CN115955327A - Interception authentication method and device based on document system - Google Patents

Info

Publication number: CN115955327A
Application number: CN202211474170.4A
Authority: CN (China)
Legal status: Pending
Original language: Chinese (zh)
Inventor: 纪欢
Applicant / assignee: Beijing Jingdong Century Trading Co Ltd; Beijing Wodong Tianjun Information Technology Co Ltd
Prior art keywords: level, restriction, limit, user, service function

Abstract

The invention discloses an interception authentication method and device based on a document system, and relates to the technical field of information security. One embodiment of the method comprises: receiving a document system login request sent by a terminal, where the login request carries a user identifier; querying a security restriction table according to the user identifier to obtain the security restriction information corresponding to that identifier, where the security restriction information includes a restriction level, and the restriction level is either a system-level restriction or a function-level restriction; if the restriction level is a system-level restriction, returning an error prompt to the terminal so that the user cannot log in; and if the restriction level is a function-level restriction, returning login page data to the terminal. The embodiment solves the technical problem that a document system cannot control users whose behaviour is abnormal.

Description

Interception authentication method and device based on document system
Technical Field
The invention relates to the technical field of collaborative office work and information security, in particular to an interception authentication method and device based on a document system.
Background
Many organizations (businesses, schools, and so on) now carry out everyday work in collaborative office documents. The documents are stored in a document system, but apart from permission control and general system security the document system has no further protection mechanism. If a user who holds normal permissions behaves abnormally, for example by downloading a large number of confidential documents, adding dangerous external users, or posting malicious comments, the document system has no way to control that user.
Disclosure of Invention
In view of this, embodiments of the present invention provide an interception authentication method and apparatus based on a document system, so as to solve the technical problem that a document system cannot manage and control a user with abnormal behaviour.
In order to achieve the above object, according to one aspect of the embodiments of the present invention, there is provided an interception authentication method based on a document system, including:
receiving a document system login request sent by a terminal, where the login request carries a user identifier;
querying a security restriction table according to the user identifier to obtain the security restriction information corresponding to the user identifier, where the security restriction information includes a restriction level, and the restriction level is a system-level restriction or a function-level restriction;
if the restriction level is a system-level restriction, returning an error prompt to the terminal so that the user cannot log in; and if the restriction level is a function-level restriction, returning login page data to the terminal.
Optionally, if the restriction level is a function-level restriction, after the login page data is returned to the terminal the method further includes:
receiving a service function operation request sent by the terminal, where the operation request carries a user identifier and a service function identifier;
querying a restricted service function list according to the service function identifier to determine whether the service function is a restricted service function;
if so, querying the security restriction table according to the user identifier, and if the user identifier exists in the security restriction table and its restriction level is a function-level restriction, returning an error prompt to the terminal so that the user cannot operate the service function;
and if not, responding to the service function operation request.
Optionally, if the restriction level is a function-level restriction, after the login page data is returned to the terminal the method further includes:
if the user identifier does not exist in the security restriction table, responding to the service function operation request.
Optionally, if the restriction level is a function-level restriction, after the login page data is returned to the terminal the method further includes:
receiving a service function operation request sent by the terminal, where the operation request carries a user identifier and a service function identifier;
querying the security restriction table according to the user identifier, and if the user identifier exists in the security restriction table and its restriction level is a function-level restriction, querying the restricted service function list that corresponds to the restriction level identifier configured in that function-level restriction, so as to determine whether the service function is a restricted service function;
if so, returning an error prompt to the terminal so that the user cannot operate the service function;
and if not, responding to the service function operation request.
Optionally, before receiving the service function operation request sent by the terminal, the method further includes:
in the security restriction table, if the restriction level is a function-level restriction, configuring a restriction level identifier within the function-level restriction;
and configuring the correspondence between each restriction level identifier and a restricted service function list.
Optionally, the method further includes:
receiving a permission configuration request, where the permission configuration request carries a user identifier and the security restriction information corresponding to that user identifier;
querying the security restriction table according to the user identifier to determine whether the user identifier already exists in the table; if so, updating the security restriction information in the table with the security restriction information carried in the permission configuration request; if not, storing the security restriction information carried in the permission configuration request in the security restriction table.
Optionally, before receiving the document system login request sent by the terminal, the method further includes:
receiving a message from a message queue subscribed to in advance;
parsing the message to obtain a user identifier;
and updating the security restriction table according to the message queue and the user identifier, where each message queue corresponds to a restriction level.
Optionally, after updating the security restriction table according to the message queue and the user identifier, the method further includes:
setting the status of the security restriction information corresponding to the user identifier to pending approval;
sending an approval request to an approver, where the approval request carries the security restriction information to be approved;
and updating the status of the security restriction information to normal in response to receiving a message that the approval result returned by the approver is passed.
In addition, according to another aspect of the embodiments of the present invention, there is provided an interception authentication apparatus based on a document system, including:
a receiving module, a processing module and a sending module, where the receiving module is configured to receive a document system login request sent by a terminal, the login request carrying a user identifier;
and an authentication module, configured to query a security restriction table according to the user identifier to obtain the security restriction information corresponding to the user identifier, where the security restriction information includes a restriction level, and the restriction level is a system-level restriction or a function-level restriction; if the restriction level is a system-level restriction, to return an error prompt to the terminal so that the user cannot log in; and if the restriction level is a function-level restriction, to return login page data to the terminal.
Optionally, the receiving module is further configured to receive a service function operation request sent by the terminal, where the operation request carries a user identifier and a service function identifier;
and the authentication module is further configured to query a restricted service function list according to the service function identifier to determine whether the service function is a restricted service function; if so, to query the security restriction table according to the user identifier, and if the user identifier exists in the security restriction table and its restriction level is a function-level restriction, to return an error prompt to the terminal so that the user cannot operate the service function; and if not, to respond to the service function operation request.
Optionally, the authentication module is further configured to:
respond to the service function operation request if the user identifier does not exist in the security restriction table.
Optionally, the receiving module is further configured to receive a service function operation request sent by the terminal, where the operation request carries a user identifier and a service function identifier;
and the authentication module is further configured to query the security restriction table according to the user identifier; if the user identifier exists in the security restriction table and its restriction level is a function-level restriction, to query the restricted service function list that corresponds to the restriction level identifier configured in that function-level restriction, so as to determine whether the service function is a restricted service function; if so, to return an error prompt to the terminal so that the user cannot operate the service function; and if not, to respond to the service function operation request.
Optionally, the apparatus further includes a configuration module, configured to:
in the security restriction table, if the restriction level is a function-level restriction, configure a restriction level identifier within the function-level restriction;
and configure the correspondence between each restriction level identifier and a restricted service function list.
Optionally, the configuration module is further configured to:
receive a permission configuration request, where the permission configuration request carries a user identifier and the security restriction information corresponding to that user identifier;
query the security restriction table according to the user identifier to determine whether the user identifier already exists in the table; if so, update the security restriction information in the table with the security restriction information carried in the permission configuration request; if not, store the security restriction information carried in the permission configuration request in the security restriction table.
Optionally, the configuration module is further configured to:
receive a message from a message queue subscribed to in advance;
parse the message to obtain a user identifier;
and update the security restriction table according to the message queue and the user identifier, where each message queue corresponds to a restriction level.
Optionally, the configuration module is further configured to:
after the security restriction table has been updated according to the message queue and the user identifier, set the status of the security restriction information corresponding to the user identifier to pending approval;
send an approval request to an approver, where the approval request carries the security restriction information to be approved;
and update the status of the security restriction information to normal in response to receiving a message that the approval result returned by the approver is passed.
According to another aspect of the embodiments of the present invention, there is also provided an electronic device, including:
one or more processors; and
a storage device storing one or more programs,
which, when executed by the one or more processors, cause the one or more processors to implement the method of any of the embodiments described above.
According to another aspect of the embodiments of the present invention, there is also provided a computer readable medium, on which a computer program is stored, the program, when executed by a processor, implementing the method according to any of the embodiments described above.
According to another aspect of the embodiments of the present invention, there is also provided a computer program product comprising a computer program which, when executed by a processor, implements the method of any of the above embodiments.
One embodiment of the above invention has the following advantages or benefits. The security restriction table is queried according to the user identifier to obtain the corresponding security restriction information; if the restriction level is a system-level restriction, an error prompt is returned to the terminal so that the user cannot log in, and if the restriction level is a function-level restriction, login page data is returned to the terminal. This solves the technical problem that a prior-art document system cannot control a user with abnormal behaviour. Because the user is intercepted and authenticated through the security restriction information configured in the security restriction table, there is no need to write security restriction code in every place, which improves development efficiency and avoids repeated development; once a user with abnormal behaviour has been found, that user can be restricted quickly by updating the security restriction table.
Further effects of the optional features above are described below in connection with the embodiments.
Drawings
In order to illustrate the embodiments of the present invention or the technical solutions in the prior art more clearly, the drawings used in the description of the embodiments or the prior art are briefly described below. Obviously the drawings in the following description are only some embodiments of the present invention, and those skilled in the art can obtain other drawings from them without creative effort. In the drawings:
FIG. 1 is a flow chart of a document system based interception authentication method according to an embodiment of the present invention;
FIG. 2 is a schematic diagram of security restrictions on a user according to an embodiment of the invention;
FIG. 3 is a flowchart of a document system based interception authentication method according to a referential embodiment of the present invention;
FIG. 4 is a flowchart of a document system based interception authentication method according to another referential embodiment of the present invention;
FIG. 5 is a system architecture diagram according to an embodiment of the invention;
FIG. 6 is a flowchart of a document system-based interception authentication method according to still another referential embodiment of the present invention;
FIG. 7 is a flowchart of a document system based interception authentication method according to yet another referential embodiment of the present invention;
FIG. 8 is a schematic diagram of an interception authentication apparatus based on a document system according to an embodiment of the present invention;
FIG. 9 is an exemplary system architecture diagram in which embodiments of the present invention may be employed;
FIG. 10 is a schematic block diagram of a computer system suitable for use in implementing a terminal device or server according to an embodiment of the present invention.
Detailed Description
Exemplary embodiments of the present invention are described below with reference to the accompanying drawings, in which various details of embodiments of the invention are included to assist understanding, and which are to be considered as merely exemplary. Accordingly, those of ordinary skill in the art will recognize that various changes and modifications of the embodiments described herein can be made without departing from the scope and spirit of the invention. Also, descriptions of well-known functions and constructions are omitted in the following description for clarity and conciseness.
In the technical solution of the present application, the acquisition, storage, use and processing of the personal information of the users concerned all comply with the relevant laws and regulations and do not violate public order or good morals.
FIG. 1 is a flowchart of an interception authentication method based on a document system according to an embodiment of the present invention. As shown in FIG. 1, the method may include:
Step 101: receiving a document system login request sent by a terminal, where the login request carries a user identifier.
When a user needs to log in to the document system, the user enters a user identifier on the terminal page, and the terminal sends a document system login request carrying that identifier to the document system. Optionally, the user identifier may be a user ID alone, or a user ID together with a tenant ID; the embodiment does not limit this.
Step 102: querying a security restriction table according to the user identifier to obtain the security restriction information corresponding to the user identifier, where the security restriction information includes a restriction level, and the restriction level is a system-level restriction or a function-level restriction.
The security restriction table is created in advance and holds, for each configured user identifier, the corresponding security restriction information, which includes the restriction level (a system-level restriction or a function-level restriction). Optionally, the security restriction information may further include a status (pending approval or normal), a creator and a creation time; if the information has been updated it may also record the updater and the update time.
The embodiment restricts a user's login, or a user's use of certain functions, by configuring an enumeration code for the security restriction level. The security restriction table has a restriction level field that holds this enumeration code. For example, the enumeration code for a system-level restriction is set to 1 and the code for a function-level restriction to 2; if the function-level restriction needs finer levels, further enumeration codes can be configured for the new levels. For instance, when user A is configured in the background as a system-level restriction, the value in user A's restriction level field in the security restriction table is 1; when user B is configured in the background as a function-level restriction, the value in user B's restriction level field is 2.
In this step the security restriction table is queried with the user identifier carried in the login request to obtain the corresponding security restriction information, in particular whether the restriction level is a system-level or a function-level restriction.
Step 103: if the restriction level is a system-level restriction, returning an error prompt to the terminal so that the user cannot log in; and if the restriction level is a function-level restriction, returning login page data to the terminal.
If the restriction level configured for the user in the security restriction table is a system-level restriction, the user is to be intercepted outright, and an error prompt is returned to the terminal so that the user cannot log in to the document system. If the configured restriction level is a function-level restriction, the user is allowed to log in to the document system but the user's business functions are to be intercepted, so login page data is returned to the terminal and the user logs in. In this way the embodiment can restrict users with abnormal behaviour, protect the document system, and prevent damage by users acting maliciously.
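The login-time interception of steps 101 to 103, as an added example that is not code from the patent or its applicants. The enumeration codes (1 for a system-level restriction, 2 for a function-level restriction), the status field and the users A and B follow the description; the in-memory table keyed by (user ID, tenant ID), the function names and the treatment of pending rows as not yet effective are assumptions made for illustration:

```python
"""Login-time interception against a security restriction table (added example)."""
from dataclasses import dataclass
from enum import IntEnum
from typing import Dict, Optional, Tuple


class RestrictionLevel(IntEnum):
    """Enumeration codes held in the restriction level field of the table."""
    SYSTEM = 1    # the user may not log in at all
    FUNCTION = 2  # the user may log in, but restricted service functions are blocked


@dataclass
class SecurityRestriction:
    """One row of the security restriction table (status, creator as in the text)."""
    level: RestrictionLevel
    status: str = "normal"   # "pending" until approved, then "normal"
    creator: str = "admin"


# Constructed sample table keyed by (user_id, tenant_id): user A is system-level
# restricted, user B function-level restricted, user C still pending approval.
SECURITY_RESTRICTION_TABLE: Dict[Tuple[str, str], SecurityRestriction] = {
    ("userA", "tenant1"): SecurityRestriction(RestrictionLevel.SYSTEM),
    ("userB", "tenant1"): SecurityRestriction(RestrictionLevel.FUNCTION),
    ("userC", "tenant1"): SecurityRestriction(RestrictionLevel.SYSTEM, status="pending"),
}


def lookup_restriction(user_id: str, tenant_id: str) -> Optional[SecurityRestriction]:
    """Step 102: query the table. Only approved ("normal") rows are enforced;
    treating a pending row as not yet effective is an assumption of this example."""
    row = SECURITY_RESTRICTION_TABLE.get((user_id, tenant_id))
    if row is None or row.status != "normal":
        return None
    return row


def handle_login_request(request: dict) -> dict:
    """Steps 101 to 103: intercept the login request before the login page is served."""
    user_id = request["user_id"]
    tenant_id = request.get("tenant_id", "")
    row = lookup_restriction(user_id, tenant_id)
    if row is not None and row.level == RestrictionLevel.SYSTEM:
        # Step 103, system-level: refuse login. The message is the same generic
        # text for every refusal so the response does not reveal the table entry.
        return {"ok": False, "error": "login refused"}
    # Step 103, function-level (or no row at all): return the login page data.
    # A function-level user still gets the page; requests are intercepted later.
    return {"ok": True, "page": "login", "function_restricted": row is not None}
```

The handler refuses a system-level restricted identifier before any login page is served and returns the same generic message for every refusal, so the response does not tell the caller that the identifier is on the restriction table. A function-level user receives the login page and is intercepted per request afterwards.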
Abnormal user behaviour is collected in advance, and the security restriction table is updated according to the collection result so that users with abnormal behaviour can be controlled. To apply a security restriction to a given user (for example one with abnormal behaviour), the system administrator logs in to the collaborative document management background and updates the security restriction table by manual configuration, or the table is updated automatically through message subscription.
Optionally, the method further includes: receiving a permission configuration request, where the permission configuration request carries a user identifier and the security restriction information corresponding to that user identifier; querying the security restriction table according to the user identifier to determine whether the user identifier already exists in the table; if so, updating the security restriction information in the table with the information carried in the permission configuration request; if not, storing the information carried in the request in the table. As shown in FIG. 2, manual configuration has two data sources. The first is manual reporting: if a report is verified, the system administrator configures the restriction in the background, choosing the restriction level according to the severity of the harm. The second is blacklists from operations, from the company or from departments, for which the system administrator likewise configures the restriction level in the background. Specifically, the system administrator sends a permission configuration request to the document system through the document management background, the request carrying the user identifier and the corresponding security restriction information; the document system queries the security restriction table by the user identifier and, if the identifier exists, updates the stored information with that carried in the request, and if it does not, stores the information carried in the request as a new entry.
Optionally, before receiving the document system login request, the method further includes: receiving a message from a message queue subscribed to in advance; parsing the message to obtain a user identifier; and updating the security restriction table according to the message queue and the user identifier, where each message queue corresponds to a restriction level. If the security restriction table is updated automatically through message subscription, the message queues must be subscribed to in advance. As shown in FIG. 2, these may be a message queue (MQ) of the human resources system, a message queue of the public opinion system, and so on; each system may expose several queues, and the ones actually needed are subscribed to. Messages such as a human resources personnel change message or a public opinion abnormal person message are then received from the subscribed queues, each message is parsed to obtain the user information, such as the user identifier (user ID and tenant ID), and the security restriction table is updated according to the queue the message came from and the user identifier.
For example, if the message came from the human resources system queue, the user is in a pre-job status according to the human resources system, so a function-level restriction is applied (covering functions such as document sharing, team publishing, approval, adding external members to a team, document download and document review); that is, the user's restriction level is configured as a function-level restriction. If the user is an abnormal person reported by the public opinion system, a system-level restriction is applied, that is, the user's restriction level is configured as a system-level restriction.
Optionally, after updating the security restriction table according to the message queue and the user identifier, the method further includes: setting the status of the security restriction information corresponding to the user identifier to pending approval; sending an approval request to an approver, where the approval request carries the security restriction information to be approved; and updating the status of the security restriction information to normal in response to receiving a message that the approval result returned by the approver is passed. To ensure the reliability of the security restriction table, an approval process may be added: the status of the security restriction information corresponding to the user identifier is set to pending approval, an approval request is sent to an approver (for example a system administrator), the approver logs in to the background management system and checks the pending security restriction information, and once the check has passed, the status of the security restriction information is updated to normal in response to the approver's passed result.
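Both update paths for the security restriction table, the manual permission configuration request described above and the message-subscription path with its approval step, as one added example that is not the patent's or the applicants' code. The queue names, the JSON message format, the status strings and the handling of a rejected approval are assumptions; the mapping of the human resources queue to a function-level restriction and of the public opinion queue to a system-level restriction follows the description:

```python
"""Updating the security restriction table from a configuration request or a
subscribed message queue, with the approval step (added example)."""
import json
from typing import Dict, List, Tuple

SYSTEM_LEVEL, FUNCTION_LEVEL = 1, 2
Key = Tuple[str, str]  # (user_id, tenant_id)

# Pre-subscribed queues and the restriction level each one corresponds to.
# Queue names are assumed; the level mapping follows the description.
QUEUE_TO_LEVEL: Dict[str, int] = {
    "hr.personnel_change": FUNCTION_LEVEL,
    "opinion.abnormal_user": SYSTEM_LEVEL,
}

# Constructed sample message as it might arrive from the HR queue (assumed format).
SAMPLE_HR_MESSAGE = b'{"user_id": "userB", "tenant_id": "tenant1", "event": "pre_job"}'


class SecurityRestrictionTable:
    def __init__(self) -> None:
        self.rows: Dict[Key, dict] = {}

    def apply_config_request(self, req: dict) -> dict:
        """Manual path: insert or update the row carried in a permission
        configuration request sent by the administrator. Effective immediately."""
        key = (req["user_id"], req["tenant_id"])
        row = self.rows.get(key)
        if row is None:
            row = {"level": req["level"], "status": "normal", "creator": req["admin"]}
            self.rows[key] = row
        else:
            row.update(level=req["level"], updater=req["admin"])
        return row

    def apply_queue_message(self, queue: str, raw: bytes) -> dict:
        """Automatic path: parse the message, map queue to level, store as pending."""
        if queue not in QUEUE_TO_LEVEL:
            raise ValueError(f"queue {queue!r} is not subscribed")
        msg = json.loads(raw)
        key = (msg["user_id"], msg["tenant_id"])
        row = {"level": QUEUE_TO_LEVEL[queue], "status": "pending", "creator": queue}
        self.rows[key] = row
        return row

    def pending_approvals(self) -> List[Tuple[Key, dict]]:
        """The approval request payload: every row still waiting for an approver."""
        return [(k, r) for k, r in self.rows.items() if r["status"] == "pending"]

    def record_approval(self, key: Key, passed: bool, approver: str) -> dict:
        """Passed result sets the row to normal; a rejected row is marked
        "rejected" and never enforced (what the text does not specify, assumed)."""
        self.rows[key].update(status="normal" if passed else "rejected", updater=approver)
        return self.rows[key]

    def is_enforced(self, key: Key) -> bool:
        """Only rows with status normal take part in interception."""
        return self.rows.get(key, {}).get("status") == "normal"
```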
From the embodiments described above it can be seen that the embodiments of the present invention query the security restriction table according to the user identifier to obtain the corresponding security restriction information, return an error prompt to the terminal so that the user cannot log in if the restriction level is a system-level restriction, and return login page data to the terminal if the restriction level is a function-level restriction, thereby solving the technical problem that a prior-art document system cannot control a user with abnormal behaviour. Because the user is intercepted and authenticated through the security restriction information configured in the security restriction table, there is no need to write security restriction code in every place, which improves development efficiency and avoids repeated development; once a user with abnormal behaviour has been found, that user can be restricted quickly by updating the security restriction table.
Fig. 3 is a flowchart of a document system-based interception authentication method according to a reference embodiment of the present invention. As another embodiment of the present invention, as shown in fig. 3, the interception authentication method based on the document system may include:
step 301, receiving a document system login request sent by a terminal, wherein the document system login request carries a user identifier.
Step 302, querying a security restriction table according to the user identifier, so as to obtain security restriction information corresponding to the user identifier, where the security restriction information includes a restriction level, and the restriction level includes a system level restriction or a function level restriction.
And step 303, if the limit level is the function level limit, returning login page data to the terminal.
If the authority level configured in the safety limit table by the user is the function level limit, which indicates that the user is allowed to log in the document system, but the business function of the user needs to be intercepted, the login page data is returned to the terminal, so that the user logs in the document system.
Step 304: receive a service function operation request sent by the terminal, where the service function operation request carries a user identifier and a service function identifier.
Step 305: query a restricted service function list according to the service function identifier to determine whether the service function is a restricted service function; if yes, go to step 306; if not, go to step 308.
Step 306: query the security restriction table according to the user identifier, and determine whether the user identifier exists in the security restriction table with a restriction level of function level restriction; if yes, go to step 307; otherwise go to step 308.
Step 307: return an error prompt to the terminal to prevent the user from operating the service function.
In this embodiment, after a service function operation request sent by a terminal is received, the restricted service function list is queried according to the service function identifier carried in the request. The restricted service function list is configured with the identifiers of the restricted service functions. If the service function identifier is found in the list, the service function is restricted, and the security restriction table is further queried according to the user identifier to determine whether the user identifier exists in the table with a restriction level of function level restriction. If so, the user must be prevented from using the service function, so an error prompt is returned to the terminal to restrict the user from operating the service function.
Note that if the user identifier is not present in the security restriction table, the user does not need to be restricted from operating the service function, and step 308 is executed.
Step 308: respond to the service function operation request.
If the service function identifier is not found in the restricted service function list, the service function is not restricted, and the service function operation request is therefore responded to.
Therefore, the embodiment of the invention can restrict users with abnormal behaviors, protect the document system, and prevent damage by users with malicious behaviors.
In addition, in a reference embodiment of the present invention, the implementation details of the interception authentication method based on the document system have already been described in the interception authentication method based on the document system above, so the repeated content is not described again.
Fig. 4 is a flowchart of a document system based interception authentication method according to another reference embodiment of the present invention. As another embodiment of the present invention, as shown in fig. 4, the interception authentication method based on the document system may include:
Step 401: receive a document system login request sent by a terminal, where the document system login request carries a user identifier.
Step 402: query a security restriction table according to the user identifier to obtain security restriction information corresponding to the user identifier, where the security restriction information includes a restriction level, and the restriction level is either a system level restriction or a function level restriction.
Step 403: if the restriction level is a function level restriction, return login page data to the terminal.
If the restriction level configured for the user in the security restriction table is a function level restriction, the user is allowed to log in to the document system but the user's service functions need to be intercepted, so the login page data is returned to the terminal and the user logs in to the document system.
Step 404: receive a service function operation request sent by the terminal, where the service function operation request carries a user identifier and a service function identifier.
Step 405: query the security restriction table according to the user identifier, and determine whether the user identifier exists in the security restriction table with a restriction level of function level restriction; if yes, go to step 406; otherwise go to step 408.
Step 406: query the restricted service function list corresponding to the restriction level identifier configured in the function level restriction to determine whether the service function is a restricted service function; if yes, go to step 407; if not, go to step 408.
Step 407: return an error prompt to the terminal to prevent the user from operating the service function.
In this embodiment, after a service function operation request sent by a terminal is received, the security restriction table is queried according to the user identifier carried in the request. If the user identifier is found in the security restriction table and its restriction level is a function level restriction, the restriction level identifier configured in that function level restriction (for example, restriction level identifier A) is used to query the corresponding restricted service function list (for example, service functions such as document sharing and team publishing). If the service function identifier carried in the request is found in that restricted service function list, the user must be prevented from using the service function, so an error prompt is returned to the terminal to restrict the user from operating the service function.
Note that if the user identifier is not present in the security restriction table, the user does not need to be restricted from operating the service function, and step 408 is executed. Similarly, if the service function identifier carried in the service function operation request is not found in the restricted service function list, the user does not need to be restricted from operating the service function, and step 408 is executed.
Step 408: respond to the service function operation request.
Optionally, before the service function operation request sent by the terminal is received, the method further includes: in the security restriction table, if the restriction level is a function level restriction, configuring a restriction level identifier in the function level restriction; and configuring the correspondence between each restriction level identifier and a restricted service function list. In this embodiment, a restricted service function list must be configured for each restriction level identifier, and each restricted service function list may include one or more service function identifiers.
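As an added example (not code from the patent), the following Python sketch models both interception points of the embodiments above: login interception (steps 401-403) and service function interception in both orderings, the fig. 3 ordering that checks a single restricted service function list before the table (steps 305-308) and the fig. 4 ordering that checks the table first and then the list bound to the user's restriction level identifier (steps 405-408). The table rows, the identifiers "A" and "B", the function names and the "status" gate that keeps unapproved rows from taking effect are assumptions; the status gate follows the to-be-approved/normal states the description attaches to message-queue updates.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional, Tuple


class RestrictionLevel(Enum):
    SYSTEM = "system"      # login is refused outright
    FUNCTION = "function"  # login allowed, listed service functions are blocked


@dataclass(frozen=True)
class SecurityRestriction:
    level: RestrictionLevel
    level_id: Optional[str]  # restriction level identifier (function level only)
    status: str              # "normal" once approved, otherwise "to_be_approved"


UserId = Tuple[str, str]  # (user ID, tenant ID), the user identifier of the description

# Constructed sample contents of the security restriction table.
SECURITY_RESTRICTION_TABLE: Dict[UserId, SecurityRestriction] = {
    ("u1001", "t1"): SecurityRestriction(RestrictionLevel.SYSTEM, None, "normal"),
    ("u1002", "t1"): SecurityRestriction(RestrictionLevel.FUNCTION, "A", "normal"),
    ("u1003", "t1"): SecurityRestriction(RestrictionLevel.FUNCTION, "B", "normal"),
    # Still awaiting approval, so it must not be enforced yet.
    ("u1004", "t1"): SecurityRestriction(RestrictionLevel.SYSTEM, None, "to_be_approved"),
}

# Correspondence between restriction level identifiers and restricted service
# function lists (the optional configuration step).  Identifiers "A" and "B"
# and the function names are assumed; the functions are the ones the
# description names as examples.
RESTRICTED_FUNCTIONS_BY_LEVEL_ID: Dict[str, List[str]] = {
    "A": ["document_share", "team_publish"],
    "B": ["document_share", "team_publish", "approval",
          "add_external_member", "document_download", "document_review"],
}

# Single restricted service function list for the fig. 3 ordering (step 305):
# every function that is restricted at any level.
RESTRICTED_FUNCTION_LIST: List[str] = sorted(
    {f for fs in RESTRICTED_FUNCTIONS_BY_LEVEL_ID.values() for f in fs})


def query_security_restriction(user_id: UserId) -> Optional[SecurityRestriction]:
    """Security restriction interface: the user's effective restriction, if any."""
    entry = SECURITY_RESTRICTION_TABLE.get(user_id)
    if entry is None or entry.status != "normal":
        return None  # no row, or a row that has not passed approval
    return entry


def handle_login(user_id: UserId) -> dict:
    """Steps 401-403: a system level restriction refuses login; anyone else gets the login page."""
    restriction = query_security_restriction(user_id)
    if restriction is not None and restriction.level is RestrictionLevel.SYSTEM:
        return {"ok": False, "error": "login not permitted"}
    return {"ok": True, "page": "login_page_data"}


def _respond(function_id: str) -> dict:
    """Step 408: the service function runs; its real work is stubbed as a result string."""
    return {"ok": True, "result": f"{function_id} executed"}


def _refuse(function_id: str) -> dict:
    """Step 407: error prompt returned instead of running the function."""
    return {"ok": False, "error": f"operating {function_id} not permitted"}


def handle_service_function(user_id: UserId, function_id: str) -> dict:
    """Steps 404-408 (fig. 4 ordering): look the user up first, then check the
    restricted list bound to that user's restriction level identifier."""
    restriction = query_security_restriction(user_id)
    if restriction is None:
        return _respond(function_id)                     # step 405 -> 408
    if restriction.level is RestrictionLevel.SYSTEM:
        # A system level user should never reach a service function; fail
        # closed here rather than trust that the login check already ran.
        return {"ok": False, "error": "login not permitted"}
    restricted = RESTRICTED_FUNCTIONS_BY_LEVEL_ID.get(restriction.level_id or "", [])
    if function_id in restricted:
        return _refuse(function_id)                      # step 406 -> 407
    return _respond(function_id)                         # step 406 -> 408


def handle_service_function_list_first(user_id: UserId, function_id: str) -> dict:
    """Steps 304-308 (fig. 3 ordering): check the single restricted list first,
    so functions that are never restricted skip the table query entirely."""
    if function_id not in RESTRICTED_FUNCTION_LIST:
        return _respond(function_id)                     # step 305 -> 308
    restriction = query_security_restriction(user_id)
    if restriction is None:
        return _respond(function_id)                     # step 306 -> 308
    if restriction.level is RestrictionLevel.FUNCTION:
        return _refuse(function_id)                      # step 306 -> 307
    return {"ok": False, "error": "login not permitted"}  # system level: fail closed (added)
```

In the fig. 3 ordering a function level user is blocked from every function in the single list regardless of identifier, whereas the fig. 4 ordering blocks only the functions in that identifier's list; compare `document_download` for user `u1002` under the two handlers.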
In addition, in another embodiment of the present invention, the implementation details of the interception authentication method based on the document system have already been described in the interception authentication method based on the document system above, so the repeated content is not described here.
As shown in fig. 5, the embodiment of the present invention may be implemented by providing a unified security restriction interface externally. A user accesses the collaborative document system; when the collaborative document system performs login interception authentication, it invokes the security restriction interface to determine whether the user needs a security restriction, and the security restriction interface queries the security restriction table. If a system level restriction exists, the user is directly prevented from logging in to the collaborative document system and an error prompt is returned: login is not permitted. If the login interception is passed, the user logs in to the collaborative document system. After logging in, the user can access the service functions of the system. When the user accesses a service function, the security restriction interface is first invoked to confirm whether the user needs a security restriction; if so, security restriction processing is performed and an error prompt is returned: operating the service function is not permitted. Because the embodiment of the invention is realized through the security restriction interface, security restriction code need not be written in every service function, which improves development efficiency and avoids repeated development; when a new service needs a security restriction, it only needs to integrate with the security restriction interface.
In addition, the embodiment of the invention can obtain users with abnormal behaviors in advance, either automatically or through manual configuration, and can quickly restrict abnormal users by updating the security restriction table. As shown in fig. 6, manual configuration has two data sources. The first is manual reporting: if a report is confirmed to be true, the system administrator configures the user in the background and sets the restriction level according to the degree of harm. The second is blacklists from operations, companies or departments, for which the system administrator configures the restriction level in the background. Specifically, the system administrator invokes the security restriction data acquisition interface through the document management background, which sends an authority configuration request to the document system. The authority configuration request carries a user identifier (such as a user ID and a tenant ID) and the security restriction information corresponding to that user identifier (such as the restriction level). After receiving the authority configuration request, the security restriction service queries the security restriction table stored in a structured database according to the user identifier, and the structured database returns the query result. If the query result shows that the record exists, the entity to be updated is assembled (including user identifier, restriction level, update time, updater, source type, state, and so on); if it does not exist, a new entity is created. The entity is then updated in, or stored into, the security restriction table in the structured database; the structured database returns the execution result to the security restriction service, and the security restriction service returns it to the document management background.
As shown in fig. 6, if the security restriction table is updated automatically by message subscription, the security restriction service must subscribe to message queues in advance, such as the staff change message queue (MQ) of a human resource system or the abnormal staff message queue of a public opinion system. After receiving a message from a message queue, the security restriction service parses it to obtain user information, such as the user identifier (user ID and tenant ID), and then updates the security restriction table according to the message queue and the user identifier. For example, if the message comes from the message queue of the human resource system, the user is a pre-job user, so a function level restriction is needed (covering functions such as document sharing, team publishing, approval, adding external members to a team, document downloading and document review); that is, the user's restriction level is configured as a function level restriction. If the user is a public opinion abnormal person, a system level restriction is needed; that is, the user's restriction level is configured as a system level restriction. The state of the security restriction information corresponding to the user identifier is then configured as to-be-approved, and an approval request is sent to an approver (such as a system administrator). The approver logs in to the background management system and reviews the security restriction information awaiting approval; once the review passes, in response to the message that the approval result returned by the approver is passed, the state of the security restriction information is updated to normal. Only data approved by the approver is subject to the security restriction, and finally an execution result is returned.
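The two update paths just described, as an added example in Python (not the patent's own code): the authority configuration request from the document management background is an upsert keyed by user identifier that takes effect at once, while a message from a pre-subscribed queue is mapped to a restriction level by the queue it arrived on and parked as to-be-approved until the approver passes it. The queue names, the JSON message body, the default level identifier for queue-driven rows and the behaviour on rejection (the row stays unenforced) are assumptions; all messages are constructed.

```python
import json
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, Optional, Tuple

UserId = Tuple[str, str]  # (user ID, tenant ID), the user identifier of the description

# Correspondence between pre-subscribed message queues and restriction levels.
# Queue names are assumed; the level each one maps to follows the description.
QUEUE_TO_LEVEL: Dict[str, str] = {
    "hr.staff_change": "function",              # staff change: pre-job user
    "public_opinion.abnormal_staff": "system",  # public opinion abnormal person
}
DEFAULT_FUNCTION_LEVEL_ID = "A"  # assumed identifier for queue-driven function level rows


@dataclass
class RestrictionEntity:
    """Core fields of a security restriction table row, as listed in the description."""
    user_id: str
    tenant_id: str
    level: str               # "system" or "function"
    level_id: Optional[str]  # restriction level identifier, function level only
    source_type: str         # "manual", "blacklist", or the originating queue
    status: str              # "normal" (enforced) or "to_be_approved"
    creator: str
    created_at: str
    updater: str
    updated_at: str


class SecurityRestrictionService:
    """Stands in for the security restriction service; a dict replaces the structured database."""

    def __init__(self) -> None:
        self.table: Dict[UserId, RestrictionEntity] = {}

    @staticmethod
    def _now() -> str:
        return datetime.now(timezone.utc).isoformat()

    def _upsert(self, key: UserId, level: str, level_id: Optional[str],
                source_type: str, status: str, operator: str) -> bool:
        """Update the row if the user identifier exists, else create it; True when created."""
        existing = self.table.get(key)
        now = self._now()
        creator, created_at = (operator, now) if existing is None else (existing.creator, existing.created_at)
        self.table[key] = RestrictionEntity(key[0], key[1], level, level_id, source_type,
                                            status, creator, created_at, operator, now)
        return existing is None

    def configure_authority(self, request: dict) -> dict:
        """Authority configuration request from the document management background.
        The payload is validated before the table is touched; manual rows take effect at once."""
        info = request.get("security_restriction", {})
        level, level_id = info.get("level"), info.get("level_id")
        if level not in ("system", "function"):
            return {"ok": False, "error": "unknown restriction level"}
        if level == "function" and not level_id:
            return {"ok": False, "error": "function level restriction needs a level identifier"}
        key = (str(request["user_id"]), str(request["tenant_id"]))
        created = self._upsert(key, level, level_id if level == "function" else None,
                               request.get("source_type", "manual"), "normal", request["operator"])
        return {"ok": True, "created": created}

    def on_message(self, queue: str, raw_message: str) -> dict:
        """One message from a subscribed queue: the queue decides the level, and the row
        is parked as to-be-approved until an approver passes it."""
        level = QUEUE_TO_LEVEL.get(queue)
        if level is None:
            return {"ok": False, "error": f"no restriction level configured for queue {queue}"}
        try:
            msg = json.loads(raw_message)  # assumed JSON message body
            key = (str(msg["user_id"]), str(msg["tenant_id"]))
        except (ValueError, KeyError, TypeError) as exc:
            return {"ok": False, "error": f"malformed message: {exc}"}
        level_id = DEFAULT_FUNCTION_LEVEL_ID if level == "function" else None
        self._upsert(key, level, level_id, queue, "to_be_approved", "mq-subscriber")
        # Returned in place of sending the approval request to the approver.
        return {"ok": True, "approval_request": {"user_id": key[0], "tenant_id": key[1],
                                                 "level": level, "status": "to_be_approved"}}

    def approve(self, key: UserId, approver: str, passed: bool) -> dict:
        """Approver's decision. Only a pass moves the row to normal; the description does
        not say what happens on rejection, so here the row simply stays unenforced."""
        entity = self.table.get(key)
        if entity is None or entity.status != "to_be_approved":
            return {"ok": False, "error": "no security restriction information awaiting approval"}
        if not passed:
            return {"ok": False, "status": entity.status}
        entity.status, entity.updater, entity.updated_at = "normal", approver, self._now()
        return {"ok": True, "status": "normal"}

    def effective_level(self, key: UserId) -> Optional[str]:
        """What the interception path sees: only approved (normal) rows count."""
        entity = self.table.get(key)
        return entity.level if entity is not None and entity.status == "normal" else None
```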
As shown in fig. 7, a user accesses the collaborative document WEB/APP system, which invokes the collaborative document service. The collaborative document service first performs global user interception authentication: it invokes the security restriction interface provided by the security restriction service, passing the user identifier (such as the user ID and tenant ID). The security restriction service queries the security restriction table according to the user ID and tenant ID (the core fields of the table include user ID, tenant ID, source type, restriction level, status, creator, creation time, updater, update time, and so on), assembles the fields of the query result and returns the result to the collaborative document service. The collaborative document service then determines from the query result whether the user must be prevented from logging in to the collaborative document system: if the restriction level is a system level restriction, an error prompt is returned to refuse the login; if the restriction level is a function level restriction, login page data is returned.
After logging in to the collaborative document WEB/APP system, the user proceeds to service function processing. When the user operates a service function, the collaborative document system determines whether that service function is a restricted service function. If so, it invokes the security restriction interface, passing the user identifier (such as the user ID and tenant ID); the security restriction service queries the security restriction table according to the user ID and tenant ID, assembles the fields of the query result and returns the result to the collaborative document service. The collaborative document service determines from the query result whether the user must be prevented from operating the service function: if the user's identifier exists in the security restriction table and the restriction level is a function level restriction, an error prompt is returned to prevent the user from operating the service function; otherwise the user is not restricted.
Fig. 8 is a schematic diagram of an interception authentication apparatus based on a document system according to an embodiment of the present invention. As shown in fig. 8, the document system based interception authentication apparatus 800 includes a receiving module 801 and an authentication module 802. The receiving module 801 is configured to receive a document system login request sent by a terminal, where the document system login request carries a user identifier. The authentication module 802 is configured to query a security restriction table according to the user identifier to obtain security restriction information corresponding to the user identifier, where the security restriction information includes a restriction level, and the restriction level is either a system level restriction or a function level restriction; if the restriction level is a system level restriction, return an error prompt to the terminal to refuse the user's login; and if the restriction level is a function level restriction, return login page data to the terminal.
Optionally, the receiving module 801 is further configured to: receive a service function operation request sent by the terminal, where the service function operation request carries a user identifier and a service function identifier;
the authentication module 802 is further configured to: query a restricted service function list according to the service function identifier to determine whether the service function is a restricted service function; if so, query the security restriction table according to the user identifier, and if the user identifier exists in the security restriction table with a restriction level of function level restriction, return an error prompt to the terminal to prevent the user from operating the service function; and if not, respond to the service function operation request.
Optionally, the authentication module 802 is further configured to:
respond to the service function operation request if the user identifier does not exist in the security restriction table.
Optionally, the receiving module 801 is further configured to: receive a service function operation request sent by the terminal, where the service function operation request carries a user identifier and a service function identifier;
the authentication module 802 is further configured to: query the security restriction table according to the user identifier; if the user identifier exists in the security restriction table and the restriction level is a function level restriction, query the restricted service function list corresponding to the restriction level identifier configured in the function level restriction to determine whether the service function is a restricted service function; if yes, return an error prompt to the terminal to prevent the user from operating the service function; and if not, respond to the service function operation request.
Optionally, the apparatus further comprises a configuration module, configured to:
in the security restriction table, if the restriction level is a function level restriction, configure a restriction level identifier in the function level restriction;
and configure the correspondence between each restriction level identifier and a restricted service function list.
Optionally, the configuration module is further configured to:
receive an authority configuration request, where the authority configuration request carries a user identifier and security restriction information corresponding to the user identifier;
query the security restriction table according to the user identifier and determine whether the user identifier exists in the security restriction table; if so, update the security restriction information in the security restriction table according to the security restriction information carried in the authority configuration request; if not, store the security restriction information carried in the authority configuration request into the security restriction table.
Optionally, the configuration module is further configured to:
receive messages from a pre-subscribed message queue;
parse each message to obtain a user identifier;
update the security restriction table according to the message queue and the user identifier, where the message queue has a correspondence with the restriction level.
Optionally, the configuration module is further configured to:
after the security restriction table is updated according to the message queue and the user identifier, configure the state of the security restriction information corresponding to the user identifier as to-be-approved;
send an approval request to an approver, where the approval request carries the security restriction information to be approved;
and in response to receiving a message that the approval result returned by the approver is passed, update the state of the security restriction information to normal.
It should be noted that the detailed implementation of the interception authentication apparatus based on a document system according to the present invention has already been described in the interception authentication method based on a document system above, so the repeated description is not given here.
Fig. 9 shows an exemplary system architecture 900 of a document system based interception authentication method or a document system based interception authentication apparatus to which an embodiment of the present invention can be applied.
As shown in fig. 9, the system architecture 900 may include end devices 901, 902, 903, a network 904, and a server 905. Network 904 is the medium used to provide communication links between end devices 901, 902, 903 and server 905. Network 904 may include various connection types, such as wired, wireless communication links, or fiber optic cables, to name a few.
A user may use the terminal devices 901, 902, 903 to interact with the server 905 over the network 904 to receive or send messages and the like. Various messaging client applications may be installed on the terminal devices 901, 902, 903, such as, for example only, shopping applications, web browser applications, search applications, instant messaging tools, mailbox clients, social platform software, and so on.
The terminal devices 901, 902, 903 may be various electronic devices having a display screen and supporting web browsing, including but not limited to smart phones, tablet computers, laptop portable computers, desktop computers, and the like.
The server 905 may be a server providing various services, such as a background management server (for example only) providing support for shopping websites browsed by users using the terminal devices 901, 902, 903. The background management server can analyze and process the received data such as the article information query request and the like, and feed back the processing result to the terminal equipment.
It should be noted that the document system-based interception authentication method provided by the embodiment of the present invention is generally executed by the server 905, and accordingly, the document system-based interception authentication apparatus is generally disposed in the server 905.
It should be understood that the number of terminal devices, networks, and servers in fig. 9 is merely illustrative. There may be any number of terminal devices, networks, and servers, as desired for implementation.
Referring now to fig. 10, a block diagram of a computer system 1000 suitable for implementing a terminal device of an embodiment of the invention is shown. The terminal device shown in fig. 10 is only an example and should not impose any limitation on the functions and scope of use of the embodiments of the present invention.
As shown in fig. 10, the computer system 1000 includes a central processing unit (CPU) 1001 that can perform various appropriate actions and processes according to a program stored in a read only memory (ROM) 1002 or a program loaded from a storage section 1008 into a random access memory (RAM) 1003. The RAM 1003 also stores various programs and data necessary for the operation of the system 1000. The CPU 1001, ROM 1002 and RAM 1003 are connected to each other by a bus 1004. An input/output (I/O) interface 1005 is also connected to the bus 1004.
The following components are connected to the I/O interface 1005: an input section 1006 including a keyboard, a mouse and the like; an output section 1007 including a display such as a cathode ray tube (CRT) or liquid crystal display (LCD), and a speaker; a storage section 1008 including a hard disk and the like; and a communication section 1009 including a network interface card such as a LAN card or a modem. The communication section 1009 performs communication processing via a network such as the Internet. A drive 1010 is also connected to the I/O interface 1005 as necessary. A removable medium 1011 such as a magnetic disk, an optical disk, a magneto-optical disk or a semiconductor memory is mounted on the drive 1010 as necessary, so that a computer program read from it is installed into the storage section 1008 as necessary.
In particular, according to the embodiments of the present disclosure, the processes described above with reference to the flowcharts may be implemented as computer software programs. For example, embodiments of the present disclosure include a computer program product comprising a computer program embodied on a computer readable medium, the computer program comprising program code for performing the method illustrated in the flowchart. In such an embodiment, the computer program may be downloaded and installed from a network through the communication section 1009 and/or installed from the removable medium 1011. When executed by the central processing unit (CPU) 1001, the computer program performs the functions defined in the system of the present invention described above.
It should be noted that the computer readable medium shown in the present invention can be a computer readable signal medium or a computer readable storage medium or any combination of the two. A computer readable storage medium may be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any combination of the foregoing. More specific examples of the computer readable storage medium may include, but are not limited to: an electrical connection having one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the present invention, a computer readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device. In the present invention, however, a computer readable signal medium may include a propagated data signal with computer readable program code embodied therein, for example, in baseband or as part of a carrier wave. Such a propagated data signal may take any of a variety of forms, including, but not limited to, electro-magnetic, optical, or any suitable combination thereof. A computer readable signal medium may also be any computer readable medium that is not a computer readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device. Program code embodied on a computer readable medium may be transmitted using any appropriate medium, including but not limited to: wireless, wire, fiber optic cable, RF, etc., or any suitable combination of the foregoing.
The flowchart and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer programs according to various embodiments of the present invention. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams or flowchart illustration, and combinations of blocks in the block diagrams or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
The modules described in the embodiments of the present invention may be implemented by software or hardware. The described modules may also be provided in a processor, which may be described as: a processor includes a receiving module and an authentication module, where the names of the modules do not in some cases constitute a limitation on the module itself.
As another aspect, the present invention also provides a computer-readable medium that may be contained in the apparatus described in the above embodiments; or may be separate and not assembled into the device. The computer readable medium carries one or more programs which, when executed by a device, implement the method of: receiving a document system login request sent by a terminal, wherein the document system login request carries a user identifier; querying a safety restriction table according to the user identifier to obtain safety restriction information corresponding to the user identifier, wherein the safety restriction information comprises a restriction level, and the restriction level comprises a system level restriction or a function level restriction; if the limit level is system level limit, returning an error prompt to the terminal to limit user login; and if the restriction level is the function level restriction, returning login page data to the terminal.
As another aspect, an embodiment of the present invention further provides a computer program product, which includes a computer program, and when the computer program is executed by a processor, the computer program implements the method described in any of the above embodiments.
According to the technical solution of the embodiment of the invention, the security restriction table is queried according to the user identifier to obtain the security restriction information corresponding to the user identifier; if the restriction level is a system level restriction, an error prompt is returned to the terminal to refuse the user's login, and if the restriction level is a function level restriction, login page data is returned to the terminal. This solves the technical problem that a document system in the prior art cannot control users with abnormal behaviors. The embodiment of the invention intercepts and authenticates users through the security restriction information configured in the security restriction table, so security restriction code does not need to be written everywhere, which improves development efficiency and avoids repeated development; and once a user with abnormal behavior is found, the user can be quickly restricted by updating the security restriction table.
The above-described embodiments should not be construed as limiting the scope of the invention. Those skilled in the art will appreciate that various modifications, combinations, sub-combinations, and substitutions can occur, depending on design requirements and other factors. Any modification, equivalent replacement, and improvement made within the spirit and principle of the present invention should be included in the protection scope of the present invention.

Claims (12)

1. An interception authentication method based on a document system is characterized by comprising the following steps:
receiving a document system login request sent by a terminal, wherein the document system login request carries a user identifier;
querying a security restriction table according to the user identifier to obtain security restriction information corresponding to the user identifier, where the security restriction information includes a restriction level, and the restriction level includes a system level restriction or a function level restriction;
if the limit level is system level limit, returning an error prompt to the terminal to limit user login; and if the restriction level is the function level restriction, returning login page data to the terminal.
2. The method of claim 1, wherein if the restriction level is a function-level restriction, after returning login page data to the terminal, further comprising:
receiving a service function operation request sent by the terminal, wherein the service function operation request carries a user identifier and a service function identifier;
inquiring a limited service function list according to the service function identifier so as to judge whether the service function is a limited service function;
if so, inquiring the safety restriction table according to the user identification, and if the user identification exists in the safety restriction table and the restriction level is the function level restriction, returning an error prompt to the terminal to restrict the user from operating the service function;
and if not, responding to the service function operation request.
3. The method of claim 2, wherein if the restriction level is a function-level restriction, after returning login page data to the terminal, further comprising:
and responding to the service function operation request if the user identification does not exist in the safety limit table.
4. The method of claim 1, wherein if the restriction level is a function-level restriction, after returning login page data to the terminal, further comprising:
receiving a service function operation request sent by the terminal, wherein the service function operation request carries a user identifier and a service function identifier;
inquiring a safety limit table according to the user identification, and if the user identification exists in the safety limit table and the limit level is a function level limit, inquiring a limited service function list corresponding to the limit level identification according to a limit level identification configured in the function level limit so as to judge whether the service function is a limited service function;
if yes, returning an error prompt to the terminal to limit the user to operate the service function;
and if not, responding to the service function operation request.
5. The method of claim 4, wherein before receiving the service function operation request sent by the terminal, the method further comprises:
in the safety limit table, if the limit level is a function level limit, configuring a limit level identifier in the function level limit;
and configuring the corresponding relation between each restriction grade identifier and the restricted service function list.
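The login gate of claim 1 and the graded function gate of claims 4 and 5, as an added in-memory example that is not the patent's own code; table contents, grade identifiers, function names and the returned dictionaries are all assumptions.

```python
from dataclasses import dataclass
from typing import Optional

SYSTEM_LEVEL = "system"      # user may not log in at all (claim 1)
FUNCTION_LEVEL = "function"  # user may log in, but graded functions are blocked (claim 4)


@dataclass
class Restriction:
    level: str                   # SYSTEM_LEVEL or FUNCTION_LEVEL
    grade: Optional[str] = None  # restriction grade identifier, function level only (claim 5)


# Security restriction table keyed by user identifier (constructed sample rows).
SECURITY_RESTRICTION_TABLE = {
    "u-1001": Restriction(SYSTEM_LEVEL),
    "u-1002": Restriction(FUNCTION_LEVEL, grade="G1"),
}

# Claim 5: correspondence between each restriction grade identifier and a
# restricted service function list (constructed sample data).
RESTRICTED_FUNCTIONS_BY_GRADE = {
    "G1": {"export_document", "delete_document"},
    "G2": {"export_document"},
}


def handle_login(user_id: str) -> dict:
    """Claim 1: a system-level restriction rejects the login; any other user
    (function-level or absent from the table) receives the login page data."""
    row = SECURITY_RESTRICTION_TABLE.get(user_id)
    if row is not None and row.level == SYSTEM_LEVEL:
        return {"ok": False, "error": "login restricted"}
    return {"ok": True, "page": "login"}


def handle_function_request(user_id: str, function_id: str) -> dict:
    """Claim 4: look the user up first; only then consult the restricted list
    that belongs to the grade configured in the user's function-level restriction."""
    row = SECURITY_RESTRICTION_TABLE.get(user_id)
    if row is None:
        return {"ok": True, "result": f"executed {function_id}"}
    if row.level == SYSTEM_LEVEL:
        # Not in the claims: a defence-in-depth check for a session that was issued
        # before the system-level restriction was written to the table.
        return {"ok": False, "error": "login restricted"}
    restricted = RESTRICTED_FUNCTIONS_BY_GRADE.get(row.grade, set())
    if function_id in restricted:
        return {"ok": False, "error": f"function {function_id} restricted"}
    return {"ok": True, "result": f"executed {function_id}"}
```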
6. The method of claim 1, wherein before receiving the document system login request sent by the terminal, the method further comprises:
receiving a permission configuration request, wherein the permission configuration request carries a user identifier and security restriction information corresponding to the user identifier;
querying the security restriction table according to the user identifier, and determining whether the user identifier exists in the security restriction table; if so, updating the security restriction information in the security restriction table according to the security restriction information carried in the permission configuration request; if not, storing the security restriction information carried in the permission configuration request in the security restriction table.
7. The method of claim 1, wherein before receiving the document system login request sent by the terminal, the document system login request carrying a user identifier, the method further comprises:
receiving a message of a message queue according to a pre-subscribed message queue;
parsing the message to obtain a user identifier;
updating the security restriction table according to the message queue and the user identifier; wherein the message queue has a correspondence with the restriction level.
8. The method of claim 7, wherein after updating the security restriction table according to the message queue and the user identifier, the method further comprises:
configuring the state of the security restriction information corresponding to the user identifier as pending approval;
sending an approval request to an approver, wherein the approval request carries the security restriction information pending approval;
and updating the state of the security restriction information to normal in response to receiving a message that the approval result returned by the approver is passed.
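How the security restriction table is maintained under claims 6 to 8 (configuration upsert, queue-driven insert, approval state), as an added example that is not the patent's own code; the queue names, the JSON message layout and the state names are assumptions.

```python
import json

SYSTEM_LEVEL = "system"
FUNCTION_LEVEL = "function"

# Claim 7: each pre-subscribed message queue corresponds to one restriction level
# (constructed mapping, e.g. an account-ban topic that feeds system-level rows).
QUEUE_TO_LEVEL = {
    "risk.account_banned": SYSTEM_LEVEL,
    "risk.abnormal_operation": FUNCTION_LEVEL,
}

# Rows keyed by user identifier: {"level": ..., "grade": ..., "state": "pending" | "normal"}
security_restriction_table: dict = {}


def apply_permission_config(request: dict) -> str:
    """Claim 6: update the row if the user identifier exists, otherwise store it."""
    user_id = request["user_id"]
    info = {"level": request["level"], "grade": request.get("grade"), "state": "normal"}
    action = "updated" if user_id in security_restriction_table else "inserted"
    security_restriction_table[user_id] = info
    return action


def consume_queue_message(queue: str, raw: bytes) -> dict:
    """Claims 7 and 8: parse the user identifier out of the message, write a row whose
    level is decided by the queue, mark it pending approval and build the approval request."""
    level = QUEUE_TO_LEVEL[queue]  # an unsubscribed queue raises KeyError rather than writing a row
    user_id = json.loads(raw)["user_id"]  # the message is assumed to be a JSON object
    row = {"level": level, "grade": None, "state": "pending"}
    security_restriction_table[user_id] = row
    # The approval request carries the pending security restriction information.
    return {"user_id": user_id, "restriction": dict(row)}


def record_approval(user_id: str, passed: bool) -> str:
    """Claim 8: a passed approval result turns the pending row into a normal row.
    The claims do not say what a rejection does, so the row is left as it is."""
    row = security_restriction_table[user_id]
    if row["state"] == "pending" and passed:
        row["state"] = "normal"
    return row["state"]
```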
9. An interception authentication device based on a document system, comprising:
a receiving module, a processing module and a sending module, wherein the receiving module is configured to receive a document system login request sent by a terminal, and the document system login request carries a user identifier;
an authentication module, configured to query a security restriction table according to the user identifier to obtain security restriction information corresponding to the user identifier, wherein the security restriction information includes a restriction level, and the restriction level includes a system-level restriction or a function-level restriction; if the restriction level is a system-level restriction, returning an error prompt to the terminal to restrict user login; and if the restriction level is a function-level restriction, returning login page data to the terminal.
10. An electronic device, comprising:
one or more processors;
a storage device to store one or more programs,
the one or more programs, when executed by the one or more processors, implement the method of any of claims 1-8.
11. A computer-readable medium, on which a computer program is stored, which, when being executed by a processor, carries out the method according to any one of claims 1-8.
12. A computer program product comprising a computer program, wherein the computer program, when executed by a processor, implements the method of any one of claims 1-8.
CN202211474170.4A 2022-11-23 2022-11-23 Interception authentication method and device based on document system Pending CN115955327A (en)
Publications (1)

Publication Number Publication Date
CN115955327A true CN115955327A (en) 2023-04-11
Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination