of access requests, and further control the access requests after judging based on the information corresponding to the access requests, so as to improve the information security of the micro-service system and improve the stability and usability of the system.
For example: if the user access information configured for user 1, who sends the access resource location identifier url1, includes any one of role 1, authority 1 and region code 130102, and the control flow policy 1 constructed according to url1 is satisfied, the access request corresponding to url1 sent by user 1 is prohibited, where the prohibition may include waiting, slowing down, stopping, etc. As a further example: if the user access information configured for user 2, who sends url1, does not include role 1, authority 1 and region code 130102, and the control flow strategy 1 constructed according to the access resource positioning identifier url1 is not satisfied, the access request corresponding to url1 is released and continues to access the service of the micro-service system to obtain feedback information or data.
Further, the control parameter values corresponding to the control parameters included in the control flow strategy include: time range control parameter values and/or number of times control parameter values:
For the case that the control parameter value is a time range control parameter value, receiving an access request sent by a client, and storing the access request and an access time point of the access request; calculating an access time range of the access request; and if the calculated access time range of the access request is within the time range control parameter value contained in the control flow strategy, determining that the access request does not meet the control flow strategy. Specifically, taking table 2 as an example, the control flow policy of the access resource location identifier url1 corresponding to the access request includes a time range control parameter value (for example, 100 seconds), the set key1 value may be used to store the access time point of each access resource location identifier url1, and the access time range of the access request is calculated according to the time point of first receiving url1 access and the subsequent time point of receiving url1 access, if the calculated access time range of the access request is within the time range control parameter value (for example, 100 seconds) included in the control flow policy, it is determined that the access request does not meet the control flow policy; i.e. release the access request corresponding to url 1.
For the case that the control parameter value is a frequency control parameter value, the access times of the access request are counted; if the counted access times of the access request are within the times control parameter value contained in the control flow strategy, it is determined that the access request does not meet the control flow strategy. Specifically, taking table 2 as an example: the control flow strategy of the access resource positioning identifier url1 corresponding to the access request includes a frequency control parameter value (for example, 50 times); the set key2 value can be used to save each url1 access so as to count the access times of the access request, and if the counted access times are within the frequency control parameter value (for example, 50 times) contained in the control flow strategy, it is determined that the access request does not meet the control flow strategy, i.e. the access request corresponding to url1 is released.
Preferably, for the case that the control parameter value includes both a time range control parameter value and a frequency control parameter value, it is determined whether the access time range of the access request is smaller than the time range control parameter value, and if so, the access times of the access request are obtained; in the case that the access times are smaller than the times control parameter value, it is determined that the access request does not meet the flow control strategy. Specifically, taking table 2 as an example: the control flow policy of url1 corresponding to the access request includes a time range control parameter value (100 seconds) and a number of times control parameter value (e.g., 50 times). After the access time range of the access request corresponding to the access resource positioning identifier url1 has been judged, the access times of that access request are counted, and in the case that the access times are smaller than the times control parameter value, it is determined that the access request does not meet the flow control strategy. For example, if the number of accesses within 100 seconds is less than 50, it is determined that the access request does not meet the flow control strategy, i.e. the access request corresponding to url1 is released; otherwise, the access request is prohibited.
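The following sketch, added here as an illustration and not taken from the patent or from any rate-limiting library, runs steps S101 to S103 end to end: lookup in the custom configuration, construction and caching of the policy string, the combined time-range/count decision, and a runtime update. The field names, the `|` delimiter, keying the counters by policy string, and letting old time points expire as a sliding window are all assumptions; the url1/url2 values come from the policy examples above.

```python
import time
from collections import defaultdict, deque

# Constructed sample of the custom configuration information, using the
# url1/url2 values from the policy examples. Field names are assumptions.
CUSTOM_CONFIG = {
    "url1": {
        "flow": {"region": "130102", "role": "role1", "permission": "perm1"},
        "control": {"window_s": 100, "max_hits": 50},
    },
    "url2": {
        "flow": {"region": "130102", "role": "role1"},
        "control": {"window_s": 60, "max_hits": 100},
    },
}


def build_policy_key(url, flow, control):
    """Splice the URL and the matched parameter values into one policy string.

    Keys are sorted so the same configuration always yields the same string.
    Values are assumed not to contain the '|' delimiter.
    """
    parts = [url]
    parts += [f"{k}={flow[k]}" for k in sorted(flow)]
    parts += [f"{k}={control[k]}" for k in sorted(control)]
    return "|".join(parts)


class AccessController:
    def __init__(self, config):
        self.config = config
        self.policy_cache = {}            # url -> cached policy string
        self.hits = defaultdict(deque)    # policy string -> access time points

    def update_config(self, url, flow=None, control=None):
        """Update an existing or newly added URL entry at runtime."""
        entry = self.config.setdefault(url, {"flow": {}, "control": {}})
        if flow is not None:
            entry["flow"] = dict(flow)
        if control is not None:
            entry["control"] = dict(control)
        self.policy_cache.pop(url, None)  # force the policy to be rebuilt

    def _policy_for(self, url):
        entry = self.config.get(url)
        if entry is None:
            return None, None
        key = self.policy_cache.get(url)
        if key is None:
            key = build_policy_key(url, entry["flow"], entry["control"])
            self.policy_cache[url] = key
        return key, entry

    def check(self, url, user_attrs, now=None):
        """Return 'release' or 'prohibit' for one access request."""
        now = time.monotonic() if now is None else now
        key, entry = self._policy_for(url)
        if entry is None:
            return "release"              # URL has no custom configuration
        flow, control = entry["flow"], entry["control"]
        # The policy applies only to users carrying any configured value.
        if flow and not any(user_attrs.get(k) == v for k, v in flow.items()):
            return "release"
        window = self.hits[key]
        # Drop time points outside the time range (sliding window: assumption).
        while window and now - window[0] >= control["window_s"]:
            window.popleft()
        if len(window) < control["max_hits"]:
            window.append(now)            # record this released access
            return "release"
        return "prohibit"
```

Because the policy string embeds the control values, an update produces a new key and therefore a fresh counter; a deployment that must carry counts across updates would key the counters differently.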
As shown in fig. 2, an embodiment of the present invention provides a method for controlling access, which may include the steps of:
Step S201: receiving an access request sent by the client.
Step S202: searching one or more first flow configuration parameter values matched with the access resource positioning identification of the access request from the custom configuration information.
Step S203: searching one or more control parameter values matched with the access resource positioning identification of the access request from the custom configuration information.
Step S204: constructing a control flow strategy corresponding to the access request based on the matched first flow configuration parameter value and the control parameter value.
Step S205: determining whether the control flow policy is satisfied; if yes, step S207 is performed; otherwise, step S206 is performed.
Step S206: releasing the access request.
Step S207: prohibiting the access request.
Specifically, step S201 to step S207 describe the flow of executing control access for the access resource location identifier in the case where the access resource location identifier is correspondingly configured with the flow configuration parameter value and the control parameter value. The description of searching for one or more first flow configuration parameter values matching the access resource location identifier of the access request from the custom configuration information, and searching for one or more control parameter values matching the access resource location identifier of the access request from the custom configuration information is consistent with the description of step S101, and will not be repeated here. The description of constructing the control flow policy corresponding to the access request based on the matched first flow configuration parameter value and the control parameter value is identical to the description of step S102, and will not be described herein. The description of determining whether to release or prohibit the access request according to whether the control flow policy is satisfied is identical to that of step S103, and will not be described in detail here.
As shown in fig. 3, an embodiment of the present invention provides an apparatus 300 for controlling access, including: a search information module 301, a construction strategy module 302 and a control access module 303; wherein,
The search information module 301 is configured to receive an access request sent by a client, and search one or more first flow configuration parameter values and/or one or more control parameter values that match an access resource location identifier of the access request from custom configuration information;
The construction policy module 302 is configured to construct a control flow policy corresponding to the access request based on the matched first flow configuration parameter value and/or the control parameter value;
the control access module 303 is configured to release or prohibit the access request according to the control flow policy.
The embodiment of the invention also provides an electronic device for controlling access, which comprises: one or more processors; and a storage device for storing one or more programs which, when executed by the one or more processors, cause the one or more processors to implement the method provided by any of the embodiments described above.
The embodiment of the invention also provides a computer readable medium, on which a computer program is stored, which when executed by a processor implements the method provided by any of the above embodiments.
The computer program product of the present invention comprises a computer program which, when executed by a processor, implements the control access method in embodiments of the present invention.
Fig. 4 illustrates an exemplary system architecture 400 of a method of controlling access or an apparatus of controlling access to which embodiments of the present invention may be applied.
As shown in fig. 4, the system architecture 400 may include terminal devices 401, 402, 403, a network 404, and a server 405. The network 404 is used as a medium to provide communication links between the terminal devices 401, 402, 403 and the server 405. The network 404 may include various connection types, such as wired, wireless communication links, or fiber optic cables, among others.
A user may interact with the server 405 via the network 404 using the terminal devices 401, 402, 403 to receive or send messages or the like. Various client applications, such as an electronic mall client application, an electronic bank client application, a financial application client, etc., may be installed on the terminal devices 401, 402, 403.
The terminal devices 401, 402, 403 may be various electronic devices having a display screen and supporting various client applications including, but not limited to, smartphones, tablets, laptop and desktop computers, and the like.
The server 405 may be a server providing various services, such as a background management server providing support for client applications used by the user with the terminal devices 401, 402, 403. The background management server can process the received access request and feed back the processing result of releasing or prohibiting the access request to the terminal equipment.
It should be noted that, the method for access control provided in the embodiment of the present invention is generally executed by the server 405, and accordingly, the device for access control is generally disposed in the server 405.
It should be understood that the number of terminal devices, networks and servers in fig. 4 is merely illustrative. There may be any number of terminal devices, networks, and servers, as desired for implementation.
Referring now to FIG. 5, there is illustrated a schematic diagram of a computer system 500 suitable for use in implementing an embodiment of the present invention. The terminal device shown in fig. 5 is only an example, and should not impose any limitation on the functions and the scope of use of the embodiment of the present invention.
As shown in fig. 5, the computer system 500 includes a Central Processing Unit (CPU) 501, which can perform various appropriate actions and processes according to a program stored in a Read Only Memory (ROM) 502 or a program loaded from a storage section 508 into a Random Access Memory (RAM) 503. In the RAM 503, various programs and data required for the operation of the system 500 are also stored. The CPU 501, ROM 502, and RAM 503 are connected to each other through a bus 504. An input/output (I/O) interface 505 is also connected to bus 504.
The following components are connected to the I/O interface 505: an input section 506 including a keyboard, a mouse, and the like; an output portion 507 including a Cathode Ray Tube (CRT), a Liquid Crystal Display (LCD), and the like, and a speaker, and the like; a storage portion 508 including a hard disk and the like; and a communication section 509 including a network interface card such as a LAN card, a modem, or the like. The communication section 509 performs communication processing via a network such as the internet. The drive 510 is also connected to the I/O interface 505 as needed. A removable medium 511 such as a magnetic disk, an optical disk, a magneto-optical disk, a semiconductor memory, or the like is mounted on the drive 510 as needed so that a computer program read therefrom is mounted into the storage section 508 as needed.
In particular, according to embodiments of the present disclosure, the processes described above with reference to flowcharts may be implemented as computer software programs. For example, embodiments of the present disclosure include a computer program product comprising a computer program embodied on a computer readable medium, the computer program comprising program code for performing the method shown in the flow chart. In such an embodiment, the computer program may be downloaded and installed from a network via the communication portion 509, and/or installed from the removable media 511. The above-described functions defined in the system of the present invention are performed when the computer program is executed by a Central Processing Unit (CPU) 501.
The computer readable medium shown in the present invention may be a computer readable signal medium or a computer readable storage medium, or any combination of the two. The computer readable storage medium can be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or a combination of any of the foregoing. More specific examples of the computer-readable storage medium may include, but are not limited to: an electrical connection having one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the context of this document, a computer readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device. In the present invention, however, the computer-readable signal medium may include a data signal propagated in baseband or as part of a carrier wave, with the computer-readable program code embodied therein. Such a propagated data signal may take any of a variety of forms, including, but not limited to, electro-magnetic, optical, or any suitable combination of the foregoing. A computer readable signal medium may also be any computer readable medium that is not a computer readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device. Program code embodied on a computer readable medium may be transmitted using any appropriate medium, including but not limited to: wireless, wire, fiber optic cable, RF, etc., or any suitable combination of the foregoing.
The flowcharts and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present invention. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams or flowchart illustration, and combinations of blocks in the block diagrams or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
The modules and/or units involved in the embodiments of the present invention may be implemented in software, or may be implemented in hardware. The described modules and/or units may also be provided in a processor, e.g., may be described as: a processor includes a lookup information module, a build policy module, and a control access module. The names of these modules do not constitute a limitation on the module itself in some cases, for example, a control access module may also be described as "a module that passes or disables the access request according to the control traffic policy".
As another aspect, the present invention also provides a computer program product comprising a computer program which, when executed by a processor, implements the control access method in the embodiments of the present invention.
As another aspect, the present invention also provides a computer-readable medium that may be contained in the apparatus described in the above embodiments; or may be present alone without being fitted into the device. The computer readable medium carries one or more programs which, when executed by a device, cause the device to include: receiving an access request sent by a client, and searching one or more first flow configuration parameter values and/or one or more control parameter values matched with an access resource positioning identifier of the access request from user-defined configuration information; constructing a control flow strategy corresponding to the access request based on the matched first flow configuration parameter value and/or the control parameter value; and releasing or prohibiting the access request according to the control flow strategy.
According to the embodiment of the invention, the access request sent by the client can be received, and one or more first flow configuration parameter values and/or one or more control parameter values matched with the access resource positioning identification of the access request are searched from the custom configuration information; constructing a control flow strategy corresponding to the access request; and releasing or prohibiting the access request according to the control flow strategy. The flexibility of determining configuration parameters and the flexibility of managing and controlling access granularity are improved through the self-defining configuration information; by dynamically constructing the control flow strategy, the problem of poor flexibility caused by the fact that the configuration file or code needs to be modified in order to modify the control flow strategy in the existing method is solved, the problem that the system needs to be restarted for modifying the configuration information in the existing method is solved, and the flexibility and the efficiency of the control flow are improved.
The above embodiments do not limit the scope of the present invention. It will be apparent to those skilled in the art that various modifications, combinations, sub-combinations and alternatives can occur depending upon design requirements and other factors. Any modifications, equivalent substitutions and improvements made within the spirit and principles of the present invention should be included in the scope of the present invention.

Claims (15)

1. A method of controlling access, comprising:
receiving an access request sent by a client, and
searching one or more first flow configuration parameter values and/or one or more control parameter values matched with the access resource positioning identification of the access request from the custom configuration information;
constructing a control flow strategy corresponding to the access request based on the matched first flow configuration parameter value and/or the control parameter value;
releasing or prohibiting the access request according to the control flow strategy;
the method further comprises the steps of: acquiring a positioning identifier of an access resource to be configured; configuring one or more corresponding flow configuration parameter values and/or one or more control parameter values for the access resource positioning identifier to be configured; storing the corresponding relation between the access resource positioning identification and one or more flow configuration parameter values and/or one or more control parameter values, and generating custom configuration information based on the corresponding relation; the generating custom configuration information based on the correspondence relationship includes: storing the corresponding relation between the access resource positioning identification and one or more flow configuration parameter values into set custom flow configuration information; and/or storing the corresponding relation between the access resource positioning identification and one or more control parameter values into the set custom control information;
The method further comprises the steps of: analyzing a control category corresponding to the access request from the access resource positioning identifier of the access request; searching corresponding custom configuration information for the access resource positioning identifier based on the control category; the constructing the control flow strategy corresponding to the access request comprises the following steps: constructing a control flow strategy corresponding to the access request for the control category; wherein the control class is associated with a business scenario.
2. The method as recited in claim 1, further comprising: acquiring a user identifier of the access request;
searching one or more second flow configuration parameter values matched with the user identification from user information items associated with the access resource positioning identification included in the custom flow configuration information;
executing the step of releasing or prohibiting the access request according to the control flow strategy under the condition that any second flow configuration parameter value is found;
and if not, releasing the access request.
3. The method as recited in claim 2, further comprising:
determining a user identifier to be configured;
configuring corresponding user access information for the user identification to be configured, and storing the corresponding relation between the user identification and the user access information;
said searching one or more second flow configuration parameter values matched with the user identification comprises:
searching, according to the corresponding relation, one or more second flow configuration parameter values matched with the user access information.
4. The method as recited in claim 1, further comprising:
configuring a user information item for the access resource positioning identification to be configured, and adding the user information item to the custom configuration information.
5. The method of claim 1, wherein
constructing a control flow policy corresponding to the access request based on the matched first flow configuration parameter value and/or the control parameter value includes:
Inputting the matched first flow configuration parameter value and/or the control parameter value into a strategy code module, and outputting information corresponding to the control flow strategy by utilizing the strategy code module to combine the first flow configuration parameter value and/or the control parameter value;
and storing information corresponding to the control flow strategy.
6. The method of claim 1, wherein
releasing or prohibiting the access request according to the control flow strategy includes:
if the access information of the access request meets the control flow strategy, prohibiting the access request; otherwise, the access request is released.
7. The method as recited in claim 6, further comprising:
for the case where the control parameter value is a time range control parameter value,
receiving an access request sent by a client, and storing the access request and an access time point of the access request;
calculating an access time range of the access request;
if the calculated access time range of the access request is within the time range control parameter value contained in the control flow strategy, determining that the access request does not meet the control flow strategy.
8. The method as recited in claim 6, further comprising:
for the case where the control parameter value is a frequency control parameter value,
counting the access times of the access request;
if the counted access times of the access request are within the times control parameter value contained in the control flow strategy, determining that the access request does not meet the control flow strategy.
9. The method according to claim 6, wherein:
for the case where the control parameter values include a time range control parameter value and a number of times control parameter value,
judging whether the access time range of the access request is smaller than the time range control parameter value, and if so, acquiring the access times of the access request;
in the case that the access times are smaller than the times control parameter value, determining that the access request does not meet the flow control strategy.
10. The method of claim 1, wherein
the custom configuration information includes a switch option for indicating whether the flow configuration parameter value is valid;
the method further comprises: determining the state of the switch option corresponding to the access resource positioning identifier in the custom configuration information;
and in the case that the state indication of the switch option is determined to be on, executing the step of searching one or more first flow configuration parameter values matched with the access resource positioning identification of the access request from the custom configuration information.
11. The method as recited in claim 1, further comprising:
receiving an update request for the custom configuration information;
updating the custom configuration information according to the to-be-updated access resource positioning identifier contained in the update request, and one or more flow configuration parameter values and/or one or more control parameter values corresponding to the to-be-updated access resource positioning identifier.
12. An apparatus for controlling access, comprising: a searching information module, a construction strategy module and a control access module; wherein,
The searching information module is used for receiving an access request sent by a client, and searching one or more first flow configuration parameter values and/or one or more control parameter values matched with an access resource positioning identifier of the access request from the custom configuration information;
The construction strategy module is used for constructing a control flow strategy corresponding to the access request based on the matched first flow configuration parameter value and/or the control parameter value;
The control access module is used for releasing or prohibiting the access request according to the control flow strategy;
the device is also used for acquiring the access resource positioning identification to be configured; configuring one or more corresponding flow configuration parameter values and/or one or more control parameter values for the access resource positioning identifier to be configured; storing the corresponding relation between the access resource positioning identification and one or more flow configuration parameter values and/or one or more control parameter values, and generating custom configuration information based on the corresponding relation; the generating custom configuration information based on the correspondence relationship includes: storing the corresponding relation between the access resource positioning identification and one or more flow configuration parameter values into set custom flow configuration information; and/or storing the corresponding relation between the access resource positioning identification and one or more control parameter values into the set custom control information;
the device is further configured to parse a control class corresponding to the access request from the access resource location identifier of the access request; searching corresponding custom configuration information for the access resource positioning identifier based on the control category; the constructing the control flow strategy corresponding to the access request comprises the following steps: constructing a control flow strategy corresponding to the access request for the control category; wherein the control class is associated with a business scenario.
13. An electronic device, comprising:
one or more processors;
storage means for storing one or more programs,
which, when executed by the one or more processors, cause the one or more processors to implement the method of any of claims 1-11.
14. A computer readable medium, on which a computer program is stored, characterized in that the program, when being executed by a processor, implements the method according to any of claims 1-11.
15. A computer program product comprising a computer program, characterized in that the program, when executed by a processor, implements the method according to any of claims 1-11.
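The lookup, strategy construction and release/prohibit decision recited in claim 12, sketched as an added Python illustration that is not code from the patent. The table layout, the parameter names (`limit`, `window_s`, `blocked`), the first-path-segment convention for the control category, the path canonicalisation, the release-by-default behaviour and the host `bank.example` are all assumptions.

```python
import posixpath
import time
from urllib.parse import unquote, urlsplit

# Hypothetical runtime stores: control category -> resource path -> values.
FLOW_CONFIG = {}     # custom flow configuration information
CONTROL_INFO = {}    # custom control information
DEFAULT_DECISION = "release"   # assumption: unconfigured resources pass
_released = {}       # (path, client) -> timestamps of released requests

def locate(url):
    """Canonicalise the path, then take the control category from its first segment."""
    path = posixpath.normpath("/" + unquote(urlsplit(url).path).lstrip("/"))
    return path.strip("/").split("/")[0], path

def configure(url, flow=None, control=None):
    """Store the identifier -> parameter-value correspondence; effective at once."""
    cat, path = locate(url)
    if flow is not None:
        FLOW_CONFIG.setdefault(cat, {})[path] = dict(flow)
    if control is not None:
        CONTROL_INFO.setdefault(cat, {})[path] = {"blocked": set(control["blocked"])}

def build_policy(url):
    """Search the category's tables and build the strategy for this one request."""
    cat, path = locate(url)
    return {"category": cat, "path": path,
            "flow": FLOW_CONFIG.get(cat, {}).get(path),
            "control": CONTROL_INFO.get(cat, {}).get(path)}

def decide(url, client_id, now=None):
    """Return 'release' or 'prohibit' for one access request."""
    now = time.monotonic() if now is None else now
    policy = build_policy(url)
    flow, control = policy["flow"], policy["control"]
    if flow is None and control is None:
        return DEFAULT_DECISION
    if control and client_id in control["blocked"]:
        return "prohibit"
    if flow:
        key = (policy["path"], client_id)
        recent = [t for t in _released.get(key, []) if now - t < flow["window_s"]]
        _released[key] = recent
        if len(recent) >= flow["limit"]:
            return "prohibit"
        recent.append(now)
    return "release"
```

Because the strategy is rebuilt from the stores on every request, a later `configure` call changes the outcome of the next request without a restart; canonicalising the path first keeps spelling variants of one resource from missing its entry.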
CN202111642990.5A 2021-12-29 2021-12-29 Access control method and device Active CN114301778B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111642990.5A CN114301778B (en) 2021-12-29 2021-12-29 Access control method and device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202111642990.5A CN114301778B (en) 2021-12-29 2021-12-29 Access control method and device

Publications (2)

Publication Number Publication Date
CN114301778A (en) 2022-04-08
CN114301778B (en) 2024-05-03

Family

ID=80970926

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111642990.5A Active CN114301778B (en) 2021-12-29 2021-12-29 Access control method and device

Country Status (1)

Country Link
CN (1) CN114301778B (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103065074A (en) * 2012-12-14 2013-04-24 北京思特奇信息技术股份有限公司 Uniform Resource Locator (URL) authority control method based on fine granularity
CN105187413A (en) * 2015-08-20 2015-12-23 中国联合网络通信集团有限公司 URL (Uniform Resource Locator) filtering method and system
WO2017219891A1 (en) * 2016-06-23 2017-12-28 中兴通讯股份有限公司 Access control method and apparatus in service restriction
CN112202682A (en) * 2020-09-27 2021-01-08 平安国际智慧城市科技股份有限公司 Interface flow control method and device, computer equipment and storage medium
CN112818309A (en) * 2021-03-04 2021-05-18 重庆度小满优扬科技有限公司 Method and device for controlling data access authority and storage medium

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10212167B2 (en) * 2016-02-27 2019-02-19 Gryphon Online Safety, Inc. Method and system to enable controlled safe internet browsing
US11301572B2 (en) * 2016-02-27 2022-04-12 Gryphon Online Safety, Inc. Remotely controlling access to online content

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
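Research on access network access control based on traffic characteristics; 唐翯祎; China Doctoral Dissertations Full-text Database, Information Science and Technology Series, 2021, No. 02; 20210215; full text *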

Also Published As

Publication number Publication date
CN114301778A (en) 2022-04-08

Similar Documents

Publication Publication Date Title
CN113495921B (en) Routing method and device for database cluster
US9544288B2 (en) Messaging gateway
CN111460129B (en) Method, device, electronic equipment and storage medium for generating identification
CN110471848B (en) Method and device for dynamically returning message
CN113076153B (en) Interface calling method and device
CN110795315A (en) Method and device for monitoring service
CN112445868A (en) Service message processing method and device
CN116303608A (en) Data processing method and device for application service
US11599673B2 (en) Ascertaining network devices used with anonymous identifiers
CN113010238A (en) Permission determination method, device and system for micro application call interface
CN114301778B (en) Access control method and device
CN112948138A (en) Method and device for processing message
CN110765445B (en) Method and device for processing request
CN114979256A (en) Message pushing method and device, electronic equipment and computer readable medium
CN113138943B (en) Method and device for processing request
CN113742617A (en) Cache updating method and device
CN113556370A (en) Service calling method and device
CN111209014A (en) Parameter checking method and device
CN113360939B (en) Security access control method and device
CN113760886B (en) Method, apparatus, device and computer readable medium for providing data service
CN113495747B (en) Gray scale release method and device
CN110262756B (en) Method and device for caching data
CN112448931B (en) Network hijacking monitoring method and device
CN116701499A (en) Method and device for processing request
CN116932558A (en) Form data processing method and device

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant