WO2017080381A1 - Method for processing cross-domain data, first server and second server - Google Patents

Info

Publication number
WO2017080381A1
Authority
WO
WIPO (PCT)
Prior art keywords
server
user
digital object
identifier
data operation
Application number
PCT/CN2016/104053
Other languages
French (fr)
Chinese (zh)
Inventor
何健飞
Original Assignee
华为技术有限公司
Application filed by 华为技术有限公司
Publication of WO2017080381A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 67/00 Network arrangements or protocols for supporting network services or applications
    • H04L 67/01 Protocols
    • H04L 67/10 Protocols in which an application is distributed across nodes in the network
    • H04L 67/1001 Protocols in which an application is distributed across nodes in the network for accessing one among a plurality of replicated servers
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L 63/0807 Network architectures or network communication protocols for network security for authentication of entities using tickets, e.g. Kerberos
    • H04L 67/50 Network services
    • H04L 67/60 Scheduling or organising the servicing of application requests, e.g. requests for application data transmissions using the analysis and optimisation of the required network resources
    • H04L 65/00 Network arrangements, protocols or services for supporting real-time applications in data packet communication
    • H04L 65/40 Support for services or applications

Definitions

  • the present invention relates to the field of communications technologies, and in particular, to a method for processing cross-domain data, a first server, and a second server.
  • information obtained by users through the Internet or published data belongs to private data that other users cannot obtain.
  • Users can share data through some service providers that provide information distribution.
  • the data generated by the user is controlled by the service provider that is capable of data sharing.
  • the service provider uses the control of the data or information published by the user to form the autonomous domain of the service provider. Inter-access is prohibited between the autonomous domains of different service providers, that is, users belonging to the first service provider cannot access data of other users in the autonomous domain of the second service provider.
  • the present invention provides a method for processing cross-domain data, a first server, and a second server, which are capable of processing data between users belonging to different service providers.
  • a first aspect provides a method for processing cross-domain data, the method comprising: receiving, by a first server, a first data operation request sent by a user, where the first server is configured to provide an access service to the user, the first data operation request requests processing of a digital object, and the first data operation request includes the token of the user and the identifier of the digital object; determining, by the first server according to the identifier of the digital object included in the first data operation request, that the target domain of the first data operation request is the autonomous domain of a second server; deleting, by the first server, the token of the user included in the first data operation request to obtain a second data operation request, where the second data operation request includes the identifier of the digital object; and sending, by the first server, the second data operation request to the second server.
  • the first data operation request further includes an identifier of the user
  • the method further includes: determining, by the first server according to the identifier of the digital object included in the first data operation request, that the target domain of the first data operation request is the autonomous domain of the first server; determining, by the first server according to a correspondence, the token of the user and the identifier of the user, that the user has passed authentication, where the correspondence includes the token of the user and the identifier of the user; obtaining, by the first server according to the identifier of the user, a digital object operation authority, where the digital object operation authority is the operation authority of the first server over the digital object related to the user; and processing, by the first server, the digital object according to the digital object operation authority and the identifier of the digital object.
  • the method further includes: receiving, by the first server, an access request sent by the user, where the access request is used to request a token and includes an identifier of the user; determining, according to the identifier of the user, that the user belongs to the autonomous domain of the first server; authenticating the user by the first server; and, after determining that the user has passed authentication, sending to the user the token of the user corresponding to the identifier of the user.
  • the first server authenticates the user; the authentication method can be, but is not limited to, verifying (decrypting) the user's digital signature with the user's public key.
  • the method further includes: receiving, by the first server, an access request sent by the user, where the access request is used to request a token and includes an identifier of the user; determining, according to the identifier of the user, that the user does not belong to the autonomous domain of the first server; requesting, by the first server, that a third server authenticate the user; and, after determining that the user has been authenticated by the third server, sending to the user the token of the user corresponding to the identifier of the user.
  • the digital object is a virtual digital object stored in a fourth server; processing, by the first server, the digital object according to the digital object operation authority and the identifier of the digital object comprises: acquiring, by the first server, a location pointer according to the identifier of the digital object, where the location pointer indicates the address at which the fourth server stores the digital object; acquiring, by the first server, the digital object from the fourth server according to the location pointer; and processing, by the first server, the digital object according to the digital object operation authority.
  • the digital object can be a virtual digital object stored on the fourth server.
  • the virtual digital object has a unique identifier.
  • the content of the virtual digital object is not actually stored in the first server; the first server holds a location pointer indicating the address from which the content of the virtual digital object can be obtained.
  • the identifier of the digital object includes a digital object group identifier; processing, by the first server, the digital object according to the digital object operation authority and the identifier of the digital object includes: processing, by the first server, each member of the group identified by the digital object group identifier according to the digital object operation authority.
  • a method for processing cross-domain data comprising: receiving, by a second server, a data operation request sent by a first server, the data operation request for requesting processing of a digital object,
  • the data operation request includes an identifier of the digital object and an identifier of the user, the autonomous domain of the second server is a target domain of the data operation request, and the second server requests the third server to authenticate the user;
  • after determining that the user has been authenticated by the third server, the second server obtains a digital object operation authority according to the identifier of the user in the data operation request, where the digital object operation authority is the operation authority of the second server over the digital object related to the user; the second server processes the digital object according to the digital object operation authority and the identifier of the digital object.
  • the third server is a server for authenticating the user; the third server corresponds to the registration domain of the user, that is, the domain in which the user obtained the user identifier by registering (the registration domain allocates the user identifier to the user).
  • the second server obtains the registration domain of the user according to the identifier of the user, and obtains the address of the third server corresponding to the registration domain, for example, the IP address of the third server.
  • the second server may request the third server to authenticate the user.
  • the method further includes: after determining that the user has been authenticated by the third server, the second server sends to the user the token of the user corresponding to the identifier of the user.
  • the digital object is a virtual digital object stored in a fourth server; processing, by the second server, the digital object according to the digital object operation authority and the identifier of the digital object includes: acquiring, by the second server, a location pointer according to the identifier of the digital object, where the location pointer indicates the address at which the fourth server stores the digital object; acquiring, by the second server, the digital object from the fourth server according to the location pointer; and processing, by the second server, the digital object according to the digital object operation authority.
  • a first server configured to provide an access service to a user, where the first server includes: a receiving unit, configured to receive a first data operation request sent by the user, where the first data operation request requests processing of a digital object and includes the token of the user and an identifier of the digital object; a determining unit, configured to determine, according to the identifier of the digital object included in the first data operation request, that the target domain of the first data operation request is the autonomous domain of a second server; an execution unit, configured to delete the token of the user included in the first data operation request to obtain a second data operation request, where the second data operation request includes the identifier of the digital object; and a sending unit, configured to send the second data operation request to the second server.
  • the first data operation request further includes an identifier of the user
  • the determining unit is further configured to determine, according to the identifier of the digital object included in the first data operation request, that the target domain of the first data operation request is the autonomous domain of the first server.
  • the first server further includes an obtaining unit, configured to determine, according to a correspondence, the token of the user and the identifier of the user, that the user has passed authentication, and then to obtain a digital object operation authority according to the identifier of the user, where the correspondence includes the token of the user and the identifier of the user, and the digital object operation authority is the operation authority of the first server over the digital object related to the user.
  • the execution unit is further configured to process the digital object according to the digital object operation authority and the identifier of the digital object.
  • the receiving unit is further configured to receive an access request sent by the user, where the access request is used to request a token and includes an identifier of the user; the determining unit is further configured to determine, according to the identifier of the user, that the user belongs to the first server.
  • the execution unit is further configured to authenticate the user, and the sending unit is further configured to send to the user, after the user passes authentication, the token of the user corresponding to the identifier of the user.
  • the receiving unit is further configured to receive an access request sent by the user, where the access request is used to request a token and includes an identifier of the user; the determining unit is further configured to determine, according to the identifier of the user, that the user does not belong to the first server.
  • the execution unit is further configured to request a third server to authenticate the user, and the sending unit is further configured to send to the user, after determining that the user has been authenticated by the third server, the token of the user corresponding to the identifier of the user.
  • the digital object is a virtual digital object stored in a fourth server; the execution unit is specifically configured to acquire a location pointer according to the identifier of the digital object, where the location pointer indicates the address at which the fourth server stores the digital object, to acquire the digital object from the fourth server according to the location pointer, and to process the digital object according to the digital object operation authority.
  • the identifier of the digital object includes a digital object group identifier; the execution unit is configured to process each member of the group identified by the digital object group identifier according to the digital object operation authority and the digital object group identifier.
  • a second server includes: a receiving unit, configured to receive a data operation request sent by a first server, where the data operation request requests processing of a digital object and includes an identifier of the digital object and an identifier of the user, and the autonomous domain of the second server is the target domain of the data operation request; an execution unit, configured to request a third server to authenticate the user; and an obtaining unit, configured to obtain, after determining that the user has been authenticated by the third server, a digital object operation authority according to the identifier of the user in the data operation request, where the digital object operation authority is the operation authority of the second server over the digital object related to the user.
  • the execution unit is further configured to process the digital object according to the digital object operation authority and the identifier of the digital object.
  • the second server further includes a sending unit, configured to send to the user, after determining that the user has been authenticated by the third server, the token of the user corresponding to the identifier of the user.
  • the digital object is a virtual digital object stored in a fourth server; the execution unit is specifically configured to acquire a location pointer according to the identifier of the digital object, where the location pointer indicates the address at which the fourth server stores the digital object, to acquire the digital object from the fourth server according to the location pointer, and to process the digital object according to the digital object operation authority.
  • a fifth aspect provides a first server, where the first server is configured to provide an access service to a user, where the first server includes: an interface, a processor, and a memory storing the program code.
  • the processor reads the instruction corresponding to the program code from the memory, and performs the following operations according to the read instruction:
  • the processor is further configured to obtain a digital object operation authority, where the digital object operation authority is the operation authority of the first server over the digital object related to the user, and to process the digital object according to the digital object operation authority and the identifier of the digital object.
  • the processor is further configured to: receive, through the interface, an access request sent by the user, where the access request is used to request a token and includes an identifier of the user; determine, according to the identifier of the user, that the user belongs to the autonomous domain of the first server; authenticate the user; and, after determining that the user passes authentication, send the token of the user corresponding to the identifier of the user to the user through the interface.
  • the processor is further configured to send the token of the user corresponding to the identifier of the user to the user through the interface.
  • the digital object is a virtual digital object stored in a fourth server; the processor is configured to acquire a location pointer according to the identifier of the digital object, where the location pointer indicates the address at which the fourth server stores the digital object, to acquire the digital object from the fourth server according to the location pointer, and to process the digital object according to the digital object operation authority.
  • the identifier of the digital object includes a digital object group identifier; the processor is specifically configured to process, by the first server, each member of the group identified by the digital object group identifier according to the digital object operation authority and the digital object group identifier.
  • a second server includes an interface, a processor, and a memory storing program code; the processor reads the instructions corresponding to the program code from the memory and performs the following operations: the digital object is processed according to the digital object operation authority and the identifier of the digital object.
  • the processor is further configured to send to the user, after determining that the user has been authenticated by the third server, the token of the user corresponding to the identifier of the user.
  • the digital object is a virtual digital object stored in a fourth server; the processor is specifically configured to acquire a location pointer according to the identifier of the digital object, where the location pointer indicates the address at which the fourth server stores the digital object, to acquire the digital object from the fourth server according to the location pointer, and to process the digital object according to the digital object operation authority.
  • the first server receives the first data operation request sent by the user, and determines that the target domain of the first data operation request is the autonomous domain of the second server according to the identifier of the digital object included in the first data operation request.
  • the first server deletes the token of the user included in the first data operation request to obtain a second data operation request, and the first server sends the second data operation request to the second server.
  • after the first server determines that the data the user requests to process is not in the autonomous domain of the first server, the first server sends the operation request to the second server corresponding to the target domain, and the second server processes the user's operation request; in this way, data can be processed between users belonging to different service providers.
  • FIG. 1 is a flowchart of a method for processing cross-domain data according to Embodiment 1 of the present invention.
  • FIG. 2 is a schematic structural diagram of a digital object according to Embodiment 1 of the present invention.
  • FIG. 3 is a flowchart of a method for processing cross-domain data according to Embodiment 1 of the present invention.
  • FIG. 4 is a flowchart of a method for processing cross-domain data according to Embodiment 2 of the present invention.
  • FIG. 5 is a schematic diagram of a first server according to Embodiment 3 of the present invention.
  • FIG. 6 is a schematic diagram of a second server according to Embodiment 3 of the present invention.
  • FIG. 7 is a schematic diagram of a first server according to Embodiment 3 of the present invention.
  • FIG. 8 is a schematic diagram of a second server according to Embodiment 3 of the present invention.
  • the technical solution proposed by the present invention is: the first server receives the first data operation request sent by the user, determines, according to the identifier of the digital object included in the first data operation request, that the target domain of the first data operation request is the autonomous domain of the second server, deletes the token of the user included in the first data operation request to obtain a second data operation request, and sends the second data operation request to the second server.
  • after the first server determines that the data the user requests to process is not in the autonomous domain of the first server, the first server sends the operation request to the second server corresponding to the target domain, and the second server processes the user's operation request; in this way, data can be processed between users belonging to different service providers.
  • the domain is divided into different domains, including an access domain, a registration domain, a target domain, and a forwarding domain.
  • the access domain is the first domain the user connects to when accessing a digital object. If the user has no roaming access, the access domain and the registration domain of the user are the same domain. If roaming access occurs, the roaming access is obtained through the access domain that the user connected to.
  • the registration domain is the domain in which the user can obtain the user ID by registering, that is, the registration domain assigns the user ID to the user.
  • the process of creating a user in a domain, and of a user exiting a domain, is determined by each domain.
  • in implementation, a user may be created or exited, for example, through the web portal of the respective service provider, or through a client program of the domain or the like.
  • a digital object corresponding to the user is generated in the domain; the digital object may include information the user uses for authentication, for example, but not limited to, a public key.
  • the target domain refers to the target involved in an operation, that is, the domain in which the digital object to be operated is located, for example, a server that stores the digital object to be operated.
  • a forwarding domain is a domain that, when it receives an operation request, is neither the access domain nor the target domain; it only forwards the received data operation request to the target domain, or forwards the received access request to the registration domain.
  • the data operation request may be any operation for requesting creation, deletion, modification, and reading of the digital object, which is not exemplified herein.
  • the various types of domains described above are logical classifications that are distinguished from a single operational perspective of a single user.
  • the functions of the various types of domains described above are implemented simultaneously to implement various operations on different digital objects for different users.
  • a first embodiment of the present invention provides a method for processing cross-domain data. As shown in FIG. 1 , the specific processing flow of the method is as follows:
  • the user sends a first data operation request.
  • the first data operation request is used to request processing of the digital object, and the first data operation request includes the token of the user and the identifier of the digital object.
  • the processing of digital objects can be, but is not limited to, including operations such as creating, deleting, and reading digital objects.
  • FIG. 2 is a schematic diagram of the composition of a digital object according to an embodiment of the present invention.
  • the digital object includes an identifier of the digital object, and an attribute of the digital object corresponding to the identifier of the digital object.
  • the identification of the digital object uniquely identifies the digital object.
  • Each digital object can have one or more attributes, and the attributes of the digital object can be constructed by a key-value pair.
  • the functional type of the key can be used to represent various permissions of the digital object, or, for example, the size of the digital object.
  • the permission may be an access right, a processing right, or the like.
  • each data operation request for a digital object corresponds to a permission.
  • the value may be a user identifier, identifying the user who has the authority to perform the corresponding operation on the digital object.
  • for example, if the identifier of the digital object is AAAA and the key-value pair corresponding to AAAA is access right - user A, then the user whose user identifier is user A can access the digital object.
  • the value can also be an operation right, such as reading, deleting, or modifying permissions.
  • the attribute corresponding to the identifier of the digital object may also be the size of the digital object corresponding to the identifier of the digital object, and the size of the digital object may be identified by a key. For example, if a key is a size and the corresponding value is 1024 (the default is byte), the size of the digital object corresponding to the identifier of the digital object is 1024 bytes.
  • the value of the key in the attribute corresponding to the identifier of the digital object may also be the identifier of another digital object.
  • for example, the identifier of the digital object is AAAA, and its corresponding value is BBBB.
  • some of the keys corresponding to the identifiers of digital objects may be set to be unique, so as to avoid ambiguity when interworking between different service domains.
  • Some of the keys can be set to be generic, and some of the keys can be set to be defined by a specific application. This key- and value-based approach defines the properties of the digital object, providing flexibility and extensibility.
  • the identifier of the digital object can be represented by a domain name, and the domain to which the digital object belongs can be determined from that domain name. For example, if the identifier of the digital object is URI: AAAAA.com/pic1, it can be determined that the registration domain of the digital object pic1 is AAAAA.com.
  • the following description takes, as an example, a first data operation request that requests deletion of a digital object for the user; this example is used throughout.
  • the user sends a first data operation request to the first server, the first data operation request requesting deletion of the digital object whose identifier is AAAA.
  • the first server receives the first data operation request sent by the user.
  • the first server is configured to provide an access service to the user, and the first server corresponds to the access domain.
  • the first server determines, according to the identifier of the digital object included in the first data operation request, whether the target domain of the first data operation request is the autonomous domain of the first server; if not, step 14 is executed, and if so, step 17 is executed.
  • the first server obtains an identifier of the digital object in the first data operation request, and determines, according to the identifier of the digital object, whether the target domain of the first data operation request is an autonomous domain of the first server.
  • the first server obtains the identifier of the digital object as AAAA, and determines, according to the AAAA, whether the target domain of the first data operation request is an autonomous domain of the first server.
  • the first server determines, according to the identifier of the digital object included in the first data operation request, that the target domain of the first data operation request is the autonomous domain of the second server: the first server obtains the identifier of the digital object in the first data operation request, determines according to that identifier that the target domain of the received first data operation request is the autonomous domain of the second server, and executes step 15.
  • the first server determines that the digital object AAAA is stored in the autonomous domain of the second server based on the identifier AAAA of the digital object.
  • the first server deletes the token of the user included in the first data operation request, and obtains a second data operation request.
  • the second data manipulation request includes an identification of the digital object.
  • the second data operation request includes AAAA.
  • because the first server deletes the token of the user included in the first data operation request, the private data of different users is better protected, which improves the security of data access.
  • the second data operation request may further include an identifier of the user, where the identifier of the user corresponds to the token of the user.
  • the second data operation request includes AAAA-BBB.
  • the first server sends a second data operation request to the second server.
  • when the first server receives the first data operation request and sends the second data operation request to the second server, it may maintain, based on the session ID defined in the Handle System protocol, a correspondence between the upstream (that is, the first server's) session ID and the downstream (that is, the second server's) session ID. After receiving a response message from downstream, it can forward the response to the corresponding upstream until the response is returned to the user who sent the first data operation request.
  • the first server determines, according to the identifier of the digital object included in the first data operation request, that the target domain of the first data operation request is the autonomous domain of the first server, and the first server determines, based on the correspondence, the token of the user and the identifier of the user, that the user has passed authentication.
  • the correspondence includes the token of the authenticated user and the identity of the authenticated user.
  • if the correspondence includes the token of the user and the identity of the user, the first server determines that the user has passed authentication.
  • when the user first registers, the user is provided with a registration server, for example the first server, which corresponds to the registration domain; the first server allocates the identity of the authenticated user together with the user's token to the registered user, and stores the correspondence between the identity of the authenticated user and the token of the user in the registration domain.
  • when determining whether the user is an authenticated user, the first server compares the identifier of the user and the token of the user obtained from the first data operation request with the maintained correspondence between the identifier of the authenticated user and the token of the user. If the comparison is consistent, the user is determined to have passed authentication; otherwise, the user is determined not to have passed authentication.
  • the first server obtains the operation authority of the digital object according to the identifier of the user.
  • the digital object operation authority is the authority of the first server to operate on the digital object related to the user.
  • the first server processes the digital object according to the digital object operation authority and the identifier of the digital object.
  • when the target domain of the first data operation request is the autonomous domain of the first server, the first server acquires the token in the received first data operation request and checks it against the stored token and user identifier.
  • if the check succeeds, the first server processes the digital object according to the first data operation request.
  • otherwise, the first server refuses to process the digital object according to the first data operation request.
  • the digital object may also be a virtual digital object stored at the fourth server.
  • the virtual digital object has a unique identifier.
  • the content of the virtual digital object is not actually stored in the first server, but is a location pointer indicating where the first server can obtain the content of the virtual digital object.
  • the location pointer of the virtual digital object may be the address of any one of the servers, and the address of the server may be an IP address, a MAC address, or the like.
  • the first server processes the digital object according to the digital object operation authority and the identifier of the digital object, including:
  • the first server acquires a location pointer according to the identifier of the digital object, and the first server acquires the digital object from the fourth server according to the location pointer, and the first server processes the digital object according to the operation authority of the digital object.
  • the location pointer indicates the address at which the fourth server stores the digital object.
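The first server's handling of a data operation request described above (routing by target domain, token removal before forwarding, session ID correspondence, local token check, authority check and virtual digital objects), as an added example that is not the patent's or Huawei's code. Assumptions not on the page: a digital object identifier has the form domain/suffix with the prefix naming the autonomous domain that stores it; requests and responses are plain dicts; the second server and the fourth server are modelled as callables, and the second server echoes the session ID in its response.

```python
"""First server of the cross-domain flow (added example, not the patent's code).
Assumed representation: object ids are 'domain/suffix', messages are dicts,
the second server is a callable that echoes the session id it was given."""
import hmac
import secrets


class FirstServer:
    def __init__(self, own_domain, second_servers, fourth_server=None):
        self.own_domain = own_domain
        self.second_servers = second_servers  # domain -> callable(second_request) -> response
        self.fourth_server = fourth_server    # callable(location_pointer) -> content
        self.correspondence = {}              # identifier of authenticated user -> token
        self.authority = {}                   # (user id, object id) -> set of allowed operations
        self.objects = {}                     # object id -> content, or {"pointer": address}
        self.sessions = {}                    # downstream session id -> upstream session id

    @staticmethod
    def target_domain(object_id):
        return object_id.split("/", 1)[0]

    def issue_token(self, user_id):
        """Registration record: the authenticated user's identifier <-> token."""
        token = secrets.token_hex(16)         # fixed-length random string
        self.correspondence[user_id] = token
        return token

    def is_authenticated(self, user_id, token):
        stored = self.correspondence.get(user_id)
        # constant-time comparison: a plain == would leak matching prefixes via timing
        return stored is not None and hmac.compare_digest(stored, token)

    def handle(self, first_request):
        if self.target_domain(first_request["object_id"]) != self.own_domain:
            return self.forward(first_request)
        return self.process_locally(first_request)

    def forward(self, first_request):
        """Target domain belongs to a second server: strip the token so it never
        leaves this domain, and keep the upstream/downstream session mapping."""
        upstream_sid = first_request["session_id"]
        second_server = self.second_servers.get(self.target_domain(first_request["object_id"]))
        if second_server is None:
            return {"status": "refused", "reason": "unknown target domain", "session_id": upstream_sid}
        second_request = {k: v for k, v in first_request.items() if k not in ("token", "session_id")}
        downstream_sid = secrets.token_hex(8)
        self.sessions[downstream_sid] = upstream_sid
        second_request["session_id"] = downstream_sid
        response = dict(second_server(second_request))
        # route the downstream response back to the session of the user who asked
        response["session_id"] = self.sessions.pop(response["session_id"])
        return response

    def process_locally(self, first_request):
        """Target domain is our own: check the token <-> user correspondence, then the authority."""
        sid = first_request["session_id"]
        user_id, object_id = first_request.get("user_id"), first_request["object_id"]
        operation = first_request["operation"]
        if user_id is None or not self.is_authenticated(user_id, first_request.get("token", "")):
            return {"status": "refused", "reason": "authentication", "session_id": sid}
        if operation not in self.authority.get((user_id, object_id), set()):
            return {"status": "refused", "reason": "authority", "session_id": sid}
        if object_id not in self.objects:
            return {"status": "refused", "reason": "no such object", "session_id": sid}
        stored = self.objects[object_id]
        if isinstance(stored, dict) and "pointer" in stored:
            # virtual digital object: only a location pointer is kept here, content is fetched
            stored = self.fourth_server(stored["pointer"])
        if operation == "read":
            return {"status": "ok", "content": stored, "session_id": sid}
        if operation == "delete":
            del self.objects[object_id]
            return {"status": "ok", "session_id": sid}
        return {"status": "refused", "reason": "unsupported operation", "session_id": sid}
```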
  • the method may further include:
  • the user sends an access request.
  • the user can send an access request through a web portal or a client program, and the access request is used to request to obtain a token, and the access request includes the identifier of the user.
  • the access request is described as an example of a login request, and the login request will continue to be used later.
  • the login request contains the ID of the user.
  • the ID of the user is exemplified by the user ID.
  • the first server receives an access request sent by the user.
  • the first server determines, according to the identifier of the user, whether the user belongs to the autonomous domain of the first server. If the determination result is yes, execute 33, and if the determination result is negative, perform 35.
  • the first server determines, according to the user ID, whether the user belongs to the autonomous domain of the first server; for example, when the autonomous domain of the first server is represented by a domain name and the user ID is the URI AAAAA.com/jeffrey, the domain of the user jeffrey is determined to be AAAAA.com.
  • the first server determines, according to the identifier of the user, that the user belongs to an autonomous domain of the first server, and the first server authenticates the user.
  • the first server authenticates the user, and the authentication method can be, but is not limited to, decrypting the user's digital signature through the user's public key to complete the authentication.
  • the user can be authenticated using the procedure defined in RFC3651.
  • the processing flow is as follows: the first server sends a challenge to the user; the user receives the challenge; the client program or other access program on the user side encrypts the challenge with the user's private key to form a digital signature and returns it to the first server.
  • the first server receives the digital signature sent by the user side.
  • the first server decrypts the received digital signature by using the user's public key and compares the decrypted challenge with the transmitted challenge. If they are consistent, the user is considered authenticated; otherwise, the user does not pass authentication.
  • after determining that the user has passed authentication, the first server sends a token of the user corresponding to the identifier of the user to the user.
  • the first server sends a token bound to the user to the user, and subsequent messages sent by the user that carry the token will be trusted by the first server as messages from that user.
  • a specific embodiment extends the handle system protocol with a new response code (ResponseCode), RC_Login, whose message body carries a token (Token); the token can be a fixed-length random string.
  • the first server determines, according to the identifier of the user, that the user does not belong to the autonomous domain of the first server, and the first server requests the third server to authenticate the user.
  • the third server receives the authentication request sent by the first server.
  • the third server authenticates the user.
  • the third server is a server for authenticating the user, and the third server corresponds to the registration domain of the user, and is a domain in which the user can obtain the user identifier by registering, that is, the registration domain allocates the user identifier to the user.
  • the first server determines, according to the identifier of the user, that the user does not belong to the autonomous domain of the first server; the first server then obtains the registration domain of the user according to the user ID, and obtains the address of the third server corresponding to the registration domain, for example the IP address of the third server.
  • the first server requests the third server to authenticate the user, wherein an embodiment of the third server authenticating the user may be an extension implementation based on the RFC3652 handle protocol.
  • the specific processing flow is as follows: the third server sends a challenge to the user; the user receives the challenge; the client program or other access program on the user side encrypts the challenge using the user's private key to form a digital signature and returns it to the third server.
  • the extended handle system protocol is based on the challenge-response verification-request and challenge-response verification-response processes defined in Section 3.5.3 of RFC3652.
  • a new message operation code (OC_Code), challenge-response auth-request, is added; in addition to the existing message body, the user ID is carried and sent to the third server through the handle protocol.
  • the third server receives the digital signature sent by the user side.
  • the third server decrypts the received digital signature by using the user's public key and compares the decrypted challenge with the transmitted challenge. If they are consistent, the user is considered authenticated; otherwise, the user does not pass authentication.
  • the third server sends the authentication result to the first server.
  • the third server carries the authentication result to the first server by using the newly added message operator OC_Code: challenge-response auth-response.
  • the first server receives the authentication result sent by the third server.
  • after determining that the user has been authenticated by the third server, the first server sends a token of the user corresponding to the identifier of the user to the user.
  • the first server sends a token bound to the user to the user; subsequent messages sent by the user carry the token, and the first server may use the token and the identity of the user carried in such a message to authenticate the user.
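The access request flow above (domain check on the user ID, challenge-response authentication locally or through the third server of the registration domain, and token issuance in an RC_Login response), as an added example that is not the patent's or Huawei's code. The page's "decrypt the digital signature with the user's public key and compare it with the challenge" is shown with textbook RSA over a SHA-256 digest, unpadded and for illustration only, so that the example needs nothing beyond the standard library; the handle protocol messages (RC_Login, OC_Code challenge-response auth-request and auth-response) are modelled as plain dicts, and the user-side client program as a callable that signs a challenge.

```python
"""Login / token issuance of the cross-domain scheme (added example, not the
patent's code).  Textbook RSA stands in for the page's public-key signature;
user ids are URIs whose prefix is the registration domain (AAAAA.com/jeffrey)."""
import hashlib
import secrets

E = 65537


def make_keypair(p, q):
    """Textbook RSA key pair from two primes (the test uses Mersenne primes)."""
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))
    return (n, E), (n, d)


def digest_int(data):
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def sign(private_key, challenge):
    """User side: 'encrypt' the challenge digest with the private key."""
    n, d = private_key
    return pow(digest_int(challenge), d, n)


def verify(public_key, challenge, signature):
    """Server side: 'decrypt' the signature with the public key and compare with the challenge."""
    n, e = public_key
    return pow(signature, e, n) == digest_int(challenge)


def user_domain(user_id):
    return user_id.split("/", 1)[0]          # 'AAAAA.com/jeffrey' -> 'AAAAA.com'


class RegistrationServer:
    """Server of a registration domain: holds the public keys of its users and
    answers challenge-response authentication (the third server's role)."""

    def __init__(self, domain):
        self.domain = domain
        self.public_keys = {}
        self.pending = {}                    # user id -> outstanding challenge

    def register(self, user_id, public_key):
        self.public_keys[user_id] = public_key

    def challenge(self, user_id):
        c = secrets.token_bytes(32)          # fresh random challenge per attempt
        self.pending[user_id] = c
        return c

    def auth_response(self, auth_request):
        """OC_Code challenge-response auth-response.  The challenge is consumed on
        use, so a captured signature cannot be replayed for a second login."""
        user_id, signature = auth_request["user_id"], auth_request["signature"]
        c = self.pending.pop(user_id, None)
        public_key = self.public_keys.get(user_id)
        passed = c is not None and public_key is not None and verify(public_key, c, signature)
        return {"OC_Code": "challenge-response auth-response", "user_id": user_id, "passed": passed}


class FirstServer(RegistrationServer):
    """Authenticates users of its own autonomous domain itself and delegates all
    others to the third server of their registration domain; issues tokens."""

    def __init__(self, domain, third_servers):
        super().__init__(domain)
        self.third_servers = third_servers   # registration domain -> RegistrationServer
        self.correspondence = {}             # identifier of authenticated user -> token

    def login(self, user_id, client_sign):
        domain = user_domain(user_id)
        authenticator = self if domain == self.domain else self.third_servers.get(domain)
        if authenticator is None:
            return None                      # no third server known for that registration domain
        signature = client_sign(authenticator.challenge(user_id))
        result = authenticator.auth_response(
            {"OC_Code": "challenge-response auth-request", "user_id": user_id, "signature": signature})
        if not result["passed"]:
            return None
        token = secrets.token_hex(16)        # fixed-length random string bound to this user
        self.correspondence[user_id] = token
        return {"ResponseCode": "RC_Login", "Token": token}
```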
  • the digital object may be a single digital object or a group digital object.
  • the digital object group has a unique ID.
  • the digital object group includes a member list, whose members may be specific data or the identifiers of one or more other digital objects.
  • the operations on the digital object include various operations on the content of the digital object itself and the attributes of the digital object, which may include, but are not limited to, operations of creating, deleting, and reading digital objects.
  • record operations include the user adding, deleting, modifying, and viewing the records in the digital object.
  • when the first server processes the digital object according to the digital object operation authority and the identifier of the digital object, and the user involved is a user group, the first server examines the identifier of the user in each received first data operation request; if it is the identifier of a user group, the first server obtains the IDs of all member users in the user group and the corresponding information, such as each member's communication address, and sends an authentication message to each member user.
  • when the first server processes the digital object according to the digital object operation authority and the identifier of the digital object, and the digital object involved is a digital object group, all operations on the digital object group are applied to each member of the group. For example, if a digital object group is read, the first server reads each member of the group.
  • the identity of the user group is BBB.
  • the members of the user group include B1, B2, and B3.
  • when the first server processes the digital object according to the digital object operation authority and the identifier of the digital object, and the user involved is a user group, the first server needs to authenticate the members B1, B2, and B3 of the user group separately, and sends authentication messages to B1, B2, and B3 respectively. Suppose that B1 and B2 pass authentication and B3 does not.
  • because the user group contains the member B3, which fails authentication, the user group BBB is not authenticated. Otherwise, that is, when all members B1, B2, and B3 pass authentication, the user group is authenticated.
  • the identity of the digital object group is CCCC and the members of the digital object group include C1, C2, and C3.
  • when the first server processes the digital object according to the digital object operation authority and the identifier of the digital object, and the digital object involved is the digital object group CCCC, all operations on the digital object group are applied to each member of the group. For example, if CCCC is read, the first server reads C1, C2, and C3 respectively.
  • the second embodiment of the present invention provides a method for processing cross-domain data; as shown in FIG. 4, the processing flow is as follows:
  • the first server sends a data operation request.
  • the second server receives a data operation request sent by the first server.
  • the data operation request is for requesting processing of the digital object, and the data operation request includes the identifier of the digital object and the identifier of the user.
  • the autonomous domain of the second server is the target domain of the data operation request.
  • the second server obtains the identity of the user in the data operation request.
  • the second server requests the third server to authenticate the user.
  • the third server receives a request sent by the second server to authenticate the user.
  • the third server authenticates the user.
  • the third server is a server for authenticating the user, and the third server corresponds to the registration domain of the user, and is a domain in which the user can obtain the user identifier by registering, that is, the registration domain allocates the user identifier to the user.
  • the second server receives the data operation request and uses the user ID in the data operation request to obtain the registration domain to which the user's identity belongs, thereby obtaining the information of the third server, such as the IP address of the third server.
  • the second server uses the handle system protocol to complete the following process: the second server returns a challenge to the user.
  • the user side encrypts the challenge using the user's private key to form a digital signature, and sends the constructed digital signature to the second server.
  • the second server receives the digital signature.
  • the second server sends the received digital signature to the third server.
  • the extended handle system protocol, based on the challenge-response verification-request and challenge-response verification-response processes defined by RFC3652, adds the message operation code OC_Code: challenge-response auth-request; in addition to the existing challenge-response verification content in the message body, the user ID and the App ID are passed through the handle protocol.
  • the third server receives the digital signature.
  • the third server decrypts the received digital signature with the public key of the user and compares the result with the challenge.
  • the third server sends the authentication result to the second server.
  • the third server carries the authentication result by the newly added message operator OC_Code: challenge-response auth-response and sends it to the second server.
  • the second server receives the authentication result sent by the third server.
  • the second server may obtain the public key of the user by querying the identifier of the user and keep it for subsequent use; however, if decrypting a digital signature with that public key yields an invalid result, the user's key may have changed, and the second server still needs to authenticate the user through the third server.
  • after determining that the user has been authenticated by the third server, the second server obtains the digital object operation authority according to the identifier of the user.
  • the digital object operation authority is the authority of the second server to operate on the digital object related to the user.
  • the second server processes the digital object according to the digital object operation authority and the identifier of the digital object.
  • the digital object includes an identifier of the digital object, and an attribute of the digital object corresponding to the identifier of the digital object.
  • the identification of the digital object uniquely identifies the digital object.
  • Each digital object can have one or more attributes, and the attributes of the digital object can be represented as key-value pairs.
  • an extended field may also be used to represent approval users, and the value in the extended field may be the identifier of one or more approval users.
  • the identifier of the approval user indicates that when the digital object is to be operated on, the permission of the approval user corresponding to that identifier is required.
  • the second server obtains the digital object operation authority, that is, it checks the permission control attribute of the digital object to determine whether the user has the authority to perform the operation; if the digital object operation authority is obtained, the user may perform the operation.
  • where approval is required, the second server sends an approval application message before operating on the digital object, carrying the corresponding operation request information, for example the identifier of the user who applied for the operation; the approval application message is sent to the approval user corresponding to the identifier of the approval user in the extended field of the digital object.
  • after the second server obtains the approval consent message sent by the approval user, the second server processes the digital object according to the digital object operation authority and the identifier of the digital object. If the user does not have permission to perform the operation, or does not obtain the consent of the approval user, the second server refuses to operate on the digital object.
  • the identifier of the first user is UE1
  • the identifier of the second user is UE2
  • the identifier of the digital object is AAAA.
  • the approval users of the digital object AAAA include UE2, and UE1 sends a data operation request to modify the digital object AAAA.
  • when the authentication of UE1 passes, the second server determines that UE1 can modify the digital object AAAA, but a precondition for modifying AAAA is obtaining the approval of UE2; that is, the digital object AAAA can be modified only after the permission of UE2 is obtained.
  • the second server sends an approval application message for requesting the approval of the UE2.
  • the approval application message may include the identifier UE1 of the first user; when the second user receives the approval application message and allows the first user to use the digital object, an approval consent message is returned, and the second server modifies the digital object AAAA on receiving the approval consent message.
  • the method further includes:
  • after determining that the user has been authenticated by the third server, the second server sends a token of the user corresponding to the identifier of the user to the user.
  • the digital object may be a virtual digital object stored in the fourth server, and the second server processes the digital object according to the digital object operation authority and the identifier of the digital object as follows: the second server acquires the location pointer according to the identifier of the digital object, acquires the digital object from the fourth server according to the location pointer, and processes the digital object according to the digital object operation authority.
  • the location pointer indicates the address at which the fourth server stores the digital object.
  • the digital object may be a single digital object or a group digital object.
  • the digital object group has a unique ID.
  • the digital object group has a member list.
  • the member list may be specific data or an identifier of another digital object.
  • the operation of the digital object includes various operations on the content of the digital object itself and the attributes of the digital object, and may include, but is not limited to, operations such as creating, deleting, and reading the digital object.
  • operations on the digital object include the user performing operations on the records in the digital object, such as adding, deleting, modifying, and viewing.
  • when the second server processes the digital object according to the digital object operation authority and the identifier of the digital object, it examines the identifier of the user in each received data operation request; if it is the identifier of a user group, the second server obtains the IDs of all member users in the user group and the corresponding information, such as each member's communication address, and sends an authentication message to each member user.
  • when the second server processes the digital object according to the digital object operation authority and the identifier of the digital object, and the digital object involved is a digital object group, all operations on the digital object group are applied to each member of the group. For example, if a digital object group is read, the second server reads each member of the group.
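The second server's authority check with approval users (the UE1 / UE2 / AAAA passage above) together with the user-group and digital-object-group handling (the BBB / B1, B2, B3 and CCCC / C1, C2, C3 passages), as one added example that is not the patent's or Huawei's code. Assumptions: a digital object is a dict whose attributes are key-value pairs, the attribute names permissions and approval_users are constructed here, and the third-server authentication and the delivery of an approval application message are modelled as callables.

```python
"""Second-server authority, approval and group fan-out (added example, not the
patent's code).  Attribute names and the message shapes are assumptions."""


class SecondServer:
    def __init__(self, objects, user_groups, object_groups, authenticate, request_approval):
        self.objects = objects                    # object id -> {"id", "content", "attributes"}
        self.user_groups = user_groups            # group id -> member user ids (BBB -> B1, B2, B3)
        self.object_groups = object_groups        # group id -> member object ids (CCCC -> C1, C2, C3)
        self.authenticate = authenticate          # user id -> bool (third server challenge-response)
        self.request_approval = request_approval  # (approver id, application message) -> bool

    def authenticate_principal(self, user_id):
        """A user group is authenticated only if every member is: one failing
        member (B3 in the page's example) fails the whole group BBB."""
        members = self.user_groups.get(user_id)
        if members is None:
            return self.authenticate(user_id)
        return all(self.authenticate(member) for member in members)

    @staticmethod
    def has_authority(user_id, obj, operation):
        """Permission control attribute: key-value pairs user id -> allowed operations."""
        return operation in obj["attributes"].get("permissions", {}).get(user_id, ())

    def approved(self, user_id, obj, operation):
        """Every approval user named in the extended field must return consent."""
        for approver in obj["attributes"].get("approval_users", ()):
            application = {"applicant": user_id, "operation": operation, "object_id": obj["id"]}
            if not self.request_approval(approver, application):
                return False
        return True

    def process(self, request):
        user_id, object_id = request["user_id"], request["object_id"]
        operation = request["operation"]
        if not self.authenticate_principal(user_id):
            return {"status": "refused", "reason": "authentication"}
        # an operation on a digital object group is applied to each member
        members = self.object_groups.get(object_id, [object_id])
        results = {}
        for member_id in members:
            obj = self.objects[member_id]
            if not self.has_authority(user_id, obj, operation):
                results[member_id] = "refused: authority"
            elif not self.approved(user_id, obj, operation):
                results[member_id] = "refused: approval"
            else:
                results[member_id] = self.apply(obj, operation, request.get("value"))
        return {"status": "ok", "results": results}

    @staticmethod
    def apply(obj, operation, value):
        if operation == "read":
            return obj["content"]
        if operation == "modify":
            obj["content"] = value
            return "modified"
        raise ValueError("unsupported operation: " + operation)
```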
  • the third embodiment of the present invention provides a first server. As shown in FIG. 5, the first server is configured to provide an access service to a user, and the first server includes:
  • the receiving unit 501 is configured to receive a first data operation request sent by the user, where the first data operation request is used to request processing of the digital object, and the first data operation request includes the token of the user and the identifier of the digital object.
  • the determining unit 502 is configured to determine, according to the identifier of the digital object that is included in the first data operation request, that the target domain of the first data operation request is an autonomous domain of the second server.
  • the executing unit 503 is configured to delete the token of the user included in the first data operation request, and obtain a second data operation request, where the second data operation request includes an identifier of the digital object.
  • the sending unit 504 is configured to send the second data operation request to the second server.
  • the first data operation request further includes an identifier of the user, and the determining unit is further configured to determine, according to the identifier of the digital object included in the first data operation request, that the target domain of the first data operation request is the autonomous domain of the first server.
  • the first server further includes an obtaining unit, configured to determine, according to the correspondence, the token of the user, and the identifier of the user, that the user has passed authentication, and to obtain the digital object operation authority according to the identifier of the user after the user has passed authentication, where the correspondence includes the token of the user and the identifier of the user, and the digital object operation authority is the authority of the first server to operate on the digital object related to the user.
  • the execution unit is further configured to process the digital object according to the digital object operation authority and the identifier of the digital object.
  • the receiving unit 501 is further configured to receive an access request sent by the user, where the access request is used to request to obtain a token, and the access request includes an identifier of the user; the determining unit 502 is further configured to determine, according to the identifier of the user, that the user belongs to an autonomous domain of the first server; the executing unit 503 is further configured to authenticate the user; and the sending unit 504 is further configured to send, after it is determined that the user has passed authentication, the token of the user corresponding to the identifier of the user to the user.
  • the receiving unit 501 is further configured to receive an access request sent by the user, where the access request is used to request to obtain a token, and the access request includes an identifier of the user; the determining unit 502 is further configured to determine, according to the identifier of the user, that the user does not belong to the autonomous domain of the first server; the executing unit 503 is further configured to request the third server to authenticate the user; and the sending unit 504 is further configured to send, after the user is authenticated by the third server, a token of the user corresponding to the identifier of the user to the user.
  • the digital object is a virtual digital object stored in the fourth server; the executing unit 503 is specifically configured to acquire a location pointer according to the identifier of the digital object, where the location pointer indicates the address at which the fourth server stores the digital object; to acquire the digital object from the fourth server according to the location pointer; and to process the digital object according to the digital object operation authority.
  • the identifier of the digital object includes a digital object group identifier; the executing unit 503 is specifically configured to process each member of the digital object group according to the digital object operation authority and the digital object group identifier.
  • each unit component included in the first server may be separately disposed in different devices, or may be collectively disposed in the same device; for the functions of the receiving unit, the determining unit, the executing unit, and the sending unit included in the first server, refer to the detailed description of the method for processing cross-domain data in the foregoing Embodiment 1, which is not repeated in the third embodiment of the present invention.
  • the third embodiment of the present invention further provides a second server.
  • the second server includes:
  • the receiving unit 601 is configured to receive a data operation request sent by the first server, where the data operation request is used to request processing of the digital object, the data operation request includes an identifier of the digital object and an identifier of the user, and the autonomous domain of the second server is the target domain of the data operation request.
  • the executing unit 603 is configured to request the third server to authenticate the user.
  • the obtaining unit 602 is configured to obtain, after the user is authenticated by the third server, the digital object operation authority according to the identifier of the user in the operation request, where the digital object operation authority is the authority of the second server to operate on the digital object related to the user.
  • the executing unit 603 is further configured to process the digital object according to the digital object operation authority and the identifier of the digital object.
  • the device further includes: a sending unit, configured to: after the user is authenticated by the third server, send a token of the user corresponding to the identifier of the user to the user.
  • the digital object is a virtual digital object stored in a fourth server, and the execution unit is configured to acquire a location pointer according to the identifier of the digital object, where the location pointer indicates the address at which the fourth server stores the digital object; to acquire the digital object from the fourth server according to the location pointer; and to process the digital object according to the digital object operation authority.
  • the units included in the second server may be separately disposed in different devices, or may be collectively disposed in the same device.
  • for the functions of the receiving unit, the obtaining unit, the executing unit, and the sending unit, refer to the second embodiment of the present invention; they are not described in detail in the third embodiment.
  • the embodiment of the present invention further provides a first server, as shown in FIG. 7, whose structural composition is as follows:
  • the first server includes an interface 701, a memory 702, and a processor 703.
  • the interface 701, the memory 702, and the processor 703 are connected by a bus and transmit data through the bus.
  • the processor 703 reads an instruction from the program stored in the memory 702 and performs the following operations:
  • receiving a first data operation request sent by a user, where the first server is configured to provide an access service to the user, the first data operation request is used to request processing of the digital object, and the first data operation request includes the token of the user and an identifier of the digital object;
  • the second data operation request is sent to the second server through the interface 701.
  • the interface 701 is configured to perform the function of transmitting the first data operation request in 11 and 12 in the first embodiment.
  • the processor 703 is configured to perform all the functions in the above-mentioned 13 to 19. Specifically, the specific implementation principles of the interface 701 and the processor 703 in the first server are described in detail in the foregoing Embodiment 1, and details are not described herein again.
  • the third embodiment of the present invention also provides a second server, whose structure is shown in FIG.
  • the second server includes an interface 801, a memory 802, and a processor 803.
  • the processor 803 included in the second server reads an instruction from the program stored in the memory 802 and performs the following operations:
  • receiving a data operation request sent by the first server, where the data operation request is used to request processing of the digital object and includes an identifier of the digital object and an identifier of the user, and the autonomous domain of the second server is the target domain of the data operation request;
  • after determining that the user is authenticated by the third server, obtaining a digital object operation authority according to the identifier of the user in the operation request, where the digital object operation authority is the authority of the second server to operate on the digital object related to the user;
  • the digital object is processed according to the digital object operation authority and the identifier of the digital object.
  • the interface may be one or more of the following: a network interface controller (NIC) providing a wired interface, such as an Ethernet NIC, which can provide a copper wire and/or fiber interface; or a NIC providing a wireless interface, such as a wireless local area network (WLAN) NIC.
  • the memory may be a volatile memory such as a random-access memory (RAM), a non-volatile memory such as a flash memory or a hard disk (a hard disk drive (HDD) or a solid-state drive (SSD)), or a combination of the above types of memory.
  • the processor can be a central processing unit (CPU) or a combination of a CPU and a hardware chip; the processor can also be a network processor (NP), a combination of a CPU and an NP, or a combination of an NP and a hardware chip.
  • the hardware chip may be a combination of one or more of the following: an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA), and a complex programmable logic device (CPLD).
  • embodiments of the present invention can be provided as a method, apparatus (device), or computer program product. Accordingly, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment, or a combination of software and hardware. Moreover, the invention can take the form of a computer program product embodied on one or more computer-usable storage media (including but not limited to disk storage, read-only optical disks, optical storage, etc.) including computer usable program code.
  • computer-usable storage media including but not limited to disk storage, read-only optical disks, optical storage, etc.
  • the computer program instructions can also be stored in a computer readable memory that can direct a computer or other programmable data processing device to operate in a particular manner, such that the instructions stored in the computer readable memory produce an article of manufacture comprising the instruction device.
  • the apparatus implements the functions specified in one or more blocks of a flow or a flow and/or block diagram of the flowchart.
  • These computer program instructions can also be loaded onto a computer or other programmable data processing device such that a series of operational steps are performed on a computer or other programmable device to produce computer-implemented processing for execution on a computer or other programmable device.
  • the instructions provide steps for implementing the functions specified in one or more of the flow or in a block or blocks of a flow diagram.

Abstract

Disclosed are a method for processing cross-domain data, a first server and a second server. The method comprises: a first server receiving a first data operation request sent by a user, and determining a target domain of the first data operation request as an autonomous domain of a second server according to a digital object identifier included in the first data operation request; the first server deleting a user token included in the first data operation request to obtain a second data operation request; and the first server sending the second data operation request to the second server. The present invention can achieve processing of data between users belonging to different service providers.

Description

Method for processing cross-domain data, first server and second server
This application claims priority to Chinese patent application No. CN201510760330.5, filed with the Chinese Patent Office on November 10, 2015 and entitled "Method for processing cross-domain data, first server and second server", the entire content of which is incorporated herein by reference.
Technical field
The present invention relates to the field of communications technologies, and in particular to a method for processing cross-domain data, a first server and a second server.
Background
Currently, the information a user obtains through the Internet, or the data the user publishes, is private data that other users cannot obtain. Users can share data through service providers that offer information publishing services. In other words, the data generated by a user is controlled by the service provider that enables the data sharing. By controlling the data or information published by its users, a service provider forms its own autonomous domain. Mutual access between the autonomous domains of different service providers is prohibited; that is, a user belonging to a first service provider cannot access the data of other users within the autonomous domain of a second service provider.
Summary of the invention
The present invention provides a method for processing cross-domain data, a first server and a second server, which make it possible to process data between users belonging to different service providers.
According to a first aspect, a method for processing cross-domain data is provided. The method comprises: a first server receiving a first data operation request sent by a user, where the first server is configured to provide an access service to the user, the first data operation request is used to request processing of a digital object, and the first data operation request includes a token of the user and an identifier of the digital object; the first server determining, according to the identifier of the digital object included in the first data operation request, that the target domain of the first data operation request is an autonomous domain of a second server; the first server deleting the token of the user included in the first data operation request to obtain a second data operation request, where the second data operation request includes the identifier of the digital object; and the first server sending the second data operation request to the second server.
With reference to the first aspect, in a first possible implementation of the first aspect, the first data operation request further includes an identifier of the user, and the method further comprises: the first server determining, according to the identifier of the digital object included in the first data operation request, that the target domain of the first data operation request is the autonomous domain of the first server; the first server determining, according to a correspondence, the token of the user and the identifier of the user, that the user has been authenticated, where the correspondence includes the token of the user and the identifier of the user; the first server obtaining a digital object operation authority according to the identifier of the user, where the digital object operation authority is the authority of the first server to operate on digital objects related to the user; and the first server processing the digital object according to the digital object operation authority and the identifier of the digital object.
With reference to the first aspect or the first possible implementation of the first aspect, in a second possible implementation of the first aspect, before the first server receives the first data operation request sent by the user, the method further comprises: the first server receiving an access request sent by the user, where the access request is used to request a token and includes the identifier of the user; the first server determining, according to the identifier of the user, that the user belongs to the autonomous domain of the first server; the first server authenticating the user; and the first server, after determining that the user has passed authentication, sending to the user the token of the user corresponding to the identifier of the user.
When the first server authenticates the user, the authentication method may be, but is not limited to, decrypting the user's digital signature with the user's public key to complete the authentication.
With reference to the first aspect or the first possible implementation of the first aspect, in a third possible implementation of the first aspect, before the first server receives the first data operation request sent by the user, the method further comprises: the first server receiving an access request sent by the user, where the access request is used to request a token and includes the identifier of the user; the first server determining, according to the identifier of the user, that the user does not belong to the autonomous domain of the first server; the first server requesting a third server to authenticate the user; and the first server, after determining that the user has been authenticated by the third server, sending to the user the token of the user corresponding to the identifier of the user.
With reference to the first aspect or any one of the first to third possible implementations of the first aspect, in a fourth possible implementation of the first aspect, the digital object is a virtual digital object stored on a fourth server, and the first server processing the digital object according to the digital object operation authority and the identifier of the digital object comprises: the first server obtaining a location pointer according to the identifier of the digital object, where the location pointer indicates the address at which the fourth server stores the digital object; the first server obtaining the digital object from the fourth server according to the location pointer; and the first server processing the digital object according to the digital object operation authority.
The digital object may be a virtual digital object stored on a fourth server.
A virtual digital object has a unique identifier. The content of the virtual digital object is not actually stored on the first server; instead, a location pointer indicates the address from which the first server obtains the content of the virtual digital object.
With reference to any one of the second to fourth possible implementations of the first aspect, in a fifth possible implementation of the first aspect, the identifier of the digital object includes a digital object group identifier, and the first server processing the digital object according to the digital object operation authority and the identifier of the digital object comprises: the first server processing each member of the digital object group identified by the digital object group identifier according to the digital object operation authority and the digital object group identifier.
According to a second aspect, a method for processing cross-domain data is provided. The method comprises: a second server receiving a data operation request sent by a first server, where the data operation request is used to request processing of a digital object, the data operation request includes an identifier of the digital object and an identifier of a user, and the autonomous domain of the second server is the target domain of the data operation request; the second server requesting a third server to authenticate the user; the second server, after determining that the user has been authenticated by the third server, obtaining a digital object operation authority according to the identifier of the user in the data operation request, where the digital object operation authority is the authority of the second server to operate on digital objects related to the user; and the second server processing the digital object according to the digital object operation authority and the identifier of the digital object.
The third server is a server that authenticates users. The third server corresponds to the user's registration domain, which is the domain in which the user obtains a user identifier by registering; in other words, the registration domain allocates the user identifier to the user. The second server obtains the user's registration domain according to the identifier of the user and obtains the address of the third server corresponding to that registration domain, for example the IP address of the third server. The second server may then request the third server to authenticate the user.
With reference to the second aspect, in a first possible implementation of the second aspect, after the second server requests the third server to authenticate the user, the method further comprises: the second server, after determining that the user has been authenticated by the third server, sending to the user the token of the user corresponding to the identifier of the user.
With reference to the second aspect or the first possible implementation of the second aspect, in a second possible implementation of the second aspect, the digital object is a virtual digital object stored on a fourth server, and the second server processing the digital object according to the digital object operation authority and the identifier of the digital object comprises: the second server obtaining a location pointer according to the identifier of the digital object, where the location pointer indicates the address at which the fourth server stores the digital object; the second server obtaining the digital object from the fourth server according to the location pointer; and the second server processing the digital object according to the digital object operation authority.
According to a third aspect, a first server is provided. The first server is configured to provide an access service to a user and comprises: a receiving unit, configured to receive a first data operation request sent by the user, where the first data operation request is used to request processing of a digital object and includes a token of the user and an identifier of the digital object; a determining unit, configured to determine, according to the identifier of the digital object included in the first data operation request, that the target domain of the first data operation request is an autonomous domain of a second server; an execution unit, configured to delete the token of the user included in the first data operation request to obtain a second data operation request, where the second data operation request includes the identifier of the digital object; and a sending unit, configured to send the second data operation request to the second server.
With reference to the third aspect, in a first possible implementation of the third aspect, the first data operation request further includes an identifier of the user; the determining unit is further configured to determine, according to the identifier of the digital object included in the first data operation request, that the target domain of the first data operation request is the autonomous domain of the first server; the first server further comprises an obtaining unit, configured to determine, according to a correspondence, the token of the user and the identifier of the user, that the user has been authenticated, and then obtain a digital object operation authority according to the identifier of the user, where the correspondence includes the token of the user and the identifier of the user, and the digital object operation authority is the authority of the first server to operate on digital objects related to the user; and the execution unit is further configured to process the digital object according to the digital object operation authority and the identifier of the digital object.
With reference to the third aspect or the first possible implementation of the third aspect, in a second possible implementation of the third aspect, the receiving unit is further configured to receive an access request sent by the user, where the access request is used to request a token and includes the identifier of the user; the determining unit is further configured to determine, according to the identifier of the user, that the user belongs to the autonomous domain of the first server; the execution unit is further configured to authenticate the user; and the sending unit is further configured to send to the user, after it is determined that the user has passed authentication, the token of the user corresponding to the identifier of the user.
With reference to the third aspect or the first possible implementation of the third aspect, in a third possible implementation of the third aspect, the receiving unit is further configured to receive an access request sent by the user, where the access request is used to request a token and includes the identifier of the user; the determining unit is further configured to determine, according to the identifier of the user, that the user does not belong to the autonomous domain of the first server; the execution unit is further configured to request a third server to authenticate the user; and the sending unit is further configured to send to the user, after it is determined that the user has been authenticated by the third server, the token of the user corresponding to the identifier of the user.
With reference to the third aspect or any one of the first to third possible implementations of the third aspect, in a fourth possible implementation of the third aspect, the digital object is a virtual digital object stored on a fourth server, and the execution unit is specifically configured to: obtain a location pointer according to the identifier of the digital object, where the location pointer indicates the address at which the fourth server stores the digital object; obtain the digital object from the fourth server according to the location pointer; and process the digital object according to the digital object operation authority.
With reference to any one of the second to fourth possible implementations of the third aspect, in a fifth possible implementation of the third aspect, the identifier of the digital object includes a digital object group identifier, and the execution unit is specifically configured to process each member of the digital object group identified by the digital object group identifier according to the digital object operation authority and the digital object group identifier.
According to a fourth aspect, a second server is provided. The second server comprises: a receiving unit, configured to receive a data operation request sent by a first server, where the data operation request is used to request processing of a digital object, the data operation request includes an identifier of the digital object and an identifier of a user, and the autonomous domain of the second server is the target domain of the data operation request; an execution unit, configured to request a third server to authenticate the user; and an obtaining unit, configured to obtain, after determining that the user has been authenticated by the third server, a digital object operation authority according to the identifier of the user in the data operation request, where the digital object operation authority is the authority of the second server to operate on digital objects related to the user; and the execution unit is further configured to process the digital object according to the digital object operation authority and the identifier of the digital object.
With reference to the fourth aspect, in a first possible implementation of the fourth aspect, the second server further comprises a sending unit, configured to send to the user, after it is determined that the user has been authenticated by the third server, the token of the user corresponding to the identifier of the user.
With reference to the fourth aspect or the first possible implementation of the fourth aspect, in a second possible implementation of the fourth aspect, the digital object is a virtual digital object stored on a fourth server, and the execution unit is specifically configured to: obtain a location pointer according to the identifier of the digital object, where the location pointer indicates the address at which the fourth server stores the digital object; obtain the digital object from the fourth server according to the location pointer; and process the digital object according to the digital object operation authority.
According to a fifth aspect, a first server is provided. The first server is configured to provide an access service to a user and comprises an interface, a processor and a memory storing program code. The processor reads from the memory the instructions corresponding to the program code and performs the following operations according to the instructions read:
receiving, through the interface, a first data operation request sent by the user, where the first data operation request is used to request processing of a digital object and includes a token of the user and an identifier of the digital object;
determining, according to the identifier of the digital object included in the first data operation request, that the target domain of the first data operation request is an autonomous domain of a second server; deleting the token of the user included in the first data operation request to obtain a second data operation request, where the second data operation request includes the identifier of the digital object; and
sending, through the interface, the second data operation request to the second server.
With reference to the fifth aspect, in a first possible implementation of the fifth aspect, the processor is further configured to:
determine, according to the identifier of the digital object included in the first data operation request, that the target domain of the first data operation request is the autonomous domain of the first server;
determine, according to a correspondence, the token of the user and the identifier of the user, that the user has been authenticated, and then obtain a digital object operation authority according to the identifier of the user, where the correspondence includes the token of the user and the identifier of the user, and the digital object operation authority is the authority of the first server to operate on digital objects related to the user; and
process the digital object according to the digital object operation authority and the identifier of the digital object.
With reference to the fifth aspect or the first possible implementation of the fifth aspect, in a second possible implementation of the fifth aspect, the processor is further configured to:
receive, through the interface, an access request sent by the user, where the access request is used to request a token and includes the identifier of the user; determine, according to the identifier of the user, that the user belongs to the autonomous domain of the first server; authenticate the user; and, after determining that the user has passed authentication, send to the user through the interface the token of the user corresponding to the identifier of the user.
With reference to the fifth aspect or the first possible implementation of the fifth aspect, in a third possible implementation of the fifth aspect, the processor is further configured to:
receive, through the interface, an access request sent by the user, where the access request is used to request a token and includes the identifier of the user; determine, according to the identifier of the user, that the user does not belong to the autonomous domain of the first server;
request a third server to authenticate the user; and
after determining that the user has been authenticated by the third server, send to the user through the interface the token of the user corresponding to the identifier of the user.
With reference to the fifth aspect or any one of the first to third possible implementations of the fifth aspect, in a fourth possible implementation of the fifth aspect, the digital object is a virtual digital object stored on a fourth server;
the processor is specifically configured to: obtain a location pointer according to the identifier of the digital object, where the location pointer indicates the address at which the fourth server stores the digital object; obtain the digital object from the fourth server according to the location pointer; and process the digital object according to the digital object operation authority.
With reference to any one of the second to fourth possible implementations of the fifth aspect, in a fifth possible implementation of the fifth aspect, the identifier of the digital object includes a digital object group identifier, and the processor is specifically configured to process each member of the digital object group identified by the digital object group identifier according to the digital object operation authority and the digital object group identifier.
According to a sixth aspect, a second server is provided. The second server comprises an interface, a processor and a memory storing program code. The processor reads from the memory the instructions corresponding to the program code and performs the following operations:
receiving, through the interface, a data operation request sent by a first server, where the data operation request is used to request processing of a digital object, the data operation request includes an identifier of the digital object and an identifier of a user, and the autonomous domain of the second server is the target domain of the data operation request;
requesting a third server to authenticate the user;
after determining that the user has been authenticated by the third server, obtaining a digital object operation authority according to the identifier of the user in the data operation request, where the digital object operation authority is the authority of the second server to operate on digital objects related to the user; and
processing the digital object according to the digital object operation authority and the identifier of the digital object.
With reference to the sixth aspect, in a first possible implementation of the sixth aspect, the processor is further configured to send to the user through the interface, after determining that the user has been authenticated by the third server, the token of the user corresponding to the identifier of the user.
With reference to the sixth aspect or the first possible implementation of the sixth aspect, in a second possible implementation of the sixth aspect, the digital object is a virtual digital object stored on a fourth server, and the processor is specifically configured to: obtain a location pointer according to the identifier of the digital object, where the location pointer indicates the address at which the fourth server stores the digital object; obtain the digital object from the fourth server according to the location pointer; and process the digital object according to the digital object operation authority.
By adopting the above technical solution, the first server receives the first data operation request sent by the user, determines according to the identifier of the digital object included in the first data operation request that the target domain of the first data operation request is the autonomous domain of the second server, deletes the token of the user included in the first data operation request to obtain the second data operation request, and sends the second data operation request to the second server. After determining that the user's request for data processing is not directed at a server within the autonomous domain of the first server, the first server sends the operation request to the second server corresponding to the target domain of the user's request, and the second server processes the user's operation request; in this way, data can be processed between users belonging to different service providers.
BRIEF DESCRIPTION OF THE DRAWINGS
FIG. 1 is a flowchart of a method for processing cross-domain data according to Embodiment 1 of the present invention.
FIG. 2 is a schematic structural diagram of a digital object according to Embodiment 1 of the present invention.
FIG. 3 is a flowchart of a method for processing cross-domain data according to Embodiment 1 of the present invention.
FIG. 4 is a flowchart of a method for processing cross-domain data according to Embodiment 2 of the present invention.
FIG. 5 is a schematic diagram of a first server according to Embodiment 3 of the present invention.
FIG. 6 is a schematic diagram of a second server according to Embodiment 3 of the present invention.
FIG. 7 is a schematic diagram of a first server according to Embodiment 3 of the present invention.
FIG. 8 is a schematic diagram of a second server according to Embodiment 3 of the present invention.
DETAILED DESCRIPTION
Ordinarily, mutual access between the autonomous domains of different service providers is prohibited, that is, a user belonging to a first service provider cannot access the data of other users within the autonomous domain of a second service provider. To address this problem, in the technical solution proposed by the present invention, the first server receives a first data operation request sent by a user, determines from the identifier of the digital object included in the first data operation request that the target domain of the first data operation request is the autonomous domain of the second server, removes the user's token from the first data operation request to obtain a second data operation request, and sends the second data operation request to the second server. After determining that the data processing requested by the user does not target a server within its own autonomous domain, the first server forwards the operation request to the second server corresponding to the target domain, and the second server processes the user's operation request. In this way, data belonging to users of different service providers can be processed.
The main implementation principles, specific implementations and the corresponding beneficial effects of the technical solutions of the embodiments of the present invention are described in detail below with reference to the accompanying drawings.
In the technical solutions proposed by the embodiments of the present invention, domains are classified, according to how data storage and data operations are implemented, into an access domain, a registration domain (Register domain), a target domain and a forwarding domain. The access domain is the first domain to which a user connects when accessing a digital object. If the user is not roaming, the user's access domain and registration domain are the same domain; if the user is roaming, the user can connect through the obtained access domain to obtain a better user experience. The registration domain is the domain from which a user obtains a user identifier by registering, that is, the registration domain assigns the user identifier to the user. How a user is created in or removed from a domain is decided by each domain, for example through the service provider's web portal or through a client program of that domain. When a user is successfully created in a domain, a digital object corresponding to that user is generated within the domain; this digital object may contain information used to authenticate the user, for example, but not limited to, a public key. The target domain is the target of an operation, that is, the domain in which the digital object to be operated on is located, for example the server that stores that digital object. A forwarding domain is a domain that, on receiving an operation request, is neither the access domain nor the target domain; it only forwards the received data operation request to the target domain, or forwards a received access request to the registration domain.
In the embodiments provided by the present invention, a data operation request may request any operation on a digital object, such as creating, deleting, modifying or reading it; these are not enumerated individually here.
The above domain types are logical classifications distinguished from the perspective of a single operation by a single user. In a specific implementation, the functions of all of the above domain types are implemented at the same time, so as to carry out various operations on different digital objects for different users.
Embodiment 1
Embodiment 1 of the present invention provides a method for processing cross-domain data. As shown in FIG. 1, the method proceeds as follows:
11. The user sends a first data operation request.
The first data operation request is used to request processing of a digital object, and includes the user's token and the identifier of the digital object.
Processing a digital object may include, but is not limited to, creating, deleting and reading the digital object. FIG. 2 is a schematic diagram of the composition of a digital object according to an embodiment of the present invention. A digital object includes an identifier of the digital object and attributes of the digital object corresponding to that identifier. The identifier uniquely identifies the digital object. Each digital object may have one or more attributes, and an attribute may be formed by a key-value pair. In the attributes of a digital object, the key may denote one of the various permissions on the digital object, or may denote the size of the digital object. When a key denotes a permission on the digital object, the permission may be an access permission, a processing permission, and so on. Each data operation request on a digital object corresponds to one permission. The value may be a user identifier, indicating that the user has permission to perform the corresponding operation on the digital object. As an example, suppose the identifier of the digital object is AAAA and the key-value pair corresponding to AAAA is access permission - user A; this means that the user whose user identifier is user A may access the digital object. Correspondingly, the value of an attribute may also be an operation permission, for example a read, delete or modify permission.
The attribute corresponding to the identifier of a digital object may also be the size of that digital object, which may be identified by a key. For example, if a key is size and the corresponding value is 1024 (the default unit is bytes), the digital object corresponding to that identifier is 1024 bytes in size.
The value of a key in the attributes corresponding to a digital object's identifier may also be the identifier of another digital object. For example, the identifier of the digital object is AAAA and its corresponding value is BBBB. In the technical solutions proposed by the embodiments of the present invention, some of the keys corresponding to digital object identifiers may be made unique, which avoids misinterpretation when different service domains interwork. Some keys may be defined as general-purpose and some may be defined by a specific application; defining the attributes of digital objects in this key-value manner provides flexibility and extensibility.
The identifier of a digital object may be expressed with a domain name, from which the registration domain to which the digital object belongs can be determined. For example, if the identifier of the digital object is URI:AAAAA.com/pic1, the registration domain of the digital object pic1 can be determined to be AAAAA.com.
In the technical solution proposed in Embodiment 1 of the present invention, the case in which the first data operation request is a request by the user to delete a digital object is used as the example for detailed description. This example continues to be used below.
The user sends the first data operation request to the first server, requesting deletion of the digital object whose identifier is AAAA.
12. The first server receives the first data operation request sent by the user.
The first server provides access service to the user; the first server corresponds to the access domain.
13. The first server determines, according to the identifier of the digital object included in the first data operation request, whether the target domain of the first data operation request is the autonomous domain of the first server. If not, step 14 is performed; if so, step 17 is performed.
The first server obtains the identifier of the digital object from the first data operation request and determines from it whether the target domain of the first data operation request is the autonomous domain of the first server.
The first server obtains the digital object identifier AAAA and determines from AAAA whether the target domain of the first data operation request is the autonomous domain of the first server.
14. The first server determines, according to the identifier of the digital object included in the first data operation request, that the target domain of the first data operation request is the autonomous domain of the second server. That is, the first server obtains the identifier of the digital object from the first data operation request and determines from it that the target domain of the received first data operation request is the autonomous domain of the second server. Step 15 is performed.
In step 14 above, the first server determines from the digital object identifier AAAA that the digital object AAAA is stored in the autonomous domain of the second server.
15. The first server removes the user's token from the first data operation request to obtain a second data operation request.
The second data operation request includes the identifier of the digital object. For example, the second data operation request includes AAAA.
By removing the user's token from the first data operation request, the first server better protects the private data shared between itself and the user and improves the security of data access.
Optionally, the second data operation request may further include the identifier of the user, which corresponds to the user's token.
For example, if the identifier of the user is BBB, the second data operation request includes AAAA-BBB.
16. The first server sends the second data operation request to the second server.
When the first server receives the first data operation request and sends the second data operation request to the second server, it may, based on the session identifier (session ID) defined in the handle system protocol, maintain a correspondence between the upstream (that is, first server) session ID and the downstream (that is, second server) session ID. In this way, once a response message is received from downstream, it can be forwarded to the corresponding upstream, until it is returned to the user who sent the first data operation request.
17. The first server determines, according to the identifier of the digital object included in the first data operation request, that the target domain of the first data operation request is the autonomous domain of the first server, and determines from a stored correspondence, the user's token and the user's identifier that the user has been authenticated.
The correspondence consists of the tokens of authenticated users and the identifiers of authenticated users. The first server determines that the correspondence contains the user's token and the user's identifier, and so determines that the user has been authenticated.
When a user first registers, the server providing the registration, for example the first server (in which case the first server corresponds to the registration domain), assigns the registered user an authenticated user identifier and a user token, and correspondingly stores the correspondence between the authenticated user's identifier and token in the registration domain. Later, when determining whether a user is an authenticated user, the first server compares the pairing of user identifier and user token obtained from the first data operation request with the maintained correspondence between authenticated users' identifiers and tokens; if they match, the user is determined to be authenticated, otherwise the user is determined not to be authenticated.
18. The first server obtains the digital object operation permission according to the identifier of the user.
The digital object operation permission is the permission of the first server to operate on the digital objects related to the user.
19. The first server processes the digital object according to the digital object operation permission and the identifier of the digital object.
In steps 17 to 19 above, the target domain of the first data operation request is the autonomous domain of the first server. The first server extracts the token from the received first data operation request and, using the stored correspondence between tokens and user identifiers, determines from the extracted token and the user's identifier that the user has been authenticated; it then obtains the operation permissions of the user corresponding to that user identifier. If the user holds the permission on the digital object corresponding to the first data operation request, the first server processes the digital object according to the first data operation request. Otherwise, if the user does not hold the permission corresponding to the first data operation request, the first server refuses to process the digital object as requested.
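The following is an added example, not code from the patent, modelling the access-domain server's decision in steps 11 to 19: resolve the token to a user identifier, decide from the object identifier's domain whether the request is local, strip the token and record the upstream/downstream session mapping when forwarding, and otherwise check the key-value permission before processing. The request shapes, the operation names, the token format and the "resolve the token before routing" order are assumptions; the identifier syntax and the permission model follow the text.

```python
# Added example (not the patent's own code): a small model of the access-domain
# server ("first server") in steps 11-19 of Embodiment 1. Request/response
# shapes, the "op" names and the token format are assumptions; the identifier
# syntax (URI:AAAAA.com/pic1) and the key-value permission model follow the text.
from dataclasses import dataclass
from typing import Dict, List, Tuple
import secrets


@dataclass(frozen=True)
class FirstRequest:
    """First data operation request as sent by the user (step 11)."""
    op: str          # requested operation, e.g. "read" or "delete"
    object_id: str   # digital object identifier, e.g. "URI:AAAAA.com/pic1"
    token: str       # token issued to the user at login


@dataclass(frozen=True)
class SecondRequest:
    """Second data operation request forwarded to the target domain (step 15):
    the token is removed and replaced by the user identifier it corresponds to."""
    op: str
    object_id: str
    user_id: str


def domain_of(identifier: str) -> str:
    """Registration domain of an identifier: 'URI:AAAAA.com/pic1' -> 'AAAAA.com'."""
    body = identifier.split(":", 1)[1] if identifier.startswith("URI:") else identifier
    return body.split("/", 1)[0]


class FirstServer:
    def __init__(self, own_domain: str) -> None:
        self.own_domain = own_domain
        # correspondence between authenticated users' tokens and identifiers (steps 34/40)
        self.tokens: Dict[str, str] = {}
        # digital objects: identifier -> attributes as key-value pairs; a key that
        # names an operation maps to the user identifier allowed to perform it
        self.objects: Dict[str, Dict[str, str]] = {}
        # upstream (user-facing) session ID -> downstream (second server) session ID
        self.sessions: Dict[int, int] = {}
        # second requests handed to the second server, with their downstream session ID
        self.outbox: List[Tuple[int, SecondRequest]] = []

    def issue_token(self, user_id: str) -> str:
        """Fixed-length random token bound to the user (body of RC_Login)."""
        token = secrets.token_hex(16)
        self.tokens[token] = user_id
        return token

    def handle(self, req: FirstRequest, upstream_session: int) -> str:
        # The token must belong to a user this server authenticated; the lookup is
        # the correspondence check of step 17 and also yields the user identifier
        # that the second request optionally carries (step 15).
        user_id = self.tokens.get(req.token)
        if user_id is None:
            return "unauthenticated"
        # Step 13: is the target domain our own autonomous domain?
        if domain_of(req.object_id) != self.own_domain:
            # Steps 14-16: strip the token, keep the session mapping, forward.
            downstream_session = len(self.sessions) + 1
            self.sessions[upstream_session] = downstream_session
            self.outbox.append((downstream_session, SecondRequest(req.op, req.object_id, user_id)))
            return "forwarded"
        # Steps 18-19: permission lookup in the object's key-value attributes.
        attrs = self.objects.get(req.object_id)
        if attrs is None:
            return "not_found"
        if attrs.get(req.op) != user_id:
            return "denied"
        if req.op == "delete":
            del self.objects[req.object_id]
        return "ok"


def demo() -> Dict[str, str]:
    """Constructed scenario: jeffrey, registered at AAAAA.com, deletes a local object,
    is refused a read he lacks permission for, and reads an object in another domain."""
    srv = FirstServer("AAAAA.com")
    jeffrey = "URI:AAAAA.com/jeffrey"
    tok = srv.issue_token(jeffrey)
    srv.objects["URI:AAAAA.com/pic1"] = {"size": "1024", "delete": jeffrey, "read": jeffrey}
    srv.objects["URI:AAAAA.com/pic2"] = {"size": "2048", "read": "URI:AAAAA.com/other"}
    results = {
        "local_delete": srv.handle(FirstRequest("delete", "URI:AAAAA.com/pic1", tok), 1),
        "local_denied": srv.handle(FirstRequest("read", "URI:AAAAA.com/pic2", tok), 2),
        "cross_domain": srv.handle(FirstRequest("read", "URI:CCCCC.com/pic9", tok), 3),
        "bad_token": srv.handle(FirstRequest("read", "URI:AAAAA.com/pic2", "bogus"), 4),
    }
    # the forwarded request carries the user identifier but no token field
    results["forwarded_fields"] = ",".join(sorted(vars(srv.outbox[0][1])))
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```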
Optionally, the digital object may also be a virtual digital object stored on a fourth server.
A virtual digital object has a unique identifier, but its content is not actually stored on the first server; instead, the first server holds a location pointer indicating where the content of the virtual digital object can be obtained. The location pointer may be the address of any server, such as an IP address or a MAC address. In this case, the first server processing the digital object according to the digital object operation permission and the identifier of the digital object includes:
The first server obtains the location pointer according to the identifier of the digital object, obtains the digital object from the fourth server according to the location pointer, and processes the digital object according to the digital object operation permission. The location pointer indicates the address at which the fourth server stores the digital object.
Optionally, before step 11 in which the first server receives the first data operation request sent by the user, the method may further include the following, as shown in FIG. 3:
30. The user sends an access request.
The user may send the access request through a web portal or a client program. The access request is used to request a token and includes the identifier of the user. A login request is used as the example of an access request, and this login request continues to be used below. The login request contains the identifier of the user, for which a user ID is used as the example.
In the handle protocol, a new operation code (Op_Code), OC_Login, and the corresponding response code (ResponseCode), RC_Login, are added. When the user sends a Login request, the Login request carries the operation code OC_Login and the body of the Login request carries the user ID.
31. The first server receives the access request sent by the user.
32. The first server determines, according to the identifier of the user, whether the user belongs to the autonomous domain of the first server. If so, step 33 is performed; otherwise, step 35 is performed.
The first server determines from the user ID whether the user belongs to the autonomous domain of the first server. For example, when the user IDs of the first server's autonomous domain are expressed with a domain name, such as URI:AAAAA.com/jeffrey, the autonomous domain of the user jeffrey can be determined to be AAAAA.com.
33. The first server determines, according to the identifier of the user, that the user belongs to the autonomous domain of the first server, and the first server authenticates the user.
The first server authenticates the user; the authentication method may be, but is not limited to, decrypting the user's digital signature with the user's public key. For example, the user may be authenticated using the procedure defined in RFC 3651, as follows: the first server sends a challenge to the user; the user receives the challenge; the client program or other access program on the user side encrypts the challenge with the user's private key to form a digital signature and returns it to the first server; the first server receives the digital signature sent by the user side; the first server decrypts the received digital signature with the user's public key and compares the decrypted challenge with the challenge it sent; if they match, the user is considered authenticated, otherwise the user is not authenticated.
34. After determining that the user has been authenticated, the first server sends the user the token corresponding to the user's identifier.
If authentication succeeds, the first server sends the user a token bound to that user; subsequent messages from the user carrying this token are trusted by the first server as coming from that user.
A specific embodiment extends the handle system protocol: a new response code (ResponseCode), RC_Login, is added, and the body of the message carries a token (Token); the token may be a fixed-length random string. At the same time, the first server maintains the correspondence between the user's identifier and the token.
35. The first server determines, according to the identifier of the user, that the user does not belong to the autonomous domain of the first server, and requests a third server to authenticate the user.
36. The third server receives the authentication request sent by the first server.
37. The third server authenticates the user.
The third server is a server used to authenticate the user. It corresponds to the user's registration domain, that is, the domain from which the user obtains a user identifier by registering (the registration domain assigns the user identifier to the user). Having determined from the user's identifier that the user does not belong to its own autonomous domain, the first server obtains the user's registration domain from the user ID and obtains the address of the third server corresponding to that registration domain, for example the IP address of the third server.
The first server requests the third server to authenticate the user. One embodiment of the third server authenticating the user is an extension of the handle protocol of RFC 3652, proceeding as follows: the third server sends a challenge to the user; the user receives the challenge; the client program or other access program on the user side encrypts the challenge with the user's private key to form a digital signature and returns it to the third server. For example, the handle system protocol is extended as follows: based on the challenge-response verification-request and challenge-response verification-response procedures defined in Section 3.5.3 of RFC 3652, a new message operation code OC_Code: challenge-response auth-request is added, whose message body carries, in addition to the challenge and Challenge Response (the user's digital signature) of the current challenge-response verification-request operation, the user ID, and is sent to the third server through the handle protocol. The third server receives the digital signature sent by the user side, decrypts it with the user's public key and compares the decrypted challenge with the challenge it sent; if they match, the user is considered authenticated, otherwise the user is not authenticated.
38. The third server sends the authentication result to the first server.
The third server carries the authentication result in the newly added message operation code OC_Code: challenge-response auth-response and sends it to the first server.
39. The first server receives the authentication result sent by the third server.
40. After determining that the user has been authenticated by the third server, the first server sends the user the token corresponding to the user's identifier.
The first server sends the user a token bound to that user. For subsequent messages sent by the user carrying this token, the first server can authenticate the user from the token in the message together with the user's identifier in the message.
In the technical solution of Embodiment 1 described above, a digital object may be a single digital object or a digital object group (Group Digital Object). When the digital object is a digital object group, the group has a unique ID and contains a member list; the member list may contain specific data or the identifiers of one or more other digital objects.
In the technical solution proposed in Embodiment 2 of the present invention, operating on a digital object includes various operations on the content of the digital object itself and on its attributes, which may include, but are not limited to, creating, deleting and reading the digital object. For digital objects of database type, operating on the digital object includes the user operating on the records within the digital object, such as adding, deleting, modifying and viewing records.
When the first server processes the digital object according to the digital object operation permission and the identifier of the digital object, and the user involved is a user group, the first server examines the user identifier in each received first data operation request; if it is the identifier of a user group, the first server obtains the IDs and related information, such as communication addresses, of all member users of the group and sends an authentication message to each member user. When the first server processes the digital object according to the digital object operation permission and the identifier of the digital object, and the digital object involved is a digital object group, every operation on the digital object group is applied to the members of that group. For example, if a digital object group is read, the first server reads each member of the group. This is illustrated with an example:
Suppose the identifier of the user group is BBB and its members are B1, B2 and B3. When the first server processes the digital object according to the digital object operation permission and the identifier of the digital object and the user involved is the user group, the first server must authenticate the group members B1, B2 and B3 separately, sending authentication messages to each of B1, B2 and B3. Suppose B1 and B2 pass authentication and B3 does not. When the user group contains a member, B3, that failed authentication, the user group corresponding to the identifier BBB is determined not to have been authenticated; conversely, when all members B1, B2 and B3 pass authentication, the user group is determined to be authenticated, which better improves the security of the system. In one implementation, when authentication of the group members is complete and B1 and B2 have passed while B3 has not, the authenticated members B1 and B2 may still be allowed to process the digital object.
Suppose the identifier of the digital object group is CCCC and its members are C1, C2 and C3. When the first server processes the digital object according to the digital object operation permission and the identifier of the digital object and the digital object involved is the digital object group CCCC, every operation on the group is applied to its members. For example, if CCCC is read, the first server reads C1, C2 and C3 respectively.
Embodiment 2
The second embodiment of the present invention provides a method for processing cross-domain data. For ease of description, the servers are distinguished from one another in the technical solution of the second embodiment. As shown in FIG. 4, the processing flow is as follows:
40. The first server sends a data operation request.
41. The second server receives the data operation request sent by the first server.
In steps 40 and 41, the data operation request requests processing of a digital object and includes the identifier of the digital object and the identifier of the user. The autonomous domain of the second server is the target domain of the data operation request.
42. The second server obtains the identifier of the user from the data operation request.
43. The second server requests the third server to authenticate the user.
44. The third server receives the request, sent by the second server, to authenticate the user.
45. The third server authenticates the user.
The third server is the server that authenticates the user. It corresponds to the registration domain of the user, that is, the domain in which the user obtained a user identifier by registering; the registration domain allocates the user identifier to the user.
Specific authentication method: an extension of the Handle protocol of RFC 3652. On receiving the data operation request, the second server uses the user identifier (user ID) in the request to determine the registration domain to which the identifier belongs, and thereby obtains the information of the corresponding third server, such as the IP address of the third server. Using the Handle System protocol, the second server then completes the following exchange. The second server returns a challenge to the user. The user side signs the challenge with the user's private key (the original wording is that the challenge is encrypted with the private key), producing a digital signature, and sends the digital signature to the second server. The second server receives the digital signature and sends it on to the third server. For this, the Handle System protocol is extended: building on the challenge-response verification-request and challenge-response verification-response procedures defined in RFC 3652, a new message operation code OC_Code: challenge-response auth-request is added. Besides the challenge and the ChallengeResponse (the user's digital signature) of the existing challenge-response verification-request operation, the message body carries the user ID and, optionally, an App ID, and is sent to the third server over the Handle protocol. The third server receives the digital signature and verifies it with the user's public key against the challenge (in the original wording, decrypts the signature with the public key and compares the result with the challenge).
46. The third server sends the authentication result to the second server.
The third server carries the authentication result in the newly added message operation code OC_Code: challenge-response auth-response and sends it to the second server.
47. The second server receives the authentication result sent by the third server.
To make authentication more efficient, the second server may look up the user's public key by the user identifier and keep it for the next authentication. If, however, the signature does not verify under that key, the user's key may have been changed, and the second server must still authenticate the user through the third server.
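The exchange of steps 43 to 47, including the cached-key shortcut just described, as an added example that is not part of the patent and not Huawei's code. It models the three parties in one process: the second server issues a fresh random challenge, the user returns a ChallengeResponse, and the third server (the registration domain) checks it against the registered public key. Ed25519 from the Go standard library is an assumption, since the original names no signature scheme, and the AuthRequest struct only stands in for the fields the text says the auth-request message carries.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// AuthRequest stands in for the body of the added OC_Code "challenge-response
// auth-request": challenge, ChallengeResponse (signature), user ID, optional App ID.
type AuthRequest struct {
	UserID    string
	AppID     string
	Challenge []byte
	Signature []byte
}

// ThirdServer is the registration domain; it holds each user's registered public key.
type ThirdServer struct {
	keys map[string]ed25519.PublicKey
}

func NewThirdServer() *ThirdServer { return &ThirdServer{keys: map[string]ed25519.PublicKey{}} }

// Register stores (or replaces, on key rotation) the public key for a user ID.
func (t *ThirdServer) Register(userID string, pub ed25519.PublicKey) { t.keys[userID] = pub }

// Verify answers the auth-request: true plus the registered key when the
// ChallengeResponse is a valid signature over the challenge under that key.
func (t *ThirdServer) Verify(req AuthRequest) (bool, ed25519.PublicKey) {
	pub, known := t.keys[req.UserID]
	if !known || !ed25519.Verify(pub, req.Challenge, req.Signature) {
		return false, nil
	}
	return true, pub
}

// User holds the private key that signs challenges.
type User struct {
	ID   string
	priv ed25519.PrivateKey
}

// NewUser generates a key pair and registers the public half with the third server.
func NewUser(id string, reg *ThirdServer) (*User, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	reg.Register(id, pub)
	return &User{ID: id, priv: priv}, nil
}

// Sign is the user side of the exchange: sign the challenge with the private key.
func (u *User) Sign(challenge []byte) []byte { return ed25519.Sign(u.priv, challenge) }

// SecondServer is the target domain. After a successful authentication it caches the
// public key so that later challenges can be checked locally.
type SecondServer struct {
	third        *ThirdServer
	cache        map[string]ed25519.PublicKey
	RemoteChecks int // how many times the third server was consulted
}

func NewSecondServer(third *ThirdServer) *SecondServer {
	return &SecondServer{third: third, cache: map[string]ed25519.PublicKey{}}
}

// Authenticate runs the exchange for one user; sign stands in for the user side that
// returns the ChallengeResponse. A fresh random challenge is drawn every time so that
// a captured signature cannot be replayed.
func (s *SecondServer) Authenticate(userID, appID string, sign func([]byte) []byte) (bool, error) {
	challenge := make([]byte, 32)
	if _, err := rand.Read(challenge); err != nil {
		return false, err
	}
	sig := sign(challenge)
	if len(sig) != ed25519.SignatureSize {
		return false, errors.New("malformed ChallengeResponse")
	}
	// Fast path: a cached key that verifies the signature settles the request.
	if pub, ok := s.cache[userID]; ok && ed25519.Verify(pub, challenge, sig) {
		return true, nil
	}
	// No cached key, or the signature fails under it (the user's key may have
	// changed): forward the auth-request to the third server and take its answer.
	s.RemoteChecks++
	ok, pub := s.third.Verify(AuthRequest{UserID: userID, AppID: appID, Challenge: challenge, Signature: sig})
	if ok {
		s.cache[userID] = pub
	} else {
		delete(s.cache, userID) // never keep a key the registration domain no longer vouches for
	}
	return ok, nil
}

func main() {
	third := NewThirdServer()
	alice, err := NewUser("alice", third)
	if err != nil {
		panic(err)
	}
	second := NewSecondServer(third)
	for i := 1; i <= 2; i++ {
		ok, _ := second.Authenticate(alice.ID, "", alice.Sign)
		fmt.Printf("attempt %d: authenticated=%v remote checks=%d\n", i, ok, second.RemoteChecks)
	}
}
```

Two details matter for the cache in practice: the cached key is dropped whenever the third server rejects a signature, so a key that has been rotated or revoked at the registration domain cannot keep authenticating from the cache, and the challenge is random per attempt, so the cache never turns into a replayable credential.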
48. After determining that the user has passed authentication by the third server, the second server obtains the digital object operation permission according to the identifier of the user.
The digital object operation permission is the second server's permission to operate on the digital objects related to the user.
49. The second server processes the digital object according to the digital object operation permission and the identifier of the digital object.
In the above method flow, as shown in the schematic composition of a digital object in FIG. 2, a digital object includes an identifier and the attributes of the digital object corresponding to that identifier. The identifier uniquely identifies the digital object. Each digital object may have one or more attributes, and an attribute may be formed as a key-value pair.
Further, the key-value pairs of a digital object may include an extension field that designates approving users; its value may be the identifier of one or more approving users. The identifier of an approving user indicates that, when the digital object is to be operated on, the permission of the approving user corresponding to that identifier must be obtained. After the user passes authentication, the second server obtains the digital object operation permission, that is, it reads the permission control attributes of the digital object and checks whether the user is authorized to perform the operation. If the operation permission obtained shows that the user is authorized to perform the operation but the consent of certain users, that is their approval, is required, the second server sends an approval request message before operating on the digital object. The approval request message carries the corresponding operation request information, for example the identifier of the user requesting the operation, and may be sent to the approving users identified in the extension field of the digital object. If the user is authorized to operate on the digital object and the approving user consents, then on receiving the approval consent message from the approving user the second server processes the digital object according to the operation permission and the identifier of the digital object. If the user is not authorized to perform the operation, or the consent of the approving user is not obtained, the second server refuses to operate on the digital object. The following example illustrates this:
Assume the identifier of a first user is UE1, the identifier of a second user is UE2, and the identifier of a digital object is AAAA, and that the extension field among the key-value pairs of AAAA contains UE2. UE1 sends a data operation request to modify the digital object AAAA. When UE1 passes authentication, the second server determines that UE1 may modify AAAA, but that modifying AAAA is conditional on the approval of UE2, that is, AAAA may be modified only after the permission of UE2 has been obtained. The second server therefore sends an approval request message requesting the approval of UE2; this message may contain the identifier UE1 of the first user. When the second user receives the approval request message and permits the first user UE1 to modify the digital object, it replies with an approval consent message, and on receiving the approval consent message the second server performs the modification on the digital object AAAA.
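The permission check with approving users, including the UE1/UE2/AAAA case, as an added example that is not part of the patent and not Huawei's code. The attribute keys are assumptions: the original only says that attributes are key-value pairs and that an extension field lists approving users, so here "perm:<user>" holds the operations that user may perform and "approvers" holds the approving users' identifiers. Requiring every listed approver to consent is also an assumption; the text allows one or more approvers and says the approving user's permission is required.

```go
package main

import (
	"fmt"
	"strings"
)

// DigitalObject is an identifier plus its key-value attributes (FIG. 2).
type DigitalObject struct {
	ID    string
	Attrs map[string]string
}

// ApprovalRequest is the approval request message sent to an approving user; it
// carries the requesting user's identifier, the object and the operation.
type ApprovalRequest struct {
	Requester, ObjectID, Operation string
}

// ApproverFn models the approving user's reply: true for an approval consent message.
type ApproverFn func(approverID string, req ApprovalRequest) bool

// splitList parses the comma-separated attribute values assumed here.
func splitList(s string) []string {
	if strings.TrimSpace(s) == "" {
		return nil
	}
	out := strings.Split(s, ",")
	for i := range out {
		out[i] = strings.TrimSpace(out[i])
	}
	return out
}

// Permits reads the permission control attributes and reports whether userID may
// perform op on the object.
func (o *DigitalObject) Permits(userID, op string) bool {
	for _, allowed := range splitList(o.Attrs["perm:"+userID]) {
		if allowed == op {
			return true
		}
	}
	return false
}

// Approvers returns the identifiers in the extension field, or nil if there are none.
func (o *DigitalObject) Approvers() []string { return splitList(o.Attrs["approvers"]) }

// Authorize is the check the second server performs after the user has passed
// authentication: refuse if the user lacks the permission; otherwise, when approving
// users are listed, send each one an approval request and proceed only if all consent.
// A nil result means the operation may be carried out.
func Authorize(o *DigitalObject, userID, op string, ask ApproverFn) error {
	if !o.Permits(userID, op) {
		return fmt.Errorf("user %s has no %s permission on %s", userID, op, o.ID)
	}
	req := ApprovalRequest{Requester: userID, ObjectID: o.ID, Operation: op}
	for _, approver := range o.Approvers() {
		if !ask(approver, req) {
			return fmt.Errorf("approving user %s did not consent to %s on %s", approver, op, o.ID)
		}
	}
	return nil
}

// AAAA reproduces the example from the text (constructed data): UE1 may read and
// modify AAAA, but every operation needs UE2's approval.
var AAAA = &DigitalObject{
	ID: "AAAA",
	Attrs: map[string]string{
		"perm:UE1":  "read,modify",
		"approvers": "UE2",
	},
}

func main() {
	consent := func(approver string, req ApprovalRequest) bool {
		fmt.Printf("approval request to %s: %+v\n", approver, req)
		return approver == "UE2"
	}
	if err := Authorize(AAAA, "UE1", "modify", consent); err != nil {
		fmt.Println("refused:", err)
	} else {
		fmt.Println("UE1 modifies AAAA")
	}
}
```

The order of the two checks is deliberate: the permission attributes are consulted first, so a user with no permission at all is refused before any approver is contacted and cannot use the approval message to probe who approves which object.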
Optionally, after the second server requests the third server to authenticate the user, the method further includes:
after determining that the user has passed authentication by the third server, the second server sends the user a token corresponding to the identifier of the user.
The digital object may be a virtual digital object stored on a fourth server. In that case, the second server processing the digital object according to the operation permission and the identifier includes: the second server obtains a location pointer according to the identifier of the digital object, retrieves the digital object from the fourth server according to the location pointer, and processes the digital object according to the operation permission.
The location pointer indicates the address at which the fourth server stores the digital object.
In the technical solution of the second embodiment described above, the digital object may be a single digital object or a digital object group (Group Digital Object). A digital object group has a unique ID and a member list; an entry in the member list may be concrete data or the identifier of another digital object.
In the technical solution of the second embodiment, operating on a digital object covers operations on the content of the digital object itself and on its attributes, including but not limited to creating, deleting and reading the digital object. For a digital object of database type, operating on the digital object includes the user operating on the records in that object, for example adding, deleting, modifying and viewing records.
When the second server processes the digital object according to the digital object operation permission and the identifier of the digital object, and the user involved may be a user group, the second server examines the user identifier in each data operation request it receives. If the identifier is that of a user group, the second server obtains the IDs of all member users of the group together with their associated information, such as each member's communication address, and sends an authentication message to every member user. When the second server processes the digital object and the digital object involved is a digital object group, every operation on the group is applied to each member of the group. For example, a read of a digital object group causes the second server to read each member of that group.
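The handling of group identifiers described here and in the BBB and CCCC examples of the first embodiment, as an added example that is not part of the patent and not Huawei's code. It shows the all-or-nothing authentication of a user group with the lenient variant that keeps the members that passed, and the application of a read to every member of a digital object group, following member entries that name other digital objects. The cycle check on nested groups is an addition the original does not mention; a member list that leads back to its own group would otherwise recurse forever.

```go
package main

import (
	"fmt"
	"sort"
)

// Object is a digital object: either concrete data, or a group whose member list
// holds identifiers of other objects.
type Object struct {
	ID      string
	Data    string
	Members []string // non-nil for a digital object group
}

// Registry maps object identifiers to objects and user group IDs to member user IDs.
type Registry struct {
	Objects    map[string]*Object
	UserGroups map[string][]string
}

// AuthenticateUserGroup authenticates each member (auth stands in for the
// authentication message and its reply) and returns whether the group passed together
// with the members that did. With strict set, one failing member fails the group.
func AuthenticateUserGroup(members []string, auth func(userID string) bool, strict bool) (bool, []string) {
	var passed []string
	for _, m := range members {
		if auth(m) {
			passed = append(passed, m)
		}
	}
	if strict {
		return len(passed) == len(members), passed
	}
	return len(passed) > 0, passed
}

// Expand returns, in sorted order, the identifiers of the concrete objects reached
// from id, following nested groups. It fails on an unknown identifier or a cycle.
func (r *Registry) Expand(id string) ([]string, error) {
	seen := map[string]bool{}
	var leaves []string
	var walk func(id string, path map[string]bool) error
	walk = func(id string, path map[string]bool) error {
		if path[id] {
			return fmt.Errorf("cycle through digital object group %s", id)
		}
		obj, ok := r.Objects[id]
		if !ok {
			return fmt.Errorf("unknown digital object %s", id)
		}
		if obj.Members == nil {
			if !seen[id] {
				seen[id] = true
				leaves = append(leaves, id)
			}
			return nil
		}
		path[id] = true
		defer delete(path, id)
		for _, m := range obj.Members {
			if err := walk(m, path); err != nil {
				return err
			}
		}
		return nil
	}
	if err := walk(id, map[string]bool{}); err != nil {
		return nil, err
	}
	sort.Strings(leaves)
	return leaves, nil
}

// Read applies a read to id; for a group that means reading every member.
func (r *Registry) Read(id string) (map[string]string, error) {
	ids, err := r.Expand(id)
	if err != nil {
		return nil, err
	}
	out := make(map[string]string, len(ids))
	for _, i := range ids {
		out[i] = r.Objects[i].Data
	}
	return out, nil
}

// SampleRegistry reproduces the BBB and CCCC examples from the text (constructed data).
func SampleRegistry() *Registry {
	return &Registry{
		Objects: map[string]*Object{
			"C1":   {ID: "C1", Data: "record 1"},
			"C2":   {ID: "C2", Data: "record 2"},
			"C3":   {ID: "C3", Data: "record 3"},
			"CCCC": {ID: "CCCC", Members: []string{"C1", "C2", "C3"}},
		},
		UserGroups: map[string][]string{"BBB": {"B1", "B2", "B3"}},
	}
}

func main() {
	r := SampleRegistry()
	ok, passed := AuthenticateUserGroup(r.UserGroups["BBB"], func(u string) bool { return u != "B3" }, true)
	fmt.Println("BBB strict:", ok, passed)
	data, err := r.Read("CCCC")
	fmt.Println("read CCCC:", data, err)
}
```

The lenient variant returns the list of members that passed so that the caller can restrict the subsequent operation to exactly those members, rather than to the group identifier as a whole.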
Embodiment 3
The third embodiment of the present invention provides a first server, shown in FIG. 5. The first server provides access service to users and includes:
a receiving unit 501, configured to receive a first data operation request sent by a user, the first data operation request requesting processing of a digital object and including the user's token and the identifier of the digital object;
a determining unit 502, configured to determine, according to the identifier of the digital object included in the first data operation request, that the target domain of the first data operation request is the autonomous domain of a second server;
an executing unit 503, configured to delete the user's token from the first data operation request to obtain a second data operation request, the second data operation request including the identifier of the digital object; and
a sending unit 504, configured to send the second data operation request to the second server.
The first data operation request further includes the identifier of the user, and the determining unit is further configured to determine, according to the identifier of the digital object included in the first data operation request, that the target domain of the first data operation request is the autonomous domain of the first server.
The first server further includes an obtaining unit, configured to determine, according to a correspondence between the user's token and the user's identifier, that the user has passed authentication, and then to obtain the digital object operation permission according to the identifier of the user; the correspondence comprises the user's token and the user's identifier, and the digital object operation permission is the first server's permission to operate on the digital objects related to the user.
The executing unit is further configured to process the digital object according to the digital object operation permission and the identifier of the digital object.
The receiving unit 501 is further configured to receive an access request sent by the user, the access request requesting a token and including the identifier of the user; the determining unit 502 is further configured to determine, according to the identifier of the user, that the user belongs to the autonomous domain of the first server; the executing unit 503 is further configured to authenticate the user; and the sending unit is further configured to send the user a token corresponding to the user's identifier after determining that the user has passed authentication.
Alternatively, the receiving unit 501 is further configured to receive an access request sent by the user, the access request requesting a token and including the identifier of the user; the determining unit 502 is further configured to determine, according to the identifier of the user, that the user does not belong to the autonomous domain of the first server; the executing unit 503 is further configured to request a third server to authenticate the user; and the sending unit is further configured to send the user a token corresponding to the user's identifier after determining that the user has passed authentication by the third server.
Specifically, the digital object is a virtual digital object stored on a fourth server, and the executing unit 503 is configured to obtain a location pointer according to the identifier of the digital object, the location pointer indicating the address at which the fourth server stores the digital object; to retrieve the digital object from the fourth server according to the location pointer; and to process the digital object according to the digital object operation permission.
Specifically, the identifier of the digital object includes a digital object group identifier, and the executing unit 503 is configured to process each member of the digital object group according to the digital object operation permission and the digital object group identifier.
The units of the first server proposed in the third embodiment may be deployed separately on different devices or together on one device. For the implementation principles of the receiving unit, determining unit, executing unit and sending unit of the first server, see the detailed description of the method for processing cross-domain data in Embodiment 1; they are not repeated here.
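The path a first data operation request takes through units 501 to 504, as an added example that is not part of the patent and not Huawei's code: the first server derives the target domain from the digital object identifier, and either checks the token against its token-to-identifier correspondence and processes locally, or deletes the token and forwards a second data operation request. Deriving the domain from a "prefix/suffix" identifier is an assumption taken from Handle-style naming (the original does not say how the target domain is read from the identifier), and the "10.1000" and "20.5000" prefixes, the token values and the recorded results are constructed.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// FirstDataOperationRequest is what the user sends to the first server.
type FirstDataOperationRequest struct {
	Token, UserID, ObjectID, Operation string
}

// SecondDataOperationRequest is the forwarded request. It has no token field at all,
// so the token cannot be forwarded by mistake.
type SecondDataOperationRequest struct {
	UserID, ObjectID, Operation string
}

// DomainOf returns the autonomous domain an object identifier belongs to (assumed to
// be the prefix before the first '/').
func DomainOf(objectID string) (string, error) {
	i := strings.IndexByte(objectID, '/')
	if i <= 0 {
		return "", fmt.Errorf("identifier %q has no domain prefix", objectID)
	}
	return objectID[:i], nil
}

// FirstServer provides access service to the users of its own domain.
type FirstServer struct {
	Domain    string
	tokens    map[string]string // correspondence: token -> user identifier
	Forwarded []SecondDataOperationRequest
	Processed []string
}

func NewFirstServer(domain string) *FirstServer {
	return &FirstServer{Domain: domain, tokens: map[string]string{}}
}

// IssueToken records the token handed to a user after a successful access request;
// the token value is supplied by the caller in this example.
func (f *FirstServer) IssueToken(token, userID string) { f.tokens[token] = userID }

// Handle returns "forwarded:<domain>" when the request was sent on to another domain
// and "processed" when it was executed locally.
func (f *FirstServer) Handle(req FirstDataOperationRequest) (string, error) {
	domain, err := DomainOf(req.ObjectID)
	if err != nil {
		return "", err
	}
	if domain != f.Domain {
		// Target is another domain: the token is deleted and only the identifiers
		// travel, so the credential issued by this domain never leaves it.
		f.Forwarded = append(f.Forwarded, SecondDataOperationRequest{
			UserID: req.UserID, ObjectID: req.ObjectID, Operation: req.Operation,
		})
		return "forwarded:" + domain, nil
	}
	// Own domain: the token must correspond to the user identifier in the request,
	// otherwise one user's token could be replayed under another identifier.
	if owner, ok := f.tokens[req.Token]; !ok || owner != req.UserID {
		return "", errors.New("token does not correspond to the user identifier")
	}
	f.Processed = append(f.Processed, req.Operation+" "+req.ObjectID)
	return "processed", nil
}

func main() {
	fs := NewFirstServer("10.1000")
	fs.IssueToken("tok-ue1", "UE1")
	for _, id := range []string{"10.1000/AAAA", "20.5000/AAAA"} {
		res, err := fs.Handle(FirstDataOperationRequest{Token: "tok-ue1", UserID: "UE1", ObjectID: id, Operation: "read"})
		fmt.Println(id, res, err)
	}
}
```

Removing the token by constructing a second request type without a token field, rather than by blanking one field of the first request, is the safer way to implement unit 503: a later change that adds fields to the first request cannot silently start leaking them to the second server.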
The third embodiment of the present invention further provides a second server, shown in FIG. 6, which includes:
a receiving unit 601, configured to receive a data operation request sent by a first server, the data operation request requesting processing of a digital object and including the identifier of the digital object and the identifier of a user, the autonomous domain of the second server being the target domain of the data operation request;
an executing unit 603, configured to request a third server to authenticate the user; and
an obtaining unit 602, configured to obtain, after determining that the user has passed authentication by the third server, the digital object operation permission according to the identifier of the user in the operation request, the digital object operation permission being the second server's permission to operate on the digital objects related to the user.
The executing unit 603 is further configured to process the digital object according to the digital object operation permission and the identifier of the digital object.
The apparatus further includes a sending unit, configured to send the user a token corresponding to the user's identifier after determining that the user has passed authentication by the third server.
The digital object is a virtual digital object stored on a fourth server, and the executing unit is configured to obtain a location pointer according to the identifier of the digital object, the location pointer indicating the address at which the fourth server stores the digital object; to retrieve the digital object from the fourth server according to the location pointer; and to process the digital object according to the digital object operation permission.
The units of the second server proposed in the third embodiment may be deployed separately on different devices or together on one device. For the implementation principles of the receiving unit, obtaining unit, executing unit and sending unit of the second server, see the detailed description of the method for processing cross-domain data in Embodiment 2; they are not repeated here.
An embodiment of the present invention further provides a first server, shown in FIG. 7, structured as follows:
The first server includes an interface 701, a memory 702 and a processor 703. The interface 701, the memory 702 and the processor 703 are connected by a bus and exchange data over it. The processor 703 reads instructions from the program stored in the memory 702 and performs the following operations:
receiving, through the interface 701, a first data operation request sent by a user, where the first server provides access service to the user, and the first data operation request requests processing of a digital object and includes the user's token and the identifier of the digital object;
determining, according to the identifier of the digital object included in the first data operation request, that the target domain of the first data operation request is the autonomous domain of a second server;
deleting the user's token from the first data operation request to obtain a second data operation request, the second data operation request including the identifier of the digital object; and
sending the second data operation request to the second server through the interface 701.
In this structure of the first server, the interface 701 performs the function of transmitting the first data operation request in steps 11 and 12 of Embodiment 1, and the processor 703 performs all the functions of steps 13 to 19. For the implementation principles of the interface 701 and the processor 703 of the first server, see the detailed description in Embodiment 1; they are not repeated here.
The third embodiment of the present invention further provides a second server, structured as shown in FIG. 8. The second server includes an interface 801, a memory 802 and a processor 803. The processor 803 reads instructions from the program stored in the memory 802 and performs the following operations:
receiving, through the interface 801, a data operation request sent by a first server, the data operation request requesting processing of a digital object and including the identifier of the digital object and the identifier of a user, the autonomous domain of the second server being the target domain of the data operation request;
requesting a third server to authenticate the user;
after determining that the user has passed authentication by the third server, obtaining the digital object operation permission according to the identifier of the user in the operation request, the digital object operation permission being the second server's permission to operate on the digital objects related to the user; and
processing the digital object according to the digital object operation permission and the identifier of the digital object.
In the first server and the second server of the third embodiment, the interface may be one or more of the following: a network interface controller (NIC) providing a wired interface, for example an Ethernet NIC, which may provide a copper and/or optical fibre interface; or a NIC providing a wireless interface, for example a wireless local area network (WLAN) NIC.
The memory may be a volatile memory, for example random-access memory (RAM); a non-volatile memory, for example flash memory, a hard disk drive (HDD) or a solid-state drive (SSD); or a combination of these types of memory.
The processor may be a central processing unit (CPU), or a combination of a CPU and a hardware chip. The processor may also be a network processor (NP), a combination of a CPU and an NP, or a combination of an NP and a hardware chip.
The hardware chip may be one or a combination of the following: an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA), or a complex programmable logic device (CPLD).
Those skilled in the art will appreciate that embodiments of the present invention may be provided as a method, an apparatus (device) or a computer program product. Accordingly, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Moreover, the present invention may take the form of a computer program product embodied on one or more computer-usable storage media (including but not limited to disk storage, CD-ROM and optical storage) containing computer-usable program code.
The present invention is described with reference to flowcharts and/or block diagrams of methods, apparatuses (devices) and computer program products according to embodiments of the invention. It should be understood that each flow and/or block of the flowcharts and/or block diagrams, and combinations of flows and/or blocks in them, may be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general-purpose computer, a special-purpose computer, an embedded processor or another programmable data processing device to produce a machine, such that the instructions executed by the processor of the computer or other programmable data processing device produce an apparatus for implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing device to operate in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means that implement the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be loaded onto a computer or other programmable data processing device, so that a series of operational steps is performed on the computer or other programmable device to produce computer-implemented processing, such that the instructions executed on the computer or other programmable device provide steps for implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
Finally, it should be noted that the above embodiments merely illustrate the technical solutions of the present invention and do not limit them. Although the present invention and its beneficial effects have been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art should understand that the technical solutions described in the foregoing embodiments may still be modified, or some of their technical features replaced by equivalents, and that such modifications or replacements do not cause the essence of the corresponding technical solutions to depart from the scope of the claims of the present invention.

Claims (18)

  1. A method for processing cross-domain data, characterized in that the method comprises:
    receiving, by a first server, a first data operation request sent by a user, where the first server is configured to provide an access service to the user, the first data operation request is used to request processing of a digital object, and the first data operation request includes a token of the user and an identifier of the digital object;
    determining, by the first server, according to the identifier of the digital object included in the first data operation request, that the target domain of the first data operation request is an autonomous domain of a second server;
    deleting, by the first server, the token of the user included in the first data operation request to obtain a second data operation request, where the second data operation request includes the identifier of the digital object;
    sending, by the first server, the second data operation request to the second server.
  2. The method according to claim 1, characterized in that the first data operation request further includes an identifier of the user, and the method further comprises:
    determining, by the first server, according to the identifier of the digital object included in the first data operation request, that the target domain of the first data operation request is an autonomous domain of the first server;
    determining, by the first server, according to a correspondence, the token of the user and the identifier of the user, that the user has passed authentication, where the correspondence includes the token of the user and the identifier of the user;
    obtaining, by the first server, a digital object operation authority according to the identifier of the user, where the digital object operation authority is the authority of the first server to operate on digital objects related to the user;
    processing, by the first server, the digital object according to the digital object operation authority and the identifier of the digital object.
  3. The method according to claim 1 or 2, characterized in that, before the first server receives the first data operation request sent by the user, the method further comprises:
    receiving, by the first server, an access request sent by the user, where the access request is used to request a token and includes the identifier of the user;
    determining, by the first server, according to the identifier of the user, that the user belongs to the autonomous domain of the first server;
    authenticating, by the first server, the user;
    after determining that the user has passed authentication, sending, by the first server, to the user the token of the user corresponding to the identifier of the user.
  4. The method according to claim 1 or 2, characterized in that, before the first server receives the first data operation request sent by the user, the method further comprises:
    receiving, by the first server, an access request sent by the user, where the access request is used to request a token and includes the identifier of the user;
    determining, by the first server, according to the identifier of the user, that the user does not belong to the autonomous domain of the first server;
    requesting, by the first server, a third server to authenticate the user;
    after determining that the user has passed authentication by the third server, sending, by the first server, to the user the token of the user corresponding to the identifier of the user.
  5. The method according to any one of claims 1 to 4, characterized in that the digital object is a virtual digital object stored on a fourth server, and the processing, by the first server, of the digital object according to the digital object operation authority and the identifier of the digital object comprises:
    acquiring, by the first server, a location pointer according to the identifier of the digital object, where the location pointer indicates the address at which the fourth server stores the digital object;
    acquiring, by the first server, the digital object from the fourth server according to the location pointer;
    processing, by the first server, the digital object according to the digital object operation authority.
  6. The method according to any one of claims 2 to 5, characterized in that the identifier of the digital object includes a digital object group identifier;
    and the processing, by the first server, of the digital object according to the digital object operation authority and the identifier of the digital object comprises:
    processing, by the first server, each member of the digital object group identified by the digital object group identifier, according to the digital object operation authority and the digital object group identifier.
  7. A method for processing cross-domain data, characterized in that the method comprises:
    receiving, by a second server, a data operation request sent by a first server, where the data operation request is used to request processing of a digital object, the data operation request includes an identifier of the digital object and an identifier of a user, and the autonomous domain of the second server is the target domain of the data operation request;
    requesting, by the second server, a third server to authenticate the user;
    after determining that the user has passed authentication by the third server, obtaining, by the second server, a digital object operation authority according to the identifier of the user in the data operation request, where the digital object operation authority is the authority of the second server to operate on digital objects related to the user;
    processing, by the second server, the digital object according to the digital object operation authority and the identifier of the digital object.
  8. The method according to claim 7, characterized in that, after the second server requests the third server to authenticate the user, the method further comprises:
    after determining that the user has passed authentication by the third server, sending, by the second server, to the user the token of the user corresponding to the identifier of the user.
  9. The method according to claim 7 or 8, characterized in that the digital object is a virtual digital object stored on a fourth server, and the processing, by the second server, of the digital object according to the digital object operation authority and the identifier of the digital object comprises:
    acquiring, by the second server, a location pointer according to the identifier of the digital object, where the location pointer indicates the address at which the fourth server stores the digital object;
    acquiring, by the second server, the digital object from the fourth server according to the location pointer;
    processing, by the second server, the digital object according to the digital object operation authority.
  10. A first server, characterized in that the first server is configured to provide an access service to a user, and the first server comprises:
    a receiving unit, configured to receive a first data operation request sent by the user, where the first data operation request is used to request processing of a digital object, and the first data operation request includes a token of the user and an identifier of the digital object;
    a determining unit, configured to determine, according to the identifier of the digital object included in the first data operation request, that the target domain of the first data operation request is an autonomous domain of a second server;
    an execution unit, configured to delete the token of the user included in the first data operation request to obtain a second data operation request, where the second data operation request includes the identifier of the digital object;
    a sending unit, configured to send the second data operation request to the second server.
  11. The first server according to claim 10, characterized in that the first data operation request further includes an identifier of the user;
    the determining unit is further configured to determine, according to the identifier of the digital object included in the first data operation request, that the target domain of the first data operation request is an autonomous domain of the first server;
    the first server further comprises:
    an obtaining unit, configured to determine, according to a correspondence, the token of the user and the identifier of the user, that the user has passed authentication, and then to obtain a digital object operation authority according to the identifier of the user, where the correspondence includes the token of the user and the identifier of the user, and the digital object operation authority is the authority of the first server to operate on digital objects related to the user;
    the execution unit is further configured to process the digital object according to the digital object operation authority and the identifier of the digital object.
  12. The first server according to claim 10 or 11, characterized in that the receiving unit is further configured to receive an access request sent by the user, where the access request is used to request a token and includes the identifier of the user;
    the determining unit is further configured to determine, according to the identifier of the user, that the user belongs to the autonomous domain of the first server;
    the execution unit is further configured to authenticate the user;
    the sending unit is further configured to send, after it is determined that the user has passed authentication, the token of the user corresponding to the identifier of the user to the user.
  13. The first server according to claim 10 or 11, characterized in that the receiving unit is further configured to receive an access request sent by the user, where the access request is used to request a token and includes the identifier of the user;
    the determining unit is further configured to determine, according to the identifier of the user, that the user does not belong to the autonomous domain of the first server;
    the execution unit is further configured to request a third server to authenticate the user;
    the sending unit is further configured to send, after it is determined that the user has passed authentication by the third server, the token of the user corresponding to the identifier of the user to the user.
  14. The first server according to any one of claims 10 to 13, characterized in that the digital object is a virtual digital object stored on a fourth server;
    the execution unit is specifically configured to acquire a location pointer according to the identifier of the digital object, where the location pointer indicates the address at which the fourth server stores the digital object; to acquire the digital object from the fourth server according to the location pointer; and to process the digital object according to the digital object operation authority.
  15. The first server according to any one of claims 11 to 14, characterized in that the identifier of the digital object includes a digital object group identifier;
    the execution unit is specifically configured to process each member of the digital object group identified by the digital object group identifier, according to the digital object operation authority and the digital object group identifier.
  16. A second server, characterized in that the second server comprises:
    a receiving unit, configured to receive a data operation request sent by a first server, where the data operation request is used to request processing of a digital object, the data operation request includes an identifier of the digital object and an identifier of a user, and the autonomous domain of the second server is the target domain of the data operation request;
    an execution unit, configured to request a third server to authenticate the user;
    an obtaining unit, configured to obtain, after it is determined that the user has passed authentication by the third server, a digital object operation authority according to the identifier of the user in the data operation request, where the digital object operation authority is the authority of the second server to operate on digital objects related to the user;
    the execution unit is further configured to process the digital object according to the digital object operation authority and the identifier of the digital object.
  17. The second server according to claim 16, characterized in that the second server further comprises:
    a sending unit, configured to send, after it is determined that the user has passed authentication by the third server, the token of the user corresponding to the identifier of the user to the user.
  18. The second server according to claim 16 or 17, characterized in that the digital object is a virtual digital object stored on a fourth server, and the execution unit is specifically configured to acquire a location pointer according to the identifier of the digital object, where the location pointer indicates the address at which the fourth server stores the digital object; to acquire the digital object from the fourth server according to the location pointer; and to process the digital object according to the digital object operation authority.
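The routing and token-handling logic of claims 1 to 9, as an added example in Python. This is not the patent's or the assignee's code: the `<domain>/<name>` identifier format, the class and method names, the idea that the third server is the identity service of the user's home domain with a record of active sessions, and all sample users, tokens, pointers and objects are assumptions constructed for illustration. The first server strips the domain-local token before a request leaves its domain (claim 1), validates the token only for local objects (claim 2), and the second server re-authenticates the user through the third server before looking up that user's operation authority (claim 7); the pointer resolution and group expansion of claims 5 and 6 are included.

```python
"""Simulation of the cross-domain request handling in claims 1-9.
Added example, not code from the patent. Identifier format, class names and
sample data are assumptions made for illustration only."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


def domain_of(identifier: str) -> str:
    """Assumption: identifiers look like '<domain>/<name>'; the domain prefix
    is the autonomous domain the claims route on."""
    return identifier.split("/", 1)[0]


@dataclass
class ThirdServer:
    """Identity service of one domain (the claims' 'third server').
    Assumption: it knows which of its users currently hold a valid session."""
    domain: str
    active_users: Set[str]

    def authenticate(self, user_id: str) -> bool:
        return domain_of(user_id) == self.domain and user_id in self.active_users


@dataclass
class FourthServer:
    """Object storage addressed by location pointer (claims 5 and 9)."""
    store: Dict[str, str]

    def fetch(self, address: str) -> Optional[str]:
        return self.store.get(address)


@dataclass
class DomainServer:
    """Front server of one domain: the 'first server' for its own users and
    the 'second server' for requests forwarded in from another domain."""
    domain: str
    identity: Dict[str, ThirdServer]                 # domain -> its third server
    storage: FourthServer
    tokens: Dict[str, str] = field(default_factory=dict)            # token -> user_id (claim 2's correspondence)
    permissions: Dict[str, Set[str]] = field(default_factory=dict)  # user_id -> allowed operations
    pointers: Dict[str, str] = field(default_factory=dict)          # object_id -> storage address
    groups: Dict[str, List[str]] = field(default_factory=dict)      # group id -> member object ids
    peers: Dict[str, "DomainServer"] = field(default_factory=dict)
    forwarded: List[dict] = field(default_factory=list)             # audit log of what left this domain

    def handle_request(self, req: dict) -> dict:
        """First-server path (claims 1 and 2)."""
        target = domain_of(req["object_id"])
        if target != self.domain:
            # Claim 1: the token was issued by this domain and means nothing
            # elsewhere; strip it so the peer never receives a credential it
            # could present back to this server.
            second_req = {k: v for k, v in req.items() if k != "token"}
            self.forwarded.append(second_req)
            peer = self.peers.get(target)
            if peer is None:
                return {"status": "error", "reason": "unknown target domain"}
            return peer.handle_forwarded(second_req)
        # Claim 2: local object, so the token must map to the claimed user.
        if self.tokens.get(req.get("token")) != req["user_id"]:
            return {"status": "denied", "reason": "token does not match user"}
        return self._process(req["user_id"], req["object_id"], req["op"])

    def handle_forwarded(self, req: dict) -> dict:
        """Second-server path (claim 7): no token arrives, so the user is
        authenticated afresh via the home domain's third server."""
        if "token" in req:
            return {"status": "error", "reason": "token must not cross domains"}
        idp = self.identity.get(domain_of(req["user_id"]))
        if idp is None or not idp.authenticate(req["user_id"]):
            return {"status": "denied", "reason": "third-server authentication failed"}
        return self._process(req["user_id"], req["object_id"], req["op"])

    def _process(self, user_id: str, object_id: str, op: str) -> dict:
        """Per-user authority lookup, then group expansion (claim 6) and
        pointer resolution against the fourth server (claim 5)."""
        if op not in self.permissions.get(user_id, set()):
            return {"status": "denied", "reason": f"no '{op}' authority"}
        results: Dict[str, str] = {}
        for member in self.groups.get(object_id, [object_id]):
            address = self.pointers.get(member)
            content = self.storage.fetch(address) if address else None
            if content is None:
                return {"status": "error", "reason": f"{member} not found"}
            results[member] = content
        return {"status": "ok", "results": results}


def build_demo():
    """Constructed two-domain setup: user 'a/alice' of domain 'a' holds a
    token from server A and reads objects in domain 'a' and in domain 'b'."""
    idps = {"a": ThirdServer("a", {"a/alice"}), "b": ThirdServer("b", {"b/bob"})}
    srv_a = DomainServer("a", idps, FourthServer({"0x10": "a-doc"}),
                         tokens={"tok-alice": "a/alice"},
                         permissions={"a/alice": {"read"}},
                         pointers={"a/doc1": "0x10"})
    srv_b = DomainServer("b", idps, FourthServer({"0x20": "b-doc-1", "0x21": "b-doc-2"}),
                         permissions={"a/alice": {"read"}},
                         pointers={"b/doc1": "0x20", "b/doc2": "0x21"},
                         groups={"b/group1": ["b/doc1", "b/doc2"]})
    srv_a.peers["b"] = srv_b
    srv_b.peers["a"] = srv_a
    return srv_a, srv_b
```

Note that on the cross-domain path the first server, as claimed, does not itself check the token; the access decision rests entirely on the second server's independent authentication through the third server and on the authority that the second server holds for that user. A deployment would therefore want the `forwarded` log and the second server's denial reasons in its audit trail, since those are the only places where a forged or stale user identifier in a forwarded request becomes visible.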
PCT/CN2016/104053 2015-11-10 2016-10-31 Method for processing cross-domain data, first server and second server WO2017080381A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201510760330.5 2015-11-10
CN201510760330.5A CN106685901B (en) 2015-11-10 2015-11-10 Method for processing cross-domain data, first server and second server

Publications (1)

Publication Number Publication Date
WO2017080381A1 true WO2017080381A1 (en) 2017-05-18

Family

ID=58694572

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2016/104053 WO2017080381A1 (en) 2015-11-10 2016-10-31 Method for processing cross-domain data, first server and second server

Country Status (2)

Country Link
CN (1) CN106685901B (en)
WO (1) WO2017080381A1 (en)

Also Published As

Publication number Publication date
CN106685901B (en) 2020-06-02
CN106685901A (en) 2017-05-17

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 16863558; Country of ref document: EP; Kind code of ref document: A1)
NENP Non-entry into the national phase (Ref country code: DE)
122 Ep: pct application non-entry in european phase (Ref document number: 16863558; Country of ref document: EP; Kind code of ref document: A1)